Vietnam: Implementing Regulations of Law on Personal Data Protection including data protection regulation entered into force

On 1 January 2026, the Implementing Regulations of the Law on Personal Data Protection including data protection regulation entered into force. The Implementing Regulations further specify the regulatory requirements established by the framework of the Law on Personal Data Protection. Articles 3 and 4 specify the distinction between basic personal data and sensitive personal data, with the latter requiring stricter security and confidentiality. Article 5 sets out the procedures for data controllers and processors to comply with data subject requests, including specific response and completion timelines for requests, while Article 6 sets out the methods for obtaining data subject consent for processing of personal data. Articles 19 and 20 specify that entities controlling or processing personal data must prepare, maintain, and submit an impact assessment dossier to the protection agency within 60 days, detailing their processing activities, risks, and safeguards. Such assessments, applicable for both processing and cross-border transfer of personal data, must be updated every 6 months or immediately within 10 days for specific organisational or operational changes. Article 23 specifies that organisations providing personal data processing services must establish security and risk management frameworks, conduct regular compliance assessments, ensure lawful processing purposes, and verify client identities. Article 28 specifies required details to include in notifications for violations of personal data protection regulations, and that they must be submitted to the protection agency via the designated form. Under Article 41, small businesses are exempt from the requirement to appoint dedicated data protection personnel and conduct impact assessment for 5 years from the effective date of the Law on Personal Data Protection, unless they provide data processing services, directly handle sensitive data, or process the data of over 100’000 individuals.