Vietnam's Draft Decree on Personal Data Protection: What Companies Need to Know Before January 2026
October 2025 Update: Critical Preparations for the New Privacy Regime
As of October 2025, Vietnam's Ministry of Public Security has released a pivotal draft decree that provides detailed implementation guidance for the country's 2025 Personal Data Protection Law (PDPL). For organizations operating in Vietnam or processing data of Vietnamese citizens, this isn't just another regulatory update—it's a comprehensive framework that will fundamentally reshape data protection compliance requirements starting January 1, 2026.
Why This Draft Decree Matters
The PDPL, passed by Vietnam's National Assembly in June 2025, established a robust legislative framework for data protection. However, many critical details were left to be clarified through implementing regulations. The Draft Decree fills these gaps, providing the operational clarity that businesses urgently need.
The Draft Decree clarifies personal data protection requirements and conditions, as well as procedures and enforcement mechanisms under the PDPL, marking a significant step toward shaping Vietnam's comprehensive data protection regime. With an anticipated effective date of January 1, 2026, organizations have a narrow window to ensure compliance.
Expanded Definition of Sensitive Personal Data
One of the most significant changes in the Draft Decree is the dramatic expansion of what constitutes "sensitive personal data." This matters because sensitive data requires restricted access, strict processing procedures, and heightened security measures.
What's New in the Sensitive Data Category?
The Draft Decree explicitly includes several new categories beyond those listed in Decree 13/2023, including:
- Account usernames and passwords
- Banking card information
- Bank account transaction history
- Financial and credit information held by credit institutions and foreign bank branches
- Data on telecommunications subscriber activity and history
- Data tracking behavior or usage of telecommunications services, social networks, online media services, and other services in cyberspace
This expansion has profound implications:
Digital Identity and Online Activity: The inclusion of digital identities, browsing history, and online activity means that companies operating websites, mobile apps, or digital platforms in Vietnam must treat this data with the same rigor as traditional sensitive categories like health information.
Financial Transaction Data: The decree covers financial, credit, and insurance transaction information at credit institutions, foreign bank branches, payment intermediary service providers, securities organizations, insurance organizations, and other authorized entities. Fintech companies and payment processors face particularly stringent requirements.
Telecommunications and Social Media: Social networks, OTT service providers, and telecommunications companies must implement enhanced protections for user activity data and service usage patterns.
Practical Implications
Organizations should immediately:
- Conduct a data inventory to identify which data types now fall under "sensitive" classification
- Review and upgrade security measures for newly classified sensitive data
- Update privacy policies and consent mechanisms to reflect expanded sensitive data categories
- Implement access controls that restrict sensitive data to authorized personnel only
Data Protection Officer Requirements: Stricter Than GDPR
The Draft Decree sets detailed qualifications for Data Protection Officers (DPOs) and Data Protection Departments (DPDs), creating requirements that are actually more stringent than the EU's GDPR.
Qualifications for Internal DPOs
Organizations must ensure their internal DPOs meet all of the following:
- A university degree
- At least three years of experience in legal affairs, personal data processing, cybersecurity, data security, risk management, or compliance management
- Completion of a basic training course on personal data protection issued by a competent training organization in Vietnam
- Attainment of the required level in the professional personal data protection assessment program run by the A05 department
- Knowledge of data protection laws and of the organization's own processing activities
- No relevant criminal record in the fields of data, information technology, and telecommunications
Key Appointment Requirements
The appointment of the data protection officer or department must be in writing, specifying roles, responsibilities, and authority related to personal data protection. Organizations must execute confidentiality agreements with their DPOs, which may include liability exemption provisions.
External Service Provider Option
Organizations that cannot find qualified internal candidates may instead engage qualified individuals or organizations as data protection service providers, and must make information about the provider publicly available to data subjects and other relevant parties.
However, external providers must meet similar qualification standards and obtain a Certificate of Eligibility to conduct personal data processing services from the competent data protection authority, valid for five years.
Who Must Appoint a DPO?
With only a few exceptions, every organization processing personal data in Vietnam must designate a DPO or establish a DPD with the required qualifications.
Limited Exemptions: Small and startup enterprises, household businesses, and micro-enterprises are exempt from the DPO/DPD appointment obligation, but the exemption lapses once they exceed 100,000 data subjects (small and startup enterprises) or 500,000 data subjects (household businesses and micro-enterprises).
Impact Assessments: DPIA and CTIA Requirements
The Draft Decree provides crucial clarity on Data Processing Impact Assessments (DPIA) and Cross-border Transfer Impact Assessments (CTIA), two compliance pillars that have caused confusion since Decree 13.
DPIA Requirements
Organizations must prepare and submit DPIAs within 60 days of commencing personal data processing activities. The assessments must include:
- Detailed data flow diagrams
- Comprehensive security plans
- Risk analysis and mitigation strategies
- Documentation of processing purposes and legal bases
CTIA Requirements for Cross-Border Transfers
Any organization transferring personal data outside Vietnam must conduct a CTIA. The Draft Decree introduces new exemptions from preparing and submitting CTIAs, for example for journalism and media activities, cross-border personnel management, and cross-border transfers needed to execute contracts, logistics, payments, or visa applications.
However, most business activities involving cross-border data flows will still require CTIA submission.
Update Obligations
CTIAs and DPIAs must be updated every six months where there are new purposes for processing or transferring personal data, or a change in the data controller, data controller-processor, data processor, or an involved third party. Updates within 60 days are required if the entity is reorganized, ceases operation, is dissolved, or is declared bankrupt; if the personal data protection service provider changes; or if business lines or services involving personal data registered in the DPIA or CTIA dossiers are added or changed.
Inspection Framework
The competent authority may conduct inspections of cross-border data transfer no more than once a year, unless a violation of personal data protection regulations is detected, or a data leak or loss incident occurs for personal data of Vietnamese citizens. Organizations should maintain comprehensive documentation to facilitate these inspections.
Timeline and Compliance Urgency
The clock is ticking. It is anticipated that the Decree will be issued and effective from January 1, 2026. The Draft Decree was open for public consultation until September 26, 2025, and the final version is expected to closely mirror the draft with potential minor adjustments.
Why Companies Must Act Now
Organizations cannot afford to wait for the final decree text. The core requirements are clear, and implementation requires significant time and resources:
- Personnel Recruitment and Training: Finding and certifying qualified DPOs takes time
- Systems and Process Changes: Upgrading data protection frameworks, implementing new controls
- Documentation: Preparing DPIAs and CTIAs requires comprehensive data mapping and risk assessment
- Vendor Management: Engaging external service providers requires due diligence and contract negotiation
Actionable Steps for Immediate Compliance
Organizations should review their current data processing activities and cross-border transfers to identify areas needing immediate attention. They must develop and implement robust DPIA and CTIA frameworks, including detailed data flow diagrams and security plans, while assigning responsibilities to personnel for monitoring and documenting necessary updates.
Step 1: Data Mapping and Classification (Weeks 1-3)
- Inventory all personal data processing activities
- Identify which data falls under the new "sensitive" categories
- Map cross-border data flows
- Document data retention periods and purposes
Step 2: Gap Analysis (Weeks 3-5)
- Compare current practices against Draft Decree requirements
- Identify deficiencies in technical, organizational, and personnel controls
- Assess DPO qualification gaps
- Review existing vendor contracts for data protection clauses
Step 3: Personnel and Governance (Weeks 5-8)
- Recruit or designate internal DPO candidates
- Arrange required training and certification programs
- Alternatively, begin vendor selection for external DPO services
- Establish written appointment documentation with clear roles and responsibilities
- Execute confidentiality agreements
Step 4: Technical and Organizational Measures (Weeks 8-12)
- Upgrade security controls for sensitive data
- Implement access restriction mechanisms
- Update consent management systems
- Enhance breach detection and response capabilities
- Deploy data encryption and pseudonymization where appropriate
Step 5: Documentation and Assessments (Weeks 10-14)
- Prepare comprehensive DPIA documentation
- Develop CTIAs for all cross-border transfers
- Create data flow diagrams and security architecture documentation
- Update privacy policies and notices
- Submit DPIAs and CTIAs to the A05 department (Ministry of Public Security)
Step 6: Training and Communication (Ongoing)
- Train all staff handling personal data on new requirements
- Establish internal policies and procedures
- Create incident response playbooks
- Communicate changes to data subjects and business partners
Special Considerations for Different Organization Types
Multinational Corporations
Cross-border data transfers require particular attention. Global SaaS platforms, cloud service providers, and companies using centralized data processing must carefully evaluate whether their operations trigger CTIA requirements and ensure appropriate legal mechanisms are in place.
Small and Medium Enterprises
Some exemptions exist, but they do not apply once a business exceeds 100,000 data subjects (small and startup enterprises) or 500,000 data subjects (household businesses and micro-enterprises). Even exempt organizations should prepare for eventual compliance as they grow.
Financial Services and Fintech
The expanded sensitive data definitions place heightened obligations on banks, payment processors, and financial technology companies. Transaction histories, credit records, and banking card data are now sensitive personal data and require the corresponding restricted access and heightened security measures.
Technology Platforms and Social Media
Companies operating social networks, telecommunications services, or online platforms must treat user activity data, browsing history, and behavioral tracking information as sensitive personal data with corresponding security obligations.
Enforcement and Penalties
Vietnam's regulatory approach demonstrates serious commitment to enforcement. In just the first half of 2025, authorities uncovered 56 illegal data trading operations involving over 110 million records. The government has shown willingness to take dramatic action, including blocking access to major platforms that refuse compliance.
The PDPL establishes severe penalties:
- Fines up to 10 times the revenue earned from selling or buying personal data
- Fines up to 5% of annual revenue for cross-border data transfer violations
- Maximum fines of VND 3 billion (approximately $120,000 USD) for other violations
Beyond financial penalties, non-compliance can result in blocked access to the Vietnamese market—a business-ending consequence for companies dependent on Vietnamese customers.
Looking Ahead: Vietnam's Data Protection Ecosystem
The Draft Decree represents one component of Vietnam's broader digital governance strategy. The country is simultaneously developing:
- A comprehensive Law on Data (effective July 2025)
- Regulations on core and critical data classification
- Frameworks for data-driven business models and data marketplaces
- Enhanced cybersecurity requirements
Organizations should view PDPL compliance not as an isolated initiative but as part of a comprehensive approach to operating in Vietnam's increasingly regulated digital economy.
Conclusion: The Time to Prepare Is Now
Vietnam's Draft Decree on Personal Data Protection transforms the country's privacy landscape from principle to practice. The expanded sensitive data categories, rigorous DPO requirements, and comprehensive impact assessment obligations create a compliance framework that rivals—and in some aspects exceeds—the EU's GDPR.
With an effective date of January 1, 2026, organizations have approximately two months to achieve compliance. Given the complexity of requirements and the time needed for personnel recruitment, systems implementation, and documentation preparation, immediate action is essential.
Companies that proactively address these requirements will not only avoid penalties but also position themselves as trusted data stewards in one of Asia's fastest-growing digital markets. Those that delay risk not only financial penalties but potential exclusion from the Vietnamese market entirely.
About ComplianceHub: Stay informed about global privacy regulations and compliance requirements. For more updates on APAC data protection laws, visit ComplianceHub.wiki.
Disclaimer: This article provides general information and should not be construed as legal advice. Organizations should consult with qualified legal counsel regarding their specific compliance obligations under Vietnam's Personal Data Protection Law and Draft Decree.