Vietnam is entering a new phase of data governance. From January 1, 2026, the Personal Data Protection Law (PDPL) will officially take effect, replacing the interim Decree 13/2023/ND-CP. This shift is more than a technical update—it marks Vietnam’s first fully fledged, statute-level data protection law and signals a more mature, structured approach to personal data protection.
The PDPL aims to strike a careful balance: strengthening individual privacy rights while remaining realistic about how businesses—especially smaller ones—actually operate.
From Decree to Dedicated Law
Under Decree 13, data protection in Vietnam functioned largely as a stop-gap framework. While useful, it left gaps, ambiguities, and enforcement uncertainties. The PDPL changes that. As Law No. 91/2025/QH15, it provides a comprehensive legal foundation with clearer authority, stronger enforcement mechanisms, and more detailed obligations for organizations handling personal data.
This move elevates data protection from a regulatory requirement to a core legal responsibility, aligning Vietnam more closely with global data protection trends.
A Much Broader Scope
One of the most impactful changes is the law’s expanded reach. The PDPL applies not only to Vietnamese entities but also to foreign organizations and individuals that process the personal data of Vietnamese residents. In practice, this means overseas tech platforms, service providers, and data processors can no longer assume they fall outside Vietnam’s regulatory perimeter simply because they lack a local presence.
The law also clarifies that personal data protection applies to both digital and non-digital (paper-based) data, closing a loophole that previously caused uncertainty.
Stricter, More Meaningful Consent
Consent is at the heart of the PDPL, and the new law significantly raises the bar. Consent must now be:
- Voluntary, without coercion or imbalance of power
- Specific, tied clearly to each processing purpose
- Fully informed, with transparent disclosure of how data will be used
Importantly, organizations may no longer bundle consent for unrelated purposes. Each purpose requires its own explicit agreement, a change that will affect everything from HR forms to mobile apps and online platforms.
Mandatory Impact Assessments—With a Pragmatic Twist
For higher-risk data processing activities, the PDPL introduces mandatory Data Processing Impact Assessments (DPIAs). These assessments are designed to identify risks to individuals and demonstrate accountability before harm occurs.
However, lawmakers have recognized practical constraints. Startups and small or medium-sized enterprises (SMEs) benefit from a five-year exemption from certain obligations, including conducting DPIAs and appointing a Data Protection Officer. This transitional support reflects a pragmatic understanding that compliance maturity takes time.
Clear Focus on High-Risk Sectors
Unlike the technology-neutral approach of Decree 13, the PDPL adopts a sector-specific model. Entire chapters are dedicated to high-risk areas such as:
- Employment and recruitment
- Healthcare and medical data
- Finance and banking
- Artificial intelligence and big data analytics
- Social media and digital platforms
For example, employers are now explicitly required to delete applicant data if a candidate is not hired, reinforcing data minimization principles in recruitment.
New Prohibitions and Stronger Penalties
The PDPL introduces explicit prohibitions that were previously unclear or implied. These include bans on:
- Buying or selling personal data (unless legally permitted)
- Illicit collection or processing
- Seizing, destroying, or manipulating data unlawfully
Enforcement is also sharper. The law introduces clear administrative fines and opens the door to criminal liability for serious violations. Cross-border data transfer breaches, in particular, face significantly higher penalties, reflecting heightened regulatory concern over international data flows.
Clearer Definitions, Stronger Rights
The PDPL refines core definitions, distinguishing more clearly between basic personal data and sensitive personal data, while allowing the government to issue detailed lists in the future. This clarity reduces interpretive risk for organizations and strengthens protections for individuals.
Data subject rights are expanded and clarified, with more concrete obligations on data controllers to respond, and to delete or correct data, in defined circumstances.
How the PDPL Truly Differs from Decree 13
In essence, the PDPL transforms Vietnam’s data protection regime in five key ways:
- From temporary regulation to permanent law
- From general principles to sector-specific rules
- From implied obligations to explicit compliance requirements
- From limited enforcement to clear penalties and liability
- From one-size-fits-all to SME-friendly compliance pathways
A More Mature Data Protection Era
Vietnam’s new PDPL represents a significant leap forward. It strengthens individual rights, clarifies business responsibilities, and modernizes enforcement—without ignoring economic realities. For organizations operating in or targeting Vietnam, 2026 is not just a compliance deadline; it is a signal that data governance is now a central pillar of doing business in the country.
