Image designed by DNP Viet Nam Law Firm

In the digital era, personal data is no longer just a collection of scattered information; it has become an immensely valuable form of “digital asset.” Every online activity, from creating an account, shopping on e-commerce platforms, and interacting on social media to making transactions via banking applications, leaves behind a trail of data. When such data is collected or used without authorization, individuals may face serious risks, including financial loss, identity theft, or sophisticated and unpredictable privacy violations.

As technology evolves, the amount of personal data collected each day has skyrocketed. In 2024 alone, hackers stole 994 TB of data globally, with 534 TB publicly sold. Vietnam has also been heavily affected, suffering losses of nearly USD 16 billion from online scams in 2023.

Source: chongluadao.vn

Digital platforms and online services collect user data to analyze behavior, optimize advertisements, and increase revenue. However, when data collection lacks transparency or when security systems are weak, personal information can be easily exposed. Meanwhile, cyberattacks are becoming increasingly sophisticated: in 2024, Vietnam recorded more than 1,300 large-scale cyberattacks, and 46% of businesses admitted to having been attacked at least once.

This highlights that personal data is not only highly vulnerable to unauthorized access but also valuable enough to become a primary target of cybercriminals.

Source: Vietnam Law Newspaper – “Personal Data Safety in the Digital Age”

One major cause is the rapid development of technologies such as AI, IoT, and blockchain, while cybersecurity systems fail to keep pace, leaving numerous vulnerabilities for hackers to exploit.

In addition, the awareness of individuals and businesses about data protection remains low. Using the same password across platforms, disabling two-factor authentication, storing unencrypted data, or allowing unrestricted access significantly increases the risk of data leaks. Vietnam also faces a shortage of high-quality cybersecurity professionals, whereas cybercriminals are becoming more organized, well-funded, and technologically advanced.

Although regulations on data protection currently exist across various legal documents — including the 2013 Constitution, the 2015 Civil Code, the 2015 Law on Network Information Security, and the 2018 Law on Cybersecurity — the rules remain scattered and inconsistent. The issuance of Decree 13/2023/ND-CP laid important groundwork for personal data protection. Notably, starting from January 1, 2026, the Personal Data Protection Law 2025 will take effect, establishing a more comprehensive, clear, and unified legal framework.

Under Article 7 of the Personal Data Protection Law 2025, violations include:

  • Any unauthorized processing, use, or disclosure of personal data that affects national security or lawful rights and interests of individuals or organizations.
  • Collecting or exploiting personal data for purposes against the State or to disrupt social order and security.
  • Obstructing personal data protection activities or abusing such activities to commit violations.
  • Illegally buying or selling personal data, except where permitted by law.
  • Stealing, intentionally exposing, destroying personal data, or using others’ data for unlawful purposes.

When employees violate personal data protection regulations, organizations may impose disciplinary actions depending on the severity of the misconduct — such as reprimands, warnings, temporary suspension, or even termination. Beyond internal sanctions, individuals may face penalties under specialized laws.

The Personal Data Protection Law 2025, passed on June 26, 2025, and effective from January 1, 2026, sets out mechanisms for handling violations in Article 8. Depending on the nature and consequences of the act, violators may face administrative penalties or criminal prosecution. If damage is caused, compensation is required.

The law imposes particularly high fines for certain acts. Specifically:

  • Illegal trading of personal data may result in fines up to 10 times the unlawful gains, or up to VND 3 billion if such gains cannot be determined.
  • Violations related to cross-border data transfers may incur fines of up to 5% of the violator’s total revenue from the preceding year.
  • For individual violators, the penalties are half of those applied to organizations.

In severe cases, violators may face criminal liability under the 2015 Criminal Code. Relevant offenses include:

  • Article 159 – Infringement of privacy or safety of letters, telephone, and other communications (applicable to unauthorized appropriation, disclosure, or distribution of personal data).
  • Article 288 – Illegal provision or use of information on computer or telecommunications networks (commonly applied to illegal trading of personal data).
  • Article 290 – Using computer or telecommunications networks to appropriate property (often seen in scams involving stolen personal data).
  • Article 331 – Abusing democratic freedoms to infringe upon the State, organizations, or individuals (applied when data violations cause serious harm).

Depending on the conduct, level of damage, and consequences, penalties may include fines, non-custodial reform, imprisonment, or additional penalties. These measures aim to deter violations and safeguard data subjects amid the growing digital landscape.

Businesses must begin by protecting employee and customer data throughout its entire lifecycle — from collection and storage to use and deletion. They must clearly disclose the purpose of data collection, obtain explicit consent, and allow users to withdraw consent. Organizations must implement access permissions, establish data management processes, and delete data once it is no longer needed.

Additionally, organizations and individuals must comply with Decree 13/2023/ND-CP, which requires:

  • Appointing a dedicated data protection officer or department,
  • Applying technical security measures such as encryption, firewalls, and intrusion prevention systems,
  • Reviewing contracts with third parties,
  • Updating privacy policies, and
  • Building procedures to handle data subject requests.

Preparation for compliance with the Personal Data Protection Law 2025 is equally essential to foresee risks, strengthen internal processes, and avoid legal violations once the law takes effect.

Protecting personal data is not only a legal obligation but also a critical factor in building trust with customers, partners, and employees. In an age of increasingly sophisticated cyberattacks, organizations can only safeguard themselves by understanding the law, strictly complying with regulations, and proactively implementing strong security systems. This is the only viable path to reducing risks and preserving the reputation of both businesses and individuals in the digital era.

—————————————-

DNP VIET NAM LAW FIRM

🏢 Address: 5th Floor, 52 Nguyen Thi Nhung Street, Van Phuc Estate, Hiep Binh Ward, Ho Chi Minh City, Viet Nam.

📞 Hotline: 0987 290 273 (Đinh Văn Tuấn Lawyer).

📩 Email: info@dnp-law.com.

Website: https://www.dnp-law.com/
