In today’s digital era, protecting personal data has become an urgent issue as data breaches are becoming increasingly common, posing significant challenges for both individuals and businesses. The primary cause stems from users’ carelessness in sharing personal information on social media, the lack of security in technological applications, as well as the absence of a legal framework for personal data protection in Vietnam.
In light of the current situation, the Ministry of Public Security has stated that the current legal regulations and enforcement mechanisms are insufficient to address the growing risk of data breaches. The Personal Data Protection Law is therefore essential to safeguard citizens’ rights, prevent data violations, and enhance the accountability of organizations, businesses, and individuals. This law will establish a robust legal foundation for protecting personal information amid Vietnam’s rapid digital transformation.
Key Highlights of the Draft
Following the implementation of Decree No. 13/2023/ND-CP, Vietnam’s first regulation on personal data protection, authorities have identified the need for a more unified and comprehensive legal framework. In response, on September 24, 2024, the Ministry of Public Security introduced the Draft Law on Personal Data Protection (“Draft”) to collect feedback from businesses and individuals.
The Draft aims to strengthen data protection regulations while introducing key adjustments in data management for businesses. Additionally, it seeks to foster the development of Vietnam’s data economy, aligning with international data protection standards and enhancing trust and transparency in digital transactions.
1. Data Security Requirements for Cloud Storage
Cloud computing has become widely adopted across sectors such as commerce, education, and finance due to its efficiency and cost savings. Major global platforms such as Amazon Web Services (AWS), Google Cloud, OneDrive, and Microsoft Azure enable online data storage, processing, and sharing, reducing the need for physical infrastructure. However, these services also present significant security challenges, particularly regarding sensitive personal data, necessitating a comprehensive legal framework to ensure data protection.
Article 25 of the Draft establishes technical and organizational requirements to safeguard personal data on cloud platforms. Contracts with cloud service providers must include compliance with Vietnam’s data protection regulations, stringent security measures, and provisions ensuring that data is processed exclusively for the customer’s benefit. Additionally, providers must conduct regular security audits and allow data deletion upon request.
Cloud service providers must also implement appropriate security systems, enforce access controls, ensure subcontractor compliance, and promptly notify users of any changes affecting personal data. These measures aim to enhance cloud security, protect user rights, and ensure compliance with legal standards in the digital era.
2. Data Security Requirements for Big Data
Big Data refers to large, rapidly accumulating datasets from multiple sources, characterized by high volume and complexity, which pose challenges for traditional data processing methods. Article 23 of the Draft introduces key regulations on Big Data management, affirming the right to access publicly available personal data while ensuring its lawful use. Organizations and individuals may access such data only from platforms where users have provided consent, and its use must strictly comply with legal regulations to safeguard data subjects’ rights.
The Draft also mandates that companies engaged in personal data processing must register with data protection authorities and be subject to oversight to ensure transparency and accountability. A prominent application of Big Data can be seen in e-commerce, where platforms like Shopee and Lazada utilize publicly available personal data to analyze user behavior, optimize advertising, and recommend products. Under the Draft’s legal framework, such platforms must adhere strictly to data usage regulations and prioritize user privacy, contributing to a secure and regulated data environment in the digital era.
3. Data Protection Requirements in Labor Surveillance and Recruitment
Article 26 establishes clear rules on collecting and processing employee data. Employers can only store necessary labor records and must obtain consent for processing personal information. Data should be deleted when no longer required. These requirements protect the privacy of employees while ensuring that data processing is transparent and lawful.
Foreign companies hiring Vietnamese employees must comply with local data protection laws and have clear agreements on data processing. For example, multinational companies must ensure lawful data transfers when sharing employee records with Vietnamese partners. These measures enhance transparency and data security in employment.
4. Regulations on Business Activities Related to Data
The Draft Law on Personal Data Protection introduces key regulations to oversee data-related business activities, an area previously lacking comprehensive legal management. These measures aim to combat the illegal trade of personal data, a significant issue in Vietnam. The new rules governing data brokerage, analysis, and data markets will require businesses to register with authorities and comply with strict data protection requirements, fostering a secure and transparent digital economy while safeguarding individual rights.
Article 43 specifically regulates services involving personal data processing, including credit information services, outsourced data processing, and creditworthiness assessments. Businesses engaged in these activities must meet strict compliance criteria, such as employing certified experts in data security and legal compliance and maintaining a minimum credit rating for data protection. For instance, companies providing data storage and processing must adhere to these standards to ensure the security and legality of data processing.
5. Compliance Checks on Personal Data Protection
A noteworthy new aspect in the Draft is the establishment of a compliance monitoring mechanism to ensure adherence to personal data protection regulations. Authorities may conduct periodic or surprise inspections in cases of suspected violations or as part of state management. The inspections will include evaluating the implementation of security requirements, assessing the impact of data processing and transferring data abroad, and ensuring that these processes are conducted legally. The goal is to establish a clear and transparent legal environment, fostering trust and protecting individual rights in data processing activities. Organizations must properly prepare documentation and comply with inspection requirements, while authorities will maintain confidentiality of results in accordance with the law.
Expected Impacts and Recommendations
The Draft Law on Personal Data Protection will be instrumental in establishing a comprehensive legal framework to safeguard personal information in the digital era. As technology advances and digitalization accelerates, data protection has become a pressing issue, not only for citizens’ rights but also for national security, social stability, and economic growth. The law aims to protect individual rights, prevent privacy violations, and combat illegal data trade, fostering a secure and transparent digital environment. Its implementation will support digital transformation, economic development, and the creation of a modern digital society, while aligning Vietnam with international human rights standards and strengthening its global integration.
To ensure effective enforcement, businesses must adopt comprehensive data security measures and establish robust data management systems. These measures should not only involve the use of advanced encryption technologies but also focus on setting up clear access controls to ensure that individuals or organizations only have access to the information they are authorized to use. Additionally, businesses must closely monitor the use and sharing of personal information, ensuring that this information is not leaked, violated, or misused. Investing in modern security technologies, such as end-to-end encryption and secure data transmission, is essential to protect data from cyber threats and ensure regulatory compliance.
ADK VIETNAM LAWYERS