According to the Personal Data Protection Law 2025, sensitive data refers to information that, if disclosed, misused, or illegally exploited, could infringe upon an individual’s honor, dignity, property, life, freedom, or privacy; or directly affect the lawful rights and interests of businesses, individuals, and organizations protected by law. In practice, following a series of user data leaks, the legal framework governing personal data protection has recently been strengthened to better regulate emerging activities related to personal data, including sensitive personal data.
With business activities and working methods diversifying, and digital technology and AI developing rapidly, enterprises now hold a vast amount of sensitive personal data. To ensure that they truly understand which types of sensitive personal data they possess and what legal obligations they must comply with when collecting, processing, or transferring such data (actions that enterprises themselves sometimes do not fully realize they are performing), the law imposes specific obligations on them. This article discusses the matter in more detail.

1. When every sector encounters sensitive data
Sensitive personal data refers to personal data associated with an individual’s privacy, the infringement of which directly affects the lawful rights and interests of agencies, organizations, and individuals, as listed in the categories promulgated by the Government. It is not only banks or hospitals that process sensitive data. Today, any enterprise that digitalizes its operations — from human resources to marketing — may be operating within this high-risk legal zone.
So, what types of information are considered sensitive data? Currently, the Personal Data Protection Law has not yet provided detailed provisions on this matter. However, Decree No. 13/2023/NĐ-CP has enumerated categories of information understood to constitute sensitive personal data, and we observe that when sub-law documents are issued to provide further guidance, they will, to some extent, inherit the principles of the existing regulations. Accordingly, sensitive personal data includes data relating to:
- Political opinions and religious beliefs;
- Health status and private life recorded in medical records, excluding information about blood type;
- Information relating to racial or ethnic origin;
- Information concerning inherited or acquired genetic characteristics of an individual;
- Information about physical attributes and unique biological characteristics of an individual;
- Data on crimes and criminal acts collected and stored by law enforcement authorities;
- Customer information held by credit institutions, branches of foreign banks, providers of intermediary payment services, and other authorized organizations, including: identification information of customers as prescribed by law; account information; deposit information; asset custody information; transaction information; and information on organizations or individuals acting as guarantors at credit institutions, bank branches, or intermediary payment service providers;
- Location data of individuals determined through location-based services;
- Other types of personal data prescribed by law as special and requiring appropriate security measures.
2. Which sectors are holding large volumes of sensitive personal data?
The first to be mentioned is the healthcare sector. This is not merely a matter of storing personal data: hospitals, health check-up centers, and testing laboratories currently hold a vast amount of sensitive data belonging to individuals undergoing medical examination and treatment. Such sensitive data includes medical records, test results, genetic data, and psychological conditions, and even health-related habits collected from wearable devices. In certain cases, sensitive data is transferred across borders for the purpose of medical testing or diagnosis that cannot yet be performed in Vietnam.
Next is the group comprising the financial, banking, and insurance sectors. In recent times, a number of leaks of users’ credit information have raised alarming concerns about the management and control of personal data security, particularly regarding sensitive personal data. We will not, for the time being, discuss the extent of damage caused by data breaches involving financial and banking data as compared to those in other sectors. However, we can first recognize that the damage resulting from leaks of sensitive information such as account numbers, transactions, credit histories, eKYC facial images, fingerprints, or insurance beneficiary information may lead to fraud, asset misappropriation, or money laundering. Therefore, the Personal Data Protection Law 2025 requires financial institutions to comply with relevant legal provisions; to apply measures for preventing unauthorized access, use, disclosure, or modification of customers’ personal data; to establish solutions for restoring customers’ personal data in case of loss; and to ensure confidentiality during the collection, provision, and processing of customers’ personal data for credit information assessment purposes.
In addition, sectors such as sociology, application development, and e-commerce are also collecting a large volume of sensitive data. When the law comes into effect together with accompanying sanctions such as penalties or suspension of data-related activities, we believe that these sectors and fields should take the lead in complying with legal provisions on personal data protection so that, at the very least, their business operations will not be disrupted.
3. Core legal obligations regarding sensitive data
The Personal Data Protection Law has not yet set out the specific obligations that enterprises holding sensitive data must perform; once the implementing regulations are issued, the requirements the law imposes on enterprises in protecting sensitive data will be specified in more detail. Decree No. 13/2023/NĐ-CP, for its part, stipulates that enterprises must apply measures to protect sensitive personal data, such as designating a department in charge of personal data protection, appointing personnel responsible for personal data protection, and exchanging information about such department and personnel with the specialized authority for personal data protection. In cases where the Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, or the Third Party is an individual, the information of the individual performing such function must be provided. The data subject must also be informed that his or her sensitive personal data is being processed.
In the context where the Personal Data Protection Law 2025 has become the legal framework governing all data processing activities, understanding, controlling, and demonstrating compliance with respect to sensitive data is no longer a choice but a mandatory requirement. CDLAF accompanies enterprises in building data maps, conducting Data Protection Impact Assessments (DPIA), and establishing sensitive data governance frameworks, helping organizations move from reactive compliance to proactive risk management, thereby protecting both trust and brand value in the era of the data-driven economy.
Time of writing: October 14, 2025
This article contains general information for reference only. If you would like to receive legal opinions on issues you need clarified, please get in touch with our lawyer at info@cdlaf.vn

