AI Regulation Tracker / Regulation in force
Vietnam's Decree 356 replaces Decree 13, changing impact-assessment and reporting steps
Vietnam issued Decree No. 356/2025/ND-CP on December 31, 2025 and made it effective the next day, alongside the new Personal Data Protection Law. It repeals Decree 13/2023, so existing Vietnam privacy programs need to review their required impact-assessment and reporting steps for January 1, 2026.
Vietnam closed 2025 by rewriting the operating manual for anyone who handles its citizens' personal data. On December 31, 2025, the government promulgated Decree No. 356/2025/ND-CP, the implementing decree for the country's new Personal Data Protection Law, and set it live the very next day, January 1, 2026, the same date the law itself took effect. In the process it repealed Decree 13/2023, the 2023 instrument that had governed Vietnamese data protection until then. For compliance teams, that timing matters: the paperwork that documented a lawful privacy program on December 31 no longer matched the rules on January 1.
From a placeholder decree to a full compliance regime
Decree 13/2023 was Vietnam's first comprehensive data-protection instrument, but it sat below statute level. The 2025 Personal Data Protection Law elevated data protection to a law passed by the National Assembly, and Decree 356 is the detailed guidance that makes it operational. Secondary analyses report a five-chapter, forty-two-article structure, unconfirmed against the official gazette. It converts the law's principles into concrete duties: how to classify data, how to document consent, how to assess processing risk, and how to move data out of the country.
The practical center of gravity is the form set. Controllers must run personal-data-processing impact assessments on the decree's new forms, and per secondary analyses the new reporting-form system is reported to replace the equivalents from Decree 13/2023. An impact assessment that was correctly filed under the old regime does not carry over cleanly; the underlying template changed. Teams that treated the 2023 filings as a one-time exercise now face a migration project, and they face it without the luxury of a phased rollout. The decree also addresses the machinery around those filings, including the specialized personal-data-protection agency and a National Portal on Personal Data Protection that channels reporting, so the obligation is not only new forms but a new place and process for submitting them.
Stricter transfers, a real DPO, and A05 oversight
Three obligations deserve specific attention. First, cross-border transfers face tighter procedures. Any organization moving Vietnamese personal data abroad must meet the decree's transfer-assessment requirements rather than the older Decree 13 process. Second, the decree codifies the role of data-protection personnel, the Vietnamese equivalent of a data-protection officer, with defined functions. Appointing someone in name is not the point; the decree expects that person to be empowered to carry out specified duties. Third, organizations must submit to inspection coordination with the Ministry of Public Security, which per secondary analyses is led by the A05 unit. That places a named regulator behind the paperwork, and it signals that documentation can be tested in practice rather than merely held on file.
Because the decree took effect immediately on promulgation, there was no comfortable grace window to prepare. The change was live before most teams returned from the New Year holiday.
What it does not do
Decree 356 is implementing detail, not a fresh policy departure. It does not replace the Personal Data Protection Law; it executes it. It does not repeal the broader data and cybersecurity instruments that also touch Vietnamese data. And it does not, on the strength of the secondary translations available, hand controllers a long transition runway. The load-bearing facts here, including the five-chapter, forty-two-article structure and the specific new duties, come from the paid luatvietnam.vn translation and reputable firm analyses such as Tilleke & Gibbins, EY Vietnam and Vietnam Briefing. Those are secondary sources. Organizations relying on exact article numbers or form specifications should confirm against the authoritative Vietnamese gazette text at vanban.chinhphu.vn before certifying compliance.
The cross-border angle for US firms
For a US reader, the reach is direct. A US company that markets to, or processes data about, people in Vietnam is a controller under this regime, and its outbound transfers of Vietnamese data now run through the decree's assessment procedure. That procedure sits in the same family as China's PIPL cross-border rules and the European Union's standard contractual clause regime: a documented transfer assessment before data leaves the country. A multinational running a single global privacy program can map Decree 356's transfer and impact-assessment duties onto controls it already maintains for GDPR, but it cannot assume the Vietnamese forms are interchangeable with European ones. The obligation is local, and the enforcing authority is the Ministry of Public Security.
Frequently Asked Questions
What changed under Vietnam's Decree 356/2025/ND-CP?
The decree implements Vietnam's Personal Data Protection Law and repeals Decree 13/2023. Effective January 1, 2026, it introduces a new impact-assessment and reporting-form system, stricter cross-border transfer procedures, codified data-protection-officer duties, and inspection coordination with the Ministry of Public Security.
Who is affected by Decree 356?
Any controller or processor of Vietnamese personal data, in any sector, including foreign and US firms that reach Vietnamese data subjects or transfer their data abroad. Compliance, privacy, legal, and IT security teams all inherit new documentation duties.
When did Decree 356 take effect and is there a grace period?
It was promulgated December 31, 2025 and took effect January 1, 2026, the same day as the Personal Data Protection Law. Because it applied immediately on promulgation, there was no meaningful transition window before the new forms and procedures became mandatory.
Do our old Decree 13 impact assessments still count?
Treat them as obsolete. Per secondary analyses, the new reporting-form system is reported to replace the Decree 13/2023 forms, so processing impact assessments and cross-border transfer assessments should be re-run on the Decree 356 form set rather than carried over.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.