Aligning Business Practices with Vietnam’s New Personal Data Protection Laws

On June 26, 2025, Vietnam enacted the LPDP, a milestone that upgrades and consolidates the country’s privacy regime. It builds on Decree 13, which has guided personal data protection since July 1, 2023. The LPDP creates a single, strong framework to protect privacy. And Vietnam has not stopped there. In September 2025, the Ministry of Public Security released a draft decree to implement the LPDP (“Draft Decree”). It provides guidance for key LPDP provisions. Enterprises and individuals that process personal data in Vietnam should stay alert to the country’s privacy regime. Rules are being created and implemented quickly, and enforcement is catching up.
WHAT ARE THE KEY OBLIGATIONS AND COMPLIANCE CHALLENGES UNDER THE LPDP?
The LPDP becomes effective on January 1, 2026 and will co-exist with Decree 13. It consolidates most of the existing rules under Decree 13, adds further requirements and provides guidance on implementation. If a company is already compliant with Decree 13, significant changes to core data governance are not required. However, changes in certain fields such as marketing and AI may be necessary.
One of the key obligations that carries on from Decree 13 is the obligation to prepare, submit and maintain a data processing impact assessment (“DPIA”) and an offshore data transfer impact assessment (“DTIA”). These impact assessments, once submitted to the authorities, must be updated every 6 months if there is any change or immediately upon the occurrence of (i) a corporate restructuring or cessation of business, (ii) a change of the personal data protection service provider, or (iii) expansion or amendment of the business scope, that concerns the processing of personal data.
The LPDP waives the requirement for a DTIA in cases where the data subject personally transmits his or her own data overseas (for example, a data subject uses services provided by an offshore entity).
On the other hand, unlike Decree 13, which is silent on the specific requirements for a data protection officer (“DPO”), the LPDP introduces a general DPO framework but defers the specifics to the Draft Decree, which will become a secondary instrument when adopted. Earlier LPDP drafts proposed demanding requirements and conditions for the DPO and the personal data service provider, but such restrictive language has been omitted from the final text. The current version of the Draft Decree fills the gap by establishing concrete qualifications for a DPO, which, among other requirements, include having attended a course and passed a qualifying test administered by a licensed Vietnamese institute.
HOW ARE CROSS-BORDER DATA TRANSFERS REGULATED, AND WHAT PRACTICAL APPROACHES ARE COMPANIES TAKING?
The LPDP does not create a new, standalone regime for cross-border transfers. Instead, it builds on Decree 13 by strengthening existing obligations, such as preparing and maintaining a DTIA, by clarifying the definition of “cross-border transfer” and by carving out several limited exemptions. As a result, organizations that already comply with Decree 13 for outbound transfers will not need to change their current approach in any material way. However, new obligations arise under the Law on Data and its implementing instruments, and companies operating in Vietnam should be aware of them.
The Law on Data and its implementing instruments introduce separate duties that companies operating in Vietnam must track closely if their data will flow across Vietnam’s borders. Under this framework, data owners must perform risk assessments, conduct impact assessments for cross-border transfers and processing, and complete prescribed procedures, including obtaining prior approval where Core Data or Essential Data are involved. Decree 165/2025 and Prime Minister’s Decision 20/2025 further specify that, in certain circumstances, a dataset containing personal data may be classified as Core Data or Essential Data. In practice, maintaining a rigorous data inventory and granular data-flow maps is indispensable to align business operations with these layered legal requirements.
TO WHAT EXTENT DOES THE LPDP ALIGN WITH OR DIVERGE FROM GLOBAL STANDARDS SUCH AS THE EU’S GDPR?
At a high level, Vietnam’s LPDP tracks global standards, particularly the GDPR, with extraterritorial reach, familiar principles (purpose limitation, data minimization, transparency), and comparable rights for data subjects. However, the LPDP operates differently.
The LPDP is firmly consent-centric. As a rule, processing requires freely given, specific, informed, and unambiguous consent, with a separate consent for sensitive data. Narrow exemptions exist (e.g., legal obligations, emergency, life or health protection, contractual necessity, or limited “legitimate interests”), but they all function as exceptions and not as broad alternative legal bases. Notably, the LPDP recognizes “legitimate interests” as a concept, though still in a restricted form.
Beyond personal data rules, companies must account for the Law on Data’s parallel controls. This dual-track system emphasizes classification of data and clearly demonstrates that national security and public interest are given priority. Regulators retain discretion to scrutinize and, in some cases, pre-approve cross-border data flows. By contrast, the GDPR relies on adequacy decisions, appropriate safeguards (notably Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)), and limited derogations for specific situations.
In practical terms, a GDPR-compliant program can be a good baseline for companies in Vietnam. However, Vietnam’s approach will require an additional layer of work, including data classification, impact and risk assessments and filings or approvals. Companies operating in Vietnam should build these steps into their practices and monitor evolving guidance.

HOW ARE REGULATORS IN VIETNAM ENFORCING THE LAW — AND WHAT IS THE CURRENT ENFORCEMENT LANDSCAPE?
The LPDP confirms that the Ministry of Public Security, specifically the Department of Cybersecurity and High-Tech Crime Prevention (“A05”), is the lead enforcer. A05 also leads enforcement of the Law on Data, reconfirming Vietnam’s policy posture: national security and public interest can outweigh commercial convenience and commercial interests.
However, as with other regulations in Vietnam, the strict framework operates mainly as a deterrent. Companies are expected to maintain dossiers, filings, and records ready for inspection. In 2024, A05 launched the first LPDP compliance inspection program, requiring selected organizations to submit reports and respond to inquiries. Even without a finalized sanctions framework and with a limited target set, the program signaled the future: documentation-heavy inspections. The aim of the program was also to understand implementation challenges and to create a business-friendly regime while making clear that self-enforced compliance is the default.
Channels for public complaints are also expanding. The National Portal of Personal Data Protection enables anyone to report violations. This increases the likelihood that investigations will begin with complaints or tips, rather than from random audits. Although the LPDP strengthens enforcement by introducing stricter penalties (including revenue-linked fines for serious violations such as trading personal data), in practice most cases originate from complaints or targeted inspections. This approach reinforces the deterrent effect while a comprehensive sanctions framework is expected to follow soon after January 1, 2026.
CONCLUSION
Vietnam’s LPDP marks a decisive shift from fragmented guidance to a unified, consent-centric regime, one that mirrors global privacy principles while including Vietnam-specific controls and documentation expectations. For organizations already aligned with Decree 13 or the GDPR, the path forward only requires recalibration and refinement.
In practice, a successful compliance program should include the following steps:
• build and maintain a data inventory and data-flow maps;
• operationalize DTIA/DPIA updates;
• prepare for DPO qualifications once finalized;
• tighten cross-border transfer practices, especially where Core or Essential Data may be implicated; and
• prepare incident and inquiry response with complete audit trails.
With complaint channels expanding and inspections heavily reliant on paperwork, strong documentation is both the first line of defense and the fastest route to establish compliance.

Le Ton Viet, Senior Associate, Russin & Vecchi V