July 14, 2026

PDPL and Data Protection Compliance in Vietnam

female hand using smartphone get 2-step verification to unlock a highly secure login access, virtual login screen information,secure Internet access, cybersecurity

Summary: Data protection is increasingly a board-level compliance issue in Vietnam, particularly for companies that handle employee, customer, student or user data as part of routine operations. This article provides a practical, non-exhaustive overview of the areas companies should review under Vietnam’s personal data protection framework, with the caveat that specific legal requirements should be verified directly given the evolving nature of this area of law.

By ECOVIS Vietnam Law | Last reviewed: 13 July 2026

“Clients increasingly ask about data protection not because a regulator is knocking, but because a foreign partner’s due diligence checklist demands it — treating this as a compliance program rather than a one-off document saves that conversation from becoming a bottleneck.” — Attorney Vu Manh Quynh, Founder & Managing Partner, ECOVIS Vietnam Law

Why This Matters for Foreign Investors / Foreign Companies

Vietnam has been developing its personal data protection framework, generally referred to as the PDPL and its implementing regulations, over recent years, and companies operating in Vietnam — including foreign-invested businesses in East Ho Chi Minh City — are increasingly expected to demonstrate structured data handling practices. Because this area of law has been evolving, and because specific requirements (such as consent mechanisms, registration or notification obligations, and cross-border transfer conditions) may be updated or clarified over time, companies should treat data protection as an ongoing compliance program rather than a one-time checklist.

For foreign investors, data protection compliance is not only a regulatory matter but increasingly a commercial one: many multinational clients, partners and investors now expect Vietnamese counterparties to demonstrate baseline data protection practices as part of vendor due diligence or investment review. Companies that have not yet reviewed their data handling practices under the current framework may find this creates friction in commercial negotiations, in addition to potential regulatory exposure.

Key Legal and Compliance Issues

  1. Understanding what counts as personal data. Under Vietnam’s personal data protection law and its implementing regulations, personal data generally covers information that can identify an individual, and certain categories (such as health, biometric or financial data) may be treated as sensitive and subject to heightened obligations; companies should verify current definitions and categories applicable to their data.
  1. Employee data and HR files. HR departments typically hold significant volumes of personal data — CVs, ID documents, payroll information, performance records — and should review how this data is collected, stored, and shared (including with overseas headquarters or payroll vendors), as cross-entity data sharing may itself trigger specific obligations.
  1. Customer, student and user data. Businesses collecting customer, student or platform user data should review consent practices, data retention periods, and the purposes for which data is used, particularly where data is used for marketing or shared with third parties.
  1. Cross-border data transfer risk. Companies transferring personal data outside Vietnam — for example, to a foreign parent company, a cloud provider, or an offshore vendor — should be aware that cross-border transfers may be subject to specific conditions or assessments under the current framework, and should verify applicable requirements before finalizing data flows.
  1. Contracts with vendors and processors. Agreements with vendors that process personal data on the company’s behalf (payroll providers, marketing platforms, cloud hosting) should include data protection terms allocating responsibilities and liability; relying on a vendor’s standard terms without review may leave gaps in accountability.
  1. Data protection governance. Depending on the scale and nature of data processing, companies should consider whether internal policies, designated responsible personnel, or data protection impact assessments may be appropriate, noting that specific thresholds and requirements should be confirmed based on current regulations.
  1. Incident response and breach notification. Companies should have a basic internal process for identifying and responding to data incidents, since breach notification expectations are a recurring theme in Vietnam’s evolving data protection framework and in comparable regional frameworks.

Practical Risks for Management

  • CEO/Founders: Treating data protection as a purely technical IT matter, rather than a legal and governance issue, may leave the company unprepared for regulatory inquiries or partner due diligence.
  • CFO: Vendor contracts (payroll, accounting software, cloud services) that lack data protection clauses may create unaddressed liability exposure that is difficult to quantify until an incident occurs.
  • HR/Country Manager: Sharing employee data with overseas headquarters without reviewing cross-border transfer requirements may create compliance gaps that are easy to overlook in routine HR reporting.
  • Board: Absence of a documented data protection compliance program may be viewed unfavorably in investment due diligence or in the event of a regulatory inquiry, and should be addressed proactively rather than reactively.

What Companies Should Review

  • Map what personal data is collected across HR, customer, student and marketing functions
  • Review consent language used in employment contracts, customer terms and marketing sign-ups
  • Assess whether any data is transferred outside Vietnam, and to whom
  • Review vendor and processor contracts for data protection clauses
  • Confirm data retention periods are documented and reasonable
  • Assess whether sensitive data categories (health, biometric, financial) are involved and handled appropriately
  • Establish a basic internal incident response process
  • Monitor regulatory updates, as Vietnam’s data protection framework continues to develop

How Ecovis Vietnam Law Can Support

Ecovis Vietnam Law supports tech companies, HR teams, education businesses, marketing teams and CFOs across East Ho Chi Minh City — including Thao Dien, An Phu, Thu Thiem and Thu Duc — with practical data protection reviews covering data mapping, vendor contract review, cross-border transfer assessments and internal policy development. Because this area of law has been evolving, our approach emphasizes verifying current requirements at the time of engagement rather than relying on prior assumptions, and coordinating with clients’ IT and HR functions to build a workable, documented compliance program.

FAQ

What is the PDPL and does it apply to my company?
The PDPL refers to Vietnam’s personal data protection law and its implementing regulations, which generally apply to organizations processing personal data of individuals in Vietnam; companies should verify current applicability to their specific operations given the evolving regulatory landscape.

Does PDPL compliance apply to foreign-owned companies operating in Vietnam?
In general, data protection obligations are expected to apply based on where data processing activities occur and whose data is processed, rather than the nationality of ownership, but companies should confirm current scope for their specific situation.

Do we need consent to collect employee data?
Employment relationships often involve a lawful basis for certain data processing, but companies should still review consent and disclosure practices carefully, as requirements may differ for different categories of data.

Is transferring data to our overseas headquarters considered a cross-border transfer?
In many cases, yes — sending personal data outside Vietnam, including to an affiliated headquarters, may be treated as a cross-border transfer subject to specific conditions, and this should be assessed on a case-by-case basis.

Do we need a written agreement with every vendor that touches personal data?
It is generally advisable to have data protection terms in place with any vendor or processor handling personal data on the company’s behalf, to allocate responsibility and reduce exposure in the event of an incident.

What should we do if we experience a suspected data breach?
Companies should have an internal process to assess, contain and document the incident, and should seek legal advice promptly to evaluate notification obligations, which may vary depending on the nature and scale of the incident.

How often should our data protection practices be reviewed?
Given the pace of regulatory development in this area, an annual review, or a review triggered by significant operational changes (new systems, new markets, new data types), is generally advisable.

Share this post:
Facebook
Twitter
LinkedIn
WhatsApp

Discover more articles