NEED-TO-KNOW
LEGAL ISSUES IN PERSONAL DATA PROTECTION

1. OVERVIEW

  • Promulgation and Entry into Force: The Law on Personal Data Protection (Law No. 91/2025/QH15) was ratified by the National Assembly on June 26, 2025. To provide further details, the Government issued Decree No. 356/2025/ND-CP on December 31, 2025. Both legal documents officially come into force as of January 1, 2026. From this date, Decree No. 13/2023/ND-CP shall cease to have effect.
  • Scope and Regulated Entities: The Law applies to Vietnamese agencies, organizations, and individuals; foreign agencies, organizations, and individuals in Vietnam; and foreign entities directly participating in or involved in the processing of personal data of Vietnamese citizens and persons of Vietnamese origin without determined nationality residing in Vietnam who have been issued with identification certificates.
  • Transitional Provisions: Personal data processing activities conducted with the consent of data subjects or under agreements as prescribed in Decree No. 13/2023/ND-CP before the effective date of this Law shall continue to be carried out without the need to obtain new consent. Dossiers for impact assessment of personal data processing and cross-border transfer received by authorities before the effective date continue to be used; however, any updates made after the effective date must comply with the new Law. Notably, small-sized enterprises and startups may choose whether or not to implement regulations on preparing impact assessment dossiers and designating personal data protection personnel within 5 years from the effective date. This exemption does not apply if the entity provides personal data processing services, directly processes sensitive personal data, or reaches a processing scale of 100,000 or more personal data subject matters. Household businesses and micro-enterprises are also eligible for these exceptions under similar conditions.

2. KEY ISSUES TO NOTE

Firstly, Classification and Principles of Personal Data Processing

  • Main Content: Personal data is categorized into two groups: basic personal data (including surname, middle name, and given name, date of birth, place of residence, phone number, images of the individual, etc.) and sensitive personal data (including opinions on religion, health status, biometric data and genetic characteristics, financial, banking, and credit information, location data, etc.). The collection and processing of personal data must be conducted with the consent of the personal data subject matter, except for specific cases such as protecting the life and health of the data subject or others in urgent cases or responding to emergencies.
  • Legal Basis: Article 2, Article 9 and Article 19 of the Law on Personal Data Protection 2025; Article 3, Article 4, and Article 5 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: In the course of processing sensitive personal data, agencies and organizations must establish regulations on access authorization and restriction, processing procedures, and confidentiality measures. Personal data controlling parties and personal data processing and controlling parties must develop clear procedures and forms for the exercise of the rights of the personal data subject matter (such as the right to withdraw consent or request data deletion). Response and implementation timelines are strictly regulated: authorities/organizations must respond within 02 working days and complete the implementation within 10 to 30 days depending on the type of request (e.g., 10 days for modification, 15 days for cessation of processing, and 20 days for deletion).
  • Relevant Entities: All individuals, enterprises, and organizations participating in or involved in the collection and storage of customer or employee information.

Secondly, Preparation of Impact Assessment Dossiers for Personal Data Processing and Cross-border Transfer

  • Main Content: The personal data controlling party, personal data processing and controlling party, and personal data processing party are required to prepare impact assessment dossiers when performing personal data processing or cross-border personal data transfer. This includes activities such as transferring personal data collected and stored in Vietnam to server systems or cloud computing services located outside the territory of Vietnam.
  • Legal Basis: Articles 20, 21 and 22 of the Law on Personal Data Protection 2025; Articles 17 to 20 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: Relevant entities must prepare and send 01 original complete dossier to the personal data protection authority (Ministry of Public Security) within 60 days from the date of commencement of personal data processing or cross-border transfer. Dossiers must be updated biannually (every 6 months) if there are changes to the purposes of transfer/processing or changes in the parties involved. Immediate updates must be performed within 10 days in cases of reorganization, operational termination, or when new business services concerning personal data processing arise.
  • Relevant Entities: Personal data controlling and processing parties, especially foreign entities, and organizations utilizing international software solutions or cross-border cloud platforms.

Thirdly, Assignment of Forces, Units, and Personnel for Personal Data Protection

  • Main Content: Agencies and organizations are responsible for designating personal data protection units or personnel with adequate capacity or hiring independent personal data protection service providers.
  • Legal Basis: Article 33 of the Law on Personal Data Protection 2025; Articles 13 to 16 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: Designated personnel must hold at least a college-level degree or higher and have at least 02 years of working experience (or 03 years in the case of individuals providing hired services) related to fields such as legal affairs, information technology, risk management, or compliance control. These individuals must have received training and advanced training in legal knowledge and professional skills relating to personal data protection. The designation of personnel or units must be formalized through an official written document of the relevant agency or organization.
  • Relevant Entities: All agencies, organizations, and enterprises are generally required to comply. However, small-sized enterprises, startups, household businesses, and micro-enterprises are eligible for an exception and may choose whether or not to implement these personnel regulations within 05 years from the effective date of the Law. This exemption does not apply if the entity provides personal data processing services, directly processes sensitive personal data, or reaches a processing scale of 100,000 or more personal data subject matters.

Fourthly, Notification of Incidents and Violations of Personal Data Protection

  • Main Content: Whenever violations against personal data protection regulations are detected that may harm national defense, security, social order, and safety or infringe on the life, health, honor, dignity, and property of personal data subject matters, organizations and individuals must issue notices to the competent authorities.
  • Legal Basis: Article 23 of the Law on Personal Data Protection 2025; Articles 8, 28, and 29 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: The notification to the personal data protection authority (Ministry of Public Security) must be issued within 72 hours from the detection of such violations. The personal data controlling party or personal data processing and controlling party must prepare a written confirmation of violations, implement measures to remedy consequences, and cooperate with the personal data protection authority in handling the violation.
    Special Note: For organizations operating in finance, banking, and credit information activities, or when a violation incident involves personal location data or biometric data, the organization is required to notify both the personal data protection authority and the affected personal data subject matter within no more than 72 hours from the time the violation is detected.
  • Relevant Entities: Entities engaged in large-scale personal data collection, providers of platform application services providing personal location data, banks, credit institutions, securities institutions, and insurers.

Fifthly, Business of Providing Personal Data Processing Services

  • Main Content: Activities such as services for analysis and utilization of personal data; services for scoring, rating, and assessing the creditworthiness of personal data subject matters; and providing/operating automated systems and software to process personal data on behalf of the personal data controlling party (e.g., SaaS, cloud computing) have officially become business lines for personal data processing services.
  • Legal Basis: Articles 21 to 27 of Decree No. 356/2025/ND-CP.
  • Conditions, Procedures and Obligations: Organizations wishing to conduct business in this field are required to obtain a Certificate of eligibility for providing personal data processing services issued by the Ministry of Public Security. Business conditions include: the head responsible for professional matters related to personal data processing must be a Vietnamese citizen permanently residing in Vietnam; having at least 03 personnel satisfying the statutory competency conditions for personal data protection; meeting standards for infrastructure, equipment systems, facilities, and technology suitable for the processing services. The application dossier includes: an application (Form No. 04), a business proposal, and relevant personnel dossiers (diplomas and documents proving qualifications).
  • Relevant Entities: Digital technology enterprises, tech companies (AI, Big Data, Blockchain, Cloud), data analysis centers, and organizations providing enterprise software services or behavioral advertising.

In summary, to ensure compliance, relevant organizations and individuals may need to perform the following:

  • Review and classify personal data: Clearly distinguish between basic personal data and sensitive personal data within current storage systems.
  • Standardize procedures and forms: Update internal regulations and contracts; establish lawful methods to obtain consent from personal data subject matters and develop mechanisms to facilitate the exercise of their rights.
  • Designate specialized personnel or units: Issue decisions to appoint personal data protection personnel or a personal data protection unit satisfying the statutory competency conditions or enter into contracts with independent personal data protection service providers.
  • Complete Impact Assessment Dossiers (DPIA/TIA): Prepare and submit dossiers for personal data processing impact assessment and/or cross-border personal data transfer impact assessment to the personal data protection authority (Ministry of Public Security) no later than 60 days from the date of commencement of processing or transfer.
  • Establish incident response procedures: Ensure the internal capability to record and notify the competent authorities within 72 hours from the detection of personal data leaks or violations.
  • Apply for a Certificate of Eligibility: For entities engaged in the business of providing personal data processing services, prepare qualified personnel and infrastructure, and develop a business proposal to apply for a Certificate of eligibility for providing personal data processing services issued by the Ministry of Public Security.
