Today, the National Assembly officially passed Vietnam’s Personal Data Protection Law (PDP Law). This new Law represents a significant advancement, and a more comprehensive framework compared to Decree No. 13/2023/ND-CP on personal data protection.
The PDP Law will take effect on 1 January 2026. The official text of the Law is expected to be published in the coming days.
According to the draft version submitted to the National Assembly on 13 June 2025, the Law introduces a number of important new provisions, including:
- Significant administrative sanctions:
- Up to 10 times the revenue gained from unlawful personal data trading.
- Up to 5% of the previous year’s revenue for violations related to cross-border data transfers.
- Up to VND 3 billion for other violations.
- New compliance obligations, particularly in cases where personal data is processed without the data subject’s consent.
- Sector-specific regulations covering employment, healthcare, insurance, finance, banking, credit information, advertising, social media platforms, online media, big data, AI, blockchain, metaverse, and cloud computing.
- Protection measures for sensitive data, including location data and biometric data.
- Exemptions and transitional arrangements for certain entities:
- Startups and small businesses may opt out of obligations like Data Protection Impact Assessments (DPIAs) and appointments of Data Protection Officers (DPOs) for five years from the effective date.
- Microenterprises and household businesses are exempt from these requirements.
Building on our deep experience with Decree 13, KPMG remains committed to supporting businesses in navigating and complying with the new Personal Data Protection Law. We will provide timely updates once the official law is released.
Download to your devices here
Stay informed
Subscribe to our Tax and Legal Update newsletters for more insights and updates on the latest legislation
Subscribe here