Decree 356/2025/ND-CP implementation of Law on Personal Data Protection
| Issuing body: | Government | Effective date: | |
| Official number: | 356/2025/ND-CP | Signer: | Nguyen Hoa Binh |
| Type: | Decree | Expiry date: | Updating |
| Issuing date: | 31/12/2025 | Effect status: | |
| Fields: | Information - Communications | | |
THE GOVERNMENT | THE SOCIALIST REPUBLIC OF VIETNAM
DECREE
Detailing a number of articles and measures for the implementation of the Law on Personal Data Protection
Pursuant to the Law on Organization of the Government No. 63/2025/QH15;
Pursuant to the Law on Personal Data Protection No. 91/2025/QH15;
Pursuant to the Law on Data No. 60/2024/QH15;
Pursuant to the Law Amending and Supplementing a Number of Articles of the Bidding Law, the Law on Investment in the Form of Public-Private Partnership, the Customs Law, the Law on Value-Added Tax, the Law on Import Duty and Export Duty, the Law on Investment, the Law on Public Investment, and the Law on Management and Use of Public Property No. 90/2025/QH15;
At the proposal of the Minister of Public Security;
The Government hereby promulgates the Decree detailing a number of articles and measures for the implementation of the Law on Personal Data Protection.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation
This Decree provides detailed regulations on Clause 2 and Clause 3 Article 2; Clause 5 Article 4; Clause 3 Article 6; Clause 5 Article 9; Clause 3 Article 17; Clause 7 Article 20; Clause 7 Article 21; Clause 4 Article 22; Clause 5 Article 23; Clause 3 Article 27; Clause 6 Article 30; Point b Clause 4 Article 31; Clause 3 Article 33; Article 35; and Clause 4 Article 38 of the Law on Personal Data Protection, and stipulates measures to organize the implementation of the Law regarding research and development of personal data protection solutions, the specialized agency for personal data protection, the National Portal on Personal Data Protection; the responsibilities of ministries, sectors, and localities in personal data protection; and funds for personal data protection activities.
Article 2. Subjects of application
1. Vietnamese agencies, organizations and individuals;
2. Foreign agencies, organizations and individuals in Vietnam;
3. Foreign agencies, organizations and individuals directly involved in or related to the processing of personal data of Vietnamese citizens and people of Vietnamese origin whose nationality remains unidentifiable and who are living in Vietnam and have been issued identity certificates.
Article 3. List of basic personal data
Basic personal data of an individual include:
1. Family name, middle name and first name shown in birth registration certificate, and other names (if any);
2. Day, month and year of birth; day, month, year of death or missing;
3. Gender;
4. Place of birth, place of birth registration, place of permanent residence registration, place of temporary residence registration, current place of residence, native place, and contact address;
5. Citizenship;
6. Image;
7. Phone number, personal identification number, passport number, driver’s license number, license plate number;
8. Marital status;
9. Information on family relationships (parents, children, spouse);
10. Information on digital account of the individual;
11. Other information associated with a specific person or helping to identify a specific person that is not mentioned in Clause 4 of this Decree.
Article 4. List of sensitive personal data
1. Sensitive personal data of an individual include:
a) Data revealing racial origin or ethnic origin;
b) Political views; religious or belief-related views;
c) Information on private life, personal secrets, or family secrets;
d) Health status;
dd) Biometric data and genetic characteristics;
e) Data revealing an individual’s sexual life or sexual orientation;
g) Data on crimes or violations of law collected and stored by law enforcement agencies;
h) An individual’s position determined through positioning services;
i) Information on usernames and passwords for accessing an individual’s electronic identification account; images of identity cards, citizen identity cards, or people’s identity cards;
k) Usernames and passwords for accessing bank accounts; bank card information; data on bank account transaction histories; financial and credit information and other information relating to customers’ activities and transaction histories in finance, securities, and insurance at credit institutions, foreign bank branches, intermediary payment service providers, securities companies, insurance companies, and other authorized organizations;
l) Data tracking behavior and activities in the use of telecommunications services, social networks, online communication services, and other services in cyberspace;
m) Other personal data that, under the law, is required to be kept confidential or subject to strict security measures.
2. When processing sensitive personal data, agencies and organizations must establish regulations on access authorization limits, processing procedures, and confidentiality measures.
Chapter II
REQUIREMENTS AND CONDITIONS FOR PERSONAL DATA PROTECTION
Article 5. Exercise of rights of personal data subjects
1. Personal data controllers and personal data controlling and processing parties shall develop clear processes, procedures, and forms for the exercise of the rights of personal data subjects, consistent with personal data processing activities and the responsibilities of relevant departments; and shall ensure that personal data subjects are informed of the procedures for exercising the rights prescribed in Clause 1 Article 4 of the Law on Personal Data Protection.
2. Upon receipt of a request to withdraw consent for personal data processing, to restrict personal data processing, or to object to personal data processing in accordance with proper procedures from a personal data subject, the personal data controller or the personal data controlling and processing party shall respond within 02 working days, provide full information to the personal data subject on the procedures for cessation of personal data processing, and implement such cessation within 15 days, except for cases where the personal data processing does not require the consent of the personal data subject as prescribed in Article 19 of the Law on Personal Data Protection. In case it is necessary to require a personal data processor or a third party to cease processing the personal data of the personal data subject, such cessation shall be carried out within 20 days.
Depending on the nature and level of complexity of the request, where an extension of the processing time is required, only one extension may be granted, for a period not exceeding 15 days; the personal data controller or the personal data controlling and processing party shall notify the personal data subject of the reasons for the extension and shall be responsible for demonstrating that such extension is necessary and reasonable.
3. Upon receipt of a request to access, correct, or request correction of personal data, or to provide personal data in accordance with proper procedures from a personal data subject, the personal data controller and the personal data controlling and processing party shall respond within 02 working days, provide full information to the personal data subject regarding the procedures, and implement the request within 10 days. In case it is necessary to require a personal data processor or a third party to correct the personal data of a personal data subject, such correction shall be carried out within 15 days.
Depending on the nature and level of complexity of the request, where an extension of the processing time is required, only one extension may be granted, for a period not exceeding 10 days; the personal data controller or the personal data controlling and processing party shall notify the personal data subject of the reasons for the extension and shall be responsible for demonstrating that such extension is necessary and reasonable.
4. Upon receipt of a request for deletion of personal data in accordance with proper procedures from a personal data subject, the personal data controller and the personal data controlling and processing party shall respond within 02 working days, provide full information to the personal data subject regarding the procedures, and implement the deletion within 20 days. In case it is necessary to require a personal data processor or a third party to provide, delete, or restrict the processing of the personal data of a personal data subject, such actions shall be carried out within 30 days.
Depending on the nature and level of complexity of the request, where an extension of the processing time is required, only one extension may be granted, for a period not exceeding 20 days; the personal data controller or the personal data controlling and processing party shall notify the personal data subject of the reasons for the extension and shall be responsible for demonstrating that such extension is necessary and reasonable.
5. Upon receipt of a request to implement measures and solutions for the protection of the personal data in accordance with proper procedures from a personal data subject, the competent agency or the agency, organization, or individual involved in personal data processing shall respond within 02 working days, provide full information to the personal data subject regarding the procedures, and implement such measures and solutions within 15 days.
Depending on the nature and level of complexity of the request, where an extension of the processing time is required, only one extension may be granted, for a period not exceeding 15 days; the personal data controller or the personal data controlling and processing party shall notify the personal data subject of the reasons for the extension and shall be responsible for demonstrating that such extension is necessary and reasonable.
Article 6. Methods of expressing consent of the personal data subject
1. The methods for obtaining the consent of a personal data subject must ensure verifiability of the identification of the personal data subject who has given consent, as well as the time and content of the consent, including:
a) In writing;
b) By recorded telephone call;
c) By a mobile text message sent in the prescribed consent syntax;
d) Via email, websites, platforms, or applications with technical mechanisms established to obtain consent;
dd) By other appropriate methods that can be printed or copied in written form, including electronic or other verifiable formats.
2. The personal data controller and the personal data controlling and processing party shall store the consent of the personal data subject. In case of a dispute, the responsibility for proving the consent of the personal data subject lies with the personal data controller or the personal data controlling and processing party.
3. The personal data controller and the personal data controlling and processing party shall not establish default consent mechanisms or create unclear or misleading instructions that cause confusion between consent and non-consent for the data subject. Default settings must ensure the principles of personal data protection and respect the rights of personal data subjects.
4. With respect to obtaining consent for the processing of sensitive personal data, the personal data subject must be informed that the data to be processed constitute sensitive personal data.
Article 7. Transfer of personal data
1. Organizations and individuals transferring personal data in accordance with points a, c, and d, Clause 1, Article 17 of the Law on Personal Data Protection must establish an agreement on the transfer of personal data with the personal data recipient, which shall clearly specify the following contents:
a) Purposes of the personal data transfer;
b) Category of personal data subjects and type of personal data transferred, consistent with the purpose of the transfer;
c) Duration of personal data processing and requirements for the deletion or destruction of personal data upon completion of the transfer purpose;
d) Legal basis for the personal data transfer;
dd) Responsibilities for personal data protection during the transfer and processing of personal data;
e) Responsibilities for ensuring the exercise of the rights of personal data subjects;
g) Responsibilities for coordination and compliance of the parties in case of detection of violations of personal data protection regulations.
2. The transfer of sensitive personal data must be subject to physical security measures for storage and transmission devices, measures of encryption, anonymization of personal data, and other confidentiality measures during the transfer process.
3. In cases of personal data transfer in accordance with points a and d, Clause 1, Article 17 of the Law on Personal Data Protection for a fee, in order to provide services to personal data subjects or to serve the legitimate interests of personal data subjects, the organizations and individuals shall comply with the following provisions:
a) They must establish technical systems and transparent mechanisms to enable personal data subjects to give accurate and explicit consent for each transfer, on the basis of being fully informed of the specific purpose of the transfer and the organization or individual receiving and processing the personal data;
b) Personal data may only be processed strictly for the transfer purposes to which the personal data subject has consented, and such purposes must be consistent with the registered business lines;
c) The types of personal data transferred must be limited to the scope necessary for the transfer purposes;
d) It is prohibited to collect, store, or establish personal data databases from personal data transfer activities for use for purposes other than those to which the personal data subject has consented;
dd) The roles of the personal data controller, personal data processor, and third parties in personal data transfer activities must be clearly identified;
e) The personal data transfer and processing agreement must be concluded prior to the transfer, and the commitments regarding responsibilities and obligations toward the personal data subject must be made.
4. In case the personal data are shared among departments within the same agency or organization for personal data processing consistent with the established processing purposes, such agency or organization shall develop procedures to control the sharing and use of personal data in accordance with regulations, and shall implement measures to prevent and combat the unlawful sharing of personal data with third parties by internal personnel of the agency or organization.
5. Personal data must be de-identified prior to being transacted on a data exchange platform.
6. Agencies, organizations, and individuals that provide personal data under Clause 2, Article 15 of the Law on Personal Data Protection based on each specific request of the personal data subject shall not be regarded as conducting personal data transfer and shall not be required to comply with this Article.
Article 8. Personal data protection in finance, banking and credit information activities
1. Organizations and individuals operating in the fields of finance, banking, and credit information activities are responsible for applying standards and technical regulations on personal data protection; technical regulations on de-identification and anonymization of personal data that are promulgated and applied in Vietnam; conducting periodic assessments of compliance with personal data protection regulations once every year; and recording logs of all personal data processing activities.
2. Organizations and individuals operating in the fields of finance, banking, and credit information, when acting as personal data controllers or personal data controlling and processing parties, shall, when obtaining the consent of personal data subjects, ensure that they clearly specify:
a) Purposes of personal data processing, including credit scoring, credit rating, credit information assessment, and creditworthiness assessment activities, if any;
b) Sources of personal data collection and the parties involved in collecting and sharing personal data;
c) Storage period of personal data;
d) Mechanisms and methods for withdrawal of consent and the policies on deletion and destruction of personal data in accordance with the law.
3. Within 72 hours from the time of detecting the leakage or loss of sensitive data of personal data subjects in the fields of finance, banking, and credit information, the organizations and individuals that directly collect the personal data of the data subjects are responsible for notifying the specialized agency for personal data protection and the personal data subjects. The content of the notification must contain at least the contents prescribed in Clause 1, Article 28 of this Decree.
Article 9. Protection of personal data in big data processing
1. Big data processing containing personal data means the activity of processing personal data on a large scale, on a continuous basis, integrated from multiple different sources, with the capability to analyze behavior, predict trends, or classify users.
2. In case of big data processing containing personal data, the relevant agencies, organizations, and individuals have the following responsibilities:
a) Comply with regulations on personal data protection throughout the data processing process, right from the start of processing;
b) Collect, process, and store personal data only within an appropriate scope and in accordance with specific and clearly defined purposes;
c) Develop appropriate policies on the storage, deletion, and destruction of personal data in compliance with the law;
d) Organize periodic training, dissemination, and awareness-raising activities on personal data security and personal data protection measures for employees, especially personnel directly involved in personal data processing. Enhance awareness of the importance of personal data protection within the organization;
dd) Enter into agreements with third parties, partners, and service providers to ensure full compliance with regulations on personal data protection;
e) Establish appropriate notification and explanation mechanisms for personal data subjects regarding the use of their personal data in big data analytics systems.
3. The agencies, organizations, and individuals shall apply personal data protection measures during big data processing, including:
a) Apply measures to ensure cybersecurity and data security, and to prevent personal data leakage during the storage, processing, and transmission of personal data;
b) Use strong authentication methods, requiring at a minimum multi-factor authentication (passwords or PINs combined with one-time passwords, digital signature devices, or biometric factors), appropriate to the sensitivity level of the personal data; assign access rights so that only authorized persons can access personal data;
c) Implement encryption and anonymization of personal data (the process of separating data that identifies a specific individual for separate storage and security, whereby personal data after such processing is used for processing purposes without being able to identify a specific individual) during the transfer or provision of personal data, except where specialized laws provide otherwise or where processing requires data in clear form for the purposes of crime prevention and control, anti-money laundering, ensuring national security, or handling customer complaints and disputes. In such cases, the agencies and organizations must apply additional security solutions to ensure that personal data is not accessed or used unlawfully;
d) Conduct continuous monitoring and use monitoring tools to track access to personal data and detect abnormal activities;
dd) Carry out periodic inspections and assessments of cybersecurity and data security in order to detect, prevent, and remedy security vulnerabilities.
Article 10. Personal data protection in artificial intelligence systems and the metaverse
1. The organizations and individuals are entitled to use personal data for the research and development of self-learning algorithms, artificial intelligence systems, and other automated systems, provided that the compliance with regulations on personal data protection is ensured.
2. Data derived from artificial intelligence inference results, if such data can be used to identify or help identify a specific individual, must be subject to personal data protection measures in accordance with the law.
3. Personal data controllers and personal data controlling and processing parties are responsible for notifying data subjects of automated personal data processing activities, explaining the operating principles of the algorithms and their impacts on the lawful rights and interests of data subjects, and providing options that allow data subjects the right to opt out.
4. The metaverse is a digital universe that combines aspects of social media, online gaming, augmented reality (AR), virtual reality (VR), the Internet, and cryptocurrency, enabling users to interact through virtual reality technologies.
5. The organizations and individuals shall apply personal data protection measures in artificial intelligence systems and the metaverse, including:
a) Research, develop, and deploy systems in compliance with cybersecurity standards and comprehensive data protection standards for artificial intelligence systems, with particular emphasis on information security, algorithm reliability, system stability, and the ability to prevent and combat cyberattacks;
b) Establish mechanisms to supervise the operation of artificial intelligence systems in two respects: supervision by competent state agencies; and accountability to personal data subjects by personal data controllers and personal data controlling and processing parties;
c) Develop personal data protection mechanisms in accordance with appropriate standards, and develop monitoring systems and early-warning mechanisms for cybersecurity risks;
d) Establish control mechanisms to prevent the misuse of artificial intelligence and the metaverse for activities that infringe upon national security or social order and safety;
dd) Conduct periodic assessments of compliance with personal data protection regulations at least once per year.
6. Personal data subjects shall have the right to edit, anonymize, and delete identification profiles, including in case platforms store behavioral history data.
Article 11. Personal data protection in blockchain technology
1. The agencies, organizations, and individuals involved in the processing of personal data using blockchain technology shall be responsible for complying with regulations on personal data protection throughout the research and development of products, services, applications, and systems using blockchain technology, as well as during the processing of personal data.
2. The agencies, organizations, and individuals shall apply personal data protection measures when processing personal data in blockchain technology, including:
a) Apply only secure encryption algorithms, hashing algorithms, and digital signature algorithms;
b) Not store personal data directly on the blockchain; personal data may only be stored after being de-identified, or only the hash values of personal data may be stored;
c) Conduct periodic assessments of compliance with personal data protection regulations at least once per year.
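Article 9, Clause 3(c) and Article 11, Clause 2(b) above describe two measures in words: separating the fields that identify a specific individual into a separately secured store, and writing only hash values of personal data, never the data itself, to a blockchain. The following Python example is added here for illustration; it is not part of the Decree and not guidance from any Vietnamese authority. It assumes a record with the constructed field names `full_name`, `phone` and `id_number`, a random per-record token as the link between the working dataset and the identity vault, and a keyed hash (HMAC-SHA-256) as the on-chain value; the keyed hash is the example's own design choice, made because identifiers such as phone numbers come from a small space and a plain, unkeyed hash of them can be matched back to the original by enumeration. The `authorized` flag stands in for whatever real access-authorization check an organization applies under Article 4, Clause 2.

```python
"""Added example: pseudonymize a record and derive an on-chain commitment.

Not part of Decree 356/2025/ND-CP. Field names, the vault layout and the
choice of HMAC-SHA-256 are assumptions made for this illustration.
"""
import hashlib
import hmac
import json
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample record; the values are placeholders, not real data.
SAMPLE_RECORD = {
    "full_name": "Nguyen Van A",
    "phone": "0900000000",
    "id_number": "000000000000",
    "birth_year": 1990,
    "purchase_count": 7,
    "city": "Hanoi",
}

# Fields of the kind listed as basic personal data in Article 3 that identify
# a specific person; these are removed from the working dataset (assumed set).
IDENTIFYING_FIELDS = ("full_name", "phone", "id_number")


@dataclass
class Pseudonymizer:
    """Splits records into a working dataset and a separately secured vault."""

    # Secret key for the keyed hash; kept with the vault, never on the ledger.
    hmac_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # token -> identifying fields; this is the separately secured store.
    vault: Dict[str, dict] = field(default_factory=dict)

    def split(self, record: dict) -> Tuple[str, dict]:
        """Return (token, working_record); identifiers go to the vault only."""
        token = str(uuid.uuid4())  # random, carries nothing about the person
        identity = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
        working = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        working["token"] = token
        self.vault[token] = identity
        return token, working

    def reidentify(self, token: str, authorized: bool) -> Optional[dict]:
        """Re-identification is only possible through the vault and only for
        callers that pass the organization's access-authorization check."""
        if not authorized:
            return None
        return self.vault.get(token)

    def _canonical_identity(self, record: dict) -> bytes:
        """Stable byte encoding so the same identity always hashes the same."""
        identity = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
        return json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()

    def onchain_commitment(self, record: dict) -> str:
        """The only value that may be written to the ledger: a keyed hash of the
        identifying fields. Without hmac_key it cannot be recomputed from a
        guessed phone number or ID number, unlike a plain SHA-256 digest."""
        return hmac.new(self.hmac_key, self._canonical_identity(record),
                        hashlib.sha256).hexdigest()

    def verify_commitment(self, record: dict, commitment: str) -> bool:
        """Check a presented record against a ledger commitment (constant-time)."""
        return hmac.compare_digest(self.onchain_commitment(record), commitment)


def contains_identifiers(working: dict) -> bool:
    """True if any identifying field leaked into the working dataset."""
    return any(k in working for k in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    p = Pseudonymizer()
    token, working = p.split(SAMPLE_RECORD)
    print("working record:", working)
    print("re-identified (authorized):", p.reidentify(token, authorized=True))
    print("on-chain commitment:", p.onchain_commitment(SAMPLE_RECORD))
```

The working record can be processed for analytics without naming anyone; re-identification requires both the vault and an authorized caller, and the ledger holds only a keyed digest that a later party can verify against a presented record but cannot turn back into a name, phone number or ID number.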
Article 12. Personal data protection in cloud computing
1. The relevant agencies, organizations, and individuals shall apply technical and organizational measures to prevent unauthorized access to personal data upon deploying cloud computing services.
2. The organizations and individuals entering into contracts related to the processing of personal data with cloud computing service providers have the following responsibilities:
a) Clearly stipulating in the contract compliance with Vietnamese law on personal data protection; providing information on the department and personnel in charge of personal data protection; and complying with administrative procedures related to personal data protection in accordance with the law;
b) Clearly defining personal data processing flows, the roles of the parties involved in the provision of cloud computing services, and their corresponding responsibilities;
c) Requiring specific security, technical, and organizational measures, which must be clearly stated in the contract;
d) Promptly notifying relevant parties of any changes that may affect personal data;
dd) Complying with time limits for personal data processing and requirements for deletion and destruction of personal data;
e) Ensuring the exercise of the rights of personal data subjects;
g) Fully implementing technical measures to ensure that access to personal data is appropriately restricted through access authorization.
3. Cloud computing service providers shall:
a) Comply with Vietnamese regulations on personal data protection; provide information on the department and personnel in charge of personal data protection; and comply with administrative procedures related to personal data protection in accordance with the law;
b) Require subcontractors to comply with regulations and obligations on personal data protection in accordance with the law;
c) Apply technical and organizational measures appropriate to the scale and level of their personal data processing;
d) Conduct periodic assessments of compliance with personal data protection regulations at least once per year.
4. Personal data stored in cloud computing environments must be encrypted both at rest and during transmission, accompanied by strict access authorization mechanisms.
Article 13. Conditions for personal data protection personnel and personal data protection departments in agencies and organizations
1. The designation of the personal data protection personnel or the personal data protection department must be made in an official written decision of the relevant agency or organization, clearly specifying the assignment, functions, duties, powers, and other requirements related to personal data protection within such agency or organization.
2. Personal data protection personnel designated by an agency or organization must meet the following competency requirements:
a) Have a college-level degree or higher;
b) Have at least 02 years of work experience (from the time of graduation) in one of the fields of legal affairs, information technology, cybersecurity, data security, risk management, compliance control, human resources management, or personnel organization;
c) Have received training and further training in legal knowledge and professional skills related to personal data protection.
3. In case the agencies and organizations establish the personal data protection department, all personnel of such department must meet the competency requirements specified in Clause 2 of this Article.
4. The agencies and organizations shall be responsible for assessing and selecting personal data protection personnel.
5. The agencies and organizations shall enter into a confidentiality responsibility agreement with personal data protection personnel and may agree on cases of exemption from liability in the event of violations or damage relating to the protected personal data.
6. The agencies and organizations that designate personal data protection personnel or establish personal data protection departments are responsible for providing training and further training in personal data protection knowledge and skills for such personnel.
Article 14. Duties of the personal data protection department and personal data protection personnel within agencies and organizations
1. The personal data protection department shall have the following functions and duties:
a) Organize the formulation of policies, procedures, regulations, and forms to ensure compliance with the law on personal data protection;
b) Organize the exercise of the rights of personal data subjects;
c) Periodically organize assessments of the organization’s compliance status with the law on personal data protection through reports evaluating the level of fulfillment of obligations as prescribed by law, in order to propose measures to enhance the effectiveness of legal compliance, and to prevent and control risks in personal data processing activities;
d) Prepare dossiers for the assessment of impacts of cross-border transfer of personal data, dossiers for the assessment of impacts of personal data processing; receive and report violations of personal data protection; and perform other requirements of competent agencies in accordance with the laws;
dd) Develop plans and organize the implementation of periodic training and further training in personal data protection in the agency or organization;
e) Organize the implementation of technical measures for personal data security, apply standards and technical regulations on personal data protection, and implement emergency response plans for personal data protection incidents;
g) Conduct research and propose decisions related to personal data protection.
2. Personal data protection personnel shall have the following duties:
a) Advise on the formulation of policies, procedures, regulations, and forms to ensure compliance with the law on personal data protection;
b) Participate in the exercise of the rights of personal data subjects;
c) Participate in periodic assessments of the organization’s compliance status with the law on personal data protection and propose measures to enhance the effectiveness of legal compliance, as well as to prevent and control risks;
d) Prepare dossiers for the assessment of impacts of cross-border transfer of personal data, dossiers for the assessment of impacts of personal data processing; receive and report violations of personal data protection; and perform other requirements of competent agencies in accordance with the laws;
dd) Participate in further training programs and courses on personal data protection;
e) Participate in the implementation of technical measures for personal data security, apply standards and technical regulations on personal data protection, and implement emergency response plans for personal data protection incidents.
Article 15. Individual providing personal data protection services
1. An individual providing personal data protection services is a person who fully meets the competency requirements prescribed in Clause 2 of this Article and is hired by an agency or organization to act as personal data protection personnel.
2. An individual providing personal data protection services must satisfy the following competency requirements:
a) Have a college-level degree or higher;
b) Have at least 03 years of working experience (from the time of graduation) in one of the fields of legal affairs, personal data processing, cybersecurity, data security, risk management, or compliance control;
c) Have received in-depth training and further training in legal knowledge and professional skills related to personal data protection.
3. Agencies or organizations that wish to hire individuals providing personal data protection services shall review the competency conditions specified in Clause 2 of this Article; enter into contracts for the use of personal data protection personnel; and publicly disclose information on such personal data protection personnel to personal data subjects and relevant parties.
4. An individual providing personal data protection services has the following responsibilities:
a) Performing the services strictly within the scope and duties specified in the contract or agreement;
b) Not abusing the provision of services to commit acts in violation of law;
c) Deleting or destroying personal data processed during the provision of services after the completion of the contract and in accordance with the law.
Article 16. Organization providing personal data protection services
1. An organization providing personal data protection services must:
a) Be an organization or enterprise having functions, duties, or business lines and sectors in technology, legal services, or technology and legal consultancy, which is engaged by an agency or organization to provide consultancy on compliance with personal data protection regulations and to perform personal data protection tasks in accordance with an agreement;
b) Have at least 3 personnel who fully meet the capacity conditions specified in Clause 2 Article 15 of this Decree;
c) Have provided products and services related to information security, cybersecurity, information technology, standards assessment, or consultancy on personal data protection.
2. An organization providing personal data protection services must develop the capacity profile demonstrating its capacity for personal data protection and provide such profile to agencies or organizations that wish to use its services. The profile must indicate the business lines and sectors; scale, scope, and experience in service provision; service provision policies; standards, qualifications, and capacity of personnel; and relevant supporting documents and evidence.
3. Agencies or organizations that wish to hire personal data protection services shall review the capacity profile, enter into a service contract and a personal data processing agreement with the organization providing personal data protection services, and publicly disclose information on such organization to data subjects and relevant parties.
4. Agencies and organizations may, depending on their needs, concurrently designate personal data protection personnel, establish a personal data protection department, and engage individuals or organizations providing personal data protection services.
5. Based on the agreement with the agency or organization engaging personal data protection services, the organization providing personal data protection services shall perform the duties of the personal data protection department for such agency or organization.
6. An organization providing personal data protection services has the following responsibilities:
a) Perform the services strictly within the scope and duties specified in the contract or agreement;
b) Not abuse the provision of services to commit acts in violation of law;
c) Delete or destroy personal data processed during the provision of services after completion of the contract and in accordance with law.
Chapter III
PERSONAL DATA-RELATED DOSSIERS, ORDER, AND PROCEDURES
Article 17. Cross-border transfer of personal data
1. Personal data controllers, personal data controlling and processing parties, personal data processors, and third parties are deemed to conduct cross-border transfer of personal data in the following cases:
a) Personal data storage activities involving the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam or to cloud computing services of foreign service providers;
b) Activities involving the transfer of personal data from agencies, organizations, or individuals in Vietnam to recipients that are organizations or individuals located abroad;
c) Activities involving the processing of personal data collected in Vietnam and transferred to platforms located outside the territory of the Socialist Republic of Vietnam for further processing.
2. The specialized agency for personal data protection shall decide to require the party transferring personal data across borders to suspend the cross-border transfer of personal data in the following cases:
a) In case it is discovered that the transferred personal data are used for activities infringing upon national defense or national security;
b) In case there are acts in violation of personal data protection regulations that may cause harm to national defense or national security.
3. Other cases, in addition to those specified at Points a, b, and c, Clause 6, Article 20 of the Law on Personal Data Protection, that are exempt from the regulations on assessment of the impact of cross-border transfer of personal data include:
a) Journalistic and communication activities conducted in accordance with the law;
b) Cross-border transfer of personal data that has been publicly disclosed in accordance with the law;
c) Emergency situations in which it is genuinely necessary to provide personal data across borders to protect the life, health, and property safety of an individual; or to perform duties and obligations as prescribed by law;
d) Cross-border transfer of personal data for cross-border human resources management in accordance with labor rules, internal labor regulations, and collective labor agreements as prescribed by law;
dd) Provision of personal data across borders for the purpose of entering into contracts or carrying out procedures related to cross-border transportation, logistics, remittance, payment, hotel services, visa applications, or scholarship applications.
Article 18. Conditions, order, procedures, and components of the dossier for assessment of the impact of cross-border transfer of personal data
1. Agencies, organizations, and individuals that conduct cross-border transfer of personal data as prescribed in Clause 1 Article 20 of the Law on Personal Data Protection shall prepare a dossier for assessment of the impact of cross-border transfer of personal data in accordance with this Article.
2. The dossier for assessment of the impact of cross-border transfer of personal data shall include:
a) Report on assessment of the impact of cross-border transfer of personal data using the Form No. 09 in the Appendix to this Decree;
b) A copy of the contract or document on the transfer of personal data demonstrating the binding obligations and responsibilities between the organizations and individuals transferring and receiving personal data across borders;
c) Policies, processes, regulations, forms, and other relevant documents on personal data protection of the agencies, organizations, or individuals conducting cross-border transfer of personal data.
3. The report on assessment of the impact of cross-border transfer of personal data shall include the following contents:
a) Information and contact details of the personal data transferor, the personal data recipient, the personal data processor, and other parties related to the cross-border transfer of personal data;
b) Contact details of the personal data protection department and personnel; organizations or individuals providing personal data protection services (if any) of the personal data transferor and the personal data recipient;
c) Description and explanation of the purpose of the cross-border transfer of personal data, the types of personal data transferred across borders, detailed activities of cross-border transfer and processing of personal data, and a diagram of the personal data processing flow;
d) Description and explanation of the obtaining of consent from personal data subjects, and the policies on storage, deletion, and destruction of personal data;
dd) Measures to ensure personal data security after cross-border transfer, personal data protection measures, and personal data protection standards applied;
e) System diagram and description of the functions of the system for storage and processing of personal data after receipt of cross-border personal data;
g) Procedures for the recipient of cross-border personal data to transfer or provide personal data to third parties;
h) Results of the self-assessment of compliance with personal data protection regulations of the agencies, organizations, or individuals conducting cross-border transfer of personal data;
i) Assessment of the level of personal data protection of the personal data recipient; the level of impact and risks of cross-border transfer and processing of personal data; possible undesirable consequences and damages, and measures to mitigate or eliminate such risks.
4. The dossier for assessment of the impact of cross-border transfer of personal data shall be available at all times to serve inspection and assessment activities of the specialized agency for personal data protection.
The party transferring personal data across borders shall submit one (01) original set of the complete dossier, together with the Form No. 01a/01b in the Appendix to this Decree, by online method, in person, or via postal service to the specialized agency for personal data protection within 60 days from the date of conducting the cross-border transfer of personal data.
5. The specialized agency for personal data protection shall, within 15 days, assess the dossier for assessment of the impact of cross-border transfer of personal data and issue a result stating whether the dossier meets or does not meet the requirements.
6. In case the dossier is incomplete or not in compliance with regulations, the specialized agency for personal data protection shall request the party transferring personal data across borders to complete the dossier for assessment of the impact of cross-border transfer of personal data within 30 days. In case the party transferring personal data fails to complete the dossier in accordance with regulations, the specialized agency for personal data protection shall consider applying the provisions on administrative sanctions in the field of personal data protection.
7. The party transferring personal data across borders shall update and supplement the dossier for assessment of the impact of cross-border transfer of personal data in accordance with Article 20 of this Decree.
Article 19. Conditions, procedures, and components of the dossier for assessment of the impact of personal data processing
1. The personal data controller, the personal data controlling and processing party, and the personal data processor shall prepare and retain the dossier for assessment of the impact of their personal data processing from the time of commencement of the personal data processing.
2. The dossier for assessment of the impact of personal data processing of the personal data controller, the personal data controlling and processing party, and the personal data processor shall include:
a) Report on assessment of the impact of personal data processing in accordance with the Form No. 10 in the Appendix to this Decree;
b) A copy of the contract or agreement on personal data processing, demonstrating the binding obligations and responsibilities among organizations and individuals in the personal data processing activities;
c) Policies, procedures, regulations, forms, and other relevant documents on personal data protection of the personal data controller, the personal data controlling and processing party, and the personal data processor.
3. The report on assessment of the impact of personal data processing shall include the following contents:
a) Information and contact details of the personal data controller, the personal data controlling and processing party, the personal data processor, third party;
b) Contact details of the personal data protection department and personnel; and of organizations or individuals providing personal data protection services (if any) of the personal data controller, the personal data controlling and processing party, the personal data processor, and third party;
c) Description and explanation of the purposes of personal data processing; the types of personal data processed; detailed activities of personal data processing; and the personal data flow diagram;
d) Description and explanation of the obtaining of consent from personal data subjects, and the policies on storage, deletion, and destruction of personal data;
dd) Measures to ensure personal data security; personal data protection measures; system design diagrams; and personal data protection standards applied;
e) Results of the assessment of compliance with regulations on personal data protection;
g) Assessment of the level of impact and risks of personal data processing activities; possible undesirable consequences and damages; and measures to mitigate or eliminate such risks.
4. The dossier for assessment of the impact of personal data processing shall be available at all times to serve inspection and assessment activities of the specialized agency for personal data protection. The parties specified in Clause 1 of this Article shall submit one (01) original set of the dossier, together with the Form No. 02a/02b in the Appendix to this Decree, by online method, in person, or via postal service to the specialized agency for personal data protection within 60 days from the date of commencement of personal data processing.
5. The specialized agency for personal data protection shall, within 15 days, assess the dossier for assessment of the impact of personal data processing and issue a result stating whether the dossier meets or does not meet the requirements.
6. In case the dossier is incomplete or not in compliance with regulations, the specialized agency for personal data protection shall request the personal data controller, the personal data controlling and processing party, or the personal data processor to complete the dossier for assessment of the impact of personal data processing within 30 days. In case the personal data controller, the personal data controlling and processing party, or the personal data processor fails to complete the dossier in accordance with regulations, the specialized agency for personal data protection shall consider applying the regulations on administrative sanctions in the field of personal data protection.
7. The personal data controller, the personal data controlling and processing party, and the personal data processor shall update and supplement the dossier for assessment of the impact of personal data processing in accordance with Article 20 of this Decree.
Article 20. Updating of the dossier for assessment of the impact of personal data processing and the dossier for assessment of the impact of cross-border transfer of personal data
1. The dossier for assessment of the impact of cross-border transfer of personal data and the dossier for assessment of the impact of personal data processing shall be updated periodically every 06 months from the date of the first submission of the dossier in the following cases:
a) In case a new purpose for transfer of personal data or a new purpose for personal data processing arises;
b) In case there arises or there is a change in the personal data controller, the personal data controlling and processing party, the personal data processor, or a third party.
2. The following changes must be updated promptly, within 10 days:
a) In case the agency, organization, or unit is reorganized, ceases operations, is dissolved, or goes bankrupt in accordance with the law;
b) In case there is a change in information on the organization or individual providing personal data protection services;
c) In case there arises or there is a change in the business lines, sectors, or services related to personal data processing that have been registered in the dossier for assessment of the impact of personal data processing or the dossier for assessment of the impact of cross-border transfer of personal data.
3. The updating of the dossier for assessment of the impact of personal data processing and the dossier for assessment of the impact of cross-border transfer of personal data shall be carried out in accordance with the Form No. 03a/03b in the Appendix to this Decree and submitted by online method, in person, or via postal service to the specialized agency for personal data protection.
Article 21. Personal data processing services
1. Services for providing and operating automated systems and software to process personal data on behalf of the personal data controller or the personal data controlling and processing party.
2. Services for scoring, ranking, and assessing the creditworthiness level of personal data subjects.
3. Services for collecting and processing personal data online from websites, applications, software, and social networks.
4. Services for collecting and processing personal data through websites, applications, health care software, health monitoring applications, and medical services.
5. Services for collecting and processing personal data through educational applications and software with monitoring elements such as attendance tracking, video recording, behavioral scoring, and emotion recognition.
6. Services for analysis and exploitation of personal data, including: using analytical tools to search for information, trends, and patterns from personal data; applying data mining methods to extract value from personal data, predict user behavior, or optimize services.
7. Services for encrypting personal data during transmission and storage.
8. Services for automated personal data processing based on big data, artificial intelligence, blockchain, and metaverse technologies.
9. Services of application platforms that provide personal position data.
Article 22. Conditions for organizations providing personal data processing services
1. Be an organization or enterprise established and operating in accordance with the laws of Vietnam and meeting the conditions prescribed in this Article.
2. Conditions on personnel:
a) The person in charge of professional expertise in personal data processing of the organization must be a Vietnamese citizen permanently residing in Vietnam;
b) Have a management and executive team that satisfies the professional requirements for personal data processing;
c) Have at least 03 personnel meeting the capacity conditions prescribed in Clause 2 Article 13 of this Decree.
3. Have infrastructure, systems of equipment, facilities, and technology suitable for personal data processing services.
4. Have the dossier for assessment of the impact of personal data processing and, in cases involving cross-border transfer of personal data, the dossier for assessment of the impact of cross-border transfer of personal data assessed as meeting the requirements.
Article 23. Responsibilities of organizations providing personal data processing services
1. Fully comply with the law on personal data protection and the responsibilities and obligations of the personal data controlling and processing parties and the personal data processors.
2. Develop a personal data protection risk management framework appropriate to the services provided.
3. Carry out periodic assessments of the status of compliance and the level of trustworthiness in personal data protection once a year.
4. Apply standards and technical regulations related to data security, personal data protection, and cybersecurity.
5. Formulate regulations on the responsibilities and powers of the organization in personal data processing.
6. Ensure that personal data are processed for proper purposes; limit the collection, transfer, and storage of personal data in an appropriate manner and in accordance with the law; and prevent unauthorized access, collection, use, disclosure, or similar risks in personal data processing activities.
7. In case of acting as a personal data processor, require the personal data controller to obtain the data subject’s consent in accordance with regulations before providing services, ensuring that the data subject is informed of the type of personal data processed, the purpose of processing, and the organization providing personal data processing services.
8. Organizations providing personal data processing services shall carry out organizational identity authentication in accordance with the law on electronic identification and authentication.
Article 24. Authority to grant, re-grant, replace, and revoke the certificate of eligibility for the provision of personal data processing services
1. The Ministry of Public Security shall grant, re-grant, replace, and revoke the certificate of eligibility for the provision of personal data processing services.
2. The Minister of Public Security assigns responsibility to the specialized agency for personal data protection to carry out the granting, re-granting, replacement, and revocation of the certificate of eligibility for the provision of personal data processing services in accordance with regulations.
Article 25. Dossier, order, and procedures for granting the certificate of eligibility for the provision of personal data processing services
1. The dossier for application for the certificate of eligibility for the provision of personal data processing services includes:
a) An application for the certificate of eligibility for the provision of personal data processing services in accordance with the Form No. 04 in the Appendix to this Decree;
b) A copy of the Enterprise Registration Certificate;
c) A written designation of a personal data protection department or a contract for the use of personal data protection services in accordance with regulations;
d) A scheme requesting the issuance of the certificate of eligibility for the provision of personal data processing services;
dd) Diplomas and other documents evidencing the qualifications of the personnel specified at Point c, Clause 2, Article 22 of this Decree;
e) Organizations are not required to submit the documents specified at Point b of this Clause where the competent state agency can retrieve such information from a database.
2. The scheme requesting the issuance of the certificate of eligibility for the provision of personal data processing services shall include the following contents:
a) Necessity and objectives;
b) Contents and sectors proposed for approval;
c) Business lines and sectors, and business plan;
d) Expected scale of personal data processing activities;
dd) Risk management framework for personal data protection;
e) Plan for periodic assessment of the compliance status and level of trustworthiness in personal data protection;
g) Application of standards and technical regulations related to data security and personal data protection;
h) Plan for the use of electronic identification and authentication services;
i) Responsibilities and powers of the organization in personal data processing;
k) Qualified personnel in accordance with regulations.
3. The organization shall submit 01 set of application dossier for the issuance of the certificate of eligibility for the provision of personal data processing services by online method, in person, or via postal service to the specialized agency for personal data protection.
The specialized agency for personal data protection shall, within 10 days, evaluate whether the dossier for application for the certificate of eligibility for the provision of personal data processing services meets or does not meet the requirements. In case the dossier is incomplete or not in compliance with regulations, the specialized agency for personal data protection shall notify the applying organization in writing, clearly stating the reasons, to supplement and complete the dossier within 15 days.
4. Within 30 days from the date of receipt of a complete and valid dossier, the specialized agency for personal data protection shall appraise, consider, and decide on the issuance of the certificate of eligibility for the provision of personal data processing services in accordance with the Form No. 05 in the Appendix to this Decree. The certificate of eligibility for the provision of personal data processing services shall be issued in paper form and electronic form; the paper form shall be issued in case the dossier is submitted directly or via postal services or upon request when the dossier is submitted online through the public service portal. In case of refusal to issue the certificate, the specialized agency for personal data protection shall notify the organization in writing and clearly state the reasons.
Article 26. Dossier, order, and procedures for re-issuance and renewal of the certificate of eligibility for the provision of personal data processing services
1. Re-issuance in case the paper copy of the certificate of eligibility for the provision of personal data processing services is lost or damaged.
a) In case the organization has a demand for re-issuance of the paper copy, it shall submit an application using the Form No. 05 in the Appendix to this Decree by online method, in person, or via postal service to the specialized agency for personal data protection.
b) Within 05 working days from the date of receipt of a valid application as prescribed, the specialized agency for personal data protection shall consider and re-issue the certificate of eligibility for the provision of personal data processing services; in case of refusal, a written notification clearly stating the reasons must be issued.
2. Renewal in case of incorrect information or changes to the contents of the certificate of eligibility for the provision of personal data processing services
a) The dossier shall comprise: An application using the Form No. 06 in the Appendix to this Decree; documents and materials evidencing the incorrect information or the changes to the information stated in the issued certificate.
b) The organization shall submit one (01) set of the above dossier by online method, in person, or via postal service to the specialized agency for personal data protection. Within 05 working days from the date of receipt of a complete dossier as prescribed at Point a of this Clause, the specialized agency for personal data protection shall consider and decide on the renewal of the certificate of eligibility for the provision of personal data processing services; in case of refusal, a written notification clearly stating the reasons must be issued.
Article 27. Revocation of the certificate of eligibility for the provision of personal data processing services
1. The certificate of eligibility for the provision of personal data processing services shall be revoked in the following cases:
a) Failure to satisfy any of the conditions specified in Clause 1 and Clause 2 Article 26 of this Decree;
b) Failure to conduct business activities for a period of twelve (12) months or more;
c) Dissolution or bankruptcy in accordance with law;
d) Failure to remedy violations of personal data protection, information security, cybersecurity, or data security in accordance with the requirements of competent state agencies;
dd) The organization itself requests suspension or termination of its operations.
2. The specialized agency for personal data protection shall decide on the revocation of the certificate of eligibility for the provision of personal data processing services in accordance with the Form No. 07 in the Appendix to this Decree.
3. The organization providing personal data processing services shall be responsible for returning the issued Certificate to the specialized agency for personal data protection within five (05) working days from the date of receipt of the revocation decision.
4. Upon issuing the Decision on revocation of the certificate of eligibility for the provision of personal data processing services, the specialized agency for personal data protection shall make a notification on the National Portal on Personal Data Protection.
Article 28. Contents of the notification of violations of regulations on personal data protection
1. The contents of a notification of violations of regulations on personal data protection shall include:
a) A description of the nature of the violation of personal data protection regulations, including: time, location, acts, organizations, individuals, types of personal data, and the volume of data involved;
b) Contact details of the personal data protection department and personnel, or the organization or individual providing personal data protection services;
c) A description of the potential consequences and damages of the violation of personal data protection regulations;
d) A description of the measures proposed to address and mitigate the harms caused by the violation of personal data protection regulations.
2. The personal data controller, the personal data controlling and processing party, and the third-party processor shall submit the notification of violations of personal data protection regulations to the specialized agency for personal data protection or via the National Portal on Personal Data Protection in accordance with the Form No. 08 in the Appendix to this Decree.
Article 29. Notification of violations on personal position data and biometric data
1. In case an incident involving a violation of personal data protection regulations related to position data or biometric data occurs, the personal data controller or the personal data controlling and processing party shall have the following responsibilities:
a) Notify the affected data subjects within 72 hours from the time the violation is detected;
b) Report to the competent state agency in accordance with Article 28 of this Decree;
c) Record, store, and update the violation dossier for inspection, examination, and handling purposes. The organization shall retain the violation dossier for at least 5 years from the date the incident has been fully remedied.
2. The notification to the data subjects under Point a Clause 1 of this Article shall include at least the following contents:
a) Time and method of detecting the violation;
b) Type of data affected (position data, biometric data, or both);
c) Level of severity and the potential risks to the lawful rights and interests of the data subjects;
d) Measures that have been, are being, and will be implemented to remedy the incident and mitigate damages;
dd) Guidance for data subjects on subsequent preventive and remedial measures;
e) Contact information of the personal data protection department, personal data protection personnel, or the organization or individual providing personal data protection services; and the department in charge of receiving and handling personal data incidents within the organization.
3. In case an organization or individual is unable to notify all affected personal data subjects within the time limit specified in Clause 1 of this Article due to technical or emergency reasons, the following measures shall be implemented:
a) Public notification via the organization’s official electronic means, including its website or application;
b) Sending notifications to the relevant personal data subjects as soon as technical conditions permit.
4. In case an organization or individual fails to provide notification within the prescribed time limit or deliberately delays or evades the notification obligation, such organization or individual shall be subject to consideration for handling of violations in accordance with the law.
Chapter IV
IMPLEMENTATION OF PERSONAL DATA PROTECTION
Article 30. Responsibility for international cooperation on personal data protection
1. The specialized agency for personal data protection is responsible for assisting the Ministry of Public Security in carrying out international cooperation on personal data protection.
2. The Ministries, the ministerial-level agencies, and the government agencies shall conduct international cooperation on personal data protection in sectors and fields under their management in accordance with the law and their assigned functions and duties.
3. The provincial-level People’s Committees shall implement international cooperation on personal data protection in accordance with the law and their assigned functions and duties.
Article 31. Inspection of personal data protection activities
1. Inspection of personal data protection activities is conducted on a regular or extraordinary basis in the following cases:
a) When there is reasonable suspicion of violations of the law on personal data protection;
b) When directed by a competent agency or official responsible for state management of personal data protection;
c) When performing state management duties as prescribed by law.
2. Subjects of inspection of personal data protection activities:
a) Agencies, organizations, and individuals engaged in personal data processing activities;
b) Organizations and individuals providing personal data processing services;
c) Agencies, organizations, and individuals required to conduct assessment of the impact of personal data processing and assessment of the impact of cross-border transfer of personal data;
d) Agencies, organizations, and individuals related to cases or incidents of violations of personal data protection regulations.
3. Content of personal data protection inspection:
a) Current status of compliance with personal data protection requirements;
b) Activities of assessment of the impact of personal data processing and assessment of the impact of cross-border transfer of personal data;
c) Business activities involving personal data processing services.
4. The specialized agency for personal data protection issues an inspection decision and notifies the subject of inspection defined in Clause 2 of this Article 15 days in advance regarding the time, content, and composition of the inspection team. In case of unscheduled inspections to promptly verify, detect, or prevent violations of the law on personal data protection, the specialized agency for personal data protection has the right to conduct the inspection immediately without prior notice.
5. The subject of inspection must prepare all inspection contents specified in Clause 3 of this Article and the specific requirements stated in the inspection decision issued by the specialized agency for personal data protection.
Article 32. Research and development of personal data protection solutions
The agencies, organizations, enterprises, and individuals shall participate in the research, development, and application of personal data protection solutions, including:
1. Developing software systems and equipment for personal data protection;
2. Methods for appraising software and equipment for personal data protection to meet standards;
3. Methods for inspecting supplied hardware and software to ensure they perform their proper functions;
4. Recording and managing compliance with regulations on personal data protection;
5. Addressing risks of personal data leakage and loss;
6. Technical initiatives to enhance awareness and skills regarding personal data protection;
7. Processing personal data for statistical and scientific purposes;
8. Solutions enabling personal data subjects to control their own personal data, provide and share data under selective disclosure mechanisms, applying advanced technologies and strategic technologies in conformity with international standards and norms;
9. Personal data protection standards;
10. Other personal data protection solutions in accordance with the law.
Article 33. Contents of state management of personal data protection
1. Issuing, within its competence, or submitting to competent state agencies for issuance, legal normative documents on personal data protection; organizing the implementation of the law on personal data protection.
2. Developing and organizing the implementation of strategies, policies, schemes, projects, programs, and plans on personal data protection.
3. Guiding agencies, organizations, and individuals on measures, procedures, standards, and technical regulations for personal data protection in accordance with the provisions of law.
4. Conducting dissemination and education of the law on personal data protection; communication and dissemination of knowledge and skills on personal data protection.
5. Establishing, training, providing further training for, and developing human resources for personal data protection.
6. Conducting inspection, examination, commendation, settlement of complaints and denunciations, and handling of violations of the law on personal data protection in accordance with the law.
7. Carrying out statistics, communication, and reporting on the situation of personal data protection and the implementation of the law on personal data protection to competent state agencies.
8. Organizing preliminary reviews, final reviews, and scientific research on personal data protection; researching and applying scientific and technological advances in personal data protection.
9. Conducting international cooperation on personal data protection.
Article 34. Responsibilities of the Ministry of Public Security
1. Assisting the Government in uniformly implementing state management of personal data protection.
2. Assuming the prime responsibility for developing, issuing, or submitting to competent state agencies for issuance, and guiding the implementation of legal normative documents guiding the implementation of the law on personal data protection.
3. Guiding and deploying personal data protection activities and protecting the rights of data subjects against acts violating the law on personal data protection.
4. Assuming the prime responsibility for and coordinating with the Ministry of Science and Technology in developing standards and technical regulations on personal data protection; technical regulations on de-identification of personal data and anonymization of personal data to be promulgated and applied in Vietnam.
5. Developing, managing, and operating the national portal on personal data protection.
6. Implementing dissemination, propagation, and education of the law, and guiding and providing further training on knowledge and skills on personal data protection for the personal data protection force.
7. Evaluating, conducting preliminary reviews, and summarizing the results of personal data protection work of relevant agencies, organizations, and individuals.
8. Promoting scientific research on personal data protection; researching and applying scientific and technological advances in personal data protection to innovate in the field of personal data protection.
9. Implementing international cooperation activities on personal data protection.
Article 35. Responsibilities of the Ministry of National Defense
1. Coordinating with the Ministry of Public Security and relevant agencies and organizations in arranging personnel and means to protect personal data, and to detect and prevent acts violating regulations on personal data protection within the scope of management.
2. Within the scope of assigned functions and tasks, assuming the prime responsibility for and coordinating with the Ministry of Public Security in conducting assessments of the results of personal data protection for agencies, organizations, and individuals under the scope of management; promoting the application of personal data protection measures; researching and applying advanced security technologies in the processing and protection of personal data in service of national defense activities; and carrying out international cooperation on personal data protection within the scope of management in accordance with the law.
3. Organizing dissemination, propagation, and education of the law, as well as knowledge and skills on personal data protection, for officers, professional soldiers, cadres, civil servants, and public employees under the scope of management.
4. Conducting inspection, examination, supervision, and handling of violations of regulations on personal data protection with respect to agencies, organizations, and individuals under the management scope of the Ministry of National Defense, in accordance with the law and assigned functions and tasks.
Article 36. Responsibilities of the Ministry of Science and Technology
1. Coordinating with the Ministry of Public Security in the development of standards and technical regulations on personal data protection; technical regulations on de-identification of personal data and anonymization of personal data that are promulgated and applied in Vietnam.
2. Coordinating with the Ministry of Public Security and relevant agencies in researching, developing, mastering, and applying personal data protection measures that apply advanced technologies, high technologies, and strategic technologies; forming solutions, products, and services for personal data protection in the process of developing digital government, the digital economy, and the digital society through science and technology programs.
Article 37. Responsibilities of the ministries, the ministerial-level agencies, and the Government agencies
1. Carrying out state management of personal data protection for sectors and fields within their management scope in accordance with the law.
2. Developing and implementing the contents and tasks on personal data protection as stipulated in this Decree.
3. Supplementing personal data protection provisions in the development and implementation of tasks of ministries and sectors.
4. Arranging personnel and establishing personal data protection departments within units under their management; ensuring that capacity requirements are met and that such arrangements are suitable to job positions and professional requirements on personal data protection in accordance with the law.
5. Allocating funds for personal data protection activities in accordance with the current budget management decentralization.
6. Organizing dissemination and education of laws, and providing professional and skills training for officials, civil servants, public employees, and units under their management on personal data protection.
7. Coordinating with the Ministry of Public Security in inspection, examination, supervision, and handling of violations of personal data protection regulations within their management scope.
8. Coordinating with the Ministry of Public Security and the Ministry of Science and Technology in developing guidance and implementing the application of standards and technical regulations on personal data protection for units, organizations, and individuals under their management.
Article 38. Responsibilities of the People's Committees of provinces and centrally run cities
1. Carrying out state management of personal data protection for sectors and fields under their management in accordance with the law on personal data protection.
2. Implementing the provisions on personal data protection as stipulated in this Decree.
3. Arranging personnel and establishing personal data protection units within units under their management; ensuring that capacity conditions are met and that such arrangements are suitable to job positions and professional requirements on personal data protection in accordance with the law.
4. Allocating funds for personal data protection activities in accordance with the current budget management decentralization.
5. Organizing dissemination and education of laws and knowledge and skills on personal data protection for officials, civil servants, public employees, citizens, and enterprises within the locality.
6. Organizing further training and advanced training to build the capacity of personnel engaged in personal data protection at all administrative levels; integrating personal data protection content into administrative reform and digital transformation programs.
7. Building systems for statistics, aggregation, and periodic reporting on the status of personal data protection in the locality and submitting such reports to the specialized agency for personal data protection in accordance with regulations.
Article 39. Specialized agency for personal data protection and the National Portal on Personal Data Protection
1. The specialized agency for personal data protection is a unit under the Ministry of Public Security and is responsible for assisting the Minister of Public Security in performing the state management function over personal data protection.
2. The National Portal on Personal Data Protection is a platform providing information for the dissemination of the Party’s guidelines and policies and the State’s laws on personal data protection; supporting guidance and enhancing awareness and skills on personal data protection for agencies, organizations, and individuals; receiving and handling feedback and recommendations from relevant agencies, organizations, and individuals; and performing other activities in accordance with the law on personal data protection.
Article 40. Funds for Personal Data Protection Activities
1. Funds for the implementation of personal data protection include the state budget; contributions from domestic and foreign agencies, organizations, and individuals; revenues from the provision of personal data protection services; international aid; and other lawful sources of revenue.
2. Funds for personal data protection activities of state agencies shall be ensured by the state budget and allocated in the annual state budget estimates. The management and use of funds from the state budget shall be carried out in accordance with the law on the state budget.
3. Funds for personal data protection activities of organizations and enterprises shall be arranged by such organizations and enterprises themselves and implemented in accordance with regulations.
Chapter V
IMPLEMENTATION ORGANIZATION
Article 41. Regulations on the application of Clause 2 and Clause 3 Article 38 of the Law on Personal Data Protection
1. Small enterprises and start-up enterprises are entitled to choose whether or not to comply with Article 21, Article 22, and Clause 2 Article 33 of the Law on Personal Data Protection within 05 years from the effective date of the Law on Personal Data Protection, except for small enterprises and start-up enterprises that provide personal data processing services, directly process sensitive personal data, or process personal data from the time when their scale reaches 100,000 or more personal data subjects based on the accumulated total amount of personal data processed.
2. Business households and micro-enterprises are not required to comply with Article 21, Article 22, and Clause 2 Article 33 of the Law on Personal Data Protection, except for business households and micro-enterprises that provide personal data processing services, directly process sensitive personal data, or process personal data from the time when their scale reaches 100,000 or more personal data subjects based on the accumulated total amount of personal data processed.
Article 42. Effect and enforcement
1. This Decree takes effect from January 1, 2026.
2. The Decree No. 13/2023/ND-CP dated April 17, 2023 of the Government on Personal Data Protection shall cease to be effective as from the effective date of this Decree.
3. Amendment to Clause 2 Article 16 of the Decree No. 165/2025/ND-CP dated June 30, 2025 of the Government detailing a number of articles of and measures for the implementation of the Law on Data, as follows:
“2. The protection of core data and important data that constitute personal data shall be carried out in accordance with the provisions of the Law on Personal Data Protection and its guiding documents.
In case of cross-border transfer or processing of core data and important data that constitute personal data, the data controller of such core data and important data shall carry out a dossier for assessment of personal data processing impact and an assessment of cross-border personal data transfer impact in accordance with the law on personal data protection; it is not required to conduct risk assessment or assessment of cross-border data transfer and processing impacts as stipulated in this Decree.”
4. The Ministry of Public Security shall be responsible for guiding, inspecting, and urging the implementation of this Decree.
5. The Ministries, the Heads of ministerial-level agencies, the Heads of Governmental agencies, the Chairpersons of the People’s Committees of centrally-affiliated cities and provinces, and the relevant agencies, organizations, and individuals shall be responsible for the implementation of this Decree.
FOR THE GOVERNMENT
* The Appendices are not translated herein.