Effective from 1 January 2026, Vietnam’s Personal Data Protection Law 2025 (Law No. 91/2025/QH15) and Decree No. 356/2025/ND-CP officially come into force, establishing a comprehensive and enforceable legal framework governing the processing of personal data in Vietnam and the processing of personal data of Vietnamese individuals.

Compared to the former Decree No. 13/2023/ND-CP, the new regime is compliance-driven, requiring organizations not only to adopt internal policies, but also to demonstrate effective data governance capabilities, risk mitigation measures and legal accountability in the event of data incidents.

Key compliance obligations include:

1. Establishing internal personal data protection policies (Article 24 of the Law);
2. Identifying and retaining lawful bases for personal data processing (Articles 17–20);
3. Ensuring and responding to data subject rights (Articles 9–16);
4. Conducting Data Protection Impact Assessments (DPIA) (Article 25; Chapter II of Decree 356);
5. Assessing and notifying cross-border personal data transfers (Article 27; Chapter III of Decree 356);
6. Appointing a data protection officer or dedicated data protection function (Article 28);
7. Establishing procedures for handling personal data breaches and incidents (Article 30).

Accordingly, businesses should proactively:

• Review all personal data processing activities;
• Classify personal data, including sensitive personal data;
• Adopt internal personal data protection policies;
• Establish mechanisms to handle data subject requests;
• Prepare and retain DPIA documentation;
• Conduct cross-border transfer assessments where applicable;
• Appoint responsible data protection personnel;
• Implement incident response and breach notification procedures; and
• Maintain proper records for regulatory inspection.

Organizations may also consider engaging qualified legal and compliance advisors or data protection service providers to support policy development, compliance assessment, DPIA preparation, cross-border transfer filings and ongoing compliance monitoring.

Early preparation of legal, technical and organizational measures will be critical to mitigating legal and regulatory risks under the new personal data protection regime.

Disclaimer

This Newsletter contains only brief notes and includes legislation in force as of January 2026. The information herein is general and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one is entitled to rely on this information, and no one should act on such information without appropriate professional advice obtained after a thorough examination of the particular situation.