Vietnam’s Decree 356/2025/ND-CP and Decree 165/2025/ND-CP: Navigating the Dual-Layered Cross-Border Data Transfer Framework
Vietnam has established a complex, dual-layered data governance and cross-border transfer regime. Compliance teams must navigate two distinct but overlapping primary laws and their respective implementing regulations:
- The Personal Data Protection Law (PDPL - Law No. 91/2025/QH15) (effective January 1, 2026), implemented by Decree No. 356/2025/ND-CP.
- The Law on Data (Law No. 60/2024/QH15) (effective July 1, 2025), implemented by Decree No. 165/2025/ND-CP.
Together, these laws govern personal and non-personal data exports, introduce strict impact assessment mandates, and propose severe revenue-based administrative fines for non-compliance.
1. The Dual-Layered Cross-Border Transfer Compliance Regime
To manage outbound data transfers from Vietnam, multinational corporations must classify their data flows along two primary tracks:
Track A: Personal Data Transfers under PDPL 2025 & Decree 356/2025/ND-CP
- Dossier Requirement (CTIA): Under PDPL 2025, entities transferring personal data abroad must prepare and submit a detailed Cross-Border Transfer Impact Assessment (CTIA) dossier to the Ministry of Public Security (MPS) within 60 days from the date of the first transfer.
- Key Exemptions: Crucially, certain standard transfers are exempt from the CTIA filing requirement. These include:
  - Transfers of employee personal data stored on centralized global cloud systems.
  - Instances where Vietnamese data subjects independently and directly transfer their own data abroad.
Track B: Core and Important Data Transfers under the Law on Data & Decree 165/2025/ND-CP
- Scope Expansion: The Law on Data applies broadly to all digital data (both personal and non-personal) and regulates "Important Data" and "Core Data" (as defined by lists issued by the Prime Minister). Important and core data are defined as information that could impact national defense, security, foreign affairs, macroeconomics, or social stability.
- Assessment Mandate: Under Decree 165/2025/ND-CP, data owners or administrators must conduct a separate data transfer impact assessment focusing on potential risks (such as data leakage and national security concerns) before transferring core or important data abroad.
- Overlap Resolution: To prevent double-reporting, the regulatory framework includes a critical carve-out: where data qualifies as both personal data and core or important data, an impact assessment under the PDPL 2025 is not required. The transfer is instead governed entirely by the stricter Law on Data regime under Decree 165/2025/ND-CP.
2. Looming Enforcement: Revenue-Based Fines and Penalties
Enforcement of these dual regimes is set to tighten significantly under a proposed draft decree on cybersecurity and personal data protection administrative sanctions:
- Revenue-Based Fines: For serious cross-border data transfer violations, the draft decree proposes fines of up to 5% of an enterprise's annual turnover in Vietnam. This represents a massive increase in financial exposure for multinational corporations.
- Illicit Gains Multiplier: Violations involving the unauthorized buying, selling, or trading of personal data may face administrative fines of up to 10 times the illegal gains derived from the conduct.
- Local Presence Mandate: Foreign enterprises operating in digital sectors (such as telecommunications, e-commerce, cloud storage, online applications, and gaming) that fail to comply with cybersecurity or data protection obligations after formal warnings may be compelled to establish a physical branch or representative office in Vietnam.
3. Action Items for Compliance Teams
To align global data infrastructure with Vietnam's complex regulatory environment, compliance teams should:
- Map and Classify Data: Conduct a comprehensive data mapping exercise to determine if any outbound data flows fall under the "Important Data" or "Core Data" thresholds, or if they qualify as standard personal data subject to PDPL 2025.
- Execute CTIAs: Prepare and file the CTIA dossiers within the 60-day window for standard personal data transfers, ensuring that intra-group data transfer agreements (DTAs) are updated with Vietnam-specific clauses.
- Establish Logging and Retention Protocols: Implement centralized logging systems capable of retaining system logs, user access details, IP addresses, and data processing activities. Under Decree 165/2025/ND-CP, organizations managing core or important data must maintain these logs throughout the data lifecycle and conduct regular backup and recovery drills.
- Appoint a Local DPO: Formally designate a Data Protection Officer or specialized unit responsible for receiving and reporting violations, and managing emergency response plans in the event of a breach.