On the morning of June 26, at the 9th Session of the 15th National Assembly , with 433/435 delegates participating in the vote in favor (equal to 90.59% of the total number of National Assembly delegates), the National Assembly passed the Law on Personal Data Protection.
The Law consists of 5 chapters and 39 articles, regulating the protection of personal data; forces and conditions to ensure the protection of personal data; responsibilities of agencies, organizations and individuals regarding the protection of personal data...
The Personal Data Protection Law comes into effect from January 1, 2026.
The National Assembly voted to pass the Law on Personal Data Protection. (Photo: DUY LINH)
Fine of 5% of revenue for violations of cross-border personal data transfer
In Article 8 on handling violations of the law on personal data protection, the Law clearly stipulates that organizations and individuals who commit violations may be subject to administrative sanctions or criminal prosecution depending on the nature, extent, and consequences of the violation. If damage is caused, compensation must be made in accordance with the provisions of law.
The maximum fine for administrative violations against organizations that buy and sell personal data is 10 times the amount of revenue obtained from the violation.
In case there is no revenue from the violation or the fine calculated based on the revenue obtained from the violation is lower than the maximum fine prescribed in Clause 5 of this Article, the fine prescribed in Clause 5 of this Article shall apply.
The maximum fine for administrative violations against organizations that violate regulations on cross-border transfer of personal data is 5% of the organization's revenue of the previous year.
In case there is no revenue of the previous year or the fine calculated based on revenue is lower than the maximum fine prescribed in Clause 5 of this Article, the fine prescribed in Clause 5 of this Article shall apply.
Article 8, Clause 5: The maximum fine for administrative violations in other violations in the field of personal data protection is 3 billion VND.
The law also clearly stipulates that the maximum fine for an individual committing the same violation is one-half the fine for an organization.
The Government shall prescribe the method for calculating the proceeds from the commission of violations of the law on personal data protection.
Applying post-audit mechanism to cross-border personal data transfers
Presenting the report on receiving, explaining and revising the draft Law before the National Assembly pressed the button, Chairman of the National Defense, Security and Foreign Affairs Committee Le Tan Toi said that, taking into account the opinions of the delegates, the draft has added a provision that when exercising rights, data subjects must have the obligation to comply with the principles: in accordance with the law and comply with contractual obligations; must aim to protect the rights and legitimate interests of the personal data subject himself.
At the same time, it is not allowed to cause difficulties or hinder the implementation of legal rights and obligations of the parties and it is not allowed to infringe upon the legitimate rights and interests of the State, other agencies, organizations and individuals.
The Draft Law also strictly regulates the mechanism for implementing the rights of data subjects, personal data processing activities, specifically such as collecting, analyzing, synthesizing, encoding, decoding, editing, deleting, destroying, de-identifying, providing, publicizing, transferring personal data and other activities affecting personal data, and cases of personal data processing without the consent of the data subject.
For cross-border personal data transfers, the draft regulation applies a post-audit mechanism through a cross-border personal data transfer impact assessment dossier and only audits when necessary, instead of requiring prior consent in most cases, facilitating businesses.
Regarding the impact assessment when processing personal data and when transferring personal data across borders, agencies and organizations only need to prepare this record once for the entire operation process and update it when there are changes and the competent authority will conduct an inspection of the record when deemed necessary.
Literature
Source: https://nhandan.vn/phat-toi-da-10-lan-khoan-thu-voi-hanh-vi-mua-ban-du-lieu-ca-nhan-post889580.html
![[Photo] Standing member of the Secretariat Tran Cam Tu chaired a meeting with Party committees, offices, Party committees, agencies and Central organizations.](https://vphoto.vietnam.vn/thumb/402x226/vietnam/resource/IMAGE/2025/7/1/b8922706fa384bbdadd4513b68879951)
Comment (0)