What is the Law on Personal Data Protection (LPDP)?
The Vietnam Law on Personal Data Protection (LPDP) is a national law that governs the collection, processing, storage, sharing, and transfer of personal data related to individuals in Vietnam. Formally adopted by Vietnam’s National Assembly in June 2025, the LPDP establishes a comprehensive, legally binding framework for personal data protection and replaces earlier decree-based regulations with a full-fledged law.
The LPDP took effect on January 1, 2026.
Background and Legal Evolution
Vietnam’s personal data protection framework evolved in two major stages:
2023: Introduction of Decree No. 13/2023/ND-CP, Vietnam’s first comprehensive regulation on personal data protection
2025: Adoption of the Law on Personal Data Protection (LPDP), elevating data protection requirements from a government decree to a national law
2026: Full enforcement of the LPDP and its implementing decrees, replacing Decree 13
This transition reflects Vietnam’s move toward stronger accountability, clearer obligations, and more enforceable personal data governance.
When Did the Vietnam LPDP Take Effect?
- Adopted: June 26, 2025
- Effective date: January 1, 2026
From this date onward, organizations handling personal data related to Vietnam are required to comply with the LPDP and its implementing regulations.
Who Must Comply with the Vietnam LPDP?
The LPDP applies to a wide range of organizations, including both domestic and foreign entities.
You may be subject to the LPDP if you:
Collect or process personal data of individuals in Vietnam
Employ individuals or engage customers, partners, or users in Vietnam
Transfer personal data related to Vietnam across national borders
Use cloud services, external platforms, or AI tools involving Vietnamese personal data
Importantly, physical presence in Vietnam is not required. Foreign organizations may still fall under the LPDP if their data processing activities relate to individuals in Vietnam.
What is Considered Personal Data Under the LPDP?
The LPDP distinguishes between personal data and sensitive personal data.
Personal Data
Personal Data refers to information that identifies or can be used to identify an individual, either directly or indirectly. Examples include:
- Full name, date of birth, gender
- Address and contact information
- Nationality or identification-related data
- Personal images or profiles
Sensitive Personal Data
Sensitive personal data includes data that could significantly affect an individual’s rights or interests if misused. This category is subject to stricter protection requirements and typically includes:
- Financial and banking information
- Health and biometric data
- Location and behavioral data
- Other high-risk data categories defined by implementing regulations
Why the Vietnam LPDP Matters
For organizations, the LPDP represents a shift toward stricter expectations around:
- Visibility into where personal data resides
- Control over how data is accessed, used, and shared
- Accountability that can be demonstrated with evidence
- Ongoing compliance, not one-time certification
Organizations that rely solely on system-based or perimeter-based security models may struggle to meet these expectations.