The Personal Data Protection Law 2025 (“PDPL 2025”), which takes effect on 1 January 2026, represents a major development in Vietnam’s legal framework for privacy and personal data protection. As businesses become increasingly data-driven, employee information has emerged as one of the most used, and legally sensitive, types of data. Routine categories of information such as recruitment records, identification data, or performance evaluations, along with sensitive information like health details or biometric identifiers, all fall within the scope of PDPL 2025. If managed improperly, these categories of data may expose businesses to significant legal liability.
A central change introduced by PDPL 2025 is the substantial expansion of what constitutes employee personal data, accompanied by a reinforced requirement for transparency. Under the new law, nearly all information relating to employees is regarded as personal data. This includes basic identification and contact details, salary and payroll information, bank account numbers, health data, location information, and even workplace camera footage. Because of this broad classification, businesses are required to clearly inform employees whenever their data is collected or processed. Such notice must include the purposes of processing, the scope of data collected, the applicable retention periods, and the rights employees have concerning their data. Crucially, businesses must be able to demonstrate actual compliance with these transparency obligations rather than merely referencing them in employment contracts or internal rules.
PDPL 2025 also strengthens the requirement for explicit consent in certain employee-data processing activities. Any processing that involves particularly sensitive or intrusive practices (such as fingerprint or facial-recognition timekeeping systems, the collection of health information, location tracking of company vehicles or work devices, the use of security camera footage for purposes beyond security, the sharing of employee data with third parties, or the transfer of such data abroad) may only be conducted with the employee’s clear, specific, and voluntary explicit consent. For consent to be valid, businesses must provide clear explanations, obtain the employee’s affirmative agreement, keep records of that consent, and allow the employee to withdraw it at any time. Pre-collected data or implied consent does not meet the standards set by the new law.
For categories of sensitive personal data, particularly biometric and health information, PDPL 2025 goes a step further by requiring businesses to conduct a Data Protection Impact Assessment (DPIA) before any processing takes place. A DPIA evaluates whether the processing is necessary, assesses its impact on employees’ privacy, considers potential risks in the event of data incidents, and identifies technical or organizational measures that reduce such risks. Authorities may request to review the DPIA during inspections, making it a critical component of a business’s compliance framework.
The new law also imposes stringent obligations regarding the storage, sharing, and deletion of employee data. Companies must establish retention periods that are appropriate to the purposes for which the data is collected and processed, and they must implement sufficient security measures to prevent unauthorized access. Sharing employee data with third parties is permissible only when there is a valid legal basis or when explicit consent has been obtained. When an employment relationship comes to an end, businesses must assess the data they hold and delete or destroy any information that is no longer necessary, except where continued storage is expressly required by law. Over-retention of employee data has been a persistent issue in practice, and PDPL 2025 seeks to address this challenge by imposing stricter data-minimization and deletion obligations.
Overall, PDPL 2025 creates a far more demanding regulatory environment for the management of employee data in Vietnam. To meet these requirements, businesses must review their existing data-processing activities, update internal procedures, and adopt more robust governance mechanisms. Beyond ensuring compliance, these changes offer companies an opportunity to improve transparency, build stronger trust with employees, and reduce legal risks in a business landscape increasingly shaped by the responsible use of data.