Decree 356 Explained: A Clear, Urgent Guide to Vietnam Personal Data Protection Decree 356 for Businesses
/ Insights / Articles / Decree 356 Explained: A Clear, Urgent Guide to Vietnam Personal Data Protection Decree 356 for Businesses

Decree 356 Explained: A Clear, Urgent Guide to Vietnam Personal Data Protection Decree 356 for Businesses

Published on: Jul 03, 2026 | Author: Marketing & Communications

Vietnam’s personal data protection regime enters a new operational phase with Decree No. 356/2025/ND-CP (Decree 356). The decree takes effect on January 1, 2026 and replaces Decree No. 13/2023/ND-CP, acting as the main implementing regulation for the Law on Personal Data Protection (PDPL). In practice, it aims to translate statutory principles into enforceable obligations and provide more procedural clarity on consent, data subject rights, cross-border transfers, and impact assessments. For business teams, the immediate takeaway is that informal privacy practices will be harder to defend. Decree 356 is framed around demonstrable, audit-ready compliance and clearer internal accountability.

A major change is scope. Decree 356 explicitly includes foreign entities that process personal data of Vietnamese citizens, even if processing occurs outside Vietnam. That extraterritorial framing matters for multinational HR systems, digital platforms, cloud operations, and shared analytics environments. The decree also sharpens the distinction between basic personal data and sensitive personal data, and it expands and details the sensitive category. Sources list sensitive data to include financial information, biometric identifiers, precise location data, behavioral tracking data, health records, and account credentials. Photos of Vietnam ID/Citizen Cards are also classified as sensitive personal data. Once data is classified as sensitive, stricter requirements apply, including stronger consent expectations, access control, security measures, and internal governance.

What Businesses Must Change First: Consent, Controls, and Proof

Decree 356 tightens what “valid consent” looks like in day-to-day workflows. Compared with Decree 13, it is described as more prescriptive and enforceable. Consent designs must avoid default or pre-ticked consent, and they must avoid forced or misleading mechanisms. Separate consent is required for separate processing purposes, and organizations must retain evidence of valid consent. This pushes marketing flows, onboarding screens, HR portals, and vendor forms into the compliance spotlight. Where sensitive personal data is involved (such as Vietnam ID card photos), additional obligations can be triggered, including appointing a personal data protection officer, conducting a personal data processing impact assessment, notifying data subjects about the processing of sensitive data, and implementing strict access controls for handling, transferring, storing, and deleting that data.

Impact assessments are another practical pressure point. Decree 356 provides more specific regulations on the order, procedures, and dossiers for personal data processing impact assessments and cross-border personal data transfer impact assessments. It also dedicates the entirety of Article 7 to detailed guidance on the transfer of personal data. For many organizations, that means data mapping and classification are no longer “best practices” but threshold tasks. Sources note that incomplete data inventories can expose compliance gaps, especially in cross-border transfers, automated processing, and third-party data sharing. Decree 356 also introduces explicit expectations for AI systems and virtual environments, including transparency and accountability, clear notice, explaining core algorithmic principles, and enabling opt-out where automated processing or inferred data may identify individuals.

Read also Inside Vietnam’s AI Data Center Boom: The Real Story Behind Vietnam AI Data Center Investment

Decree 356 includes exemptions, but they are conditional and should be validated against actual processing. Micro-enterprises and household businesses are exempt from appointing data protection officers and from performing impact assessments. Small enterprises and startups receive a five-year grace period starting January 1, 2026 for DPO appointment and certain operational standards, but only if they do not process sensitive personal data directly, do not handle personal data at scale (defined in the sources as more than 100,000 individuals), and do not serve as a data processing service provider. Separately, the decree adds qualifications for personal data protection officers, requiring at least a college degree, a minimum of two years’ post-graduation experience in relevant fields, and formal training in personal data protection laws and related professional skills. For regulated “data processing services” (including operating automated processing systems, online data collection, data analytics, mining, and encryption), sources indicate providers must be Vietnamese entities, obtain a data processing services certificate from the MPS, and meet prescribed personnel, technical, and operational requirements.

When does Decree 356 take effect, and what does it replace?

Decree 356 takes effect on January 1, 2026. It replaces Decree No. 13/2023/ND-CP and implements provisions of the PDPL.

How does Vietnam personal data protection Decree 356 change consent requirements for businesses?

It prohibits default or pre-ticked consent and forced or misleading consent mechanisms. It also requires separate consent for separate purposes and requires businesses to retain evidence of valid consent.

What types of data are treated as sensitive under Decree 356?

Sources list sensitive data to include financial information, biometric identifiers, precise location data, behavioral tracking data, health records, and account credentials. Photos of Vietnam ID/Citizen Cards are also treated as sensitive personal data.

Do small companies get any exemptions or grace periods under Decree 356?

Micro-enterprises and household businesses are exempt from DPO appointment and impact assessments. Small enterprises and startups can receive a five-year grace period from January 1, 2026 if they meet conditions, including not processing sensitive data directly and not handling data at scale (more than 100,000 individuals).

What are “data processing services” under Decree 356?

They cover activities such as operating automated processing systems, online data collection, data analytics, mining, and encryption. Sources state providers must be Vietnamese entities and obtain an MPS data processing services certificate while meeting prescribed requirements.

Unlock the potential of your business in dynamic markets with our expert consulting services.

With over 40 years of excellence, we deliver innovative solutions tailored to your needs.

Contact Us Today
Download Whitepaper

/ Contact Us

Speak to advisors with experience in the Vietnam market

 

  • No results found