1. What is Decree 356/2025/ND-CP?
Decree 356/2025/ND-CP was issued on the basis of Law on Data No. 60/2024/QH15 and Law on Personal Data Protection No. 91/2025/QH15, with the mandate to elaborate the provisions that both laws delegate to the Government for detailed guidance. Comprising 5 chapters, 42 articles, and 1 annex containing 10 standard forms, the Decree covers the full lifecycle of personal data, from collection and processing through to storage, deletion, and cross-border transfer.
Compared with Decree 13/2023/ND-CP, the new version introduces three core changes. First, administrative procedures are fully standardized through official forms, so businesses know exactly what to submit and where. Second, emerging technology sectors, namely artificial intelligence, blockchain, and cloud computing, receive dedicated data protection rules for the first time. Third, licensing conditions for personal data processing services are more stringent, accompanied by a mechanism for issuing and revoking compliance certificates.

2. Who does Decree 356/2025/ND-CP apply to?
The scope of the Decree is considerably broader than many businesses realize. Under Article 2, three categories of entities are subject to regulation:
- Vietnamese agencies, organizations, and individuals across all sectors that process personal data.
- Foreign agencies, organizations, and individuals operating within Vietnamese territory.
- Foreign organizations that directly participate in or are otherwise involved in the processing of personal data of Vietnamese citizens and ethnic Vietnamese individuals of undetermined nationality residing in Vietnam who have been issued a citizen identification card (Article 2.3).
Practical note: Foreign SaaS platforms, mobile applications, or websites with users in Vietnam are subject to compliance requirements under this Decree, even if all infrastructure is hosted outside Vietnam.
Exemptions: sole proprietorships and micro-enterprises that do not offer personal data processing services, do not handle sensitive data, and process the personal data of fewer than 100,000 data subjects are exempt from certain obligations under Article 41.2.
3. How is personal data classified under Decree 356?
Correctly identifying the type of personal data being processed is an essential first step, as the level of legal obligation depends directly on this classification.
3.1 Basic personal data
Article 3 lists 11 categories of information constituting basic personal data, including:
- Full name, middle name, and birth name, as well as any other names used.
- Date, month, and year of birth; date, month, and year of death or disappearance.
- Gender.
- Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current address, hometown, and contact address.
- Nationality.
- Individual photographs.
- Phone number, personal identification number, passport number, driving licence number, vehicle licence plate number.
- Marital status.
- Information about family relationships (parents, children, spouse).
- Information about an individual's digital accounts.
- Any other information linked to or enabling the identification of a specific individual that does not fall within the sensitive data categories (Article 3.11).
3.2 Sensitive personal data
Under Article 4.1, sensitive data encompasses 13 categories requiring a higher level of protection: data revealing racial or ethnic origin; political views or religious beliefs; private life, personal secrets, and family secrets; health status; biometric and genetic data; data concerning sex life and sexual orientation; data relating to criminal offences and legal violations; geolocation; login credentials and passwords for electronic identification accounts, images of ID cards and citizen identity cards; bank account information, financial transaction history, credit, securities, and insurance records; and data on behavior in using telecommunications services and social networks. Organizations processing sensitive data must establish access control policies with restricted permissions, dedicated processing procedures, and specific security measures (Article 4.2).
Note: User behavior data on social networks, GPS location data, and bank account information are all classified as sensitive data. Many e-commerce and fintech businesses are currently processing sensitive data without adequate protective measures in place.

4. Mandatory obligations for businesses
4.1 Establishing a valid consent mechanism
Consent mechanisms are the foundation of all data processing activities. Consent collection methods must be verifiable, capturing the fact that the data subject gave consent, along with the time and scope of that consent. Five valid consent methods are recognized (Article 6.1):
- In writing.
- Via a recorded phone call.
- Via an SMS consent syntax.
- Via email, website, platform, or application with a technical consent collection mechanism.
- Via other appropriate methods that can be printed or copied in writing, in electronic form, or in another verifiable format (Article 6.1(e)).
The data controller may not set default opt-in methods or create misleading instructions that blur the distinction between consent and refusal. Default settings must adhere to the principles of personal data protection and fully respect the rights of the data subject (Article 6.3). Importantly, in the event of a dispute, the burden of proving consent rests with the data controller (Article 6.2).
4.2 Preparing and submitting a Data Processing Impact Assessment (DPIA)
Personal data controllers, entities that both control and process data, and personal data processors must prepare and retain a Data Processing Impact Assessment from the moment personal data processing begins (Article 19.1). One original copy of the file must be submitted to the competent personal data protection authority (the Department of Cybersecurity and High-Tech Crime Prevention, A05) within 60 days of commencing personal data processing (Article 19.4), using Form 02a (for organizations) or Form 02b (for individuals) annexed to the Decree.
The content of the DPIA file under Article 19.3 includes:
- Information and contact details of all parties involved in data processing.
- Description and justification of processing purposes, data categories, and data flow diagrams.
- Consent mechanism and data retention, deletion, and destruction policies.
- Data security measures, protective controls, applicable standards, and system design diagrams.
- Results of the personal data protection compliance assessment.
- Assessment of the level of impact and risk, together with risk mitigation measures.
The file must be updated every 6 months from the date of first submission, or within 10 days whenever a new processing purpose arises, the data controller or processor changes, or the organization is restructured or ceases operations (Article 20).
4.3 Appointing a Data Protection Officer (DPO)
The designation of a personal data protection officer or a data protection unit must be formalized in writing by the relevant organization, setting out the assignment, functions, duties, authority, and other requirements (Article 13.1). An internal DPO must satisfy three conditions under Article 13.2:
- An associate degree or higher.
- At least 2 years of relevant experience in legal affairs, information technology, cybersecurity, data security, risk management, compliance, or personnel management.
- Completion of training and professional development in personal data protection law and practice.
When engaging an external individual to provide DPO services, the minimum experience requirement increases to at least 3 years, and the individual must have in-depth expertise in legal affairs, personal data processing, cybersecurity, data security, risk management, or compliance (Article 15.2). A data protection service provider must have at least 3 qualified personnel meeting the criteria above and must have experience in supplying security and cybersecurity products or services, or in providing personal data protection consulting (Article 16.1(b) and (c)).
4.4 Responding to data subject requests within prescribed timeframes
Upon receiving a request from a data subject, the data controller must acknowledge it within 2 working days and complete the action within the specific deadlines set out in Article 5. The table below summarizes the mandatory timeframes:
| Request type | Initial response | Completion deadline | Maximum extension |
|---|---|---|---|
| Withdraw consent / restrict processing | 2 working days | 15 days | Additional 15 days (Article 5.2) |
| View or correct data | 2 working days | 10 days | Additional 10 days (Article 5.3) |
| Delete personal data | 2 working days | 20 days | Additional 20 days (Article 5.4) |
| Request third party to stop processing | 2 working days | 20 days | Additional 20 days (Article 5.2) |
| Request third party to correct data | 2 working days | 15 days | Additional 10 days (Article 5.3) |
| Request third party to delete data | 2 working days | 30 days | Additional 20 days (Article 5.4) |
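The table above is easier to operate as a deadline tracker than as a lookup. The following Python is an added example (not code from the article or from any project it names) that turns the Article 5 timeframes into concrete dates for an SLA dashboard. The day counts come from the table; everything else is an assumption of this example: completion deadlines are counted in calendar days from receipt, "working days" means Monday to Friday with no public-holiday calendar, and the extension is granted at most once.

```python
"""Deadline tracker for data subject requests under Decree 356, Article 5.

Added example; not part of the original article or the Decree. Day counts
are the article's table; calendar-day completion, Mon-Fri working days with
holidays ignored, and a single extension are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# (completion days, maximum extension days) per request type, as summarized
# in the article's table of Article 5 timeframes.
DEADLINES = {
    "withdraw_consent": (15, 15),
    "view_or_correct": (10, 10),
    "delete": (20, 20),
    "third_party_stop": (20, 20),
    "third_party_correct": (15, 10),
    "third_party_delete": (30, 20),
}
ACK_WORKING_DAYS = 2  # initial response for every request type


@dataclass(frozen=True)
class RequestDeadlines:
    acknowledge_by: date   # end of the 2nd working day after receipt
    complete_by: date      # statutory completion deadline
    extended_by: date      # latest date if the maximum extension is used


def add_working_days(start: date, n: int) -> date:
    """Advance `start` by n Monday-Friday days (assumption: no holiday calendar)."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0..4 = Mon..Fri
            remaining -= 1
    return current


def request_deadlines(request_type: str, received: date) -> RequestDeadlines:
    """Compute all three dates for a request received on `received`."""
    try:
        complete_days, extension_days = DEADLINES[request_type]
    except KeyError:
        raise ValueError(f"unknown request type: {request_type!r}") from None
    complete_by = received + timedelta(days=complete_days)
    return RequestDeadlines(
        acknowledge_by=add_working_days(received, ACK_WORKING_DAYS),
        complete_by=complete_by,
        extended_by=complete_by + timedelta(days=extension_days),
    )


def overdue(deadlines: RequestDeadlines, today: date,
            acknowledged: bool, completed: bool, extended: bool = False) -> list[str]:
    """Return the obligations that are overdue as of `today`."""
    issues = []
    if not acknowledged and today > deadlines.acknowledge_by:
        issues.append("acknowledgement")
    final = deadlines.extended_by if extended else deadlines.complete_by
    if not completed and today > final:
        issues.append("completion")
    return issues


if __name__ == "__main__":
    # Constructed sample: a deletion request received on Friday 2 January 2026.
    d = request_deadlines("delete", date(2026, 1, 2))
    print(d)
    print(overdue(d, date(2026, 1, 25), acknowledged=True, completed=False))
```

Because the acknowledgement clock runs in working days while completion runs in calendar days, a request received on a Friday is acknowledged by the following Tuesday but its completion date does not move; a tracker that counts both the same way will report the wrong date for one of them.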
5. Which sectors and technologies are particularly affected?
5.1 Finance, banking, and credit
Organizations and individuals active in finance, banking, and credit information services are required to: apply technical standards and norms for personal data protection including de-identification and anonymization norms published and adopted in Vietnam; conduct annual compliance assessments for personal data protection; and maintain a full activity log of all personal data processing operations (Article 8.1).
In particular, when seeking customer consent, entities in this sector must explicitly state all personal data processing purposes, including credit scoring, credit rating, and creditworthiness assessment activities where applicable; the sources from which data is collected and the parties involved in collecting and sharing it; the retention period; the mechanism for withdrawing consent; and the data deletion and destruction policy (Article 8.2). Within no more than 72 hours of detecting a breach or loss of sensitive data, the organization that directly collected the data must notify both the competent authority and the affected data subjects (Article 8.3).
5.2 Cloud computing
When entering into contracts with cloud computing service providers, organizations are required to: include in the contract explicit provisions on compliance with Vietnamese law on personal data protection and information on the data protection unit and personnel; clearly define personal data flow, the roles of each party, and their respective responsibilities; specify required security measures in the contract; immediately notify all relevant parties of any changes that may affect personal data; and comply with processing timelines, data deletion and destruction requirements, and ensure the exercise of data subject rights (Article 12.2).
Cloud computing service providers, in addition to the above obligations, must apply technical and organizational measures commensurate with the scale and nature of their data processing and conduct annual compliance assessments (Article 12.3). A critical requirement: personal data stored on cloud platforms must be encrypted at rest and in transit, with strictly enforced access controls (Article 12.4). Businesses currently using foreign cloud storage should immediately review their existing contracts against these requirements.
5.3 Artificial intelligence and metaverse systems
Organizations and individuals may use personal data for the research and development of machine-learning algorithms, artificial intelligence systems, and other automated systems, provided they comply with personal data protection regulations (Article 10.1).
Two key requirements stand out. First, data derived from AI inference outputs that can be used to identify or help identify a specific individual must be subject to personal data protection measures as prescribed by law (Article 10.2). Second, the data controller is responsible for notifying data subjects about automated personal data processing, explaining the operating principles of the algorithm, and disclosing the impact on the data subject's legitimate rights and interests (Article 10.3). Within a metaverse environment, data subjects must have the right to edit, anonymize, or delete their identification profile, even where the platform retains behavioral history (Article 10.6).
5.4 Blockchain technology
When processing personal data on a blockchain network, organizations must not store personal data directly on the chain; storage is only permitted once the data has been de-identified, or where only a hash value of the personal data is stored on the chain (Article 11.2(b)). Only secure encryption, hashing, and digital signature algorithms may be applied (Article 11.2(a)). These requirements directly affect Web3, NFT, and DeFi projects with users in Vietnam.
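One way to meet the "only a hash on the chain" rule of Article 11.2(b) is to keep the record in an ordinary off-chain store and anchor only a keyed digest on-chain. The Python below is an added example, not code from the article or from any Web3 project it mentions. It assumes the controller holds a secret key that never leaves its systems and uses HMAC-SHA256 over a canonical JSON encoding of the record; a keyed digest is chosen instead of a bare SHA-256 because fields such as phone numbers, dates of birth and ID numbers have little entropy, so an unkeyed hash of them would not de-identify the subject. The `OffChainStore` class and the record values are constructed for the example.

```python
"""Off-chain personal data with an on-chain keyed commitment (Article 11.2).

Added example; not code from the article or any project it names. Assumes a
controller-held secret key and an HMAC-SHA256 digest over canonical JSON.
"""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record: dict) -> bytes:
    """Deterministic encoding so the same record always yields the same digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def commit_record(record: dict, key: bytes) -> str:
    """Digest that can be written on-chain; reveals nothing about the record without `key`."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_commitment(record: dict, key: bytes, commitment: str) -> bool:
    """Check that an off-chain record still matches the digest recorded on-chain."""
    expected = commit_record(record, key)
    return hmac.compare_digest(expected, commitment)


class OffChainStore:
    """Stand-in for the controller's database: data stays here, only digests leave."""

    def __init__(self, key: bytes):
        self._key = key
        self._records: dict[str, dict] = {}
        # (record_id, commitment) pairs that would be written to the chain.
        self.chain_log: list[tuple[str, str]] = []

    def add(self, record_id: str, record: dict) -> str:
        self._records[record_id] = record
        commitment = commit_record(record, self._key)
        self.chain_log.append((record_id, commitment))
        return commitment

    def erase(self, record_id: str) -> None:
        """Honour a deletion request: the on-chain digest stays, the data does not."""
        self._records.pop(record_id, None)

    def audit(self, record_id: str) -> bool:
        """True only if the off-chain record exists and matches its on-chain digest."""
        record = self._records.get(record_id)
        if record is None:
            return False
        on_chain = dict(self.chain_log).get(record_id)
        return on_chain is not None and verify_commitment(record, self._key, on_chain)


if __name__ == "__main__":
    store = OffChainStore(secrets.token_bytes(32))
    # Constructed sample record; no real person.
    digest = store.add("subj-001", {"name": "Constructed Name", "phone": "+84 900 000 000"})
    print("on-chain:", digest)
    print("audit ok:", store.audit("subj-001"))
```

The design keeps the immutable ledger free of personal data, so a deletion request is satisfied by removing the off-chain record: the digest left on-chain cannot be linked back to anyone without both the record and the key, and destroying the key renders every remaining digest unlinkable at once. Key custody therefore becomes part of the access-control policy Article 4.2 asks for.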

6. Cross-border personal data transfers: Procedures and documentation
This provision directly affects businesses that use SaaS services, email platforms, CRM systems, or management systems hosted on foreign servers. Under Article 17.1, the following three scenarios constitute a cross-border personal data transfer and require the preparation of an impact assessment file:
- Data storage activities that involve transferring personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam, or to the cloud computing service of a foreign provider.
- Activities involving the transfer of personal data from Vietnamese agencies, organizations, or individuals to recipients who are foreign organizations or individuals.
- Processing activities where personal data collected in Vietnam is transferred to a platform outside the territory of the Socialist Republic of Vietnam for continued processing (Article 17.1(a), (b), (c)).
Certain activities are exempt from the cross-border data transfer impact assessment requirement under Article 17.3:
- Press and media activities in accordance with applicable law.
- Cross-border personal data transfers that have been made public as prescribed.
- Emergency situations to protect human life, health, or property.
- Cross-border personal data transfers for cross-border human resources management in accordance with internal labor regulations and collective labor agreements.
- The provision of personal data across borders for the purpose of entering into contracts, or performing related procedures concerning cross-border transportation, logistics, remittances, payments, hotel accommodation, visa applications, or scholarship applications (Article 17.3).
Process: Prepare the impact assessment file using Form 09 (Impact Assessment Report) together with Form 01a (for organizations) or Form 01b (for individuals), and submit one original copy to the competent personal data protection authority within 60 days of commencing cross-border personal data transfer (Article 18.4). The competent authority assesses and returns results within 15 days; incomplete files must be supplemented within 30 days (Article 18.5 and 18.6).
7. Personal data processing service licensing: Conditions and procedures
Article 21 lists 9 categories of personal data processing services that require a licence, including: services for providing and operating automated systems or software on behalf of data controllers; credit scoring, rating, and creditworthiness assessment services; online personal data collection and processing services from websites, applications, software, and social networks; personal data collection and processing services through health and medical care applications; education services involving monitoring components; personal data analysis and mining services; encryption services for data in transit and at rest; automated data processing services based on big data, artificial intelligence, blockchain, and the metaverse; and application platform services providing personal location data (Article 21).
To obtain a Certificate of Eligibility to Provide Personal Data Processing Services, an organization must meet the conditions set out in Article 22:
- Legal requirement: The entity must be an organization or enterprise established and operating under Vietnamese law.
- Personnel requirements (Article 22.2): The head of the professional division must be a Vietnamese citizen permanently residing in Vietnam; the management and operations team must meet the expertise requirements for data processing; and at least 3 qualified personnel meeting the competency conditions under Article 13.2 must be in place.
- Infrastructure requirements (Article 22.3): The organization must have infrastructure, systems, equipment, facilities, and technology appropriate to the personal data processing service it provides.
- Documentation requirements (Article 22.4): Satisfactory DPIA results and, where cross-border data transfer is involved, satisfactory cross-border data transfer impact assessment results.
Licensing procedure: The organization submits one complete application set using Form 04 to the competent personal data protection authority. The authority reviews the file within 10 days and issues the Certificate according to Form 05 within 30 days of receiving a complete and valid file (Article 25.3 and 25.4). The Ministry of Public Security is responsible for issuing, re-issuing, replacing, and revoking Certificates (Article 24.1).
A Certificate will be revoked in the following circumstances (Article 27.1):
- Failure to maintain one of the conditions specified in Article 26.1 or 26.2 of the Decree.
- No service activity for 12 months or more.
- Dissolution or bankruptcy in accordance with applicable law.
- Failure to remediate violations relating to personal data protection, information security, cybersecurity, or data security as required by a competent state authority.
- Voluntary application to suspend or terminate operations.
8. What incentives are available for small businesses and startups?
Article 41 of the Decree establishes a dedicated and flexible transitional mechanism for small businesses and startups. Small enterprises and startup businesses may choose whether or not to comply with the provisions of Article 21 (personal data processing services), Article 22 (licensing conditions), and Article 33.2 of the Personal Data Protection Law for a period of 5 years from the effective date of the Personal Data Protection Law (Article 41.1).
Sole proprietorships and micro-enterprises are not required to comply with Articles 21 or 22 or Article 33.2 of the Personal Data Protection Law (Article 41.2).
Note: Neither small businesses and startups nor sole proprietorships and micro-enterprises qualify for these incentives if they: provide licensed personal data processing services, directly process sensitive personal data, or process personal data from 100,000 or more data subjects in cumulative total (Article 41.1 and 41.2).
9. Personal data breach notification: The 72-hour procedure
When a personal data breach occurs involving location data or biometric data, the personal data controller must notify affected data subjects within no more than 72 hours of discovering the breach; report to the competent state authority under Article 28 of the Decree; and record, retain, and update the breach file for inspection, review, and handling purposes. Organizations must retain breach records for a minimum of 5 years from the date the incident is fully remediated (Article 29.1).
The breach notification sent to affected data subjects must include (Article 29.2):
- The time and manner in which the breach was discovered.
- The type of data affected (location, biometric, or both).
- The severity of the breach and potential risks to the data subject's legitimate rights and interests.
- Measures that have been, are being, and will be taken to remediate the incident and minimize harm.
- Guidance for data subjects on preventive and protective steps they can take.
- Contact information for the data protection unit, designated personnel, or the team responsible for receiving and handling personal data incidents within the organization.
10. A 6-step compliance roadmap for businesses under Decree 356
The following priority sequence is derived directly from the content of the Decree, progressing from foundational steps to completion:
| Step | Action | Legal basis / Note |
|---|---|---|
| 1 | Audit and classify all data flows | Distinguish basic (Article 3) from sensitive data (Article 4). Produce a data flow map. |
| 2 | Review and update consent mechanisms | Remove pre-ticked checkboxes. Ensure 5 valid consent methods (Article 6.1). Retain consent evidence (Article 6.2). |
| 3 | Appoint or engage a qualified DPO | Internal DPO: 2 years of experience, associate degree or above (Article 13.2). External DPO: 3 years of experience (Article 15.2). |
| 4 | Prepare DPIA file and submit to A05 within 60 days | Use Form 02a (organizations) or 02b (individuals). Submit online, in person, or by post (Article 19.4). |
| 5 | Review cloud and overseas service contracts | If using foreign SaaS, servers, or cloud: prepare cross-border data transfer file, submit within 60 days (Article 18.4). |
| 6 | Establish a breach notification procedure and update DPIA regularly | 72-hour procedure for location and biometric data (Article 29). Update DPIA every 6 months (Article 20.1). |
11. Conclusion
Decree 356/2025/ND-CP is more than a technical guidance document; it represents a milestone in Vietnam's transition from a framework-level regulatory environment to concrete enforcement in personal data protection. With 10 standardized forms, clear deadlines for each obligation, and a licensing mechanism for data processing services, businesses no longer have grounds to delay building their compliance systems. Starting today and following the six-step roadmap outlined above is the most direct route to satisfying legal requirements while building trust with customers in an era where data is a core asset.
Contact the VNETWORK team for consultation on infrastructure solutions that meet the personal data protection requirements under Decree 356/2025/ND-CP.
12. Disclaimer and references
This article is compiled for general informational purposes and does not constitute legal advice. The analyses, interpretations, and examples presented reflect VNETWORK's views based on research of legal documents and do not substitute for the advice of a qualified lawyer or legal expert. Businesses should seek specialized legal counsel before making any compliance decisions.
References:
- Law on Personal Data Protection No. 91/2025/QH15, passed by the 15th National Assembly, effective 01/01/2026. Full text available here.
- Decree No. 356/2025/ND-CP dated 31 December 2025 of the Government on detailed provisions and implementation measures for the Law on Personal Data Protection, signed by Deputy Prime Minister Nguyen Hoa Binh on behalf of the Government, effective 01/01/2026. Full text available here.
FAQ - Frequently asked questions about Decree 356/2025/ND-CP
1. When does Decree 356/2025/ND-CP take effect?
Decree 356/2025/ND-CP takes effect on 01 January 2026 under Article 42.1. From that same date, Decree No. 13/2023/ND-CP dated 17 April 2023 on personal data protection ceases to be in force.
2. Are foreign businesses required to comply with Decree 356?
Yes. Under Article 2.3, foreign agencies, organizations, and individuals that directly participate in or are involved in the processing of personal data of Vietnamese citizens fall within the scope of the Decree, regardless of where their technical infrastructure is located.
3. What is a DPIA file and how long do businesses have to submit it?
A Data Processing Impact Assessment (DPIA) is a set of documents describing all of an organization's personal data processing activities, including purposes, data categories, protective measures, and risk assessment. Under Article 19.4 of the Decree, one original copy of the file must be submitted to the competent personal data protection authority within 60 days of commencing personal data processing.
4. Are sole proprietorships subject to Decree 356?
Under Article 41.2, sole proprietorships and micro-enterprises are not required to comply with provisions concerning licensed personal data processing services and related licensing conditions. However, if a sole proprietorship or micro-enterprise provides personal data processing services, directly processes sensitive data, or processes data from 100,000 or more data subjects, full compliance is mandatory.
5. How quickly must a personal data breach be notified?
Under Article 29.1, when a breach involving location data or biometric data occurs, the personal data controller must notify affected data subjects within no more than 72 hours of discovering the breach. For sensitive data in the finance and banking sector, the deadline for notifying the competent authority is also 72 hours under Article 8.3.
6. Does using foreign cloud services require a cross-border data transfer file?
Yes. Under Article 17.1(a), storing personal data on a cloud computing service provided by a foreign provider is treated as a cross-border data transfer and requires the preparation of an impact assessment file, which must be submitted to A05 within 60 days under Article 18.4.
7. What qualifications must a DPO (Data Protection Officer) meet under Decree 356?
Under Article 13.2, an internal DPO must hold an associate degree or above, have at least 2 years of relevant experience in legal affairs, IT, cybersecurity, data security, risk management, compliance, or personnel management, and have completed professional training in personal data protection. An external individual providing DPO services must have at least 3 years of experience under Article 15.2.