On September 24, 2024, the government of Vietnam issued the first draft of a new Law on Personal Data Protection (“Draft PDPL”). As foreshadowed in our previous legal update, the Ministry of Public Security has been very active in developing this draft law. With this draft, they promise to continue their considerable efforts to establish a robust personal data protection culture in Vietnam, as the Draft PDPL indicates a tentative entry into force on January 1, 2026.
With a tentative adoption by the National Assembly in May 2025, the Draft PDPL does not include any transition period, save for micro-enterprises, SMEs, and startups, which are only exempted from appointing a data protection department in their first two years of existence, while the timeline to comply with other obligations under the PDPL remains the same as for other enterprises.
The Draft PDPL includes 68 articles, divided into seven chapters, making it more extensive than last year’s Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), and expressly addresses personal data protection in many fields, including marketing services, behavioral advertising, big-data processing, AI, cloud computing, labor monitoring and recruitment, financial and credit information, health and insurance, and others.
It remains unclear how the PDPL will interact with the PDPD (whether it will replace its predecessor or coexist with it), although the Draft PDPL provides that it will prevail over any laws that have provisions on personal data protection that differ from the provisions of the PDPL.
Among the important new developments of the Draft PDPL when compared to the PDPD, we note:
- Consent remains the main legal basis for processing, with limited exceptions (still not including “legitimate interest”). However, consent for cross-border transfer is further regulated under the Draft PDPL, including for intra-group sharing.
- Data processing impact assessment dossiers for controllers and processors (“DPIA”) and transfer impact assessment for transferors (“TIA”) are retained, but, for the latter, the cases of transfer of personal data abroad have been further defined. These DPIAs and TIAs will have to be updated and submitted again to the authorities every six months or immediately upon material change.
- New definitions have been inserted, such as “developers”, “personal data protection organization”, “personal data protection expert”, “de-identification of personal data”, “use of personal data for marketing”, “use of personal data for behavioral advertising”, and “personal data protection credit rating”, and other definitions currently found in the PDPD have been modified (e.g., land use right-related information has been included as “sensitive information”).
- A data protection department must be appointed for basic personal data processing (it is no longer limited to sensitive personal data processing) and the Draft PDPL includes a recognition that a data protection department can be an external service provider (i.e., a personal data protection organization). The Draft PDPL further regulates this new service.
- Certification mechanisms are introduced as credit ratings for personal data protection (high credibility, trust, pass, failing).
- The 72-hour timeline to address certain data subjects’ requests and to notify the authorities in case of violation of the personal data protection regulations remains unchanged.
We will publish a deeper dive into the Draft PDPL shortly to provide you with more information on this new draft and draw comparisons with the PDPD, which was just enacted last year. Businesses are strongly encouraged to continue monitoring the development of this new legislation for preparation and to provide comments during the public consultation phase, which is open until November 24, 2024.
