Vietnam: Law on Personal Data Protection including data protection regulation enters into force

On 1 January 2031, the Law on Personal Data Protection enters into force. Under Article 41 of the "Implementing Regulations of the Law on Personal Data Protection" (adopted 31 December 2025), small businesses have until 5 years from the effective date of the Law on Personal Data Protection to appoint dedicated data protection personnel and conduct impact assessments. This exemption does not apply if they provide data processing services, directly handle sensitive data, or process the data of over 100’000 individuals. The Law, as implemented on 1 January 2026, also states that organisations and individuals handling personal data must obtain clear consent from data subjects before processing their data, with special provisions for sensitive data and the personal data of children (Article 9, 2, 24). The processing of personal data must be conducted in accordance with the principles of purpose limitation, data minimisation, and accuracy (Article 3). The processing of personal data by automated means must be disclosed to data subjects, along with an explanation of the potential impact on their rights and interests (Article 9). Data subjects must be afforded the option to decline the processing of their data by AI systems (Article 4). The Law allows organisations to utilise personal data for the development of self-learning algorithms and automated systems, such as artificial intelligence (AI) so long as they comply with these articles. Under Article 41 of the "Implementing Regulations of the Law on Personal Data Protection" (adopted 31 December 2025), small businesses have until 5 years from the effective date of the Law on Personal Data Protection to appoint dedicated data protection personnel and conduct impact assessments. This exemption does not apply if they provide data processing services, directly handle sensitive data, or process the data of over 100’000 individuals.