Vietnam’s personal data protection regime enters a new operational phase with Decree No. 356/2025/ND-CP (Decree 356). The decree takes effect on January 1, 2026 and replaces Decree No. 13/2023/ND-CP, acting as the main implementing regulation for the Law on Personal Data Protection (PDPL). In practice, it aims to translate statutory principles into enforceable obligations and provide more procedural clarity on consent, data subject rights, cross-border transfers, and impact assessments. For business teams, the immediate takeaway is that informal privacy practices will be harder to defend. Decree 356 is framed around demonstrable, audit-ready compliance and clearer internal accountability.
A major change is scope. Decree 356 explicitly includes foreign entities that process personal data of Vietnamese citizens, even if processing occurs outside Vietnam. That extraterritorial framing matters for multinational HR systems, digital platforms, cloud operations, and shared analytics environments. The decree also sharpens the distinction between basic personal data and sensitive personal data, and it expands and details the sensitive category. Sources list sensitive data to include financial information, biometric identifiers, precise location data, behavioral tracking data, health records, and account credentials. Photos of Vietnam ID/Citizen Cards are also classified as sensitive personal data. Once data is classified as sensitive, stricter requirements apply, including stronger consent expectations, access control, security measures, and internal governance.
What Businesses Must Change First: Consent, Controls, and Proof
Decree 356 tightens what “valid consent” looks like in day-to-day workflows. Compared with Decree 13, it is described as more prescriptive and enforceable. Consent designs must avoid default or pre-ticked consent, and they must avoid forced or misleading mechanisms. Separate consent is required for separate processing purposes, and organizations must retain evidence of valid consent. This pushes marketing flows, onboarding screens, HR portals, and vendor forms into the compliance spotlight. Where sensitive personal data is involved (such as Vietnam ID card photos), additional obligations can be triggered, including appointing a personal data protection officer, conducting a personal data processing impact assessment, notifying data subjects about the processing of sensitive data, and implementing strict access controls for handling, transferring, storing, and deleting that data.
Impact assessments are another practical pressure point. Decree 356 provides more specific regulations on the order, procedures, and dossiers for personal data processing impact assessments and cross-border personal data transfer impact assessments. It also dedicates the entirety of Article 7 to detailed guidance on the transfer of personal data. For many organizations, that means data mapping and classification are no longer “best practices” but threshold tasks. Sources note that incomplete data inventories can expose compliance gaps, especially in cross-border transfers, automated processing, and third-party data sharing. Decree 356 also introduces explicit expectations for AI systems and virtual environments, including transparency and accountability, clear notice, explaining core algorithmic principles, and enabling opt-out where automated processing or inferred data may identify individuals.
Decree 356 includes exemptions, but they are conditional and should be validated against actual processing. Micro-enterprises and household businesses are exempt from appointing data protection officers and from performing impact assessments. Small enterprises and startups receive a five-year grace period starting January 1, 2026 for DPO appointment and certain operational standards, but only if they do not process sensitive personal data directly, do not handle personal data at scale (defined in the sources as more than 100,000 individuals), and do not serve as a data processing service provider. Separately, the decree adds qualifications for personal data protection officers, requiring at least a college degree, a minimum of two years’ post-graduation experience in relevant fields, and formal training in personal data protection laws and related professional skills. For regulated “data processing services” (including operating automated processing systems, online data collection, data analytics, mining, and encryption), sources indicate providers must be Vietnamese entities, obtain a data processing services certificate from the MPS, and meet prescribed personnel, technical, and operational requirements.
When does Decree 356 take effect, and what does it replace?
How does Vietnam personal data protection Decree 356 change consent requirements for businesses?
What types of data are treated as sensitive under Decree 356?
Do small companies get any exemptions or grace periods under Decree 356?
What are “data processing services” under Decree 356?