On September 24, 2024, the government of Vietnam issued the first draft of a new Law on Personal Data Protection (“Draft PDPL”). As foreshadowed in our previous legal update, the Ministry of Public Security has been very active in developing this draft law. With this draft, they promise to continue their considerable efforts to establish a robust personal data protection culture in Vietnam, as the Draft PDPL indicates a tentative entry into force on January 1, 2026. With a tentative adoption by the National Assembly in May 2025, the Draft PDPL does not include any transition period, save for micro-enterprises, SMEs, and startups, which are only exempted from appointing a data protection department in their first two years of existence, while the timeline to comply with other obligations under the PDPL remains the same as for other enterprises. The Draft PDPL includes 68 articles, divided into seven chapters, making it more extensive than last year’s Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), and expressly addresses personal data protection in many fields, including marketing services, behavioral advertising, big-data processing, AI, cloud computing, labor monitoring and recruitment, financial and credit information, health and insurance, and others. It remains unclear how the PDPL will interact with the PDPD (whether it will replace its predecessor or coexist with it), although the Draft PDPL provides that it will prevail over any laws that have provisions on personal data protection that differ from the provisions of the PDPL. Among the important new developments of the Draft PDPL when compared to the PDPD, we note: Consent remains the main legal basis for processing, with limited exceptions (still not including “legitimate interest”). However, consent for cross-border transfer is further regulated under the Draft PDPL, including for intra-group sharing. Data processing impact assessment dossiers for controllers and