Vietnam’s Personal Data Protection Law 2025: Key Obligations for Businesses

On June 26, 2025, the National Assembly of the Socialist Republic of Vietnam officially passed the Personal Data Protection Law 2025 (Law No. 91/2025/QH15), which will take effect on January 1, 2026.
This new law builds upon Decree No. 13/2023/NĐ-CP on personal data protection and establishes a comprehensive legal framework governing the collection, storage, processing, and transfer of personal data in Vietnam.

Under this law, all enterprises operating in Vietnam must comply with the new regulations. Personal data of employees collected by businesses is explicitly recognized as protected personal data. Consequently, businesses are required to implement adequate protection measures. Violations may result in administrative penalties, criminal liability, and civil compensation for damages.

Below are several key highlights regarding enterprise responsibilities under the Personal Data Protection Law 2025:

 

1. Absolute Prohibition on Buying and Selling Personal Data

The law strictly prohibits the purchase or sale of personal data, unless otherwise provided by law.
Administrative fines can reach up to 10 times the revenue gained from the violation.
If such revenue cannot be determined, or if it is lower than the fixed fine, the penalties are as follows:

  • Up to VND 3 billion for organizations;
  • Up to VND 1.5 billion for individuals.

In addition to financial penalties, offenders may face criminal prosecution, compensation for affected data subjects, and additional sanctions or remedial measures depending on the severity of the violation.

 

2. Fines up to 5% of Annual Revenue for Data Privacy Violations

The maximum administrative fine for cross-border data transfer violations is 5% of the company’s total revenue from the preceding fiscal year.

Other penalties include:

  • Buying or selling personal data: Up to 10 times the illicit revenue;
  • Other violations related to personal data protection: Up to VND 3 billion;
  • For individuals: Maximum fines are half the amount applicable to organizations.

 

3. Individuals’ Rights to Request Deletion and Correction of Personal Data

Personal data must be deleted or destroyed in the following circumstances:

  • Upon the data subject’s request, where the data subject accepts the potential risks;
  • When the processing purpose has been fulfilled;
  • When the storage period expires;
  • Upon a competent authority’s decision;
  • Under mutual agreement between parties;
  • As otherwise required by law.

Data deletion must be carried out securely to prevent unauthorized recovery.
If deletion is not feasible for legitimate reasons, the data controller must inform the requester.

Article 13 of the Personal Data Protection Law 2025 also allows individuals to edit or request corrections to their personal data.
The data controller must process such requests within the statutory period and ensure the accuracy and integrity of the data.

 

4. Employers May Only Collect Applicant Data for Recruitment Purposes

Organizations and individuals involved in recruitment must:

  • Request only information strictly necessary for the hiring process;
  • Avoid collecting irrelevant or excessive information;
  • Use such data solely for recruitment purposes, unless the applicant provides consent for other uses.

Personal data obtained during recruitment (through resumes, interviews, etc.) must be processed in accordance with the law and with the applicant’s consent.
If the candidate is not hired, the employer must delete or destroy the collected data unless both parties agree otherwise.

 

5. Employers Must Delete Employee Data After Contract Termination

Personal data of employees may be retained only for the period permitted by law or as legally agreed upon by both parties.
When an employment relationship ends, the employer must delete or destroy the employee’s personal data, except where retention is required by law (e.g., for insurance or tax purposes).

Employers may use technologies such as GPS, cameras, or attendance software only when employees are fully informed and have consented, and such data must not be used for other purposes without consent.

 

6. Obligation to Conduct Personal Data Processing Impact Assessments

As a data controller and processor, an enterprise such as PPJ Group must prepare and maintain a Personal Data Processing Impact Assessment (PDPIA) report and submit one original copy to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) within 60 days from the first day of data processing.

The PDPIA must always be available for inspection by the authorities and must be updated every six months or whenever significant changes occur.

The structure and content of the Impact Assessment Report are currently guided by Decree No. 13/2023/NĐ-CP.

 

7. Conclusion – Ensure Compliance with Personal Data Protection Law 2025

Compliance with the Personal Data Protection Law 2025 not only helps businesses avoid legal and financial risks, but also enhances brand reputation and builds trust with clients and partners.

MLT Lawyers is ready to assist businesses in Vietnam with:

  • Reviewing internal data processing systems;
  • Drafting internal policies and contracts for personal data processing;
  • Preparing and submitting PDPIA reports to the authorities.

Contact MLT Lawyers today for detailed consultation and tailored legal solutions to ensure your business complies fully with Vietnam’s Personal Data Protection Law 2025.

📞 Phone: (028) 62727 987 | Mobile: 0919 211 048
📧 Email: [email protected]
