New Legal Framework on Personal Data Protection in Vietnam

On 1 January 2026, Vietnam’s new personal data (“PD”) protection regime came into force with the entry into effect of Law No. 91/2025/QH15 on Personal Data Protection (“PDPL”) and Decree No. 356/2025/ND-CP detailing and implementing the PDPL (“Decree 356”), which replaces Decree No. 13/2023/ND-CP (“Decree 13”).
The PDPL and Decree 356 mark a significant shift in Vietnam’s PD protection regime, establishing a more comprehensive and enforceable legal framework. This new regime requires companies to pay close attention to their PD protection obligations and to proactively ensure their legal compliance. This article highlights key issues under the PDPL and Decree 356 that all companies should be aware of.
1. Overview: Why does PD protection matter and how could it affect my company?
Every company processes PD in its daily business operations. PD is a core element of almost all business interactions, from internal communications to major commercial transactions. Although PD protection was first introduced in Vietnam in 2023 under Decree 13, the absence of strong enforcement mechanisms and clear sanctions led many companies to treat compliance as a low priority, as non-compliance posed no immediate financial or legal risk.
The new PD protection legal framework establishes a fully institutionalized and enforcement-oriented regime, requiring companies to take PD protection seriously as a matter of legal compliance and risk management. Compared to Decree 13, the new framework introduces substantial changes that more clearly guide companies toward PD compliance, while also imposing penalties for non-compliance that may directly and immediately affect a company’s interests.
2. Key highlight: What should my company know?
• Appointment of a PD protection officer or department, or outsourcing thereof: The first and most fundamental obligation of your company is to appoint a PD protection officer or a department in charge of those duties (collectively, the “DPO”), with their duties clearly stated in an official corporate document. The DPO must meet several legal requirements under Decree 356, including, amongst others, (i) possessing a college degree or higher and (ii) two years of working experience in relevant fields, e.g. legal affairs, information technology or cybersecurity. The laws are silent on residency or nationality requirements applicable to the DPO.
The DPO plays a key role in ensuring the company’s compliance with PD protection regulations, since s/he is responsible for training and guiding all personnel on PD matters within the company, developing internal policies and governance regulations, and preparing documentation to ensure lawful PD processing. The company may appoint an in-house DPO or engage a qualified PD protection service provider to satisfy these requirements.
• Consent: The company must standardize its consent collection procedures and post-collection storage to comply with increasingly stringent regulations, including that, in the event of a dispute, the burden of proving the data subject’s consent rests with (i) the data controller and (ii) the data controller-cum-processor. Consent by default is clearly not permitted under the PDPL and Decree 356. Instead, consent must be obtained after the data subjects fully understand the legally required information, and all consent records must be fully traceable. In other words, a privacy notice/statement containing the required information must be made available to the data subjects, and the company must then obtain the data subjects’ prior explicit consent.
• PD Transfer: On an important note, the PDPL and Decree 356 provide that a PD transfer (whether on a chargeable basis or not) for processing permitted by law, e.g. for providing services to the data subjects or for serving the legitimate interests of such data subjects, would not be deemed a PD sale (which is normally prohibited by law). This helps distinguish PD transfer from PD sale in many cases where the company is involved in PD processing on a chargeable basis. However, the relevant parties should note that a PD transfer from the PD transferor to the PD transferee must be covered by a PD transfer agreement containing the statutory contents.
• Administrative compliance obligations: A PD processing impact assessment (“DPIA”) and/or an outbound PD transfer impact assessment (“TIA”) must be established not by one but by three parties, namely (i) the data controller, (ii) the data controller-cum-processor and (iii) the data processor, from the date of PD processing, and the same must be submitted by the aforementioned parties to the Ministry of Public Security within 60 days from the date of PD processing/outbound PD transfer. However, the company is exempted from establishing a TIA in several cases, including overseas PD transfer for the purpose of cross-border personnel management in accordance with labor rules, regulations, and collective bargaining agreements as prescribed by law.
For the first time, the State authority is required to evaluate and respond as to whether the DPIA/TIA meets the requirements prescribed by law within 15 days upon receiving the supplementation request from the State authority (rather than merely requesting supplementation only if the document fails to meet the requirements, without any turnaround time, as was the experience under the old Decree 13).
For a company that has already submitted a DPIA and/or TIA under the old Decree 13, resubmission of new dossiers is not required, but any updates to previously submitted dossiers must comply with the procedures and new templates prescribed under the PDPL and Decree 356.
• Employment-related obligations: In its role as an employer, the company typically needs to obtain the consent of candidates on how their PD is processed (e.g. shared, retained) before processing their PD for recruitment purposes. For employment, where an employment contract is terminated and no other agreement exists, the company needs to consider the statutory archive retention period to retain the ex-employees’ PD in its archived corporate files. Without such a basis, the company is required to immediately delete the PD of the relevant ex-employee.
• Specific regulatory requirements to various sectors: The PDPL and Decree 356 introduce PD protection regime for technology-related fields (including big data processing, AI and metaverse technologies, blockchain, and cloud computing) as well as for the banking, finance and credit information sector.
• License for specific PD processing services (other than PD processing associated with a typical service): PD processing service has been introduced as a new conditional business line under the laws on investment. Decree 356 further provides guidelines on (i) the specific services/activities classified as PD processing services, e.g. services for scoring, ranking, and evaluating the trustworthiness of data subjects, and services for collecting and processing PD online from websites, applications, software, and social networks, and (ii) the statutory conditions applicable to PD processing service providers, including obtaining a license/certificate from the Ministry of Public Security confirming satisfaction of the conditions for providing PD processing services.
• Exemption for micro-enterprises, small enterprises, and start-ups: These entities are exempt from the obligation to appoint the DPO and to conduct and submit a DPIA and TIA during the first five years from 01 January 2026.
• Potential penalties: Pursuant to the PDPL, if a company fails to fully comply with the law, the company may face an administrative penalty of up to five percent (5%) of the company’s revenue and/or up to VND 3 billion, depending on the seriousness of the violation.
3. Actions to take: What should my company do to comply with the new PD protection framework?
• Appointment of/outsourcing a DPO: As a first step, if your company does not fall within the exemption cases, the company should appoint or outsource a qualified DPO to plan and coordinate PD compliance activities, as the DPO possesses the necessary expertise to walk all members of the company through the compliance process.
• Assessment and improvement of current PD practices: Led by the DPO, relevant company members should conduct a comprehensive assessment of their current PD processing activities and protection measures to identify the types of PD being processed and the number of data subjects involved, and plan the compliance actions required accordingly.
• Preparation and submission of the DPIA and TIA: If the company has not yet submitted a DPIA and TIA, relevant members should coordinate the preparation and submission of these dossiers as soon as possible.
For further details or sector-specific guidance, or should you need any assistance in assessing and implementing PD compliance for your company, please contact us via the email address or phone number provided in the footer below. We are ready to support you in navigating these complex regulatory changes with confidence.
