How Does the Draft Decree on Administrative Sanctions for Personal Data Violations Regulate Acts and Penalties? (Part 2)

If Part 1 focused primarily on the initial stages of data collection and processing, Part 2 examines the sanctions that apply when enterprises violate regulations concerning the data lifecycle, the appointment of personnel in charge of personal data processing, the operation of camera systems, advertising, cross-border data transfer, and the establishment of internal protection systems.


1. Violations of Regulations on Storage, Deletion, and Destruction of Personal Data

Controlling the data lifecycle is one of the greatest technical and administrative challenges. Maintaining “redundant” data or delaying destruction is not only a waste of resources but also a direct violation of privacy regulations under Article 62 of the Draft Decree:

A fine ranging from VND 25,000,000 to VND 50,000,000 shall be imposed for the following acts:

  • Continuing to store personal data when it is no longer consistent with the purpose of collection, or when the data subject has withdrawn consent or requested the deletion or destruction of their personal data;
  • Storing personal data without a contract or without written documentation from a competent state authority regulating assigned functions and duties suitable for personal data storage;
  • Continuing to process personal data despite an objection from the data subject, provided that the personal data controller or the personal data controller-processors have no legitimate reason to continue such processing;
  • Failing to perform data deletion within 02 working days upon the data subject’s request regarding all personal data collected by the personal data controller or the personal data controller-processors, except where otherwise provided by law.

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • Processing personal data for purposes other than those consented to, or where the processing of personal data violates legal regulations;
  • Failing to delete personal data that is subject to mandatory deletion under the law.

Many enterprises tend to store the personal data of customers, partners, and employees “forever.” However, under the new regulations, as soon as the collection purpose is achieved or the subject withdraws consent, the data must be deleted immediately. Storing data “no longer in use according to the collection purpose” on servers without a clear legal or contractual basis constitutes a self-imposed risk of being fined. Therefore, periodic data purging is necessary. Any data that is no longer used and lacks a legal basis for retention must be deleted.

2. Violations of Regulations on Processing Data Obtained from Audio and Video Recording in Public Places

In the context of widespread deployment of security surveillance systems (CCTV) and digital recording devices, processing data from these activities is becoming a sensitive compliance issue. The Draft clearly defines penalty levels for enterprises violating obligations set by law when processing data in public places, specifically:

A fine ranging from VND 25,000,000 to VND 50,000,000 shall be imposed for the following act: Recording audio or video in public places and processing personal data obtained from such activities without notifying the subjects so they understand they are being recorded, except where otherwise provided by law.

Additional sanctions: Fixed-term suspension of personal data processing for 01 to 03 months in the event of a second violation under specific regulations.

The law does not prohibit the installation of cameras for security protection, but it prohibits “covert” recording. Notification must be implemented such that data subjects can easily recognize it before entering the recorded area. Consequently, enterprises should consider posting notices regarding audio/video recording in conspicuous locations such as entrances, reception desks, or lobby areas. Signs should feature a clear camera icon accompanied by text giving notice that data is being processed. If the enterprise’s camera system integrates smart technologies (such as facial recognition or customer density measurement), the data collected shifts from basic personal data to sensitive personal data. This requires notification and protection procedures that are significantly more stringent.

3. Violations of Personal Data Protection Regulations in the Advertising Service Business

In the digital economy, exploiting data for marketing and advertising purposes brings immense commercial value but also poses the most serious risks of privacy infringement. Article 64 of the Draft Decree establishes monetary sanctions with relatively high penalty levels, specifically the following:

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • Organizations or individuals in the advertising service business using personal data other than that of customers transferred by the personal data controller or personal data controller-cum-processor under an agreement, or collected through their own business activities, to conduct advertising services;
  • Organizations or individuals in the advertising service business failing to establish methods allowing data subjects to refuse data sharing; failing to determine storage periods; or failing to delete or destroy data when no longer necessary.

A fine of up to 5% of the total revenue of the preceding financial year in Vietnam shall be imposed for violations committed for the second time or more regarding the aforementioned acts (recidivism).

Additional sanctions: Deprivation of the right to use business licenses for sectors involving personal data processing violations for 01 to 03 months; confiscation of exhibits and means of administrative violation; fixed-term suspension of personal data processing for 01 to 03 months.

Note that advertising involves processing a large volume of personal data, especially from various sources and platforms, and managing this in accordance with personal data laws is considered a major challenge for enterprises. However, given the penalty mechanism recorded in the Draft, enterprises operating in advertising must pay attention to controlling input personal data streams and establishing mechanisms (buttons/toggles) for data subjects to actively consent to or edit personal information. Furthermore, any advertising or communication campaign should be accompanied by a data governance system: knowing exactly where data comes from, how long it is stored, and when it must be deleted.

4. Violations of Regulations on the Illegal Collection, Transfer, Purchase, and Sale of Personal Data

This group of acts seriously infringes upon data ownership rights and the order of cyberspace management. Article 65 of the Draft Decree stipulates the proposed penalty levels as follows:

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • Transferring personal data outside of the cases permitted by law or contrary to the principles of personal data protection;
  • Illegally buying or selling personal data where such acts do not constitute a criminal offense;
  • Establishing software systems or technical measures to illegally collect or process personal data;
  • Collecting, processing, or using data to develop, train, test, or operate artificial intelligence systems contrary to the regulations of the law on data and personal data protection.

A fine of up to 5% of the total revenue of the preceding financial year in Vietnam shall be imposed for violations committed for the second time or more regarding the acts above.

5. Violations of Regulations on Notification of Personal Data Protection Violations

Transparency and response speed when a data incident occurs are the measures of an enterprise’s responsibility. Article 66 of the Draft Decree sets strict requirements regarding timing and reporting procedures to ensure that functional authorities can intervene promptly:

A fine ranging from VND 25,000,000 to VND 50,000,000 shall be imposed for the following acts:

  • The personal data controller or the personal data controller-processors failing to notify, or notifying later than 02 working days to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention and Control) after detecting a violation of personal data protection regulations without a legitimate reason for the delay;
  • Providing incomplete notification regarding the contents related to the violation of personal data protection regulations;
  • Failing to draft a report (minutes) on the violation of personal data protection regulations;
  • Failing to cooperate, or cooperating incompletely, with functional forces and competent authorities in handling violations of personal data protection regulations.

Enterprises should develop a data breach response plan. In this plan, specific personnel should be designated to handle communications with the Ministry of Public Security, and reporting scenarios should be prepared according to prescribed templates. Proactive transparency within the first 48 hours is the best way to protect corporate reputation and minimize legal damages.

6. Violations of Regulations on Personal Data Processing Impact Assessment (DPIA)

The Impact Assessment Dossier (DPIA) is not merely an administrative procedure but a “commitment” to an enterprise’s data protection capabilities. Article 67 of the Draft Decree sets extremely heavy sanctions, proportional to the actual level of data disclosure or loss:

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • The personal data controller or the personal data controller-processors failing to establish or maintain a Personal Data Processing Impact Assessment Dossier from the commencement of data processing;
  • The personal data processor failing to establish or maintain a personal data processing impact assessment dossier when performing a contract with the personal data controller;
  • Failing to submit 01 original copy to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention and Control) according to Form No. 02a/02b in the Appendix of Decree No. 356/2025/NĐ-CP within 60 days from the date of commencing personal data processing;
  • Failing to comply with requests to supplement or finalize the personal data processing impact assessment dossier from the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention and Control).

Specific penalty escalations:

Double the aforementioned fine for acts resulting in the disclosure or loss of personal data of 100,000 to under 1,000,000 Vietnamese citizens. Five times the aforementioned fine for acts resulting in the disclosure or loss of personal data of 1,000,000 to under 5,000,000 Vietnamese citizens.

A fine equal to 5% of the total revenue of the preceding financial year in Vietnam for acts resulting in the disclosure or loss of personal data of 5,000,000 Vietnamese citizens or more.

Additional sanctions: Deprivation of the right to use business licenses for violations in personal data processing for 01 to 03 months; confiscation of exhibits and means of personal data processing; fixed-term suspension of personal data processing for 01 to 03 months.

7. Violations of Regulations on Transferring Personal Data Abroad

In the context of globalization, transferring data abroad is a daily activity but carries the highest risks to national security and privacy. Article 68 of the Draft Decree records penalty levels for violations of cross-border data transfer regulations as follows:

A fine ranging from VND 70,000,000 to VND 100,000,000 shall be imposed for the following acts:

  • The data transferor failing to establish a transfer impact assessment dossier for personal data transferred abroad and failing to perform procedures as stipulated in clause 2, Article 18 of Decree No. 356/2025/NĐ-CP;
  • Failing to establish or maintain a transfer impact assessment dossier for personal data transferred abroad from the commencement of data processing;
  • Failing to submit 01 original dossier to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention and Control) according to Form No. 01a/01b in the Appendix of Decree No. 356/2025/NĐ-CP within 60 days from the date of commencing data processing;
  • Failing to notify the Ministry of Public Security in writing regarding the transfer and contact details of the organization/individual in charge after the data transfer is successfully completed;
  • Failing to comply with requests to supplement or finalize the transfer impact assessment dossier from the Ministry of Public Security;
  • Failing to comply with inspection requests regarding the transfer of personal data abroad from the Ministry of Public Security.

Specific penalty escalations:

Double the aforementioned level for similar violations resulting in the disclosure, loss, or transfer of personal data of 100,000 to under 1,000,000 Vietnamese citizens abroad. Five times the aforementioned level for violations resulting in the disclosure, loss, or transfer of personal data of 1,000,000 to under 5,000,000 Vietnamese citizens abroad.

A fine ranging from 3% to 5% of the total revenue of the preceding financial year in Vietnam for acts resulting in the disclosure, loss, or transfer of personal data of over 5,000,000 Vietnamese citizens abroad.

Final Advice: Re-examine your company’s “data flow map.” If the flow stops at or passes through servers located abroad, complete the impact assessment dossier according to Form 01a/01b immediately. Compliance with inspection and modification requests from the Ministry of Public Security is a mandatory obligation to ensure the legality of data flows permitted for transfer abroad.

8. Violations of Regulations on Personal Data Protection Measures

Protection measures are not only technical barriers but also an enterprise’s commitment to professionalism and responsibility toward customers. Article 69 of the Draft Decree tightens the obligation to build a security foundation, from internal regulations to specialized personnel, to ensure data is not compromised from within:

A fine ranging from VND 50,000,000 to VND 70,000,000 shall be imposed for the following acts:

  • Failing to apply personal data protection measures as regulated;
  • Failing to build and issue regulations on basic personal data protection; failing to specify tasks to be performed according to the provisions of Decree No. 356/2025/NĐ-CP; and failing to conduct cybersecurity inspections of systems, means, and equipment serving personal data processing before processing, irreversibly deleting, or destroying devices containing basic personal data.

A fine ranging from VND 70,000,000 to VND 90,000,000 shall be imposed for the following act: Failing to designate a department with the function of protecting sensitive personal data; failing to designate personnel in charge of protecting sensitive personal data; and failing to exchange information regarding the department and individuals in charge of sensitive personal data protection with the Specialized personal data protection authority.

Additional sanctions: Deprivation of the right to use business licenses for sectors involving personal data processing violations for 01 to 03 months; confiscation of exhibits and means of personal data processing.

In general, the Draft covers the full spectrum of regulations that personal data laws require enterprises to follow, and establishes sanctions for enterprises that fail to implement them or do so purely as a formality. Although these regulations are currently at the draft stage, the official effective document generally does not differ significantly from the draft. Therefore, whether they wish to or not, and even though compliance increases the cost burden, enterprises need to plan for mandatory implementation immediately.

Time of writing: 30/03/2026

This article contains general information of reference value. If you want to receive legal opinions on issues you need clarified, please get in touch with our Lawyer at info@cdlaf.vn
