
Vietnam: Key Developments In Personal Data Protection Under Decree 356

Published on 14 Jan 2026 | 5 minute read

Decree No. 356/2025/ND-CP (‘Decree 356’), effective from 1 January 2026, provides comprehensive guidance for implementing certain provisions of the Personal Data Protection Law (‘PDPL’). Compared with Decree No. 13/2023/ND-CP, Decree 356 marks a clear shift from a principle-based framework to more specific, concrete compliance requirements that are practically enforceable and verifiable.

This update outlines the key provisions of Decree 356 that organisations should comply with without delay.


I. Highlights of Decree 356

1. Stricter compliance obligations for handling sensitive personal data

Decree 356 provides a wider non-exhaustive list of sensitive personal data as compared to previous regulations.[1] Notably:

  • Sensitive personal data in the banking sector now includes: account login credentials, bank card details, transaction history, and customers’ financial, securities, and insurance information held by authorised entities.
  • Login credentials for personal electronic identity accounts, as well as images of identity cards and citizen identity cards, are newly added to the sensitive data list.
  • Decree 356 also adds behavioural tracking data relating to the use of telecommunications, social networks, online media, and other online services.

Processing sensitive personal data requires the establishment of access control rules, processing procedures, and appropriate security measures (such as physical security for storage and transmission devices, encryption, anonymisation, and similar controls). Moreover, when seeking consent to process sensitive personal data, the data subject must be clearly informed that the data is sensitive.[2]

On a related note, Decree 356 introduces specific breach-notification duties for incidents involving the following types of sensitive personal data: personal location data or biometric data. The data controller or controller-processor must notify not only the Ministry of Public Security (‘MPS’) but also affected data subjects within 72 hours from discovery. Where individual notification is not feasible due to technical or emergency circumstances, a public notice must be issued via official online channels, followed by individual notification when possible. Breach records must be retained for at least five years after remediation.[3]


2. Higher standards for obtaining consent

Decree 356 specifies and tightens the requirements for valid consent, requiring businesses to review how consent mechanisms are designed:

  • Consent may be obtained in writing or via recorded calls, SMS, email, websites, platforms, applications, or other verifiable means.
  • Consent mechanisms must allow verification of when consent was given, what it covers, and the identity of the data subject.
  • Default consent, implied consent, or consent obtained through coercive or misleading designs that blur the distinction between consent and non-consent are explicitly prohibited.[4]


3. More detailed and stringent rules on personal data transfer

Decree 356 mandates that:

  • Data transfer agreements must cover purposes, responsibilities, legal grounds, and protection of data subject rights.
  • Internal data sharing, where consistent with established processing purposes, must be governed by internal controls to ensure lawful use and prevent unauthorised disclosure to third parties.
  • Personal data must be anonymised before any trading on data exchanges.

It also requires tighter control over paid data transfer activities, and clearer delineation of the roles of parties involved in data processing.[5]

These new rules require businesses to establish agreements, control systems, security measures, and end-to-end compliance mechanisms throughout the entire data transfer and processing lifecycle.


4. Detailed sector-specific personal data protection requirements

The Decree imposes tailored compliance requirements on businesses in regulated and technology-driven sectors, including finance, banking, credit information, and activities involving big data, AI, blockchain, virtual environments, and cloud computing. Notably:

  • Finance, banking, and credit information: Businesses must meet heightened data-governance standards, including applying data-protection rules, logging all processing activities, and conducting annual compliance assessments.[6]
  • Big data processing: Businesses must limit data collection, strengthen staff training, control third-party access, and implement mandatory technical safeguards such as multi-factor authentication, encryption, anonymisation, and continuous monitoring.[7]
  • AI systems and virtual environments: Businesses must ensure transparency and accountability, provide clear notice, explain core algorithmic principles, and allow data subjects to opt out where automated processing or inferred data may identify individuals.[8]


5. New requirements on qualifications of personal data protection officers

For the first time, Decree 356 requires that a personal data protection officer in agencies and organisations must (i) hold at least a college degree, (ii) have a minimum of two years’ post-graduation experience in relevant fields, and (iii) have received formal training in personal data protection laws and related professional skills.[9]


6. Data processing service providers

Under Decree 356, data processing services cover activities such as operating automated processing systems, online data collection, data analytics, mining, and encryption. Businesses providing these services must be Vietnamese entities, obtain a data processing services certificate from the MPS, and meet prescribed personnel, technical, and operational requirements.[10]


II. Enforcement landscape

Decree 356 subjects businesses to regular and ad hoc inspections for personal data protection compliance. Inspections may be triggered by suspected violations, directives from competent authorities, or routine state management, and may cover overall compliance status, impact assessments (including for cross-border transfers), and the provision of personal data processing services.[11]

With the regulatory landscape evolving rapidly, delaying compliance is no longer an option for businesses. Privacy practices now face close scrutiny from regulators and the public, and enforcement tools are expanding.

This scrutiny is set to increase further when the long-anticipated decree on administrative sanctions for data protection comes into force. Draft 2.0 of the Sanctioning Decree introduces a robust enforcement regime, including significant fines, license and business suspensions, and corrective actions such as mandatory data deletion and system remediation. While there is no officially announced issuance timeline, we can expect that the decree will be issued in the first half of 2026 to pave the way for active enforcement by the MPS. It is therefore essential for businesses to identify and address any compliance gaps as a matter of priority.


[1] Article 4

[2] Article 6.4

[3] Article 29

[4] Article 6

[5] Article 7

[6] Article 8

[7] Article 9

[8] Article 10

[9] Article 13.2

[10] Articles 21 and 22

[11] Article 31


Authors: Yen Vu, Ly Nguyen, Uyen Doan

Principal, Vietnam Country Manager Rouse Legal Vietnam
+84 28 3823 6770