New features of Decree 356/2025 compared with Decree 13/2023 on Personal Data Protection

Taking effect on January 1, 2026, Decree No. 356/2025/ND-CP provides guidelines for the 2025 Law on Personal Data Protection, replacing Decree No. 13/2023/ND-CP. LuatVietnam presents a quick overview of the new points in Decree 356 compared to the previous Decree 13.

1. Changes to the List of basic personal data

The list of basic personal data is stipulated in Article 3 of Decree 356/2025/ND-CP. Compared to the list under Clause 3, Article 2 of Decree 13/2023, the new regulation includes several changes:

  • "Identity Card (CMND) number" (replaced by "Identity Card" (Căn cước)), "Personal tax identification number," "Social insurance number," and "Health insurance card number" are removed as they have been unified under the “Personal identification number”.
  • Information on family relationships now includes "spouse" (husband and wife); previously, Decree No. 13/2023/ND-CP only specified "parents" and "children."
  • "Personal data reflecting activities and history of activities of the individual in the cyberspace" is no longer listed as basic personal data (it has been listed as sensitive personal data under Decree 356).

2. Changes to the List of sensitive personal data

Compared to Decree 13, Decree 356 expands and further specifies sensitive personal data, including:

  • Data on crimes or violations of law is now considered sensitive personal data, whereas previously only data on criminal offenses and criminal acts was classified as such.
  • More detailed regulations on data in the banking sector, including usernames and passwords for accessing bank accounts, bank card information, and bank account transaction histories.
  • Information on activities and transactions at securities companies and insurance companies is now considered sensitive personal data (previously, this applied only to banking transactions).
  • Data tracking behavior and activities in the use of telecommunications services, social networks, online communication services, and other services in cyberspace is added.

Furthermore, Article 4 of Decree 356 emphasizes:

"4. During the sensitive personal data processing, the agencies and organizations must establish regulations on access delegation limits, processing procedures, and confidentiality measures."

3. Duration for responding to and processing data subject requests

While Decree 13 only provided a general 72-hour duration for responsibilities related to fulfilling data subject requests, Decree 356 clarifies the process as follows:

  • Within 02 working days, the personal data controlling and processing party shall respond to requests to withdraw consent for personal data processing, to restrict personal data processing, or to object to personal data processing.
  • Withdrawal of consent/restriction/objection to personal data processing: to be completed within 15 days (or 20 days if a personal data processor or a third party is involved) (Clause 2, Article 5).
  • Access to/correction of/request for correction of personal data: implement the request within 10 days (or 15 days if a personal data processor or a third party is involved) (Clause 3, Article 5).
  • Deletion of personal data: implement the deletion within 20 days (or 30 days if a personal data processor or a third party is involved) (Clause 4, Article 5).

Additionally, one extension may be granted depending on the complexity of the request; in that case, the personal data controller or the personal data controlling and processing party shall notify the personal data subject of the reasons for the extension and is responsible for demonstrating that the extension is necessary and reasonable (Clauses 2, 3, 4, and 5, Article 5).

4. Storing the consent of the personal data subject; prohibition of default consent mechanisms

Clauses 2 and 3 of Article 6 of Decree 356 emphasize:

" 2. The personal data controller and the personal data controlling and processing party shall store the consent of the personal data subject. In case of a dispute, the responsibility for proving the consent of the personal data subject lies with the personal data controller or the personal data controlling and processing party.

3. The personal data controller and the personal data controlling and processing party shall not establish default consent mechanisms or create unclear or misleading instructions that cause confusion between consent and non-consent for the data subject. Default settings must ensure the principles of personal data protection and respect the rights of personal data subjects. These are new requirements that were not stipulated in Decree 13.”

5. Detailed provisions on transfer of personal data

Decree 356 dedicates the entirety of Article 7 to providing detailed guidance on the transfer of personal data:

  • Parties must establish an agreement on the transfer of personal data with specific contents (purpose, type of personal data, duration, legal basis, protection responsibilities, responsibilities for ensuring the exercise of the rights, coordination in case of detection of violations, etc.).
  • Transfer of sensitive personal data: must be subject to physical security measures, encryption, anonymization of personal data, and other confidentiality measures during the transfer process.
  • Where personal data is transferred for a fee in order to provide services to personal data subjects or to serve their legitimate interests: the parties must establish technical systems and transparent mechanisms that enable personal data subjects to give accurate and explicit consent for each transfer. Personal data may be processed only for the transfer purposes to which the personal data subject has consented, and those purposes must be consistent with the registered business lines.
  • Internal sharing: processes must be developed to control the sharing and use of personal data in compliance with regulations.
  • Data exchanges: personal data must be de-identified before being traded on a data exchange.

In Decree 13, "transfer" was primarily addressed in the context of preventing of collecting, transferring, purchasing and selling personal data without the consent of data subjects is a violation of law (Article 22).

6. Strict personal data protection in specific sectors

Decree 356 sets out specific requirements for personal data protection in various fields:

  • Finance, banking, and credit information activities (Article 8): banks are responsible for notifying the specialized agency for personal data protection and the personal data subjects within 72 hours of detecting the leakage or loss of sensitive personal data of data subjects.
  • Personal data in big data processing (Article 9): requires strong authentication methods, at minimum multi-factor authentication (passwords or PINs combined with one-time passwords, digital signature devices, or biometric factors), and delegated access so that only authorized persons can access personal data.
  • AI and Metaverse systems (Article 10): personal data subjects have the right to edit, anonymize, and delete identification profiles, including where platforms store behavioral history data.
  • Blockchain Technology (Article 11) and Cloud Computing (Article 12).

7. Conditions for personal data protection personnel and personal data protection departments in agencies and organizations

Clause 2, Article 13 stipulates that personal data protection personnel designated by an agency or organization must meet the following competency requirements:

  • Have a college-level degree or higher;
  • Have at least 02 years of work experience (counted from graduation) in one of the following fields: legal affairs, information technology, cybersecurity, data security, risk management, compliance control, human resources management, or personnel organization;
  • Have received training and further training in legal knowledge and professional skills related to personal data protection.

This is also a new provision that was not previously stipulated in Decree 13.

In addition to the above, Decree 356 provides more specific regulations on the order, procedures, and dossiers for personal data processing impact assessments and cross-border personal data transfer impact assessments. Attached to the decree are 10 templates and forms for these procedures. Enterprises should take note of these to ensure compliance with the new regulations.
