Vietnam’s Personal Data Protection: Key Requirements under Decree 356

Written by Yanyan Shang. Reading time: 6 minutes

Vietnam’s personal data protection requirements have entered a new phase with the adoption of Decree No. 356/2025/ND-CP (“Decree 356”). Companies now face expanded extraterritorial reach, mandatory impact assessments, and new, rigorous standards for consent and cross-border data transfers, requiring immediate compliance updates.


Effective January 1, 2026, Decree 356 replaces Decree No. 13/2023/ND-CP, serving as the primary implementing regulation for the Law on Personal Data Protection (PDPL). It translates statutory principles into enforceable operational obligations, closing previous compliance gaps and providing procedural clarity on consent, data subject rights, cross-border transfers, and impact assessments.

This article examines the decree’s key provisions, from its expanded extraterritorial scope to stricter operational responsibilities, and highlights initial compliance priorities for businesses operating in Vietnam.

See also: Vietnam Personal Data Protection Law: Latest Developments and Insights


Expanded scope of application and data classification

Vietnam’s updated data protection regime significantly expands its scope by explicitly including foreign entities that process personal data of Vietnamese citizens, regardless of where the processing occurs.

It also sharpens the legal distinction between basic personal data and sensitive personal data, expanding and detailing the latter category. Specifically:

  • Sensitive data now includes financial information, biometric identifiers, precise location data, behavioral tracking data, health records, and account credentials.
  • Processing sensitive personal data triggers stricter requirements on consent, access control, security measures, and internal governance.
  • Data mapping and classification become threshold compliance tasks rather than best practices, as incomplete data inventories immediately expose businesses to compliance gaps, particularly in cross-border transfers, automated processing, and third-party data sharing.

Core compliance obligations for data controllers and processors

The compliance obligations under Decree 356 signal a shift toward demonstrable, audit-ready compliance rather than informal or ad hoc privacy practices.

Exemptions for small-scale entities

Decree 356 balances statutory rules with practical realities by providing key exemptions, including:

  • Exemption for micro-enterprises and household businesses: These businesses are not required to appoint Data Protection Officers (DPOs) or perform impact assessments; and
  • Exemption for small enterprises and startups: These entities receive a five-year grace period starting January 1, 2026, during which they are not obligated to meet DPO appointment or operational standards, provided that they:
    • Do not process sensitive personal data directly;
    • Do not handle personal data at scale (more than 100,000 individuals); and
    • Do not serve as data processing service providers.

Strengthened consent requirements

Decree 356 converts Vietnam’s PDP framework into a set of enforceable operational duties for data controllers and data processors. A central change lies in strengthened consent requirements.

Organizations must obtain consent through verifiable methods and maintain clear evidence of when, how, and for what purpose consent was granted. The decree expressly prohibits the following practices:

  • Default consent settings;
  • Pre-ticked boxes; or
  • Interface designs that blur the distinction between consent and refusal.

This rule places the burden of proving that valid consent was obtained squarely on the business.

Structured procedural timelines

The framework introduces structured procedural timelines for exercising data subject rights. Controllers must acknowledge requests within two working days and complete actions within strict statutory deadlines:

  • 10 days for access/rectification;
  • 15 days for withdrawing consent; and
  • 20 days for deletion requests (extended if third parties are involved).

These fixed timelines replace the former 72-hour rule under Decree 13 and require formalized internal workflows and escalation mechanisms.

Mandatory comprehensive documentation

Organizations must now maintain comprehensive documentation, including internal data protection policies, consent records, processing logs, and impact assessment dossiers. For sensitive personal data, organizations must implement enhanced security measures, including strict access controls, encryption, anonymization, and continuous monitoring.

PDP personnel and governance requirements

Specified requirements for PDP personnel

Decree 356 prescribes the qualifications and responsibilities of individuals involved in PDP in Vietnam. It distinguishes between in-house personnel designated by agencies or organizations for PDP and individuals providing PDP services under contract.

The requirements for the two categories compare as follows (in-house designated PDP personnel versus individuals providing PDP services externally):

Position type
  • In-house: Internal staff member designated by an agency or organization
  • External: External individual hired under a service contract

Minimum education
  • In-house: College degree or higher
  • External: College degree or higher

Minimum experience
  • In-house: At least 2 years after graduation
  • External: At least 3 years after graduation

Relevant fields
  • In-house: Legal, IT, cybersecurity, data security, risk management, compliance, HR/organization
  • External: Legal, personal data processing, cybersecurity, data security, risk management, compliance

Training level
  • In-house: Trained and advanced-trained in PDP
  • External: Trained and in-depth trained in PDP

Main responsibilities
  • In-house: Internal compliance: policies, data subject rights, risk assessment, impact assessments, incident response
  • External: Provide services only within the contract scope

Compliance oversight
  • In-house: Actively monitors and improves organizational compliance
  • External: No internal compliance management role

Handling violations
  • In-house: Receives and reports PDP violations
  • External: Must not abuse services to violate the law

Data handling after work ends
  • In-house: Not specifically regulated
  • External: Must delete and destroy personal data after contract completion

Eligibility requirements for PDP service providers

When organizations delegate data protection responsibilities, service providers need to demonstrate sufficient staffing, relevant technical expertise, and prior experience. The requirements include:

  • Involvement in functions, tasks, or business areas related to technology, legal services, or a combination of both, and hired by an agency or organization to offer advice on compliance with PDP laws and to carry out PDP duties as per agreements;
  • Employing at least three personnel who meet the competency standards outlined in Decree 356;
  • Providing products or services related to confidentiality, cybersecurity, information technology, standards assessment, or consulting on PDP.

New governance and accountability requirements inside organizations

Responsibilities extend beyond policy drafting to include data processing and cross-border transfer impact assessments, breach coordination within statutory timelines, periodic staff training, and internal compliance audits.

HR must address employee data handling and training, IT must embed technical safeguards, and legal and compliance functions must oversee documentation, audits, and regulatory engagement, reshaping internal operating models around data governance.

Cross-border data transfers and impact assessment obligations

Scope of cross-border personal data transfers

Cross-border personal data transfers are defined broadly under the new rules, encompassing direct transfers, offshore storage, cloud-based processing, and onward processing of data collected in Vietnam. As a result, routine arrangements such as regional data hubs, global HR systems, centralized Customer Relationship Management (CRM) platforms, and overseas analytics environments now fall clearly within the scope of cross-border transfer regulation.

Data transfer impact assessment requirements

To manage these risks, the decree introduces mandatory data transfer impact assessment dossiers. Organizations engaging in cross-border transfers must prepare and submit a comprehensive assessment within 60 days from the start of the transfer via the Ministry of Public Security’s portal. The dossier must document transfer purposes, data categories, consent mechanisms, security safeguards, recipient protections, and risk mitigation measures.

Authorities review the filing within 15 days and may require revisions if documentation proves incomplete or insufficient.

Enforcement powers and compliance implications

Regulators now have explicit authority to suspend or halt cross-border transfers where data is used in ways that threaten national security or where serious violations of data protection obligations occur. For multinational enterprises, shared service centers, and cloud-dependent businesses, this framework raises practical challenges.

Organizations must reassess data localization assumptions, strengthen vendor controls, and align cross-border data architectures with Vietnam-specific compliance requirements to avoid operational disruption.

Sector and technology-specific rules

Sector-specific rules

Targeted compliance obligations now apply to sectors and technologies that process personal data at scale or pose elevated risk. In the finance, banking, and credit information sectors, organizations must apply approved technical standards, maintain end-to-end processing logs, conduct annual compliance assessments, and adhere to strict breach notification protocols specific to the financial sector.

Consent notices must also disclose scoring, profiling, and credit evaluation activities with clear retention periods.

Technology-specific rules

For AI systems, big data analytics, blockchain, cloud computing, and metaverse platforms, the decree establishes a forward-looking governance framework:

  • Organizations must limit collection to defined purposes, implement strong encryption and access controls, and apply anonymization or de-identification where feasible.
  • AI-driven processing that affects individuals requires transparency on automated decision logic, meaningful explanations of impact, and opt-out mechanisms.
  • Blockchain deployments must avoid storing identifiable personal data on-chain, while cloud contracts must clearly allocate data protection responsibilities.

Recommendation for businesses

Enforcement powers expand significantly under the new regime, granting authorities broad inspection and supervisory authority, including routine and ad hoc compliance reviews. Organizations must maintain complete records of data processing activities, impact assessments, and breach incidents, with certain records retained for at least five years.

In the event of a breach involving sensitive personal data, businesses must notify regulators within 72 hours.

Notably, for the finance and banking sectors, as well as breaches involving biometric or location data, organizations must also notify the affected data subjects within this same 72-hour window.

Non-compliance exposes organizations to severe penalties, including administrative fines, suspension of cross-border data flows, and potential license revocation. Beyond legal exposure, forced remediation and system disruptions can severely undermine commercial partnerships and customer trust.

How Dezan Shira & Associates can help

Decree 356 introduces detailed operational, documentation, and governance requirements that may require businesses to reassess their existing data protection frameworks. Dezan Shira & Associates supports companies operating in Vietnam with end-to-end personal data protection compliance, including:

  • PDP legal advisory to interpret Decree 356 obligations and sector-specific rules;
  • Compliance audits to identify gaps in data processing, consent mechanisms, and cross-border transfers;
  • Drafting and updating PDP policies, internal rules, and data processing contracts; and
  • Preparation and submission of Data Protection Impact Assessments (DPIA) and Transfer Impact Assessments (TIA) in line with statutory requirements.

For tailored advice on complying with Decree 356 and managing data protection risks in Vietnam, please contact our team to schedule a consultation: Vietnam@dezshira.com.

About Us

Vietnam Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Hanoi, Ho Chi Minh City, and Da Nang in Vietnam. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Indonesia, Singapore, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
