
Vietnam: Personal Data Protection Landscape – Overview of the early 2026

19 May 2026 (Tue)

We have published a newsletter on the Personal Data Protection Landscape – Overview of the early 2026. To view the PDF version, please click the following link: Personal Data Protection Landscape – Overview of the early 2026

Personal Data Protection Landscape – Overview of the early 2026

15th May, 2026
One Asia Lawyers Vietnam Office

I. Introduction

Vietnam’s personal data protection framework has entered a more mature phase with the entry into force of the Law on Personal Data Protection No. 91/2025/QH15 (“PDPL”) from January 2026, and Decree No. 356/2025/ND-CP (“Decree 356”), which provides detailed guidance for its implementation. These instruments replace and expand upon the earlier Decree No. 13/2023/ND-CP, marking a transition from a principle-based regime to a more structured and enforceable compliance system.
In addition, a draft penalty decree in the fields of cybersecurity and personal data protection was released for public consultation in March, and Decision No. 778/QD-BCA (“Decision 778”) has been enacted to update the detailed procedures for personal data protection matters, in alignment with the changes under the PDPL and Decree 356. Together, these developments reflect the country’s commitment to building a comprehensive legal framework for personal data protection.
As we have already examined the PDPL in another newsletter[1], this update focuses on the guidance under Decree 356 and its practical implications.

II. Game-Changing Reforms for Foreign-invested Enterprises in early 2026

1. Operationalization of Consent Requirements[2]

Under the PDPL, consent is a core legal basis for processing personal data. Decree 356 clarifies that consent must be explicit and verifiable, and it prohibits implied consent, which rules out the opt-out mechanism that many companies have relied on. In particular, the permitted forms of obtaining the data subject’s consent include:

  • In writing;
  • By recorded phone calls;
  • Consent syntax via mobile text messages;
  • Via email, websites, platforms, or applications with technical mechanisms established to obtain consent;
  • Other appropriate methods that can be printed or reproduced in writing, including electronic forms or other verifiable formats.

This represents a significant shift from prior practice, where foreign-invested enterprises (“FIEs”) often relied on standardized global templates. Companies must now implement systems capable of capturing, storing, and evidencing valid consent in one of the forms listed above, and retain those consent records as evidence in the event of disputes or inspection.

Required action for FIEs: Review the current form of obtaining the data subject’s consent.

2. Mandatory Data Protection Function[3]

While the PDPL only states in general terms that a data protection department or officer (“DPO”) is required, Decree 356 elaborates on the DPO’s qualifications and responsibilities. Specifically, a DPO must be appointed by an official appointment decision of the company that sets out the function, rights, and other requirements of the DPO role. Even where the company uses an outsourced DPO, such a decision is still essential, in addition to the DPO outsourcing contract between the company and the DPO service provider.
Also, the DPO must satisfy the following criteria:

  • (a) Hold at least a college degree or higher;
  • (b) Have at least 02 years of working experience (from the time of graduation) in one of the following fields: legal affairs, information technology, cybersecurity, data security, risk management, compliance control, human resources management, or personnel organization;
  • (c) Have received training and professional development in legal knowledge and professional skills related to personal data protection.

Regarding (c), there has been no guidance on the form of training that satisfies this requirement. In practice, the competent authority, particularly the Department of Cybersecurity and High-Tech Crime Prevention (“A05”), requires a certificate in order to recognize any personal data protection training. It is therefore recommended that the prospective DPO attend a personal data protection course at a training institution, especially one that collaborates with or is organized by A05.
With these more detailed DPO regulations, multinational companies now need to localize their compliance structures, as reliance solely on regional or headquarters-level compliance teams may not meet regulatory expectations.
Required action for FIEs:

  • Re-evaluate the current DPO’s qualifications based on the new DPO criteria.
  • Check if there is an official appointment decision for the DPO and supplement, if necessary.

3. Enforcement of Data Subject Rights[4]

Upon receipt of a data subject’s request to exercise his/her rights, the data controller, or data controller cum processor (“Data Processor”), shall process such request within the following timelines:

  • General response: The Data Processor shall acknowledge and provide an initial response within 02 (two) working days from receipt.
  • Withdrawal of consent, restriction or objection: The Data Processor shall implement the request within 15 days, or 20 days where coordination with a processor/third party is required.
  • Access, rectification, or data provision: The Data Processor shall implement the request within 10 days, or 15 days where coordination with a processor/third party is required.
  • Deletion of Personal Data: The Data Processor shall implement the request within 20 days, or 30 days where coordination with a processor/third party is required.
  • Protection Measures Requests: The Company shall implement appropriate measures within 15 days.
  • Extension: Where necessary due to the nature or complexity of the request, the Company may extend the processing time once, provided that the Data Subject is notified in advance with reasons. The extension shall not exceed the original timeframe applicable to the relevant request.

Under the former statutory timeline in Decree No. 13/2023/ND-CP, all requests had to be handled within 72 hours of receipt. The new timelines under Decree 356 are therefore considerably more relaxed and are tailored to each type of request.
Required action for FIEs: Review the current procedure for handling data subjects’ requests and revise it to reflect the timelines under Decree 356.

4. Exemptions for small or startup enterprises[5]

Although the PDPL prescribes the conditions under which small or startup enterprises are exempted from the obligations of DPO appointment and the personal data processing impact assessment, Decree 356 adds further requirements for this group. Specifically, under Decree 356 these enterprises are exempted only if they also meet the following 03 (three) requirements:

  • They do not provide personal data processing services;
  • They do not directly process sensitive personal data;
  • The accumulated number of data subjects processed has not reached 100,000.

Required action for FIEs:
When considering whether your company falls within the exemptions from DPO appointment and the personal data processing impact assessment, assess the three factors above in addition to the usual criteria of capital, revenue, and number of employees.

5. Personal Data Transfer Mechanism[6]

Decree 356 consolidates the regulations on personal data transfer in a dedicated provision (Article 7), instead of scattering them across the decree as before. It sets out clearer and more structured requirements for data transfers.
In particular, a data transfer must comply with the following key requirements:

  • A data transfer agreement must be established, covering prescribed contents.
  • Appropriate security measures must be applied when transferring sensitive personal data.
  • Even intra-group transfers must be subject to internal control procedures and safeguards to prevent unauthorized disclosure to third parties.
  • Additional conditions apply for paid transfers or those based on legitimate interests.

Required action for FIEs: Although not entirely new, these more detailed requirements mean FIEs should proactively review their existing data transfer practices and supplement the necessary documentation and safeguards, including data transfer agreements, internal control procedures, and relevant security measures, to ensure compliance.

6. Cross-border Transfer Impact Assessment and Data Processing Impact Assessment[7]

Decree 356 introduces significant changes to the submission of Personal Data Processing Impact Assessment (“DPIA”) and Cross-border Transfer Impact Assessment (“CTIA”) dossiers. For the first time, a two-way appraisal mechanism with statutory deadlines has been formally established. Key updates include:

  • 15-day appraisal deadline: The authority must issue a formal compliance decision within 15 days of receiving a valid dossier.
  • 30-day remediation period: Submitters have up to 30 days to rectify incomplete dossiers, with potential administrative penalties for non-compliance.
  • New forms and process flow requirements: The new forms impose more requirements than before, in particular the inclusion of processing flows. The mechanism for updating CTIA/DPIA content has also changed.

Required action for FIEs: Review the existing DPIA/CTIA dossiers, update them in accordance with the new regulations, and update the related process documentation.

III. Conclusion

Decree 356 represents a significant step forward in Vietnam’s data protection regime, providing much-needed clarity while also raising the standard for compliance. Although certain uncertainties remain, particularly in relation to enforcement and penalties, the overall direction is clear: Vietnam is moving toward a stricter, more structured, and more actively enforced framework.
FIEs should take proactive steps to strengthen their compliance systems, as early preparation will be critical to mitigating legal and operational risks in the evolving regulatory landscape. They should also closely monitor ongoing regulatory developments, particularly the upcoming regulations on sanctions and enforcement, so that their compliance approach can be updated in good time.
———

[1] Vietnam: Introduction to Law on personal data protection | One Asia Lawyers
[2] Article 6 of Decree 356
[3] Article 13 of Decree 356
[4] Article 5 of Decree 356
[5] Article 41 of Decree 356
[6] Article 7 of Decree 356
[7] Articles 18, 19 and 20 of Decree 356