[Vietnam] From Banking to Employment: Sectoral Impact of Vietnam’s Personal Data Protection Law

Author - Sally Nguyen

1. Background

   On June 26, 2025, the National Assembly of Vietnam enacted the Personal Data Protection Law (No. 91/2025/QH15) (“PDPL”), which will take effect on January 1, 2026 (the “Enforcement Date”). While the PDPL was adopted based on Decree No. 13/2023, it represents the country’s first statutory-level legislation, establishing a more robust and comprehensive legal framework for safeguarding personal data.

2. Scope of Application

   The PDPL applies to:

   (i) Vietnamese authorities, as well as all natural and legal persons within Vietnam;

   (ii) foreign natural and legal persons carrying out operations in Vietnam; and

   (iii) foreign natural and legal persons who process the personal data of Vietnamese data subjects, even where such processing occurs outside Vietnam.

   This extraterritorial scope imposes legal obligations on multinational corporations and other foreign entities handling the personal data of Vietnamese data subjects, requiring full compliance with the PDPL regardless of where the data processing takes place.

3. Enhanced Compliance Requirements Across Key Sectors

The enactment of the PDPL has the following impacts on several sectors:

• Banking and Finance: The PDPL prohibits the use of credit information for scoring or ranking purposes without the explicit consent of the data subject. Banks, credit institutions, and fintech companies must redesign their processes, ensure transparency in obtaining consent, and invest in security infrastructure to protect account and credit information.

• Emerging Technologies (AI, Big Data, Blockchain): Companies using AI, big data, blockchain, the metaverse, or cloud computing must handle personal data responsibly, only for necessary and legitimate purposes. Systems and services should include strong data protection measures, proper authentication, and access controls. Data should be classified by risk to ensure adequate protection, and these technologies must never be used to harm national security, public order, or individuals’ rights. All practices should follow ethical standards and respect Vietnamese cultural values.

• Digital Platforms: Social-media and online service providers must not use identity documents (e.g., ID cards, passports) for account verification and are prohibited from intercepting or monitoring user communications without explicit consent, unless expressly authorized by law. Accordingly, global technology and OTT service providers will be required to restructure their account verification processes and business models as of the Enforcement Date to comply with these newly adopted restrictions.

• General Employment: Enterprises must delete or destroy employee data after contract termination, unless otherwise agreed or required by law. Moreover, it is essential to comply with existing laws and regulations related to labor, employment, data protection, and other relevant areas.

4. Penalties for Non-Compliance

The PDPL introduces significant administrative penalties to ensure compliance:

• For violations involving cross-border information transfers, a fine of up to 5% of the organization’s total revenue in the previous fiscal year may be imposed.

• For other violations in the field of personal data protection, fines of up to VND 3 billion may be imposed on organizations, while fines for individuals shall be limited to half of the amount applicable to organizations.

• Additional legal liabilities include criminal prosecution and civil damages.

Final Thoughts

By clearly understanding the obligations and rights under Vietnam’s Personal Data Protection Law and carefully navigating the regulatory framework, businesses can effectively manage personal data while minimizing legal and reputational risks. Vietnam’s data protection regime establishes comprehensive requirements for the collection, processing, storage, and transfer of personal information, including cross-border transfers and sensitive data. While the law provides certain exemptions and grace periods for SMEs and start-ups, all organizations handling Vietnamese personal data must implement robust compliance measures.

TWL Law Group advises businesses on all aspects of Vietnam’s personal data protection regulations, providing strategic legal guidance to ensure compliance, implement effective data governance, and mitigate risks across the data lifecycle.

About Author

Sally serves as the Managing Partner of TWLV and is based in Ho Chi Minh City. With over 15 years of experience, Sally has worked with prestigious institutions including a leading foreign bank, as well as international firms. She specializes in M&A, banking, foreign investments, corporate & commercial matters, labor issues, and dispute resolution. She is an appointed examiner for the Lawyer Apprenticeship Completion Examination of the Vietnam Bar Federation.