Vietnam: Prime Minister adopted Implementing Regulations of Law on Personal Data Protection including data protection regulation

On 31 December 2025, the Prime Minister adopted Implementing Regulations of Law on Personal Data Protection including data protection regulation, which will enter into force on 1 January 2026. The Implementing Regulations further specify the regulatory requirements established by the framework of the Law on Personal Data Protection. Articles 3 and 4 specify the distinction between basic personal data and sensitive personal data, with the latter requiring stricter security and confidentiality. Article 5 sets out the procedures for data controllers and processors to comply with data subject requests, including specific response and completion timelines for requests, while Article 6 sets out the methods for obtaining data subject consent for processing of personal data. The Implementing Regulations also set out additional data protection requirements for a range of specific processing activities, such as financial activities, big data processing, AI systems, blockchain, and cloud computing, including maintaining mechanisms to explain the use of personal data by algorithms to data subjects. Further, the Implementing Regulations specify the duties of internal data protection departments and providers of data protection services. The detailed requirements for personal data impact assessments, which controllers and processors must carry out, are set out in Articles 19 and 20. Controllers and processors must must prepare, maintain, and submit an impact assessment dossier to the protection agency within 60 days, detailing their processing activities, risks, and safeguards, and must be updated every 6 months, or, in case of major organisational or operational changes, within 10 days. Such assessments, applicable for both processing and cross-border transfer of personal data, must be updated every 6 months or immediately within 10 days for specific organisational or operational changes. Under Article 41, small businesses are exempt from the requirement to appoint dedicated data protection personnel and conduct impact assessment for 5 years from the effective date of the Law on Personal Data Protection, unless they provide data processing services, directly handle sensitive data, or process the data of over 100’000 individuals. Finally, Article 28 of the Implementing Regulations specifies the necessary details for processors or controllers to include in notifications for violations of personal data protection regulations to data protection agencies.