The Law on Personal Data Protection stipulates the responsibilities of related parties in processing and protecting personal information, including small businesses and individual households. The Law takes effect from January 1, 2026, with certain provisions allowing small and micro enterprises to choose whether to implement them within a specified period.
적용 범위
Agencies, organizations, and individuals involved in processing personal data in Vietnam.
핵심 사항
- Provisions regarding the responsibilities of the data controller and processor
- Conditions and technical standards for protecting personal data
- Transitional provisions for activities being carried out before the law comes into effect
- Flexible application period for small and micro enterprises.
- Related parties must report violations of personal data protection regulations
🌐 이 문서의 사회적 영향
- Enhance the security of citizens' personal information
- Develop a safe and sustainable information technology industry.
- Encourage businesses to comply with international standards on data protection.
❓ 자주 묻는 질문
When does this Law take effect?
The Law on Personal Data Protection takes effect from January 1, 2026.
How long do small and micro enterprises have the right to choose whether to implement the provisions of the Law?
Small enterprises have the right to choose whether to implement the provisions within five years from the date the Law takes effect, while micro enterprises are not required to implement these provisions.
What does the Law stipulate about the responsibilities of the data controller?
The data controller must clearly state their responsibilities, rights, and obligations in agreements related to personal data processing; decide the purpose and means of processing personal data; and implement technical management measures to protect personal data.
전문
|
OF THE NATIONAL ASSEMBLY |
SOCIALIST REPUBLIC OF VIET NAM |
|
Law Number: 91/2025/QH15 |
LAW
PROTECTION OF PERSONAL DATA
Pursuant to the Constitution of the Socialist Republic of Vietnam amended and supplemented by Resolution No. 203/2025/QH15;
The National Assembly enacts the Law on Protection of Personal Data.
PART I
GENERAL PROVISIONS
Article 1. Scope of Regulation and Applicability
1. This Law regulates personal data, protection of personal data, and the rights, obligations, and responsibilities of agencies, organizations, and individuals related to such matters.
2. This Law applies to:
a) Agencies, organizations, and individuals of Vietnam;
b) Agencies, organizations, and individuals from foreign countries operating in Vietnam;
c) Agencies, organizations, and individuals from foreign countries directly participating in or related to activities processing personal data of Vietnamese citizens and Vietnamese-origin persons without determined citizenship currently residing in Vietnam who have been issued identification card certificates.
Article 2. Interpretation of Terms
In this Law, the following terms shall be understood as follows:
1. Personal data is numerical data or information in other forms that identify or help identify a specific individual, including basic personal data and sensitive personal data. Personal data after anonymization is no longer considered personal data.
2. Basic personal data is personal data reflecting common personal characteristics and background frequently used in transactions and social relations, listed in the Government's regulations.
3. Sensitive personal data is personal data closely linked to an individual’s privacy, whose infringement will directly affect the legitimate rights and interests of agencies, organizations, and individuals, listed in the Government's regulations.
4. Protection of personal data refers to the actions taken by agencies, organizations, and individuals using resources, means, and measures to prevent and combat activities infringing upon personal data.
5. Subject of personal data is the person reflected in the personal data.
6. Processing of personal datais an activity affecting personal data, including one or more activities such as collection, analysis, synthesis, encryption, decryption, modification, deletion, destruction, anonymization, provision, disclosure, transfer of personal data, and other activities impacting personal data.
7. Controller of personal data is the agency, organization, or individual determining the purpose and means of processing personal data.
8. Processor of personal data is the agency, organization, or individual carrying out the processing of personal data at the request of the controller of personal data or the controller and processor of personal data through a contract.
9. Controller and processor of personal data is the agency, organization, or individual determining the purpose, means, and directly processing personal data.
10. Third party is an organization or individual outside the subject of personal data, the controller of personal data, the controller and processor of personal data, and the processor of personal data participating in the processing of personal data as prescribed by law.
11. Anonymization of personal data is the process of changing or deleting information to create new data that cannot identify or help identify a specific individual.
12. Impact assessment of personal data processing is the analysis and evaluation of risks that may occur during the processing of personal data to apply measures to mitigate risks and protect personal data.
Article 3. Principles for the protection of personal data
1. Compliance with the Constitution, provisions of this Law, and relevant laws.
2. Collection and processing of personal data must be within a specific, clear scope and purpose, ensuring compliance with legal provisions.
3. Ensuring the accuracy of personal data and making necessary corrections, updates, and supplements; storing it for a period appropriate to the purpose of processing personal data, except where otherwise provided by law.
4. Effectively implementing comprehensive measures and solutions regarding institutional, technical, and human aspects suitable for protecting personal data.
5. Proactively preventing, detecting, blocking, combating, and promptly and strictly dealing with all violations of laws on the protection of personal data.
6. Protecting personal data in conjunction with safeguarding national and ethnic interests, serving economic and social development, ensuring national defense, security, and diplomacy; ensuring harmony between the protection of personal data and the protection of the legitimate rights and interests of agencies, organizations, and individuals.
Article 4. Rights and Obligations of Personal Data Subjects
1. The rights of personal data subjects include:
a) Being informed about activities processing personal data;
b) Agreeing or disagreeing, requesting withdrawal of consent for processing personal data;
c) Viewing, amending or requesting amendment of personal data;
d) Requesting provision, deletion, restriction on processing personal data; submitting requests to oppose processing personal data;
đ) Filing complaints, accusations, initiating lawsuits, requesting compensation for damages as prescribed by law;
e) Requesting competent authorities or organizations, entities, individuals related to processing personal data to implement measures and solutions to protect their personal data as prescribed by law.
2. The obligations of personal data subjects include:
a) Protecting their own personal data;
b) Respecting and protecting other individuals' personal data;
c) Providing complete and accurate personal data as prescribed by law, according to contracts, or when agreeing to allow processing of their personal data;
d) Adhering to laws on personal data protection and participating in preventing and combating activities infringing upon personal data.
3. When exercising their rights and fulfilling their obligations, personal data subjects must comply with the following principles:
a) Acting in accordance with the provisions of the law; adhering to the obligations of personal data subjects as stipulated in contracts. The exercise of rights and fulfillment of obligations by personal data subjects must aim at protecting their legitimate rights and interests;
b) Not causing difficulties or hindrances to the exercise of rights and legal obligations of personal data controllers, controllers and processors, and processors;
c) Not infringing upon the legitimate rights and interests of the State, agencies, organizations, and other individuals.
4. Agencies, organizations, and individuals have the responsibility to create favorable conditions and not cause difficulties or hindrances to the exercise of rights and fulfillment of obligations by personal data subjects as prescribed by law.
5. Upon receiving requests from personal data subjects to exercise their rights as stipulated in Clause 1 of this Article, personal data controllers, controllers and processors must promptly fulfill such requests within the time limit prescribed by law.
The Government shall provide detailed regulations on this matter.
Article 5. Application of Laws on Personal Data Protection
1. Activities for protecting personal data on the territory of the Socialist Republic of Vietnam shall be carried out in accordance with the provisions of this Law and other relevant laws.
2. In cases where laws and resolutions of the National Assembly promulgated before the effective date of this Law contain specific provisions on personal data protection that do not contravene the principles of personal data protection as prescribed by this Law, such provisions shall apply.
3. In cases where laws and resolutions of the National Assembly promulgated after the effective date of this Law contain provisions on personal data protection that differ from those of this Law, they must specify the content of implementation or non-implementation in accordance with this Law, and the content of implementation in accordance with such laws and resolutions.
4. In cases where agencies, organizations, and individuals carry out impact assessments on processing personal data and cross-border transfer of personal data as prescribed by this Law, they are not required to conduct risk assessments on processing personal data and cross-border transfer of personal data as prescribed by laws on data.
Article 6. International Cooperation on Personal Data Protection
1. In compliance with Vietnamese law, international treaties to which the Socialist Republic of Vietnam is a member, and international agreements on personal data protection based on equality, mutual benefit, respect for independence, sovereignty, and territorial integrity.
2. The contents of international cooperation on personal data protection include:
a) Establishing mechanisms for international cooperation to facilitate effective enforcement of laws on personal data protection.
b) Participating in judicial assistance regarding the protection of personal data from other countries.
c) Preventing and combating acts that infringe upon personal data.
d) Training human resources, conducting scientific research, and applying science and technology in personal data protection.
đ) Exchanging experiences in drafting and implementing laws on personal data protection.
e) Transferring technology to serve personal data protection.
3. The Government shall stipulate responsibilities for implementing international cooperation on personal data protection.
Article 7. Prohibited Acts
1. Processing personal data with the intent to oppose the Socialist Republic of Vietnam, affecting national defense, security, public order, social safety, rights, and legitimate interests of agencies, organizations, and individuals.
2. Obstructing activities related to personal data protection.
3. Exploiting personal data protection activities to commit acts violating the law.
4. Processing personal data contrary to legal provisions.
5. Using another person's personal data or allowing others to use one's own personal data to commit acts contrary to legal provisions.
6. Buying and selling personal data, except where otherwise provided by law.
7. Appropriating, intentionally disclosing, or losing personal data.
Article 8. Handling Violations of Laws on Personal Data Protection
1. Organizations and individuals who violate the provisions of this Law and other relevant laws concerning personal data protection may be subject to administrative penalties or criminal liability depending on the nature, severity, and consequences of the violation; if damage is caused, compensation must be made according to the law.
2. Administrative penalty procedures for violations in the field of personal data protection are carried out in accordance with Clauses 3, 4, 5, 6, and 7 of this Article and the law on handling administrative violations.
3. The maximum fine for administrative penalties for the act of buying and selling personal data is ten times the revenue obtained from the violation; if there is no revenue from the violation or the fine calculated based on the revenue obtained from the violation is lower than the maximum fine prescribed in Clause 5 of this Article, then the maximum fine prescribed in Clause 5 of this Article shall apply.
4. The maximum fine for administrative penalties for organizations committing violations of the provision on cross-border transfer of personal data is five percent of the organization's revenue of the preceding year; if there is no revenue of the preceding year or the fine calculated based on the revenue is lower than the maximum fine prescribed in Clause 5 of this Article, then the maximum fine prescribed in Clause 5 of this Article shall apply.
5. The maximum fine for administrative penalties for other violations in the field of personal data protection is three billion Vietnamese dong.
6. The maximum fines prescribed in Clauses 3, 4, and 5 of this Article apply to organizations; for individuals committing the same violation, the maximum fine is half the amount of the fine imposed on organizations.
7. The Government shall stipulate the method for calculating revenue obtained from the implementation of acts violating laws on personal data protection.
Chapter II
PROTECTION OF PERSONAL DATA
Section 1
PROTECTION OF PERSONAL DATA IN THE PROCESS OF PROCESSING PERSONAL DATA
Article 9. Consent of the Personal Data Subject
1. The consent of the personal data subject is the act where the personal data subject permits the processing of their personal data, except as otherwise provided by law.
2. The consent of the personal data subject shall only be effective when it is based on voluntariness and the personal data subject is fully informed of the following information:
a) The type of personal data being processed, the purpose of processing personal data;
b) The data controller or the data controller and processor;
c) The rights and obligations of the personal data subject.
3. The consent of the personal data subject must be expressed in a clear and specific manner, capable of being printed or copied in writing, including electronic form or verifiable format.
4. The consent of the personal data subject must ensure the following principles:
a) Expressing consent for each purpose separately;
b) Not being accompanied by conditions that compel agreement with purposes other than those agreed upon;
c) The consent remains effective until the personal data subject changes their consent or as otherwise prescribed by law;
d) Silence or non-response shall not be considered as consent.
5. The Government shall provide detailed regulations for Clause 3 of this Article.
Article 10. Withdrawal of Consent, Request to Restrict Processing of Personal Data
1. The personal data subject has the right to request withdrawal of consent for the processing of personal data, or to request restriction of the processing of personal data when there is suspicion regarding the scope, purpose of processing personal data, or the accuracy of personal data, except as provided for in Article 19 of this Law or as otherwise prescribed by law.
2. Requests for withdrawal of consent, requests to restrict processing of personal data from the personal data subject must be made in writing, including electronic form or verifiable format, and submitted to the data controller, the data controller and processor. Such requests for withdrawal of consent, requests to restrict processing of personal data shall be carried out in accordance with the law and agreements between the parties.
3. The data controller, the data controller and processor receiving such requests shall implement them and require the data processor to implement the requests for withdrawal of consent, restrictions on processing personal data from the personal data subject within the time frame prescribed by law.
4. Implementation of requests for withdrawal of consent, requests to restrict processing of personal data does not apply to processing activities conducted prior to the personal data subject's request for withdrawal of consent or request to restrict processing of personal data.
Article 11. Collection, Analysis, Aggregation of Personal Data
1. Personal data must be collected with the consent of the personal data subject prior to collection, except as otherwise provided by law.
2. Party and State agencies authorized by law may analyze and aggregate personal data from self-collected sources or shared, provided, transferred, exploited, and used for leadership, guidance, state management, economic and social development as prescribed by law.
3. Organizations and individuals not covered under Clause 2 of this Article may analyze and aggregate personal data from personal data permitted to be processed as prescribed by law.
Article 12. Encryption and Decryption of Personal Data
1. Encrypting personal data means converting personal data into an unrecognizable form unless decrypted; encrypted personal data remains personal data.
2. Personal data classified as state secrets must be encrypted and decrypted in accordance with laws on protecting state secrets and laws on cryptographic security.
3. Authorities, organizations, and individuals decide on the encryption and decryption of personal data in accordance with their personal data processing activities.
Article 13. Modification of Personal Data
1. The subject of personal data may modify their own personal data for certain types of personal data upon agreement with the data controller and the data controller and processor; request the data controller and the data controller and processor to modify their personal data.
2. The data controller and the data controller and processor shall modify personal data following a request from the data subject or according to the provisions of the law; they shall require the data processor and third parties to modify the data subject's personal data.
3. Modifying personal data must ensure accuracy. In cases where personal data cannot be modified due to legitimate reasons, the data controller and the data controller and processor must notify the requesting authority, organization, or individual.
Article 14. Deletion, Destruction, and Anonymization of Personal Data
1. Deletion and destruction of personal data shall be carried out in the following circumstances:
a) At the request of the data subject who accepts potential risks and damages to themselves. Such requests must comply fully with the principles set forth in Clause 3, Article 4 of this Law;
b) When the purpose of processing personal data has been fulfilled;
c) Upon expiration of the retention period as prescribed by law;
d) Pursuant to a decision by a competent state agency;
đ) As agreed upon;
e) In other cases as provided by law.
2. Requests from the data subject regarding deletion and destruction of personal data shall not be implemented in the circumstances stipulated in Article 19 of this Law or if such actions violate the provisions of Clause 3, Article 4 of this Law.
3. The data controller and the data controller and processor shall delete and destroy personal data in the circumstances specified in Clause 1 of this Article or require the data processor and third parties to delete and destroy the data subject's personal data. Deletion and destruction of personal data must be carried out using secure measures; preventing unauthorized access and illegal recovery of deleted and destroyed personal data.
4. Authorities, organizations, and individuals shall not illegally recover deleted and destroyed personal data.
5. The data controller and the data controller and processor, and the data processor have the responsibility to comply with the provisions of this Law. If it is impossible to delete and destroy personal data due to legitimate reasons after receiving a request from the data subject, the data controller and the data controller and processor must notify the data subject.
6. Anonymization of personal data is regulated as follows:
a) Authorities, organizations, and individuals anonymizing personal data are responsible for closely monitoring the anonymization process; preventing unauthorized access, copying, theft, disclosure, and loss of personal data during the anonymization process;
b) Re-identification of anonymized personal data is prohibited, except as otherwise provided by law;
c) Anonymization of personal data must comply with the provisions of this Law and other relevant laws.
Article 15. Provision of Personal Data
1. The subject of personal data provides personal data to agencies, organizations, or individuals in accordance with the provisions of the law or by agreement with such agencies, organizations, or individuals.
2. The data controller, the controller and processor of personal data provide personal data in the following cases:
a) Providing to the subject of personal data at the request of the subject of personal data in compliance with the provisions of the law and agreements with the subject, except where such provision may cause harm to national defense, national security, public order, social safety, or infringe upon the life, health, or property of others;
b) Providing to other agencies, organizations, or individuals when consented to by the subject of personal data, except where otherwise provided by law.
Article 16. Disclosure of Personal Data
1. Personal data can only be disclosed for specific purposes. The scope of disclosure and types of personal data disclosed must be appropriate to the purpose of disclosure. The disclosure of personal data shall not infringe upon the rights and legitimate interests of the subject of personal data.
2. Personal data can only be disclosed in the following cases:
a) With the consent of the subject of personal data;
b) In accordance with the provisions of the law;
c) As specified in Point b Clause 1 Article 19 of this Law;
d) To fulfill obligations under a contract.
3. Disclosed personal data must accurately reflect the original personal data and facilitate agencies, organizations, or individuals in accessing, exploiting, and using such data.
4. Forms of disclosing personal data include: posting data on electronic information websites, electronic portals, mass media, and other forms prescribed by law.
5. Agencies, organizations, or individuals disclosing personal data must strictly control and monitor the disclosure of personal data to ensure compliance with the purpose, scope, and legal provisions; prevent unauthorized access, use, disclosure, copying, modification, deletion, destruction, or other illegal processing of disclosed personal data within their capacity and conditions.
Article 17. Transfer of Personal Data
1. The transfer of personal data is carried out in the following cases:
a) Transferring personal data with the consent of the subject of personal data;
b) Sharing personal data among departments within the same agency or organization to process personal data in accordance with established processing purposes;
c) Transferring personal data to continue processing personal data in cases of division, merger, restructuring, or organizational changes of agencies, organizations, administrative units, and state-owned enterprises; division, merger, consolidation, termination of activities of units or organizations; units or organizations established based on the termination of activities of other units or organizations;
d) The data controller, the controller and processor of personal data transfer personal data to the data processor or third parties for processing personal data as prescribed;
đ) Transferring personal data at the request of competent state authorities;
e) Transferring personal data in cases specified in Clause 1 Article 19 of this Law.
2. The transfer of personal data in the cases specified in Clause 1 of this Article, whether charged or free of charge, shall not be considered as buying or selling personal data.
3. The Government shall provide detailed regulations on this Article.
Article 18. Other Activities in Processing Personal Data
1. The data controller, the controller and processor of personal data, the processor of personal data, and third parties storing personal data in a manner appropriate to their activities shall take measures to protect personal data during storage in accordance with the law.
2. The storage, access, retrieval, connection, coordination, confirmation, authentication of personal data, and other activities affecting personal data shall be carried out in accordance with this Law, data laws, other relevant legal provisions, and agreements between the parties.
3. Priority shall be given to exploiting and using personal data for state management activities and the operations of public service units to pilot certain special mechanisms and policies to create breakthroughs in scientific and technological development, innovation, and national digital transformation.
Article 19. Processing Personal Data Without Consent of the Personal Data Subject
1. Situations where processing personal data does not require consent of the personal data subject include:
a) To protect the life, health, honor, dignity, rights, and legitimate interests of the personal data subject or others in urgent situations; to protect one's own or others' legitimate rights and interests or the interests of the State and organizations from harmful acts in a necessary manner. The data controller, data processor, controller and processor of personal data, and third parties have the responsibility to prove such cases;
b) To address emergency situations; threats to national security that have not yet reached the level of declaring a state of emergency; preventing riots, terrorism, and crime;
c) To serve the activities of state agencies and state management activities as prescribed by law;
d) To implement agreements between the personal data subject and relevant agencies, organizations, or individuals as prescribed by law;
đ) Other cases as prescribed by law.
2. Agencies, organizations, and individuals related to the processing of personal data without the consent of the personal data subject must establish supervisory mechanisms including:
a) Establishing procedures and regulations for processing personal data and determining the responsibilities of agencies, organizations, and individuals during the processing of personal data;
b) Implementing appropriate data protection measures; regularly assessing risks that may occur during the processing of personal data;
c) Conducting periodic reviews and evaluations of compliance with legal provisions, procedures, and regulations for processing personal data;
d) Having mechanisms to receive and process complaints and suggestions from relevant agencies, organizations, and individuals.
Article 20. Cross-Border Transfer of Personal Data
1. Situations involving cross-border transfer of personal data include:
a) Transferring personal data stored in Vietnam to a data storage system located outside the territory of the Socialist Republic of Vietnam;
b) Agencies, organizations, and individuals in Vietnam transferring personal data to entities or individuals abroad;
c) Agencies, organizations, and individuals in Vietnam or abroad using platforms outside the territory of the Socialist Republic of Vietnam to process personal data collected in Vietnam.
2. Agencies, organizations, and individuals transferring personal data across borders must prepare an impact assessment report on cross-border data transfer and submit one original copy to the specialized agency responsible for protecting personal data within sixty days from the first day of cross-border data transfer, except in the case provided for in Clause 6 of this Article.
3. The impact assessment of cross-border data transfer shall be conducted once throughout the operational period of the agency, organization, or individual and updated in accordance with Article 22 of this Law.
4. The specialized agency responsible for protecting personal data decides to conduct periodic inspections of cross-border data transfer not more than once a year or to inspect at random when violations of the law on personal data protection are discovered or when there is a breach of personal data.
5. The specialized agency responsible for protecting personal data decides to require agencies, organizations, and individuals to stop cross-border data transfer when it discovers that the transferred data is being used for activities that could harm national defense and security.
6. Cases where the provisions on impact assessment of cross-border data transfer do not need to be implemented include:
a) Cross-border transfers of personal data by authorized state agencies;
b) Organizations storing personal data of their employees on cloud computing services;
c) The personal data subject transferring their own personal data across borders;
d) Other cases as prescribed by the Government.
7. The Government shall provide detailed regulations for Clauses 1, 5, and 6 of this Article; specify the components of the impact assessment report, conditions, procedures, and processes for conducting the impact assessment of cross-border data transfer.
Article 21. Impact Assessment of Personal Data Processing
1. The personal data controller and the controller and processor of personal data shall establish and retain records of the impact assessment of personal data processing and submit one original copy to the specialized agency responsible for protecting personal data within sixty days from the first day of personal data processing, except in cases provided for in Clause 6 of this Article.
2. The impact assessment of personal data processing shall be conducted once during the entire period of operation of the personal data controller and the controller and processor of personal data, and shall be updated in accordance with Article 22 of this Law.
3. The processor of personal data shall establish and retain records of the impact assessment of personal data processing in agreement with the personal data controller and the controller and processor of personal data, except in cases provided for in Clause 6 of this Article.
4. The specialized agency responsible for protecting personal data shall evaluate and request the personal data controller, the controller and processor of personal data, and the processor of personal data to complete the records of the impact assessment of personal data processing when the records are incomplete or not in compliance with regulations.
5. The personal data controller, the controller and processor of personal data, and the processor of personal data shall update and supplement the records of the impact assessment of personal data processing when there are changes to the contents that have been submitted to the specialized agency responsible for protecting personal data.
6. The competent state authority is not required to implement the provisions on the impact assessment of personal data processing stipulated in this Article.
7. The Government shall specify the components of the records, conditions, procedures, and processes for conducting the impact assessment of personal data processing.
Article 22. Updating Records of the Impact Assessment of Personal Data Processing and Cross-Border Transfer Impact Assessment
1. The records of the impact assessment of personal data processing and cross-border transfer impact assessment shall be updated periodically every six months when there are changes, or updated immediately in the cases provided for in Clause 2 of this Article.
2. The situations requiring immediate updates include:
a) When the organization, entity, or unit is reorganized, ceases operations, dissolved, or declared bankrupt in accordance with the law;
b) When there are changes in information about organizations or individuals providing personal data protection services;
c) When new or changed industries, professions, or services related to personal data processing registered in the records of the impact assessment of personal data processing or cross-border transfer impact assessment arise.
3. The updating of the records of the impact assessment of personal data processing and cross-border transfer impact assessment shall be carried out through the National Portal for Personal Data Protection or at the specialized agency responsible for protecting personal data.
4. The Government shall provide detailed regulations on this matter.
Article 23. Notification of Violations of Personal Data Protection Regulations
1. The personal data controller, the controller and processor of personal data, and third parties who discover violations of personal data protection regulations that may cause harm to national defense, national security, public order, social safety, or infringe upon the life, health, honor, dignity, or property of the personal data subject must notify the specialized agency responsible for protecting personal data no later than seventy-two hours from the time of discovering the violation. In the case where the processor of personal data discovers the violation, they must promptly notify the personal data controller or the controller and processor of personal data.
2. The personal data controller and the controller and processor of personal data must prepare a record confirming the occurrence of the violation of personal data protection regulations, cooperate with the specialized agency responsible for protecting personal data to handle the violation.
3. Agencies, organizations, or individuals shall notify the specialized agency responsible for protecting personal data in the following cases:
a) Discovering a violation of personal data protection regulations;
b) Personal data being processed for purposes other than those agreed upon between the personal data subject and the personal data controller or the controller and processor of personal data;
c) Not ensuring or improperly exercising the rights of the personal data subject;
d) Other cases as prescribed by law.
4. The specialized agency responsible for protecting personal data has the responsibility to receive notifications and handle violations of personal data protection regulations. The personal data controller, the controller and processor of personal data, third parties, and agencies, organizations, or individuals involved have the responsibility to prevent violations, mitigate consequences, and cooperate with the specialized agency responsible for protecting personal data in handling violations of personal data protection regulations.
5. The Government shall specify the content of notifications of violations of personal data protection regulations.
Section 2
PROTECTION OF PERSONAL DATA IN CERTAIN ACTIVITIES
Article 24. Protection of personal data of children, persons who have lost or are restricted in their civil capacity, and persons with difficulties in understanding and controlling their behavior
Clause 1. The protection of personal data of children, persons who have lost or are restricted in their civil capacity, and persons with difficulties in understanding and controlling their behavior shall be carried out in accordance with the provisions of this Law.
Clause 2. For children, persons who have lost or are restricted in their civil capacity, or persons with difficulties in understanding and controlling their behavior, the legal representative shall act on behalf to exercise the rights of the data subject, except for the cases stipulated in Clause 1, Article 19 of this Law. Processing personal data of children for the purpose of publishing or disclosing information about their private life and personal secrets from the age of seven years old and above requires the consent of both the child and the legal representative.
Clause 3. Processing of personal data of children, persons who have lost or are restricted in their civil capacity, and persons with difficulties in understanding and controlling their behavior shall be stopped in the following cases:
Point a. When the person who has given consent under Clause 2 of this Article withdraws such consent for processing personal data of children, persons who have lost or are restricted in their civil capacity, and persons with difficulties in understanding and controlling their behavior, except where otherwise provided by law;
Point b. Upon request of the competent authority when there is sufficient evidence to prove that processing personal data may infringe upon the legitimate rights and interests of children, persons who have lost or are restricted in their civil capacity, and persons with difficulties in understanding and controlling their behavior, except where otherwise provided by law.
Article 25. Protection of personal data in recruitment, management, and use of employees
Clause 1. The responsibility for protecting personal data of agencies, organizations, and individuals in recruiting labor is defined as follows:
Point a. Only information necessary for the recruitment purposes of the recruiting agency, organization, or individual, in compliance with the provisions of the law, may be requested; the provided information can only be used for recruitment purposes and other agreed purposes in compliance with the law;
Point b. Provided information must be processed in accordance with the law and must have the consent of the applicant;
Point c. Information provided by applicants must be deleted or destroyed if they are not recruited, except where otherwise agreed with the applicant.
Clause 2. The responsibility for protecting personal data of agencies, organizations, and individuals in managing and using employees is defined as follows:
Point a. Compliance with the provisions of this Law, labor laws, employment laws, data laws, and other relevant legal provisions;
Point b. Personal data of employees must be stored for the period prescribed by law or as agreed;
Point c. Personal data of employees must be deleted or destroyed when the employment contract is terminated, except where otherwise agreed or provided by law.
Clause 3. Processing of personal data of employees collected through technological and technical measures in employee management is defined as follows:
Point a. Only appropriate technological and technical measures in compliance with the law and ensuring the rights and interests of the data subject, based on the employee's awareness of such measures, may be applied;
Point b. Personal data collected through technological and technical measures contrary to the law may not be processed or used.
Article 26. Protection of personal data for health information and in insurance business activities
1. The protection of personal data for health information and in insurance business activities shall be regulated as follows:
a) There must be the consent of the personal data subject during the collection and processing of personal data, except in cases provided for in Clause 1 of Article 19 of this Law;
b) Fully apply regulations on the protection of personal data and other relevant laws.
2. Agencies, organizations, and individuals operating in the healthcare sector shall not provide personal data to third parties that are service providers for health care services or health insurance, life insurance, unless there is a written request from the personal data subject or in cases provided for in Clause 1 of Article 19 of this Law.
3. Organizations and individuals developing medical applications and insurance business applications must fully comply with regulations on the protection of personal data.
4. In the case where a reinsurance enterprise, ceding reinsurance, and transferring personal data to partners, such matters must be clearly stated in the contract with customers.
Article 27. Protection of personal data in financial, banking activities, and credit information activities
1. Organizations and individuals operating in the financial, banking sectors, and credit information activities have the following responsibilities:
a) Fully implement regulations on the protection of sensitive personal data, security standards in financial and banking operations according to the provisions of the law;
b) Not to use credit information of the personal data subject to score, rank credit, assess credit information, evaluate the credit trustworthiness of the personal data subject without their consent;
c) Only collect necessary personal data for credit information activities from appropriate sources in accordance with this Law and other relevant laws;
d) Notify the personal data subject in the event of exposure or loss of information about bank accounts, finance, credit, and credit information.
2. Organizations and individuals conducting credit information activities must comply with the provisions of this Law; apply measures to prevent unauthorized access, use, disclosure, and modification of customer personal data; have solutions to restore customer personal data in case of loss; ensure security during the collection, provision, and processing of customer personal data for credit information assessment.
3. The Government shall provide detailed regulations on this Article.
Article 28. Protection of personal data in advertising service business activities
1. Organizations and individuals engaged in advertising service business may only use personal data of customers transferred by the data controller or the controller and processor of data in accordance with agreements or collected through their own business activities for advertising purposes. The collection, use, and transfer of personal data must ensure the rights of the personal data subject as stipulated in Article 4 of this Law.
2. Data controllers and processors of data may only transfer personal data to organizations and individuals engaged in advertising service business in accordance with the law.
3. Processing personal data of customers for advertising business purposes must be with the consent of the customer, based on the customer's clear understanding of the content, method, form, and frequency of product promotion; providing methods for customers to refuse promotional information.
4. Using personal data for advertising must comply with the provisions of the law on preventing spam messages, emails, calls, and advertising regulations.
5. Personal data subjects have the right to request cessation of receiving information from advertising services. Organizations and individuals engaged in advertising service business must provide mechanisms and cease advertising upon the request of the personal data subject.
6. Organizations and individuals engaged in advertising service business shall not subcontract or agree for another organization or individual to act on their behalf in performing all advertising services using personal data.
7. Organizations and individuals engaged in advertising service business have the responsibility to prove the use of customer personal data for advertising; comply with the provisions of Clauses 1, 2, 3, and 4 of this Article and advertising regulations.
8. Organizations and individuals when using personal data for targeted or personalized advertising based on specific behavior or goals must comply with the provisions of this Article and the following provisions:
a) May only collect personal data through tracking of websites, online portals, applications with the consent of the personal data subject;
b) Must establish a method allowing the personal data subject to refuse data sharing; determine storage time; delete, destroy data when no longer needed.
Article 29. Protection of personal data for social media platforms and online communication services
Organizations and individuals providing social media services and online communication services shall have the following responsibilities:
1. Clearly inform the content of personal data collected when the personal data subject installs and uses social media and online communication services; do not collect personal data illegally or beyond the scope agreed with customers;
2. Shall not require the provision of images or videos containing full or partial identity documents as account verification factors;
3. Provide options allowing users to refuse the collection and sharing of data files (called cookies);
4. Provide an option for "do not track" or only track usage activities on social media and online communication services with the user's consent;
5. Shall not eavesdrop, intercept or record calls and read text messages without the consent of the personal data subject, except where otherwise provided by law;
6. Publicize privacy policies, clearly explain the methods of collecting, using, and sharing personal data; provide users with mechanisms to access, edit, delete data and set privacy settings for personal data, report security and privacy violations; protect the personal data of Vietnamese citizens when transferring data across borders; establish a quick and effective process for handling violations related to personal data protection.
Article 30. Protection of personal data in processing big data, artificial intelligence, blockchain, virtual universes, cloud computing
1. Personal data in big data environments, artificial intelligence, blockchain, virtual universes, and cloud computing must be processed for legitimate purposes within necessary limits, ensuring the rights and lawful interests of the personal data subjects.
2. Processing of personal data in big data environments, artificial intelligence, blockchain, virtual universes, and cloud computing must comply with the provisions of this Law and other relevant laws; conform to ethical standards and Vietnamese customs and traditions.
3. Systems and services using big data, artificial intelligence, blockchain, virtual universes, and cloud computing must integrate appropriate personal data security measures; must use suitable authentication and identification methods and access control to process personal data.
4. Processing of personal data using artificial intelligence must classify according to risk levels to implement appropriate personal data protection measures.
5. Shall not develop or use systems for processing big data, artificial intelligence, blockchain, virtual universes, and cloud computing that use personal data to harm national defense, national security, public order, social safety, or infringe upon the lives, health, honor, dignity, property of others.
6. The Government shall provide detailed regulations for this Article.
Article 31. Protection of personal data for location data and biometric data
1. Location data is data determined through positioning technology to identify location and help identify specific individuals.
2. Biometric data is data about physical attributes, unique and stable biological characteristics of an individual to identify that person.
3. The protection of personal data for location data is regulated as follows:
a) Shall not apply tracking through radio frequency identification tags and other technologies, except with the consent of the personal data subject or in cases required by competent authorities under the law or where otherwise provided by law;
b) Organizations and individuals providing mobile application platforms must notify users about the use of location data; take measures to prevent the collection of location data from unrelated organizations and individuals; provide users with options to track location data.
4. The protection of biometric data is regulated as follows:
a) Agencies, organizations, and individuals collecting and processing biometric data must have physical security measures for devices storing and transmitting biometric data; limit access to biometric data; have a monitoring system to prevent and detect biometric data breaches; comply with legal regulations and relevant international standards;
b) In cases where processing biometric data causes damage to the personal data subject, the organization or individual collecting and processing biometric data must notify the personal data subject in accordance with government regulations.
Article 32. Protection of Personal Data Obtained from Audio and Video Recording Activities in Public Places and Public Events
1. Agencies, organizations, and individuals may record audio and video and process personal data obtained from audio and video recording activities in public places and public events without the consent of the personal data subject in the following cases:
a) To perform national defense tasks, protect national security, ensure social order and safety, and protect the rights and legitimate interests of agencies, organizations, and individuals;
b) Sounds, images, and other identification information obtained from public events including conferences, seminars, sports competitions, artistic performances, and other public events that do not harm the dignity, reputation, or credibility of the personal data subject;
c) Other cases as provided by law.
2. In cases of audio and video recording as stipulated in Clause 1 of this Article, agencies, organizations, and individuals shall have the responsibility to notify or inform the personal data subject through other means that they are being recorded, except where otherwise provided by law.
3. Personal data obtained may only be processed and used for the intended purpose, and may not be used for unlawful purposes or to infringe upon the rights and legitimate interests of the personal data subject.
4. Personal data obtained from audio and video recording activities in public places and public events may only be stored for the necessary period to serve the purpose of collection, except where otherwise provided by law. When the storage period expires, personal data must be deleted and destroyed in accordance with the provisions of this Law.
5. Agencies, organizations, and individuals implementing audio and video recording and processing personal data obtained from such recordings in the cases stipulated in Clause 1 of this Article shall have the responsibility to protect personal data in accordance with the provisions of this Law and other relevant laws.
Chapter III
FORCES AND CONDITIONS TO ENSURE THE PROTECTION OF PERSONAL DATA
Article 33. Forces for Protecting Personal Data
1. The forces for protecting personal data include:
a) Specialized agencies responsible for protecting personal data under the Ministry of Public Security;
b) Departments and personnel responsible for protecting personal data within agencies and organizations;
c) Organizations and individuals providing personal data protection services;
d) Organizations and individuals mobilized to participate in protecting personal data.
2. Agencies and organizations shall have the responsibility to designate departments and personnel with the necessary qualifications to protect personal data or to hire organizations and individuals providing personal data protection services.
3. The Government shall specify the conditions and duties of departments and personnel responsible for protecting personal data within agencies and organizations; organizations and individuals providing personal data protection services; and personal data processing services.
Article 34. Technical Standards and Specifications for Protecting Personal Data
1. Technical standards for protecting personal data include standards for information systems, hardware, software, management, operation, processing, and protection of personal data published and recognized for application in Vietnam.
2. Technical specifications for protecting personal data include technical specifications for information systems, hardware, software, management, operation, processing, and protection of personal data developed, issued, and applied in Vietnam.
3. The issuance of technical standards and specifications for protecting personal data shall be carried out in accordance with the provisions of the law on technical standards and specifications.
Article 35. Inspection of Personal Data Protection Activities
The inspection of personal data protection activities shall be carried out in accordance with this Law and the regulations of the Government.
Chapter IV
RESPONSIBILITIES OF ORGANIZATIONS, ENTITIES, AND INDIVIDUALS FOR PERSONAL DATA PROTECTION
Article 36. State Management Responsibilities for Personal Data Protection
1. The Government shall uniformly implement state management responsibilities for personal data protection.
2. The Ministry of Public Security shall be the lead agency responsible before the Government to carry out state management responsibilities for personal data protection, except for matters within the purview of the Ministry of National Defense.
3. The Ministry of National Defense shall be responsible before the Government to carry out state management responsibilities for personal data protection within its purview.
4. Ministries, agencies at the level of ministries, and government agencies shall implement state management responsibilities for personal data protection in their respective sectors and fields under their purview as prescribed by law and their assigned functions and tasks.
5. Provincial People's Committees shall implement state management responsibilities for personal data protection in accordance with the law and their assigned functions and tasks.
Article 37. Responsibilities of Data Controllers, Data Processors, and Joint Controllers and Processors
1. Responsibilities of Data Controllers are as follows:
a) Clearly specify the responsibilities, rights, and obligations that must be adhered to by all parties in agreements and contracts related to personal data processing in accordance with this Law and other relevant laws;
b) Determine the purpose and means of personal data processing in documents and agreements with personal data subjects, ensuring compliance with principles and contents stipulated in this Law;
c) Implement appropriate management and technical measures to protect personal data in accordance with the law, review and update these measures when necessary;
d) Report violations of personal data protection regulations as provided for in Article 23 of this Law;
đ) Select suitable data processors to process personal data;
e) Ensure the rights of personal data subjects as provided for in Article 4 of this Law;
g) Be liable to personal data subjects for damages caused by personal data processing;
h) Prevent unauthorized collection of personal data from their systems, equipment, and services;
i) Cooperate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information for investigation and handling violations of personal data protection laws;
k) Fulfill other responsibilities as prescribed by this Law and other relevant laws;
2. Responsibilities of Data Processors are as follows:
a) Only accept personal data after reaching an agreement or contract on personal data processing with the data controller or joint controller and processor;
b) Process personal data strictly in accordance with the agreements and contracts signed with the data controller or joint controller and processor;
c) Fully implement personal data protection measures as prescribed by this Law and other relevant laws;
d) Be liable to the data controller or joint controller and processor for damages caused by personal data processing;
đ) Prevent unauthorized collection of personal data from their systems, equipment, and services;
e) Cooperate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information for investigation and handling violations of personal data protection laws;
g) Fulfill other responsibilities as prescribed by this Law and other relevant laws;
3. Joint controllers and processors shall fulfill all provisions set forth in Clause 1 and Clause 2 of this Article.
Chapter V
IMPLEMENTING PROVISIONS
Article 38. Effective Date
1. This Law shall take effect from January 1, 2026.
2. Small enterprises and start-ups have the right to choose whether to comply with the provisions of Articles 21 and 22 and Clause 2 of Article 33 of this Law within five years from the date this Law takes effect, except for small enterprises and start-ups operating personal data processing services, directly processing sensitive personal data, or processing personal data of a large number of data subjects.
3. Individual households and micro-enterprises are not required to comply with the provisions of Articles 21 and 22 and Clause 2 of Article 33 of this Law, except for individual households and micro-enterprises operating personal data processing services, directly processing sensitive personal data, or processing personal data of a large number of data subjects.
4. The Government shall provide detailed regulations on Clause 2 and Clause 3 of this Article.
2. Circular No. 47/2016/TT-BCA dated November 14, 2016, issued by the Minister of Public Security on the registration and inspection of civilian watercraft (hereinafter referred to as Circular No. 47/2016/TT-BCA), shall cease to be effective from the date this Circular comes into force.
1. Personal data processing activities that have been agreed upon or contracted according to the Decree No. 13/2023/NĐ-CP dated April 17, 2023 of the Government prior to the effective date of this Law may continue without needing renewed consent or agreement.
2. Impact assessment files for personal data processing and cross-border transfer of personal data files prepared in accordance with the Decree No. 13/2023/NĐ-CP dated April 17, 2023 of the Government and accepted by the specialized personal data protection agency before the effective date of this Law may continue to be used and do not need to prepare new impact assessment files for personal data processing and cross-border transfer of personal data under this Law; updates to these files after the effective date of this Law shall be conducted in accordance with this Law.
This Law was passed by the National Assembly of the Socialist Republic of Vietnam, the 15th term, the 9th session on June 26, 2025.
|
SPEAKER OF THE NATIONAL ASSEMBLY (Signed) Tran Thanh Man |
원본 문서(PDF)
관계도
문서를 클릭하면 열립니다. 빨간 테두리=효력을 변경하는 관계.