On June 26, 2025, Vietnam enacted the LPDP[1], a milestone that upgraded and consolidated the country’s privacy regime. It builds on Decree 13[2], which has guided personal data protection since July 1, 2023. On December 30, 2025, the Vietnamese government went a step further and replaced Decree 13 with Decree 356[3], which provides guidance for key LPDP provisions. Enterprises and individuals that process personal data in Vietnam should stay alert to the development of the country’s data protection regulations. Rules are being created and implemented quickly, and enforcement is catching up.
1. What are the key obligations and compliance challenges under Vietnam’s New Personal Data Protection Regulations?
Both the LPDP and Decree 356 became effective on January 1, 2026. Many existing rules under Decree 13 have been carried over into the new regime. If a company is already compliant with Decree 13, significant changes to core data governance may not be required. However, the new regime also introduces new requirements for various aspects of personal data processing, such as new requirements for data protection personnel and the need for a license to provide personal data processing services; it also brings revisions to existing law and practice, including revised procedures for impact assessment submissions and adjusted categories of personal data.
- Impact assessments
The obligation to prepare, submit and maintain a data processing impact assessment (“DPIA”) and an offshore data transfer impact assessment (“DTIA”) still exists under the LPDP and Decree 356. However, there are significant changes in the prescribed forms, the submission procedures and update cycle of these impact assessments.
The prescribed forms for the DPIA and DTIA are provided in Decree 356. These new forms mostly require the same information as Decree 13, such as corporate information of the data controller and/or data processor, types of data being collected and processed, and purposes of data processing. One of the more significant adjustments is the requirement to map the flow of data and to model the process diagrams and systems for personal data processing. It can be challenging for a company to map the data flows and build the diagrams without careful consideration of its data practices.
These impact assessments, once submitted to the authorities, must be updated every 6 months if there is any change or immediately upon the occurrence of (i) a corporate restructuring or cessation of business, (ii) a change of the personal data protection service provider, or (iii) expansion or amendment of the business scope that concerns the processing of personal data. Decree 356 also indicates that within 15 days of submission, the authority will review the impact assessments and confirm whether the impact assessments are satisfactory or whether they require additional information.
The LPDP waives the requirement for a DTIA in cases where the data subject personally transmits his or her own data overseas (for example, a data subject uses services provided by an offshore entity).
- Data Protection Personnel
While Decree 13 is silent on the specific requirements for data protection personnel, the LPDP introduces a general framework but defers the specifics to Decree 356. Decree 356 provides that a company can employ data protection personnel or use a third-party provider of data protection services.
Pursuant to Decree 356, a person can qualify as data protection personnel if s/he (i) holds a college degree, (ii) has at least 3 years of experience in a relevant field (legal, data processing, cybersecurity, data security, risk management and compliance) and (iii) has been trained in legal knowledge and professional skills on protection of personal data. It is still unclear whether such ‘training’ must be conducted at a qualified institution as suggested in an earlier draft of Decree 356. In addition, an entity providing data protection services must (i) have the relevant business lines registered, (ii) have at least 3 qualified data protection personnel and (iii) have products and services in relation to security, cybersecurity, information technology, accreditation or consultation in respect of personal data protection.
- Other notable provisions
Under the current framework, provision of data processing services is a conditional business and requires a license. Decree 356 provides an exhaustive list of data processing services, together with a list of requirements and procedures in connection with the license. It is notable that these services are not clearly included in any business line provided under Decision 36/2025/QD-TTg on Vietnam Standard Industrial Classification. On the other hand, it is understood that only if a company is in the business of providing any of these services, will it be required to obtain a license. If the company conducts such activities in respect of its own data and for its own purposes, these provisions will not apply and a license is not required. It may still be advisable to seek official guidance from the authorities in connection with this matter.
Previously, Decree 13 required that a notice be filed with the authorities within 72 hours after a data breach occurs, but the timeframe under the LPDP has been changed to 72 hours after a company is made aware of a data breach. This adjustment is more reasonable and more manageable. Apart from the required contents of the notice, Decree 356 also includes an additional notice requirement for breaches in connection with location data and biometrics data. This requirement further emphasizes the importance of companies having a comprehensive data inventory.
2. How are cross-border data transfers regulated, and what practical approaches are companies taking?
The LPDP does not create a new, standalone regime for cross-border transfers. Instead, it builds on Decree 13 by strengthening existing obligations, such as preparing and maintaining a DTIA, by clarifying the definition of “cross-border transfer” and by carving out several limited exemptions. As a result, organizations that already comply with Decree 13 for outbound transfers will not need to change their current approach in any material way. However, new obligations arise under the Law on Data[4] and its implementing instruments, and companies operating in Vietnam should be aware of them.
The Law on Data and its implementing instruments introduce separate duties that companies operating in Vietnam must track closely if their data will flow across Vietnam’s borders. Under this framework, data owners must perform data classification and risk assessments, conduct impact assessments for cross-border transfers and processing, and complete prescribed procedures, including obtaining prior approval where Core Data or Essential Data are involved. Decree 165/2025[5] and Prime Minister’s Decision 20/2025[6] further specify that, in certain circumstances, a dataset containing personal data may be classified as Core Data or Essential Data. Fortunately, Decree 356 specifically indicates that if a dataset containing personal data is classified as Core Data or Essential Data, impact assessments need only be conducted once in accordance with Decree 356. In practice, maintaining a rigorous data inventory and granular data-flow maps is indispensable to align business operations with these layered legal requirements.
3. To what extent does the LPDP align with or diverge from global standards such as the EU’s GDPR?
At a high level, Vietnam’s LPDP tracks global standards, particularly the GDPR[7], with extraterritorial reach, familiar principles (purpose limitation, data minimization, transparency), and comparable rights for data subjects. However, the LPDP operates differently.
The LPDP is firmly consent-centric. As a rule, save for certain special circumstances, processing requires freely given, specific, informed, and unambiguous consent, with a separate consent for sensitive personal data. Narrow exemptions exist (e.g., legal obligations, emergency, life or health protection, contractual necessity, or limited “legitimate interests”), but they all function as exceptions and not as broad alternative legal bases. Notably, the LPDP recognizes “legitimate interests” as a concept, though still in a restricted form.
Beyond personal data rules, companies must account for the Law on Data’s parallel controls. This dual-track system emphasizes classification of data and clearly demonstrates that national security and public interest are given priority. Regulators retain discretion to scrutinize and, in some cases, pre-approve cross-border data flows. By contrast, the GDPR relies on adequacy decisions, appropriate safeguards (notably Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)), and limited derogations for specific situations.
In practical terms, a GDPR-compliant data program can be a good baseline for companies in Vietnam. However, Vietnam’s approach will require an additional layer of work, including data classification, impact and risk assessments and filings or approvals. Companies operating in Vietnam should build these steps into their practices and monitor evolving guidance.
4. How are regulators in Vietnam enforcing the law — and what is the current enforcement landscape?
The LPDP confirms that the Ministry of Public Security, specifically the Department of Cybersecurity and High-Tech Crime Prevention (“A05”), is the lead enforcer. A05 also leads enforcement of the Law on Data, reconfirming Vietnam’s policy posture: national security and public interest can outweigh commercial convenience and commercial interests.
However, as with other regulations in Vietnam, the strict framework operates mainly as a deterrent. Companies are expected to maintain dossiers, filings, and records ready for inspection. In 2024, A05 launched the first LPDP compliance inspection program, requiring selected organizations to submit reports and respond to inquiries. Even without a finalized sanctions framework and with a limited target set, the program signaled the future: documentation-heavy inspections. The aim of the program was also to understand implementation challenges and to create a business-friendly regime while making clear that self-enforced compliance is the default.
Channels for public complaints are also expanding. The National Portal of Personal Data Protection enables anyone to report violations. This increases the likelihood that investigations will begin with complaints or tips, rather than from random audits. The LPDP strengthens enforcement by introducing stricter penalties (including revenue-linked fines for serious violations such as trading personal data). This approach reinforces the deterrent effect while a comprehensive sanctions framework is expected to follow soon after January 1, 2026.
Conclusion
Vietnam’s LPDP and Decree 356 mark a decisive shift from fragmented guidance to a unified, consent-centric regime, one that mirrors global privacy principles while including Vietnam-specific controls and documentation expectations. For organizations already aligned with Decree 13 or the GDPR, the path forward only requires recalibration and refinement.
In practice, a successful compliance program should include the following steps:
- build and maintain a data inventory and data-flow maps;
- operationalize DTIA/DPIA updates;
- prepare and meet data protection personnel qualifications;
- tighten the management of cross-border transfer practices, especially where Core or Essential Data may be implicated; and
- prepare incident and inquiry response procedures with complete audit trails.
With complaint channels expanding and inspections heavily reliant on paperwork, strong documentation is both the first line of defense and the fastest route to establish compliance.

For further information, please contact:
Le Ton Viet, Russin & Vecchi
LTViet@russinvecchi.com.vn
[1] Law No. 91/2025/QH15 on Personal Data Protection adopted by the National Assembly on June 26, 2025
[2] Government’s Decree No. 13/2023/ND-CP on personal data protection dated April 17, 2023
[3] Government’s Decree 356/2025/ND-CP guiding certain articles of the LPDP dated December 30, 2025
[4] Law No. 60/2024/QH15 on Data, adopted by the National Assembly on November 30, 2024
[5] Government’s Decree No. 165/2025/ND-CP promulgating certain articles and implementation measures for Law on Data, dated June 30, 2025
[6] Prime Minister’s Decision No. 20/2025/QD-TTg issuing the list of Core Data and Essential Data, dated July 1, 2025
[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)




