NEED-TO-KNOW LEGAL ISSUES IN PERSONAL DATA PROTECTION

1. OVERVIEW

  • Promulgation and Entry into Force: The Law on Personal Data Protection (Law No. 91/2025/QH15) was passed by the National Assembly on June 26, 2025. The Government issued Decree No. 356/2025/ND-CP on December 31, 2025 to detail its implementation. Both instruments take effect on January 1, 2026, from which date Decree No. 13/2023/ND-CP ceases to have effect.
  • Scope and Regulated Entities: The Law applies to Vietnamese agencies, organizations and individuals; foreign agencies, organizations and individuals in Vietnam; and foreign entities directly participating in or involved in processing the personal data of Vietnamese citizens and of persons of Vietnamese origin of undetermined nationality residing in Vietnam who have been issued identification certificates.
  • Transitional Provisions: Personal data processing carried out with the data subject's consent, or under agreements concluded in accordance with Decree No. 13/2023/ND-CP, before the Law takes effect may continue without new consent being obtained. Impact assessment dossiers for personal data processing and cross-border transfer received by the authorities before the effective date remain in use, but any update made after that date must comply with the new Law. Notably, small enterprises and startups may choose whether or not to apply the rules on preparing impact assessment dossiers and designating personal data protection personnel for 5 years from the effective date. This exemption does not apply to an entity that provides personal data processing services, directly processes sensitive personal data, or processes the data of 100,000 or more data subjects. Household businesses and micro-enterprises are eligible for the same exceptions under similar conditions.

2. KEY ISSUES TO NOTE

Firstly, Classification and Principles of Personal Data Processing

  • Main Content: Personal data is divided into two groups. Basic personal data includes surname, middle name and given name, date of birth, place of residence, phone number, images of the individual, etc. Sensitive personal data includes religious opinions, health status, biometric data and genetic characteristics, financial, banking and credit information, location data, etc. Personal data may be collected and processed only with the data subject's consent, except in specific cases such as protecting the life or health of the data subject or others in urgent situations or responding to emergencies.
  • Legal Basis: Article 2, Article 9 and Article 19 of the Law on Personal Data Protection 2025; Article 3, Article 4, and Article 5 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: When processing sensitive personal data, agencies and organizations must establish rules on access authorization and restriction, processing procedures and confidentiality measures. Personal data controlling parties and personal data controlling and processing parties must develop clear procedures and forms through which data subjects can exercise their rights (such as withdrawing consent or requesting deletion). Response and implementation timelines are strictly regulated: the agency or organization must respond within 02 working days and complete implementation within 10 to 30 days depending on the type of request (e.g. 10 days for modification, 15 days for cessation of processing, 20 days for deletion).
  • Relevant Entities: All individuals, enterprises and organizations that collect or store customer or employee information.

Secondly, Preparation of Impact Assessment Dossiers for Personal Data Processing and Cross-border Transfer

  • Main Content: Personal data controlling parties, personal data controlling and processing parties, and personal data processing parties must prepare impact assessment dossiers when processing personal data or transferring it across borders. Cross-border transfer includes transferring personal data collected and stored in Vietnam to server systems or cloud computing services located outside the territory of Vietnam.
  • Legal Basis: Articles 20, 21 and 22 of the Law on Personal Data Protection 2025; Articles 17 to 20 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: The relevant entity must prepare and send 01 original complete dossier to the personal data protection authority (Ministry of Public Security) within 60 days from the date processing or cross-border transfer begins. Dossiers must be updated every 6 months if the purposes of transfer or processing, or the parties involved, change, and within 10 days in cases of reorganization, termination of operations, or the launch of a new business service involving personal data processing.
  • Relevant Entities: Personal data controlling and processing parties, particularly foreign entities and organizations using international software solutions or cross-border cloud platforms.

Thirdly, Assignment of Forces, Units, and Personnel for Personal Data Protection

  • Main Content: Agencies and organizations are responsible for designating personal data protection units or personnel with adequate capacity or hiring independent personal data protection service providers.
  • Legal Basis: Article 33 of the Law on Personal Data Protection 2025; Articles 13 to 16 of Decree No. 356/2025/ND-CP
  • Conditions, Procedures and Obligations: Designated personnel must hold at least a college-level degree and have at least 02 years of working experience (03 years for individuals providing the service on a hired basis) in fields such as legal affairs, information technology, risk management or compliance control, and must have completed training in legal knowledge and professional skills relating to personal data protection. The designation of personnel or a unit must be formalized in a written document of the agency or organization.
  • Relevant Entities: All agencies, organizations and enterprises. However, small enterprises, startups, household businesses and micro-enterprises may choose whether or not to apply these personnel rules for 05 years from the effective date of the Law. This exemption does not apply to an entity that provides personal data processing services, directly processes sensitive personal data, or processes the data of 100,000 or more data subjects.

Fourthly, Notification of Incidents and Violations of Personal Data Protection

  • Main Content: Whenever a violation of personal data protection regulations is detected that may harm national defense, security, social order and safety, or infringe on the life, health, honor, dignity or property of data subjects, organizations and individuals must notify the competent authorities.
  • Legal Basis: Article 23 of the Law on Personal Data Protection 2025; Articles 8, 28, and 29 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: Notification to the personal data protection authority (Ministry of Public Security) must be made within 72 hours of detecting the violation. The personal data controlling party or personal data controlling and processing party must prepare a written record confirming the violation, implement remedial measures and cooperate with the personal data protection authority in handling it.
    Special Note: Organizations operating in finance, banking and credit information, and any organization whose incident involves personal location data or biometric data, must notify both the personal data protection authority and the affected data subjects within 72 hours of detecting the violation.
  • Relevant Entities: Entities collecting personal data on a large scale, providers of platform or application services that handle personal location data, banks, credit institutions, securities companies and insurers.

Fifthly, Business of Providing Personal Data Processing Services

  • Main Content: Services for analyzing and exploiting personal data; services for scoring, rating and assessing the creditworthiness of data subjects; and the provision or operation of automated systems and software that process personal data on behalf of a personal data controlling party (e.g. SaaS, cloud computing) are now officially business lines for personal data processing services.
  • Legal Basis: Articles 21 to 27 of Decree No. 356/2025/ND-CP
  • Conditions, Procedures and Obligations: An organization wishing to do business in this field must obtain a Certificate of eligibility for providing personal data processing services, issued by the Ministry of Public Security. The business conditions are: the head responsible for professional matters relating to personal data processing must be a Vietnamese citizen permanently residing in Vietnam; at least 03 personnel must satisfy the statutory competency conditions for personal data protection; and the infrastructure, equipment systems, facilities and technology must be suitable for the processing services. The application dossier consists of an application (Form No. 04), a business proposal and personnel dossiers (diplomas and documents proving qualifications).
  • Relevant Entities: Digital technology enterprises, technology companies (AI, Big Data, Blockchain, Cloud), data analysis centers, and organizations providing enterprise software services or behavioral advertising.

In summary, to ensure compliance, relevant organizations and individuals may need to perform the following:

  • Review and classify personal data: Clearly distinguish between basic personal data and sensitive personal data within current storage systems.
  • Standardize procedures and forms: Update internal regulations and contracts; establish lawful methods of obtaining consent from data subjects and mechanisms through which they can exercise their rights.
  • Designate specialized personnel or units: Issue decisions to appoint personal data protection personnel or a personal data protection unit satisfying the statutory competency conditions or enter into contracts with independent personal data protection service providers.
  • Complete Impact Assessment Dossiers (DPIA/TIA): Prepare and submit dossiers for personal data processing impact assessment and/or cross-border personal data transfer impact assessment to the personal data protection authority (Ministry of Public Security) no later than 60 days from the date of commencement of processing or transfer.
  • Establish incident response procedures: Ensure the internal capability to record and notify the competent authorities within 72 hours from the detection of personal data leaks or violations.
  • Apply for a Certificate of Eligibility: For entities engaged in the business of providing personal data processing services, prepare qualified personnel and infrastructure, and develop a business proposal to apply for a Certificate of eligibility for providing personal data processing services issued by the Ministry of Public Security.

NEED-TO-KNOW LEGAL ISSUES IN ARTIFICIAL INTELLIGENCE

1. OVERVIEW

  • Date of promulgation: The Law on Artificial Intelligence (Law No. 134/2025/QH15) was ratified by the National Assembly on December 10, 2025, and officially comes into force from March 01, 2026.
  • Scope of regulation: The Law regulates the research, development, provision, deployment, and use of artificial intelligence (hereinafter referred to as “AI”) systems; the rights and obligations of relevant organizations and individuals; and the state management of AI activities in Vietnam. The Law applies to Vietnamese authorities, organizations, and individuals, as well as foreign entities participating in AI activities in Vietnam. It does not apply to AI activities serving only national defense, security, and cipher activities.
  • Transitional provisions: For AI systems put into operation before March 01, 2026, providers and deployers are responsible for fulfilling compliance obligations within the following time limits from the effective date of the Law: 18 months for AI systems in the fields of health, education, and finance; 12 months for other AI systems. During these periods, the systems may continue to operate unless state management authorities determine a risk of causing serious damage and request the suspension or termination of operations.

2. KEY ISSUES TO NOTE

Firstly, Risk-based Classification and Management

  • Main Content and Legal Basis: According to Article 9, AI systems are classified into three risk levels: high, medium, and low. High-risk AI systems are those that cause or pose a risk of significant harm to life, health, legitimate rights and interests of organizations and individuals, national interests, public interests, or national security.
  • Conditions, Procedures and Obligations: Pursuant to Article 10 and Article 14, providers must self-classify AI systems before putting them into operation. For medium-risk and high-risk systems, providers must prepare classification dossiers and notify the classification results to the Ministry of Science and Technology via the single-window website on AI before operation. Specifically, high-risk AI systems must undergo conformity evaluation before operation; establish and maintain risk management measures; archive technical dossiers and activity logs; and ensure human oversight and intervention capabilities. Foreign providers with high-risk AI systems provided in Vietnam must have a legal contact point; in cases where the system is subject to mandatory conformity certification, they must have a commercial presence or an authorized representative in Vietnam.
  • Relevant Entities: Enterprises and organizations acting as providers (those who provide systems to the market) and deployers (those using systems to provide services) need to prioritize these regulations to perform classification and maintain continuous system conformity.

Secondly, Transparency Obligations and Prohibited Activities

  • Main Content and Legal Basis: Detailed provisions are set out in Article 11 regarding transparency responsibility and Article 7 regarding prohibited activities in AI activities.
  • Conditions, Procedures and Obligations: Providers must ensure that AI systems interacting directly with humans are designed and operated so that users can recognize when they are interacting with the systems. Audio, images, and videos generated or edited by AI systems to simulate or imitate the appearance or voice of real persons (such as deepfakes) or reenact actual events must be marked in a machine-readable format and labeled clearly to distinguish them from human-made content and avoid confusion. Simultaneously, the Law strictly prohibits developing, providing, deploying, or using AI systems to deceive or manipulate human perception and behaviors; exploiting the vulnerabilities of vulnerable groups (including children, the elderly, persons with disabilities, etc.). It is also prohibited to collect, handle, or use data to train AI systems against the laws on protection of personal data or to conceal information that must be disclosed, transparent, or explained.
  • Relevant Entities: Developers, digital content solution providers and application platforms that interact directly with users need to build user-notification and labeling features and automated content moderation systems.

Thirdly, AI Regulatory Sandbox

  • Main Content and Legal Basis: Article 21 regulates the AI regulatory sandbox to encourage innovation.
  • Conditions, Procedures and Obligations: The sandbox is conducted under the supervision of competent state authorities, which are responsible for receiving and appraising dossiers in accordance with fast appraisal and response procedures. Authorities have the power to decide on the suspension or termination of the sandbox if risks to security, rights, or legitimate interests of organizations and individuals are detected. The results from the sandbox serve as a critical basis for the State to consider the recognition of conformity evaluation results, or the exemption, reduction, or adjustment of obligations prescribed in the Law.
  • Relevant Entities: Digital technology enterprises and startups developing new AI products and services that require a controlled, real-world environment for research, production, and commercialization.

Fourthly, Incident Management

  • Main Content and Legal Basis: Article 12 stipulates the responsibilities for reporting and handling serious incidents, which are events occurring during the operation of an AI system that cause or pose a risk of significant harm to life, health, human rights, property, cybersecurity, etc.
  • Conditions, Procedures and Obligations: When a serious incident occurs, developers and providers must promptly apply technical measures to fix, suspend, or recall the system, and notify competent authorities. Deployers and users are obligated to promptly record and notify incidents and cooperate in the fixing process. The entire process of reporting and handling incidents must be conducted via the single-window website on AI.
  • Relevant Entities: Developers, providers, deployers, and users all bear responsibilities for ensuring security and reliability, with specific obligations assigned to each entity based on the level of incident response.

In summary, to ensure compliance, relevant organizations and individuals may need to perform the following:

  • Review, evaluate, and self-classify the risk levels (high, medium, and low) for AI systems currently under development or being provided to the market.
  • Prepare notification procedures for medium-risk and high-risk AI systems; conduct conformity evaluation for high-risk AI systems.
  • Implement labeling mechanisms and mark content in a machine-readable format for AI-generated outputs to fulfill transparency responsibilities.
  • Establish adjustment plans for existing AI systems within the transitional period (12 to 18 months starting from March 01, 2026).
  • Develop internal procedures for archiving technical dossiers and activity logs, data management, and establishing incident response scenarios and online reporting via the single-window website on AI when serious incidents occur.

NEED-TO-KNOW

JOINT CHILDREN OF SPOUSES

  • What is the purpose of determining the joint children of the spouses?

Determining the joint children of the spouses records the father-mother-child relationship, which then serves as the basis for resolving child custody on divorce, inheritance, maintenance obligations, etc.

  • When is a child a joint child of the spouses?[1]

A child born during the marriage (including by assisted reproduction or surrogacy for humanitarian purposes), or conceived by the wife during the marriage, is a joint child of the spouses.

A child born within 300 days of the termination of the marriage is deemed to have been conceived by the wife during the marriage.

A child born before the marriage is registered and acknowledged by both parents as their joint child is also a joint child of the spouses.

  • What about exceptions?

If the father and/or mother does not acknowledge the child, a petition must be filed and the matter is determined by the Court on the evidence (e.g. DNA test results).[2]

If a natural father and/or mother wishes to acknowledge a child and has evidence (such as DNA test results), an application for registration of parent-child recognition is submitted to the commune-level People's Committee[3] (for the detailed dossier and procedure, see the instructions on the National Public Service Portal: Link here).

[1] Clause 1 of Articles 88, 93 and 94 of the Law on Marriage and Family No. 52/2014/QH13.

[2] Clause 2, Article 88 of the Law on Marriage and Family No. 52/2014/QH13.

[3] Article 25 of the Law on Civil Status No. 60/2014/QH13.

NEED-TO-KNOW

VALIDITY OF DIGITAL SIGNATURE

1. What is a digital signature? A digital signature (DS) is a form of electronic signature of an individual or organization. A DS may be provided by an official unit (a provider of DS certification services licensed under Vietnamese law, such as VNPT, Viettel, FIS CORP, etc.) or by an unofficial one (not licensed by the Government of Vietnam).

2. Does a DS invalidate a civil transaction?

A transaction signed with a DS has the same legal validity as one signed by hand[i], provided the DS meets the security conditions prescribed by law (validity, secret key, public key, the signer's control of the secret key, etc.). In other words, signing with a legally compliant DS will not render the transaction invalid.

Note that under Vietnamese law[ii] a transaction is invalid when the party establishing it lacks capacity (legal capacity or capacity for civil acts). Put simply, we need to verify that the DS really belongs to the partner's representative and that it is legally compliant.

We think that using a DS provided by an official unit is advantageous for this verification, and also when the document has to be produced as evidence if a dispute arises (with an unofficial DS, even one provided by a world-renowned unit, this will be difficult to prove).

3. Does the DS of an individual in the Company pose a legal risk for transactions?

If the transaction is signed with the Company's own legitimate DS, it is essentially valid; the likelihood of invalidity is very low.

If the transaction is signed with a personal DS (whether of an individual in the Company or of the legal representative, even together with the Company's seal), the validity of the transaction can still be disputed and the transaction may be held invalid, because the conclusion will then depend on the evidence proving the legitimacy of the DS, as mentioned above.

[i] Articles 8 and 9 of Decree No. 130/2018/ND-CP

[ii] Articles 122 and 117 of the Civil Code No. 91/2015/QH13
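The security conditions mentioned in section 2 are what a counterparty's verifier actually checks before relying on a DS: that the signing certificate chains to a certification service it trusts, that the certificate was valid at the time of signing, and that the signature verifies under the certificate's public key over the document exactly as presented. The Go program below is an added example; it is not part of the original note and is not the code of any certification provider. It generates two local CAs (one standing in for a licensed certification service, one for an unlicensed provider), issues a signer certificate from each, signs a constructed contract text, and verifies against a trust store that contains only the licensed CA. All names, dates and the contract text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// One sentinel error per condition a verifier checks before relying on a DS.
var (
	ErrUntrustedIssuer  = errors.New("signer certificate does not chain to a trusted CA")
	ErrNotValidAtTime   = errors.New("signer certificate was not valid at the signing time")
	ErrSignatureInvalid = errors.New("signature does not verify against the document")
)

// template builds a CA (keyCertSign) or signer (digitalSignature + nonRepudiation) template.
func template(name string, from, to time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue generates a P-256 key pair and has parent certify it under tmpl (nil parentKey = self-signed).
// Every certificate here is local test material, not that of any real certification service.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignDocument signs SHA-256(doc) with the signer's private key (the "secret key" of the note).
func SignDocument(doc []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyDocumentSignature checks, in order: the certificate chains to a trusted CA and was valid
// at signedAt; then the signature verifies under its public key over the document as presented.
func VerifyDocumentSignature(doc, sig []byte, signer *x509.Certificate, trusted *x509.CertPool, signedAt time.Time) error {
	opts := x509.VerifyOptions{Roots: trusted, CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		var inv x509.CertificateInvalidError
		if errors.As(err, &inv) && inv.Reason == x509.Expired {
			return fmt.Errorf("%w: %v", ErrNotValidAtTime, err)
		}
		return fmt.Errorf("%w: %v", ErrUntrustedIssuer, err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(doc)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrSignatureInvalid
	}
	return nil
}

// RunScenarios signs one constructed contract text and returns the verification outcome per scenario (nil = accepted).
func RunScenarios() (map[string]error, error) {
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	tenY, oneY := t0.AddDate(10, 0, 0), t0.AddDate(1, 0, 0)
	licCA, licCAKey, e1 := issue(template("Example Licensed CA", t0, tenY, true), nil, nil)
	unlCA, unlCAKey, e2 := issue(template("Example Unlicensed CA", t0, tenY, true), nil, nil)
	licCert, licKey, e3 := issue(template("Director, Example Co.", t0, oneY, false), licCA, licCAKey)
	unlCert, unlKey, e4 := issue(template("Director, Example Co.", t0, oneY, false), unlCA, unlCAKey)
	if err := errors.Join(e1, e2, e3, e4); err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool() // the verifier trusts only the licensed CA
	trusted.AddCert(licCA)
	contract := []byte("Constructed sample: Service Agreement No. 01/2025 between Example Co. and Partner Ltd.")
	altered := append(append([]byte{}, contract...), " Fee doubled."...)
	sigLic, e1 := SignDocument(contract, licKey)
	sigUnl, e2 := SignDocument(contract, unlKey)
	if err := errors.Join(e1, e2); err != nil {
		return nil, err
	}
	within, after := t0.AddDate(0, 6, 0), t0.AddDate(2, 0, 0) // claimed signing times
	return map[string]error{
		"licensed CA, signed within validity":   VerifyDocumentSignature(contract, sigLic, licCert, trusted, within),
		"licensed CA, signed after expiry":      VerifyDocumentSignature(contract, sigLic, licCert, trusted, after),
		"unlicensed CA, signed within validity": VerifyDocumentSignature(contract, sigUnl, unlCert, trusted, within),
		"document altered after signing":        VerifyDocumentSignature(altered, sigLic, licCert, trusted, within),
	}, nil
}
```

Only the signature made under the licensed CA's certificate, within its validity period and over the unaltered document, is accepted; the other three cases are each rejected with a distinct reason, which is the technical counterpart of the evidentiary point made in section 2. Note that the program takes the signing time as an input: without a trusted timestamp, the claimed signing time is itself only an assertion by the signer.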

NEED-TO-KNOW

EFFECTIVE TIME OF THE NON-DISCLOSURE AGREEMENT

A Non-disclosure agreement (NDA) is usually not the main contract, but, unlike other accompanying agreements, its effective period need not coincide with that of the main contract. Basically, the NDA's effective period is the period during which the Recipient is obliged to keep the confidential information confidential, as the Provider wishes.

How should this effective time be prescribed?

  • Benefit to the Provider: The effective period should be indefinite, meaning that even if the Master Contract terminates and/or the transaction ends, the Recipient must keep the confidential information confidential.

Example: This Non-disclosure agreement is effective from the time the Recipient first acquires the Confidential Information, continuously and forever (including if the Master Contract and/or Transaction is terminated, cancelled or invalidated).

  • Benefit to the Recipient: The effective period should be narrow, meaning that once the Master Contract terminates, the Recipient is no longer required to keep the confidential information confidential.

Example: This Non-disclosure agreement is effective from the time it is entered into by the Parties, continues without interruption and terminates at the same time as the Master Contract.

  • Balance for the Parties: The effective period should be fixed, i.e. after a certain period (by which time disclosure of the confidential information no longer harms the Provider) the NDA ceases and the Recipient is no longer required to keep the confidential information confidential.

Example: This Confidentiality Agreement is effective from the time the Recipient first acquires the Confidential Information, is continuous and terminates [36 months] from the time of termination of the Master Contract.

(Where there is special confidential information that needs to be protected forever, an “exception rule” should be added.)

Note: In practice, many NDAs stipulate that "... the obligation to keep the Confidential Information confidential remains in effect after the termination of this NDA", which may affect enforceability, because the question then arises: if the NDA has terminated, does its provision on the Recipient's liability for breach of the confidentiality obligation remain valid?

NEED-TO-KNOW

DEFINITION OF CONFIDENTIAL INFORMATION IN THE NON-DISCLOSURE AGREEMENT

Is the definition of Confidential Information (CI) important? The definition of CI is the first thing to understand in a Non-Disclosure Agreement. It determines the object of the rights and obligations, i.e. it answers the question of which information must be kept confidential and which need not.

How should CI be defined?

  • Benefit to the Provider: CI should be understood expansively, meaning any information received or acquired by the Recipient arising out of and/or in connection with the transaction between the Parties.
  • Example: CI means any and all information that the Recipient (i) receives from the Provider or a Third Party; and/or (ii) obtains in the course of the Transaction, arising out of and/or in connection with the Transaction between the Parties at any time (before, during and after the termination of the Transaction), in oral, written, digital or any other form of communication (tangible or intangible).
  • Benefit to the Recipient: CI should be understood narrowly, i.e. only trade secrets or information that the Parties have jointly confirmed to be confidential.
  • Example: CI means the trade secret(s) and information in the possession of the Provider which the Parties have jointly confirmed as confidential and which the Provider delivers to the Recipient during the execution and validity of the Transaction.
  • Balancing the Parties: CI should be construed as information identified by the Provider at its sole discretion and notified to the Recipient as confidential.

Example: CI means any and all information that the Recipient receives (i) from the Provider and/or obtains during the Transaction; and (ii) that the Provider has identified and notified as confidential, arising out of and/or in connection with a Transaction between the Parties, in oral, written, digital or any other form of communication (tangible or intangible).
