New Decree Implementing the Law on Personal Data Protection Passed

Introduction

On 31 December 2025, the Government passed Decree 356/2025/ND-CP (“Decree 356”) on detailed regulations of certain articles and implementation measures of the Law on Personal Data Protection (“PDP Law”). Decree 356 provides the long-awaited guidance to implement the recent PDP Law that was passed on 26 June 2025.

Both the PDP Law and Decree 356 took effect from 1 January 2026. Decree 356 replaces Decree 13/2023/ND-CP on personal data protection (“Decree 13”), which stood as Vietnam’s main personal data protection regulation for more than two years.

Key Features

Basic Personal Data and Sensitive Personal Data

Decree 356 sets out a non-exhaustive list of personal data classified as basic personal data and sensitive personal data.

The list of basic personal data under Decree 356 is largely unchanged from Decree 13. However, Decree 356 introduces significant changes to the scope of sensitive personal data. It now includes (among others): information relating to private life, personal secrets, or family secrets; login names and passwords for access to an individual’s electronic identification account; images of identity cards, citizen identity cards, or national identity cards; and data tracking behaviour and usage activities of telecommunications services, social networks, online communication services, and other services in cyberspace.

Exercise of Data Subject Rights

Decree 356 sets out new timelines for responding to and complying with the requests of data subjects. The specific timelines depend on the relevant rights being exercised by the data subjects – e.g. withdrawal of consent, restriction to processing, objection to processing, rectification or deletion of personal data.

Data controllers and controller-processors are required to establish clear procedures and processes, and design forms for data subjects to exercise their rights.

Consent Requirements

Decree 356 further clarifies the requirements for obtaining consent under the PDP Law. The manner of obtaining consent must ensure verifiability as to the identity of the data subject who has given consent, the time at which consent was given, and the scope of the consent. Consent can be recorded or documented: (i) in writing; (ii) by recorded telephone call; (iii) by consent syntax via SMS message; (iv) via email, websites, platforms, or applications that have technical mechanisms for obtaining consent; or (v) by other appropriate methods that can be printed or reproduced in written form, including in electronic or other verifiable formats.

Data controllers and controller-processors must retain records of the consent, and they bear the burden of proving that valid consent was obtained. They are not permitted to establish default consent mechanisms or create unclear or misleading prompts that may cause confusion between consent and non-consent for data subjects. Any default settings must comply with personal data protection principles and respect the rights of data subjects.

Transfer of Personal Data

Decree 356 introduces specific provisions that govern the transfer of personal data. It regulates, among others, the relationships between data controllers and data processors and/or third parties. Decree 356 now introduces specific content requirements that need to be included in data transfer agreements.

Where personal data is shared between departments within the same agency or organisation for processing consistent with the established processing purposes, internal procedures must be put in place to control such sharing. Measures must also be implemented to prevent internal personnel from unlawfully sharing personal data with third parties.

Detailed Provisions on Personal Data Protection in Specific Sectors and Industries

Decree 356 elaborates the sectoral requirements for personal data protection in the PDP Law. These include specific responsibilities in financial, banking and credit information activities, big data processing, artificial intelligence, metaverse, blockchain technology, and cloud computing.

DPO Requirements and Engagement of External Personal Data Protection Service Providers

In line with the PDP Law, Decree 356 stipulates specific requirements for data protection officers. Under the PDP Law, organisations and individuals are permitted to designate a department or personnel with sufficient qualifications and capacity responsible for personal data protection (“PDP Department” and “PDP Personnel”), or engage organisations or individuals providing personal data protection services.

The conditions for designating PDP Personnel focus on academic qualifications, working experience in regulated fields and the need to obtain training in personal data protection law and related professional skills. Members of the PDP Department must include individuals that meet all of these conditions.

The designation of the PDP Department and PDP Personnel must be formalised through an official written instrument. A confidentiality agreement with the PDP Personnel can be signed to include provisions for liability exemptions. This suggests that personal liability could potentially attach to such personnel in the absence of such an agreement.

For the first time, the regulations now expressly allow companies to engage external organisations or individuals to provide personal data protection services. These service providers must meet statutory requirements to operate. The engagement must be formalised through a service contract, and companies must disclose information about these external service providers to data subjects and other relevant parties.

Cross-border Transfer of Personal Data

Decree 356 clarifies circumstances that are regarded as cross-border transfers of personal data. They include:

  1. personal data storage activities involving the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of Vietnam, or to cloud computing services of foreign service providers;
  2. the transfer of personal data from agencies, organisations, or individuals in Vietnam to recipient organisations or individuals located overseas; and
  3. the processing of personal data collected in Vietnam and transferred to platforms located outside the territory of Vietnam to continue processing.

Save for certain regulated exemptions, companies that engage in cross-border transfers of personal data must prepare and file with the relevant authority a cross-border personal data transfer impact assessment (“TIA”). This requirement is not new, having been introduced in Decree 13. However, as a welcome change, Decree 356 introduces important exemptions to this requirement, in addition to the exemptions available under the PDP Law, including:

  1. journalism and media activities conducted in accordance with law;
  2. cross-border transfers of personal data that have been lawfully made public in accordance with law;
  3. emergency situations where it is genuinely necessary to provide personal data across borders in order to protect life, health, or the safety of property of individuals, or to perform duties or obligations prescribed by law;
  4. cross-border transfers of personal data for the purpose of cross-border human resources management in accordance with internal rules, labour regulations, and collective labour agreements as prescribed by law; and
  5. the provision of personal data across borders for the purpose of entering into contracts or carrying out procedures relating to cross-border transportation, logistics, remittances, payments, hotel services, visa applications, or scholarship applications.

Detailed Procedures, Processes, and Forms for Personal Data Processing Impact Assessment (“PDPIA”) and TIA

Decree 356 contains regulations on the content, procedures, and new standard forms for the preparation and submission of a PDPIA and TIA. It replaces the forms previously provided under Decree 13.

Where applicable, companies must submit the PDPIA and TIA within 60 days from the date when they process personal data or from the date the cross-border personal data transfer is carried out. The relevant authority will then assess and provide a response within 15 days on whether the dossier is compliant or non-compliant. This is the first time that specific timelines for PDPIA and TIA filings are being regulated by the Government.

If the PDPIA or TIA is incomplete or non-compliant, the relevant authority will conduct an assessment and request the applicant to complete the dossier within 30 days. Notably, Decree 356 specifies that where the completion is not undertaken in accordance with the regulations, the authority may consider imposing administrative penalties for breach of personal data protection regulations.

Breach Notification Requirements

Decree 356 requires organisations and individuals to submit a personal data breach notification to the competent authority in writing, or online via the National Portal on Personal Data Protection, using the prescribed form. All required information must be included in the form.

In addition, where a personal data breach involves location data or biometric data, specific measures must be implemented by data controllers and controller-processors, including notifying the affected data subject within 72 hours, reporting the data breach to the state authorities, and retaining records of the breach for at least five years.

Data Processing Services

Decree 356 introduces a new list of personal data processing services that are now regulated as specific business activities. Service providers must meet certain eligibility criteria to operate in these areas. The regulated services include:

  1. providing and operating systems or automated software to process personal data on behalf of data controllers or data controller-processors;
  2. scoring, rating, or assessing the creditworthiness or trustworthiness of data subjects;
  3. collecting and processing personal data online via websites, applications, software, and social networks;
  4. collecting and processing personal data through healthcare websites, applications, software, health monitoring tools, and medical services;
  5. collecting and processing personal data through educational applications or software with monitoring features, such as attendance tracking, video recording, behavioural assessment, or emotion recognition;
  6. analysing and exploiting personal data, including using analytical tools to identify information, trends and patterns, and applying data mining techniques to extract value, predict user behaviour, or optimise services;
  7. encrypting personal data during transmission and storage;
  8. automated personal data processing using big data technologies, artificial intelligence, blockchain, or metaverse platforms; and
  9. application platform services that provide personal location data.

Companies that provide any of these services must be established and operate in accordance with Vietnamese law, and must satisfy requirements relating to personnel, infrastructure, systems, equipment, facilities, and technology. They are also required to obtain compliance results for the PDPIA and TIA.

The Ministry of Public Security is responsible for issuing Certificates of Eligibility for the Provision of Personal Data Processing Services.

Further Information

Please feel free to reach out to our contact partners should you have queries on the above development.


 

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
