Personal data protection obligations of enterprises
May 07th, 2026
As of January 01st, 2026, the Law on Personal data protection 2025 and Decree No. 356/2025/ND-CP guiding the Law on Personal data protection officially take effect, establishing a more comprehensive legal framework for personal data protection in the context of digital transformation in Vietnam. These legal instruments reinforce and impose stricter requirements on enterprises regarding their obligations to protect personal data. Accordingly, enterprises should note the following key contents during implementation:
1. The necessity of personal data protection in enterprises
· The increasing processing of personal data and the inevitable need for a personal data protection mechanism: Currently, most enterprises act as entities involved in one or more stages of the personal data lifecycle, from collection, analysis, encryption, deletion, destruction, etc. In the context of digital transformation, where the scale and scope of data processing continue to expand, the establishment of a legal framework for personal data protection has become an inevitable requirement. This not only helps ensure information security but also minimizes legal and operational risks for both enterprises and data subjects.
· Personal data protection is a security “shield” and creates a competitive advantage for enterprises: Personal data is a strategic asset of enterprises but also a primary target for infringement and illicit exploitation in the digital age. Therefore, compliance with data protection regulations is not merely a legal duty but also a solid “shield” against risks in cyberspace. By protecting personal data, enterprises can establish a certain competitive advantage by effectively safeguarding the legitimate rights of customers and employees, while mitigating the risks of data leaks that could adversely affect the enterprise's prestige, reputation and finances.
2. Enterprises’ obligations regarding personal data protection
There are 04 basic groups of obligations that enterprises must comply with as follows:
2.1. Establishing a governance framework for personal data protection in enterprises:
(1) Identifying roles in personal data processing: Depending on the scope of access to and processing of personal data, an enterprise must determine whether its role is (i) Personal Data Controller, (ii) Personal Data Processor, or (iii) both Personal Data Controller and Processor; this determination serves as the basis for issuing internal policies or establishing specialized departments in accordance with the law;
(2) Classifying personal data: including (i) basic personal data and (ii) sensitive personal data. For sensitive personal data, in addition to applying general protection measures as with basic personal data, enterprises must implement additional measures such as establishing access control and authorization regulations, processing procedures and security measures, etc., in accordance with the regulations;
(3) Appointing departments/personnel in charge of personal data protection and/or hiring organizations or individuals to provide personal data protection services;
(4) Establishing a monitoring mechanism for processing personal data in cases where the data subject’s consent is not required.
2.2. Security and operations:
(1) Obtaining data subject consent prior to processing personal data;
(2) Storing personal data in a format suitable for the enterprise's operations and implementing protection measures during storage as required by law;
(3) Other obligations related to specific personal data protection activities.
2.3. Assessment, reporting and compliance:
(1) Notifying violations of personal data protection regulations;
(2) Conducting Personal data processing impact assessment;
(3) Conducting Transfer of personal data abroad impact assessment;
(4) Updating dossiers mentioned in 2.3.(2) and 2.3.(3) above.
2.4. Other obligations
In addition to the basic obligations above, enterprises must ensure compliance with other related obligations under personal data protection laws, such as obligations toward data subjects during the processing of personal data; obligations to prevent unlawful collection of personal data from enterprises’ systems, equipment, and services; obligations to cooperate with competent state authorities in the protection of personal data, including providing information for the investigation and handling of violations of personal data protection laws, etc.
Note: Except in cases of providing personal data processing services, directly processing sensitive personal data, or processing personal data upon reaching a scale of 100,000 or more data subjects based on the cumulative amount of personal data processed, the obligations under sections 2.1.(3), 2.3.(2), and 2.3.(4) shall apply as follows:
· Small enterprises and startups have the option to implement or not implement obligations under sections 2.1.(3), 2.3.(2), and 2.3.(4) for a period of 05 years starting from January 01st, 2026.
· Household businesses and micro-enterprises are exempt from these obligations.
3. Types of documents that enterprises must prepare and submit to state management agencies
a) Internal documents: Internal policies, procedures, regulations, templates; reports assessing the level of compliance with legal obligations; periodic training and capacity-building plans for personal data protection; personal data protection standards and regulations and emergency response plans for personal data protection incidents.
b) Documents for submission to state agencies:
(i) For personal data processing activities as prescribed: Preparation of dossier for Personal data processing impact assessment to be submitted to the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security.
(ii) For the transfer of personal data abroad as prescribed: Preparation of dossier for Transfer of personal data abroad impact assessment to be submitted to the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security.
(iii) For updates to the dossiers referred to in (i) and (ii) above: Preparation of an updated dossier in the prescribed form for submission to the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security.
(iv) For cases where the enterprise detects a violation of personal data protection regulations that could harm national defense, national security, social order and safety, or infringe upon the life, health, honor, dignity, property of personal data subjects: Submission of a Notification of violation of personal data protection regulations in the prescribed form to the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security.
4. Sanctions against enterprises for violating personal data protection obligations
a) Administrative liability: Currently, the detailed guiding documents regarding administrative sanctions for personal data protection violations (detailing specific acts corresponding to fine types/levels, sanctioning authority, etc.) have not been officially issued and are still in the draft stage for public consultation. However, according to the Law on Personal data protection 2025, violations in the field of personal data protection may generally be subject to administrative liability as follows:
| No. | Acts of violation | Forms and levels of administrative sanctions |
|---|---|---|
| 1 | Buying, selling personal data | · A fine of up to 10 times the revenue derived from the violation. · In cases where there is no revenue derived from the violation, or if the fine calculated based on such revenue is lower than 03 billion VND, a maximum fine of 03 billion VND shall be applied. |
| 2 | Violation of regulations on the transfer of personal data abroad | · A fine of up to 05% of the enterprise’s total revenue from the immediately preceding year. · In cases where there is no revenue from the immediately preceding year, or if the fine calculated based on revenue is lower than 03 billion VND, a maximum fine of 03 billion VND shall be applied. |
| 3 | Other violations in the field of personal data protection | A maximum fine of 03 billion VND. |
b) Civil liability: If an enterprise’s violations cause damage to a data subject, the enterprise must provide compensation for damages in accordance with the provisions of civil law.
c) Criminal liability: Depending on the nature, severity and consequences of the violation, an enterprise may be subject to criminal prosecution for related offenses.
----------------------
Compliance with personal data protection is not only a mandatory obligation but also provides enterprises with a competitive advantage and minimizes operational risks. Protecting personal data in accordance with legal regulations and mitigating civil, administrative and criminal legal risks requires enterprises to establish a rigorous internal management system, strictly fulfill reporting obligations to competent authorities, and adhere to other statutory requirements.
For legal support and advice regarding compliance with personal data protection regulations, enterprises may contact us with the following information:
LEGAL ASSOCIATES LAW FIRM
Address: Room D14, Floor 2, 40 Ba Huyen Thanh Quan, Xuan Hoa Ward, Ho Chi Minh City
Phone number: 028 3930 6949
Email: thaianh.luong@la-vn.com