Vietnam: Law on Personal Data Protection including data protection authority governance enters into force

On 1 January 2026, the Law on Personal Data Protection enters into force. The Law delineates the structure, powers, and responsibilities of the data protection authorities. Article 36 formally designates the Ministry of Public Security (MPS) as the lead, central data protection authority. The Ministry of Public Security is responsible for the unified state oversight of data protection, issuing guidelines, handling complaints, and promoting international cooperation (Article 33, 36). Article 36 also creates a hybrid model where sector-specific ministries (e.g., health, finance) and local governments have management responsibilities within their respective domains, under the overarching framework of the MPS. Article 20 states that on a case-specific basis, the authority in charge of personal data protection has the power to audit, conduct inspections, and block data transfers on national security grounds. Article 21 states that the authority in charge of personal data protection shall oversee the completion of the personal data processing impact assessment dossier by the data controller and/or processor. Article 23 formally designates the authority in charge of personal data protection as the recipient of data breach notifications and the lead entity for handling violations.