i Table of contents 929

Doing Business In... 2025

VIETNAM Law and Practice Contributed by: Thang Nguyen, Minh Nguyen and Nguyet Le, ACSV Legal

• Stricter protection measures for professional securities investors when engaging in the corporate bond market. • New conditions for private and public securi - ties issuance, including additional require - ments for eligible investors and new rules on suspension and cancellation. • New conditions for private and public securi - ties issuance. • More eligibility requirements, relaxed share redemption rules and stricter cancellation events. Law on Personal Data Protection On 26 June 2025, the National Assembly offi - cially approved the Law on Personal Data Pro - tection (PDPL), which will take effect on 1 Janu - ary 2026. This legislation aims to unify Vietnam’s data regulations and applies across sectors like AI, banking, healthcare, insurance, digital plat - forms, and cloud-based services. It imposes fines of up to ten times the revenue or VND3 billion (whichever is higher) for data trading, up to 5% of the violator’s revenue of the preceding year or VND3 billion (whichever is higher) for data cross-border transfer violations, and up to VND3 billion for other breaches. Addi - tionally, according to the PDPL, small and start- up enterprises is exempt from the obligation to retain a data protection officer/data protection department (DPO/DPD) for five years since 1 January 2026, and household businesses and microenterprises are exempt from the obligation to retain a DPO/DPD if they do not run a busi - ness in personal data processing, do not directly process sensitive data, and do not process per - sonal data of a large number of data subjects.

Notably, the PDPL clarifies the obligations with regards to Data Cross-Border Transfer Impact Assessment (DTIA) and Data Processing Impact Assessment (DPIA). According to the PDPL, applicable reporting companies must submit DPIA or DTIA one time during the company’s life - time within 60 days from the date of processing PD, or from the date of PD cross-border trans - fer. Thereafter, applicable reporting companies must submit the updated versions of the DPIA or DTIA every six months if there is any change, unless the change is in relation to the business line, the DPO/DPD or the company existence and structuring.

923 CHAMBERS.COM

Powered by