On September 24, 2024, the Vietnamese government released the first draft of a new Law on Personal Data Protection (PDPL) for public consultation. The draft law is set to take effect on January 1, 2026, and is open for public comments until November 24, 2024.
Developed by the Ministry of Public Security (MPS), the draft PDPL consists of 68 articles across seven chapters. It builds upon the existing Personal Data Protection Decree (PDPD), offering more comprehensive regulations covering areas such as marketing, behavioral advertising, big data, artificial intelligence, employee monitoring, financial data, healthcare, and more.
The draft law is expected to be reviewed and adopted by the National Assembly in May 2025. While no transition period is provided for compliance, micro-enterprises, SMEs, and startups are exempt from appointing a data protection department for the first two years of operation. However, these businesses are still required to comply with other aspects of the law.
Key Features of the Draft PDPL
- Expanded Scope: The PDPL applies to all domestic and foreign entities involved in personal data processing within Vietnam, as well as those processing data of Vietnamese individuals abroad.
- Strict Consent Requirements: Consent remains the primary legal basis for processing personal data. New provisions emphasize obtaining informed consent from data subjects, especially for sensitive data such as health records and biometric data. Silence or non-response will not be considered consent.
- Data Protection Impact Assessments (DPIA) and Transfer Impact Assessments (TIA): Organizations are required to conduct DPIAs and TIAs every six months or following significant changes in data processing activities.
- Data Protection Obligations for Enterprises: Companies must establish a data protection department, appoint a personal data protection expert, and adhere to other regulatory requirements for compliance.
- Exemption for MSMEs: Micro-enterprises, SMEs, and startups are exempted from appointing a data protection department for their first two years, though they must comply with all other obligations.
- Data Breach Notifications: Enterprises must notify authorities within 72 hours of any data breach incidents.
- Personal Data Protection Certification: A certification system will be introduced, enabling businesses to earn trust ratings based on their compliance with personal data protection standards.
- Prohibition of Personal Data Sales: The draft law prohibits the sale of personal data in any form.
Data Protection in Specific Sectors
The draft law also includes provisions for specific sectors such as finance, banking, and credit information services. For example, financial institutions are prohibited from buying or selling credit information, must obtain explicit consent for credit assessments, and are required to notify individuals in case of data breaches involving financial accounts.
Challenges and Compliance Considerations
While the PDPL aims to align Vietnam’s data protection framework with international standards, challenges remain. For instance, the interaction between the new PDPL and the existing PDPD is unclear. Additionally, unlike the GDPR, the PDPL does not recognize “legitimate interest” as a legal basis for data processing, which could pose challenges for businesses.
The draft law represents a significant step toward strengthening personal data protection in Vietnam. Businesses are encouraged to review the draft and provide feedback during the consultation period to ensure compliance and prepare for the law’s implementation by 2026.