Vietnam has taken a major step in its data protection regime with the enactment of its first comprehensive Personal Data Protection Law. For businesses operating in Vietnam or processing the data of Vietnamese residents, understanding this law is essential. This article presents only verified facts.
The Law and Its Foundation
On 26 June 2025, Vietnam's National Assembly officially passed Law No. 91/2025/QH15 on Personal Data Protection (the PDPL). This law elevates Vietnam's data protection framework from decree-level provisions to full statutory law.
The PDPL builds on and replaces Decree No. 13/2023/ND-CP on Personal Data Protection (known as the PDPD or Decree 13), which had entered into effect on 1 July 2023 and served as the interim legal basis for data privacy regulation. The PDPL consists of 39 articles divided into five chapters.
A Note on the Effective Date
Published sources differ on the PDPL's effective date. Several legal advisories cite an effective date of 1 January 2026, while others cite 1 July 2026 with a one-year transitional period. What is consistently reported is that the implementing decree — Decree No. 356/2025/ND-CP — was issued on 31 December 2025 to detail and guide implementation of the PDPL, and that this decree formally announced the replacement of Decree 13. Organisations should confirm the precise applicable date and transitional provisions for their specific situation with qualified Vietnamese legal counsel.
Who the Law Applies To
The PDPL has extraterritorial effect. It applies to Vietnamese agencies, organisations, and individuals that collect or process personal data; foreign organisations and individuals offering services to Vietnamese residents or transferring Vietnamese personal data abroad; and public institutions handling Vietnamese personal data. This means businesses from e-commerce platforms to financial services providers — domestic and foreign — fall within scope.
Key Changes from Decree 13
The PDPL introduces broader definitions, expanding the scope of personal data to include both digital and non-digital formats, such as paper-based records. It establishes a framework for penalties, including monetary fines of up to 5% of a corporate violator's annual revenue from the previous year for cross-border data transfer breaches. It also introduces sector-specific compliance requirements for industries including financial services, telecommunications, healthcare, insurance, advertising, and cloud computing.
Notably, the PDPL imposes qualification requirements for data protection personnel and service providers that were absent under Decree 13 — organisations must ensure that appointed personnel or engaged external providers possess demonstrable expertise in data protection.
Implications for Security
While the PDPL is fundamentally a data protection law rather than a security testing mandate, its breach notification obligations, impact assessment requirements, and substantial financial penalties make demonstrable data security a business imperative. Organisations processing personal data need to know that the systems handling that data are genuinely secure.
How Simuna Infosec Helps
Our security assessments help organisations identify and remediate the vulnerabilities in systems that process personal data — before a breach triggers the PDPL's significant penalties. We have experience supporting a multinational software company with major operations in Vietnam, giving us practical understanding of the regional technology environment. We provide the security assurance that Vietnam's strengthened data protection regime increasingly demands.
*This article reflects publicly available information as of mid-2026. Sources differ on certain effective dates; consult qualified Vietnamese legal counsel for compliance decisions.*