Published in March 2026
Authors: Nguyen Thu Huyen | Nguyen Duc Anh
Introduction
Drawing on global trends in enhancing personal data protection via legislation, Vietnam’s legal framework on this matter has evolved at pace in recent years. In 2023, Decree No. 13/2023/ND-CP (“Decree 13”) was enacted by the Government, establishing Vietnam’s framework for personal data protection. Building on Decree 13, the National Assembly officially enacted the Personal Data Protection Law (“PDPL”) on June 26, 2025. Subsequently, the Government issued Decree No. 356/2025/ND-CP (“Decree 356”) on December 31, 2025, providing further guidance to certain provisions of the PDPL. Both the PDPL and Decree 356 have taken legal effect from January 01, 2026.
In brief, the PDPL incorporates nearly all regulations under Decree 13 while introducing several major changes and additions. Further detailed by Decree 356, the new regulatory regime introduces fresh compliance challenges for businesses, particularly with the introduction of new penalties for violations, sector-specific regulations, and requirements for appointing personal data protection experts and organizations. Below, we highlight these key changes and additions.
1. Significant penalties for violations of data protection regulations
The PDPL introduces a comprehensive penalty regime for breaches of personal data protection obligations. Under the PDPL, both individuals and organizations may face civil and criminal liabilities for violations, alongside substantial monetary fines.
Regarding administrative sanctions, unlawful personal data trading can attract a penalty of up to ten times the illicit gain derived from the violation, or VND 3 billion, whichever is higher. For breaches related to cross-border data transfers, the penalty may reach up to 5% of the violator’s revenue from the previous year, or VND 3 billion, whichever is higher. Other violations are subject to fines of up to VND 3 billion, with further details on specific penalty levels expected to be issued by the Government in subsequent guidance.
Notably, for multinational corporations, it remains unclear whether the revenue-based penalty will be calculated based on Vietnam-specific revenue, or aggregate global revenue, making non-compliance a large financial risk.
2. More stringent requirements for obtaining consent from Data Subjects
The PDPL establishes stricter requirements for obtaining consent from Data Subjects for data processing. Specifically, consent from a data subject will be valid only when:
- Voluntary and informed: Consent is only valid if it is voluntary and the data subject is clearly aware of: (i) the types of personal data to be processed and the purpose of the processing; (ii) the identity of the Data Controller or Data Controller-Processor; (iii) the rights and obligations of the data subject;
- Clear and specific: Consent must be expressed in a “clear and specific” manner that is reproducible in writing, including in electronic or other verifiable formats; and
- Unbundled and purpose-specific: Consent must adhere to 04 principles: (i) specifically given for each data-processing purpose; (ii) without also requiring consent to purposes other than the agreed-upon data-processing purpose; (iii) valid until revoked or as otherwise provided by law; and (iv) silence or non-response does not constitute consent.
In addition, the PDPL notably permits data processing without consent in specific cases, which include emergencies, the operations of competent state agencies, and the protection of the “justifiable rights or interests” of the Data Controller, Data Processor or Data Controller-Processor in response to violations of those rights or interests. In such cases, supervisory mechanisms are required for processing data without consent.
Decree 356 further reinforces these provisions by providing that, in the event of a dispute, the burden of proving valid consent lies with the Data Controller or Data Controller-Processor, and by prohibiting default opt-in settings and unclear or confusing instructions that blur the distinction between acceptance and non-acceptance.
Further, Decree 356 also introduces strict deadlines for fulfilling data subject requests, including:
- Requests to withdraw consent or restrict processing: require a response within 2 working days, with an execution time limit of 15 (extendable to 20) days;
- Requests to view, edit or provide data: require a response within 2 working days, with an execution time limit of 10 days;
- Requests to delete data: require a response within 2 working days, with an execution time limit of 20 days.
3. New sector- and category-specific regulations
The PDPL introduces new personal data regulations targeting specific sectors, including: (i) employee management, monitoring and recruitment, (ii) healthcare and insurance, (iii) banking and finance, (iv) marketing and advertising, (v) social networks and over-the-top services, and (vi) big-data processing, artificial intelligence, blockchain, metaverse and cloud computing. These specific rules supplement the general obligations under the PDPL and are expected to increase compliance requirements in these fields.
By way of example, the major regulations for employee management, monitoring and recruitment are:
- Purpose-specific: Employers are permitted to request and process only personal data that is necessary and directly serves the purpose of recruitment.
- Deletion: Personal data of unsuccessful candidates must be deleted or destroyed after the recruitment process is complete, absent a specific agreement to retention. Similarly, upon termination of employment, the employer must delete or destroy the personal data of its employees, absent an agreement to the contrary or for compliance with legal requirements (e.g. for tax or social insurance purposes).
In addition, the PDPL also designates specific categories of personal data as subject to heightened standards for data processing, including (i) data of vulnerable persons; (ii) data from public recordings; and (iii) location and biometric data.
4. Data Protection Department, Officers and Service Providers
Previously, Decree 13 required the appointment of a Data Protection Officer only in specific situations. By contrast, the PDPL now requires all organizations that process personal data to either (i) appoint Data Protection Officers (“DPO”) and/or form an internal Data Protection Department (“DPD”), or (ii) hire an external organization or individuals to provide these personal data protection services.
Decree 356 clarifies the specific competency requirements for these roles. Specifically:
- Internal DPOs must hold at least a college degree, complete specialized training in data protection, and possess a minimum of 2 years of post-graduation experience in fields such as legal affairs, information technology, cybersecurity, data security, risk management, compliance, or human resources. In case a DPD is formed, its personnel must satisfy the above criteria.
- Individuals providing external DPO services must hold at least a college degree, complete specialized training in data protection, and possess a minimum of 3 years of post-graduation experience in the above fields. Organizations providing third-party DPD services must maintain at least three qualified individuals as personnel.
In addition, organizations providing personal data-processing services are required to fulfil the requirements provided under Decree 356, as reflected in certificates of eligibility for the provision of personal data processing services issued by the Ministry of Public Security in accordance with the procedure provided under this Decree.
5. Cross-border personal data transfer cases clarified
The PDPL specifies the following cases as cross-border data transfers:
- Transfer of personal data stored in Vietnam to data-storage systems outside of Vietnamese territories;
- Transfer of personal data by entities in Vietnam to offshore entities (i.e. agencies, organizations, and individuals); and
- Usage by onshore or offshore entities (i.e. agencies, organizations, and individuals) of offshore data centers to process personal data collected in Vietnam.
6. Impact assessment requirements
The PDPL requires conducting and submitting a Data Processing Impact Assessment (“DPIA”) and Cross-Border Personal Data Transfer Impact Assessment (“TIA”) dossier only once throughout the entire operation of an organization or enterprise, subject to periodic updates: (i) every 06 months when changes occur; or (ii) within 10 days upon the occurrence of a reorganization, cessation of operations, dissolution or bankruptcy, changes to the data protection service provider, or the addition of new business lines related to data processing.
Exceptions to the above are provided for (i) employee data on cloud computing services for internal administration; (ii) transfers initiated by data subjects, and (iii) transfers by competent state authorities.
7. Transition
The PDPL has taken legal effect from January 01, 2026, with 02 exceptions: (i) small enterprises and startups not involved in the data processing sector may choose not to comply with the impact assessment requirements and the appointment of a Data Protection Department/Officer for 05 years from the PDPL’s above effective date; and (ii) household businesses and microenterprises not involved in the data processing sector, not processing sensitive personal data, or not processing personal data of a large number of data subjects are granted a full exemption from certain of such obligations.
Decree 356 further clarifies that these exceptions do not apply if the entity (i) processes sensitive personal data; (ii) engages in the business of providing data processing services; or (iii) reaches a scale of 100,000 data subjects “based on the accumulated results of the total amount of personal data processed.”
8. Outlook
The PDPL and detailed guidance of Decree 356 significantly clarify and strengthen the requirements on personal data protection compared to the previous legal framework, thereby imposing new and more stringent compliance obligations on businesses. With the Law having taken effect on 1 January 2026, enterprises should review their personal data processing activities, assess their current level of compliance, and develop an appropriate compliance roadmap to mitigate legal and financial risks.