TL;DR: This post breaks down Vietnam’s latest draft Decree implementing the Law on Personal Data Protection (PDPL) - what actually changes for websites, apps, cloud setups, and cross-border vendors, in plain language benchmarked against EU GDPR and ePrivacy Directive with real-world GTM/GA/Adobe guidance as examples.
Introduction - how this draft fits into Vietnam’s data regime
Vietnam’s data framework has moved fast in two years. First came Decree 13/2023/ND-CP on personal data protection (effective 1 July 2023), which introduced DPIAs and cross-border impact files. Then the National Assembly adopted the Law on Data (No. 60/2024/QH15), effective 1 July 2025, a horizontal law on digital data governance (data categories, data markets/infrastructure, and treatment of “core” and “important” data, including when those are moved abroad). Next, on 26 June 2025, the National Assembly passed the dedicated Personal Data Protection Law (PDPL, No. 91/2025/QH15), effective 1 January 2026, which upgrades the decree-level rules into statute, tightens consent/governance, and keeps a transfer-impact assessment + reporting model for sending Vietnamese data overseas. Finally, the draft Implementing Decree now out for consultation (September 2025) is what operationalizes the PDPL in practice - procedures, templates, timelines, and enforcement touchpoints.
Why both PDPL and the Data Law matter
- PDPL = personal data playbook. It governs privacy principles, consent design (including no pre-consent tracking), sensitive data, data-subject rights, controller/processor duties, and cross-border transfer dossiers and suspension powers.
- Data Law = system-level guardrails. It sets the broader rules for digital data activities and introduces special handling for core/important data - including definitions of when moving or processing those across borders is in scope. If a dataset is both personal and core/important, expect to meet PDPL obligations and the Data Law’s additional conditions.
How this article helps
- We unpack the draft Implementing Decree in plain language for websites, apps, cloud, and vendors.
- We benchmark key parts against EU GDPR and the ePrivacy Directive (with concrete GTM/GA/Adobe examples) so teams can align designs and controls faster.
- For cross-border flows, we show how the PDPL transfer-impact model intersects with the Data Law’s treatment of “core/important” data and what that means for your architecture and contracts.
- We cover the potential for an EU adequacy decision for Vietnam and set out a realistic timeline for the process.
Link to Official draft Decree (VN)
Scope and who must comply with the PDPL
- Applies to Vietnamese organizations/people, foreign entities in Vietnam, and foreign entities involved in processing data of Vietnamese citizens (and of persons of Vietnamese origin whose nationality has not yet been determined, who reside in Vietnam and have been issued a citizen ID), i.e., an extraterritorial hook based on whose data you touch.
What counts as sensitive personal data (big expansion)
- “Sensitive” now explicitly includes: race/ethnicity, religion, health, biometrics/genetics, sex life/sexual orientation, criminal data, location, electronic identity, banking/financial/credit data, telco subscriber activity/history, and - critically for digital teams - “data tracking behavior and the use of telecom, social media, online media and other online services”. Treating online behavioral tracking as sensitive is a major shift.
Consent rules (design and proof)
- You may collect consent via verifiable methods (written, voice, SMS, email/website/app, or other verifiable ways). You must be able to prove method/time/content and the data subject’s identity.
- No pre-ticked boxes or confusing nudges. Defaults must respect privacy; dark patterns are out.
- If processing sensitive data, you must tell people that it’s sensitive when seeking consent. (This directly hits analytics/ads/fingerprinting that track behavior).
- Consent lasts until the data subject changes their mind (or an authority orders otherwise). The burden of proof sits with you.
What this means for banners/SDKs: if you do behavior tracking, treat it as sensitive; get an opt-in that clearly flags “sensitive data”; and don’t load tracking scripts before that choice. (This also aligns with EU ePrivacy Directive practice, which forbids storing or accessing information on a device before consent unless it is strictly necessary for the service the user asked for.)
Data subject rights - tight timelines
You must set up processes/forms and then meet short service levels:
- Withdraw/restrict/object: acknowledge within 2 working days; stop within 7 working days (extendable up to +10 days with notice).
- Access/correct: acknowledge within 2 working days; complete within 10 working days (15 if processors/third parties must act; +10 possible with notice).
- Provide/erase: acknowledge within 2 working days; complete within 10 working days (15 if processors/third parties involved; +10 with notice).
- Controllers must have clear procedures to deliver these rights.
Cross-border transfers (CBT)
- Pre-transfer Data Transfer Impact Assessment (DTIA) is required for sending Vietnamese citizens’ data abroad. The DTIA dossier must cover parties’ contacts (including your data-protection staff), purposes, data-flow diagrams, protection measures/standards, system diagrams, third-party onward-sharing rules, self-assessment of compliance, and receiving party’s protection level and risk assessment.
- The DTIA must be prepared before transfer and a copy filed with the authority within 60 days of commencing processing.
- The authority can order suspension of CBT if used against national interests, if you don’t follow required procedures, or in case of data leaks.
- DTIA exemptions include: government transfers; employees’ data stored in the cloud; the data subject self-transfers their data; journalism/communications; already-public transfers; emergencies to protect life/health/property or perform legal duties; HR management across borders under lawful labor rules; and routine cross-border transactions (logistics, remittance, hotels, visas).
Security, cloud and blockchain
- Cloud: cloud providers must comply with VN data-protection law, ensure appropriate technical/organizational measures, and you must encrypt personal data at rest and in transit with strict access control. Contracts must spell out roles/flows and compliance obligations.
- Blockchain: do not store raw personal data on-chain; only encrypted data or hashes; use strong crypto; run annual compliance reviews and a DPIA before deploying blockchain that could significantly impact rights.
Breach notification
- For breaches involving location or biometric data, notify affected individuals within 72 hours, report to the authority, and keep an incident record for 5 years (min.). If you can’t notify everyone in time for technical/urgent reasons, publish on your official electronic channel and send individualized notices as soon as possible.
Governance: Data-protection personnel (DPO-like) and audits
- You must designate qualified data-protection personnel (or a department) in writing, with defined functions/powers, meeting the draft’s competency and assessment requirements (and, for external DP service providers, meeting the draft’s heightened experience criteria).
- Responsibilities include: policies/processes, delivering data-subject rights, periodic compliance reviews and risk control, DTIAs and DPIAs, incident intake/reporting, and technical security measures and emergency plans.
- The specialized authority will run regular and ad-hoc inspections; you’ll be told 15 working days in advance of scope/timing/team for planned checks.
- The authority will also organize training and competency assessments for data-protection professionals.
What changes most for digital teams
- Behavioral tracking = sensitive data: Any analytics/ads/fingerprinting/session-replay that “tracks behavior” of users on telecom/social/online services is sensitive. Your consent must explicitly tell users you’re processing sensitive data, and you must not load trackers before opt-in.
- No dark patterns; pre-ticked consent is banned: Consent UX must be clean, not nudge users into “Agree”. Pre-checked toggles are prohibited.
- Much faster rights SLA than GDPR: 2-day acknowledgments; completion in 7–15 working days (with limited extensions). Build ticketing/automation now.
- Cross-border due diligence: If any vendor processes Vietnamese data abroad (even cloud support teams), prepare a DTIA with data-flow diagrams and risk controls; watch for suspension triggers.
- Cloud encryption and contracts: Encrypt at rest/in transit, define roles/flows in contracts, and require provider compliance and change notification.
- Breach playbook for location/biometrics: Bake in the 72-hour user notice, the authority report, and the 5-year incident log.
PDPL draft vs GDPR and ePrivacy Directive - Consent Requirements
What triggers consent
- PDPL draft (VN): Treats many common web practices (analytics/ads/fingerprinting/behavior tracking) as sensitive personal data → requires explicit, informed opt-in and you must tell users it’s sensitive when asking. Also bans pre-ticked boxes/dark patterns and puts the burden of proof on you.
- GDPR + ePrivacy Directive (EU): GDPR defines valid consent as freely given, specific, informed, unambiguous (Art. 4(11)) with conditions in Art. 7; ePrivacy Directive Article 5(3) requires prior consent before any storage/access on the device (that’s all non-essential cookies, pixels, SDKs, etc.).
Pre-consent tracking
- PDPL draft: Functionally requires no tracking before consent (and stricter still if “sensitive”).
- EU: Same practical outcome: system-level blocking until opt-in; UI banners alone aren’t enough.
How to present/collect
- PDPL draft: Consent must be verifiable (method/time/content/identity) and no dark patterns; if processing sensitive data, that must be stated at the point of consent.
- EU: EDPB stresses transparency and avoidance of dark patterns; first-party loading of the consent UI is fine only if it doesn’t access the device before the user chooses (e.g., just rendering the modal).
Proof and audit trail
- PDPL draft: Controller must be able to prove valid consent.
- EU: Regulators increasingly expect demonstrable proof of consent and clear logs.
Technical necessity / strictly-necessary cookies
- EU (ePrivacy): Consent is not required for two narrow cases - (i) storage/access solely for transmission and (ii) storage/access strictly necessary to provide an information-society service explicitly requested by the user (e.g., login/session, basket, load-balancing). Everything else (analytics/ads/fingerprinting/telemetry for invoicing/tag management) needs prior opt-in.
- VN (PDPL): There’s no cookie-specific clause. Instead, PDPL allows processing without consent where necessary to fulfill contractual obligations (including the service provider’s obligations) and in a few other limited cases (e.g., legal obligations, vital interests; “legitimate interest” exists but is narrow - mainly to prevent infringement by third parties). So, strictly necessary features can rely on this necessity ground; analytics/ads/profiling/telemetry remain opt-in. Controllers must implement monitoring and safeguards when using a consent exemption.
The ePrivacy Directive is a device-access rule (cookies/SDKs) with a narrow ‘strictly necessary’ exemption; PDPL is a processing law with limited consent exemptions (e.g., contract necessity). The result is similar for essentials, but behavioral tracking still requires opt-in.
Bottom line for product/marketing
- If it touches the device, gate it. Treat behavioral tracking as sensitive under PDPL; in EU, treat it as non-essential → prior opt-in required. Prefer first-party consent flows to reduce legal risk and avoid pre-consent access.
PDPL draft vs GDPR - Cross-Border Data Requirements
Pre-transfer assessment and paperwork
- PDPL draft (VN): Requires a pre-transfer Data Transfer Impact Assessment (DTIA) with a dossier covering purposes, roles/contacts (incl. data-protection staff), data-flow/system diagrams, safeguards/standards, onward-sharing rules, self-assessment of compliance, and an assessment of the recipient’s protection level and risks. Authority may order suspension of transfers; specific exemptions exist (e.g., life/health emergencies, journalism, certain HR/logistics contexts).
- GDPR (EU): Requires a transfer mechanism (e.g., adequacy, SCCs, BCRs) and, post-Schrems II, a Transfer Impact Assessment to verify essentially equivalent protection plus supplementary measures where needed. (GDPR expressly governs transfers outside the EU/EEA.)
Regulatory posture
- PDPL draft: More procedural upfront (DTIA dossier before sending VN citizens’ data abroad) with explicit suspension powers.
- GDPR: More mechanism-driven (SCCs/BCRs/adequacy) with a risk-based TIA guided by EDPB; enforcement can restrict/suspend flows, but pre-approval isn’t always required.
Operational takeaways
- Map all data flows touching VN data subjects and prepare a DTIA pack (diagrams, controls, vendor reviews).
- For EU flows, ensure your SCCs + TIA + technical measures stack is defensible; avoid third-party tools that silently export telemetry. (Regulators flag cross-border risks alongside consent failures.)
Note: Vietnam’s new Law on Data also introduces limits on cross-border data transfers and data-localization (sovereign data-centre) requirements for certain sectors and purposes. Those provisions are not covered here - this article focuses on the PDPL and its draft Implementing Decree.
Concrete examples - CDPs, GTM, Google Analytics, Adobe Analytics
(EU ePrivacy/GDPR vs. Vietnam PDPL draft)
Vietnam’s largest organizations - including banks, securities firms, insurers, and national retailers - commonly deploy Google Tag Manager (GTM), Google Analytics, Adobe Analytics/Experience Cloud, and Customer Data Platforms (CDPs) like Segment, mParticle, or Adobe Experience Platform to orchestrate tags, measure behavior, unify profiles, and activate audiences. Under the PDPL draft, these tools are high-impact because they collect and process behavioral signals (treated as sensitive personal data) and frequently connect to non-VN infrastructure, bringing cross-border transfer duties into scope. The draft requires explicit, provable consent for non-essential processing and cross-border documentation where data leaves Vietnam. In practice, that means no pre-consent collection or forwarding by GTM/GA/Adobe or by CDP SDKs/server-side collectors, and no routing (e.g., GTM Server, Adobe Experience Platform Edge Network, CDP HTTP APIs) until opt-in is captured and logged (method, time, content). For CDPs specifically, ingesting page events, identifiers, or behavioral attributes into a CDP before explicit consent is non-compliant; treat the CDP and its downstream “destinations” as recipients and include their regions/endpoints in your PDPL cross-border dossier where data leaves Vietnam.
Why these examples: The sections below focus on GTM (tag orchestration), Google Analytics (measurement), and Adobe Analytics/Experience Cloud (enterprise analytics) because together they represent the most common enterprise stack patterns in Vietnam and concentrate the key PDPL compliance touchpoints: collection of behavioral/sensitive data, creation/use of online identifiers, server-side/edge forwarding, and calls to non-VN endpoints. Apply the same rule set to CDPs: if GTM/GA/Adobe collect and route to a CDP, nothing may be ingested or forwarded until explicit opt-in is recorded. With that lens, here’s the tool-by-tool breakdown (EU ePrivacy/GDPR vs. Vietnam PDPL draft).
Google Tag Manager (GTM)
EU (ePrivacy Directive + GDPR)
- Treat GTM as device access and therefore non-essential.
- Do not load GTM at all before consent. Contacting Google domains (even just to fetch the container script) already discloses the user’s IP address and user agent to Google and hands control of the page to tags that read and write on the device; none of that is technically necessary for providing the requested service or for collecting consent.
- Practical rule: block GTM entirely until the user has given an explicit opt-in. A banner alone is not enough if GTM initializes in the background.
Vietnam (PDPL draft)
- There is no enumerated ‘strictly necessary cookie’ carve-out like the EU’s ePrivacy Directive.
- Treat GTM as non-essential and block it pre-consent.
- If GTM calls Google endpoints outside Vietnam, include it in your cross-border transfer documentation under the draft decree.
Google Analytics (GA4)
EU
- Not strictly necessary → require explicit consent before loading any GA library or sending any pings.
- Consent gating is separate from international transfer compliance; you need both.
Vietnam (PDPL draft)
- GA is behavioral analytics → explicit consent first.
- If any processing occurs outside Vietnam, cover it in your PDPL cross-border file (DTIA-style pack under the draft).
Adobe Analytics (via Experience Platform Web SDK / Edge Network)
EU
- As a rule, explicit consent is required before loading.
- France (CNIL) is the outlier: it permits a narrow, strictly framed first-party audience-measurement exemption without consent. This is not the norm across the EU. Outside France, DPAs expect prior opt-in for Adobe Analytics (and similar tools).
- Note: the UK has introduced a statistical-purposes path in its new regime, but that’s not EU law and is out of scope here.
Vietnam (PDPL draft)
- Block Adobe scripts until explicit consent.
- If collection/processing routes through non-VN regions (e.g., regional edges/cloud), treat as cross-border and document accordingly.
- Modern Adobe Analytics implementations often use the Experience Platform Web SDK and Edge Network to collect and route data to Analytics and other Adobe apps; treat these as non-VN endpoints when applicable and include them in your PDPL cross-border file.
Cross-border reminder
- EU: Consent gating under the ePrivacy Directive is mandatory regardless of your transfer mechanism (e.g., DPF or SCCs). Handle consent first, then ensure a valid transfer basis.
- Vietnam: Consent gating is mandatory where applicable, and in addition, you must prepare the cross-border transfer dossier required by the PDPL draft (data-flow diagrams, safeguards, recipients, etc.).
PDPL compliance takeaway
To be compliant with the PDPL, do not load or collect via GTM, GA, Adobe, or any CDP SDK/server-side collector before explicit consent. If any data is routed to non-VN endpoints (e.g., GTM Server, Adobe Experience Platform Edge Network, CDP destinations), capture consent first, then complete the required cross-border transfer dossier.
EU Adequacy for Vietnam - what to expect and when
Status today. The European Commission has not opened an adequacy procedure for Vietnam, and Vietnam is not currently on the EU’s adequacy list. Vietnam’s Personal Data Protection Law (PDPL, No. 91/2025/QH15) was adopted on June 26, 2025, and will apply from January 1, 2026. To operationalize the PDPL, the Ministry of Public Security has released a draft implementing Decree for public consultation (Sept 16–26, 2025). In practice, the Commission typically considers adequacy after the law and its implementing rules are in force and there is evidence of effective, independent supervision and enforcement. Until then, EU→VN transfers should continue to rely on Article 46 tools (e.g., SCCs + TIAs).
What the Commission will assess (GDPR Art. 45). To conclude that Vietnam ensures a level of protection “essentially equivalent” to the EU’s, the Commission evaluates: (i) the legal framework (rule of law, human rights, redress), (ii) independent supervisory authorities and their powers, (iii) enforcement effectiveness, (iv) limitations/oversight on public-authority access (national security, law enforcement), and (v) onward-transfer controls and international commitments. This is a formal process with an EDPB opinion and a Member State committee vote before adoption.
How long it can take (recent benchmarks). Timelines vary, but recent files help frame expectations:
- Republic of Korea - procedure launched in H1 2021, adopted 17 Dec 2021 (~6–9 months from launch).
- United States (EU-US DPF) - political framework 2022 → adequacy adopted 10 July 2023; upheld by the EU General Court on 3 Sept 2025. (Illustrates the multi-step review and litigation context.)
Realistic outlook. If the Commission were to open an assessment after PDPL is in force and its implementing decree is operational, a best-case window - based on recent precedents - would still be many months from launch to adoption, and depends on demonstrable independent oversight, redress, and limits on state access. Until then, EU-to-VN transfers should continue to rely on Article 46 tools (e.g., SCCs + TIAs and supplementary measures).
Why this matters for your roadmap.
- Do not plan on adequacy for 2025–early 2026. Keep SCCs/TIAs in place for any EU→VN flows.
- Treat consent gating (ePrivacy Directive in the EU; opt-in under PDPL) and transfer compliance as separate requirements - you need both. The DPF example shows adequacy can stabilize transfers, but it never replaces cookie/consent rules.
Bottom line: An adequacy decision for Vietnam is possible in the future if PDPL’s implementation proves essentially equivalent on the Article 45 criteria, but there is no Commission timeline yet. Build for compliance now (consent-first + SCCs/TIA), and treat adequacy - if and when it comes - as a later optimization, not a dependency.
Planning for compliance
- Inventory and classify: map all cookies/SDKs/pixels/beacons/fingerprinting. Flag anything that tracks behavior as sensitive.
- Gate everything pre-consent: ensure zero device access until opt-in; update your banner text to explicitly name “sensitive data” for behavioral tracking. (No pre-ticked boxes.)
- Rights workflow: set up 2-day acknowledgments and 7/10/15-day fulfillment; template extension notices (+10 days max).
- Cross-border: build your DTIA template with party contacts (incl. data-protection personnel), data-flow and system diagrams, controls, the recipient’s protection level, and risk mitigations.
- Cloud: verify encryption at rest and in transit, access control, and add the required contract clauses.
- Governance: appoint qualified data-protection personnel; document mandates; set up annual compliance reviews and training.
- Breach runbook (location/biometrics): 72-hour user notice + authority report + 5-year logging.
How AesirX can help you meet the PDPL
- Block-before-consent: AesirX CMP stops all non-essential tags (incl. GTM/Google tags under Consent Mode) until explicit opt-in; support category-based choices; no dark patterns; generate audit-ready consent logs stored first-party (VN-hosted option).
- Security & VN-first hosting: Run AesirX CMP consent logs and AesirX Analytics event data on infrastructure you control in Vietnam (self-hosted or VN cloud). AesirX First-Party Server supports encryption in transit and at rest; you manage access controls and retention - reducing cross-border exposure and supporting PDPL security obligations.
- Regional logic: Serve VN-specific consent text/flows and honor GPC and other regional regimes where relevant.
- Baseline your risk (free): Run the Privacy Scanner to detect any cookies/SDKs firing before consent.
- Expert review: Request a Privacy Review if you’re unsure what to change - or if a site/app needs remediation.
- Stay compliant over time: Privacy Monitoring catches regressions; loading third parties without due consent can be costly under the PDPL.
- Hands-on implementation: Our team can implement and document the controls end-to-end (consent, analytics, tag gating, DTIA inputs).
Read more and find our solutions and services on AesirX.io
If you are based in Ho Chi Minh City or visiting for the Vietnam Cloud and Datacenter Convention 2025 you can attend my keynote on “The Sovereign Stack: VN-Hosted First-Party Data Under Vietnam’s New Data Laws” to learn more about the new Data Law and coming PDPL.
Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO, AesirX.io
Note: The PDPL decree is a draft and may still evolve before promulgation; however, the direction is clear: first-party, consent-first, no pre-consent tracking, strong governance, and documented cross-border diligence.
Note: AesirX does not provide legal advice and does not act as your DPO. We partner with Vietnam-based legal specialists for the legal requirements. AesirX focuses exclusively on technical compliance - review, implementation, and monitoring of first-party consent and analytics controls.