The development of artificial intelligence (“AI”) has had an impact on many aspects of social life. However, the development and widespread use of AI and of social networks may pose risks to the right to privacy in general and to personal data in particular, as a large volume of the data used by these technologies is directly derived from users’ personal information.
In response to the potential risks posed by AI, Vietnam has promulgated the Law on Personal Data Protection, effective from 01 January 2026 (the “PDP Law”). This Law establishes core principles governing the processing of personal data, sets out a unified legal framework for the collection, processing, storage, sharing, and transfer of personal data, and strengthens the responsibilities of organizations and individuals in safeguarding the lawful rights and interests of data subjects.
Within the scope of this article, CDLAF focuses on clarifying several key issues concerning the relationship between the application of AI and personal data rights under the PDP Law, including: (i) Principles of Personal Data Protection in AI Systems under the PDP Law; (ii) Specification of Personal Data Protection in AI Systems under Decree No. 356/2025/ND-CP; and (iii) The Relationship between the PDP Law and the Law on Artificial Intelligence.

1. Principles of Personal Data Protection in AI Systems under the PDP Law
The PDP Law establishes fundamental principles governing all personal data processing activities, including the development and use of AI systems. Accordingly, the collection and processing of personal data must comply with the following basic principles:
- The processing of personal data in an AI environment must comply with the PDP Law and other relevant laws and regulations, and must be consistent with Vietnam’s ethical standards and traditional customs;
- AI-based systems and services must incorporate appropriate personal data security measures; appropriate authentication, identification, and access control mechanisms must be applied in personal data processing;
- Personal data processing by AI must be classified according to risk levels in order to apply appropriate personal data protection measures;
- AI systems that use personal data must not be used or developed in a manner that harms national defense, national security, public order and safety, or infringes upon the life, health, honor, dignity, or property of others.
2. Specification of Personal Data Protection in AI Systems under Decree No. 356/2025/ND-CP
In parallel with the PDP Law, Decree No. 356/2025/ND-CP further specifies the protection of personal data throughout the design, deployment, and operation of AI systems. Accordingly, personal data protection in AI systems is not limited to the data collection stage but must be ensured throughout the entire data processing lifecycle, from data input and model training to algorithm operation and the exploitation of output results.
Specifically, Article 10 of Decree No. 356/2025/ND-CP provides that:
Organizations and individuals are entitled to use personal data for the research and development of AI systems and other automated systems, provided that compliance with personal data protection regulations is ensured.
Data derived from AI inference results that can be used to identify, or help identify, a specific individual must be subject to personal data protection measures in accordance with the law.
Personal data controllers and personal data controllers and processors are responsible for informing data subjects of automated personal data processing activities, explaining the operating principles of the algorithms and their impacts on the lawful rights and interests of data subjects, and providing options for data subjects to opt out.
Organizations and individuals applying personal data protection measures in AI systems shall:
- Research, develop, and deploy systems that meet cybersecurity standards and comprehensive data protection standards for AI systems, with particular attention to information security, algorithm reliability, system stability, and cyberattack prevention;
- Establish mechanisms for monitoring AI system operations from two perspectives: supervision by competent state authorities, and accountability to personal data subjects by personal data controllers and personal data controllers and processors;
- Develop personal data protection mechanisms in accordance with appropriate standards, and establish monitoring systems and early-warning mechanisms for cybersecurity risks;
- Establish control mechanisms to prevent the misuse of AI and virtual environments for activities that infringe upon national security, public order, and public safety;
- Conduct periodic compliance assessments with personal data protection regulations at least once per year;
- Ensure that personal data subjects have the right to rectify, anonymize, and delete identification records, including in cases where platforms store behavioral history data.
3. The Relationship between the PDP Law and the Law on Artificial Intelligence
Alongside the promulgation of the PDP Law, the Law on Artificial Intelligence (the “AI Law”) has also been enacted and officially takes effect from 01 March 2026, reflecting Vietnam’s trend toward a risk-based approach to AI governance, consistent with many international legal models.
Under this approach, AI systems used in sectors such as finance, banking, credit information services, and advertising—where large volumes of users and personal data are processed—are considered to pose higher legal risks, particularly systems that directly affect individuals’ lawful rights and interests, such as credit scoring, customer ranking, automated credit decisions, or fraud detection. These systems are therefore subject to stricter regulatory requirements, with personal data protection identified as a key pillar closely linked to transparency, accountability, and algorithmic control.
Notable points of intersection between the PDP Law and the AI Law include:
First, principles governing personal data protection and AI activities
Although Article 4 of the AI Law and Article 3 of the PDP Law regulate different areas, they reflect a consistent legislative spirit of placing human beings, human rights, and individuals’ lawful interests at the center of technological development and application. Accordingly, AI principles emphasize the protection of privacy, data security, and human responsibility in controlling AI systems, while personal data protection principles require legal compliance, accuracy, security, and purpose limitation in data usage. This convergence demonstrates that the processing and use of personal data in AI activities must simultaneously comply with both personal data protection principles and the fundamental principles governing AI activities.
Second, the obligation to classify risk levels
Clause 4, Article 30 of the PDP Law requires that personal data processing by AI be classified according to risk levels to enable appropriate personal data protection measures. These risk levels are further specified in Clause 1, Article 9 of the AI Law, including:
- High-risk AI systems: systems that may cause significant harm to life, health, lawful rights and interests of organizations or individuals, national interests, public interests, or national security;
- Medium-risk AI systems: systems that may mislead, influence, or manipulate users due to users’ inability to recognize that they are interacting with an AI system or AI-generated content;
- Low-risk AI systems: systems that do not fall under the above categories.
Third, prohibited acts
Article 7 of the AI Law prohibits the collection, processing, or use of personal data for the development, training, testing, or operation of AI systems in violation of personal data protection regulations. In addition, Article 30 of the PDP Law prohibits the use or development of AI systems that use personal data to harm national defense, national security, public order and safety, or infringe upon the life, health, honor, dignity, or property of others.
Accordingly, both the PDP Law and the AI Law share a common legislative intent: strictly prohibiting the use of personal data for the development, training, testing, or operation of AI systems where such use does not comply with legal requirements. In the context where personal data constitutes a critical input for AI systems, these two laws jointly establish
In the context where both the PDP Law and the AI Law will be concurrently applied from 2026, enterprises need to proactively prepare at an early stage to avoid high-risk data processing activity. Deploying AI solutions without integrating personal data governance may result in widespread legal violations, particularly as regulatory authorities intensify supervision and accountability requirements. Therefore, rather than viewing AI purely as a technological solution, enterprises should regard AI as a high-risk data processing activity requiring close coordination among technology, legal, and risk management functions. This approach not only helps ensure legal compliance but also contributes to building customer trust and promoting sustainable development in the digital era.
Time of writing: 02/01/2026
This article contains general information for reference only. If you would like to receive legal opinions on issues that need clarification, please get in touch with our lawyers at info@cdlaf.vn.
