The GDPR Framework: A Comparative Reference Point for Global Data Protection Laws
VCI Legal – December 31, 2025
I. Introduction
- The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) establishes a legal framework to protect individuals’ personal data and applies to organisations that collect, process, or share such data in the EU. Following Brexit, the United Kingdom adopted its own version, known as the UK GDPR, which retains substantially similar provisions to the EU GDPR.
- Russia has also issued the Russian Federal Law of 27 July 2006 No. 152-FZ on Personal Data (“Law on Personal Data” or “LPD”) as the main legal basis for personal data protection. Russia is not a member of the European Union; as a result, EU jurisdiction, including the GDPR, does not extend over the territory of the Russian Federation. However, subsidiaries, branches and representative offices of Russian entities that operate within EU territory seem to fall within the GDPR's scope of application. Consequently, Russian entities operating in the EU may face a double burden in terms of bringing their processes into compliance with both Russian data protection regulations and the GDPR, and vice versa.
- China adopted the Personal Information Protection Law (“PIPL”) on 20 August 2021, marking the country’s first comprehensive data protection legislation. Influenced by key principles of the EU GDPR, the PIPL sets out rules for the collection and processing of personal information and officially came into effect on 1 November 2021.
- The U.S. lacks a single, comprehensive federal data protection law. Instead, data privacy is governed by a patchwork of sector-specific federal statutes (Privacy Act of 1974, Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), etc.) and state-level laws (e.g., CCPA/CPRA in California, CPA in Colorado, VCDPA in Virginia, etc.).
- Vietnam has also passed the Law on Personal Data Protection 2025 and the Law on Data 2024, marking a significant milestone and representing the country's comprehensive legal framework dedicated to the protection of personal data.
- This paper compares the legislation on the following:
- Scope of application and definition
- Legal grounds for lawful processing
- Controller/operator and processor obligations
- Individual’s rights
- Penalties and remedies
Scope of application and personal scope
Personal data protection regimes in the EU and the UK, Russia, China, Vietnam and the United States are built upon the common premise of protecting the personal data of natural persons. All jurisdictions extend their regulatory reach to both public authorities and private entities involved in personal data processing. However, notable distinctions arise with regard to personal scope and the criteria for determining the applicability of the law.
Under the GDPR, protection is afforded to natural persons irrespective of nationality or place of residence, and the regulation expressly applies to the processing of their personal data in a wide range of contexts. In contrast, Russian law does not expressly condition protection on nationality or residence, but in practice centres on data relating to Russian nationals. China’s PIPL applies primarily to the processing of personal data of natural persons within China, while also recognising certain extraterritorial circumstances. Vietnam’s Law on Personal Data Protection adopts a more restrictive approach, applying mainly to Vietnamese citizens and persons of Vietnamese origin residing in Vietnam who hold official identification. In the United States, the lack of a comprehensive federal framework has resulted in a patchwork of sector-specific federal laws and state-level regulations, which generally apply based on residency or territorial nexus within individual states.
Controllers, operators and processors
The allocation of responsibilities between entities involved in personal data processing constitutes a key element of data protection regulation. The GDPR establishes a clear distinction between “controllers,” who determine the purposes and means of processing, and “processors,” who process data on behalf of controllers, with each category subject to specific obligations.
Russian law adopts a comparable functional approach by defining “operators” as entities that organise and carry out personal data processing, although it does not formally recognise the concept of a processor as a separate legal category. China’s PIPL departs from the GDPR model by introducing the concept of “personal information processors,” which encompasses entities that independently determine the purposes and methods of processing, thereby subsuming roles that would otherwise be divided between controllers and processors. Vietnamese law recognises personal data controllers and processors, defining processors as entities that process data on behalf of controllers under contractual arrangements. In the United States, while traditional federal laws do not employ the controller–processor dichotomy, several recent state privacy statutes have begun to adopt these concepts, albeit with varying definitions and scopes.
Territorial scope and extraterritorial application
Significant differences can be observed in the territorial reach of personal data protection laws. The GDPR is characterised by its explicit extraterritorial application, extending to controllers and processors established outside the EU where they target individuals within the Union or monitor their behaviour. This approach has become a reference point for global data protection standards.
By comparison, Russian law does not expressly regulate extraterritorial processing, though localisation requirements effectively extend its influence to foreign entities handling data of Russian nationals. China’s PIPL expressly provides for extraterritorial application where processing activities outside China aim to provide products or services to individuals in China or analyse their behaviour. Vietnam’s law allows for application to foreign entities involved in or related to personal data processing activities, though the criteria for such application remain relatively broad and underdeveloped. In the United States, extraterritorial reach is determined indirectly through federal and state laws that apply where personal data of U.S. residents is collected or processed, even by entities established abroad.
Material scope and types of data
All examined jurisdictions regulate the processing of personal data by automated means and recognise enhanced protection for sensitive or special categories of personal data, such as data relating to health, religion, political opinions or ethnicity. Nevertheless, approaches diverge in relation to anonymisation, pseudonymisation and manual processing.
The GDPR provides detailed definitions of pseudonymisation and excludes anonymous data from its scope of application. Russian law introduces the concept of depersonalisation, while China’s PIPL distinguishes between anonymisation and de-identification, excluding anonymised information from regulatory oversight. Vietnamese law does not expressly regulate anonymisation or de-identification, and its application to manual processing remains unclear. In the United States, definitions and regulatory treatment of de-identified data vary by sector and state, with most laws excluding such data from their scope under specific conditions.
Lawful grounds for processing
Across all jurisdictions, personal data processing is generally permitted on the basis of consent, contractual necessity, legal obligations, protection of vital interests, and legitimate interests. However, the GDPR provides the most comprehensive and structured framework, including explicit provisions governing special categories of data and processing necessary for the establishment, exercise or defence of legal claims.
Other jurisdictions adopt more limited or fragmented approaches. Russian and Vietnamese laws allow processing for judicial and enforcement purposes, while China’s PIPL does not expressly address processing in judicial activities. In the United States, processing for legal claims is typically permitted through statutory exemptions rather than as a general legal basis, reflecting the sector-specific nature of U.S. data protection law.
