Bao Hoa
Captain Pham Ngoc Hoa from the Ministry of Public Security’s Cyber Security and High-Tech Crime Prevention Department addresses concerns from foreign-invested enterprises about the Law on Personal Data Protection, at a conference in Hanoi on April 10. Photo: Bao Hoa
Statistics from the Ministry of Public Security (MPS) show that between 2023 and 2025, authorities uncovered more than 30 cases involving the illegal purchase, sale and theft of personal data. During this period, approximately 160 million data files across sectors such as healthcare, education, banking, finance, electricity, insurance and telecommunications were unlawfully acquired and exploited.
In 2025 alone, cyberattacks caused losses exceeding USD 10 trillion worldwide, while damage in Vietnam was estimated at around VND 8 trillion (USD 303.4 million).
Against this backdrop, strengthening the personal data protection framework has become an urgent task to safeguard privacy and ensure national data sovereignty.
The first notable legislation in this area is Government Decree 13/2023/ND-CP, which was issued in April 2023 and took effect in July of the same year. It is considered the first legal foundation for personal data protection in Vietnam.
The Law on Personal Data Protection (PDP Law) was passed two years later in June 2025, marking a significant step forward in protecting the privacy of citizens and businesses. Effective on January 1 this year, the law introduces penalties of up to 5 per cent of a company’s previous year’s revenue in Vietnam for violations related to cross-border data transfers. The law’s guiding text, Government Decree 356/2025/ND-CP, was issued in December 2025 and also took effect from the beginning of 2026, replacing Decree 13.
Most recently, a draft decree on administrative sanctions for violations in cybersecurity and personal data protection was released in March for public comment. The draft further clarifies some provisions of the PDP Law and specifies penalties for different types and levels of violations.
To help businesses navigate this evolving legal framework, a conference themed “Personal Data Protection Law Forum - Compliance Challenges and Solutions for FDI Enterprises” was held recently by the Vietnam Office Machine Association, the Asia Legal law firm and the digital solutions consulting company FSI Vietnam. Among the most pressing concerns raised by businesses were cross-border employee data transfers and the requirement to appoint data protection personnel.
Impact assessment for cross-border data transfers
A key issue discussed at the conference was the preparation of impact assessment reports for cross-border data transfers.
Under the PDP Law, an impact assessment report must be prepared and submitted to MPS within 60 days from the date of the first data transfer in three categories: when personal data stored in Vietnam is transferred abroad; when personal data is transferred to organisations or individuals abroad; or when personal data collected in Vietnam is processed by platforms located outside the country.
However, many businesses remain uncertain as to whether their activities fall into these categories. For example, questions were raised about whether using cloud computing services to ‘report’ employee data to overseas parent companies constitutes a cross-border transfer and, consequently, is subject to the impact assessment reporting requirement.
According to Luu Xuan Vinh, managing partner at Asia Legal, if the cloud storage is used solely for internal management purposes, companies would be exempt from submitting the report, as per Article 20 of the PDP Law.
“However, if a company [in Vietnam] gives a foreign entity the permission to access those files and process the employees’ personal data, then obviously, the company will have to perform a cross-border data transfer impact assessment,” he said.
Identifying the purpose for data storage or transfer is a key point that businesses can rely on to assess whether they must prepare the report, according to Captain Pham Ngoc Hoa from the Cybersecurity and High-Tech Crime Prevention Department (A05) of MPS.
To do this, companies must carefully review what would happen to the data once it is transferred to corporations abroad.
“For instance, if you state that the purpose is to serve internal personnel management within the corporation, then what is the scope of that action?” Hoa said, adding that if using cloud computing, companies must clearly state whether it is only for storage, as a repository, or if it is a system that they will use for other purposes as well.
Hoa stressed that apart from specific exemptions prescribed by law, all cross-border data transfers must undergo impact assessment, including cases in which parent companies abroad collect personal data of employees from subsidiaries in Vietnam for personnel management or talent development purposes.
“All data processing activities between a company in Vietnam and its overseas parent company should be consolidated into a single impact assessment document,” Hoa said.
Currently, such reports can only be submitted directly to the MPS, although online submission via the National Public Service Portal is under development.
Data protection personnel requirements
The requirement to appoint or hire specialised data protection personnel has also raised concerns among enterprises, especially the matter of who qualifies as a data protection officer (DPO).
Under Decree 356, data protection personnel must have a college degree or higher, and at least two years of experience in the field of law, information technology, cybersecurity, data security, risk management, compliance control, human resource management, or organisational structure. They must also be trained and equipped with legal knowledge related to personal data protection.
To make it clearer to businesses, Hoa affirmed that there are no further requirements for a DPO apart from these. Companies can choose between having internal staff handle data protection procedures and hiring professional services.
“The choice should be made based on a close review of the functions and responsibilities of the data protection officer and department, which have been specifically defined in Decree 356,” she said.
As for which institutions are qualified to train DPOs in Vietnam, Captain Hoa said the PDP Law is very open on this aspect and does not stipulate any requirements for an organisation to qualify or be licensed to train DPOs.
“This enables companies to have diverse choices and allows the market to determine the quality of the training,” she said. “Companies can explore the market to find a credible organisation that can provide data protection training that strictly adheres to Vietnam’s regulations.”
Risk management perspective
Data from MPS shows that the number of cross-border data transfer impact assessment reports submitted by FDI enterprises is significantly higher than that of other business groups, which demonstrates the group’s high compliance with Vietnam’s regulations.
This raises a question of how to improve compliance among domestic businesses, given that over 90 per cent of Vietnamese companies are small- and medium-sized enterprises, where regulatory awareness is often low.
MPS acknowledged the challenges that businesses face in complying with data protection regulations, which was reflected in 80 per cent of the total submitted reports having substandard quality. At the same time, the ministry encouraged businesses to see the impact assessment procedure not merely as an obligation, but as a tool to control risks in their own data transfers.
“We want companies to understand that performing the data transfer impact assessment should be one of their regular activities,” Hoa said, adding that once companies have completed a satisfactory assessment report, they will be able to use information therein to monitor their compliance with personal data protection regulations.
