Data Protection in Vietnam
Data protection laws in Vietnam
On 26 June 2025, Law No. 91/2025/QH15 on Personal Data Protection (“PDPL”) was officially enacted by the National Assembly and took effect on 1 January 2026. This elevated the regulatory framework from decree-level provisions to statutory law. Subsequently, Decree No. 356/2025/ND-CP of the Government elaborating on certain articles and implementation measures of the Law on Personal Data Protection (“Decree 356”) was promulgated on 31 December 2025 as the guiding decree for the PDPL, taking effect on the same date as the PDPL. Decree 356 formally announced the replacement of Decree No. 13/2023/ND-CP of the Government dated 17 April 2023 on Personal Data Protection (“PDPD”).
The PDPL and Decree 356 prescribe general data protection principles, covering:
- Comply with the provisions of the Constitution, the PDPL, and other relevant laws.
- Personal data may only be collected and processed within a specific and clearly defined scope and purpose, ensuring compliance with the law.
- Ensure the accuracy of personal data and allow it to be corrected, updated, or supplemented when necessary; store personal data for a period appropriate to the purpose of processing, unless otherwise provided by law.
- Effectively and synchronously implement appropriate institutional, technical, and human measures and solutions to protect personal data.
- Proactively prevent, detect, stop, combat, and strictly and promptly handle any violations of the law on personal data protection.
- Personal data protection must be associated with the protection of national and ethnic interests, serve socio-economic development, and ensure national defense, security, and foreign affairs; and ensure harmony between personal data protection and the protection of the lawful rights and interests of agencies, organizations, and individuals.
The PDPL and Decree 356 serve as the principal legal framework governing personal data protection in Vietnam. However, beyond these core instruments, a number of other general laws and sector‑specific regulations also establish rights and obligations concerning personal data, which organizations must comply with in parallel. For instance:
- The Cybersecurity Law (together with its guiding legislation) sets out key requirements on data localization and the establishment of branches or representative offices by foreign service providers. These obligations will be discussed further below.
- The Data Law, which governs both personal and non‑personal data, classifies data into “important data,” “core data,” and “other data.” Organizations that process important or core data are subject to additional security, assessment, and compliance obligations. The Data Law also regulates data‑related products and services, and governs the establishment and operation of the national database system and the national data center.
Definitions in Vietnam
Definition of personal data
Under the PDPL, personal data is defined as digital data or information in other forms that identifies or helps to identify a specific individual. Personal data is classified into two categories: “basic personal data” and “sensitive personal data”. Personal data, once de-identified, is no longer considered personal data.
“Basic personal data” is defined as personal data reflecting common personal details and background information, frequently used in transactions and social relations. Decree 356 further specifies the scope of basic personal data by providing a detailed list that includes:
- surname, middle name, and birth name, alias (if any);
- date of birth, date of death or date of going missing;
- gender;
- place of birth, place of birth registration, place of permanent residence registration, place of temporary residence registration, current residence, hometown, contact address;
- nationality;
- personal image;
- phone number, personal identification number, passport number, driver's license number, plate number;
- marital status;
- family relationship information (parents, children, spouse);
- digital account information; and
- information associated with an individual or used to identify an individual other than sensitive personal data.
Definition of sensitive personal data
Sensitive personal data is defined as personal data in association with individual privacy which, when being infringed, will directly affect the legal rights and interests of agencies, organizations, and individuals. Decree 356 further specifies the scope of sensitive personal data by providing a detailed list that includes:
- data revealing racial origin or ethnic origin;
- political, religious, and belief-related views;
- information on private life, personal secrets, and family secrets;
- health conditions;
- biometric data and genetic characteristics;
- data revealing an individual’s sexual life or sexual orientation;
- data about crime and violations of law collected and stored by law enforcement agencies;
- personal location data identified via location services;
- information on login names and passwords used to access an individual’s electronic identification account; images of ID cards, citizen ID cards, and 9-digit ID cards;
- login names and passwords for access to bank accounts;
- bank card information;
- data on transaction history of bank accounts;
- financial and credit information and information relating to customers’ activities and transaction histories in the areas of finance, securities, and insurance held by credit institutions, foreign bank branches, intermediary payment service providers, securities institutions, insurers, and other authorized organizations;
- data monitoring behavior and activities related to the use of telecommunications services, social networks, online communication services, and other services in cyberspace; and
- other specific personal data as specified by law to be kept confidential and subject to strict confidentiality measures.
Definition of data controller, data processor, data controller-processor and third party
The PDPL provides definitions and roles of different stakeholders involved in the collection and processing of personal data with their respective obligations, notably:
Data controller
A data controller is an agency, organization or individual that decides the purposes and means of processing personal data. The controller is responsible for serving privacy notices to and obtaining consent from the data subjects, preparing and filing with the authority a Data Processing Impact Assessment (“DPIA”) (in the capacity of data controller) and a Cross-border Transfer Impact Assessment (“TIA”) (if considered a data transferor), notifying the authority of violations of regulations on personal data protection (including data breaches), ensuring and honoring the data subjects’ rights, etc.
Data processor
A data processor is an agency, organization or individual that processes data as requested by the controller via a contract. Accordingly, the processor must receive and process personal data strictly in compliance with the contract or agreement with the controller. In particular, the law requires the processor to receive personal data only after concluding an agreement or contract on personal data processing with the controller, and to process personal data in compliance with that agreement or contract. The processor is responsible for preparing and filing with the authority a DPIA (in the capacity of a data processor) and a TIA (if considered a data transferor), notifying the controller of violations of regulations on personal data protection (including data breaches), etc.
Data controller-processor
A data controller-processor is an agency, organization or individual that decides the purposes and means of processing, and directly processes, personal data. Consequently, the controller-processor must comply with responsibilities of the controller and processor (if applicable).
Third party
A third party is defined as an organization or individual other than the data subject, data controller, data controller-processor, or the data processor that participates in the personal data processing according to the law.
Definition of personal data processing
Under the PDPL, “personal data processing”, or “processing”, is rather broad. It refers to activities that impact personal data, including one or more of the following: collection, analysis, aggregation, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer of personal data, or other activities that affect personal data. With such a wide and open-ended definition of personal data processing, it appears that all types of activities related to personal data could be considered processing of personal data and therefore subject to the requirements prescribed by the PDPL.
National data protection authority in Vietnam
Following the streamlining and reorganization of the state administrative apparatus in 2025, the Ministry of Public Security (“MPS”), particularly the Department for Cybersecurity and High-tech Crime Prevention and Fighting (“A05”), has been designated as the primary authority responsible for regulating and enforcing Vietnam’s data‑related laws and regulations, notably including personal data protection, data governance, and cybersecurity.
In particular for personal data protection, the MPS is responsible for the following tasks:
- to develop, promulgate, or submit to competent state authorities for promulgation, and guide the implementation of legislative documents guiding the implementation of the law on personal data protection;
- to develop, manage, and operate the National Information Portal for Personal Data Protection;
- to assess, conduct preliminary and final reviews of the results of personal data protection activities carried out by relevant agencies, organizations and individuals;
- to request cyberspace service providers to:
  - store data and establish branches or representative offices in Vietnam (if applicable); and
  - provide users' information to serve investigations into cybersecurity crime;
- to request cyberspace service providers to delete illegal data uploaded to their services and/or systems; and
- through Vietnam Cyber Emergency Response Teams/Coordination Center (“VNCERT/CC”), a workforce under the A05, to act as the National Coordination Center for response to cybersecurity incidents and information security testing.
In addition to the MPS, ministries responsible for sector‑specific laws and regulations (e.g., banking and finance, education, healthcare, natural resources and environment, culture, sports and tourism, etc.) also oversee personal data processing activities carried out by organizations within their respective sectors.
Registration in Vietnam
There is no general requirement under current Vietnamese laws whereby organizations must register themselves, or their personal data processing activities, with the local authorities. That being said, organizations that collect and/or process personal data of Vietnamese citizens and/or persons of Vietnamese origin without determined nationality residing in Vietnam who have been issued with identification certificates are required to prepare and submit a DPIA to the authority (i.e. the A05). This DPIA filing requirement applies to organizations regardless of whether the organization processes personal data in the capacity of data controller or data processor.
The DPIA must be prepared in accordance with standard forms and templates prescribed under the law and be made available at all times for the inspection and evaluation by the A05. In addition, the controller / processor / controller-processor must send an original copy of the DPIA to the A05 within 60 days from the date of the personal data processing. The A05 will then appraise the DPIA, issue assessment results and request revision if it finds that the DPIA is incomplete or non-compliant. The DPIA must be reviewed and updated on a periodic basis every six months, or promptly within ten days following the occurrence of material changes specified under the law.
Registration of data processing activities under sector-specific laws/regulations
If an organization’s data processing activities are subject to specific registration and/or notification requirements under sector-specific laws or regulations, the organization must additionally comply with such requirements. For instance, registrations apply to data processing service providers, providers of data-related products and services, cloud service providers, telecommunication service providers, etc.
Data protection officers in Vietnam
Agencies and organizations must:
- establish an internal Data Protection Department (“DPD”) and/or
- appoint a Data Protection Officer (“DPO”) with adequate capacity, or hire an external personal data protection service provider to handle the personal data protection obligations of the organization.
Information on such a DPD and/or DPO (or the external DPO service providers (if any)) must be declared in the DPIA and the TIA dossiers submitted to the authority.
The Decree 356 sets out specific qualifications of the person eligible to be appointed as a DPO or a member of DPD.
The appointment of a DPD / DPO must be made in the form of a written decision made by the company (i.e. a board resolution or a letter of appointment signed by the company's legal representative and affixed with the stamp of the company), and a copy of this written decision is required to be submitted alongside the DPIA / TIA dossiers. Where an organization hires an external DPO, the corresponding service contracts must be executed and submitted together with the DPIA / TIA dossiers.
Collection and processing in Vietnam
According to Vietnamese laws, the primary legal basis for the processing of personal information is consent given by the data subject (exemptions are available in certain cases, as discussed further below). Accordingly, consent requirements are among the most important regulations under the PDPL.
Consent obtained from the data subjects must be clear, specific and must be capable of being verified as to whether the data subject has given consent, including the time and scope of such consent. Consent must be voluntarily made based on the data subject's full understanding of:
- the type of personal data to be processed and the purpose of the personal data processing;
- the data controller or data controller-processor;
- the data subject's rights and obligations; and
- the data to be processed that is sensitive personal data, if any.
In addition, consent must be expressed clearly and specifically in a format that can be printed out or reproduced in writing, including in electronic or verifiable formats, including in writing, by recorded phone calls, in consent syntax via mobile text messages, via email, websites, platforms, or applications with technical mechanisms established to obtain consent, and other appropriate methods. Silence or non-response by the data subject is not construed as consent. Furthermore, consent must be made for each purpose. That is to say, multiple purposes need to be demonstrated in a way that data subjects can give consent to one or more of them.
Additionally, the consent of the data subject must not be accompanied by conditions requiring mandatory consent to purposes other than those agreed upon in the content of the agreement.
Circumstances where consent can be exempted:
- to protect the life, health, honour, dignity, and legitimate rights and interests of the data subject or others in urgent cases; or to protect one’s own or others’ legitimate rights or benefits, or benefits of the State or agencies/organizations in a necessary manner against infringement on such rights or benefits. The controller, processor, controller-processor and third party are responsible for proving such situation;
- to address emergency situations or threats to national security that have not yet reached the level requiring the declaration of a state of emergency; to prevent and combat riots and terrorism, crimes, and violations of the law;
- to serve the operations of state agencies and the state management according to the law;
- to carry out the agreement between the data subject and a relevant agency, organization, or individual according to the law;
- to conduct audio and video recording and to process personal data obtained from audio and video recording activities in public places and public activities in certain cases as prescribed by law; and
- other cases according to the law.
Data subjects are allowed to withdraw their consent at any time, provided that such request to withdraw consent is made in accordance with statutory conditions. However, such consent withdrawal shall not apply to the processing activities that occur before the withdrawal request. The consent withdrawal request must be expressed in writing, including in electronic or verifiable formats.
Transfer of personal data in Vietnam
In general, if a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including group companies and its vendors/data processors), the data controller must inform the data subjects and obtain prior explicit consent from the data subjects, unless otherwise regulated by law.
Cross-border transfer requirements under PDPL
Decree 356 regulates the following cases as cross-border transfers of personal data:
- Personal data storage activities that involve the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam or to cloud computing services provided by foreign service providers;
- Activities involving the transfer of personal data by agencies, organizations, or individuals in Vietnam to recipients that are organizations or individuals located overseas;
- Activities involving the processing of personal data collected in Vietnam and transferred to platforms outside the territory of the Socialist Republic of Vietnam for further processing.
Organizations transferring data across borders from Vietnam to overseas (“data transferors”) are required to prepare and submit a TIA to the authority (MPS), unless an exemption applies.
As regards exemptions, cases that are not required to comply with regulations on conducting the TIA include:
- cross-border transfer of personal data by competent state authorities;
- agencies or organizations storing the personal data of their employees on cloud computing services;
- personal data subjects transferring their own personal data across borders;
- journalism and media activities in accordance with the law;
- cross-border transfers of personal data that have been publicly disclosed in accordance with the law;
- in emergency situations where it is truly necessary to provide personal data across borders in order to protect the life, health, or property safety of individuals; or to perform tasks and obligations as prescribed by law;
- cross-border personal data transfers for the purpose of cross-border personnel management in accordance with labor rules, internal regulations, and collective labor agreements as prescribed by law; and
- provision of personal data across borders for the purpose of entering into contracts or carrying out procedures related to cross-border transportation, logistics, remittance, payment, hotel bookings, visa applications, or scholarship applications.
A TIA (and also DPIA) submitted in accordance with the PDPD, which was received by the authority before the effective date of the PDPL (1 January 2026), shall continue to be valid and shall not be required to be re-prepared in accordance with the PDPL/Decree 356. That said, if any updates must be made to the above-mentioned dossiers after the effective date of the PDPL, these must comply with the provisions of the PDPL.
Moreover, small and start-up enterprises may enjoy a five-year exemption from the TIA (and DPIA and DPO) requirements if they meet the conditions required by law. Business households and micro-enterprises may be exempted from the TIA (and DPIA and DPO) requirements if they meet the conditions required by law.
The TIA must be prepared in accordance with the statutory forms and templates, and be made available at all times for inspection and evaluation by the A05/MPS. In addition, the transferor must also send one original copy of the TIA to the A05 within 60 days from the date of the personal data transfer. Within 15 days from the submission date, the A05 will appraise the TIA and request the transferor to revise the dossier if it finds that the TIA is incomplete or insufficiently meets the legal requirements. The transferor will then have 30 days to update and submit the updated TIA dossier to the A05. Failure to meet this timeframe could result in the transferor facing administrative sanctions in line with the law. The TIA must be reviewed and updated on a periodic basis every six months, or promptly within ten days following the occurrence of material changes specified under the law.
Cross-border transfer requirement under Data Law
The Data Law also requires a data transferor to prepare and file with the regulator (also the MPS) a cross-border data transfer and processing impact assessment (TIA), which is different and separate from the TIA requirement under the PDPL. In particular, the TIA requirements under the Data Law apply to cross-border transfers of data classified as “important data” and “core data”.
Most of the data classified as “important data” or “core data” under the Data Law consists of data collected and/or managed by state agencies that has not been made public. However, the list also includes non-governmental data, including data involving a “significant amount of personal data”. In particular, non-governmental data classified as important data and core data includes the following:
- Non-governmental data classified as “important data”:
- basic citizen data of 100,000 or more Vietnamese citizens;
- sensitive citizen data of 10,000 or more Vietnamese citizens; and
- data on bank accounts, payment history, and debt obligations of 10,000 or more Vietnamese enterprises or organizations.
- Non-governmental data classified as “core data”:
- basic citizen data of 1,000,000 or more Vietnamese citizens;
- sensitive citizen data of 100,000 or more Vietnamese citizens; and
- data on bank accounts, payment history, and debt obligations of 100,000 or more Vietnamese enterprises or organizations.
However, a TIA under the Data Law could be exempted if both of the following conditions are met:
- the data being transferred is “important data” or “core data” under the category of “significant personal data” under the Data Law framework (as discussed above); and
- the data transferor has already complied with the TIA requirements prescribed under the PDPL.
Note that this exemption applies only to cross‑border transfers of core or important data that fall under the category of “significant personal data”. If the cross‑border transfer involves other categories of core or important data, a TIA under the Data Law would still be required.
Additional data localization requirements
In addition to the above TIA requirements, data localization could also be imposed on certain businesses providing services in Vietnam. The data localization requirements are regulated in various legal documents, notably including:
Requirements under Decree 147 on Internet
- Domestic information websites (e.g., aggregated news/information websites) and domestic social networks must store service users’ data in servers identified by IP addresses in Vietnam.
Requirements under Cybersecurity Law
- Domestic and foreign companies providing services on telecommunications networks, the Internet, or value-added services in cyberspace in Vietnam who engage in the collecting, exploiting/using, analyzing and/or processing of data (including personal information, data about service users' relationships and data generated by service users) must store such data in Vietnam for a specified period to be stipulated by the Government. Foreign enterprises providing telecoms and online services to customers in Vietnam may be required to locally store certain customer-related data in Vietnam for a certain period prescribed by law if the authority alerts them that their services / online platforms have been used to commit violations of Vietnam’s laws but such online service providers fail to remedy the situation upon the request of the authority. The government is updating the data localization requirements under the Cybersecurity Law. It is anticipated that the updated requirements will be submitted to the Prime Minister for consideration in April 2026.
Data transfer agreement
A data transferor and its data recipient must have an agreement in place that includes the following mandatory content elements:
- The purpose, method, and scope of data export, and the purpose and method of data processing by the data recipient;
- The location and duration of data storage, and data processing measures upon expiration of the storage period or completion of the agreed objectives;
- Binding requirements on the data recipient regarding the provision of transferred data to third parties;
- Data protection measures to be applied by the data recipient;
- Remedial measures, compensation for damages, liability for breach of contract, and dispute resolution measures in relation to violations of data protection obligations; and
- Responsibilities of the parties in data processing.
Security in Vietnam
Organizations must take necessary managerial or technical measures to ensure that the personal information shall not be lost, stolen, disclosed, modified or destroyed. Remedial measures must be taken immediately if personal information is being or is likely to be disclosed or destroyed.
A data controller must classify information based on its secrecy in order to take appropriate protection measures. Agencies and organizations that use classified and unclassified information in activities within their fields must develop regulations and procedures for processing information, and determine the content and method of recording authorized access to classified information.
In addition, there are certain key data protection requirements under Decree 356, among others:
- The transfer of sensitive personal data must be subject to physical security measures for storage and transmission devices, encryption measures, anonymization of personal data, and other security measures during the transfer process.
- In cases where personal data is shared between departments within the same agency or organization for processing in accordance with the established processing purposes, the agency or organization must develop procedures to control the sharing and use of personal data in compliance with regulations; and implement measures to prevent internal personnel from unlawfully sharing personal data with third parties.
- Personal data stored on cloud computing platforms must be encrypted both at rest and in transit, and must be subject to strict access control.
- There are also other specific requirements in relation to AI, big data, banking/finance, metaverse, blockchain, etc. that enterprises will need to pay attention to (e.g., organizations and individuals shall apply personal data protection measures within AI systems, the metaverse, and blockchain systems, among others, including conducting annual compliance assessments with personal data protection regulations).
Breach notification in Vietnam
The laws of Vietnam have introduced a general requirement for the reporting and notification of actual or suspected personal information security incidents. A data breach reporting / notification requirement in Vietnam will be triggered if the data incident falls within any of the following scenarios:
- Scenario 1. The affected data system is located in Vietnam.
- Scenario 2. The incident occurs to providers of the following services:
  - telecommunication services;
  - data storage and sharing in cyberspace;
  - services providing national or international domain names to service users in Vietnam;
  - e-commerce;
  - online payment;
  - payment intermediary;
  - connecting transportation in cyberspace;
  - social networks and social media;
  - online games; and
  - other services that provide, manage and operate information in cyberspace in the form of messages, voice calls, video calls, email, or online chatting.
- Scenario 3. The incident causes “significant loss” to the legitimate rights and interests of the affected Vietnamese persons.
Under Scenario 1, where there is a data security incident, organizations must promptly take relevant measures to mitigate and notify relevant data subjects and / or relevant competent State authorities, as the case may be, in a timely manner, e.g. 5 days after detection of the security incident, and must provide an update on the incident status when it is completely resolved. Affected organizations and individuals must be notified of the data incident if the incident falls under Scenario 2 or Scenario 3.
In the case of an incident under Scenario 1 that is beyond the control of the organization, the operator of the information system must immediately prepare an initial report on the incident to report such incident to the relevant agencies and a final report on response to the incident within five days after finishing responding to the incident. Moreover, if the information system of a trader, organization or individual engaged in e-commerce is attacked causing risk of loss of consumer’s information, the data controller must notify the authorities within 24 hours after the detection of incident.
Normally, the data controller would be required to give relevant notifications to the following State authorities:
- Local police agency (i.e. the A05 under the MPS with regard to offshore service providers, or the provincial police department where the head office of the data controller is located); and
- VNCERT/CC.
That said, the government is reviewing the notification requirements in Scenarios 1 – 3 above. Thus, the foregoing procedure may be subject to change in the near future.
- Scenario 4: The PDPL sets out a reporting requirement that upon detection of any violation against regulations on personal data protection which may cause harm to national defense, national security, social order and safety, or infringe upon the life, health, honor, dignity, or property of a data subject, the controller, controller-processor, or third party must notify the specialized personal data protection authority no later than 72 hours from the time the violation is detected. In cases where a data processor detects a violation, it must promptly notify the data controller or the data controller-processor.
The information to be notified will include:
- A description of the nature of the violation of personal data protection regulations, including: time, location, acts committed, organizations and individuals involved, types of personal data, and the quantity of data concerned;
- Contact details of the personal data protection department or personnel, or of the organization or individual providing personal data protection services;
- A description of the possible consequences and damage resulting from the violation of personal data protection regulations; and
- A description of the measures taken to address and mitigate the harm caused by the violation of personal data protection regulations.
Thereafter, the controller, controller-processor, or the third party shall prepare written minutes confirming the occurrence of the violation of the regulations on personal data protection, and coordinate with the A05 to handle the violation. In practice, as the 72-hour timeframe is very tight, more often than not, data controllers find it very challenging to comply with this timeframe.
In addition to the four scenarios mentioned above, data breach notification requirements are also imposed by sector-specific laws and regulations, such as those governing financial services, e-commerce services, etc.
Enforcement in Vietnam
Depending on the specific data protection laws and regulations breached, the sanctions for data protection breaches are scattered across various laws and regulations. In general, the major type of sanction is an administrative penalty. For example, failure to obtain the prior consent of data subjects to the collection, processing and use of their information is subject to a monetary fine ranging from VND 10 million to VND 20 million (approx. USD 400 to USD 800). In serious cases, under the Criminal Code, any person who illegally uses information on a computer or telecommunications network may be liable to a monetary fine ranging from VND 30 million to VND 1 billion (approx. USD 1,200 to USD 40,000), or face a penalty of up to 3 years' community sentence or 6 months - 7 years' imprisonment; the offender may additionally be liable to a monetary fine ranging from VND 20 million to VND 200 million (approx. USD 800 to USD 8,000) or be prohibited from holding certain positions or doing certain jobs for 1 - 5 years.
The PDPL also sets out a general framework under which administrative fines depend on the type of violation. The maximum fine for the sale and purchase of personal data is 10 times the revenue from the sale or VND 3 billion (about USD 115,000), whichever is higher. The maximum fine for cross-border transfer violations is 5% of the violator’s revenue of the preceding year or VND 3 billion, whichever is higher. The maximum fine for other violations is capped at VND 3 billion. However, to actually impose such fines, the regulator will need to issue a Decree on Sanctioning. As of 2026, the MPS is preparing to promulgate the Draft Decree on Sanctioning, and the document is expected to be presented to the Government in April 2026. The official issuance timeline, nonetheless, remains unclear. Once this decree takes effect, the MPS will have a basis to start imposing sanctions for non-compliance with the requirements under the PDPL.
In addition, the MPS will launch the National Portal of Personal Data Protection to receive impact assessment filings and reports of violations of the PDPL. With this portal, companies are expected to be more exposed to inspection actions in this area, as the portal aims to enable data subjects such as employees or clients to easily report a company’s non-compliance with the PDPL and breaches of their personal data.
Electronic marketing in Vietnam
According to Vietnam’s anti-spam regulation (i.e. Decree No. 91/2020/ND-CP on anti-spam text messages, emails and calls), advertisements by text message, email and call may only be sent or made in compliance with specific requirements, notably including:
- it is prohibited to send advertising messages or make advertising calls to phone numbers on the Do-Not-Call Register;
- for phone numbers not included in the Do-Not-Call Register, only one initial advertising registration message (i.e. a message inquiring whether the user would like to receive advertising communications from the advertiser) is allowed;
- if the user refuses to receive advertising messages after receiving the initial advertising registration message, no further advertising message is allowed;
- immediately after receiving a refusal request from a user, the advertiser must stop sending advertising messages or emails, or making advertising calls, to that user;
- no more than three advertising messages / three advertising emails / one advertising call per day may be sent or made to the same user;
- advertising messages are only allowed from 7 a.m. to 10 p.m.; advertising calls are only allowed from 8 a.m. to 5 p.m.; and
- advertising contents must comply with advertising laws.
Organizations are not allowed to hide their names or unlawfully use the names of others when sending advertisements via e-mail or text message. Specific information must be stated in each electronic message: for example, information about the advertiser and the advertising service provider, an opt-out function (for refusing further advertisements), and a label identifying the message as “QC” or “ADV” (“QC” is the Vietnamese abbreviation for advertisement).
Online privacy in Vietnam
Data on tracking behavior and activity in the use of telecommunications services, social networks, online communications and other services in cyberspace are explicitly classified as sensitive personal data under the PDPL. Accordingly, the use of cookies and other online tracking technologies is subject to the rules on personal data protection under the PDPL (as discussed above). For example, online service providers must obtain users’ prior consent before certain technologies (e.g. cookies, location services) are activated.
In general, if a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including group companies and the controller's vendors/data processors), the data controller must inform the data subjects and obtain their prior explicit consent, unless otherwise regulated by law.
Cross-border transfer requirements under PDPL
Decree 356 regulates the following cases as cross-border transfers of personal data:
- Personal data storage activities that involve the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam or to cloud computing services provided by foreign service providers;
- Activities involving the transfer of personal data by agencies, organizations, or individuals in Vietnam to recipients that are organizations or individuals located overseas;
- Activities involving the processing of personal data collected in Vietnam and transferred to platforms outside the territory of the Socialist Republic of Vietnam for further processing.
Organizations conducting cross-border transfers of data from Vietnam to overseas (“data transferors”) are required to prepare and submit a TIA to the authority (MPS), unless an exemption applies.
As regards exemptions, the cases that are not required to comply with the regulations on conducting a TIA include:
- cross-border transfer of personal data by competent state authorities;
- agencies or organizations storing the personal data of their employees on cloud computing services;
- personal data subjects transferring their own personal data across borders;
- journalism and media activities in accordance with the law;
- cross-border transfers of personal data that have been publicly disclosed in accordance with the law;
- in emergency situations where it is truly necessary to provide personal data across borders in order to protect the life, health, or property safety of individuals; or to perform tasks and obligations as prescribed by law;
- cross-border personal data transfers for the purpose of cross-border personnel management in accordance with labor rules, internal regulations, and collective labor agreements as prescribed by law; and
- provision of personal data across borders for the purpose of entering into contracts or carrying out procedures related to cross-border transportation, logistics, remittance, payment, hotel bookings, visa applications, or scholarship applications.
A TIA (or DPIA) submitted in accordance with the PDPD and received by the authority before the effective date of the PDPL (1 January 2026) continues to be valid and is not required to be re-prepared in accordance with the PDPL/Decree 356. That said, if any updates must be made to the above-mentioned dossiers after the effective date of the PDPL, these must comply with the provisions of the PDPL.
Moreover, small and start-up enterprises may enjoy a five-year exemption from the TIA (and DPIA and DPO) requirements if they meet the conditions required by law. Business households and micro-enterprises may be exempted from the TIA (and DPIA and DPO) requirements if they meet the conditions required by law.
The TIA must be prepared in accordance with the statutory forms and templates, and be made available at all times for inspection and evaluation by the A05/MPS. In addition, the transferor must send one original copy of the TIA to the A05 within 60 days from the date of the personal data transfer. Within 15 days from the submission date, the A05 will appraise the TIA and request the transferor to revise the dossier if it finds that the TIA is incomplete or does not sufficiently meet the legal requirements. The transferor will then have 30 days to update and submit the updated TIA dossier to the A05. Failure to meet these timeframes could result in the transferor facing administrative sanctions in line with the law. The TIA must be reviewed and updated periodically every six months, or promptly within ten days following the occurrence of material changes specified under the law.
Cross-border transfer requirement under Data Law
The Data Law also requires a data transferor to prepare and file with the regulator (also the MPS) a cross-border data transfer and processing impact assessment (TIA), which is different from and separate to the TIA requirements under the PDPL. In particular, the TIA requirements under the Data Law apply to cross-border transfers of data classified as “important data” and “core data”.
Most of the data classified as “important data” or “core data” under the Data Law consists of data collected and/or managed by state agencies that has not been made public. However, the list also includes non-governmental data, including data involving a “significant amount of personal data”. In particular, non-governmental data classified as important data and core data includes the following:
- Non-governmental data classified as “important data”:
  - basic citizen data of 100,000 or more Vietnamese citizens;
  - sensitive citizen data of 10,000 or more Vietnamese citizens; and
  - data on bank accounts, payment history, and debt obligations of 10,000 or more Vietnamese enterprises or organizations.
- Non-governmental data classified as “core data”:
  - basic citizen data of 1,000,000 or more Vietnamese citizens;
  - sensitive citizen data of 100,000 or more Vietnamese citizens; and
  - data on bank accounts, payment history, and debt obligations of 100,000 or more Vietnamese enterprises or organizations.
However, a TIA under the Data Law could be exempted if both of the following conditions are met:
- the data being transferred is “important data” or “core data” under the category of “significant personal data” under the Data Law framework (as discussed above); and
- the data transferor has already complied with the TIA requirements prescribed under the PDPL.
Note that this exemption applies only to cross‑border transfers of core or important data that fall under the category of “significant personal data”. If the cross‑border transfer involves other categories of core or important data, a TIA under the Data Law is still required.
Additional data localization requirements
In addition to the above TIA requirements, data localization obligations may also be imposed on certain businesses providing services in Vietnam. These requirements are set out in various legal documents, notably including:
Requirements under Decree 147 on Internet
- Domestic information websites (e.g., aggregated news/information websites) and domestic social networks must store service users’ data in servers identified by IP addresses in Vietnam.
Requirements under Cybersecurity Law
- Domestic and foreign companies providing services on telecommunications networks, the Internet, or value-added services in cyberspace in Vietnam that engage in the collection, exploitation/use, analysis and/or processing of data (including personal information, data about service users' relationships and data generated by service users) must store such data in Vietnam for a period to be stipulated by the Government. Foreign enterprises providing telecoms and online services to customers in Vietnam may be required to store certain customer-related data locally in Vietnam for a period prescribed by law if the authority notifies them that their services / online platforms have been used to commit violations of Vietnam’s laws and they fail to remedy the situation upon the authority's request. The government is updating the data localization requirements under the Cybersecurity Law. It is anticipated that the updated requirements will be submitted to the Prime Minister for consideration in April 2026.
Data transfer agreement
A data transferor and its data recipient must have an agreement in place that includes the following mandatory content elements:
- The purpose, method, and scope of data export, and the purpose and method of data processing by the data recipient;
- The location and duration of data storage, and data processing measures upon expiration of the storage period or completion of the agreed objectives;
- Binding requirements on the data recipient regarding the provision of transferred data to third parties;
- Data protection measures to be applied by the data recipient;
- Remedial measures, compensation for damages, liability for breach of contract, and dispute resolution measures in relation to violations of data protection obligations; and
- Responsibilities of the parties in data processing.