State Bank of Vietnam summarises Personal Data Protection Law introducing consent-based credit scoring and fines up to 5% of revenue

The State Bank of Vietnam has published an overview of Vietnam’s 2025 Personal Data Protection Law and the Prime Minister’s plan to implement it, ahead of the law taking effect on 1 January 2026. The update highlights key requirements affecting financial institutions and credit information activities, alongside broader prohibitions and enforcement parameters. The law prohibits the purchase and sale of personal data and sets out data subject rights including to be informed, give or withdraw consent, access and correct data, request deletion or restriction, object to processing, and seek redress. It also lists seven prohibited acts, including unlawful processing and intentional disclosure or loss of personal data. Administrative penalties include a maximum fine of 5% of the organisation’s prior-year revenue for violations related to cross-border transfers of personal data, with a separate maximum of VND 3 billion for other personal data protection violations. For finance, banking and credit information activities, organisations must protect sensitive personal data and apply safety and security standards, may not use an individual’s credit information for credit scoring, ranking or creditworthiness assessments without the individual’s consent, must collect only necessary personal data from lawful sources, and must notify data subjects where banking, financial or credit account information is leaked or lost. The Prime Minister’s implementation plan sets out tasks, timelines and coordination responsibilities across ministries and local authorities, including the development of a National Portal on Personal Data Protection to provide guidance and receive feedback and petitions related to personal data protection.