This is the new MLex platform. Existing customers should continue to use the existing MLex platform until migrated.
For any queries, please contact Customer Services or your Account Manager. Dismiss

Vietnam's draft data-protection law specifies fines, loosens requirements on businesses

By Hoa Dinh ( June 12, 2025, 00:25 GMT | Insight) -- The latest draft of Vietnam’s personal data-protection law proposes fines of up to 5 percent of annual revenue for cross-border data-transfer violations. It also removes the strict 72-hour deadline to handle data subjects’ requests and eases the compliance burdens for small- and medium-sized enterprises. The latest draft of Vietnam’s personal data-protection law proposes fines of up to 5 percent of annual revenue for cross-border data-transfer violations. It also removes the strict 72-hour deadline to handle data subjects’ requests and eases the compliance burdens for small- and medium-sized enterprises.The fourth version of the draft law was discussed at a meeting of the country’s National Assembly last week as part of its ongoing 9th session.Referencing international practices, the draft outlines different levels of fines for different types of violations, which is a step up from the general fines of 1 percent to 5 percent of a company’s revenue in the previous year for all violations, which was proposed in the previous draft (see here).For the act of buying or selling personal data, a fine of up to 10 times the illicitly gained revenue was proposed. For violations related to cross-border data transfers, the maximum fines may reach 5 percent of a company’s previous year’s revenue. For other violations, the fines can go up to 3 billion Vietnamese dong ($117,900). The penalty for individuals should be set at half of that of businesses, the draft proposes.Vũ Hồng Thanh, the assembly’s vice chairwoman, and Nguyễn Trường Giang, vice chairman of the assembly’s Committee for Legal and Judicial Affairs, expressed reservations about the maximum fine of 5 percent of a company’s revenue, since it could result in a huge penalty for corporations with large revenues that can reach trillions of Vietnamese dong.Thanh suggested that guiding documents should be issued by the government to further clarify these fines. A mechanism should be put in place to handle foreign violators that don’t have a legal status in Vietnam, as well as newly established businesses that don't yet have revenue, she said.Giang also objected to the maximum fine of 3 billion Vietnamese dong for “other violations,” suggesting that these violations should be handled, instead, by the penalties promulgated in the Law on Handling Administrative Violations.In terms of data subjects’ rights and responsibilities, the latest draft retains most of the provisions of the previous draft, but adds that when exercising their rights, data subjects must comply with the law and not obstruct the activities of data processors, or infringe upon the rights and legitimate interests of agencies, organizations and other individuals.The latest draft also loosens the 72-hour time frame which the previous draft required data processors to handle data subjects’ requests (see here), and assigned the government to provide guiding documents with more flexible time frames in line with specialized legal regulations.In terms of the data-processing and cross-border data transfer impact-assessment dossiers, companies still have to prepare and submit them once during their entire operation and update them when there are changes. For both assessments, if they have been carried out in accordance with the provisions of the personal data-protection law, it is not necessary to conduct similar assessments under the Law on Data. This is a clarification of overlapping provisions of the two laws that was not provided in the previous draft.The draft also eases the compliance burdens for businesses by making it an option to have a personal data-protection expert instead of a mandate, allowing businesses to appoint internal staff or choose a service provider to perform the task.Article 46 of the draft has added provisions that exempt micro-enterprises and household businesses from the obligation of having personal data-protection experts, and from following the requirements on data-processing impact assessment. Small businesses and startups have the right to choose whether or not to follow these requirements within five years from the date of their establishment, or from the date that the law takes effect.The law is expected to be passed during the second phase of the assembly’s 9th session, which lasts until the end of this month....

Prepare for tomorrow’s regulatory change, today

MLex identifies risk to business wherever it emerges, with specialist reporters across the globe providing exclusive news and deep-dive analysis on the proposals, probes, enforcement actions and rulings that matter to your organization and clients, now and in the longer term.


Know what others in the room don’t, with features including:

  • Daily newsletters for Antitrust, M&A, Trade, Data Privacy & Security, Technology, AI and more
  • Custom alerts on specific filters including geographies, industries, topics and companies to suit your practice needs
  • Predictive analysis from expert journalists across North America, the UK and Europe, Latin America and Asia-Pacific
  • Curated case files bringing together news, analysis and source documents in a single timeline

Experience MLex today with a 14-day free trial.

Start Free Trial

Already a subscriber? Click here to login

Related Sections