Personal Data Protection in Vietnamese Digital Health
How Luật 91/2025/QH15 — the first dedicated Personal Data Protection Law of Vietnam — and its implementing Nghị định 356/2025/NĐ-CP (both effective 1 January 2026) apply to health data: telemedicine platforms, electronic medical records, e-prescription, the national drug-traceability system, health-insurance data, and clinical-trial data. Health, biometric and genetic data are sensitive personal data. Cross-border transfers and DPO appointment are mandatory in scope. Sanctions are codified in Article 8 of the Law itself (up to 10× illegal revenue for unlawful sale, up to 5 % of prior-year revenue for cross-border transfer violations, up to VND 3 billion for other violations).
Overview
Vietnam moved from a decree-level personal data protection regime to a dedicated primary law on 1 January 2026, when Luật 91/2025/QH15 — Luật Bảo vệ dữ liệu cá nhân — and its implementing Nghị định 356/2025/NĐ-CP entered into force. The new Law and its implementing decree expressly repealed the prior Nghị định 13/2023/NĐ-CP, which had governed personal data protection from 1 July 2023 to 31 December 2025. There is no parallel operation: from 1 January 2026 controllers and processors apply the new Law and Decree alone.
Why this matters for digital health:
- Telemedicine platforms (Luật 15/2023/QH15 Article 53; Nghị định 96/2023/NĐ-CP Article 87) process sensitive health data at scale.
- Electronic medical records — bệnh án điện tử — and the inter-facility connectivity required under Luật 15/2023 put patient health data into shared infrastructure.
- E-prescription with the 14-character national prescription code (Thông tư 11/2025/TT-BYT amending Thông tư 02/2018 GPP) routes patient identifiers and drug-dispensing data through the national pharmacy system.
- The drug-traceability system links manufacturer, wholesaler, retailer and patient records.
- BHYT (Bảo hiểm Y tế) processing of health-insurance claims involves diagnosis and treatment data.
- Clinical trials process detailed health and sometimes genetic data of trial subjects.
Scope of this page:
- What changed on 1 January 2026.
- Definitions: personal data vs. sensitive personal data; why health data is sensitive.
- Data subject rights under Article 4 of the Law.
- Lawful bases and consent — including specific consent for sensitive health data.
- Controller / processor duties: DPIA filing, DPO, security, breach notification.
- Cross-border transfer of personal data — the mandatory 60-day filing with Bộ Công an / Cục A05 using Mẫu 09.
- Data localisation — Luật An ninh mạng + Nghị định 53/2022/NĐ-CP for in-scope online services.
- Healthcare-sector cross-cutting rules (Luật 15/2023, Nghị định 96/2023, Thông tư 11/2025).
- Sanctions — administrative (Article 8 of the Law) and criminal (Article 288 of Bộ luật Hình sự).
- Practical compliance checklist for telemedicine, EMR, e-prescription, drug-traceability and clinical-trial operators.
Legal stack at a glance:
- Luật 91/2025/QH15 — primary law, 5 chapters and 39 articles, passed 26 June 2025 by the 15th National Assembly at the 9th session, effective 1 January 2026.
- Nghị định 356/2025/NĐ-CP — 31 December 2025, effective 1 January 2026, 5 chapters and 42 articles, with 10 annexed forms (notably Mẫu 09 — cross-border transfer impact-assessment report).
- Luật An ninh mạng 24/2018/QH14 + Nghị định 53/2022/NĐ-CP — data localisation regime, unchanged by the 2025 reform.
- Bộ luật Hình sự Article 288 — criminal liability for unauthorised disclosure or trade of personal information on computer networks.
- Luật Khám bệnh, chữa bệnh 15/2023/QH15 Article 69 — patient rights including confidentiality of medical-record information and the right to access and copy one’s own record.
- Nghị định 96/2023/NĐ-CP Article 87 — IT security and data-protection conditions for telemedicine operating facilities.
- Thông tư 11/2025/TT-BYT (amending Thông tư 02/2018 GPP) — pharmacy software connectivity to the national pharmacy / e-prescription system and the 14-character electronic prescription code.
Definitions you need:
- "Dữ liệu cá nhân" — personal data, any information attached to or identifying a natural person.
- "Dữ liệu cá nhân nhạy cảm" — sensitive personal data — a defined sub-set that includes health data, biometric data, genetic data, sexual orientation, religious belief, political opinion, financial account, criminal record and other categories listed in the Law and Decree. Health-sector controllers must **notify the data subject in advance and in writing** that the data being collected is sensitive — a specific obligation not present for ordinary personal data.
- "Bên kiểm soát dữ liệu" (controller) and "Bên xử lý dữ liệu" (processor) carry distinct duties; joint controllers must enter into a written allocation of responsibilities.
- "Chuyển dữ liệu cá nhân xuyên biên giới" — cross-border transfer of personal data, replacing the 2023 terminology of "transfer of personal data abroad" and covering both transfers to overseas servers and access from overseas to data stored in Vietnam.
Data subject rights (Article 4 of Luật 91/2025/QH15): Right to be informed of the processing, to consent or refuse, to withdraw consent at any time, to access, view and rectify, to request provision or deletion, to restrict processing, to object to processing, to complain, to denounce, to sue, to claim damages, and to demand protective measures from the controller and from authorities. Nghị định 356/2025/NĐ-CP sets a **2-working-day** initial response window for receipt and logging of subject requests, with a longer substantive deadline for action.
Lawful bases and consent for health data:
- Consent is the default basis, and for sensitive health data the consent must be specific, informed and separately documented.
- Article 19 of the Law provides narrow exceptions in emergencies, public-interest defence, life-saving circumstances and certain statutory obligations — including treating emergencies under Luật 15/2023.
- A healthcare controller MUST NOT transfer patient data to a third-party health, life or social-insurance service provider without a written request from the patient, except where Article 19 applies.
Controller / processor duties:
- DPIA: every controller processing sensitive personal data must compile a personal-data processing impact assessment (hồ sơ đánh giá tác động xử lý dữ liệu cá nhân) and file it with Cục An ninh mạng và Phòng, chống tội phạm sử dụng công nghệ cao (A05) of Bộ Công an within 60 days of starting processing. Telemedicine, EMR, e-prescription, drug-traceability, clinical-trial sponsor / CRO and BHYT-handling controllers all fall within this trigger because of the sensitive-data definition.
- DPO — bộ phận hoặc nhân sự chuyên trách bảo vệ dữ liệu cá nhân: mandatory for organisations processing sensitive personal data, which captures the healthcare sector by default. The DPO is the point of contact for data subjects and for A05.
- Security: technical and organisational measures commensurate with the risk — encryption, access controls, segregation, retention controls, audit logging.
- Breach notification: within **72 hours** to A05 of Bộ Công an, with detailed records retained at least 5 years. Where the breach involves biometric data or location data, notification to the affected data subject within 72 hours or as soon as possible is also required.
- Children’s data: processing requires consent of the parent or legal guardian; for children aged 7+ the child’s assent must also be obtained.
Cross-border transfer of personal data:
- Terminology under the 2025 Law: "chuyển dữ liệu cá nhân xuyên biên giới".
- Mandatory **báo cáo đánh giá tác động chuyển dữ liệu xuyên biên giới (Mẫu 09)** filed with Cục A05 within 60 days of starting the transfer; the report must include the transfer contract or commitments and evidence of protective controls in the receiving jurisdiction.
- Narrow exemptions: international shipping or payment contracts, overseas study, emergency medical treatment abroad, and a 5-year delayed-filing window for small enterprises whose business does not involve data.
- Foreign telemedicine providers serving Vietnamese patients from overseas servers fall within scope and must either route via a Vietnamese-licensed facility (see Medibase Telemedicine reference page) or file the cross-border transfer dossier.
- Extraterritorial application: Luật 91/2025/QH15 applies to foreign organisations processing personal data of Vietnamese residents from abroad.
Data localisation under Luật An ninh mạng + Nghị định 53/2022/NĐ-CP:
- Luật 91/2025/QH15 itself does not impose a blanket localisation mandate; localisation continues to be governed by the Cybersecurity Law and Nghị định 53/2022.
- In-scope online services storing Vietnamese-user personal data must store that data in Vietnam for a minimum period. Foreign-invested telemedicine and EMR platforms should run a separate localisation assessment in parallel to the DPIA.
Sanctions:
- Article 8 of Luật 91/2025/QH15 codifies the administrative penalty caps directly in the Law itself — a significant change from the 2023 framework which relied on the general Decree 15/2020/NĐ-CP on sanctions in telecoms and IT.
- Unlawful sale of personal data: fine up to **10 times the illegal revenue**.
- Violations of cross-border personal-data transfer rules: fine up to **5 % of prior-year revenue** of the violating organisation.
- Other violations: fine up to **VND 3 billion** for organisations; individuals face half the organisational cap.
- A dedicated administrative-penalty decree on cybersecurity and personal data protection was in public consultation by Bộ Công an in early 2026 and will set the procedural detail; until it is promulgated, A05 enforces under the Law’s direct penalty provisions.
- Criminal liability: Bộ luật Hình sự Article 288 ("Tội đưa hoặc sử dụng trái phép thông tin mạng máy tính, mạng viễn thông") — fine VND 30–200 million, or imprisonment up to 3 years, with aggravated penalties up to 7 years.
- Healthcare-sector administrative penalties under Nghị định 117/2020/NĐ-CP remain in force for non-data healthcare violations and may be cumulated with data-protection penalties.
Healthcare-sector cross-cutting rules:
- Luật 15/2023/QH15 Article 69 — patient confidentiality and right to access / copy own medical record. The controller of an EMR system must be able to deliver a copy of the record to the patient on request.
- Nghị định 96/2023/NĐ-CP Article 87 (clause 1) — telemedicine facilities must guarantee safe transmission, display, processing and storage of clinical data and enter contractual data-protection terms with technology suppliers.
- Thông tư 11/2025/TT-BYT — pharmacy software must connect to the national pharmacy / e-prescription system; dispensing is only against electronic prescriptions carrying the 14-character national code; patient identifiers flowing through this pipe are sensitive health data, and pharmacy operators inherit DPIA, DPO and breach-notification duties.
- Luật 15/2023/QH15 Article 112 — the chapter establishing the personal health information system (hệ thống thông tin sức khỏe cá nhân) and the requirement for facilities to deploy EMR and e-prescription and to connect to the national healthcare-activity management information system.
Practical compliance checklist (telemedicine, EMR, e-prescription, traceability, clinical-trial operators):
1. Map the data flows: classify every category as personal data, sensitive personal data, or non-personal data. Health data is sensitive by default.
2. Update consent forms: separate, specific consent for sensitive-data processing, with the express notice that data is sensitive.
3. Compile and file the DPIA dossier with Cục A05 within 60 days of starting processing; update on material change.
4. Designate a DPO (or DPO team) and publish the contact channel.
5. Cross-border transfer: scope all overseas recipients (cloud regions, parent-company analytics, foreign CROs, foreign sponsors), file Mẫu 09 with A05, and put in place transfer contracts with protective controls in the receiving jurisdiction.
6. Data localisation: run a separate Cybersecurity Law / Nghị định 53/2022 assessment for in-scope online services and provision Vietnam-region storage where required.
7. Breach playbook: 72-hour notification window to A05; biometric / location breaches additionally notify subjects.
8. Records retention: at least 5 years for breach records and processing logs.
9. Vendor contracts: data-processor terms with specific allocation of duties, sub-processor controls, audit rights, deletion at termination.
10. Cross-link governance: align with Luật 15/2023 patient-rights workflows (Article 69), Nghị định 96/2023 telemedicine controls (Article 87), and Thông tư 11/2025 pharmacy-software connectivity.
- Reference only, not legal advice. Always verify against the consolidated text of Luật 91/2025/QH15 and Nghị định 356/2025/NĐ-CP on vanban.chinhphu.vn and against current Bộ Công an / Cục A05 guidance.
Key documents
Foundational law:
- Luật 91/2025/QH15 — Luật Bảo vệ dữ liệu cá nhân, passed 26 June 2025, effective 1 January 2026. 5 chapters, 39 articles. Article 4 (data subject rights), Article 8 (administrative penalty caps), Article 19 (lawful processing exceptions).
- Luật An ninh mạng 24/2018/QH14 — cybersecurity, data-localisation hook.
- Luật Khám bệnh, chữa bệnh 15/2023/QH15 Article 69 (patient confidentiality and record access); Article 112 (personal health information system).
- Bộ luật Hình sự (Penal Code) Article 288 — unauthorised disclosure or trade of personal information on computer networks.
Decree:
- Nghị định 356/2025/NĐ-CP — 31 December 2025, effective 1 January 2026, implements Luật 91/2025/QH15. 5 chapters, 42 articles, 10 annexed forms (Mẫu 09 — cross-border transfer impact assessment report).
- Nghị định 53/2022/NĐ-CP — data localisation under the Cybersecurity Law.
- Nghị định 96/2023/NĐ-CP Article 87 — telemedicine IT security and data protection.
- Nghị định 117/2020/NĐ-CP (amended by Nghị định 124/2021/NĐ-CP) — administrative sanctions in healthcare.
Circular:
- Thông tư 11/2025/TT-BYT — pharmacy software connectivity to the national pharmacy / e-prescription system; 14-character electronic prescription code.
- Thông tư 18/2026/TT-BYT — special-control medicines, including prohibition on remote prescribing of narcotic, psychotropic and precursor substances (cross-cuts data protection).
Superseded:
- Nghị định 13/2023/NĐ-CP — repealed by Nghị định 356/2025/NĐ-CP from 1 January 2026.
Sanctions and enforcement authority:
- Cục An ninh mạng và Phòng, chống tội phạm sử dụng công nghệ cao (A05) — Bộ Công an. Primary enforcement body for Luật 91/2025/QH15 and Nghị định 356/2025/NĐ-CP.
- A dedicated administrative-penalty decree on cybersecurity and personal data protection is in public consultation.
Source documents
Direct links to the official text on government portals.
Law and decree:
- Luật 91/2025/QH15 — https://vanban.chinhphu.vn/?pageid=27160&docid=214590
- Luật 91/2025/QH15 (original text via vbpl.vn) — https://vbpl.vn/TW/Pages/vbpq-van-ban-goc.aspx?ItemID=179252
- Nghị định 356/2025/NĐ-CP — https://vanban.chinhphu.vn/?pageid=27160&docid=216387
- Nghị định 13/2023/NĐ-CP (repealed 1/1/2026) — https://vanban.chinhphu.vn/?pageid=27160&docid=207759
- Luật Khám bệnh, chữa bệnh 15/2023/QH15 — https://vanban.chinhphu.vn/?pageid=27160&docid=207396
- Nghị định 96/2023/NĐ-CP — https://vanban.chinhphu.vn/?pageid=27160&docid=209491
- Bộ luật Hình sự Article 288 — https://thuvienphapluat.vn/hoi-dap-phap-luat/dieu-288-bo-luat-hinh-su-quy-dinh-ve-toi-dua-hoac-su-dung-trai-phep-thong-tin-mang-may-tinh-mang-vi-138065165.html
Sectoral guidance:
- Bộ Công an — sectoral notes on personal data protection — https://bocongan.gov.vn/chinh-sach-phap-luat/bai-viet/bao-ve-du-lieu-ca-nhan-trong-mot-so-hoat-dong-1754989261
- Cross-border transfer Mẫu 09 procedural note (VDPC) — https://vdpc.vn/thu-tuc-thong-bao-danh-gia-tac-dong-chuyen-du-lieu-ca-nhan-ra-nuoc-ngoai/
- Penalty draft decree (Bộ Công an public consultation 2026) — https://thuvienphapluat.vn/chinh-sach-phap-luat-moi/vn/ho-tro-phap-luat/chinh-sach-moi/107459/
Operational portals:
- Bộ Công an / Cục A05 — https://bocongan.gov.vn
- Bộ Y tế — https://moh.gov.vn
- Cục Quản lý Khám, Chữa bệnh — https://kcb.vn
- Bảo hiểm Xã hội Việt Nam (BHYT — VSS) — https://baohiemxahoi.gov.vn
Medibase cross-references:
- Reference — Telemedicine — /practice/telemedicine/
- Reference — Medical Practice Licensing — /practice/practice-licensing/
- Reference — Healthcare Facility Licensing — /practice/facility-licensing/
- Reference — Drug Distribution & Retail (e-prescription pipeline) — /medicine/distribution-retail/
- Reference — Special-Control Medicines — /medicine/special-control/
Recent updates
17 April 2023 — Government issues Nghị định 13/2023/NĐ-CP, Vietnam’s first comprehensive data-protection decree (effective 1 July 2023).
12 June 2018 — Quốc hội passes Luật An ninh mạng 24/2018/QH14, providing the data-localisation hook.
15 August 2022 — Government issues Nghị định 53/2022/NĐ-CP detailing data-localisation rules.
26 June 2025 — Quốc hội khóa XV passes Luật 91/2025/QH15 (Luật Bảo vệ dữ liệu cá nhân) at the 9th session — first dedicated primary law on personal data protection in Vietnam.
31 December 2025 — Government issues Nghị định 356/2025/NĐ-CP implementing Luật 91/2025/QH15 and expressly repealing Nghị định 13/2023/NĐ-CP.
1 January 2026 — Luật 91/2025/QH15 and Nghị định 356/2025/NĐ-CP enter into force. Healthcare controllers must have DPIA, DPO and breach-notification machinery in place; cross-border transfers require Mẫu 09 filings.
Early 2026 — Bộ Công an publishes draft administrative-penalty decree on cybersecurity and personal data protection for public consultation.
Resources & links
Legal-text portals:
- Cổng thông tin điện tử Chính phủ — văn bản pháp luật — https://vanban.chinhphu.vn
- Công báo điện tử — https://congbao.chinhphu.vn
- Cổng pháp luật quốc gia (Bộ Tư pháp) — https://vbpl.vn
- Thư viện pháp luật — https://thuvienphapluat.vn
Medibase cross-references:
- Reference — Telemedicine — /practice/telemedicine/
- Reference — Medical Practice Licensing — /practice/practice-licensing/
- Reference — Healthcare Facility Licensing — /practice/facility-licensing/
- Reference — Drug Distribution & Retail — /medicine/distribution-retail/
- Reference — Special-Control Medicines — /medicine/special-control/
- Reference — Clinical Trials & BE — /medicine/clinical-trials-be/
Frequently asked questions
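- What changed in healthcare on 1 January 2026?
Luật 91/2025/QH15 (the Personal Data Protection Law) and Nghị định 356/2025/NĐ-CP entered into force, replacing the former Nghị định 13/2023/NĐ-CP. Healthcare-sector controllers (telemedicine platforms, EMR operators, e-prescription pharmacies, drug-traceability operators, BHYT processors and clinical-trial sponsors) must put DPIA, DPO and breach-notification arrangements in place, because health data is classified as sensitive personal data.
- Is health data sensitive personal data?
Yes. The 2025 Law and Nghị định 356 classify health data (including biometric and genetic data) as sensitive personal data, requiring specific, informed consent and advance express notice to the data subject that the data is sensitive.
- When must the DPIA be filed?
Within 60 days of starting processing, with Cục A05 of Bộ Công an. The DPIA must be updated on material change.
- Must a DPO be appointed?
Yes. Organisations processing sensitive personal data must designate a personal data protection officer or team; the healthcare sector is in scope by default.
- Can telemedicine or EMR data be hosted in an overseas cloud region?
Yes, but the operator must (i) file the cross-border transfer impact-assessment report (Mẫu 09) with Cục A05 within 60 days, (ii) put in place transfer contracts with protective controls in the receiving jurisdiction, and (iii) separately run the Luật An ninh mạng + Nghị định 53/2022 localisation assessment for in-scope online services. Foreign telemedicine platforms serving Vietnamese patients from overseas servers are also in scope.
- How quickly must a breach be notified?
Within 72 hours, to Cục A05 of Bộ Công an. Where the breach involves biometric or location data, affected data subjects must also be notified within 72 hours or as soon as possible. Records must be retained for at least 5 years.
- What are the main penalties?
Article 8 of Luật 91/2025/QH15 codifies the penalty caps directly in the Law: up to 10 times the illegal revenue for unlawful sale of personal data, up to 5 % of prior-year revenue for cross-border transfer violations, and up to VND 3 billion for other violations (individuals: half the organisational cap). Criminal liability arises under Article 288 of Bộ luật Hình sự.
- Does Luật 91/2025/QH15 mandate data localisation?
No. Localisation continues to be governed by Luật An ninh mạng 24/2018/QH14 and Nghị định 53/2022/NĐ-CP. Run that assessment in parallel with the DPIA for in-scope online services.
- How does this interact with the e-prescription pipeline?
Thông tư 11/2025/TT-BYT requires pharmacy software to connect to the national pharmacy / e-prescription system and requires dispensing only against the 14-character electronic prescription code. Patient identifiers and dispensing data flowing through this pipe are sensitive health data; pharmacy operators inherit DPIA, DPO and breach-notification duties.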
Page changelog
2026-06-28: Initial publication. Reflects Luật 91/2025/QH15 (effective 1 January 2026), Nghị định 356/2025/NĐ-CP (implementing decree, effective 1 January 2026, replacing Nghị định 13/2023/NĐ-CP), Luật An ninh mạng 24/2018/QH14 + Nghị định 53/2022/NĐ-CP (data localisation), Bộ luật Hình sự Article 288 (criminal liability), Luật Khám bệnh, chữa bệnh 15/2023/QH15 Articles 69 and 112, Nghị định 96/2023/NĐ-CP Article 87, and Thông tư 11/2025/TT-BYT (e-prescription). Items marked await primary-source confirmation.
- Effective from: 2026-01-01
- Last reviewed: 2026-06-28
- Page updated: 2026-06-28