Key points under Decree 356/2025 guiding the Personal Data Protection Law (PDPL 2025)
On 31 December 2025, the Government issued Decree 356/2025 guiding the implementation of the PDPL 2025, which took effect on 1 January 2026. Decree 356/2025 provides critical detailed guidance and, notably, resolves several ambiguities under the PDPL 2025 framework. This post highlights the key takeaways from this new regulation.
1. Expansion of "sensitive personal data": ID Cards and login credentials
As compared to the Draft PDPL Decree, Decree 356/2025 expands the scope of sensitive personal data to explicitly include:
· Login names and passwords of digital identity accounts (Tài khoản định danh điện tử). Under Decree 13/2023, this may have been captured by “information about digital accounts” of the data subject, which was classified merely as basic personal data; and
· Images of ID cards (thẻ căn cước), citizen ID cards (thẻ căn cước công dân), and people’s identity cards (chứng minh nhân dân) (collectively, ID Cards).
While this provision appears to aim at combating identity theft and fraud (e.g., recent scams involving the impersonation of public authorities to appropriate assets), it presents a major compliance hurdle for eKYC procedures across all sectors. Previously, under Decree 13/2023, the specific text information contained on an ID Card (such as full name and place of residence) was generally classified as basic personal data, unless it fell under "customer identification information of credit institutions", a category limited to the banking sector. Decree 356/2025, however, classifies the ID Card image itself as sensitive personal data in all cases. This triggers stricter obligations (e.g., mandatory access controls) for all sectors that rely on eKYC, including e-commerce, insurance, and fintech, rather than just credit institutions.
In addition, this creates a significant compliance burden for automated processing (e.g., OCR). For example, even if an e-wallet provider only holds the ID Card image momentarily to extract text data via OCR and immediately deletes the image, that activity still constitutes the "processing of sensitive personal data".
2. Data processing services - A broad scope with licensing risks
Decree 356/2025 treats "personal data processing services" (Dịch vụ xử lý dữ liệu cá nhân) as a conditional business line requiring a license from the MPS. The definition of this service is notably broad, including, for example, online personal data collection and processing services from websites, applications, software, and social networks. This wording creates a significant risk of over-reach: it opens a grey area in which standard B2B technology providers, such as cloud service providers, SaaS platforms, and marketing/analytics agencies, could be classified as "personal data processing service providers" rather than mere technical intermediaries.
Without further guidance, there is a risk of aggressive interpretation that even ordinary businesses operating their own activities (e.g., an e-commerce platform processing customer data for vendors) could be misconstrued as providing "personal data processing services." If interpreted broadly by regulators, this would impose a heavy and unrealistic licensing burden on a vast array of digital businesses in Vietnam.
3. DPO standards - "Relaxed" qualifications & the certificate gap
Unlike the Draft PDPL Decree (see our analysis here), which proposed stringent requirements for DPOs, including mandatory exams, Decree 356/2025 has significantly relaxed these standards. In particular, for both Internal DPOs and External DPOs, Decree 356/2025 has:
· removed the requirement to complete specific training courses organized by a qualified Vietnamese organization and to satisfy the standards of an MPS assessment program;
· lowered the professional education requirement from a “university degree” (trình độ đại học) to a “college degree” (trình độ cao đẳng);
· reduced the required years of experience in relevant fields (e.g., an Internal DPO is only required to have 2 years of experience—rather than 3 as previously proposed—in law, IT, cybersecurity, or related fields).
Notably, an Internal DPO can satisfy the requirement of “having received in-depth training in legal knowledge and professional skills regarding personal data protection” simply by receiving internal training from their organization. However, Decree 356/2025 is silent regarding External DPOs. It is unclear whether this requirement can be satisfied by holding certificates from international bodies (and whether the MPS would recognize such certificates), or if the personnel must obtain a specific certification issued by a Vietnamese entity.
4. Stricter regulations for the AI and Blockchain sectors
As compared to the initial regulations on specific-sector data processing under the Draft PDPL (see our analysis here), Decree 356/2025 introduces tightened compliance requirements specifically targeting the application of Artificial Intelligence (AI) and Blockchain in personal data processing, notably:
AI-generated data as personal data: Under Decree 356/2025, data generated or derived from AI technology may be classified as personal data (if it can identify an individual). This may pose several issues:
(1) Burden of protection for inferred data: There is a significant risk that any output generated by AI could be classified as personal data. If organizations are required to protect all AI-generated inferences—even incorrect or irrelevant ones—strictly as Personal Data, organizations face unjustified costs to protect data that may have no actual value or link to real individuals.
(2) The "consent paradox" (conflict with prior consent principles): Since the data subject is unknown before the AI algorithm runs, the organization cannot obtain their specific consent. However, by the time the AI identifies the data subject, the organization has technically already "processed" the data without consent, resulting in an immediate violation of the law.
(3) Re-identification risk: There is a heightened risk that data previously deemed "de-identified" (khử nhận dạng) may be "re-identified" (tái khử nhận dạng) by AI capabilities, effectively nullifying prior anonymization efforts and triggering retrospective compliance obligations.
Restrictions on blockchain storage: Under Decree 356/2025, the direct storage of raw personal data on a blockchain is prohibited. Personal data may only be stored on a blockchain if it has been (i) de-identified (khử nhận dạng); or (ii) converted into hash values (lưu trữ giá trị băm).
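The "hash values" alternative in the blockchain provision above deserves a practical caveat from a security standpoint. The following Python example is added here and is not part of the decree or of the original post; it uses a constructed, fictitious ID card number and a small enumerated candidate space. It shows that a plain, unkeyed SHA-256 of a low-entropy identifier such as an ID number can be matched back to its input by anyone able to enumerate plausible values (and is the same on every chain, so records become linkable), whereas a keyed hash (HMAC-SHA256 under a secret held off-chain by the controller, which is an assumption of this example and not a requirement stated by the decree) cannot be matched without the key, while still letting the key holder verify a record. Whether a keyed hash satisfies the decree's "hash value" wording is a legal question this example does not answer.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Iterator, Optional, Tuple

# Constructed sample: a fictitious 12-digit ID card number, not a real one.
SAMPLE_ID_NUMBER = "001099012345"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of the raw value. Deterministic and key-free, so anyone
    who can enumerate plausible inputs can test whether one matches."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept off-chain by the controller
    (hypothetical design choice). Without the key, an on-chain value
    cannot be compared against guessed inputs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def find_preimage(digest: str, candidates: Iterable[str],
                  key: Optional[bytes] = None) -> Optional[str]:
    """Linkability self-check: return the first candidate whose digest equals
    the stored one, or None. With key=None the check models an outsider who
    only sees the chain; with the key it models the controller re-linking."""
    for candidate in candidates:
        computed = keyed_hash(candidate, key) if key is not None else plain_hash(candidate)
        if hmac.compare_digest(computed, digest):
            return candidate
    return None


def candidate_ids(prefix: str, width: int, upto: int) -> Iterator[str]:
    """Constructed candidate space: every ID sharing a known prefix, with the
    remaining `width` digits enumerated from 0 to upto-1."""
    for n in range(upto):
        yield f"{prefix}{n:0{width}d}"


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Run the three checks over a 100,000-element constructed space and return
    (plain-hash result, keyed-hash result without key, keyed-hash result with key)."""
    def space() -> Iterator[str]:
        return candidate_ids("0010990", 5, 100_000)

    # 1. Plain hash on chain: the sample ID is recovered by enumeration.
    naive_digest = plain_hash(SAMPLE_ID_NUMBER)
    recovered = find_preimage(naive_digest, space())

    # 2. Keyed hash on chain, key unknown: no candidate matches.
    key = secrets.token_bytes(32)
    pseudonym = keyed_hash(SAMPLE_ID_NUMBER, key)
    not_recovered = find_preimage(pseudonym, space())

    # 3. Same keyed hash, checked by the key holder: the record can still be verified.
    relinked = find_preimage(pseudonym, space(), key)
    return recovered, not_recovered, relinked


if __name__ == "__main__":
    print(demo())
```

The enumeration is deliberately small so the check runs in well under a second; the point generalizes to any identifier whose value space is enumerable (ID numbers, phone numbers, dates of birth), which is exactly the kind of data an ID Card image contains. De-identification of such fields therefore needs a secret (a key or a per-record random salt stored off-chain), not a bare hash.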
5. Requirement for "per-instance" consent for data transfers
Decree 356/2025 introduces a stringent consent standard for the transfer of personal data, specifically impacting transfers from data controllers to data processors and other transfers requiring data subject consent. Decree 356/2025 mandates that organizations obtain the data subject's consent on a case-by-case basis (từng lần) for each transfer activity. This implies that a general or "blanket" consent obtained at the initial stage of collection may be deemed insufficient. Instead, the Data Controller must seek separate, specific consent for each distinct act of transferring data to a third party.
This requirement creates a significant compliance burden and operational risk for automated processing activities. For example, for service providers handling high-volume, repetitive transactions for the same purpose with the same recipient (e.g., payment intermediaries processing monthly subscriptions or e-commerce platforms handling recurring orders), a strict interpretation of this rule could require the processing entities to actively obtain consent for every single transaction.
6. Redundancies and conceptual overlaps with the PDPL 2025
Decree 356/2025 contains several provisions that appear repetitive or conceptually inconsistent with the definitions set out in PDPL 2025.
§ Repetitive regulations on cross-border data transfer - Decree 356 largely duplicates the definition of cross-border data transfer already established in PDPL 2025, creating unnecessary legislative redundancy. The only notable addition in Decree 356 is the explicit inclusion of "cloud computing services of a foreign service provider". Besides being inconsistent with the PDPL 2025, this addition expressly categorizes the use of foreign cloud services (e.g., AWS, Azure, Google Cloud) as a cross-border transfer activity, regardless of the physical location of the servers.
§ Terminological conflict: "anonymization" (ẩn danh) vs "encryption" (mã hóa). There is a significant conceptual overlap between the definition of "anonymization" in Decree 356/2025 and "encryption" under the PDPL 2025. Conflating these terms may lead to compliance confusion, as organizations may struggle to distinguish whether they are applying "anonymization" or "encryption" measures.
7. Resolution of ambiguities and conflicts within the PDPL 2025 framework
§ Harmonization with the Data Law 2024 on core and important data: Decree 356/2025 clarifies that for core data or important data that is also classified as personal data, the requirements regarding (i) data protection measures and (ii) procedures for submitting TIA and DPIA dossiers for processing and cross-border transfer will follow the PDPL 2025 and Decree 356/2025. This provision effectively eliminates the potential conflict with the Data Law 2024 (whereby duplicate risk assessments might have been required) (see discussions here), ensuring a unified and cohesive legal framework for data governance.
§ Supersession of Decree 13: Decree 356/2025 officially provides that it supersedes Decree 13/2023, becoming the primary legal decree guiding PDPL 2025. This resolves the ambiguity previously noted regarding the transitional validity of Decree 13/2023 (see discussions here).
This post is written by Trinh Phuong Thao.