In the context of digital transformation, personal data has become one of a business's most important assets, present everywhere from employee records to customer and partner information, while also posing growing legal risk.
From January 1, 2026, when the Law on Personal Data Protection 2025 and Decree No. 356/2025/ND-CP officially take effect, the legal framework for personal data protection in Vietnam becomes comprehensive, consistent, and strongly deterrent, compelling businesses to shift their approach from data management to legal risk governance.
In this article, CNC will analyze the key legal content related to handling violations of personal data protection regulations, including incident notification obligations, accountability mechanisms, and the role of specialized agencies, thereby supporting businesses in their legal compliance and prevention of risks during digital transformation.
Cases of personal data protection violations in Vietnam
Zalo was fined up to 810 million VND[1]
In late 2025, the update to Zalo's terms of service quickly drew the attention of the public and legal experts, particularly regarding the legality of its method of collecting user consent.
Under the new terms, users are required to accept all updated content in order to continue using the service; failure to agree within a certain period may even result in account termination. This approach raises serious doubts about whether such consent still retains the "voluntary" nature required by personal data protection laws.[2]

Illustration. Source: Vietnam Lawyer Journal
The controversial content of the new terms includes: an overly broad scope of personal data collection, including sensitive personal data; the use of technical measures to collect and simultaneously process multiple groups of data linked to user accounts; terms that restrict or weaken the right to withdraw consent; and disclaimer clauses that risk shifting most legal liability from the business to consumers.[3]
The strong reaction from the user community, experts, and regulatory bodies shows that compliance risks in personal data protection extend beyond administrative fines: they also entail serious consequences for brand reputation, market trust, and the long-term value of digital platforms. The direct engagement of state management agencies with the business in this case sends a clear message: mechanisms for collecting and managing user consent will be a focus of supervision in the coming period.
TikTok was fined up to 880 million VND[4]
Not long after the Zalo incident, the TikTok platform was likewise penalized, with a fine of up to 880 million VND, for failing to provide a separate mechanism by which users could consent to or refuse the use of their personal data for advertising and product/service promotion. This "bundling" of consent was deemed an infringement of users' autonomy over their personal data.
Notably, TikTok was also found to have provided users with incomplete, non-transparent, and potentially misleading information about how data is collected and used; furthermore, some clauses in its general terms of service were found to violate the laws on consumer protection and personal data protection.[5] In response to these violations, the Vietnam Competition Commission not only imposed penalties but also required TikTok to cease the infringing conduct and to proactively review all internal policies and terms of use to ensure compliance with Vietnamese law.
The TikTok case shows that the regulatory authorities do not focus solely on data processing activities; they also examine the overall relationship between a business and its users, including the transparency of information, the structure of contractual terms, and the extent to which data subjects' rights are protected.
From the above cases, it can be seen that violations of personal data protection regulations are no longer isolated risks but have become a systemic phenomenon, linked to human, technical, and internal governance factors. In this context, the question is no longer "whether there is a violation or not," but rather:
To what extent and under what mechanism will organizations and individuals be held legally responsible for their violations of the laws on personal data protection?
Handling Violations of Personal Data Protection
Under Article 8 of the Law on Personal Data Protection 2025, violations of the law on personal data protection, depending on their nature, severity, and consequences, may be subject to administrative penalties, criminal prosecution, and compensation for damages if the violation causes loss to the data subject.
- Administrative Penalties for Violations
- Current Regulations on Administrative Penalties for Violations
Prior to the promulgation of the Law on Personal Data Protection, the regulations on violations of personal data protection were scattered across decrees on administrative penalties in specialized fields. Specifically, Decree No. 15/2020/ND-CP stipulates the maximum fines for certain acts of personal information infringement as follows[6]:

Furthermore, Article 46 of Decree No. 98/2020/ND-CP[7] also stipulates penalties for violations of consumers' right to information protection. The maximum fine is 40 million VND; however, the threshold may be raised further in the following cases:

In particular, for acts of violation involving vulnerable consumers, the maximum fine could reach up to 70 million VND.
Overall, the above regulations reflect the Vietnamese legal system's initial efforts in personal data protection. However, the scope of regulation remained scattered, and the penalties were not commensurate with the nature and consequences of the violations, especially when compared with the potential profits from large-scale exploitation of personal data.
- Regulations on Administrative Penalties under the Law on Personal Data Protection
The promulgation of the Law on Personal Data Protection marks a significant turning point in Vietnam's privacy protection policy. The Law establishes a unified system of sanctions that demonstrates a greater deterrent effect than the previous administrative regulations.
According to Article 8 of the Law on Personal Data Protection, the maximum fine for organizations violating personal data protection is stipulated as follows:

Note that the above penalties apply to organizations; for individuals committing the same violation, the maximum fine is half of the maximum fine for an organization.
In addition to fines, the Law on Personal Data Protection also provides for supplementary penalties, such as revocation of the business license for personal data processing services or suspension of that license (for 01 to 03 months), and temporary suspension or cessation of personal data processing activities (for 01 to 03 months).
Compared to the previous regulations, the Law on Personal Data Protection represents a clear advance in scope of regulation, severity of penalties, and deterrence. While the previous decrees mainly imposed fines of tens of millions of VND, the Law on Personal Data Protection raises the fine cap to billions of VND or calculates the fine as a fixed percentage of revenue, reflecting a modern approach suited to the digital economy.
In particular, by factoring illegal revenue and profit into the formula for determining penalties, fairness and effectiveness have been greatly enhanced. Additionally, supplementary measures such as suspension of operations or license revocation serve not only as punishment but also as guidance for compliance and prevention of future violations.
Overall, this transition indicates that Vietnam is moving from a “technical penalty” model to a mechanism for “protection of the fundamental rights” of individuals regarding personal data, laying the groundwork for international integration in the field of data privacy protection.
- Criminal Prosecution
In the context where personal data is becoming an increasingly important asset for businesses, the collection, processing, and sharing of data must strictly comply with legal regulations. However, many businesses still underestimate security, leading to leaks, sales, or misuse of personal data belonging to employees, customers, or partners.
The legal question posed is: under what circumstances may businesses and managers incur criminal liability for violation of personal data protection, and what specific sanctions apply?
From a criminal law perspective, the Criminal Code 2015 (amended 2017) stipulates two offenses directly related to acts of violation pertaining to personal data protection, namely Article 159 – Infringement upon secret information, mail, telephone, telegraph privacy or other means of private information exchange, and Article 288 – Illegal provision or use of information on computer networks or telecommunications networks.
Specifically, according to Article 159, individuals who commit acts of appropriation, eavesdropping, illegal recording, disclosure of private information, or unlawful search and seizure of correspondence – if they re-offend despite having been administratively penalized or disciplined – may be subject to fine, non-custodial reform, or even imprisonment of up to 03 years.
With digital transformation at the forefront, the volume of personal data of employees, customers, and partners held and processed by enterprises is growing by the day. If the processes for collecting, storing, or sharing information do not comply with legal regulations, the risk of criminal prosecution is entirely real.
For example, transferring employee data abroad without consent, or sharing customer data with third parties for commercial purposes without clear notification, may be considered illegal use of personal information under Article 288. Similarly, accessing, eavesdropping on, or disclosing internal information (such as emails, private messages of employees) without permission may be prosecuted under Article 159.
Therefore, businesses need to proactively review internal processes, issue internal data security regulations, and train employees to avoid unintentional acts that could lead to criminal violations.
- Damage Compensation
In the event of personal data breaches, the data subject has the right to damage compensation. The legal question posed is: what conditions must be met for a compensation claim to be accepted, and how are damages determined?
According to the general principles of the Civil Code 2015, liability for damages arises only when all three of the following elements are present:

The Law on Personal Data Protection also recognizes the right of data subjects to claim compensation for material and moral damages if their rights and interests are affected by data processing activities.
However, it should be noted that data subjects need to clearly define the damages for their compensation claims to be accepted. Accordingly, damages can be material or non-material. Material damages are actual, quantifiable losses, such as:

Meanwhile, moral damage refers to intangible but real losses, such as fear, shame, or harm to honor and reputation caused by the public disclosure of personal information. The consequences may even include prolonged psychological harm from harassment or threats made using the leaked data. Victims have the right to claim compensation for moral damages, with the amount depending on the nature and extent of the harm, as determined by the court under civil law.
The damage compensation mechanism in the field of personal data protection not only aims to compensate victims for their losses but also serves as a deterrent and preventive measure for data processing organizations. In the context of digital transformation, a clear understanding of civil liability, together with legal compliance, is a key factor in maintaining user trust and avoiding serious legal risk.
Notes for Businesses
From a business perspective, companies must exercise the utmost caution to ensure internal compliance with personal data protection requirements and to build safeguards against the malicious actors who constantly target their databases. In particular, as personal data protection regulations grow increasingly stringent, businesses need to be highly vigilant to avoid risks that could cost billions of VND.
To ensure compliance and avoid legal risks, businesses, especially company leaders, HR, IT, and Marketing departments, need to be aware of the following:
- Notification Upon Violation of Personal Data Protection
When a personal data breach occurs, how should organizations and individuals controlling or processing data fulfill their notification obligations, within what timeframe, and with what content to ensure compliance with current personal data protection laws?
According to Article 23 of the Law on Personal Data Protection and Article 28 of Decree No. 356/2025/ND-CP, the obligation to notify data breaches is one of the measures to ensure the accountability of data controllers, data processors, and related third parties.

Additionally, for breaches involving sensitive data (such as location or biometric data), the law requires supplementary notification to affected data subjects within 72 hours of detection. The content of this notification must include at least: the time of detection, the type of data affected, the level of risk, remedial measures, and contact information of the data protection department.
In summary, the notification process upon discovering a violation of personal data protection regulations is carried out as follows:

In practice, notices of personal data breaches are typically made in two situations:
First, breaches due to system errors or cyberattacks (e.g., user data leaks, unauthorized access). In this case, the data controller or processor must initiate the incident response process, prepare a breach report, notify the competent authority within 72 hours, and proactively provide detailed information on the extent of damage, the amount of data affected, and remedial measures.
Second, breaches related to sensitive data, such as the disclosure of biometric information or an individual’s location data. In such cases, in addition to notifying the state authority, the organization must also send a direct notification to the affected data subjects, ensuring they are aware of the risks and given instructions on self-protection measures. If full notification cannot be made within 72 hours due to technical reasons, the organization must make a public announcement through official websites and continue to send personalized notifications as soon as circumstances permit.
Maintaining records and retaining information on data breaches for at least five years from the date the incident is resolved ensures transparency and facilitates inspections and audits by competent authorities.
Thus, in all cases of personal data breaches, the notification obligation is mandatory, with a time limit of 72 hours from the time of detection. Relevant parties must promptly notify the competent authority, prepare a breach report, and inform data subjects (especially in cases of sensitive data). Failure to comply with the time limit or intentional delay in notification may be considered an administrative violation and subject to penalties under the law on personal data protection.
- Strict Compliance with Personal Data Protection Regulations
Under Article 35 of the Law on Personal Data Protection and Article 31 of Decree 356/2025/ND-CP, inspections of compliance with personal data protection regulations are conducted both regularly and on a sudden (unannounced) basis, to ensure effective state management and the timely detection and handling of data breaches.
Specifically, the competent authority for personal data protection has the right to conduct inspections in the following cases:
(i) There are grounds to suspect violations of personal data protection regulations;
(ii) There is an order from a competent state management agency or officer; or
(iii) To serve state management purposes as prescribed by law.
In principle, for regular inspections, the competent authority issues an inspection decision and notifies the enterprise 15 days in advance of the time, content, and composition of the inspection team. In the case of sudden inspections, however, since their purpose is the timely verification, detection, or prevention of data breaches, the competent authority has the right to conduct the inspection immediately without prior notice.
This regulation indicates that compliance with personal data protection laws cannot be superficial or periodic. Businesses must maintain a continuous state of compliance, from data collection, storage, and processing procedures to legal documentation and internal control mechanisms, in order to be ready to meet the inspection requirements of competent authorities in all situations.
- Businesses Must Conduct Data Protection Impact Assessments
One important obligation that businesses often overlook is Data Protection Impact Assessment (DPIA).
According to current regulations, businesses, as personal data controllers or personal data controllers and processors, are responsible for the preparation and archiving of impact assessment records for their data processing activities[8]. This is not merely a formal administrative procedure but a self-review mechanism to:
- Identify the types of data being collected and processed (basic data or sensitive data);
- Assess whether the processing purpose is lawful and proportionate;
- Identify potential risks to the lawful rights and interests of data subjects;
- Propose technical and organizational measures to mitigate the risk of data breaches.
In particular, for activities in relation to processing of sensitive data, large-scale data processing, cross-border data transfers, or the application of new technologies (AI, Big Data, user behavior analysis, etc.), impact assessments become even more necessary.
In practice, many businesses focus only on obtaining consent without establishing a systematic internal risk assessment process. This can lead businesses to be in a state of “surface compliance” while still facing the risk of penalties if an incident occurs.
Therefore, businesses should:
(i) Issue an internal impact assessment process;
(ii) Assign a specialized department (usually Legal/Compliance in coordination with IT);
(iii) Update and review periodically when there are changes in the business model or data processing technology.

Proactively conducting DPIAs not only helps mitigate legal risks but also demonstrates the business’s accountability in data governance.
- Exercise Caution During Consumer Consent Collection
The data subject's consent is one of the important legal bases on which a business may process personal data. In reality, however, many businesses still approach this issue superficially, without fully considering consumers' autonomy and the strict requirements of personal data protection laws.
Not all forms of "tick-box" consent are considered valid. Businesses need to avoid practices such as:
(i) Bundling multiple processing purposes into a single general consent;
(ii) Designing “pre-ticked box” default clauses;
(iii) Forcing customers to consent to data processing beyond what is necessary to use the service.
From a compliance perspective, the analysis of cases in part 1 above serves as an important practical lesson for businesses in developing policies and terms related to personal data protection. Consumer consents must be designed on the basis of voluntariness, transparency, withdrawability, and absence of “coercive” conditions, to avoid similar legal risks and negative reactions in the future.
Managed by
Tran Thi Hanh Nhan | Associate
Phone: (84) 32 703 0033 | Email: nhan.tran@cnccounsel.com
Nguyen Le Anh Thu | Legal Assistant
Phone: (84) 28 6276-9900 | Email: thu.nguyen@cnccounsel.com
Contact
For more information, please contact
CNC Vietnam Law Firm Co., Ltd
Address: 2A1 Nguyen Thi Minh Khai, Sai Gon Ward, Ho Chi Minh City
Phone: 028 6276 9900
Hotline: 0916 545 618
Email: contact@cnccounsel.com
Website: cnccounsel
We would be pleased if you could visit the office of CNC, where you could exchange with the most suitable Lawyers for your specific circumstances. However, if you could not make the time for direct meeting, please feel free to contact us via the email: contact@cnccounsel.com or call (+84-28) 6276 9900
Disclaimers:
This article is prepared or used for the purposes of introducing or updating the clients on the issues and/or developments of the legal perspectives in Vietnam. The information contained in this article shall not constitute an advice of any kind, and could be subject to change without prior notice.
——————————————————————————–
[1] Vietnam Competition Commission, "The National Competition Commission imposes administrative sanctions on VNG Corporation (Zalo)", [https://vcc.gov.vn/default.aspx?page=news&do=detail&id=301efa2c-02d6-4df6-9b57-2291a6293060], accessed on 10/02/2026
[2] Y Nhu, "Zalo's new terms and the question of guaranteeing users' rights", Vietnam Lawyer Journal, accessed on 10/02/2026
[3] Zalo's Terms of Service, last updated on 26/12/2025, [https://zalo.vn/dieukhoan/], accessed on 10/02/2026
[4] Vietnam Competition Commission, "The National Competition Commission imposes administrative sanctions on TikTok Pte. Ltd", [https://vcc.gov.vn/default.aspx?page=news&do=detail&id=0868962a-8fdf-4683-a2c3-0dd3456fe5d5], accessed on 10/02/2026
[5] Luu Hiep, "TikTok fined 880 million VND", Public Security News, [https://cand.com.vn/Cong-nghe/tiktok-bi-xu-phat-880-trieu-dong-i794895/], accessed on 10/02/2026
[6] Articles 84, 85, 86 of Decree No. 15/2020/ND-CP, amended and supplemented by Decree No. 14/2022/ND-CP
[7] Amended and supplemented by Decree No. 24/2025/ND-CP
[8] Article 28, Law on Personal Data Protection 2025