Since 2023, the legal framework for personal data protection and processing in Vietnam has been continuously updated with significant advancements and far-reaching impacts on all aspects of normal business operations, with the advent of Decree 13/2023/ND-CP, the Data Law 2024, and the Personal Data Protection Law 2025 (PDPL). In a context where personal data is becoming an indispensable resource for the operation and business optimization of any enterprise, understanding the basic legal concepts of personal data protection law serves as an important initial step for businesses to equip themselves with fundamental awareness and progress toward full compliance with legal obligations in the processing of personal data. This article will introduce the basic and common legal concepts in the field of personal data protection law.
1. Personal Data:
Personal data is digital data or information in other forms that identifies or helps identify a specific human being, including: basic personal data and sensitive personal data. (Clause 1, Article 2 of the Personal Data Protection Law)
In which:
- Basic personal data is personal data reflecting common identity elements and background information, frequently used in transactions and social relationships, belonging to the list issued by the Government.
- Sensitive personal data is personal data closely linked to an individual’s privacy rights, which when violated would directly affect the legitimate rights and interests of agencies, organizations, or individuals, belonging to the list issued by the Government.
2. Personal Data Processing:
Refers to any operation or set of operations performed upon personal data, including but not limited to: collection, analysis, aggregation, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer of personal data, and other activities affecting personal data.
3. Subjects:
- Data Subject: an individual to whom the personal data relates.
- Personal Data Controller: an agency, organization, or individual that determines the purposes and means of processing personal data.
- Personal Data Processor: an agency, organization, or individual that processes personal data at the request of the personal data controller or the personal data controller and processor through a contract.
- Personal Data Controller cum Processor: an agency, organization, or individual that determines the purposes and means of, and directly processes, personal data.
4. Rights of the Data Subject:
The rights of the personal data subject include: a) The right to be informed about personal data processing activities; b) The right to consent or refuse consent, and to withdraw consent for personal data processing; c) The right to access, rectify, or request rectification of personal data; d) The right to request provision, erasure, restriction of processing of personal data; and to submit objections to personal data processing; e) The right to lodge complaints, denunciations, initiate lawsuits, and claim compensation for damages in accordance with the law; f) The right to request competent authorities or agencies, organizations, individuals involved in personal data processing to implement measures and solutions to protect their personal data as prescribed by law.
5. Data Subject’s Consent
(i) The consent of the data subject is the permission granted by the data subject for the processing of their personal data, unless otherwise provided by law.
(ii) The consent of the data subject is only valid when based on voluntary action and clear knowledge of the following information: a) The type of personal data being processed and the purpose of personal data processing; b) The personal data controller or the personal data controller and processor; c) The rights and obligations of the data subject.
(iii) The consent of the data subject must be expressed in a clear, specific manner that can be printed or copied, including in electronic form or verifiable format.
(iv) The consent of the data subject must adhere to the following principles: a) Express consent for each specific purpose; b) Not be accompanied by conditions requiring consent to purposes other than those agreed upon; c) Remain effective until the data subject changes their consent or as prescribed by law; d) Silence or non-response shall not be considered as consent.
6. Cross-border Personal Data Transfer
Cases of cross-border personal data transfer include: a) Transferring personal data stored in Vietnam to data storage systems located outside the territory of the Socialist Republic of Vietnam; b) Agencies, organizations, or individuals in Vietnam transferring personal data to organizations or individuals abroad; c) Agencies, organizations, or individuals in Vietnam or abroad using platforms outside the territory of the Socialist Republic of Vietnam to process personal data collected in Vietnam.
The above legal concepts are the most fundamental concepts pertaining to the legal framework for personal data protection in Vietnam. In the next article, we shall introduce the personal data protection regulations applicable to specific sectors as stipulated by the Personal Data Protection Law 2025.
Date Written: 19/07/2025
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.


