Vietnam's Ministry of Public Security is currently drafting the Law on Personal Data Protection and is in the process of gathering public feedback on the proposed draft.
This Draft Law is expected to be a more comprehensive and advanced framework than the existing Personal Data Protection Decree, introducing significant changes. Key updates include an expanded territorial scope, mandatory evaluations of data protection credibility, stricter conditions for obtaining consent, additional requirements for processing impact assessments, clearer regulations on cross-border data transfers, mandatory updates to regulatory filings, and contracts with data subjects. The Draft Law also proposes special requirements for processing sensitive data such as credit information, location data, biometric data, and employee data used for monitoring.
One of the most notable aspects of the Draft Law is its focus on regulating sector-specific data processing activities in areas like behavioral or targeted advertising, big data, artificial intelligence, cloud computing, banking and finance, social media and OTT platforms, marketing, and healthcare.
The Law is expected to be enacted in May 2025 and come into effect by January 2026. However, we strongly recommend that all enterprises involved in personal data processing in Vietnam begin preparations now, as the compliance requirements are expected to be extensive. We would be happy to discuss how you can start updating your policies, documents, procedures, and processes to align with the upcoming regulations.
Notable updates
Issue | Main Content |
---|---|
Expanded territorial scope | Entities processing personal data of foreign nationals in Vietnam are to be regulated. |
Protection of Sensitive Data | Evaluation of data protection credibility is required. |
New principle for group companies | Each company in a corporate group must independently protect personal data, with separate, explicit consent required for each entity. |
Consent without conditions | Organizations cannot require data subjects to consent to data transfers for unrelated services. |
Data Processing Impact Assessment | A description and assessment of the current status of compliance with personal data protection regulations are required, along with a document detailing the data protection compliance rating. |
Cross-border Transfer of Data | Regulated transfers include sharing data with foreign recipients, at international events, sending personal data abroad, online publication, business purposes, and fulfilling foreign legal obligations. |
Regulatory filings update | Processing and Transfer Impact Assessment Reports must be updated every six months or immediately in cases of company dissolution, mergers, changes in data protection officers, or changes in registered data-related services or activities. |
Contracting with Data Subjects | Contracts with data subjects must include personal data protection provisions, outlining responsibilities, rights, and obligations. Employee monitoring measures must be specified and require consent. |
Service Mechanisms | New concepts and requirements are introduced for personal data protection (PDP) services, including DPO-as-a-Service, data protection experts, organizations certifying compliance, and entities ranking trustworthiness in data protection practices. |
Special data processing cases
New sectoral requirements
Send us your questions
Bui Thi Thanh Ngoc
Partner
KPMG Law in Vietnam
Tran Bao Trung
Associate Director
KPMG Law in Vietnam