Vietnam: Implementing Regulations of Law on Personal Data Protection including operational license requirement entered into force

On 1 January 2026, the Implementing Regulations of the Law on Personal Data Protection including operational license requirement entered into force. The Implementing Regulations further specify the regulatory requirements established by the framework of the Law on Personal Data Protection. Article 22 of the Implementing Regulations grants the Ministry of Public Security exclusive authority to issue, reissue, replace, and revoke certificates for providing personal data processing services, to be delegated to the personal data protection agency. Article 25 details the application requirements and the 30-day review process for obtaining a certificate, requiring submissions of business and personnel documents to the protection agency. Article 26 outlines the simpler procedures for reissuing a certificate due to loss, damage, or changes, typically completed within five working days. Article 27 specifies the conditions under which a certificate can be revoked, such as failing to meet operational requirements or violating data protection laws.