⚠️ COMPLIANCE GUIDE
Vietnam Data Protection
Compliance Guide 2026
Everything you need to know about PDPD (Decree 13/2023) and the Cybersecurity Law
⚠️ KEY TAKEAWAY
Vietnam's Personal Data Protection Decree (PDPD) has been in effect since July 1, 2023. Businesses must obtain explicit consent and implement security measures, and they may face penalties of up to 5% of annual revenue for serious violations.
This law applies to ALL businesses processing data of Vietnamese citizens, regardless of where the business is located.
1. Overview of Vietnam's Data Protection Laws
Vietnam's data protection framework consists of two main pieces of legislation:
Personal Data Protection Decree (PDPD) - Decree 13/2023/NĐ-CP
Effective July 1, 2023, this is Vietnam's first comprehensive personal data protection law. It establishes:
- Rights for individuals (data subjects) regarding their personal data
- Obligations for businesses processing personal data
- Consent requirements and legal bases for processing
- Cross-border data transfer rules
- Penalties for violations
Cybersecurity Law - Law 24/2018/QH14
Effective January 1, 2019, this law focuses on:
- Data localization requirements for certain businesses
- Cybersecurity measures and incident response
- Government access to data for security purposes
⚠️ Who Must Comply?
ANY business that collects, stores, or processes personal data of Vietnamese citizens—including foreign companies selling to Vietnamese customers, employing Vietnamese workers, or partnering with Vietnamese businesses.
2. Key Compliance Requirements
Consent Requirements
You must obtain explicit, informed consent before collecting personal data:
- Clear language: In Vietnamese, easy to understand
- Specific purpose: Explain why you need the data
- Freely given: Cannot be bundled with unrelated services
- Withdrawable: Users must be able to revoke consent easily
Data Subject Rights
Vietnamese citizens have the right to:
- ✓ Know what data you hold about them
- ✓ Access a copy of their data
- ✓ Correct inaccurate information
- ✓ Delete their data (with exceptions)
- ✓ Restrict how their data is processed
- ✓ Port their data to another provider
- ✓ Object to certain types of processing
Sensitive Personal Data
Extra protections apply to "sensitive" categories:
- Health and medical information
- Biometric data (fingerprints, facial recognition)
- Genetic data
- Political/religious views
- Sexual orientation
- Criminal records
- Financial/credit information
- Location data
✅ Impact Assessment Required
Processing sensitive data requires a Data Protection Impact Assessment (DPIA) and may require registration with the Ministry of Public Security.
3. Penalties for Non-Compliance
| Violation Type | Penalty (VND) | Penalty (USD) |
|---|---|---|
| Minor violations (incomplete privacy policy, poor documentation) | 20-40 million | ~$800-1,600 |
| Moderate violations (collecting data without proper consent) | 40-60 million | ~$1,600-2,400 |
| Serious violations (selling personal data, major breaches) | 60-100 million | ~$2,400-4,000 |
| Very serious violations (gross negligence, repeated offenses) | Up to 5% of annual revenue | Varies |
| Criminal violations (intentional harm, data theft) | Up to 7 years imprisonment | |
4. Data Localization Requirements
Under the Cybersecurity Law, certain businesses must store data locally in Vietnam:
Who Must Localize?
- Telecommunications services operating in Vietnam
- Internet-based services (social networks, e-commerce, online games)
- Services that collect, analyze, or process personal data of Vietnamese users
What Data Must Be Localized?
- Personal data of Vietnamese users
- Data about user relationships
- Data created by users in Vietnam
⚠️ Cross-Border Data Transfers
Transferring personal data outside Vietnam requires a documented Impact Assessment and appropriate safeguards. Transfers to countries without adequate protection may require additional measures or government approval.
5. Compliance Checklist
📋 Essential Compliance Steps
6. Frequently Asked Questions
Does PDPD apply to foreign companies?
Yes. If you process personal data of Vietnamese citizens, PDPD applies regardless of where your business is headquartered. This includes foreign e-commerce sites, SaaS companies, and any business with Vietnamese customers or employees.
How is PDPD different from GDPR?
While PDPD and GDPR are similar in many ways, key differences include stricter data localization requirements, different penalty structures, registration requirements for sensitive data, and specific provisions for government data access. GDPR compliance is a good foundation but doesn't guarantee PDPD compliance.
Can I use AWS/Azure/GCP for Vietnamese data?
Yes, but with caveats. Singapore-based regions are commonly used for Vietnam-serving workloads. For certain data categories (government, critical infrastructure), local Vietnam storage may be required. Implement encryption and access controls for cross-border transfers.
Do I need a Data Protection Officer (DPO)?
PDPD doesn't explicitly require a DPO like GDPR does. However, businesses processing large volumes of personal data or sensitive data should designate someone responsible for data protection compliance.
What's the timeline for compliance?
The law is already in effect (since July 2023). Businesses should be compliant now. If you're not yet compliant, prioritize privacy policy updates, consent mechanisms, and security measures as immediate actions.

