New updates in the Draft Law on Personal Data Protection compared to Decree 13/2023/ND-CP and Legal notes for businesses
In the context of the rapid development of digital technology, protecting personal data has become increasingly urgent. Decree 13/2023/ND-CP (“Decree 13”) has laid the initial legal framework for personal data protection in Vietnam. However, to enhance the effectiveness of protection and align with international trends, a Draft Law on Personal Data Protection (“Draft Law”) has been proposed with many notable updates. On March 10, 2025, the Draft Law was further updated and is expected to be presented to the National Assembly for review and approval at the 9th session of the 15th National Assembly (May 2025).
This article will analyze the key changes in the Draft Law compared to Decree 13 and provide practical warnings for businesses.
1. Expanding the scope of data classified as sensitive personal data
Compared to the categories of sensitive personal data specified in Article 2.4 of Decree 13, Article 2.4 of the Draft Law has added new types of information classified as sensitive personal data under points (i) and (k), specifically as follows:
“4. Sensitive personal data refers to information that, if breached, would directly impact the legal rights and interests of organizations and individuals, closely associated with an individual’s right to privacy, including:
…
i) Information on salary, allowances, and other sources of personal income;
k) Information on land users and land data containing details about land users;”
This update increases a business's responsibilities compared to when it processes only general personal data, specifically: notifying data subjects that the data being processed is sensitive personal data (Article 10.9 of the Draft Law); classifying data according to data management, processing, and protection requirements (Article 12.3 of the Draft Law); encrypting data during storage, transmission, receipt, and sharing in cyberspace (Article 15.3 of the Draft Law); and implementing measures for the protection of sensitive personal data (Article 50 of the Draft Law).
Therefore, when a business has employees (and thereby processes data on their salaries and income) or collects data on individuals' land use, it must comply with the regulations on processing sensitive personal data.
2. Strengthening the handling of violations related to personal data protection regulations
Under Decree 13, the handling of violations related to personal data protection is only generally stipulated, without specific administrative penalties for violations. Article 4 of Decree 13 states: “Agencies, organizations and individuals that commit violations against regulations on protection of personal data, depending on the severity of their violations, may be disciplined, or face administrative penalties or criminal prosecution according to regulations.”
However, the Draft Law establishes clearer and stricter penalties. Specifically, Article 4 of the Draft Law states:
“1. Agencies, organizations, and individuals that violate personal data protection regulations, depending on the severity, shall bear civil liability, be subject to disciplinary action, administrative sanctions, or criminal prosecution under the law;
2. Administrative fines ranging from 1% to 5% of the previous year’s revenue shall be imposed on organizations and businesses violating personal data protection regulations. The Government shall specify detailed regulations on fines and penalty frameworks for each administrative violation”.
Compared to the provisions of Decree 13, the Draft Law has added civil liability for violations of personal data protection regulations.
At the same time, the Drafting Committee has proposed administrative fines ranging from 1% to 5% of the previous year’s revenue of the violating organization or enterprise. This is a particularly noteworthy provision.
Because the fine is calculated on revenue rather than profit, an enterprise that incurred losses in the previous year would still be obligated to pay the fine if it breaches personal data protection regulations. The specific levels of violations and the corresponding penalty frameworks will be set out in a guiding document issued by the Government.
To enhance the effectiveness of monitoring and enforcement, the Draft Law also adds provisions on the inspection of personal data protection activities under Article 57.
Accordingly, Article 57.1 stipulates: “The inspection of personal data protection activities shall be conducted regularly, periodically, or on an ad hoc basis in the following cases:
a) When there is a violation of laws regarding personal data protection;
b) To carry out state management duties as prescribed by law.”
Therefore, businesses need to pay attention to complying with new regulations on penalties and inspections by authorities to avoid being penalized.
3. Regulating additional responsibilities for businesses operating in specialized sectors
This Draft Law provides entirely new regulations for specialized sectors, including: Article 25 (Protection of personal data in the business of behavioral or targeted advertising services); Article 26 (Protection of personal data in big data processing); Article 27 (Protection of personal data in artificial intelligence, blockchain, and virtual universes); Article 28 (Protection of personal data in cloud computing); Article 29 (Protection of personal data in monitoring and labor recruitment); Article 31 (Protection of personal data related to health and insurance information); Article 33 (Location data); and Article 35 (Biometric data).
Accordingly, in addition to the general principles of personal data protection applicable to all businesses, organizations operating in specialized sectors such as marketing and advertising, or those involved in activities related to artificial intelligence, blockchain, virtual universes, etc., need to promptly study and acquire the legal knowledge needed to comply with the specific personal data protection requirements applicable to these fields.
For example: For business activities related to the processing of location data, the Draft Law stipulates that mobile application platforms must provide clear notifications to customers regarding the use of their location and offer users options to control location tracking settings. Therefore, businesses need to pay attention to comply with location data regulations when utilizing mobile application platforms that have functions to collect, use, or track customers’ locations.
For businesses processing biometric data, the Draft Law requires that they "implement physical security measures for devices used to store and transmit biometric data; use strong encryption measures during the transmission and storage processes; and restrict access to biometric data." These are legal requirements that businesses must be aware of and prepare for before processing biometric data.
4. The impact assessment dossier of processing personal data and the impact assessment dossier of transferring personal data abroad must be regularly updated
Similar to the provisions of Decree 13, the Draft Law still maintains two basic responsibilities of the Personal Data Controller and the Personal Data Processor, which are:
(i) Implement the impact assessment dossier of processing personal data; and
(ii) Implement the impact assessment dossier of transferring personal data abroad.
However, Decree 13 currently only requires that these dossiers be updated and supplemented, without specifying a timeline for doing so.
The Draft Law proposes to stipulate clearly the responsibility to update these two dossiers every six months where there have been any changes (Article 47.1 of the Draft Law), as well as certain cases requiring immediate updates (Article 47.2), such as:
“a) When the company dissolves or merges;
b) When there is a change in information about the Personal Data Protection Organization and Personal Data Protection Expert;
c) When a new business sector or service arises or when the business of services or products related to personal data that have been registered in the impact assessment dossier of processing personal data or the impact assessment dossier of transferring personal data abroad is discontinued.”
This regulation requires businesses to continuously monitor and update dossiers related to personal data to avoid being penalized for non-compliance.
Personal data protection law is a relatively new issue in Vietnam and has a profound impact on the business operations of all enterprises, regardless of their size. We will continue to monitor this topic and update your business on noteworthy developments in our upcoming publications. If you have any questions or requests regarding this topic, please contact LexNovum Lawyers for assistance.
Executor: Corporation Team – LNV
Notes: The comparison is based on the Draft Law on Personal Data Protection updated as of March 10, 2025.
The information provided herein is based on the Draft Law and is not yet legally effective. The information in this article should be used for reference purposes only. We are not responsible or liable for any individual or organization that uses the information in this article for purposes other than reference. Prior to making any decisions or taking any actions, please consult official recommendations or contact LexNovum Lawyers to receive in-depth advice from us.
If you wish to use or share this article, please kindly cite the source as “LexNovum Lawyers”.