Last review date: 2 January 2025
☒ omnibus – all personal data
☒ sector-specific
e.g., banking, consumer protection, healthcare, telecommunications
☒ constitutional
Last review date: 2 January 2025
Last updated date: 2 January 2025
Last review date: 2 January 2025
Last review date: 2 January 2025
Yes.
To enforce new privacy requirements under the PDPD, the Government has been working on a draft decree on administrative sanctions in the field of cybersecurity ("CASD"). The latest version of the draft CASD, submitted to the Ministry of Justice for appraisal in May 2024, maintained the previously proposed GDPR-type fine of 5% of the offender's total revenue of the preceding fiscal year in Vietnam. Additional sanctions and remedial measures under the draft CASD remain substantially unchanged, including license revocation, confiscation of the means used to process personal data, and mandatory cessation of data processing for 1-3 months. The issuance schedule of the CASD remains to be seen.
The Data Law, which will take effect on 1 July 2025, seeks to regulate digital data in general, which can encompass personal and non-personal data. The Law introduces new requirements regarding different forms of data processing, such as overseas transfer of important data and core data, and data disclosure to State authorities. Data-related products and services such as data intermediary, data analysis and synthesis, and data exchange are also captured. The Law delegates the Government to provide detailed regulations for guidance purposes.
Vietnam is also drafting a Personal Data Protection Law (PDPL), which is aimed at providing a comprehensive legal framework on personal data protection with a higher legal effect than the current PDPD. Under the latest version released for public consultation, the draft PDPL proposed to regulate personal data processing in specific contexts such as marketing, behavioral and targeted advertising, big data processing, AI, cloud computing, recruitment and employment monitoring, banking and finance, social networks, and media services. It also addresses specific categories of personal data, including health and insurance data, location data, biometric data, credit data, and children's data. The draft PDPL is expected to be enacted in May 2025 and take effect on 1 January 2026.