The latest Law on Personal Data Protection and the guiding documents

The Law on Personal Data Protection, recently passed by the National Assembly, marks a significant milestone in safeguarding individuals' private information. Concurrently, a Decree providing detailed regulations for the implementation of this Law has also been promulgated.

1. The latest law on Personal Data Protection

On June 26, 2025, the National Assembly passed Law No. 91/2025/QH15 on Personal Data Protection, which officially took effect on January 1, 2026. This marks a significant development in Vietnam's legal system regarding the protection of privacy rights and information security amid the country's rapid digital transformation.

Law No. 91/2025/QH15 comprises 5 Chapters and 39 Articles. A core pillar of the Law is the clear establishment of basic personal data rights, including the right to be informed, the right to agree or disagree with, and the right to access, rectify, and request rectification of his/her personal data.

Highlights of the Law:

1. Data subjects have the right to agree or disagree with, and to withdraw consent to, personal data processing.

2. Silence or non-response is not considered consent.

3. Data subjects may request the exercise of rights of deletion, destruction and de-identification of personal data

4. Multi-factor authentication is mandatory for personal data in Big Data processing.

5. Personal information of candidates must be erased or destroyed if they are not recruited.

6. Employers must delete or destroy personal data of employees upon termination of their contracts

7. Processing of children's personal data requires the consent of their legal representative.

8. Data subjects have the right to file complaints and denunciations, initiate lawsuits, and request compensation for damage when their rights are infringed.

9. Data subjects must be notified in the event of a personal data breach or "leak."

10. Social networks shall not request the provision of images or videos containing the whole or part of identification papers for use as an account authentication factor.

2. Guiding document for the 2025 Law on Personal Data Protection

The Government promulgated Decree No. 356/2025/ND-CP on December 31, 2025. This Decree takes effect on January 1, 2026, concurrently with the Law, and supersedes the previous Decree No. 13/2023/ND-CP. Decree No. 356/2025/ND-CP remains the sole guiding document for the Law on Personal Data Protection 2025.

Decree No. 356/2025/ND-CP consists of 5 Chapters and 42 Articles, providing detailed regulations on the processes, procedures, and measures for implementing Law No. 91/2025/QH15. The Decree focuses on five core policy groups:

• Detailed procedures for the assessment of the impact of personal data processing;

• Stricter procedures for the cross-border transfer of personal data;

• New regulations on the functions and duties of the personal data protection personnel (DPO);

• A new system of reporting forms that completely replaces those under Decree No. 13/2023/ND-CP;

• Coordination mechanisms for inspection and examination by the Cyber Security and High-Tech Crime Prevention Bureau (A05).

Highlights of Decree No. 356/2025/ND-CP:

1. Adjustment of the list of basic personal data.

2. Adjustment of the list of sensitive personal data.

3. Clear regulations on the duration for responding to and ceasing data processing when a data subject withdraws consent.

4. Clear regulations on responding to and processing data when a data subject requests to view, rectify, or request rectification.

5. Additional responsibilities for storing and demonstrating proof of the consent of the personal data subject.

6. Additional guiding regulations on sharing personal data between departments within the same agency or organization.

7. Guidance on personal data protection in finance, banking, and credit information activities.

8. Guidance on personal data protection within Artificial Intelligence (AI) systems and the Metaverse.

9. Additional requirements for the conditions for personal data protection personnel and personal data protection departments in agencies and organizations.

10. Changes to cases of ceasing cross-border transfer of personal data.

11. The notification deadline for personal data protection violations is now specifically applicable to personal position data and biometric data.

12. Additional regulations on the inspection of personal data protection activities.

13. Guidance on the application of personal data protection regulations to specific types of subjects.

The above is the content of the article: "The latest Law on Personal Data Protection and guiding documents."