Vietnam's Data Privacy Evolution: From Decree 13 (2023) to the Personal Data Protection Law (2026)

A Comprehensive Guide for Global Organizations on the New Compliance Landscape

In 2023, Vietnam took a significant foundational step in data privacy with the enactment of Decree 13/2023/ND-CP (PDPD). This decree established the first comprehensive framework for personal data protection in the country. However, Vietnam is rapidly elevating its commitment to data privacy.

On June 26, 2025, the National Assembly passed the new Personal Data Protection Law (PDPL), which will take effect on January 1, 2026, and will replace Decree 13.

This is not a minor update; it is a fundamental shift from a government decree to a comprehensive, high-level Law. For global organizations, this transition introduces significantly stricter obligations, new sector-specific rules, and severe financial penalties.

This article, compares the 2023 Decree to the new 2026 Law, providing a vital resource for companies seeking to navigate this new landscape. 

Key Comparison: Decree 13 (2023) vs. The PDPL (2026)

Understanding the differences between the 2023 decree and the 2026 law is the first step toward compliance. The new PDPL builds on the foundation of Decree 13 but expands its scope, power, and penalties dramatically

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Why the 2026 Law Changes Everything for Global Organizations

The transition from Decree 13 to the PDPL is a "game-changer" for three key reasons:

  • Massive Financial Risk: The move to revenue-based fines (up to 5% of annual revenue) aligns Vietnam with major global regulations like GDPR. This elevates data privacy from a legal-box-ticking exercise to a C-suite-level financial and reputational risk.
  • Broader, Deeper Scope: The inclusion of non-electronic data and specific rules for sectors like HR and Finance means compliance programs must be far more detailed. A "one-size-fits-all" approach that may have worked for Decree 13 will fail under the 2026 Law.
  • No "Complacent" Compliance: Organizations that are compliant with Decree 13 are not automatically compliant with the 2026 Law. A full gap analysis, policy rewrite, and system update will be required.

Q&A: Navigating the 2026 PDPL

Q1: We are compliant with Decree 13. Are we safe for the 2026 Law?

A1: No. Compliance with Decree 13 is only the first step. The 2026 Law is significantly stricter, with new rules on consent, sector-specific data, and much higher fines. You must conduct a gap analysis to identify and remedy new compliance obligations.

Q2: What is the single biggest new risk in the 2026 Law?

A2: The financial penalties. The introduction of fines based on annual revenue (up to 5%) for violations like cross-border data transfers represents a massive financial risk that demands executive-level attention.

Q3: We are a small business operating in Vietnam. Do we get any relief?

A3: Yes. The 2026 Law provides a valuable 5-year grace period for small businesses and startups from the requirements to appoint a Data Protection Officer (DPO) and file Data Protection Impact Assessments (DPIAs). However, you must still comply with all other core provisions, such as obtaining valid consent and honoring data subject rights.

Q4: How does the new law affect our HR and hiring processes?

A4: The 2026 Law has specific rules for employment. For example, you must now delete the personal data of candidates who are not hired (unless they consent to retention). Your HR data handling, employee contracts, and monitoring policies must all be reviewed for compliance.

Conclusion

Vietnam's 2026 Personal Data Protection Law is a clear signal of its commitment to robust data privacy. It marks a move towards a mature, high-stakes regulatory environment. Global organizations can no longer view Vietnamese data privacy as a minor compliance item.

Proactive preparation is essential to mitigate the significant financial and operational risks. By seeking expert advice from Formiti Data International and leveraging the power of the Privacy360 platform, you can confidently manage the transition, ensuring your organization is not only compliant but also demonstrates a strong commitment to data protection in Vietnam. Click here for a free consultation