How Does the Draft Decree on Administrative Sanctions for Personal Data Violations Regulate Acts and Penalties? (Part 1)

Immediately following the entry into force of the Law on Personal Data Protection and Decree No. 356/2025/ND-CP, the latest development is that the draft decree on administrative sanctions for violations in the field of personal data protection is being circulated for consultation in accordance with the legislative process, with a view toward adoption in the near future. This development creates a new landscape for enterprises. Businesses are transitioning from a stage of considering whether to apply mandatory requirements in personal data processing to a stage requiring urgent implementation before being subject to enforcement actions by regulatory authorities. Accordingly, what acts are considered violations in the field of personal data protection, and what penalties apply? The following provides a consolidated overview.


1. Violations of Personal Data Protection Principles

The protection of personal data is governed by law based on the following six core principles:

  • Lawfulness: Compliance with the Constitution, the Law on Personal Data Protection, and other relevant legal provisions is mandatory.
  • Purpose limitation and scope: The collection and processing of personal data must be conducted strictly within a specific, explicit, and lawful purpose and scope.
  • Accuracy and storage limitation: Personal data must be accurate and updated, amended, or supplemented when necessary. Data shall only be retained for a period appropriate to the processing purpose, unless otherwise provided by law.
  • Implementation of comprehensive protection measures: Appropriate and effective organizational, technical, and human measures must be implemented to ensure the security of personal data.
  • Proactive prevention and handling of violations: Entities must proactively prevent, detect, deter, and strictly handle violations relating to personal data protection in a timely manner.
  • Balancing of interests: Personal data protection must be aligned with national and public interests, socio-economic development, national defense, security, and foreign affairs, while ensuring a balance with the lawful rights and interests of organizations and individuals.

Accordingly, any violation of the above principles may result in the following administrative penalties under the Draft Decree:

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • Processing personal data in violation of legal regulations;
  • Collecting or processing personal data beyond the defined scope or purpose;
  • Failure to ensure accuracy of personal data or failure to update, amend, or supplement when necessary;
  • Retaining personal data beyond the period appropriate for the processing purpose;
  • Failure to implement effective organizational, technical, or human measures to protect personal data;
  • Failure to proactively prevent, detect, or address violations related to personal data protection;
  • Failure to ensure alignment between personal data protection and national interests, socio-economic development, and lawful rights of relevant parties.

A fine ranging from VND 70,000,000 to VND 100,000,000 shall be imposed for the following acts:

  • Processing personal data against the State of the Socialist Republic of Vietnam or adversely affecting national defense, security, social order, or lawful rights and interests of organizations and individuals;
  • Obstructing personal data protection activities;
  • Abusing personal data protection activities to commit unlawful acts;
  • Processing personal data in violation of legal regulations;
  • Using another person’s personal data or allowing others to use one’s personal data for unlawful purposes;
  • Trading personal data, unless otherwise permitted by law;
  • Misappropriating, intentionally disclosing, or losing personal data.

Additional sanctions: Confiscation of exhibits and means used for administrative violations; suspension of personal data processing activities for a period from 01 to 03 months in certain cases.

Given the strict sanctioning framework, personal data protection is no longer an operational option but a mandatory priority for enterprises to mitigate enforcement risks, particularly in the event of data breaches or complaints from data subjects.

2. Violations of Data Subject Rights

In personal data processing relationships, the rights of data subjects are central to compliance. Enterprises must identify the applicable rights and the extent of such rights based on the type of personal data collected, its lifecycle, storage location, and relevant legal provisions. In addition, failure to facilitate the exercise of such rights, or delays in responding to data subject requests, may expose enterprises to the following risks:

A fine ranging from VND 70,000,000 to VND 100,000,000 shall be imposed for the following acts:

  • Personal data controllers and personal data controller-processors fail to establish clear processes, procedures, and templates for the exercise of data subject rights, in alignment with personal data processing activities and the responsibilities of relevant departments; and fail to ensure that data subjects are informed of the procedures for exercising their rights as prescribed under the Law on Personal Data Protection;
  • Upon receipt of a valid request from a data subject to withdraw consent to the processing of personal data, to restrict processing, or to object to processing in accordance with prescribed procedures, personal data controllers and personal data controller-processors fail, within 02 working days, to respond and provide complete information to the data subject regarding the procedures for cessation of processing and to implement such cessation within 15 days, except in cases where processing does not require the data subject’s consent;
  • Upon receipt of a valid request from a data subject to access, review, or request correction of personal data, or to obtain a copy of personal data in accordance with prescribed procedures, personal data controllers and personal data controller-processors fail, within 02 working days, to respond and provide complete information regarding the procedures, and to implement such request within 10 days;
  • Upon receipt of a valid request from a data subject for deletion of personal data in accordance with prescribed procedures, personal data controllers and personal data controller-processors fail, within 02 working days, to respond and provide complete information regarding the procedures, and to implement such deletion within 20 days;
  • Upon receipt of a valid request from a data subject to implement measures and solutions for the protection of their personal data in accordance with prescribed procedures, the competent authority or any agency, organization, or individual involved in personal data processing fails, within 02 working days, to respond and provide complete information regarding the procedures, and to implement such measures within 15 days.

In practice, these statutory timelines present significant operational challenges for enterprises, particularly given the volume and complexity of personal data processed across multiple sources. Compliance capability will depend heavily on internal preparedness, including procedures, templates, and dedicated personnel.

3. Violations of Data Subject Consent

In the digital era, “consent” is a fundamental requirement in the relationship between data subjects and processing entities. Any infringement of this autonomy or inability to demonstrate valid consent may trigger severe penalties under Article 59 of the Draft Decree:

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • Processing personal data without the consent of the data subject, unless otherwise permitted by law;
  • Forcing data subjects to consent to processing for purposes beyond the agreed scope;
  • Failure to express consent in a clear, specific, and verifiable form capable of being printed or reproduced, including electronic formats.

A fine ranging from VND 70,000,000 to VND 100,000,000 shall be imposed for the following acts:

  • Continuing to process personal data after the data subject has withdrawn consent or upon written request from competent authorities;
  • Processing personal data based on silence or lack of response from the data subject;
  • Failure by controllers or controller-processors to demonstrate that valid consent has been obtained.

The progressive codification of data subject rights under the Law on Personal Data Protection and Decree No. 356/2025/ND-CP is further reinforced in the Draft Decree on administrative sanctions. Under this framework, violations committed by enterprises in relation to the processing of personal data without obtaining valid consent, or without retaining adequate evidence demonstrating that such consent has been duly obtained from data subjects, are subject to relatively severe penalties. Accordingly, enterprises are required to assess their existing governance mechanisms, operational structures, and the e-commerce or digital platforms they utilize in order to design and implement appropriate mechanisms for recording and storing data subject consent. It should be expressly noted that the use of pre-ticked boxes or reliance on a data subject’s “silence” as a form of consent does not constitute valid consent under applicable regulations. Consent must be evidenced by a clear and affirmative action on the part of the data subject.

4. Violations Relating to Withdrawal of Consent

The right to withdraw consent ensures that data subjects retain control over their personal data. Any obstruction or disregard of such requests is subject to sanctions under Article 60:

A fine ranging from VND 25,000,000 to VND 50,000,000 shall be imposed for the following acts:

  • Obstructing or making it difficult for data subjects to withdraw consent;
  • Failure to inform data subjects of potential consequences of withdrawal.

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • Failure to cease processing after withdrawal of consent;
  • Failure to require relevant third parties to cease processing.

In light of the foregoing sanctioning framework, it is evident that the mechanism for withdrawal of consent must be as accessible and straightforward as the mechanism for granting consent. Enterprises should avoid practices such as concealing the “unsubscribe” or withdrawal option, or imposing burdensome or overly complex administrative procedures when data subjects seek to cease the sharing of their personal data on digital platforms. Enterprises are entitled to inform customers that the withdrawal of consent may result in certain service disruptions (for example, the inability to receive promotional notifications); however, such disclosures must be made in an objective and transparent manner. Furthermore, with respect to relevant third parties, upon a data subject’s withdrawal of consent, the enterprise is obligated to notify and require its partners and outsourced data processors to cease processing activities accordingly. This necessitates that enterprises incorporate robust data protection provisions, including Data Processing Agreements (DPAs), within their contracts with third parties.

The establishment of a clear and transparent consent withdrawal mechanism not only enables enterprises to comply with the Draft Decree but also serves as a critical means of maintaining trust-based relationships with customers.

5. Violations Relating to Correction of Personal Data

The right to correction ensures that personal data accurately reflects reality and mitigates risks associated with inaccurate information. Violations under Article 61 include:

A fine ranging from VND 25,000,000 to VND 50,000,000 shall be imposed for the following acts:

  • Denying data subjects access to review or correct their personal data after collection based on consent;
  • Refusing correction requests due to technical or other reasons;
  • Delaying or failing to correct data after agreeing to the request;
  • Failure to notify the data subject within 02 working days when correction is not feasible;
  • Processing entities or third parties correcting data without written approval from the controller and confirmation of data subject consent.

The correction of a data subject’s personal data to ensure its accuracy and consistency with reality is mandatory. In cases where immediate correction is not feasible due to technical constraints, enterprises must establish automated notification mechanisms or provide an official response to the data subject within 02 working days, in order to avoid non-compliance. For complex datasets that cannot be directly amended, enterprises are required to implement procedures for receiving requests and carrying out alternative correction measures. Under no circumstances should a request be refused solely on the basis of technical difficulty, unless supported by a clear and lawful justification.

In addition, enterprises, in their capacity as personal data controllers, should expressly stipulate in their contractual arrangements that any correction of personal data by partners or third-party processors must be subject to prior written approval from the enterprise. This is to prevent unauthorized modifications or loss of control over personal data.

The Draft Decree on administrative sanctions comprehensively addresses the full spectrum of legal obligations imposed on enterprises in relation to personal data processing, including violations arising from the failure to appoint personnel responsible for personal data protection, failure to prepare data processing impact assessment dossiers, and failure to establish dossiers for cross-border data transfers. Notably, in addition to monetary fines, certain violations may also be subject to penalties calculated based on revenue. For further details, reference should be made to Part 2, which sets out the specific sanctioning levels currently contemplated under the Draft Decree for personal data protection violations.

Time of writing: 30/03/2026

The article contains general information of reference value. If you would like legal opinions on issues that require clarification, please get in touch with our lawyers at info@cdlaf.vn.
