The impact assessment of personal data processing and the impact assessment of cross-border transfer of personal data constitute two core compliance obligations for agencies, organizations, and individuals when processing personal data in Vietnam. The Personal Data Protection Law 2025 (“PDPL 2025”) and Decree No. 356/2025/ND-CP establish a relatively stringent legal framework, linking the obligation to prepare and submit assessment dossiers with post-inspection mechanisms and strict sanctions.
Subjects required to conduct impact assessments of personal data processing and cross-border data transfers
Under the PDPL 2025, the obligation to conduct impact assessments is determined based on the role of the entity within the data processing chain and the nature of the processing activities.
First, the Data Processing Impact Assessment (DPIA) applies to personal data controllers and personal data controllers-cum-processors. These entities are responsible for preparing, retaining, and submitting the DPIA dossier to the specialized authority for personal data protection from the commencement of personal data processing. For personal data processors, the obligation to prepare and retain the dossier is implemented in accordance with agreements with the data controller, unless otherwise prescribed by law. Competent state authorities are exempt from this obligation.

Second, the Transfer Impact Assessment (TIA) applies to any agency, organization, or individual that engages in one of the following activities:
(i) transferring personal data stored in Vietnam to systems located outside the territory of Vietnam;
(ii) transferring personal data from Vietnam to organizations or individuals abroad; or
(iii) using platforms located outside the territory of Vietnam to process personal data collected in Vietnam.
Certain cases are exempt from the obligation to conduct impact assessments, such as transfers conducted by competent state authorities, internal employee data transfers on cloud computing platforms, or cases where the data subject independently transfers their own personal data.
Procedures and components of impact assessment dossiers under Decree No. 356/2025/ND-CP
Decree No. 356/2025/ND-CP provides detailed regulations and clearly distinguishes the dossier components applicable to each type of impact assessment.
For Personal Data Processing Impact Assessments, the basic dossier includes:
(i) The Personal Data Processing Impact Assessment Report, comprising the following groups of contents:
- Identification Information & Personnel: Detailed contact information of the transferring party (in Vietnam), the receiving party (abroad), intermediary parties, and particularly the department/personnel in charge of data protection (Data Protection Officer – DPO).
- Data Flow Description: A clear explanation of the purpose of processing, specific categories of data (basic/sensitive), and a mandatory data flow diagram illustrating the end-to-end processing flow from Vietnam to overseas.
- Technical Infrastructure & Security: Description of overseas server system architecture, applied cybersecurity measures (such as encryption, firewalls, access control), and data retention and deletion/destruction policies upon completion of the processing purpose.
- Legal & Risk Assessment: Evidence of data subject consent, assessment of the level of data protection in the recipient country/entity, and analysis of potential risks together with mitigation measures.
(ii) Copies of contracts or personal data processing agreements clearly stipulating legal responsibilities among the parties; and
(iii) Policies, procedures, regulations, forms, and other relevant documents on personal data protection of the data controller, controller-cum-processor, and data processor.
For Cross-Border Transfer Impact Assessments, the dossier has a broader scope and includes the assessment report in the prescribed form together with the supporting documents listed below:
(i) The Cross-Border Personal Data Transfer Impact Assessment Report, comprising the following groups of contents:
- Identification Information & Personnel: Detailed contact information of the data controller, data controller-cum-processor, relevant third parties, and particularly the department/personnel responsible for data protection (DPO).
- Processing Workflow Description (Data Flow): A clear explanation of processing purposes, specific data categories (basic/sensitive), and a mandatory data flow diagram illustrating the movement of data within the operational system.
- Infrastructure & Safeguards: System architecture diagrams and descriptions of technical standards and security measures applied (such as encryption, firewalls, access control) to protect personal data.
- Legal & Risk Assessment: Evidence of consent collection procedures, data retention/destruction policies, self-assessment of regulatory compliance, and analysis of potential risks with corresponding mitigation measures.
(ii) Copies of contracts or personal data transfer instruments evidencing the binding obligations and responsibilities between organizations and individuals transferring and receiving personal data across borders; and
(iii) Policies, procedures, regulations, forms, and other relevant documents on personal data protection of agencies, organizations, and individuals engaged in cross-border personal data transfers.
These reports are complex and require both legal and technical expertise. Enterprises must prepare them carefully to avoid rejection or being deemed non-compliant with security requirements.
Compliance timelines and transitional provisions between Decree No. 13/2023/ND-CP and the PDPL 2025 and Decree No. 356/2025/ND-CP
The PDPL 2025 maintains the principle that dossiers must be submitted within 60 days from the first date of personal data processing or cross-border personal data transfer. Impact assessments are conducted once for the entire duration of operations but must be updated and supplemented when there are changes in purpose, scope, data categories, recipients, or protective measures.
Regarding legal transition, agencies, organizations, and individuals that have prepared and submitted impact assessment dossiers under Decree No. 13/2023/ND-CP are not required to resubmit dossiers under Decree No. 356/2025/ND-CP if the processing and transfer activities remain unchanged. However, where there are significant adjustments relating to personal data processing or transfer activities, the subject is obliged to prepare and submit updated dossiers in accordance with the new regulations.
This approach demonstrates policy continuity while reducing the compliance burden for enterprises during the transitional period.
Sanctions for failure to submit or complete dossiers as required
The PDPL 2025 establishes a strict sanctioning mechanism linked to the obligation to conduct impact assessments. Failure to submit dossiers, late submission, or failure to update dossiers upon changes may result in administrative penalties.
Notably, for cross-border personal data transfer activities, the monetary fine imposed on organizations may reach up to 5% of the revenue of the immediately preceding fiscal year.
In cases where dossiers have been submitted but are incomplete or non-compliant, the specialized personal data protection authority may require completion within 30 days. If, upon expiry of this period, the transferring party fails to comply or complies inadequately, the competent authority will consider imposing corresponding administrative sanctions.
This mechanism demonstrates that impact assessments are not merely formal procedural requirements but constitute substantive compliance obligations directly linked to enterprises’ legal and financial risks.
Personal data processing impact assessments and cross-border personal data transfer impact assessments are fundamental pillars of Vietnam’s personal data protection regime under the PDPL 2025. With the detailed implementation provided by Decree No. 356/2025/ND-CP, these obligations extend beyond dossier preparation to include ongoing updates, cooperation with regulatory authorities, and acceptance of stringent post-inspection mechanisms. In the context of increasingly severe sanctions, proactive compliance and the establishment of a robust data governance system have become strategic imperatives for all organizations and enterprises engaged in personal data processing activities in Vietnam.
Please contact Siglaw Firm for comprehensive consultation.