STIPULATIONS ON PERSONAL DATA PROTECTION

THONG LUAT CO., LTD.

STIPULATIONS ON PERSONAL DATA PROTECTION

The National Assembly passed the Law on Personal Data Protection 2025 on June 26, 2025, which takes effect from January 01, 2026, with the following key contents:

1. Prohibition of the buying and selling of personal data

According to Article 7 of the Law on Personal Data Protection 2025, seven acts related to personal data are strictly prohibited, including:

  1. Processing personal data to oppose the Socialist Republic of Vietnam, affecting national defense, national security, public order and safety, or the lawful rights and interests of agencies, organizations, and individuals.
  2. Obstructing personal data protection activities.
  3. Abusing personal data protection activities to commit acts in violation of the law.
  4. Processing personal data contrary to legal provisions.
  5. Using other people’s personal data or allowing others to use one’s personal data to commit acts in violation of the law.
  6. Buying or selling personal data, unless otherwise provided by law.
  7. Appropriating, intentionally disclosing, or causing the loss of personal data.

2. Individuals have the right to request the deletion or modification of personal data

According to clause 1 Article 14 of the Law on Personal Data Protection 2025, personal data shall be deleted or destroyed in the following cases:

  1. Individuals at request the personal data subject matter shall accept the potential risks;
  2. Purpose of personal data processing has been completed;
  3. Retention period as stipulated by law has expired;
  4. There is a decision from a competent state agency;
  5. By agreement between the parties;
  6. Other cases as stipulated by law.

Personal data deletion must ensure security and prevent unauthorized recovery. If deletion is not possible for legitimate reasons, the personal data controller must notify the requester.

Article 13 of the Law on Personal Data Protection 2025 stipulates that individuals may modify certain types of personal data themselves or request the personal data controller to perform the modification.

The personal data controller is responsible for processing requests within the legally prescribed time limit. The modification must ensure accuracy, and where there cannot be done for reasonable reasons, an official notification must be given.

3. Penalty up to 5% of revenue for administrative violation of personal data protection

According to clause 4 Article 8 of the Law on Personal Data Protection 2025, the maximum penalty for an administrative violation committed by an organization concerning the cross-border transfer of personal data is 5% of its revenue in the preceding year.

Where there is no revenue from the preceding year, or if the penalty calculated based on the revenue is lower than the maximum penalty specified in clause 5 of this Article, the penalty specified in clause 5 Article 8 shall prevail.

In addition to violations related to cross-border data transfer, the Law also stipulates:

  • Buying or selling of personal data: The maximum penalty is 10 times the revenue gained from the administrative violation (clause 3 Article 8);
  • Other administrative violations in sector of personal data protection: The maximum penalty may be up to VND 3 billion (clause 5 Article 8);
  • For individuals committing the same administrative violations: The maximum penalty is half of that applied to organizations (clause 6 Article 8).

4. Recruiters only request the personal data of candidates serving the recruitment:

According to clause 1 Article 25 of the Law on Personal Data Protection 2025, recruiting organizations or recruiting individuals:

  1. Only requesting the provision of information serving the recruitment of the recruiting agencies, organizations, and individuals in conformity with the law and use the provided information solely for recruitment or other purposes under agreements in compliance with the law;
  2. Processing the provided information in compliance with the law and with the consent of the candidates;
  3. The information of unsuccessful candidates must be deleted unless otherwise agreed with the candidates.

5. Enterprises must delete the personal data of employees upon termination of the contract

According to clause 2 Article 25 of the Law on Personal Data Protection 2025, personal data protection responsibilities of agencies, organizations, and individuals in the management and use of employees are stipulated as follows:

  1. Complying with this Law, labor and employment laws, data laws, and other relevant laws;
  2. Storing employees’ personal data for the period as stipulated by law or under agreements;
  3. Employees' personal data must be deleted or destroyed upon termination of the contract, except in cases where otherwise stipulated by law or under agreements.

The aforementioned is our updated content for reference.

 

 

***Note:

-The translation is for reference only.

Related Featured Legal Documents

The Government's Decree No. 144/2026/ND-CP dated May 05, 2026 amending and supplementing a number of articles of the Government's Decree No. 181/2025/ND-CP dated July 01, 2025, detailing the implementation of a number of articles of the Law on Value-Added

The Government's Decree No. 144/2026/ND-CP dated May 05, 2026 amending and supplementing a number of articles of the Government's Decree No. 181/2025/ND-CP dated July 01, 2025, detailing the implementation of a number of articles of the Law on Value-Added

SMALL AND MEDIUM-SIZED ENTERPRISES WITH BUSINESS REGISTRAION FOR THE FIRST TIME EXEMPTED FROM CORPORATE INCOME TAX FOR THE FIRST 03 YEARS OF ESTABLISHMENT

SMALL AND MEDIUM-SIZED ENTERPRISES WITH BUSINESS REGISTRAION FOR THE FIRST TIME EXEMPTED FROM CORPORATE INCOME TAX FOR THE FIRST 03 YEARS OF ESTABLISHMENT

NEW FEATURES OF THE CORPORATE INCOME TAX LAW 2025

NEW FEATURES OF THE CORPORATE INCOME TAX LAW 2025

NEW FEATURES OF THE AMENDED VALUE-ADDED TAX LAW 2024

NEW FEATURES OF THE AMENDED VALUE-ADDED TAX LAW 2024

From May 21, 2026, change in the method of residence notifications for Vietnamese citizens and temporary residence declarations for foreigners

From May 21, 2026, change in the method of residence notifications for Vietnamese citizens and temporary residence declarations for foreigners

From January 1, 2026, Enterprises with annual total revenue below VND 01 billion to be exempt from Corporate Income Tax (CIT)

From January 1, 2026, Enterprises with annual total revenue below VND 01 billion to be exempt from Corporate Income Tax (CIT)

Increasing the administrative penalty amount for invoice issuance violations

Increasing the administrative penalty amount for invoice issuance violations

The annual business license fee is completely abolished starting from 2026.

The annual business license fee is completely abolished starting from 2026.
zalo
messenger
email
call