Decree 356/2025 vs. Decree 13/2023: Updates on Personal Data Protection in Vietnam

On June 26, 2025, the Law on Personal Data Protection (PDP) 2025 was officially passed, coming into effect on January 1, 2026. Along with it, Decree 356/2025/ND-CP was enacted to provide detailed guidance on the new law, effectively superseding Decree 13/2023/ND-CP. This article provides a comprehensive Vietnam PDP Decree update, focusing on the critical comparison: Decree 356/2025 vs. Decree 13/2023: Updates on personal data protection in Vietnam. By analyzing these key changes, we aim to help organizations and individuals ensure optimal compliance in 2026 and mitigate unnecessary legal risks.

Data processing as a conditional business line subject to licensing by the Ministry of Public Security

Decree 356/2025 has established a legal framework for the business of processing personal data. Organizations and individuals wishing to conduct business in personal data processing must obtain a Certificate of Business Eligibility from the Ministry of Public Security and must meet the conditions stipulated in Article 22 of Decree 356/2025:

• Legal form: The organization or enterprise must be legally established and operating under Vietnamese law.
• Personnel: The person in charge of processing personal data must be a Vietnamese citizen residing in Vietnam; have a management and operational team that meets professional requirements; and have at least 3 personnel with the qualifications as stipulated in Clause 2, Article 13 of the Decree.
• Technical requirements: Possess infrastructure, equipment, facilities, and technology suitable for processing personal data.
• Legal dossiers: Have satisfactory results for the personal data processing impact assessment dossier and, in the case of transferring personal data abroad, have a cross-border personal data transfer impact assessment dossier.

Within 30 days from the date of receiving a complete and valid dossier, the specialized agency for personal data protection will assess, review, and decide whether to grant a Certificate of eligibility to conduct personal data processing services.

The list of sensitive personal data has been expanded

In Vietnam PDP Decree update, Decree 356/2025 has expanded the scope and more clearly specified the types of sensitive personal data, as shown in the following points:

• Data related to individuals’ illegal activities is now defined as sensitive personal data, instead of being limited only to violations that warrant criminal prosecution as before.
• More detailed regulations are in place for data in the banking sector, including login names, passwords for accessing bank accounts, bank card information, transaction history, and other related data.
• The scope of sensitive data is expanded to the securities and insurance sectors, meaning that information about the activities and transactions of clients at securities and insurance companies is also protected at a high level, not just limited to the banking sector.
• A group of data tracking behavior, habits, and activities using telecommunications services, social networks, online media services, and other services in cyberspace is added.

Thus, the expansion of the list of sensitive personal data under Decree 356/2025 reflects a trend towards strengthening the protection of individuals’ privacy in the context of digitalization, while also placing higher demands on organizations and businesses to comply with the law in the process of collecting, processing, and securing personal data.

Time limit for exercising the rights of personal data subjects

One of the new points in Vietnam PDP Decree update – Decree 356/2025 compared to Decree 13/2023 on guiding the protection of personal data is the specific and clear regulation of the time limits for exercising the rights of personal data subjects. According to Article 5 of the Decree, the timeframes are defined as follows:

• For rights such as withdrawing consent, requesting restrictions on processing, or objecting to the processing of personal data, the data controller or processor must respond within 2 working days and fulfill the request within 15 days; in cases involving a third-party data processor, the maximum time limit is 20 days.
• For requests to view, edit, or provide personal data, the fulfillment must be completed within 10 days; requests to delete personal data must be fulfilled within 20 days.

Appointment of a DPO (Data Protection Officer) is mandatory

According to Article 13 of Decree 356/2025/ND-CP, data protection personnel (DPOs) designated by agencies and organizations must meet the following competency requirements:

• Education: College degree or higher;
• Experience: At least 2 years of work experience (since graduation) related to one of the following fields: legal affairs, information technology, cybersecurity, data security, risk management, compliance control, human resource management, or organizational structure;
• Training and Development: Has received training and development in legal knowledge and professional skills related to personal data protection.

Mandatory requirements regarding qualifications and experience for DPOs aim to enhance the professionalization of the personal data protection personnel position, considering it a specialized technical and legal role. This contributes to improving the effectiveness of personal data protection in practice while also requiring businesses and organizations to proactively review, assign, or train suitable personnel to avoid the risk of violations in the process of complying with personal data laws.

Timelines for processing requests from personal data subjects

Unlike Decree 13/2023, which only stipulated a general 72-hour timeframe for data subject responses to requests, Decree 356/2025 established more specific and detailed timelines, including:

• Within 2 working days, the personal data controller and the personal data processing controller must respond to requests to withdraw consent to personal data processing, restrict personal data processing, or object to personal data processing.
• In cases where the subject requests to stop processing/withdraw consent/restriction/objection: this must be done within 15 days (in some cases involving the processing party/third party, it may take 20 days);
• In cases where the subject requests to view/edit/provide personal data, this must be done within 10 days (in cases involving the processing party/third party: 15 days);
• In cases where the subject requests to delete personal data: this must be done within 20 days (in cases involving the processing party/third party: 30 days);

Strict regulations on the conditions for transferring data abroad

Article 18 of Decree 356/2025/ND-CP tightens the conditions for transferring data abroad (transferring personal data across borders).

• Enterprises are required to prepare a cross-border data transfer impact assessment dossiers (Form No. 09) and notify the Ministry of Public Security (via Form 01a/01b).
• In particular, there must be a written agreement binding the data recipient abroad on legal responsibility and a commitment to protect the rights of Vietnamese data subjects.

This poses a significant challenge for multinational companies or enterprises using cloud services with servers located abroad. To comply properly, you need to thoroughly understand the conditions for transferring personal data overseas and prepare the necessary documentation carefully.

New forms on personal data protection

A major shift in Decree 356/2025 vs. Decree 13/2023: Updates on personal data protection in Vietnam is the detailed classification of administrative forms. This allows enterprises to accurately identify the required templates, thereby preventing application rejections due to non-compliance.

The above highlights the Decree 356/2025 vs. Decree 13/2023: Updates on Personal Data Protection in Vietnam. At Viet An Law, with our team of experienced experts, we are ready to provide in-depth legal consulting services on personal data protection, helping enterprises best prepare for this important change.