Vietnam Newsletter
Effective 1 January 2026, Decree 356/2025/ND-CP (Decree 356) of the Government replaces the previous Decree 13/2023/ND-CP (Decree 13) and provides detailed guidance for the implementation of the new Personal Data Protection Law (PDPL). This newsletter discusses key highlights of Decree 356, noting that certain provisions remain broad or technically demanding and will require close monitoring of enforcement practice and forthcoming guidance from authorities.
1. Classification of basic and sensitive personal data
Decree 356 issues a detailed list of basic personal data and sensitive personal data. The overall structure follows the previous Decree 13, but several data types used in business operations are now expressly classified as sensitive. For example, behavioral tracking and usage data across telecom, social networks, online media, and cyberspace services are reclassified from basic to sensitive, and the sensitive list now clearly includes bank account details, bank card information and transaction history, and images of ID documents.
2. Additional safeguards for sensitive personal data
When processing sensitive personal data, organizations must establish internal rules on access authorization, processing procedures and security measures. Transfers of sensitive personal data require enhanced measures, including physical security of storage or transmission devices, encryption, anonymization, and other appropriate safeguards.
Subject to further guidance from the authorities, Decree 356 seems to leave room for interpretation as to the level of technical sophistication required in practice.
3. Exercise of data subject rights
Decree 356 replaces the strict and widely debated “72-hour rule” under Decree 13 with longer and more differentiated timelines, depending on the type of request from data subjects and on whether processing is handled directly or via processors or third parties, with an extension mechanism for complex cases. Organizations acting as data controllers or data controller-processors must formalize processes and forms to ensure compliance.
4. Form and demonstrability of consent
Decree 356 clarifies that consent must be verifiable as to the time, scope of consent, and identity of the data subject, with the burden of proof remaining with the data controller and data controller-processor. Acceptable methods include written forms, recorded calls, SMS syntax, email, and websites, platforms or applications with a consent mechanism, among other verifiable methods. Default consent and misleading interface designs are expressly prohibited.
5. Contractual and technical requirements for personal data transfers
Decree 356 introduces a detailed and stricter regime for personal data transfers, both external and internal, including binding transfer agreements, personal data transfers involving fees, and internal data sharing.
Decree 356 significantly raises compliance expectations for group data flows, outsourcing and data monetization models, and requires businesses to standardize their transfer and internal data sharing rules, contracts and other documentation.
6. Data protection in certain high-risk activities
Higher and sector-specific requirements apply to areas such as finance-banking, including the application of technical standards, annual compliance assessments and detailed information provision before obtaining consent.
Decree 356 also introduces comprehensive obligations for data processing involving big data, artificial intelligence, blockchain, cloud computing and virtual environments, with a strong emphasis on technical safeguards and accountability.
7. Data Protection Officer (DPO) requirements
Organizations must formally appoint a DPO or data protection department (DPD) by a written decision containing certain mandatory details. Decree 356 stipulates requirements for the DPO, including a minimum education qualification, at least two years’ relevant experience (e.g., legal, IT, cybersecurity, compliance, HR), and dedicated personal data protection training. The role may be outsourced to qualified individuals or service providers, subject to contractual arrangements.
8. Data Processing Impact Assessment (DPIA) and Cross-border Data Transfer Impact Assessment (CDTIA)
Decree 356 provides more detailed procedural and substantive guidance on DPIA and CDTIA submissions. Notably:
a) Expanded CDTIA exemption cases: In addition to exemptions under the PDPL, Decree 356 exempts certain cross-border transfers from the obligation to submit CDTIA, including journalism, publicly disclosed data, emergencies, cross-border HR management, and transfers necessary for signing contracts or conducting procedures relating to cross-border transport, logistics, payments, travel, visas or scholarships.
b) Dossier content: The DPIA and CDTIA templates attached to Decree 356 have been overhauled and become more technically demanding compared to those under Decree 13, requiring detailed descriptions of data flows, system architecture, security measures, risk assessment and mitigation plans, and, for CDTIA, assessment of overseas recipients’ safeguards.
c) Regulatory appraisal timeline: A key new point is the introduction of a 15-day timeline for the competent department under the Ministry of Public Security to assess dossiers on a pass/fail basis, with a 30-day remediation period if the dossier is deemed incomplete or non-compliant. This reflects a shift from a purely filing-based regime under Decree 13 to a substantive review mechanism.
9. Exemptions for SMEs and start-ups
Small and start-up enterprises are exempt from the requirements to file a DPIA and appoint a DPO/DPD for up to five years, while household businesses and micro-enterprises are completely exempt from the same obligations, unless they (i) provide personal data processing services, (ii) process sensitive personal data, or (iii) process data of 100,000 or more data subjects.
Given the number of open and practice-dependent issues, close monitoring of enforcement guidance and early engagement in compliance planning are essential.