New Regulations on Sanction for Violations in Consumer Personal Data Protection

March 7, 2025

The Government has issued Decree No. 24/2025/ND-CP, which amends Decree No. 98/2020/ND-CP and takes effect on February 21, 2025. This decree introduces significant updates on administrative sanctions for violations related to consumer information protection.

Notably, Decree 24/2025/ND-CP increases penalties for certain violations compared to Decree 98/2020/ND-CP and expands the list of offenses subject to administrative sanctions. Key updates include:

Fines ranging from VND 20,000,000 to VND 30,000,000 for the following violations:

  • Engaging a personal data processor without consumer consent or failing to establish a formal authorization/contract specifying the responsibilities of both parties.
  • Failing to fulfill or inadequately implementing a consumer’s right to be informed about data processing activities.
  • Collecting or using consumer information without proper consent, or in a manner that is inaccurate or inconsistent with the declared purpose and scope.
  • Failing to comply with consumer requests regarding the review, correction, update, deletion, transfer, or cessation of data processing.
  • Failing to delete consumer information after the retention period expires, as required by the applicable consumer data protection regulations or legal provisions.

Fines of VND 30,000,000 – 40,000,000 for the following violations:

  • Failure to receive, process, or respond to consumer complaints, requests, or inquiries related to data processing activities.
  • Failure to notify competent authorities of data system incidents within the required timeframe.
  • Lack of appropriate security and safety measures when collecting, storing, or using consumer information, or failure to implement preventive measures against data security violations.
  • Unauthorized transfer of consumer information to third parties without obtaining the consumer’s consent as required by law.

Note: If the violation is committed by an organization or involves sensitive personal data, the fine is doubled. If the violation is committed by a large-scale digital platform operator, the fine is quadrupled.

Decree 24/2025/ND-CP also introduces new penalties for violations in online transactions, particularly those involving consumer information, including:

  • Fines of VND 50,000,000 – 70,000,000 for digital platform operators that violate authorization or outsourcing rules in consumer data processing. This includes: failure to establish a formal authorization document when engaging a third party for data processing; establishing an authorization agreement without clearly defining the scope and data protection responsibilities; and engaging a third party for data processing without consumer consent.

  • Fines of VND 100,000,000 – 200,000,000 for intermediary digital platform operators that fail to verify the identity of individuals selling products, goods, or services on their platforms.

Recommendations:

To minimize legal risks, particularly the risk of administrative sanctions, it is recommended to:

1/ Conduct a comprehensive review of all consumer personal data processing activities to identify potential compliance gaps, with a focus on obligations under the 2023 Law on Protection of Consumer Rights.

2/ Implement necessary compliance measures, remediate any gaps, and strengthen data protection safeguards to enhance security and ensure the organization’s data processing practices meet regulatory standards.

 

PrivacyCompliance prides itself on its team of experts having achieved numerous internationally recognized certifications such as CIPM, CIPP/E, CISA, CISM, CRISC®, ISO27001 Lead Auditor, etc. With tried-and-tested knowledge and capacity, PrivacyCompliance is confident in being able to provide in-depth and comprehensive solutions on personal data compliance and protection.

