Personal data protection: a non-negotiable obligation for enterprises

During daily operations, most enterprises have been and are currently collecting and processing personal data (“PD”), at times inadvertently. From the retention of customer information for post-sales services and the management of personnel records, to the collection of data during marketing campaigns and the use of cookies or behavioral analysis tools on websites – all such activities pertain directly to PD.

This article summarizes the four (04) primary task groups that enterprises must understand and comply with in their PD protection activities under the prevailing legal regulations, as set out below.

PD includes familiar information such as: (i) Full name, date of birth, gender, telephone number, address, personal image, nationality, marital status; family information; personal digital account information; and other information associated with and identifying a specific individual (“Basic PD”)[1]; or (ii) Data concerning racial or ethnic origin; political or religious opinions; health status; biometric data, genetic characteristics; financial data; data concerning sexual life or sexual orientation; data on legal violations; location determined via positioning services; citizen identity card numbers, usernames, passwords; and other data requiring confidentiality or security measures (“Sensitive PD”)[2].

This data serves not only as “material” for business operations but is also intrinsically linked to the privacy of each individual who is a data subject (“DS”). However, it is common in practice that many enterprises are still: (i) Collecting data in excess of necessary requirements; (ii) Failing to fully establish a legal basis (particularly valid consent from DS); (iii) Failing to establish internal procedures to control access, usage, and sharing of data; or (iv) Lacking a mechanism to handle data leakage or breach incidents.

These seemingly “normal” activities entail significant legal risks as the legal framework for PD protection in Vietnam is becoming increasingly comprehensive and oriented toward protecting the lawful rights and interests of DS.

Relevant prevailing legal instruments directly governing this matter include:

a. The Law on Personal Data Protection 2025, No. 91/2025/QH15, issued by the National Assembly on 26 June 2025, effective from 1 January 2026 (“Law on PD Protection”); and

b. Decree No. 356/2025/ND-CP issued by the Government on 31 December 2025, effective from 1 January 2026 (“Decree 356”).

In our assessment, PD protection obligations are no longer a matter of formal compliance but have become a mandatory requirement inherently linked to risk management and the protection of corporate reputation. Enterprises, in their capacity as PD controllers and/or PD processors, must bear responsibility throughout the data lifecycle – from collection, storage, usage, and sharing to the erasure or destruction of data – and must ensure that all processing activities are grounded in a valid, transparent, and secure legal basis. We have summarized these into 04 primary task groups, as detailed below:

  1. Establishment and promulgation of internal regulations on PD protection

An enterprise may act as a PD controller, a PD processor, or both concurrently (where it both determines the purposes and means of processing and itself processes some or all of the PD). To fulfill the responsibilities corresponding to its role, an enterprise must first develop an internal PD protection compliance procedure. This involves proactively developing the policies, processes, regulations, and forms needed to comply with PD protection law, safeguard the DS’s lawful rights, and keep the PD collected by the enterprise confidential. We recommend that these procedures include (i) a PD protection process and (ii) a process for responding to and fulfilling DS requests.

1.1. PD protection process

When establishing this process, enterprises must stipulate the following matters:

a. Specific identification of information categorized as PD based on legal regulations;

b. Procedures and methods for collecting and storing DS consent regarding the use of PD;

c. Authorities and responsibilities of personnel and departments in PD protection, including the delegation of access rights and access limitations for each type of PD (including Basic PD and Sensitive PD);

d. Procedures for the erasure, destruction, and de-identification of PD in cases where: requested by the DS; the processing purpose is fulfilled, or the storage period expires; or pursuant to a state authority’s decision or an agreement between the parties[3];

e. Procedures for the collection of and notification regarding the measures and scope of collecting employee PD through technological or technical means (such as surveillance cameras or operational management software)[4].

1.2. Process for handling DS requests

Upon receiving a DS request in accordance with the law, the enterprise must respond to and execute the request while facilitating the DS’s exercise of their rights. The resolution process must comply with the statutory timelines summarized below[5]:  

No. | DS request | Enterprise execution timeline

1 | Withdrawal of consent for PD processing | Provide information and execute within 15 days (or 20 days if a third party’s involvement is required). A one-time extension of up to 15 days is permitted provided the DS is notified.

2 | Restriction of PD processing | Same timeline as item 1.

3 | Objection to PD processing | Same timeline as item 1.

4 | Request for PD access | Provide information and execute within 10 days (or 15 days if a third party’s involvement is required). A one-time extension of up to 10 days is permitted provided the DS is notified.

5 | Rectification of PD | Same timeline as item 4.

6 | Provision of PD | Same timeline as item 4.

7 | Request for erasure of PD | Provide information and execute within 20 days (or 30 days if a third party’s involvement is required). A one-time extension of up to 20 days is permitted provided the DS is notified.

8 | Request to implement PD protection measures/solutions | Provide information and execute within 15 days. A one-time extension of no more than 15 days is permitted provided the DS is notified.

  2. Establishing PD agreements with relevant parties

2.1. Developing general terms and conditions on PD protection (the “TnC”)

The TnC are developed, promulgated, and provided by the enterprise to the DS to inform them of the general terms and conditions regarding the use and protection of PD, with the following primary contents:

a. Purposes of PD processing (must be consistent with the purposes for which DS consent was obtained);

b. Types of PD processed, including Basic PD and Sensitive PD, if applicable;

c. PD processing procedures (including key stages such as collection, storage, usage, transfer, sharing, erasure, and protection of PD);

d. Rights and obligations of the DS;

e. Identification of the PD controller or the PD controller and processor;

f. Authorities and responsibilities of each department within the enterprise regarding PD protection. In this regard, the enterprise may cross-reference the internal policies and regulations developed as described in Section 1.

Enterprises must collect and store DS consent for these TnC in accordance with the regulations set forth in Section 2.3 below.

2.2. Developing PD protection clauses in specific agreements

The following are our recommendations regarding common contracts and agreements in business operations:

a. For labor contracts, in addition to standard provisions, enterprises should incorporate distinct clauses on PD protection and processing that align with their specific operational needs. These should stipulate the purpose of use, the types of PD collected, and the sharing, exploitation, storage, and erasure of employee PD. In the absence of a detailed agreement, enterprises are legally required to erase or destroy the provided employee information upon termination of the labor contract[6].

b. For contracts in the credit sector, by regulation, credit institutions must develop clauses concerning PD, including: the purpose of processing (encompassing credit scoring and rating activities, if any); the source of PD collection; the parties authorized to share PD; the storage duration; and the mechanism for the DS to exercise the right to withdraw consent or request PD erasure. Failing a detailed agreement, credit institutions are prohibited from using the DS’s credit information for scoring, rating, or creditworthiness assessment without the DS’s confirmed consent[7].

c. For PD transfer agreements, these agreements are established between the enterprise and a PD processor or a third party. This also applies when the enterprise engages external specialized service providers, such as cloud computing or external DPO services (as defined in Section 3). A PD transfer agreement must include the following core contents[8]: transfer purpose; the subjects and types of PD being transferred; the processing duration and requirements for PD erasure/destruction; the legal basis; the responsibility for PD protection; the implementation of DS rights; and coordination in handling violations.

Specific considerations for PD protection in these instances include: (a) For the transfer of Sensitive PD, the enterprise must implement physical security measures for storage and transmission devices, while simultaneously performing encryption or de-identification of the PD[9]; (b) For paid transfer activities, the enterprise must establish a technical system to obtain the DS’s specific consent for each transfer[10]. The recipient is not permitted to unilaterally collect or store data to form an independent database from this source for purposes other than those agreed upon[11]; (c) The enterprise, in its role as the controller, is responsible for assessing and selecting suitable PD processors to ensure they possess sufficient capacity to implement protective measures.

2.3. Collection and storage of DS consent

As a principle, all PD processing activities must obtain DS consent prior to collection, analysis, or transfer. Enterprises are only permitted to process PD without consent in certain special emergency cases or for public interest[12]; however, they must still establish PD processing regulations, determine the responsibilities of the parties, and develop a mechanism to receive and handle feedback from relevant parties[13].

DS consent is only legally valid when given voluntarily, and the DS must be fully informed of: the types of PD being processed; the processing purposes; the organizations and individuals involved in the processing; and the relevant rights and obligations[14]. Consent must be expressed through clear and specific methods that are printable or copyable in writing, including electronic or verifiable formats. Valid methods of collection include[15]: (i) Physical paper documents with direct signatures; (ii) Audio recordings of the DS’s consent; (iii) Confirmation by SMS using a prescribed message syntax; (iv) Via email, websites, platforms, or applications with technical consent-capture settings (e.g., “agree” tick-boxes); or (v) Other methods that can be printed or copied in writing, including electronic or verifiable formats.

When collecting DS consent, enterprises must note the following:

  • Silence or non-responsiveness from the DS shall not be construed as consent[16].
  • In cases involving multiple PD processing purposes, the DS must be permitted to consent to each purpose individually rather than providing blanket consent[17].
  • Do not establish default consent methods or provide unclear instructions that cause misunderstanding between consent and non-consent for the DS[18].
  • When seeking consent to process Sensitive PD, the DS must be notified that the data to be processed is Sensitive PD[19].

Enterprises must store DS consent to serve as evidence in the event of a dispute, as the burden of proof regarding DS consent rests with the enterprise[20].

  3. Assignment and appointment of personnel in charge of PD protection

Enterprises must establish or appoint a PD protection department or personnel (Data Protection Officer – “DPO”) or hire a PD protection service provider that meets the following requirements:

a. Internal personnel: Must hold a college degree or higher; have at least 02 years of working experience in fields such as legal, information technology, cybersecurity, risk management, or human resources management; and must have received training in specialized legal knowledge regarding PD protection[21].

b. Individual DPO service providers: Must have at least 03 years of working experience in relevant fields and must have undergone intensive training in PD protection[22].

c. Organization DPO service providers: Must have the function of providing DPO services; have a minimum of 03 personnel who satisfy the criteria for individual service providers mentioned above; and have provided products or services related to confidentiality, cybersecurity, information technology, or assessment and consultancy on PD protection[23].

Enterprises must issue a written decision to appoint or establish a DPO department, clearly defining the scope of work, authorities, and responsibilities of the DPO[24]. In cases where external services are utilized, the enterprise must disclose DPO information to the DS[25].

Note on exemptions: Small, micro, and startup enterprises are exempt from the obligation to appoint a DPO for a period of 05 years starting from 01 January 2026. This exemption does not apply if the enterprise falls into either of the following two cases: (i) directly processing Sensitive PD; or (ii) processing the data of 100,000 DS or more, based on the cumulative total volume of processed data[26].

  4. Implementation of PD-related procedures

4.1. Preparation and submission of PD processing impact assessment dossiers

Enterprises, in their capacity as PD controllers and PD processors, are responsible for preparing, storing, and submitting one (01) original PD processing impact assessment dossier to the specialized PD protection authority (the Department of Cybersecurity and High-Tech Crime Prevention) within 60 days from the date of commencement of PD processing activities[27]. Within 15 days following the submission, the aforementioned authority shall return the results to the enterprise[28].

This dossier is prepared once for the entire duration of the enterprise’s operations and includes the following documents[29]:

  • A PD processing impact assessment report;
  • Copies of contracts or agreements regarding PD processing;
  • Policies, procedures, regulations, forms, and other relevant documents concerning PD protection.

4.2. Preparation of impact assessment dossiers for cross-border PD transfer

Enterprises must fulfill this obligation when transferring the PD of Vietnamese citizens abroad, including storing data on systems located outside the territory of Vietnam or utilizing offshore platforms for processing. Similar to the PD processing impact assessment, the enterprise must prepare a dossier and submit the original to the specialized authority within 60 days from the date of commencement of the data transfer activities[30] and must complete and resubmit the dossier if it fails to meet the requirements. The dossier includes[31]:

  • A cross-border PD transfer impact assessment report;
  • Copies of contracts or documents for PD transfer;
  • Policies, procedures, regulations, forms, and other documents related to PD protection of the agencies, organizations, or individuals performing the PD transfer.

4.3. Updating dossiers

Enterprises must update the aforementioned dossiers (via the National Portal on PD Protection[32]) in the following cases:

  • Periodic updates every 06 months from the initial submission when[33]: (i) a new PD transfer purpose or a new PD processing purpose arises; or (ii) there is an emergence of or change in the PD controller, the PD controller and processor, the PD processor, or a third party.
  • Update the dossier within 10 days in cases of[34]: (i) organizational restructuring, termination of operations, dissolution, or bankruptcy; (ii) a change in the PD protection service provider; or (iii) the occurrence of changes in business lines or services related to the registered PD processing.

 

[1] Article 3 Decree 356.

[2] Article 4.1 Decree 356.

[3] Article 14.1 Law on PD Protection.

[4] Article 25.3 Law on PD Protection.

[5] Article 5 Decree 356.

[6] Article 25.2(c) Law on PD Protection.

[7] Article 27.1 Law on PD Protection.

[8] Article 7.1 Decree 356.

[9] Article 7.2 Decree 356.

[10] Article 7.3 (a) Decree 356.

[11] Article 7.3(d) Decree 356.

[12] Specific cases pursuant to Article 19.1 Law on PD Protection.

[13] Article 19.2 Law on PD Protection.

[14] Article 9.2 Law on PD Protection.

[15] Article 6.1 Decree 356.

[16] Article 9.4(d) Law on PD Protection.

[17] Article 9.4(a) Law on PD Protection.

[18] Article 6.3 Decree 356.

[19] Article 6.4 Decree 356.

[20] Article 6 Decree 356.

[21] Article 13.2 Decree 356.

[22] Article 15.2 Decree 356.

[23] Article 16.1 Decree 356.

[24] Article 13.1 Decree 356.

[25] Article 15.3 and 16.3 Decree 356.

[26] Article 38.2 Law on PD Protection and Article 41.1 Decree 356.

[27] Article 21.1 Law on PD Protection.

[28] Article 19.5 and 19.6 Decree 356.

[29] Article 19.2 Decree 356.

[30] Article 20.2 Law on PD Protection.

[31] Article 18.2 Decree 356.

[32] Article 22.3 Law on PD Protection.

[33] Article 20.1 Decree 356.

[34] Article 20.2 Decree 356.

 

Disclaimer: This article is prepared by PTN Legal LLC (“PTN Legal”) solely for the purpose of providing reference information to readers. PTN Legal does not commit to or guarantee the accuracy or completeness of this information. The content of the article may be amended, adjusted, or updated without prior notice. PTN Legal shall not be liable for any errors or omissions in this article or for any damages arising from its use in any circumstances.