On 1 January 2026, Vietnam’s new personal data (“PD”) protection regime was introduced with the entry into force of Law No. 91/2025/QH15 on Personal Data Protection (“PDPL”) and Decree No. 356/2025/ND-CP dated 31 December 2025, detailing and implementing the PDPL (“Decree 356”), which replaces Decree No. 13/2023/ND-CP dated 17 April 2023 on Personal Data Protection (“PDPD”).

The PDPL and Decree 356 mark a significant shift in Vietnam’s PD protection regime, establishing a more comprehensive and enforceable legal framework. This new regime requires companies to pay close attention to their PD protection obligations and to proactively ensure their legal compliance. This article highlights key issues under the PDPL and Decree 356 in comparison with the PDPD that all companies should be aware of.

Overview: Why does PD protection matter and how could it affect a company?

Every company processes PD in its daily business operations. PD is a core element of almost all business interactions, from internal communications to major commercial transactions. A personal information protection mechanism has existed in Vietnam since 2006 under various legal documents, but a decree dedicated exclusively to PD protection, i.e. the PDPD, was only issued in 2023, and the absence of strong enforcement mechanisms and clear sanctions led many companies to treat compliance as a low priority, as non-compliance posed no immediate financial or legal risk.

The new PD protection legal framework establishes a fully institutionalized and enforcement-oriented regime, requiring companies to take PD protection seriously as a matter of legal compliance and risk management. Compared to the PDPD, the new framework introduces substantial changes that more clearly guide companies toward PD compliance, while also imposing penalties for non-compliance that may directly and immediately affect a company’s interests.

Key highlight: What should a company know?

  • Appointment of a PD protection officer or department, or outsourcing thereof: The first and most fundamental obligation of your company is to appoint a PD protection officer or a department in charge of those duties (collectively, the “DPO”), with their duties clearly stated in an official corporate document. While a DPO was required under the PDPD only for processing sensitive PD, and the PDPD did not regulate DPO qualifications, a DPO must now be appointed in every company processing PD and must meet several legal requirements under Decree 356, including, amongst others, (i) possessing a college degree or higher and (ii) two years of working experience in relevant fields, e.g. legal affairs, information technology or cybersecurity. The laws are silent on residency or nationality requirements applicable to the DPO.

The DPO plays a key role in ensuring the company’s compliance with PD protection regulations, since he/she is responsible for training and guiding all personnel within the company on PD matters, developing internal policies and governance regulations, and preparing documentation to ensure lawful PD processing. The company may appoint an in-house DPO or engage a qualified individual or institutional provider of PD protection services to satisfy these requirements.

  • Classification of PD: One of the first steps a company must take when processing PD is to determine whether such data is listed as basic PD or sensitive PD, since sensitive PD is subject to stricter protection requirements.

In addition, when processing PD of 10,000 or more Vietnamese data subjects, companies should assess whether such data qualifies as core data or important data under the Law on Data 2024 and its guiding legal documents, which may trigger enhanced supervision by the Ministry of Public Security (“MOPS”) and the Ministry of National Defense (“MOND”).

  • Consent: The company must standardize its consent collection procedures and post-collection storage to comply with increasingly stringent regulations; in particular, in the event of a dispute, the burden of proving the data subject’s consent rests with (i) the data controller and (ii) the data controller-cum-processor. Consent by default is clearly not permitted under the PDPL and Decree 356. Instead, consent must be obtained after the data subjects fully understand the legally required information, and all consent records must be fully traceable. In other words, a privacy notice/statement containing the required information must be made available to the data subjects, and the company must then obtain the data subjects’ prior explicit consent.

  • PD transfer: On an important note, the PDPL and Decree 356 provide that a PD transfer (whether on a chargeable basis or not) for processing permitted by law, e.g. for providing services to the data subjects or for serving the legitimate interests of such data subjects, would not be deemed a sale of PD (which is normally prohibited by law). This helps distinguish PD transfer from PD sale in the many cases where the company is involved in PD processing on a chargeable basis. However, the relevant parties should note that, for the first time, a PD transfer from a data exporter to a data importer must be covered by a PD transfer agreement with the statutory contents stipulated by Decree 356, which should preferably be in writing as it must be attached to the DPIA and TIA dossiers mentioned below.

  • Administrative compliance obligations: A PD processing impact assessment (“DPIA”) dossier and/or an outbound PD transfer impact assessment (“TIA”) dossier must be established not by one but by three parties, namely (i) the data controller, (ii) the data controller-cum-processor and (iii) the data processor, from the date of PD processing, and the same must be submitted by the aforementioned parties to the MOPS within 60 days from the date of PD processing/outbound PD transfer. However, the company is exempted from establishing a TIA in several cases, e.g. storage of its employees’ PD on a cloud computing service, or overseas PD transfer for the purpose of cross-border personnel management in accordance with labor rules, regulations and collective bargaining agreements as prescribed by law.

For the first time, the State authority is required to evaluate the DPIA/TIA dossier and respond on whether it meets the requirements prescribed by law within 15 days of receiving the dossier (whereas under the old PDPD the State authority would only request supplementation of the DPIA/TIA dossier if it failed to meet the statutory requirements, with no regulated time limit for the State authority’s feedback). The DPIA/TIA dossier must be completed within 30 days from the date of the State authority’s supplementation request, and any compliance failure may be subject to administrative penalties (under the old PDPD this time limit was 10 days from the date of the supplementation request and there was no penalty for such compliance failure).

For a company that has already submitted DPIA and/or TIA dossiers to the Department of Cyber Security and Hi-tech Crime Prevention, directly managed by the MOPS, under the old PDPD, resubmission of new dossiers is not required, but any updates to previously submitted dossiers must comply with the procedures and new templates prescribed under the PDPL and Decree 356.

Please note that if the data to be processed, which is not PD, falls within the list of important data or the list of core data, the data exporter must prepare a DPIA or TIA dossier before cross-border processing or transfer and send one original copy to the MOPS or the MOND using the standard form at least 15 days before proceeding with data processing. For core data, except in certain cases provided for by law, the MOPS or the MOND shall assess the DPIA or TIA dossier within 10 to 15 days, the data exporter shall be notified in writing of the assessment results, and only after receiving a satisfactory assessment result may the data exporter decide on the cross-border data processing or transfer.

  • Employment-related obligations: In its role as an employer, a company typically needs to obtain candidates’ consent on how their PD is processed (e.g. shared, retained) before processing it for recruitment purposes. For employment, where an employment contract is terminated and no other agreement exists, the company needs to consider the statutory archive retention period when retaining ex-employees’ PD in its archived corporate files. Without such a basis, the company is required to immediately delete the PD of the relevant ex-employee.

  • Sector-specific regulatory requirements: The PDPL and Decree 356 introduce a PD protection regime for technology-related fields (including big data processing, AI and metaverse technologies, blockchain, and cloud computing) as well as for the banking, finance and credit information sector.

  • License for specific PD processing services (other than PD processing associated with a typical service): PD processing services have been introduced as a new conditional business line under the laws on investment. Decree 356 further provides guidance on (i) the specific services/activities classified as PD processing services, e.g. services for scoring, ranking and evaluating the trustworthiness of data subjects, and services for collecting and processing PD online from websites, applications, software and social networks, and (ii) the statutory conditions applicable to PD processing service providers, including obtaining a license/certificate from the MOPS confirming satisfaction of the conditions for providing PD processing services.

  • Exemption for micro-enterprises, small enterprises and start-ups: These entities are exempted from the obligation to appoint a DPO and to conduct and submit DPIA and TIA dossiers during the first five years from 1 January 2026, except for those providing PD processing services or directly processing sensitive PD or the PD of a large number of data subjects.

  • Potential penalties: Whereas violations of personal information protection were subject to a monetary fine ranging from VND 10 million to VND 70 million and forced deletion of the personal information under previous laws, under the PDPL a company that fails to fully comply with the law may face an administrative penalty of up to five percent (5%) of the company’s revenue and/or up to VND 3 billion, depending on the seriousness of the violation.

Actions to take: What should a company do to comply with the new PD protection framework?

  • Appointment or outsourcing of a DPO: As a first step, if your company does not fall within the exemption cases, it should appoint or outsource a qualified DPO to plan and coordinate PD compliance activities, as the DPO possesses the necessary expertise to walk all members of the company through the compliance process.

  • Assessment and improvement of current PD practices: Led by the DPO, relevant company members should conduct a comprehensive assessment of their current PD processing activities and protection measures to identify the types of PD being processed and the number of data subjects involved, and to plan the respective compliance actions required.

  • Preparation and submission of DPIA and TIA: If the company has not yet submitted its DPIA and TIA dossiers, relevant members should coordinate the preparation and submission of these dossiers as soon as possible.

For further details or sector-specific guidance, or should you need any assistance in assessing and implementing PD compliance for your company, please contact us via email: [email protected] or phone: +84-24-3934 0629. We are ready to support you in navigating these complex regulatory changes with confidence.