LAW ON PERSONAL DATA PROTECTION 2025 – NEW MANDATORY OBLIGATIONS FOR BUSINESSES
On June 26, 2025, during its 9th session, the 15th National Assembly of Vietnam officially passed the Law on Personal Data Protection No. 91/2025/QH15 (“Law on Personal Data Protection 2025”) – the first specialized legislation comprehensively regulating personal data protection in Vietnam. This marks a significant legal milestone and affirms the country’s strong shift toward safeguarding individual privacy in the fast-growing digital economy.
The Law on Personal Data Protection 2025 will officially take effect on January 1, 2026. Accordingly, businesses must proactively take note of the following key new provisions to ensure compliance and avoid potential legal risks during their operations:
1. Absolute prohibition of buying and selling personal data:
According to Article 7 of the Law, seven acts related to personal data are strictly prohibited, including:
(a) Processing personal data to oppose the Socialist Republic of Vietnam, or in a manner that affects national defense, national security, public order and safety, or the lawful rights and interests of agencies, organizations, and individuals.
(b) Obstructing personal data protection activities.
(c) Abusing personal data protection activities to commit acts in violation of the law.
(d) Processing personal data contrary to legal provisions.
(e) Using other people’s personal data or allowing others to use one’s personal data to commit acts in violation of the law.
(f) Buying or selling personal data, unless otherwise provided by law.
(g) Appropriating, intentionally disclosing, or causing the loss of personal data.
2. Strict sanctions for violations:
Article 8 of the Law stipulates strict penalties for violations of personal data protection regulations, including:
(a) The maximum administrative fine for buying or selling personal data is 10 times the revenue obtained from the violation. If no revenue is generated or the calculated fine is lower than VND 3 billion, the default fine shall be VND 3 billion.
(b) The maximum administrative fine for violations related to cross-border data transfers is 5% of the violating organization’s revenue from the preceding year. If such revenue is unavailable or results in a lower fine, the maximum fine shall be VND 3 billion.
(c) Enterprises and individuals may be subject to criminal prosecution for acts of a serious nature and extent.
3. Obligation to delete employee personal data after termination of contract:
According to Clause 2, Article 25 of the Law, after terminating an employment contract, businesses must:
(a) Comply with the Law on Personal Data Protection 2025, labor laws, data laws, and other relevant legal provisions.
(b) Retain employees’ personal data only for the period prescribed by law or agreed upon by the parties.
(c) Delete or destroy the employee’s personal data upon termination, unless otherwise agreed or stipulated by law.
4. Social media platforms must not require ID images/videos for verification purposes:
Pursuant to Article 29, providers of social networking and online communication services must:
(a) Clearly notify data subjects of the personal data collected when they install and use such services, and not collect personal data illegally or beyond the agreed scope.
(b) Not request images or videos containing full or partial identity documents as a factor for account verification.
(c) Provide users with the option to reject the collection and sharing of data files (cookies).
(d) Provide a “do not track” option or only track usage with the user’s consent.
(e) Not eavesdrop, record calls, or read text messages without the data subject’s consent, unless otherwise provided by law.
(f) Publicly disclose privacy policies, clearly explain methods of data collection, use, and sharing; provide users with mechanisms to access, modify, delete data, set privacy rights, report violations; protect Vietnamese citizens’ personal data in cross-border transfers; and implement prompt, effective violation-handling procedures.
Accordingly, from January 1, 2026, social networking platforms may not use images or videos of identity cards, citizen IDs, passports, or other identity documents as verification elements.
5. “Post-audit mechanism” instead of “prior approval” for cross-border personal data transfers:
According to Article 20, instead of obtaining prior approval, enterprises transferring personal data across borders must conduct an impact assessment and submit one original copy to the competent authority within 60 days from the first day of transfer, except for the following cases:
(a) Transfers by competent state authorities;
(b) Agencies and organizations storing employee personal data on cloud computing services;
(c) Data subjects transferring their own personal data across borders;
(d) Other cases as prescribed by the Government.
The personal data protection authority may conduct periodic inspections (no more than once per year) or unscheduled inspections upon discovering violations or incidents involving data breaches or losses.
6. Exemptions and incentives for small and micro enterprises:
According to Article 38, the Law provides exemptions and incentives for small and micro enterprises:
(a) Small and startup enterprises may choose whether to implement the following obligations within five years from the effective date: (i) prepare personal data processing impact assessments; (ii) update data processing and cross-border data transfer impact assessments; (iii) designate data protection officers.
(b) Household businesses and microenterprises are exempt from the above obligations.
7. Recommendations from Pros Legal:
In light of these critical new regulations, businesses should consider taking the following measures to mitigate legal risks:
(a) Proactively review and assess current personal data processing practices;
(b) Develop compliance plans for protecting personal data of employees, customers, and third parties involved in operations;
(c) Establish a comprehensive governance framework for personal data processing activities;
(d) Carry out administrative procedures for reporting and conducting data processing impact assessments, and promptly notify the competent authority of any changes (especially those related to cross-border transfers).
The Law on Personal Data Protection 2025 has a broad scope of application, stringent sanctions, and numerous binding legal obligations. Therefore, timely awareness and implementation of compliance measures will not only help businesses avoid legal risks and potential financial losses but also build trust with customers, partners, and regulators in the course of business operations.
DANG XUAN DAT – Partner
HUYNH THI HAU – Partner






