Vietnam's Personal Data Protection Law (PDPL) Takes Effect Alongside Implementing Decree 356 and Strict CTIA Dossier Mandates

Vietnam's data protection and governance landscape has undergone a sweeping modernization with the official entry into force of the Personal Data Protection Law (PDPL - Law No. 91/2025/QH15) on January 1, 2026. This landmark legislation elevates Vietnam's data protection framework from an executive decree to a formal legislative act.

Complementing the PDPL, the Vietnamese government enacted Decree No. 356/2025/ND-CP (Decree 356) on December 31, 2025, providing the detailed implementation measures required for compliance. This operates alongside the Law on Data (Law No. 60/2025/QH15), which took effect in July 2025 to establish a comprehensive state-supervised model for digital data (both personal and non-personal).

Defining Cross-Border Transfers

Under the PDPL and Decree 356, a cross-border transfer of personal data is defined as the transfer of personal data of Vietnamese citizens outside the territory of Vietnam in any form. This includes:

  • Directly sending or transmitting data abroad.
  • Allowing overseas entities to access, exploit, or process data stored in Vietnam through cloud computing platforms, servers, or information systems located outside the country (such as a parent company's central Human Resources Management (HRM) system or hosting on AWS, Azure, or Google Cloud).

The Cross-Border Transfer Impact Assessment (CTIA) Dossier

Prior to or within a strict post-transfer window, the transferring party must prepare and submit a Cross-Border Transfer Impact Assessment (CTIA) dossier under Article 18 of Decree 356. The dossier must contain:

  1. An impact assessment report drafted in accordance with Form No. 09 (found in the Appendix to Decree 356).
  2. Copies of the contracts or agreements governing the cross-border transfer, which must explicitly outline the data protection responsibilities of both the transferring and receiving parties.
  3. The transferring organization's internal privacy policies, procedures, and security regulations.

Submission Timeline and Authority Review

The submission and review process is highly structured:

  • Submission Window: The completed CTIA dossier must be submitted to the competent personal data protection authority (the Ministry of Public Security - MPS) via its online system, in person, or by post within 60 days from the date the cross-border transfer is first carried out. On the advice of legal counsel, companies should finalize this dossier before initiating transfers to mitigate compliance and operational risks.
  • Review Process: The MPS reviews the dossier and issues an assessment result within 15 days of receiving a valid and complete submission. If the dossier is incomplete or non-compliant, the MPS can request supplementation within 30 days before issuing a final decision.
  • Suspension Powers: Crucially, if the transferred data is found to pose risks to national security or cybersecurity, the competent authority has the right to immediately order a suspension of the data transfer.

Impact on Multinational Compliance Strategies

For compliance teams, Vietnam's new model relies on a state-supervised, post-transfer oversight mechanism. This contrasts with more flexible models in the region (like Singapore's accountability-based model) and requires multinational corporations to proactively build compliance strategies from the data architecture stage, ensuring all cross-border data flows are documented, contractually safeguarded, and backed by a formal CTIA dossier.
