Vietnam: Law on Personal Data Protection including cybersecurity regulation was adopted by National Assembly

On 26 June 2025, the Law on Personal Data Protection was adopted by the National Assembly of Vietnam. The Law requires organisations to implement suitable technical and organisational measures to safeguard personal data against unauthorised access, disclosure or misuse (Articles 3, 14, 16, 18, 27). This encompasses the establishment of a dedicated data protection officer or department to provide oversight (Article 33), although small and medium-sized enterprises and startups may be temporarily exempt. In the event of a personal data breach, the relevant authorities must be informed (Article 23), and data subjects must be informed if biometric data processing causes data to the subject (Article 31). It is required that organisations conduct regular risk assessments and audits to ensure ongoing compliance with data protection Law (Articles 19, 21, 22, 37).