New Regulations on Sanction for Violations in Consumer Personal Data Protection

The Government has issued Decree No. 24/2025/ND-CP, amending Decree No. 98/2020/ND-CP, which takes effect on February 21, 2025. This decree introduces significant updates on administrative sanctions for violations related to consumer information protection.

Notably, Decree 24/2025/ND-CP increases penalties for certain violations compared to Decree 98/2020/ND-CP and expands the list of offenses subject to administrative sanctions. Key updates include:

Fines ranging from VND 20,000,000 – 30,000,000 for the following violations:

• Engaging a personal data processor without consumer consent or failing to establish a formal authorization/contract specifying the responsibilities of both parties.
• Failing to fulfill or inadequately implementing a consumer’s right to be informed about data processing activities.
• Collecting or using consumer information without proper consent or inaccurately/inconsistently with the declared purpose and scope.
• Failure to comply with consumer requests regarding the review, correction, update, deletion, transfer, or cessation of data processing.
• Failure to delete consumer information after the retention period expires, as required by the applicable consumer data protection regulations or legal provisions.

Fines of VND 30,000,000 – 40,000,000 for the following violations:

• Failure to receive, process, or respond to consumer complaints, requests, or inquiries related to data processing activities.
• Failure to notify competent authorities of data system incidents within the required timeframe.
• Lack of appropriate security and safety measures when collecting, storing, or using consumer information, or failure to implement preventive measures against data security violations.
• Unauthorized transfer of consumer information to third parties without obtaining the consumer’s consent as required by law.

Note: If the violation is committed by an organization or involves sensitive personal data, the fine is doubled. If the violation is committed by a large-scale digital platform operator, the fine is quadrupled.

Decree 24/2025/ND-CP also introduces new penalties for violations in online transactions, particularly those involving consumer information, including:

• Fines of VND 50,000,000 – 70,000,000 for digital platform operators that violate authorization or outsourcing rules in consumer data processing. This includes: Failure to establish a formal authorization document when engaging a third party for data processing; Establishing an authorization agreement without clearly defining the scope and data protection responsibilities; Engaging a third party for data processing without consumer consent.

• Fines of VND 100,000,000 – 200,000,000 for intermediary digital platform operators that fail to verify the identity of individuals selling products, goods, or services on their platforms.

Recommendations:

To minimize legal risks, particularly the risk of administrative sanctions, it is recommended to:

1/ Conduct a comprehensive review of all consumer personal data processing activities to identify potential compliance gaps, with a focus on obligations under the 2023 Law on Protection of Consumer Rights.

2/ Implement necessary compliance measures, remediate any gaps, and strengthen data protection safeguards to enhance security and ensure the organization’s data processing practices meet regulatory standards.

PrivacyCompliance prides itself on its team of experts having achieved numerous internationally recognized certifications such as CIPM, CIPP/E, CISA, CISM, CRISC®, ISO27001 Lead Auditor, etc. With tried-and-tested knowledge and capacity, PrivacyCompliance is confident in being able to provide in-depth and comprehensive solutions on personal data compliance and protection.