Vietnam PDPL Practical Compliance Guide — Consent Management, Cross-Border Data Transfers, and PIA for Japanese Companies

May 25, 2026
Lead

Vietnam PDPL (Personal Data Protection Law) is the collective term for the legal framework governing the collection, processing, and transfer of personal data in Vietnam. At its core is Decree 13/2023/ND-CP (Personal Data Protection Decree, commonly known as PDPD), and efforts are underway to elevate it to the statutory level (the PDPL proper).

This article is intended for legal, compliance, and IT officers at Japanese companies that have already entered or are considering entering the Vietnamese market. It provides a practical overview of consent management, data subject rights, cross-border transfers, PIA (Privacy Impact Assessment), and penalties for violations.

As data protection laws are being enacted in rapid succession across ASEAN countries, Vietnam stands out for the breadth of its regulatory reach and its comparatively strict penalties. These are issues that cannot be avoided when advancing AI adoption or integrating data with headquarters, and readers are encouraged to approach this article from the perspective of simultaneously building a compliance framework and driving AI projects forward.

What Is Vietnam's PDPL — Overview and Scope

The legal framework referred to as "Vietnam PDPL" must be understood by combining Decree 13/2023 as its core with subsequent penalty decrees and the ongoing legislative efforts to elevate it to statutory law. We begin by covering the background of its enactment, its scope of application, and its positioning relative to other ASEAN laws.

Background and Enforcement Status of the PDPL

Vietnam had long addressed data protection through fragmented privacy provisions scattered across laws such as the Civil Code, the Cybersecurity Law, and the Law on Electronic Transactions. However, it overhauled its personal data protection framework by enacting Decree 13/2023/ND-CP (PDPD) as a dedicated, comprehensive regulation. Since its entry into force, operational guidance has been steadily developed, primarily by the Ministry of Public Security, and the government is moving forward with elevating the framework from a Decree to a formal Law.

The PDPD is structured to address data subject rights, obligations of data processors, cross-border transfer regulations, and sanctions for violations within a single framework. A notable feature is that while it references the GDPR (EU General Data Protection Regulation) as a model, it incorporates Vietnam's own notification and registration system.

Immediately after the law came into force, practical preparations on the industry side lagged behind, and the authorities continued to operate with a transitional approach. However, as cases of inspections and guidance by the authorities have accumulated, situations are increasingly arising where merely formal compliance is insufficient. For local subsidiaries of Japanese companies, the time has come to re-examine their headquarters-driven personal information protection policies against the framework of Vietnamese law.

Scope of Applicable Businesses

The scope of the PDPD is broad, extending not only to businesses that process personal data within Vietnam, but also to businesses outside Vietnam that process data targeting the Vietnamese market or individuals residing in Vietnam. Foreign businesses handling information of Vietnamese users—such as those in e-commerce, SaaS, or mobile apps—are no exception.

"Personal data" subject to the law is organized into two categories: basic data (such as name and contact information) and sensitive data (such as health, biometric, financial, religious, and sexual orientation information). When handling sensitive data, obligations such as consent requirements, protective measures, and the appointment of a DPO become significantly more stringent.

A particularly relevant issue for Japanese companies is the case of sharing employee data from a Vietnamese entity with the Japanese headquarters. Data sent to headquarters HR systems or payroll BPO services—such as salary, performance evaluation, and social insurance information—is subject to the PDPD, requiring consideration of both cross-border transfer regulations and consent requirements.

Even for companies still in the process of considering market entry, there is a possibility of falling within the scope of the PDPD from the point of handling lead lists obtained through market research or customer information collected via distributors.

Positioning Relative to ASEAN Data Protection Laws

ASEAN countries have been advancing the development of data protection laws in recent years. Thailand's PDPA, Singapore's PDPA, Indonesia's PDP Law, Malaysia's PDPA, and the Philippines' DPA are all influenced by the GDPR while incorporating each country's own notification and registration systems.

Compared to these, Vietnam's PDPD is distinctive in the following respects. First, it explicitly stipulates a requirement to submit TIA (Transfer Impact Assessment) documentation for cross-border transfers. Second, the criteria for appointing a DPO are defined with relative clarity for businesses processing sensitive data and similar entities. Third, there is significant overlap with adjacent laws such as the Cybersecurity Law and the Law on Electronic Transactions, necessitating practical compliance responses that span multiple pieces of legislation.

For Japanese companies operating across the ASEAN region, a practical approach is to organize each country's regulations within a common framework—covering data inventory, consent management infrastructure, and cross-border transfer procedures—while layering in country-specific differences. A cross-cutting comparison is covered in "ASEAN Data Protection Laws: An In-Depth Comparison of 4 Countries" (slug: asean-data-protection-law-comparison-guide).

Key Requirements of the PDPL — 6 Pillars

The PDPD imposes numerous obligations on businesses. Of the six pillars named in this heading, this section covers the first three that must be grasped in day-to-day practice: consent acquisition, data subject rights, and DPO appointment (cross-border transfers, PIA, and incident response each have their own section below). We examine the requirements for each, along with the operational points that tend to become issues for Japanese companies on the ground.

Consent Collection and Record Retention

Consent under the PDPD must satisfy the requirements of being "freely given, clear, specific, informed, and revocable." The common practice of obtaining consent through a blanket "by agreeing to the Terms of Service you consent to the use of your personal information" approach is insufficient; consent must be obtained after individually disclosing the purpose of use, retention period, whether data will be shared with third parties, and transfer destinations.

When handling sensitive data, explicit consent must be obtained in writing or electronically, and records of such consent must be retained. A mechanism that allows tracking on a per-data-subject basis—including the time and method of consent acquisition and withdrawal history—is effectively mandatory.

A typical sticking point for Japanese companies is the failure to digitize paper-based consent forms. By incorporating a consent flow into the registration process for internal systems and maintaining a ledger using a Consent Management Platform (CMP) or IT Service Management (ITSM) tool, companies can ensure readiness to respond promptly to regulatory inquiries.

Note that lawful bases other than consent—such as the performance of an employment contract or compliance with a legal obligation—are recognized in certain situations. Rather than processing everything under "consent," the key to avoiding rework downstream is to organize operations by lawful basis and design the operational flow accordingly.
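The per-subject consent ledger that the preceding paragraphs describe, sketched as an added example (not code from the article or from Enison): purpose-specific grants that record the disclosed retention period, third-party sharing and transfer destination, a withdrawal history, refusal of blanket "Terms of Service" purposes, and a permission check that separates consent from the non-consent lawful bases. Field names, the lawful-basis vocabulary and the sample subject identifiers are assumptions constructed for the illustration.

```python
"""Consent ledger for PDPD-style purpose-specific consent (illustrative, assumed field names)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Lawful bases other than consent mentioned in the article; processing under these
# does not hinge on a consent record. The identifiers are an assumed vocabulary.
NON_CONSENT_BASES = {"employment_contract", "legal_obligation"}

# Blanket wording the article calls insufficient: the ledger refuses to store it.
BLANKET_PURPOSES = {"terms_of_service", "all_purposes", "general"}


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so every timestamp in the ledger is timezone-aware."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Disclosure:
    """What the data subject was told, per purpose, before consenting."""
    purpose: str
    retention_days: int
    shared_with_third_parties: bool
    transfer_destination: Optional[str]  # e.g. "JP-HQ" for a cross-border transfer, None if none


@dataclass(frozen=True)
class ConsentEvent:
    kind: str                                # "given" or "withdrawn"
    at: datetime                             # timezone-aware timestamp of the event
    method: str                              # capture channel, e.g. "signed_pdf", "web_form", "email"
    disclosure: Optional[Disclosure] = None  # present on "given" events only


class ConsentLedger:
    """Per-subject, per-purpose history of consent grants and withdrawals."""

    def __init__(self) -> None:
        self._events: dict[tuple[str, str], list[ConsentEvent]] = {}

    def record_consent(self, subject_id: str, disclosure: Disclosure, method: str, at: datetime) -> None:
        if disclosure.purpose in BLANKET_PURPOSES:
            raise ValueError(f"blanket purpose {disclosure.purpose!r} is not a specific purpose")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        key = (subject_id, disclosure.purpose)
        self._events.setdefault(key, []).append(ConsentEvent("given", at, method, disclosure))

    def withdraw(self, subject_id: str, purpose: str, method: str, at: datetime) -> None:
        key = (subject_id, purpose)
        if key not in self._events:
            raise KeyError(f"no consent on record for {subject_id!r}/{purpose!r}")
        self._events[key].append(ConsentEvent("withdrawn", at, method))

    def history(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        return sorted(self._events.get((subject_id, purpose), []), key=lambda e: e.at)

    def is_permitted(self, subject_id: str, purpose: str, lawful_basis: str, now: datetime) -> tuple[bool, str]:
        """Decide whether processing may proceed, and say why, for audit logging."""
        if lawful_basis in NON_CONSENT_BASES:
            return True, f"processing rests on {lawful_basis}, not on consent"
        if lawful_basis != "consent":
            return False, f"unknown lawful basis {lawful_basis!r}"
        events = self.history(subject_id, purpose)
        if not events:
            return False, "no consent on record"
        latest = events[-1]
        if latest.kind == "withdrawn":
            return False, f"consent withdrawn at {latest.at.isoformat()}"
        expires = latest.at + timedelta(days=latest.disclosure.retention_days)
        if now >= expires:
            return False, f"disclosed retention period ended {expires.date()}"
        return True, f"consent given {latest.at.date()} via {latest.method}, valid until {expires.date()}"

    def subject_report(self, subject_id: str) -> list[dict]:
        """Flat, time-ordered export for an authority inquiry or a data-subject request."""
        rows = []
        for (sid, purpose), _ in self._events.items():
            if sid != subject_id:
                continue
            for e in self.history(sid, purpose):
                row = {"purpose": purpose, "event": e.kind, "at": e.at.isoformat(), "method": e.method}
                if e.disclosure:
                    row.update(asdict(e.disclosure))
                rows.append(row)
        return sorted(rows, key=lambda r: r["at"])


if __name__ == "__main__":
    # Constructed scenario: payroll data of a Vietnam-entity employee sent to the Japanese HQ.
    ledger = ConsentLedger()
    ledger.record_consent("emp-0042", Disclosure("hq_payroll_transfer", 365, True, "JP-HQ"),
                          "signed_pdf", utc(2026, 1, 10, 9))
    ledger.withdraw("emp-0042", "hq_payroll_transfer", "email", utc(2026, 3, 11))
    for basis in ("consent", "employment_contract"):
        print(basis, ledger.is_permitted("emp-0042", "hq_payroll_transfer", basis, utc(2026, 3, 12)))
```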

Data Subject Rights (Erasure, Rectification, Portability)

The PDPD guarantees data subjects a number of rights. Representative examples include the right to know whether one's data is being processed, the right to request correction or deletion of data, the right to request restriction of processing, the right to data portability, and the right to object to automated decision-making.

The most frequently encountered situations in Japanese company operations include deletion requests from former employees, opt-out requests from customers to stop unwanted communications, and requests to correct HR data. These requests must be processed within the legally prescribed response deadlines, and the outcomes must be recorded.

The practical keys are consolidating the intake channel for requests and reaching internal agreement on response SLAs. When sales staff, customer support, and HR each handle requests independently, missed responses and deadline overruns are prone to occur. A realistic approach is to receive requests through an inquiry form or help desk, with the DPO or legal department performing initial triage.

Regarding deletion requests, a key issue is whether data must also be erased from backups and systems operated by external contractors. Maintaining a data inventory—a map of what data exists where—can dramatically reduce the investigation time required for each request.

Obligation to Appoint a Data Protection Officer (DPO)

The PDPD requires businesses meeting certain conditions to appoint a Data Protection Officer (DPO) or an equivalent responsible department. Representative targets include businesses that process sensitive data in large volumes and businesses that process data as a core part of their operations.

At local subsidiaries of Japanese companies, a common pattern is to appoint a DPO for the Vietnamese entity under the direction of the parent company's global CISO or CPO. A dedicated appointment is not strictly required, but since the DPO serves as the point of contact for regulatory inquiries, it is necessary to select someone with an understanding of both Vietnamese law and the company's business operations.

In practice, options include assigning the role concurrently to a legal staff member and an IT staff member, or outsourcing the DPO function to an external specialist firm or consulting company. Even when outsourcing, it is important to designate one internal point person and ensure a structure that allows for day-to-day coordination with the external DPO.

The DPO's primary responsibilities include maintaining Records of Processing Activities (ROPA), conducting Privacy Impact Assessments (PIAs), responding to regulatory inquiries, and delivering internal training. While these may appear to be documentation tasks, their essence lies in building consensus with business units and embedding practices into operations—making it a role that functions best when filled by someone who can engage directly on the ground.

Regulations on Cross-Border Data Transfers

Cross-border data transfers (transfers outside the country) are the most significant issue for Japanese companies. They are relevant to virtually all business operations—coordination with headquarters, sharing among group companies, and the use of cloud services. The PDPD clearly defines formal requirements, including advance notification of transfers and the submission of Transfer Impact Assessment (TIA) documentation.

Notification Obligations and Submission of Impact Assessment Documents

Businesses conducting cross-border transfers are required to prepare a Transfer Impact Assessment (TIA) document and notify the relevant authorities. The TIA must include the purpose of the transfer, the country of the recipient, the types of data being transferred, the impact on data subjects, and security management measures.

The notification timing is defined as "within a specified period after the transfer commences," making it a post-transfer (ex post) submission—a point that differs from GDPR's prior approval model. In practice, however, it is safer to complete the internal review and finalize a draft of the documentation before the transfer begins. Treating post-transfer notification as a reason to defer documentation is risky: if the relevant materials are not in order when authorities make inquiries, the time required to respond will increase significantly.

Even after documents are submitted, there is an obligation to update them if the situation at the transfer destination or the nature of the processing changes. Organizations should design a TIA review cycle triggered by events such as organizational restructuring, group company reorganizations, or the introduction of new SaaS tools.

Many Japanese companies have their headquarters' IT departments centrally managing cloud configurations across the entire ASEAN region. In such cases, it is not sufficient for only the Vietnam entity to maintain TIA documentation; coordination is required to align with the headquarters' global policy.

Consent-Based vs. Standard Contractual Clauses (SCC) — Choosing an Approach

For the legal basis of cross-border transfers, it is common practice to combine consent-based grounds with non-consent grounds such as contractual or legal obligations. The mainstream approach among Japanese companies is to incorporate a mechanism equivalent to GDPR's Standard Contractual Clauses (SCC) into internal policies, thereby ensuring data sharing between group companies is underpinned at the contractual level.

Over-reliance on consent creates the risk that operations will be disrupted if a data subject withdraws their consent. For example, if employee HR data is shared with headquarters solely on the basis of consent, a claim of "consent withdrawal" during resignation negotiations or disputes could cause operational breakdowns. It is advisable to transition to an internal contract model that uses performance of an employment contract as the legal basis.

When establishing SCC-equivalent contracts, the data sharing agreement connecting headquarters, regional holding companies, and local entities (Intra-Group Data Transfer Agreement) should explicitly set out security management measures, notification policies for data subjects, and the allocation of liability in the event of a breach. Since this typically requires joint work between the legal and IT departments, it is more efficient to define roles and responsibilities early on.

Practical Guidance on Sharing HR and Customer Data with Japanese Headquarters

For Japanese companies, the area requiring particular attention is the sharing of HR and customer data with headquarters. Transfers of Vietnam entity employee data to Japan occur on a routine basis in connection with payroll processing, social insurance, performance evaluations, and compliance training.

For HR data, the primary legal basis should be performance of the employment contract, while items more prone to consent-related issues—such as evaluation records and disciplinary records—should be examined individually. Establishing rules for the retention period and disposal procedures for data of former employees will facilitate smooth responses to deletion requests and explanations during audits.

Sharing customer data with headquarters is an area that does not align well with the centralization of marketing automation (MA) and CRM systems at headquarters. A configuration in which a global MA tool distributes Vietnamese customer lists from a headquarters server raises issues on both the transfer procedure and consent design fronts. A design decision will be required: either provision region-specific data stores, or abandon headquarters consolidation in favor of local storage.

For those designing cross-border data governance across the entire ASEAN region, the related article ASEAN Cross-Border AI Projects — Multilingual RAG and Localization (slug: asean-cross-border-ai-multilingual-rag-localization-guide) also addresses the key considerations when integrating AI.

Steps for Conducting a Privacy Impact Assessment (PIA)

A PIA (Privacy Impact Assessment) is a document that prospectively evaluates the impact of data processing on the rights and freedoms of individuals. The PDPD requires the preparation of a PIA for the processing of sensitive data, cross-border transfers, automated decision-making, and similar activities. For AI-related projects, it is effectively mandatory.

Cases Requiring a PIA

The obligation to prepare a PIA arises in relation to processing activities deemed high-risk. Representative examples include the processing of sensitive data (health, biometric, financial, religious, sexual orientation, etc.), cross-border transfers, automated decision-making and profiling, and the processing of data relating to children or vulnerable groups.

Among the scenarios most frequently encountered at Japanese companies are: the use of AI in performance evaluations, drawing inferences from customer behavioral data for marketing purposes, and handling employee vital data in manufacturing processes. It is more efficient to determine whether a PIA is required at the project planning stage and to incorporate that determination as part of the planning phase.

Even in cases where it has been determined that a PIA is not required, it is recommended to document the reasoning behind that determination. Being able to immediately answer the question "why was a PIA not conducted?" during an authority inquiry helps maintain the consistency of risk management.

As an operational approach for making this determination, a practical implementation is to add checkboxes for "Does this involve personal data?" and "Is a PIA required?" to the approval request template for new projects, with legal and DPO review built into the drafting stage.

Structure of Assessment Documents and Submission Authorities

The minimum items that should be included in PIA documentation are: the purpose of processing, the types and scope of data, the impact on data subjects, security management measures, and residual risk assessment. While referencing the GDPR DPIA template, the documentation should be adapted to align with Vietnamese legal terminology and regulatory requirements.

Documentation must undergo internal legal and DPO review before being submitted through the format and channel designated by the authorities. When cross-border transfers are involved, submission is often made together with a Transfer Impact Assessment (TIA), making it important to ensure consistency between the two documents.

A common practical pitfall is treating documentation as a "one-time task." PIAs must be updated whenever processing activities or transfer destinations change, and organizations should design a review cycle triggered by events such as organizational restructuring, the introduction of new SaaS tools, or changes to AI models.

Ensuring the quality of a PIA requires more than formal documentation—the specificity of risk mitigation measures is also scrutinized. Rather than simply stating "strengthen access controls," drilling down into who will review which permissions and at what point in time will significantly increase persuasiveness during regulatory review.

Additional Considerations When Using AI

When AI is involved, additional considerations are added to the PIA. First, the source and lawfulness of training data. Second, the impact of inference results on individuals and the means for raising objections. Third, the alignment between model update cycles and data retention periods.

When personal data is used as training data, the PIA should document the scope of consent, the explicit legal basis, and the notification policy for data subjects. Particular attention is needed when configurations such as LLM fine-tuning or RAG pull data from a parent company, as this creates a dual issue involving cross-border transfers.

Automated decision-making based on inference results (such as HR screening, credit assessment, and churn prediction) requires a design that explains the impact to data subjects and ensures opportunities for human review. From an AI governance perspective, AI-Native Organizations and the Chief AI Officer (slug: ai-native-organization-cao-design-guide) and Building an ASEAN AI Governance Framework (slug: asean-ai-governance-framework-guide) organize organizational design and decision-making flows, and are recommended references when structuring a PIA.

AI utilization and the PDPD are adjacent domains. Integrating PIA operations with an "AI ethics review" can reduce duplicated internal work.

Penalties for Violations and Risk Management

The PDPD provides a framework of administrative penalties for violations, and notification obligations are imposed when a data breach occurs. It is important to understand both the penalty framework and the practical aspects of crisis response.

Framework for Fines and Administrative Sanctions

Violations of the PDPD are subject to a graduated system of sanctions, ranging from administrative penalties (fines) to, in some circumstances, criminal liability. Factors considered in determining the severity of sanctions include the seriousness of the violation, the scale of affected data subjects, and whether the violation is a repeat offense. The specific fine framework is being developed in conjunction with penalty decrees related to violations of the Cybersecurity Law and personal data protection regulations.

For Japanese companies, the greater risk lies not in the monetary amount of the fines themselves, but in the reputational impact and risk of business suspension that can result from regulatory intervention. When a violation becomes public, it often extends to the parent company's IR activities and global audits, meaning it rarely remains an issue confined to the Vietnamese subsidiary alone.

While tracking the latest information on penalties is a role for local law firms, it is advisable for organizations to internally map out "impact scenarios in the event a violation is discovered." Sharing concrete loss scenarios—such as fines, business suspension, contract termination, and customer attrition—with senior management facilitates smoother allocation of compliance budgets.

Incorporating the existence of penalties into employee training is also effective. Communicating "what happens to the business if a violation occurs" tends to foster greater compliance awareness on the ground than simply saying "follow the rules because they exist."

Breach Notification Obligations

In the event of a personal data breach, the PDPD requires notification to the authorities and data subjects within a prescribed timeframe. Delays or omissions in notification are treated as independent violations in their own right.

Items to be included in the notification are: a summary of the breach (date and time of occurrence, date and time of discovery, types and volume of data affected), the cause and scope of impact, the response measures taken and future countermeasures, and advice for minimizing harm. Since both the format and content must satisfy regulatory requirements, it is important to prepare notification templates and decision-making workflows in advance during normal operations.

The practical key is the existence of an incident response playbook that involves the IT department, legal, communications, and senior management. Organizations should establish a structure capable of moving from breach detection to notification within 72 hours, and verify its functionality through tabletop exercises one to two times per year.

When the Vietnamese subsidiary acts alone, parent company reporting, global PR, and customer communications tend to fall behind. It is advisable to establish communication protocols with the parent company's CISO, legal, and communications teams during normal operations, so that immediate escalation is possible in the event of an incident.

Alongside technical response measures, breach management that provides data subjects with honest information and supports the minimization of harm will contribute to long-term trust recovery.

Compliance Checklist for Japanese Companies

This section organizes the key items to verify in internal reviews when advancing practical compliance with Vietnam's PDPL. Any area where you cannot answer "Yes" should be prioritized for remediation.

First, is a data inventory in place? The starting point is having a visible inventory (ROPA) at the Vietnam entity level that captures "where," "what type of," and "whose" personal data the company holds.

Second, does the consent acquisition flow meet PDPD requirements? Examine three points for each of your HR systems, CRM, and marketing tools: purpose-specific consent, withdrawal routes, and record retention.

Third, are TIA documents for cross-border transfers in place? Confirm that transfers to headquarters, group companies, and SaaS providers are fully covered and that a change management cycle is operating.

Fourth, is the DPO appointment and operational structure functioning? To avoid a situation where appointment exists in name only, design the request intake route, response SLA, and internal training cycle.

Fifth, is an incident response playbook prepared? Document the detection, notification, reporting, and remediation flow for data breaches, and verify its functionality through tabletop exercises.

Sixth, is a coordination framework with headquarters established? This includes alignment between global policies and Vietnamese law, communication channels with the headquarters CISO, legal, and PR teams, and escalation paths for incidents.

If all six items can be answered with "Yes," the explanatory materials needed for a regulatory inquiry will be largely in order.

Frequently Asked Questions (FAQ)

The following are concise answers to representative questions received from our clients regarding Vietnam's PDPL.

Q1: What is the difference between Vietnam's PDPL and PDPD? PDPD refers to Decree 13/2023, a decree-level regulation that constitutes the core rules currently in effect. PDPL corresponds to a higher-level law in progress, representing the movement to elevate the Decree to the statutory level. In practice, the PDPD together with subsequent penalty decrees and operational guidance is often collectively referred to as the "PDPL framework."

Q2: Should preparations begin before market entry? There is a possibility of falling under PDPD regulations from the moment a lead list is acquired during market research. Since beginning compliance efforts after entity establishment creates a period during which existing data handling operates in a non-compliant state, it is advisable to begin preparations in parallel with market entry planning.

Q3: Is it illegal to consolidate employee data from a Vietnam entity into the headquarters' HR system? It is not illegal, but it is subject to PDPD cross-border transfer regulations. It can be operated lawfully by using the performance of an employment contract as the primary legal basis, preparing TIA documentation, and formalizing a notification policy for employees.

Q4: We want to automate customer support with an AI chatbot. What should we be careful about? Since personal data is used for inference, consent acquisition, PIA, and data retention periods must be built into the design at the planning stage. A configuration that delegates inference to the headquarters' generative AI infrastructure raises a dual issue of cross-border transfer, so it is worth considering an option that keeps inference entirely within Vietnam.

Q5: If a violation is discovered, how far-reaching could the impact be? In addition to administrative penalties, the impact may cascade beyond the monetary fine amount, including operational suspension guidance, contract termination by counterparties, customer attrition, and spillover to headquarters IR. It is advisable to prepare damage scenario estimates and use them as a basis for securing a compliance budget.

Conclusion — Integrating into a Cross-ASEAN Data Protection Strategy

Vietnam's PDPL (the personal data protection framework centered on Decree 13/2023) is an unavoidable issue for Japanese companies already operating in or considering entry into Vietnam. By addressing the six pillars of consent acquisition, data subject rights, DPO appointment, cross-border transfers, PIA, and incident response, the explanatory materials needed for a regulatory inquiry will be largely in order.

As data protection laws continue to develop across ASEAN, approaching the matter as part of an ASEAN-wide data governance framework—rather than addressing Vietnam in isolation—will reduce the long-term burden. A practical design approach is to establish a common framework covering data inventory, consent management infrastructure, cross-border transfer procedures, and incident response playbooks, then layer country-specific differences on top.

In the context of AI adoption, integrating PIA with an "AI ethics review" and embedding data protection requirements from the planning stage enables a development workflow with no costly rework. The ability to align headquarters' AI governance framework with local law while balancing aggressive AI investment with defensive compliance is what will be required of companies expanding into ASEAN going forward.

Since the operation of PDPD is a domain that will continue to evolve, maintaining close collaboration with local law firms while continuously updating internal structures is what will underpin long-term business continuity.

Author & Supervisor

Chi (Enison)
Majored in Information Science at the National University of Laos, where he contributed to the development of statistical software, building a practical foundation in data analysis and programming. He began his career in web and application development in 2021, and from 2023 onward gained extensive hands-on experience across both frontend and backend domains. At our company, he is responsible for the design and development of AI-powered web services, and is involved in projects that integrate natural language processing (NLP), machine learning, and generative AI and large language models (LLMs) into business systems. He has a voracious appetite for keeping up with the latest technologies and places great value on moving swiftly from technical validation to production implementation.

Yusuke Ishihara (Enison)
Started programming at age 13 with MSX. After graduating from Musashi University, worked on large-scale system development including airline core systems and Japan's first Windows server hosting/VPS infrastructure. Co-founded Site Engine Inc. in 2008. Founded Unimon Inc. in 2010 and Enison Inc. in 2025, leading development of business systems, NLP, and platform solutions. Currently focuses on product development and AI/DX initiatives leveraging generative AI and large language models (LLMs).
