Acts involving the buying and selling of personal data (PD) may be penalized with fines of up to 10 times the revenue generated from such violations. Cross-border data transfer violations may incur a fine of up to 5% of the previous year’s revenue.

Continuing the 9th session, the National Assembly this morning voted to pass the Law on Personal Data Protection.
Previously, National Assembly delegates discussed the draft law in groups and in the plenary hall. After revisions and feedback, the finalized draft consists of 5 chapters and 39 articles (reduced by 2 chapters and 29 articles), with 19 articles removed, 21 merged into 9, and 2 new articles added.
According to the National Assembly Standing Committee, the draft law ensures consistency with the existing legal system, aligns with relevant international treaties to which Vietnam is a party, and is designed to be enforceable.
Notably, Article 8 on handling violations of personal data protection law has been restructured based on the nature, severity, and consequences of infractions. For example, the act of trading personal data may be penalized with a fine of up to 10 times the profit gained from the violation.
In cases involving illegal cross-border transfer of personal data, the maximum fine may reach 5% of the previous year's total revenue. Other violations may result in fines up to 3 billion VND (approximately 118,000 USD), with individuals facing fines at half the rate imposed on organizations.
In the June 25 report explaining, revising, and finalizing the draft law, the National Assembly Standing Committee stated it had directed the use of the standardized term "cross-border personal data transfer" to align with the Data Law and adopted a post-audit mechanism. This involves reviewing impact assessment files only when necessary, rather than requiring prior approval in most cases, thus easing procedures for businesses.
Organizations and agencies are only required to prepare personal data processing files once for the entire operational period, updating them when changes occur. Authorities will only inspect these files when deemed necessary.
Additionally, if an impact assessment has already been conducted in accordance with the law, there is no need to conduct a similar risk assessment under the Data Law.
The draft also extends personal data protection to individuals with limited or lost legal capacity, and those with cognitive or behavioral challenges, to ensure comprehensive safeguards.
To reduce regulatory burdens, the Standing Committee introduced provisions allowing small and startup businesses to opt out of preparing impact assessment files and appointing data protection personnel for up to five years after the law takes effect. Micro-enterprises and household businesses are exempt altogether.
The law also outlines entities responsible for personal data protection, including a dedicated unit under the Ministry of Public Security, designated personnel within organizations, personal data protection service providers, and individuals or entities mobilized to participate in data protection efforts.
The Vinh