You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

January 5, 2026

New Decree Provides Guidance for Vietnam’s Personal Data Protection Law

Subscribe to Updates

On December 31, 2025, the government of Vietnam promulgated Decree No. 356/2025/ND-CP detailing and guiding the implementation of the new Personal Data Protection Law (PDPL) that was issued in June 2025. The new decree, like the PDPL, entered into force on January 1, 2026, with the previous Decree No. 13/2023/ND-CP on personal data protection ceasing effect on the same day.

Some key points of the new decree include the following:

  • Comprehensive lists of basic and sensitive personal data are provided, which will require companies to review again their existing documents and data type classification to ensure compliance.
  • New timelines are established for responding to specific data subject requests. These timelines are more reasonable and longer than the previous 72-hour requirements.
  • Additional consent guidelines are provided, prohibiting default consent or ambiguous instructions that confuse data subjects about giving or withholding consent.
  • Mandatory content for data transfer agreements/clauses in particular cases is provided. This covers, among other things, (i) the legal basis for the transfer of personal data; (ii) responsibilities for personal data protection during the transfer and processing of personal data; (iii) responsibilities for ensuring the exercise of the rights of personal data subjects; and (iv) responsibilities for coordination and compliance of the parties in cases where violations of personal data protection regulations are detected.
  • The qualifications and responsibilities of data protection officers (DPOs) and data protection departments include, among others, having been trained and fostered in legal knowledge and professional skills regarding personal data protection. There are no specific provisions governing the qualifications or requirements for organizations that provide data protection training or education.
  • New mandatory templates and requirements are provided in relation to data processing impact assessment and data transfer impact assessment, and for cases in which companies need to re-submit assessments to the regulator.
  • Stricter requirements are applied to enterprises providing data processing services, including mandatory licensing, annual compliance and credibility assessments, and impact assessments dossiers approved by the relevant authorities.
  • Specific notification requirements are introduced for violations relating to personal location data and biometric data.
  • Personal data must be de-identified before being traded on a data trading platform.
  • Small enterprises and startups have a five-year grace period from the effective date of the PDPL to comply with regulations on preparing impact assessment dossiers and designating departments and/or personnel to protect personal data. Business households and micro-enterprises are exempted from these regulations. The grace period and exemptions, however, do not apply (i) when the scale of processing reaches 100,000 or more personal data subjects; (ii) in the provision of data processing services; or (iii) in cases where sensitive personal data is directly processed.
  • Specific provisions are set out concerning data protection in relation to banking, credit information activities, AI, metaverse technologies, big data, blockchain, cloud computing, and related fields.

Outlook

With the PDPL and its guiding decree already in effect, it is imperative that companies proactively assess and implement the new requirements to ensure ongoing compliance. Organizations are also encouraged to continuously monitor regulatory updates and additional guidance to remain informed and adequately prepared for any changes.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

January 6, 2026
On December 30, 2025, Thailand’s Electronic Transactions Development Agency (ETDA) notified digital marketplace operators of a consolidated list of “high‑risk products” that are subject to strict monitoring on digital platforms. The list was jointly prepared by the Thai Industrial Standards Institute (TISI) and the Food and Drug Administration (FDA) to guide platform compliance in the initial phase of implementation of the Electronic Transaction Committee’s Notification on Other Measures for Marketplace for Goods with Specific Characteristics under Section 18(2) of the 2022 Royal Decree on Digital Platform Businesses Requiring Notification B.E.2568 (2025). The notice is addressed to operators of digital platform services that function as product marketplaces with specific characteristics laid out in the notification. The ETDA states that the TISI and the FDA are closely monitoring the high‑risk product categories on digital platforms, and the published list serves as the baseline reference for platform screening during the initial phase of the notification’s implementation. High‑Risk Product List The list aggregates categories of products that are illegal to sell online or are otherwise tightly regulated under Thai law, with an emphasis on health-related products, controlled substances, medical devices, and a wide range of industrial products that require certification or compliance with specified Thai Industrial Standards, as detailed below. Prohibited and tightly controlled health products. This includes all categories of modern medicines subject to control other than general household remedies; all categories of controlled herbal products except for over-the-counter herbal products; narcotics; psychotropic substances; and medical devices requiring use in medical facilities or a physician’s prescription. Selected industrial products requiring heightened controls. The list highlights dozens of TISI-regulated items commonly sold online. Examples include pacifiers, rice cookers, electrical wire, food wrap film, crayons, washing machines and dryers, air conditioners, electric cookers and air fryers, water heaters, microwave ovens, LED luminaires, hair dryers
Read More
December 30, 2025
On December 17, 2025, Laos’ Ministry of Industry and Commerce (MOIC) issued a notice introducing a new digital system that allows e-commerce businesses to obtain required certificates and licenses through an online, application-based platform. Notice No. 3988, which will take effect on February 1, 2026, introduces the E-Trust platform, a downloadable application that allows e-commerce businesses to remotely obtain acknowledgement certificates and business operating licenses. New Digital Registration Options Under the previous framework established by the Decree on E-commerce (2021), businesses were required to complete registration exclusively through paper-based submissions. The new system now offers businesses two registration options: Traditional paper-based process at the Division of E-commerce Management within the MOIC; or Electronic registration and renewal through the E-Trust platform. This change is expected to streamline procedures, reduce administrative burdens, and enhance accessibility for businesses operating outside Vientiane. The E-Trust platform facilitates compliance for both individuals and legal entities required to submit applications and renewals for required certificates and licenses. The development is particularly beneficial for businesses located in remote provinces, as it eliminates the need for physical travel and significantly accelerates processing times. Compliance Requirements and Penalties Businesses must obtain or renew the required certificates and licenses to avoid sanctions under the Decision on Fines and Other Measures for Violation of the Decree and Regulations on E-commerce (No. 2828/MOIC, dated November 11, 2025). Penalties for noncompliance may include monetary fines and other enforcement measures.
Read More
December 26, 2025
Thailand has granted ride-sharing platforms additional time to comply with new regulatory requirements, extending the compliance deadline to March 31, 2026 (replacing the previous deadline of October 2, 2025). The postponement was made official on December 18, 2025, when Thailand’s Electronic Transactions Development Agency (ETDA) published the second Notification Regarding Supervision of Ride-Hailing Platforms Classified as High-Impact Digital Platform Services under the Royal Decree on Digital Platform Service Businesses. The notification provides additional time for ride-sharing platforms and drivers to transition to full regulatory compliance. The extension replaces the effective date provision of the earlier notification and applies specifically to ride-hailing activities. Background The postponement responds to feedback from operators and driver groups regarding challenges converting private vehicles into legally registered public vehicles, including complex registration procedures, high compliance costs, and operational delays. The Department of Land Transport (DLT) is concurrently reforming its vehicle registration and driver verification processes to streamline operations. Given these issues, the Electronic Transactions Committee has deferred enforcement to provide an adjustment period for operators and drivers to meet compliance requirements. Ongoing Obligations While the effective date has been deferred, the substantive obligations imposed on ride-sharing platforms remain fully intact. Operators must continue preparing to comply with the additional duties applicable to high-impact digital platform services, beyond the general requirements under the digital platform services framework. Operators are expected to use the extended transition period to finalize operational and compliance readiness ahead of enforcement on March 31, 2026. Key focus areas include: Integration with DLT vehicle-registration systems Deployment of robust driver and passenger identity verification mechanisms Updates to platform terms of service, driver-onboarding standards, and internal operational policies Preparation for ETDA reporting obligations and future audit and review processes Next Steps While the postponement replaces the previous effective date with the new March 31, 2026,
Read More
December 26, 2025
The Bank of Thailand (BOT) has released the Guidelines for Digital Fraud Management, which took effect on December 17, 2025, incorporating certain amendments to the draft guidelines issued in March 2025. These official guidelines aim for end-to-end digital fraud prevention, with a particular focus on mule accounts, to enhance trust and security in Thailand’s financial system. The guidelines apply to “financial service providers,” including: Financial institutions and special financial institutions under the Financial Institution Business Act; and Operators of Inter-institutional Fund Transfer System e-money services and e-fund transfer services under the Payment Systems Act. Besides commercial banks and e-money operators that offer fund-transfer services, other providers may adopt requirements based on risk proportionality and baseline standards set out in the guidelines (for instance, an e-money operator that does not offer e-fund transfer services could consider implementing a fraud monitoring and detection system according to the risk level of its service). The guidelines establish the following key requirements: Policy and oversight. Directors and senior executives of financial service providers must adopt appropriate “end-to-end” fraud management policies and KPIs to manage digital fraud, covering prevention, monitoring, detection, management, resolution, and support for affected customers. The fraud management policy must be regularly reviewed, and whenever there is a situation or change that significantly affects the efficiency of the fraud management. Any significant update to the policy must first be approved by the board of the financial service provider. The BOT also encourages providers to collaborate in establishing industry standards aligned with applicable laws and regulations to ensure consistency and best practices across the sector. Fraud management processes. Financial service providers must establish a clear framework for managing digital fraud throughout the customer lifecycle—from customer onboarding to service termination—covering at least the following processes: Know your customer (KYC) and customer due diligence (CDD):
Read More