Vietnam’s Data Privacy Evolution: Understanding Consent and Compliance Under the PDPD and Beyond

Written By Mona Hariri

Vietnam’s data protection landscape is evolving faster than ever. Over the past few years, the government has introduced a suite of digital and data-focused laws — culminating in the Personal Data Protection Decree (PDPD) and the upcoming Personal Data Protection Law (PDPL). Together, these mark Vietnam’s shift toward a more comprehensive privacy framework inspired by the EU’s GDPR, yet tailored to local priorities like national security and regulatory oversight.

Consent: The Cornerstone of Vietnam’s Data Processing Rules

Under the PDPD, the primary legal basis for processing personal data is the explicit prior consent of the data subject.
Consent must be:

  • Voluntary and informed, based on a clear understanding of why and how data will be processed.

  • Specific and affirmative, not implied by silence or inactivity.

  • Granular, meaning individuals can consent to different purposes separately.

  • Verifiable, through written, digital, or electronic means that can be reproduced if required.

Businesses must explain five key elements when obtaining consent:

  1. The purpose of processing.

  2. The types of data collected.

  3. The entities authorized to process the data.

  4. The data subject’s rights and obligations.

  5. Whether any sensitive personal data is being processed.

Importantly, data subjects may withdraw consent at any time, though prior lawful processing remains valid. This introduces both flexibility for individuals and compliance challenges for companies operating in Vietnam.

When Consent Is Not Required

The PDPD recognizes limited exceptions where personal data may be processed without consent, such as:

  • Emergencies involving threats to life or health.

  • Publicly disclosed data, processed in accordance with the law.

  • Government activities related to national defense, security, or public safety.

  • Contractual obligations between data subjects and organizations.

  • State functions under sector-specific laws.

For E-commerce operators, consent is also not required when data is collected:

  • From publicly available sources;

  • To execute or perform a sales contract;

  • To calculate fees or service charges; or

  • To fulfill legal obligations.

Complex Regulatory Structure

Vietnam’s data protection framework is fragmented across multiple laws and regulators.
Key authorities include:

  • The Ministry of Public Security (MPS) — particularly its Department of Cybersecurity and High-Tech Crime Prevention, which enforces the PDPD, Data Law 2024, and Cybersecurity Law 2018.

  • The Vietnam Competition Commission (VCC) under the Ministry of Industry and Trade, which oversees the Law on Protection of Consumers’ Rights (2023).

  • The Ministry of Information and Communications (MIC) — now largely merged into the Ministry of Science and Technology — which previously enforced the IT Law (2006) and Law on Cyber Information Security (2015).

This overlapping jurisdiction makes compliance complex, especially for multinational companies managing cross-sector data activities.

Vietnam’s Expanding Data Protection Framework

1. PDPD (2023):

Vietnam’s first comprehensive data protection decree, heavily influenced by the GDPR, introduced definitions of data controllers, processors, and data subjects, as well as core principles of data processing. However, it omitted “legitimate interest” as a lawful basis and imposed strict rules around granular consent and data impact assessments.

2. Consumer Protection Law (2023):

Expands protection beyond personal data to include all consumer information, creating potential overlap with the PDPD. It also establishes strict rules for obtaining consent and notifying consumers of data breaches, giving the VCC enforcement authority over both local and foreign traders.

3. Data Law (2024):

Vietnam’s newest law extends regulation to non-personal data and introduces the concept of data ownership. It empowers the government to restrict or license the transfer of “important” or “core” data overseas and lays a foundation for regulating data intermediaries, AI systems, and data marketplaces.

4. Cybersecurity Law (2018):

A foundational law that introduced data localization and content control requirements for online service providers. While controversial, subsequent decrees have narrowed its scope, applying localization primarily to specific high-risk services.

5. Forthcoming Personal Data Protection Law (PDPL):

Expected to replace the PDPD, this upcoming law will elevate data privacy to the level of a national law — introducing higher fines, sector-specific compliance obligations, and stronger enforcement powers for the MPS.

Global Concepts, Local Adaptation

Vietnam’s lawmakers frequently look abroad — drawing inspiration from the EU, China, the U.S., and South Korea — but always customize these models to fit Vietnam’s domestic priorities. The result is a privacy framework that feels globally familiar but locally distinct: a system that values both individual rights and state interests in equal measure.

What Businesses Should Do Now

Multinational companies and local organizations should take a proactive approach by:

  • Mapping all personal data flows involving Vietnamese users or employees.

  • Reviewing consent mechanisms to ensure they meet PDPD standards.

  • Preparing impact assessments for data processing and cross-border transfers.

  • Monitoring updates to the forthcoming PDPL and its guiding decrees.

  • Training staff on new data subject rights and consent management obligations.

With at least five new data regulations expected by 2025, compliance is no longer optional — it’s a strategic necessity for maintaining consumer trust and business continuity in Vietnam’s rapidly digitalizing economy.

Mona Hariri
Previous

European Health Data Space (EHDS): Legal Analysis and Strategic Guidance for Health Data Governance
Next

FTC and States Sue Live Nation and Ticketmaster for Deceptive Ticketing Practices