
Key Highlights of the Law on Personal Data Protection 2025

| TNTP LAW |

The Law on Personal Data Protection 2025, officially passed by the National Assembly on 26 June 2025 and effective from 1 January 2026 (the “Personal Data Protection Law”), marks a significant development in strengthening privacy protection in Vietnam. The Law establishes a clear and stringent legal framework governing the collection, processing, and protection of personal data, imposing new compliance requirements on businesses in adapting their data governance practices, while also enhancing public awareness of personal data protection.
The following article by TNTP analyzes several key highlights of the Law on Personal Data Protection 2025.

1. Prohibited acts related to personal data

Article 7 of the Personal Data Protection Law sets out seven categories of strictly prohibited acts to prevent the unlawful misuse of personal data and to establish clear legal boundaries for personal data processing activities. These prohibited acts include:

  • Processing personal data to oppose the Socialist Republic of Vietnam or to undermine national defense, national security, social order and safety, or the lawful rights and interests of agencies, organizations, or individuals;
  • Obstructing personal data protection activities;
  • Abusing personal data protection activities to commit violations of law;
  • Processing personal data in violation of legal regulations;
  • Using another person’s personal data, or allowing others to use one’s own personal data, to commit acts in violation of the law;
  • Buying or selling personal data, except where otherwise permitted by law;
  • Misappropriating, intentionally disclosing, or losing personal data.

Depending on the nature, severity, and consequences of the violation, acts infringing personal data protection regulations may result in administrative penalties, criminal liability, and compensation for damages in accordance with the law.

2. Processing personal data without the data subject’s consent

Although the general principle is that personal data may only be processed with the consent of the data subject, the Personal Data Protection Law allows for certain exceptional circumstances in which personal data may be processed without consent, in order to balance public interests and privacy rights.

Pursuant to Clause 1, Article 19 of the Law, such circumstances include:

  • Protecting the life, health, honor, dignity, lawful rights, and interests of the data subject or others in emergency situations; or protecting one’s own legitimate rights or interests, those of others, or those of the State, agencies, or organizations where necessary against infringements.

In these cases, the personal data controller, processor, controller-processor, or third party bears the burden of proving the applicability of this exception and remains legally accountable for the lawfulness of such processing.

  • Addressing emergency situations; threats to national security that have not yet reached the level requiring a declaration of a state of emergency; preventing and combating riots, terrorism, crime, and other legal violations;
  • Serving the operations of state agencies and state management activities in accordance with the law;
  • Performing agreements entered into between the personal data subject and relevant agencies, organizations, or individuals as prescribed by law;
  • Other cases as provided by law.

In such circumstances, the personal data controller, processor, controller-processor, or relevant third party is still required to establish and implement data processing monitoring mechanisms and to be accountable when complaints or requests are raised by relevant agencies, organizations, or individuals.

3. Employers’ obligation to delete employees’ personal data after termination of employment

This is one of the most notable provisions of the Personal Data Protection Law and is expected to have a significant impact on corporate human resource management practices.

Pursuant to Clause 2, Article 25 of the Law, enterprises are obligated to ensure confidentiality and may only retain personal data for a specified period in accordance with the law or contractual agreements. Upon termination of an employment contract, employers must delete or irreversibly destroy the employee’s personal data.

However, “data deletion” does not mean erasing all data indiscriminately. Employers are required to classify data, permanently delete data that no longer has a lawful basis for processing, and retain only data that falls within the legally permitted scope, purpose, and retention period. Under Point (c), Clause 2, Article 25, employers may continue to retain personal data in certain exceptional cases, including: (i) where there is an agreement with the employee; or (ii) where required under specialized laws, such as records relating to social insurance, health insurance, unemployment insurance; accounting and tax documents; or documents and evidence that must be retained in the event of labor disputes.

This provision aims to ensure that employees’ information is not retained unnecessarily, misused, or processed for improper purposes, particularly sensitive data such as medical records, biometric data (e.g., fingerprints, facial data), personal preferences, images, videos, and voice recordings. At the same time, it requires businesses to revise and improve their data management practices, from collection and use to classification and deletion of employee data.

4. Social media platforms prohibited from requiring images of identity documents for verification

The Personal Data Protection Law introduces specific regulations for social media platforms and online communication services, notably prohibiting the requirement for users to verify their identity or accounts using identity documents.

Article 29 of the Law stipulates that platforms may not require users to provide images or videos containing all or part of identity documents for account verification purposes. The collection of images of identity cards, citizen identification cards, passports, or other identification documents in any form as a verification factor is strictly prohibited.

This regulation aims to prevent the risk of leakage of sensitive personal information. Previously, many platforms required users to photograph their identity documents for verification, leading to widespread misuse, trading of personal information, and large-scale data breaches that disrupted social order and safety. Under the new law, platforms are required to adopt alternative verification methods such as OTP codes, biometric authentication, or electronic eKYC, without requesting images of original identity documents.

In addition, the Law prohibits social media platforms from eavesdropping, secretly recording, recording calls, or reading text messages without user consent. Platforms must provide users with options to refuse the collection and sharing of cookies and to disable online activity tracking. They are also required to publish privacy policies and clearly explain how personal data is collected, used, and shared.

5. Cross-border transfer of personal data

Article 20 of the Personal Data Protection Law tightens the conditions for transferring Vietnamese citizens’ personal data outside the national territory.

Cross-border personal data transfers include:

  • Transferring personal data stored in Vietnam to data storage systems located outside the territory of the Socialist Republic of Vietnam;
  • Agencies, organizations, or individuals in Vietnam transferring personal data to organizations or individuals abroad;
  • Agencies, organizations, or individuals in Vietnam or abroad using platforms located outside Vietnam to process personal data collected in Vietnam.

To be permitted to conduct cross-border personal data transfers, the transferring agency, organization, or individual must prepare a cross-border personal data transfer impact assessment dossier and submit a report to the competent authority within 60 days from the date of the first cross-border data transfer.

However, impact assessment is not required in the case of cross-border data transfers conducted by competent state authorities; where agencies or organizations store their employees’ personal data on cloud computing services; or where the personal data subject independently transfers their own personal data across borders.

The specialized personal data protection authority may conduct periodic inspections of cross-border data transfers no more than once per year, or ad hoc inspections upon detecting violations or data breaches. The authority also has the power to require the suspension of data transfers if such transfers pose a risk to national defense or national security.

The above is TNTP’s article on “Key Highlights of the Law on Personal Data Protection 2025.” We hope this article is useful to our readers. Should you require further assistance, please do not hesitate to contact TNTP.

Sincerely,

TNTP & ASSOCIATES INTERNATIONAL LAW FIRM
The copyright belongs to: TNTP & Associates International Law Firm