New legal framework on personal data protection in Vietnam
This article introduces notable provisions of the new regime on personal data protection that is introduced with the entry into force of the Personal Data Protection Law and guiding Decree.

Le Tuan Anh, Vuong Son Ha, and Tran Tu Anh

Vision & Associates[1]

National Assembly deputies press the buttons to pass the Law on Personal Data Protection. Photo: VNA

This article introduces notable provisions of the new personal data protection regime introduced with the entry into force of the Personal Data Protection Law and its guiding Decree, in particular the provisions on the data protection officer, data classification, cross-border data transfer and the data transfer agreement, data processing and transfer impact assessments, and licensed data processing services.

On January 1, 2026, Vietnam's new personal data protection regime took effect with the entry into force of Law 91/2025/QH15 on Personal Data Protection (PDPL) and its implementing Decree 356/2025/ND-CP dated December 31, 2025 (Decree 356), which replaces Decree 13/2023/ND-CP dated April 17, 2023, on personal data protection (Decree 13).

The PDPL and Decree 356 mark a significant shift in Vietnam's personal data protection regime, establishing a more comprehensive and enforceable legal framework. Companies must now pay close attention to their personal data protection obligations and proactively ensure compliance. This article highlights the key issues under the PDPL and Decree 356, compared with Decree 13, that every company should be aware of.

Why does personal data protection matter and how could it affect a company?

Every company processes personal data in its daily business operations. Personal data is a core element of almost all business interactions, from internal communications to major commercial transactions. Personal information protection rules have existed in Vietnam since 2006, scattered across different legal documents, and a Decree dedicated exclusively to personal data protection was only issued in 2023. The absence of strong enforcement mechanisms and clear sanctions, however, led many companies to treat compliance as a low priority, as non-compliance posed no immediate financial or legal risk.

The new legal framework establishes a fully institutionalized and enforcement-oriented regime, requiring companies to treat personal data protection as a matter of legal compliance and risk management. Compared to Decree 13 (the PDPD), the new framework introduces substantial changes that guide companies more clearly toward compliance, while also imposing penalties for non-compliance that may directly and immediately affect a company's interests.

What should a company know?

Appointment or outsourcing of a personal data protection officer: The first and most fundamental obligation of a company is to appoint a personal data protection officer (or a unit in charge of data protection), with specific duties set out in an official corporate document. Under the PDPD, a data protection officer was required only for the processing of sensitive personal data, and no qualification requirements were imposed. Now such an officer must be appointed in every company processing personal data and must meet several requirements under Decree 356, including, among others, (i) holding a college degree or higher; and (ii) having two years' working experience in a relevant field, e.g., legal affairs, information technology or cybersecurity. The regulations are silent on residency or nationality requirements for data protection officers.

The data protection officer plays a key role in ensuring the company's compliance with personal data protection regulations, being responsible for training and guiding all personnel on personal data matters within the company, developing internal policies and governance regulations, and preparing the documentation needed to ensure lawful personal data processing. The company may appoint an in-house data protection officer or engage a qualified individual or institutional provider of data protection services to satisfy these requirements.

Classification of personal data: One of the first steps a company must take when processing personal data is to determine whether such data is listed as basic personal data or sensitive personal data, since sensitive personal data is subject to stricter protection requirements.

In addition, when processing personal data of 10,000 or more Vietnamese data subjects, companies should assess whether such data qualifies as core data or important data under the 2024 Law on Data and guiding texts, which may trigger enhanced supervision by the Ministry of Public Security (MOPS) and the Ministry of National Defense (MOND).

Consent: The company must standardize its consent collection procedures and post-collection record-keeping to comply with increasingly stringent regulations; in particular, in the event of a dispute, the burden of proving the data subject's consent rests with the data controller and the data controller-cum-processor. Consent by default is clearly not permitted under the PDPL and Decree 356. Instead, consent must be obtained only after the data subjects fully understand the legally required information, and all consent records must be fully traceable. In other words, the company must make a privacy notice/statement containing the required information available to the data subjects, and then obtain their prior explicit consent.

Personal data transfer: Importantly, the PDPL and Decree 356 provide that a personal data transfer (whether for a fee or not) for processing in accordance with law, e.g., for providing services to the data subjects or for serving their legitimate interests, is not deemed a sale of personal data (which is generally prohibited by law). This helps distinguish personal data transfer from personal data sale in the many cases where a company is involved in personal data processing on a chargeable basis. However, the relevant parties should note that, for the first time, a personal data transfer from a data exporter to a data importer must be conducted under a personal data transfer agreement with the statutory contents stipulated in Decree 356. Such an agreement should preferably be in writing, as it must be attached to the dossier for the personal data processing impact assessment (DPIA dossier) and the dossier for the personal data transfer impact assessment (DTIA dossier) discussed below.

Administrative compliance obligations: A DPIA dossier and/or an outbound personal data DTIA dossier must be established by the three parties, namely the data controller, the data controller-cum-processor and the data processor, from the date on which personal data processing begins, and must be submitted by those parties to the MOPS within 60 days from the date of personal data processing/outbound personal data transfer. However, the company is exempted from establishing a DTIA dossier in several cases, e.g., storage of its employees' personal data on a cloud computing service, or overseas transfer of personal data for the purpose of cross-border personnel management in accordance with labor rules, regulations and collective bargaining agreements as prescribed by law.

For the first time, the competent state authority is required to evaluate the DPIA/DTIA dossier and respond on whether or not it meets the statutory requirements within 15 days of receipt (under the previous Decree on personal data protection, the state authority would only request supplementation of a dossier that failed to meet the statutory requirements, with no time limit for giving feedback). The DPIA/DTIA dossier must then be completed within 30 days from the date of receipt of the state authority's request, and any failure to comply may be subject to administrative penalties (under the previous Decree, this time limit was 10 days and there was no penalty for non-compliance).

For a company that has already submitted a DPIA and/or DTIA dossier to the MOPS's Department of Cyber Security and Hi-tech Crime Prevention under the previous Decree on personal data protection, resubmission of a new dossier is not required, but any updates to the previously submitted dossier must follow the procedures and new templates provided in the PDPL and Decree 356.

Please note that if the data to be processed, even where they are not personal data, are on the list of important data or the list of core data, the data exporter must prepare a DPIA or DTIA dossier before processing or transferring such data across borders, and send one original to the MOPS or MOND, using the standard form, at least 15 days before proceeding with the data processing. For core data, except in certain cases provided by law, the MOPS or MOND shall assess the DPIA or DTIA dossier within 10-15 days and notify the data exporter in writing of the assessment results; only after receiving a satisfactory assessment result may the data exporter decide on the cross-border data processing or transfer.

Employment-related obligations: As an employer, a company typically needs to obtain the prior consent of candidates on how their personal data is processed (e.g., shared, retained) for recruitment purposes. Once an employment contract is terminated and no other agreement exists, the company needs to consider the statutory period for retaining the ex-employee's personal data in its corporate files. Without such a basis, the company is required to delete the relevant ex-employee's personal data immediately.

Specific regulatory requirements for various sectors: PDPL and Decree 356 introduce the personal data protection regime for technology-related fields (including big data processing, AI and metaverse technologies, blockchain, and cloud computing) as well as for the banking, finance and credit information sectors.

License for specific personal data processing services (other than personal data processing associated with an ordinary service): Personal data processing service has been introduced as a new conditional business line under the law on investment. Decree 356 then provides further guidance on (i) the specific services/activities classified as personal data processing services, e.g., services for scoring, ranking and evaluating the trustworthiness of data subjects, and services for collecting and processing personal data online from websites, applications, software and social networks; and (ii) the statutory conditions applicable to personal data processing service providers, including obtaining a license/certificate of eligibility for providing personal data processing services from the MOPS.

Liability exemption for micro-enterprises, small-sized enterprises and startups: These entities are exempted from the obligation to appoint data protection officers and to conduct and submit DPIA and DTIA dossiers during the first five years from January 1, 2026, except those providing personal data processing services or directly processing sensitive personal data or personal data of a large number of data subjects.

Potential penalties: Under the previous regulations, violations of personal information protection rules were subject to a monetary fine of VND 10-70 million and forced deletion of the personal information. Under the PDPL, a company that fails to fully comply with the relevant laws may face an administrative fine of up to 5 per cent of its revenue and/or up to VND 3 billion, depending on the severity of the violation.

Actions to take: What should a company do to comply with the new personal data protection framework?

Appoint/Outsource a data protection officer: As a first step, if your company does not fall within an exemption, it should appoint or outsource a qualified data protection officer to plan and coordinate personal data protection compliance activities, as the officer has the expertise to walk all members of the company through the compliance process.

Assess and improve personal data practices: Led by the data protection officer, relevant company members should conduct a comprehensive assessment of their current personal data processing activities and protection measures to identify the types of personal data being processed, the number of data subjects involved, and the compliance actions required.

Prepare and submit DPIA and DTIA dossiers: If the company has not yet submitted its DPIA and DTIA dossiers, the relevant members should coordinate with one another to prepare and submit these dossiers as soon as possible.

[1]

Hanoi Office
Add: Unit 308-310, Floor 3, Hanoi Towers, 49 Hai Ba Trung St., Cua Nam ward, Hanoi, Vietnam
Tel: +84-24-3934 0629 Fax: +84-24-3934 0631
Email: vision@vision-associates.com

Ho Chi Minh City Office
Add: Unit 905, Floor 9, CitiLight Tower, 45 Vo Thi Sau St., Tan Dinh ward, HCMC, Vietnam
Tel: +84-28-3823 6495 Fax: +84-28-3823 6496
Email: hcmvision@vision-associates.com

Website: http://www.vision-associates.com
