The Next Chapter In Data Protection: New Decree Guiding The Personal Data Protection Law
19/01/2026 13:00

On 31 December 2025, Decree No. 356/2025/ND-CP guiding the implementation of the Personal Data Protection Law (Decree 356) was officially issued by the Government. Decree 356 came into effect on 1 January 2026 and replaces Decree No. 13/2023/ND-CP dated 17 April 2023 of the Government on personal data protection (Decree 13), thereby contributing to the effective implementation of the Personal Data Protection Law and ensuring consistency across the legal framework on personal data protection. In this Legal Update, we present notable provisions of Decree 356 and compare them with those of Decree 13, thereby highlighting key changes and their potential implications for businesses.
1. Implementation of data subject rights
Compared to Decree 13, Decree 356 introduces specific procedures and timelines for the data controller and the data controller-and-processor to respond to and implement data subject requests.
Specifically, Decree 356 requires that the data controller and the data controller-and-processor respond within two (2) working days from the date of receipt of a request and provide information on the procedures for fulfilling that request. While Decree 13 required that data subject requests be fulfilled within seventy-two (72) hours of receipt, Decree 356 establishes a different processing time for each type of data subject request, including provisions for extensions where necessary and reasonable, as detailed in the table below.
| Data subject request | Decree 13 | Decree 356: by the data controller / data controller-and-processor itself | Decree 356: if a data processor or third party is involved | Decree 356: extension period (if any, permitted once only) |
|---|---|---|---|---|
| Withdrawal of consent, restriction, or objection to processing | Seventy-two (72) hours | Fifteen (15) days | Twenty (20) days | Fifteen (15) days |
| Access, rectification, and provision of personal data | Seventy-two (72) hours | Ten (10) days | Fifteen (15) days | Ten (10) days |
| Erasure of personal data | Seventy-two (72) hours | Twenty (20) days | Thirty (30) days | Twenty (20) days |
| Requests to implement solutions and measures to protect personal data | Not regulated | Fifteen (15) days | Not applicable | Fifteen (15) days |
2. Internal data protection department and data protection officer
Decree 356 sets out the conditions and qualifications for the internal data protection department (DPD) and the data protection officer (DPO), which were not provided under Decree 13.
(i) Conditions applicable to the internal DPO:
(a) Having a college degree or higher;
(b) Having at least two (2) years of work experience (since graduation) related to one of the following fields: law, information technology, cybersecurity, data security, risk management, compliance control, human resource management, or organisational structure;
(c) Having received training in legal knowledge and professional skills relating to personal data protection.
(ii) Conditions applicable to the internal DPD: personnel in the DPD must satisfy the conditions applicable to the DPO as set out above.
3. Personal data protection services
Decree 356 expressly allows enterprises to engage personal data protection services offered by either an individual or an organisation, provided that the following conditions are met:
(i) Conditions applicable to individual service providers:
(a) Having a college degree or higher;
(b) Having at least three (3) years of work experience (since graduation) related to one of the following fields: law, personal data processing, cybersecurity, data security, risk management, or compliance control;
(c) Having received in-depth training in legal knowledge and professional skills relating to personal data protection.
(ii) Conditions applicable to organisational service providers:
(a) Being an organisation or enterprise with functions, duties, or business lines in technology, legal services, or consulting on technology or legal matters;
(b) Having at least three (3) employees who fully satisfy the conditions applicable to individual service providers as mentioned above; and
(c) Having already provided products and services related to cybersecurity, information technology, standards assessment, or personal data protection consulting.
4. Cross-border personal data transfer impact assessment
Decree 356 provides additional cases that are exempt from conducting a cross-border personal data transfer impact assessment, thereby significantly reducing unnecessary administrative burdens for businesses. These exemptions include:
(i) Journalism and communication activities in accordance with the law;
(ii) Cross-border transfer of personal data that has been disclosed in accordance with the law;
(iii) Emergencies where it is necessary to transfer personal data across borders to protect life, health, or property safety of individuals or to perform tasks and obligations as prescribed by law;
(iv) Cross-border transfer of personal data for cross-border personnel management in accordance with labour rules and regulations, and collective labour agreements as prescribed by law; and
(v) Provision of personal data across borders for contract conclusion or for carrying out procedures related to cross-border transportation, logistics, remittance, payment, accommodation, visa applications, or scholarship applications.
5. Personal data processing services
This is a new provision introduced by Decree 356. Accordingly, data processing services include, among others, credit scoring services, personal data encryption services, and automated data processing using AI, big data, blockchain, or the metaverse. These services are subject to strict conditions and are required to complete relevant procedures for obtaining certificates of eligibility for providing personal data processing services.
6. Exempt obligations
Under both Decree 13 and Decree 356, certain regulatory obligations may be exempted. However, Decree 356 significantly broadens the scope of exempt obligations, the types of entities eligible, and the duration of exemptions. Specifically:
| | Decree 13 | Decree 356 |
|---|---|---|
| Scope of exempt obligations | Designation of DPD and DPO | |
| Entities eligible for exemption | | |
| Duration of exemptions | Two (2) years from the date of establishment of the entities | |
| Cases not eligible for exemption | Micro, small, and medium-sized enterprises, and start-ups that directly engage in the processing of personal data | Business households, micro enterprises, small enterprises; and start-ups that: |