Background of the Law on Personal Data Protection, No. 91/2025/QH15
Before delving into the specifics, it’s essential to understand why Vietnam needed a personal data protection law and how the Law on Personal Data Protection, No. 91/2025/QH15 addresses practical needs.
Vietnam is undergoing a robust digital transformation, with personal data being collected and processed at an unprecedented scale. However, the legal framework for managing and protecting personal data has been fragmented, leaving significant gaps. Recent years have seen alarming data breaches, with over 110 million records involved in illegal data trading in the first half of 2025 alone, highlighting critical cybersecurity vulnerabilities.
Passed by the National Assembly on June 26, 2025, and effective from January 1, 2026, the Law on Personal Data Protection, No. 91/2025/QH15 establishes a comprehensive legal framework. It covers individual rights, organizational responsibilities, and penalties to mitigate risks associated with data breaches in digital activities.
Key highlights of the Law on Personal Data Protection, No. 91/2025/QH15
The law not only defines personal data and its scope but also establishes clear principles, rights, obligations, and requirements for data processing, periodic audits, and cross-border data transfer controls. Key highlights include:
- Mandatory encryption of personal data in specific scenarios, ensuring unauthorized parties cannot access sensitive information.
- Periodic or ad-hoc audits of cross-border personal data transfers when risks are identified.
- Mandatory notification of data breaches or losses within 72 hours of detection.
- Stringent penalties, including fines up to 5% of annual revenue or VND 3 billion for serious violations, and up to “10 times the illegal profits” for violations involving illicit gains.
Scope and Definitions Under the Law on Personal Data Protection, No. 91/2025/QH15
This section details the law’s scope and core definitions to help businesses and organizations understand their responsibilities and boundaries.
Scope and Applicability
The Law on Personal Data Protection, No. 91/2025/QH15 governs the collection, processing, storage, sharing, and deletion of personal data, as well as the protection of data subjects’ rights and the responsibilities of related entities. It applies to:
- Agencies, organizations, and individuals in Vietnam.
- Foreign agencies, organizations, and individuals processing personal data related to Vietnamese residents.
- Individuals of Vietnamese origin residing in Vietnam without confirmed nationality.
Definition of Personal Data
The law defines personal data as information that can directly or indirectly identify a data subject. Sensitive data, such as health, private secrets, or financial credit information, receives special consideration.
Principles for Processing Personal Data
Organizations and individuals must adhere to core principles, including:
- Transparency and clear purpose: Data collection and processing must align with the stated purpose.
- Data minimization: Collect only necessary data and retain it for a reasonable period.
- Accuracy and updates: Correct inaccuracies promptly.
- Security: Implement encryption and access controls to ensure data safety.
- Risk notification and response: Detect and address data breach incidents promptly.
Rights and Obligations of Data Subjects
The Law on Personal Data Protection, No. 91/2025/QH15 not only outlines organizational responsibilities but also emphasizes the central role of individuals as data owners. Data subjects are granted stronger control over their information while bearing specific obligations.
Rights of Data Subjects
Individuals have enhanced rights to manage their personal data, including:
- Being informed about how their data is processed.
- Consenting to, refusing, or withdrawing consent for data processing.
- Accessing, correcting, deleting, or restricting the processing of their data.
- Requesting a copy of their personal data.
- Objecting to data processing.
- Filing complaints, lawsuits, or seeking compensation for violations of their rights.
Obligations of Data Subjects
Individuals using services or interacting with data-processing organizations must:
- Protect their own personal data and avoid providing false information that could cause harm.
- Respect others’ personal data rights.
- Provide accurate data as required for contracts, transactions, or legal obligations.
- Cooperate with data processors when required and comply with data protection laws.
Organizational Responsibilities and Data Breach Solutions
Alongside protecting individual rights, the Law on Personal Data Protection, No. 91/2025/QH15 imposes strict requirements on organizations and businesses that collect and process personal data. These entities bear the highest responsibility for ensuring data security, transparency, and legal compliance.
Responsibilities of Data Controllers and Processors
Both data controllers (who determine the purpose and means of processing) and processors (who process data on behalf of controllers) must:
- Implement appropriate technical and organizational measures to protect personal data, with regular reviews and updates.
- Notify authorities of data breaches within 72 hours of detection.
- Conduct data protection impact assessments (DPIAs), especially for cross-border data transfers, and update them as needed.
- Cooperate with authorities to audit or halt data transfers when risks are identified.
- Compensate for damages caused by violations and remain accountable to data subjects.
- Face criminal liability for serious violations.
Preventing Data Breaches: Technical and Organizational Solutions
To avoid violations under the new regulations, organizations should adopt the following measures:
- Deploy multi-layered security systems, including firewalls, intrusion detection/prevention systems (IDS/IPS), web application firewalls (WAF), and access controls.
- Encrypt data at rest and in transit.
- Monitor systems, detect intrusions, and issue early warnings.
- Perform regular backups and test recovery processes to minimize data loss risks.
- Train staff and establish internal data security protocols.
- Conduct periodic risk assessments and update security measures.
- Develop an incident response plan, including reporting, notification, remediation, and post-incident reviews.
Numerous warnings about data breaches have appeared in publications like GenK, ThanhnienViet.vn, and Trang Tin cong nghe, underscoring the real-world pressures the Law on Personal Data Protection, No. 91/2025/QH15 places on businesses.
Penalties and Risks of Data Breaches
The Law on Personal Data Protection, No. 91/2025/QH15 is not merely advisory; it includes clear enforcement mechanisms, reflecting the state’s commitment to personal data protection. Strict penalties aim to deter violations and compel organizations to prioritize data security.
Penalties under the Law on Personal Data Protection, No. 91/2025/QH15
Violations of personal data processing regulations may result in administrative fines or criminal liability, depending on severity:
- Fines up to VND 3 billion for various violations, a record level highlighted in media and PR campaigns as a warning to businesses.
- Fines up to 10 times the illegal profits for violations involving the sale or illicit use of personal data.
- Fines up to 5% of the previous year’s revenue for non-compliant cross-border data transfers.
- Repeated violations may lead to additional penalties, such as license revocation or a 1–3-month suspension of data collection activities.
Real-World Risks of Data Breaches
- Loss of brand reputation and customer trust.
- Legal disputes, lawsuits, and compensation claims.
- Business disruptions due to penalties or suspensions.
- Regulatory audits or criminal investigations.
For example, some businesses have faced reputational collapse due to customer data leaks, incurring fines up to VND 3 billion. Internal data leaks remain a prevalent risk.
Roadmap for businesses before January 1, 2026
To comply with the Law on Personal Data Protection, No. 91/2025/QH15 by its effective date, businesses must prepare now to avoid legal risks and ensure readiness. Below is a five-step roadmap for comprehensive compliance:
- Audit existing data systems to identify personal data being collected, processed, or stored.
- Conduct risk assessments and create data protection impact assessments (DPIAs).
- Build or optimize security infrastructure with encryption, monitoring, and access controls.
- Train staff and establish internal processes, ensuring personnel are the first line of defense.
- Test systems, run incident response drills, and review compliance before the law takes effect.
Starting early is critical, as compliance pressures and violation risks will intensify as January 1, 2026 approaches.
VNETWORK: Comprehensive Infrastructure, Content Delivery Network, and Security Solutions for the Law on Personal Data Protection, No. 91/2025/QH15
With the Law on Personal Data Protection, No. 91/2025/QH15 taking effect on January 1, 2026, compliance is not just a legal requirement but a vital factor in safeguarding business reputation and customer trust.
As a Comprehensive Cybersecurity Response Center, VNETWORK supports Vietnamese businesses in achieving compliance with the Law on Personal Data Protection, No. 91/2025/QH15 and building robust data security systems through its AI-powered infrastructure, transmission, and cybersecurity ecosystem.
VNETWORK is a leading provider of infrastructure, transmission, and cybersecurity solutions in Vietnam and Asia. Its three flagship solutions include:
- VCLOUD: A Tier III cloud-native platform with 99.997% uptime, integrated CI/CD, and ISO 27001-compliant security. It offers scalable, tailored solutions with 24/7 technical support.
- VNIS: An AI-driven web, app, and API security system with SOC integration, protecting against ransomware, DDoS attacks, and vulnerability exploitation in real time. VNIS is essential for secure digital transformation.
- EG-Platform: A globally unique email security solution meeting 100% of the ITU-T X.1236 standard by the International Telecommunication Union. It leverages AI and machine learning to detect and prevent ransomware, phishing, and APT attacks, ensuring secure two-way email systems.
Compliance with the Law on Personal Data Protection, No. 91/2025/QH15 not only helps businesses avoid fines up to VND 3 billion or 10 times illegal profits but also strengthens reputation, operational resilience, and customer trust in the data-driven era.
VNETWORK is committed to partnering with Vietnamese businesses to build secure, autonomous, and sustainable digital infrastructure, ready for the era of comprehensive data protection.
Conclusion
The Law on Personal Data Protection, No. 91/2025/QH15 marks a transformative step in personal data management in Vietnam. With rising data breaches, businesses that overlook compliance risk legal penalties and reputational damage.
Adopting appropriate technological and organizational solutions is essential. VNETWORK, a leading Comprehensive Cybersecurity Response Center and provider of infrastructure, transmission, and security solutions in Vietnam and Asia, is a trusted partner to help businesses navigate compliance and protect personal data professionally.
FAQ: Common questions about the Law on Personal Data Protection, No. 91/2025/QH15 and Data Breaches
1. When does the Law on Personal Data Protection, No. 91/2025/QH15 take effect?
The law was passed on June 26, 2025, and takes effect on January 1, 2026.
2. How long do businesses have to report a data breach?
When a personal data breach poses harm, controllers or processors must notify authorities within 72 hours of detection.
3. What is the maximum penalty for personal data violations under the new law?
Fines can reach 3 billion VND for serious violations, or up to 10 times the illegal profits if violations involve illicit gains.
4. Do small businesses have to comply with all provisions immediately?
Small businesses and startups may have flexibility to delay certain provisions for up to five years from the law’s effective date.
5. How does VNETWORK help businesses comply with the Law on Personal Data Protection, No. 91/2025/QH15?
VNETWORK offers secure infrastructure, data encryption, monitoring, risk assessments, staff training, and incident response solutions to ensure compliance and minimize data breach risks.