Key highlights of the Personal Data Protection Law 2025

11 February, 2026 | TNTP LAW | Legal newsletter

The Personal Data Protection Law 2025 (“PDPL 2025”) will take effect on 1 January 2026, marking an important milestone in the completion of Vietnam’s legal framework on personal data protection. Under the new Law, activities involving the collection, storage, and processing of personal data of customers, employees, or business partners may entail significant legal risks if not conducted in compliance with statutory requirements. The enactment of the PDPL 2025 establishes fundamental principles and obligations, enabling organizations and individuals to proactively control and safeguard personal data, while at the same time imposing more stringent compliance requirements in data usage practices. In this article, TNTP provides an overview of several key provisions of the Personal Data Protection Law 2025 (“PDPL 2025”) that merit particular attention.

1.Definition and classification of personal data

The definition of personal data (“PD”) is clarified in Article 2 of the PDPL 2025 (Interpretation of Terms). Accordingly, personal data means digital data or information in other forms that identifies or helps identify a specific individual. Where personal data has been anonymized in accordance with the law, it is no longer considered personal data.

Based on this general definition, the PDPL 2025 classifies personal data into two categories:

Basic personal data: personal data reflecting common personal identification information, which is frequently used in transactions and social relations.
Sensitive personal data: personal data closely associated with an individual’s privacy, the infringement of which may directly affect the lawful rights and interests of agencies, organizations, or individuals.

The determination of whether a specific type of data constitutes basic personal data or sensitive personal data is subject to the list promulgated by the Government.

Overall, the provisions on personal data under Article 2 of the PDPL 2025 demonstrate a progressive and appropriate legislative approach by clearly defining the scope of personal data. The distinction between basic and sensitive personal data is reasonable, helping to clarify different levels of protection and providing a legal basis for applying more suitable and effective protective measures.

2.Prohibited acts related to personal data protection

Article 7 of the PDPL 2025 sets out specific prohibited acts applicable to individuals and organizations in personal data protection activities, including:

Processing personal data for purposes opposing the State, undermining national defense, national security, social order and safety, or infringing upon the lawful rights and interests of agencies, organizations, or individuals;
Obstructing personal data protection activities;
Abusing personal data protection activities to commit violations of law;
Processing personal data in violation of applicable legal provisions;
Using another person’s personal data or allowing others to use one’s own personal data to carry out unlawful acts;
Trading in personal data, except where otherwise permitted by law; and
Illegally appropriating, intentionally disclosing, or causing the loss of personal data.

The explicit identification of prohibited acts under Article 7 of the PDPL 2025 reflects a consistent legislative stance toward strengthening personal data protection. These provisions aim to tightly control risks arising from personal data processing activities, particularly risks of data leakage, loss, and misuse of personal data for unlawful purposes, thereby effectively safeguarding the lawful rights and interests of individuals.

3.Sanctions for Violations of Personal Data Protection Regulations

Pursuant to Article 8 of the PDPL 2025, depending on the nature, severity, and consequences of the violation, organizations, individuals, or entities breaching personal data protection regulations may be subject to administrative sanctions or criminal liability in accordance with law. In addition, where damage is caused, the violating party must also compensate for damages in accordance with applicable legal provisions.

Regarding administrative penalties, the PDPL 2025 specifies maximum fines applicable to organizations (with individuals committing the same violations subject to a maximum fine equal to one half of that imposed on organizations), as follows:

Trading in personal data: up to ten (10) times the illegal proceeds derived from the violation. Where there is no illegal revenue, or where the calculated fine based on illegal revenue is lower than VND 3,000,000,000, the maximum fine shall be VND 3,000,000,000.
Violations relating to cross-border transfer of personal data: up to 5% of the revenue of the immediately preceding year. Where there is no revenue in the preceding year, or where the calculated fine is lower than VND 3,000,000,000, the maximum fine shall be VND 3,000,000,000.
Other violations in the field of personal data protection: up to VND 3,000,000,000.

The sanctioning regime under the PDPL 2025 reflects a strict enforcement approach by combining administrative, criminal, and civil liabilities. The imposition of substantial monetary penalties, particularly for personal data trading and cross-border data transfer violations, demonstrates a strong deterrent effect, contributing to heightened compliance awareness and more effective personal data protection in practice.

The PDPL 2025 establishes a comprehensive legal framework governing the collection, storage, and processing of personal data, and imposes stringent compliance obligations on relevant agencies, organizations, and individuals. Compliance with the Law not only serves to mitigate legal risks and severe sanctions, but also plays a critical role in safeguarding the lawful rights and interests of data subjects in the digital environment.

Best regards,

New posts