The Personal Data Protection Law (PDPL) is Vietnam’s first comprehensive data protection law, bringing the protection of personal data into a single legal framework. It governs the collection, use, disclosure, and care of personal data by organizations, aiming to protect individuals’ personal data while enabling legitimate business use, recognizing that protecting personal data is an important economic driver for the country.
If your website uses cookies that track users' behavior, preferences, or identity (such as analytics or marketing cookies), you must obtain clear and informed consent before activating those cookies. This aligns with the PDPL’s emphasis on notifying individuals and obtaining their permission before collecting personal data.
Taking its cues from GDPR, Vietnam’s PDPL requires organizations to inform individuals of the purposes for collecting personal data, obtain their consent, and ensure that data is properly protected. Any third-party services used (e.g., for marketing or analytics) must also comply with PDPL standards.
To be in compliance, businesses operating in or serving users in Vietnam must follow six key principles:
Review data practices: Comply with Vietnam’s constitution, the PDPL and relevant laws
Purpose limitation: Collect and process personal data within a specific, clear and lawful scope and purpose
Accuracy and storage limitation: Ensure personal data is accurate and that personal data is stored only for the period allowed for the purpose of processing
Data security: Protect personal data effectively through institutional, technical and human means
Guard against violations: Proactively detect and prevent violations of personal data protections and act swiftly to handle and resolve any such violations
Balance national interests and rights: Protect personal data in alignment with the balance between personal data protection and the protection of legitimate rights held by agencies, organizations and individuals
The PDPL applies to all organizations and individuals—both domestic and international—that process personal data of individuals in Vietnam. This means that foreign companies offering services or operating digital platforms accessible to Vietnamese users must also comply. Non-profit organizations, startups, and large enterprises alike fall under its scope.
Vietnam’s law grants consumers various data privacy rights, including:
Individuals can request access to their personal data held by an organization and obtain information about how it is being processed.
Individuals must be informed about what personal data is being collected, the purpose of processing, retention period, and whether their data will be shared or transferred abroad. Data can only be collected and processed with prior, explicit, and voluntary consent. Consent must be separate for each purpose of processing, and individuals can refuse consent without being denied basic services. At any time, individuals can withdraw their consent to the collection and processing of personal data.
Individuals can request corrections or updates to their personal data to ensure accuracy.
Consumers can request the deletion of their personal data when it is no longer needed for stated purposes, when consent has been withdrawn, or the processing is unlawful.
Individuals can request that organizations limit how their personal data is used (for example, only storing it but not actively processing it), and can object to their personal data being used for certain purposes, such as direct marketing, profiling, or automated decision-making.
Individuals can request that their personal data be provided in a structured, machine-readable format, or transferred to another organization.
Individuals can file complaints with the Ministry of Public Security if they believe their data rights have been violated. They may also seek compensation if misuse of their personal data causes damage.
Individuals have heightened rights in cases where sensitive data is in question, such as financial, health, biometric, or political data. Organizations must implement stricter safeguards relative to these kinds of data.
Cookies and tracking technologies that store, track, or otherwise process personal data (such as IP addresses, browsing activity, or profiling data) fall within the scope of the PDPL. Functional cookies necessary for website operations may be exempt from consent, but all other cookies, particularly those for analytics, advertising, and behavioral tracking, require clear disclosure and prior user consent. A transparent cookie policy and consent banner are essential for compliance.
Non-compliance with the PDPL can result in penalties. Depending on the severity of the breach, organizations may face administrative fines, suspension of data processing activities, or even criminal liability in serious cases. While specific fine amounts are subject to implementing decrees, non-compliance may also result in reputational damage and operational restrictions, especially for businesses handling sensitive or large-scale data.
To check their compliance with Vietnam’s PDPL, businesses should:
Audit: Conduct a data audit to identify all cookies and trackers on their websites
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent: Ensure consent banners are implemented correctly, enable users to withdraw consent at any time, and maintain consent logs
Check with partners: Review third-party data-sharing practices
Train staff: Ensure that employees have training to understand and comply with PDPL
The PDPL regulates the processing of personal data by individuals and organizations in Vietnam, including foreign entities directly involved in processing the personal data of Vietnamese citizens—or persons of Vietnamese origin residing in Vietnam—even if those entities are located outside the country.
The PDPL classifies personal data into two categories:
Basic personal data, such as names, date of birth, contact information, national ID numbers, photographs, family relationships, digital account details, and more.
Sensitive personal data, including political opinions, religious beliefs, medical conditions, ethnicity, biometric or genetic data, sexual orientation, criminal records, financial account data, real-time location, and other unique identifiers requiring enhanced protection.
Sensitive data includes particularly private information—such as health and medical records, ethnicity, genetic/biometric data, sexual orientation, financial and criminal records, real-time location, and other personally identifying or sensitive categories as specified by law.
The Ministry of Public Security (MPS), through its Department of Cybersecurity and High‑Tech Crime Prevention, is the main regulatory and enforcement body overseeing data protection under PDPL and related decrees.
Routine personal or household data processing is exempt, so long as the data isn’t shared with third parties or used commercially. Some additional exemptions may apply for specific contexts (e.g., governmental or emergency processing), to be clarified further in upcoming implementing decrees.
Processing is lawful if based on: the data subject’s voluntary consent (clear, explicit, specific, and removable); performance of a contract; legal obligations; protecting the vital interests of the individual; public interest, especially concerning national security or public safety; or other sectoral legal bases as specified by law.
Detailed information, guidance, and updates will be provided by the Ministry of Public Security, especially through the guiding decree (expected before the end of 2025) and the sanction decree outlining penalties. These are intended to offer clarity on aspects like data categorization, breach reporting, DPO rules, impact assessments, and more.
©2018-2025 CookieHub ehf.