In the context of globalization and digital transformation, cross-border personal data transfers have become increasingly common, particularly for foreign-invested enterprises (FDIs), technology companies, e-commerce businesses, financial and banking institutions, and multinational corporations. To control risks related to privacy infringement and to ensure data security, the Law on Personal Data Protection No. 91/2025/QH15 (PDPL) and Decree No. 356/2025/ND-CP dated 31 December 2025 detailing a number of articles and implementation measures of the PDPL (Decree 356), which officially took effect on 1 January 2026, have established a relatively stringent legal framework governing this activity.
This article analyzes the core issues relating to cross-border personal data transfers that enterprises should pay close attention to when complying with Vietnamese law.
What is Cross-Border Transfer of Personal Data?
Cross-border transfer of personal data may be understood as the transfer of personal data of Vietnamese citizens outside the territory of Vietnam in any form. This activity not only includes the direct transmission or sending of data abroad, but also covers cases where data is accessed, exploited, or processed from overseas through information technology systems, cloud computing platforms, or servers located outside Vietnam.
In practice, common activities such as using a parent company’s human resources management (HRM) system, storing data on platforms such as Google Cloud, AWS, or Azure, or sharing customer data with foreign partners may all be considered cross-border personal data transfers and must comply with the relevant legal requirements.
Conditions for Cross-Border Transfer of Personal Data
Under current regulations, to be considered lawful, the transferring party must satisfy the following key conditions:
- The data transfer must fall within cases permitted by law or not prohibited;
- The transferring party must prepare and submit a cross-border personal data transfer impact assessment dossier in accordance with Article 18 of Decree 356;
- The purpose, scope, categories of transferred data, and data protection measures must comply with the principles of personal data protection under the law;
- Where the transferred data is found to pose risks to national security or cybersecurity, the competent authority has the right to request a suspension of the data transfer.
These conditions aim to ensure that cross-border data transfers do not infringe upon individuals’ privacy rights and remain consistent with Vietnam’s data protection objectives.
Cross-Border Data Transfer Impact Assessment Dossier
Prior to transferring personal data abroad, the transferring party is required to prepare a cross-border personal data transfer impact assessment dossier in accordance with Article 18 of Decree 356. This dossier plays a crucial role in demonstrating compliance and assessing risks arising from the data transfer.
The main contents of the dossier include:
- An impact assessment report in accordance with Form No. 09 (as provided in the Appendix to Decree 356);
- Copies of contracts or agreements on cross-border personal data transfer, specifying the responsibilities of the parties involved in the transfer and receipt of data;
- Policies, procedures, regulations, forms, and other relevant documents on personal data protection of the agency, organization, or individual engaged in cross-border personal data transfers.
This dossier must be retained and readily available for inspection and assessment by the competent personal data protection authority, and must be promptly updated if there are any changes relating to the purpose of transfer or the data recipient.
Submission Procedures and Processing Process
The PDPL and Decree 356 clearly stipulate the procedures for submission and the process for assessing cross-border personal data transfers:
- The transferring party prepares the impact assessment dossier in accordance with the prescribed form and compiles all required supporting documents;
- The dossier must be submitted to the competent personal data protection authority via the online system, in person, or by postal service within 60 days from the date the cross-border personal data transfer is carried out. However, Siglaw advises enterprises to finalize the TIA Dossier before initiating any cross-border data transfer. This ensures legal compliance and protects the enterprise against potential risks that may occur during the data processing;
- The competent authority will review the dossier and issue an assessment result within 15 days from receipt of a complete and valid dossier;
- In cases where the dossier is incomplete or non-compliant, the competent authority may request supplementation within 30 days before issuing a final decision.
Strict compliance with these procedures helps enterprises minimize legal risks and avoid sanctions for violations related to cross-border personal data transfers.
Comparison with Certain Regulations in the ASEAN Region
Cross-border personal data transfer is not only a legal issue in Vietnam but also a focal point of many data protection regimes within the ASEAN region. While each country adopts different approaches and requirements, they all share the common objective of safeguarding privacy and data security.
In Singapore, the Personal Data Protection Act (PDPA) permits cross-border data transfers provided that the recipient ensures a level of protection not lower than Singapore’s standards. In practice, enterprises often adopt appropriate safeguards such as Binding Corporate Rules, Standard Contractual Clauses, or the APEC Cross-Border Privacy Rules (CBPR) system to ensure secure data transfers. Compared with Vietnam, Singapore applies a more flexible regulatory approach, primarily relying on enterprises’ self-compliance and accountability.
In Malaysia, cross-border personal data transfers are specifically guided by the Personal Data Protection Guidelines No. 3/2025 on Cross-Border Personal Data Transfers (CBPDT), issued on 29 April 2025. Accordingly, personal data may be transferred abroad if it satisfies lawful grounds under Article 129 of Malaysia’s Personal Data Protection Act, including transfers to jurisdictions with equivalent protection, obtaining explicit consent from data subjects, or implementing appropriate safeguards such as Binding Corporate Rules or Standard Contractual Clauses.
In Indonesia, Law No. 27 of 2022 on Personal Data Protection regulates cross-border personal data transfers under Article 56, allowing data to be transferred to countries with an equivalent level of protection, subject to appropriate safeguards, or based on the explicit consent of data subjects. However, in practice, Indonesia adopts a more cautious approach through administrative control mechanisms and close supervision by state authorities, which may require enterprises to fulfill notification obligations or obtain regulatory approvals under implementing regulations. This approach differs from the self-assessment and self-accountability models commonly applied in Malaysia and Singapore.
Compared with other countries in the region, Vietnam is developing a cross-border personal data transfer regulatory model that seeks to strike a balance between privacy protection and facilitating business and investment activities. Vietnam’s regulations are neither as “open” as Singapore’s nor as “restrictive” as Indonesia’s, but instead emphasize enterprises’ ongoing compliance responsibilities through impact assessment dossiers and post-transfer oversight mechanisms. This requires enterprises – particularly FDIs, technology companies, and multinational corporations using HRM systems, cloud services, or overseas data centers – to proactively build long-term compliance strategies from the data processing system design stage.
Conclusion
Cross-border personal data transfer is an inevitable activity in the process of business integration and development, but it also entails significant legal risks if not conducted in accordance with the law. The PDPL and Decree 356 establish clear compliance requirements, obliging enterprises to proactively review, assess, and enhance their personal data governance frameworks.
With extensive experience in providing legal advisory services to both domestic and foreign enterprises, Siglaw Firm offers comprehensive consultancy services on cross-border personal data transfers, including data processing impact assessments, preparation of transfer dossiers, review of contracts with foreign partners, and assistance in working with competent state authorities. Siglaw is ready to accompany enterprises in ensuring legal compliance and operating their business activities in a safe and sustainable manner.
Contact us today for an initial free consultation with Siglaw’s experienced legal professionals.
Head Office in Hanoi: No. 44/A32 – NV13, Area A Geleximco, Le Trong Tan Street, Tay Mo Ward, Hanoi, Vietnam.
Email: vphn@siglaw.com.vn
Southern Branch: No. 103 – 105 Nguyen Dinh Chieu Street, Xuan Hoa Ward, Ho Chi Minh City, Vietnam.
Email: vphcm@siglaw.com.vn
Central Branch: VIFC DN – ICT Building, Software Park No. 2, Nhu Nguyet Street, Hai Chau Ward, Da Nang, Vietnam.
Hotline: 0961 366 238
Facebook: https://www.facebook.com/hangluatSiglaw
