Decree 13 and Beyond: Navigating Vietnam’s Stricter Data Privacy Laws in 2026 

Navigating Vietnam’s data privacy laws has become the top priority for businesses in 2026. If you’ve been keeping an eye on Southeast Asia’s tech scene, you know Vietnam has been moving fast. But as of January 1, 2026, the “move fast and break things” era is officially getting a massive regulatory upgrade.

The days of navigating a patchwork of vague decrees are over. Vietnam is stepping into its role as a Regulatory Fortress with the Law on Personal Data Protection (PDPL – Law No. 91/2025/QH15). For the BPO (Business Process Outsourcing) and tech sectors, this isn’t just another legal update—it’s a total shift in how business is done. 

Here’s what you need to know to navigate the “Decree 13 and Beyond” landscape without getting caught in the crosshairs.

From Patchwork to Powerhouse: The Legal Shift 

Historically, Vietnam’s data rules were scattered across telecommunications and cybersecurity laws. It was a bit like trying to build a LEGO set without the manual. Decree 13 (2023) gave us the manual, but it lacked the statutory teeth to truly change behavior. 

That changed on June 26, 2025, when the National Assembly passed the PDPL. Alongside Decree No. 356/2025/ND-CP, this law is now the supreme authority. It effectively ends the confusion, placing data privacy at the center of Vietnam’s socio-economic strategy. 

The Legislative Evolution at a Glance 

| Phase | Legal Instrument | Impact on Businesses |
|---|---|---|
| Pre-2023 | Scattered Laws (Cybersecurity 2018) | High ambiguity; minimal enforcement. |
| 2023–2025 | Decree No. 13/2023/ND-CP | First major framework; introduced DPIAs. |
| 2026+ | PDPL (Law No. 91/2025/QH15) | Supreme law; revenue-based fines; global reach. |

The Nationality Rule: Does This Apply to You? 

One of the most striking features of the 2026 PDPL is its extraterritorial reach. It doesn’t matter if your servers are in Singapore or your office is in Manila—if you process the data of Vietnamese citizens, you are under the jurisdiction of the Ministry of Public Security (MPS). 

This is a massive deal for the offshore BPO sector. If a firm in India handles customer support for a Vietnamese retail app, they are now legally bound by Vietnamese law. 

Redefining Sensitive: Your Data Just Got Heavier 

The PDPL splits data into Basic and Sensitive categories. However, the 2026 classification system (via Decree 356) adds a layer of complexity for the financial and BPO sectors. 

  • Basic Data: Names, DOB, gender, marital status, and ID numbers. 
  • Sensitive Data: Health records, genetic data, biometric data, and religious beliefs. 
  • The 2026 Update: Bank account details and transaction history are now officially Sensitive. 

The consequences? Any BPO processing financial data must now appoint a Data Protection Officer (DPO) and a dedicated Data Protection Department (DPD), regardless of company size. 

 

The Security First Mindset 

Unlike the European GDPR, which is built on a Human Rights philosophy, Vietnam’s data privacy laws are enforced through a National Security lens. The primary enforcer is the Department for Cybersecurity and High-tech Crime Prevention (A05).

This means the government expects proactive reporting. If there’s a data leak—even if it hasn’t caused confirmed harm yet—you must notify authorities. Privacy in Vietnam is inextricably linked to social order and national defense.  

Consent: No More Check All Boxes 

Bundled consent is officially dead. In 2026, every single reason for processing data needs its own explicit Yes. 

  • Granularity is Key: Marketing, service delivery, and third-party sharing each need separate approvals. 
  • Silence is Not Consent: You cannot assume a user agrees just because they didn’t say no. 
  • Auditable Proof: You must be able to prove consent in a verifiable electronic format. 

 

The Clock is Ticking: New Response Timelines 

One of the most practical changes in 2026 is the relaxation of the old 72-hour rule for all requests, which was honestly a nightmare for operations. Decree 356 introduces more realistic, yet still strict, timelines: 

Data Subject Request Timelines (2026) 

| Request Type | Acknowledgment | Implementation |
|---|---|---|
| Access / Correction | 2 Working Days | 10 Days |
| Withdrawal of Consent | 2 Working Days | 15 Days |
| Deletion of Data | 2 Working Days | 20 Days |

Mandatory Homework: DPIA and CTIA 

If you are doing business in 2026, you have 60 days from the start of processing to file your impact assessments with the MPS. 

  1. DPIA (Data Processing Impact Assessment): A deep dive into what you process and how you mitigate risk. This must be updated every six months. 
  2. CTIA (Cross-border Transfer Impact Assessment): If data leaves Vietnam (or is even stored on a global cloud), this is your most critical document. It must detail the recipient’s security standards and how you’ll coordinate during a breach. 

Sector-Specific Gotchas 

  • HR & Recruitment: If you don’t hire a candidate, you must delete their data. If an employee leaves, their data must be purged immediately. Employee monitoring (like tracking computer usage) now requires explicit, separate consent. 
  • AI & Tech: The AI Law (effective March 2026) requires people-centered design. High-risk AI, like facial recognition or credit scoring, faces mandatory technical audits. 
  • The Law on Data: If you handle Core Data (over 1 million citizens’ basic info), the scrutiny intensifies even further. 

The Ouch Factor: 5% of Revenue 

This is where the boardrooms start paying attention. Vietnam has shifted to revenue-based deterrence, much like the guidelines established by the International Association of Privacy Professionals (IAPP) for global data standards.

  • Cross-border Violations: Fines up to 5% of prior-year revenue or 3 Billion VND (~$115k), whichever is higher. 
  • Illegal Data Trading: Fines of 10x the illegal gain. 

A data protection fine is no longer a “cost of doing business”; it’s a potential existential threat to the company.

Your 2026 Compliance Roadmap 

  1. Audit Your Data: Map everything. Is it basic or sensitive? Where is it stored? 
  2. Appoint Your DPO: Don’t wait until January. Get your Data Protection Officer and Department in place now. 
  3. Update Vendor Contracts: Ensure your BPO partners are ready for the 20-day deletion rule. 
  4. Prepare the DPIA/CTIA: Start drafting these dossiers. The MPS will be looking for them come Q1 2026. 

The Bottom Line 

Vietnam isn’t just a low-cost outsourcing destination anymore; it’s becoming a sophisticated, regulated digital hub. By aligning with the PDPL now, you aren’t just avoiding fines—you’re building the currency of trust that will define the winners of the 2026 digital economy. 
