How to Stay Compliant with Vietnam’s New Personal Data Protection Regime
Businesses operating in Vietnam should understand the country’s evolving personal data protection framework and implement appropriate governance measures to meet regulatory requirements while supporting global data management practices.
Key takeaways
- Vietnam’s Personal Data Protection Law has broad extraterritorial scope, requiring compliance from many foreign companies that process personal data connected to Vietnam.
- Businesses should assess whether they must complete DPIA and TIA filings, implement compliant data processing agreements, and meet cross-border data transfer requirements.
- The new regime significantly strengthens enforcement, making proactive compliance and robust data governance essential to avoid substantial penalties.
Q1. Who must comply with Vietnam’s personal data protection regime?
Vietnam’s Personal Data Protection Law (PDP Law) has broad application. It applies to Vietnamese organizations and individuals, foreign entities operating in Vietnam, and foreign entities directly involved in processing personal data of Vietnamese citizens or eligible persons of Vietnamese origin residing in Vietnam.
As a result, compliance obligations may extend beyond Vietnam-based operations to overseas headquarters, regional shared-service centers, cloud service providers, software vendors, and other entities that access, store, transfer, or process Vietnam-related personal data.
Q2. What are the key filing and reporting obligations?
Under the PDP Law, Decree 356, and Decision 778, organizations may need to submit notifications, assessments, and regulatory filings to the Cybersecurity and High-Tech Crime Prevention Department (A05).
Key obligations generally include:
- Personal Data Processing Impact Assessment (DPIA) dossier: Required for personal data processing activities.
- Cross-Border Personal Data Transfer Impact Assessment (TIA) dossier: Required for cross-border transfers of personal data.
- Dossier updates: Required when there are material changes to processing activities, cross-border transfers, organizational structure, or previously reported information.
DPIA and TIA dossiers are generally due within 60 days from the start of the relevant processing or cross-border transfer activity. Businesses should also maintain supporting documentation, including data processing agreements, internal policies, records of processing activities, and evidence relating to designated data protection personnel.
Q3. What obligations apply to vendors and service providers?
Vendors that process personal data on behalf of another organization are generally classified as Data Processors under the PDP Law. They may process personal data only under a valid agreement with the Data Controller and must implement appropriate technical and organizational safeguards.
Key obligations include:
- Entering into a compliant personal data processing agreement with the client;
- Processing personal data only for authorized purposes;
- Implementing adequate security and data protection measures;
- Cooperating with regulatory inspections and investigations; and
- Maintaining records demonstrating compliance with applicable requirements.
In addition, organizations that provide personal data processing services as a business activity may be required to obtain a Certificate of Eligibility for Personal Data Processing Service Business from the MPS.
To qualify, service providers must generally:
- Be legally established in Vietnam;
- Appoint qualified PDP personnel;
- Maintain appropriate infrastructure and security systems;
- Employ personnel with relevant data protection expertise; and
- Complete required impact assessment filings, including DPIA and, where applicable, cross-border transfer assessments.
Businesses engaging third-party service providers should conduct due diligence to verify that vendors can meet Vietnam’s personal data protection requirements and, where applicable, hold the necessary certifications.
Q4. What are the penalties for noncompliance?
The PDP Law introduces significantly stronger enforcement mechanisms and financial penalties than those available under Vietnam’s previous regulatory framework.
Depending on the nature of the violation, organizations may face:
- Administrative fines;
- Suspension of processing activities;
- Remedial orders;
- Confiscation of unlawful gains; and
- Other corrective measures imposed by competent authorities.
Notably:
- Violations involving the purchase or sale of personal data may be subject to fines of up to 10 times the unlawful revenue generated from the violation.
- Unlawful cross-border transfers may be subject to fines of up to 5 percent of the enterprise’s preceding year’s revenue.
- Other personal data protection violations may be subject to fines of up to VND 3 billion.
Additional enforcement guidance is expected through a forthcoming decree on administrative penalties for personal data protection violations.
Q5. How should businesses prepare for inspections or audits?
Although certain small businesses may benefit from limited exemptions or deferred implementation periods, organizations should not assume that they are exempt from compliance obligations.
Under the current framework:
- Small enterprises and startups may postpone certain obligations, including DPIA, TIA, and DPO requirements, for up to five years from the effective date of the PDP Law.
- Household businesses and micro-enterprises may be exempt from certain obligations.
However, these exemptions generally do not apply to organizations that:
- Provide personal data processing services;
- Directly process sensitive personal data; or
- Process personal data relating to 100,000 data subjects or more.
Furthermore, exempt entities must still comply with core obligations, such as obtaining valid consent, implementing security measures, and protecting data subject rights.
To prepare for potential inspections, businesses should maintain updated documentation, internal policies, records of processing activities, incident response procedures, employee training records, and evidence supporting DPIA and TIA filings.
Q6. What practical steps should companies prioritize in 2026?
For many organizations, 2026 will be a transition year focused on operationalizing compliance.
Priority actions should include the following:
- Establish a governance framework: Assign data protection responsibilities, define accountability structures, and implement internal policies.
- Review consent and privacy notices: Update consent mechanisms, privacy notices, and record-keeping practices to meet PDP requirements.
- Map data processing activities: Identify personal data processed, document data flows, and assess cross-border transfers.
- Prepare regulatory filings: Complete DPIA and TIA assessments, maintain supporting records, and update filings as needed.
- Strengthen third-party risk management: Review vendor agreements, assess security controls, and establish oversight procedures.
Q7. Can an overseas parent company access the personal data of its Vietnam subsidiary without a personal data processing agreement?
No. The PDP Law does not provide a blanket exemption for transfers within a corporate group. An overseas parent company and its Vietnam subsidiary are treated as separate legal entities and must establish a lawful basis for any access to or transfer of personal data.
Where the overseas parent receives, accesses, stores, or otherwise processes personal data from the Vietnam subsidiary, the arrangement may constitute:
- Personal data processing by a third party;
- A controller-processor relationship; and/or
- A cross-border personal data transfer.
Accordingly, businesses should generally ensure that:
- Appropriate intra-group data processing agreements are executed;
- Data subjects have been properly informed of the transfer;
- Any required consent has been obtained where applicable;
- Cross-border transfer requirements are satisfied; and
- The TIA dossier has been prepared and submitted where required.
Multinational groups should therefore review internal data sharing arrangements carefully. Routine access by regional headquarters, global HR systems, centralized customer relationship management platforms, cloud infrastructure providers, or shared service centers may trigger compliance obligations under Vietnam’s new PDP framework.
Setting up a business in Vietnam requires navigating company registration, local approvals, and work permit processes. We help FDI companies by preparing and submitting documentation, coordinating with authorities, and ensuring compliance, so they can start operations smoothly and focus on growth.
About Us
Vietnam Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Hanoi, Ho Chi Minh City, and Da Nang in Vietnam. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Indonesia, Singapore, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
For a complimentary subscription to Vietnam Briefing’s content products, please click here. For support with establishing a business in Vietnam or for assistance in analyzing and entering markets, please contact the firm at vietnam@dezshira.com or visit us at www.dezshira.com
- Previous Article European Firms Remain Optimistic on Vietnam: Highlights from EuroCham Q2 2026 BCI
- Next Article





