Vietnam PDPL 2026 Compliance Checklist for Businesses

Updated Nov 21, 2025
  • Vietnam is moving from a patchwork of ICT and cybersecurity rules to a full Law on Personal Data Protection (PDP Law) that will apply strictly from January 2026, on top of Decree 13/2023/ND-CP already in force.
  • Most businesses that systematically handle customer data in Vietnam should now treat a Data Protection Officer (DPO) or equivalent function as mandatory, and must be ready to evidence this to the Ministry of Public Security (MPS).
  • Any cross-border transfer of customer data (for example, to cloud servers in Singapore or the US) requires impact assessments, formal records of consent, contractual safeguards with foreign recipients, and, for many transfers, notifications to MPS.
  • Regulators are shifting from "educational" warnings to aggressive enforcement: current fines can reach billions of VND, and the 2026 PDP Law is expected to introduce revenue-based penalties for serious or repeated violations.
  • Alongside data protection, foreign and local players in media, technology and telecoms must navigate content controls, telecom licensing, data localization and cybersecurity review by MIC and MPS.
  • 2024-2026 is a compressed compliance window: in-house teams should prioritise DPIAs, cross-border transfer files, DPO appointments, vendor contract updates and incident-response playbooks.

What is the legal framework for media, technology and telecoms in Vietnam?

Vietnam regulates media, technology and telecoms through a dense mix of sectoral laws (telecoms, radio, press, cybersecurity) plus general data protection rules under Decree 13/2023/ND-CP and the upcoming PDP Law from January 2026. The key regulators are the Ministry of Information and Communications (MIC) and the Ministry of Public Security (MPS), which share oversight of networks, platforms, content and data.

  • Core statutes and regulations
    • Media and online content
      • Law on Press 2016
      • Law on Cyberinformation Security 2015
      • Law on Cybersecurity 2018 and Decree 53/2022/ND-CP
      • Decree 72/2013/ND-CP on internet services and online information, as amended by Decree 27/2018/ND-CP and Decree 150/2018/ND-CP
      • Regulations on online advertising and cross-border advertising services (various MIC circulars and decrees)
    • Telecoms and infrastructure
      • Law on Telecommunications 2009 and the new Law on Telecommunications 2023 (phased effect from 2025)
      • Law on Radio Frequencies 2009 (amended 2022)
      • Decrees on licensing of telecom services, data centers and cloud computing (implementing the 2023 Law)
    • Data and cyber
      • Decree 13/2023/ND-CP on personal data protection
      • Upcoming Law on Personal Data Protection (PDP Law) effective January 2026
      • Law on Cybersecurity 2018 and Decree 53/2022/ND-CP (data localization and local presence obligations for certain foreign providers)
      • Law on Electronic Transactions 2005 and its 2023 replacement law
  • Key regulators and their roles
    • MIC - licences telecoms, OTT telecom-related services, data centers/cloud, manages spectrum, supervises online content and advertising, and issues takedown requests.
    • MPS (especially Department of Cybersecurity and High-Tech Crime Prevention, often referred to as A05) - enforces cybersecurity, data protection, data localization, and cross-border data transfer requirements.
    • Other involved bodies include the Competition Authority (for digital platforms and competition law) and sector regulators (banking, health, education) for sector-specific data rules.
  • Who is caught
    • Local Vietnamese entities providing media, tech, telecoms and platform services.
    • Foreign platforms and cloud providers serving Vietnamese users, even without a local subsidiary, especially if they reach user or traffic thresholds under Decree 53.
    • Any company (local or foreign) that processes personal data of individuals in Vietnam, if the processing is carried out in or targets Vietnam.

How is personal data regulated between now and the 2026 PDP Law?

From now until January 2026, personal data in Vietnam is mainly governed by Decree 13/2023/ND-CP, alongside the cybersecurity and sectoral laws. The PDP Law will harden these rules with primary legislation and revenue-based penalties, but companies cannot wait for 2026 to implement DPIAs, DPO functions and cross-border transfer documentation.

  • Current regime (Decree 13/2023/ND-CP)
    • Applies broadly to any organization or individual that processes personal data in Vietnam or processes data about Vietnamese individuals.
    • Defines personal data, sensitive personal data, and sets out principles (lawfulness, purpose limitation, minimisation, security, accountability).
    • Requires:
      • Valid consent (opt-in, specific, documented) for most processing, subject to exemptions.
      • A personal data processing impact assessment (DPIA) for processing activities.
      • A separate cross-border transfer impact assessment (CBTIA) for transfers outside Vietnam.
      • Designation of personnel/unit responsible for data protection (functional DPO).
      • Contractual arrangements between controllers and processors.
  • Transition to the Law on Personal Data Protection (effective January 2026)
    • The PDP Law will upgrade Decree 13 into a full statute with:
      • Clearer definitions of "controller", "processor" and "joint controller".
      • More explicit data subject rights and response deadlines.
      • Formal statutory obligations for DPOs and record keeping.
      • Revenue-based fines for high-impact violations and repeat offenders.
    • Implementing decrees and MIC/MPS guidance during 2024-2025 are expected to align Decree 13 obligations with the PDP Law and set practical thresholds for SMEs.
  • Practical implications 2024-2026
    • You should build your compliance program based on Decree 13 now, but design it with enough flexibility to plug into the PDP Law structure.
    • Regulators will increasingly treat 2024-2025 as a "grace build" period; by 2026, they will expect:
      • Completed DPIAs for key processing operations.
      • Documented cross-border transfer files for all overseas hosting/outsourcing.
      • An appointed and trained DPO or DPO unit.
      • Incident response and breach notification playbooks.

When must you appoint a Data Protection Officer in Vietnam?

Under Decree 13, almost all organizations that process personal data in or from Vietnam must designate at least one person or unit responsible for personal data protection, often referred to in practice as the DPO. In reality, any medium-to-large company that relies on customer, employee or user data, or that transfers data overseas, should assume a DPO function is mandatory and must be identifiable to MPS.

1. Current requirement under Decree 13/2023/ND-CP

  • Who is caught
    • Personal data controllers, processors and entities acting as both.
    • In practice, this covers almost every incorporated business with employees, customers or users in Vietnam.
  • What is required
    • Appointment of an internal department or individual in charge of personal data protection activities.
    • Recording their:
      • Name and contact details.
      • Organizational position and reporting line.
      • Scope of mandate (monitoring compliance, advising, training, liaising with MPS).
    • In many cases, notification of these details to MPS (typically A05) via the prescribed form or channel.
  • Practical thresholds for a "real" DPO
    • Although Decree 13 does not carve out clear SME exemptions, MPS practice focuses on:
      • Large-scale or high-risk processing (telcos, banks/fintech, e-commerce, ride-hailing, social platforms, adtech).
      • Processing of sensitive personal data (finance, health, biometrics, location, political views, children).
      • Cross-border data transfers and cloud hosting.
    • If you fall in any of these categories, treating the DPO as a nominal role is risky; you should have:
      • Written DPO terms of reference.
      • Budget and authority to conduct DPIAs, training and audits.
      • Direct access to senior management.

2. Expected changes under the 2026 PDP Law

  • Formalisation of the DPO role
    • The PDP Law is expected to:
      • Define the DPO role in primary legislation.
      • Specify independence safeguards (limited conflicts of interest, direct line to senior leadership).
      • Introduce explicit obligations to keep records, oversee DPIAs and represent the company in dealings with MPS.
  • Likely risk-based scoping
    • Future implementing rules are expected to:
      • Prioritise DPO requirements for controllers conducting systematic monitoring, profiling or large-scale sensitive data processing.
      • Allow more flexible arrangements (shared or outsourced DPO) for SMEs with lower risk profiles.
    • Many multinational groups already appoint a regional DPO covering Vietnam, combined with a local contact person in the Vietnamese entity.

3. Actionable steps to appoint and operationalise a DPO

  1. Decide the model
    • Internal DPO (senior legal/compliance/IT security person) with data protection as a core responsibility.
    • Hybrid model: regional DPO plus local data protection coordinator.
    • External DPO service provider, supplemented by an internal liaison officer.
  2. Define the mandate in writing
    • Prepare a DPO charter describing:
      • Scope of processing they oversee.
      • Right to access information and systems.
      • Reporting line and right to escalate to the CEO/board.
  3. Notify MPS if required
    • Complete the relevant MPS form (or portal submission) with the DPO's contact details.
    • Retain proof of submission and any MPS acknowledgement in your compliance file.
  4. Embed the DPO in key processes
    • Require DPO sign-off for:
      • New products or features that use personal data.
      • New vendors/outsourcers handling customer data.
      • Cross-border transfers and use of foreign cloud services.

What paperwork is required to transfer customer data from Vietnam to Singapore or the US?

To send customer data from Vietnam to servers in Singapore, the US or elsewhere, you must prepare a formal impact assessment, secure valid consent where required, put contractual safeguards in place, and, in many cases, notify or file documents with MPS. These requirements apply whether the transfer is to your own group data center or a third-party cloud or SaaS provider.

1. Identify whether your transfer is in scope

  • In-scope transfers
    • Hosting Vietnamese customer data on foreign cloud platforms (for example, AWS Singapore, GCP Singapore, US-based SaaS CRMs).
    • Sharing data with foreign group entities for analytics, marketing, support or development.
    • Outsourcing processing to foreign service providers (BPO, IT support, KYC/AML vendors).
  • Typical out-of-scope scenarios
    • Purely domestic storage and processing within Vietnam-based data centers.
    • Transfers that technically transit foreign networks but are not stored or accessed outside Vietnam (less common in practice).

2. Mandatory impact assessments (DPIA and cross-border transfer assessment)

Decree 13 requires two separate but related documents: a general DPIA for your processing, and a dedicated impact assessment for each cross-border transfer scheme.

  1. Prepare the general DPIA (sometimes called PDPIA)
    • Describe:
      • Types of personal data processed (basic, sensitive).
      • Purposes (service provision, billing, fraud prevention, marketing, etc.).
      • Data subjects (customers, prospects, employees, partners).
      • Systems and locations (including foreign servers).
    • Assess:
      • Risks to data subjects (identity theft, discrimination, financial loss).
      • Likelihood and severity of those risks.
    • List safeguards:
      • Technical: encryption, pseudonymisation, access controls, logging.
      • Organisational: policies, training, vetting, segregation of duties.
  2. Prepare the cross-border transfer impact assessment (CBTIA)
    • Identify:
      • Exporter (Vietnam entity) and importer (for example, AWS Asia-Pacific company, US HQ).
      • Destination countries (Singapore, US, etc.).
      • Categories and volume of personal data transferred.
      • Purpose of transfer (hosting, backup, support, analytics).
    • Evaluate:
      • Local data protection regime and risks in destination countries.
      • Importer's security certifications (ISO 27001, SOC 2) and policies.
    • Conclude:
      • Whether safeguards reduce risk to an acceptable level.
      • Residual risks and why the transfer remains necessary.
  3. Retention and filing
    • Keep both assessments on file and update them when:
      • You change cloud providers or regions.
      • You add new types of data or processing purposes.
    • For certain transfers, you may need to submit the CBTIA to MPS or at least be ready to provide it upon request or inspection.

3. Consent and transparency requirements

  • Customer consent
    • For many cross-border transfers, you must obtain explicit, informed consent from data subjects, unless a Decree 13 exemption applies.
    • Your privacy notice and consent records should:
      • Identify that data will be stored/processed outside Vietnam.
      • Specify destination countries and general categories of recipients (for example, "our group companies in Singapore and the United States" or "our cloud hosting providers located in Singapore").
  • Internal and external notices
    • Update internal policies and data mapping to reflect cross-border flows.
    • Publish or make available a privacy notice in Vietnamese, explaining:
      • What data you collect.
      • Why and where it is transferred.
      • How individuals can exercise their rights or withdraw consent.

4. Contractual safeguards with foreign recipients

  • Data processing agreements (DPAs)
    • Include in intra-group agreements and vendor contracts:
      • Purpose and duration of processing.
      • Type of personal data and involved data subjects.
      • Security measures and incident notification timelines.
      • Sub-processor conditions and audit rights.
  • Cross-border transfer clauses
    • Although Vietnam does not yet have EU-style standard contractual clauses, your contracts should:
      • Commit the foreign recipient to comply with Vietnamese data protection requirements where relevant.
      • Address onward transfers to third countries or third parties.
      • Provide MPS cooperation clauses (for example, timely responses to regulatory requests).

5. Notifications to the Ministry of Public Security

  • MPS notification file typically contains
    • Details of the Vietnamese exporter and foreign recipient(s).
    • Categories and volume of data, number of data subjects.
    • Purposes and legal basis of the transfer.
    • Summary of your CBTIA findings and safeguards in place.
  • Timing and follow-up
    • File before or at the start of the transfer scheme, in line with MPS guidance and formats.
    • Maintain a log of all filed transfers and keep copies of submissions.
    • Be prepared to respond promptly to follow-up questions or inspections from MPS.

How are penalties for data and ICT violations changing in Vietnam?

Currently, most data and ICT violations attract fixed administrative fines in VND, often coupled with remedial measures such as deletion of data or suspension of online services. From January 2026, the PDP Law is expected to introduce revenue-based fines for serious personal data violations, signalling a move toward European-style deterrence.

1. Current penalty landscape (before PDP Law)

  • Administrative fines under existing decrees
    • Decree 15/2020/ND-CP (as amended) covers telecoms, IT and online content violations.
    • Other decrees and sectoral rules add specific sanctions for banking, insurance, health data, etc.
  • Typical ranges for personal data related breaches
    • Failure to obtain valid consent or misuse of personal data: typically from around VND 10 million to several hundred million, depending on severity and scale.
    • Serious or large-scale breaches of data protection or cybersecurity obligations: up to around VND 1 billion for organizations.
    • Remedial powers:
      • Order to delete unlawfully collected data.
      • Suspension or restriction of processing activities.
      • Content blocking, service suspension or traffic throttling for online platforms.

2. Revenue-based penalties under the PDP Law

The PDP Law will introduce turnover-linked penalties for high-impact or repeated personal data violations, replacing the current purely fixed-cap model for the gravest cases. The exact brackets and percentages will be specified in implementing decrees, but Government documents have signalled low single-digit percentages of annual revenue in Vietnam for the most serious infringements.

  Violation type | Current regime (Decree 13 + sanctioning decrees) | Post-2026 PDP Law (expected)
  Minor procedural breaches (no DPIA, late responses to data subjects) | Warning or fixed fine (e.g. VND 10-50 million), plus remedial order | Fixed fine, with possible escalation for repeated non-compliance
  Unlawful processing or sharing of non-sensitive data | Fixed fines up to low hundreds of millions of VND; deletion of data | Higher fixed fines; potential revenue-based component if large-scale or repeated
  Large-scale breach of sensitive data or systematic non-compliance | Upper fixed fine range (around VND 1 billion) and possible service restrictions | Revenue-based fine (low single-digit % of annual Vietnam revenue) plus corrective orders
  Ignoring MPS orders, obstruction of inspections | Fines and possible suspension of relevant services | Maximum revenue-based fines, suspension, and reputational exposure

  • Practical enforcement trends
    • Shift from "educational warnings" to targeted inspections of high-profile digital services.
    • Increased pressure on foreign platforms and major domestic apps to localise compliance functions and respond quickly to data-related instructions.
    • Higher appetite for publicising enforcement against repeat offenders to signal deterrence before the PDP Law comes fully into force.

How are media and online content services regulated in Vietnam?

Media and online content in Vietnam are heavily regulated, with licensing and content controls applying both to domestic services and to foreign platforms that reach large Vietnamese audiences. MIC plays the central role in licensing, takedowns and supervision of online information, advertising and cross-border services.

  • Licensing and registration
    • Online newspapers, magazines and TV must obtain press or broadcasting licences.
    • Domestic social networks and OTT content platforms typically require:
      • Service provider licence or notification under Decree 72.
      • Content moderation and user identification measures.
    • Cross-border platforms (social media, video-sharing, search, app stores) may be required to:
      • Appoint a local representative office or authorised representative if they hit user/traffic thresholds.
      • Register contact points with MIC and MPS.
  • Content controls
    • Prohibited content includes:
      • Anti-state propaganda, state secrets, incitement to violence.
      • Content that offends national heroes, religion or customs.
      • Illegal gambling, unlicensed securities or MLM promotion, fake news that causes serious harm.
    • Platforms must implement:
      • Notice-and-takedown mechanisms.
      • Fast removal of content upon MIC/MPS request (often within 24 hours or less).
      • Age-restriction and parental controls for certain content.
  • Advertising and commercial communications
    • Online advertising is subject to the Law on Advertising and MIC rules:
      • Restrictions on ads for tobacco, alcohol, medicines, and certain financial products.
      • Requirements to store ad data and make it available to regulators.
    • Cross-border advertising providers must:
      • Cooperate with Vietnamese agencies on tax, content and data requests.
      • Block ads that violate Vietnamese law.

How is the telecoms and digital infrastructure sector controlled?

Telecoms and digital infrastructure in Vietnam are subject to licensing, spectrum regulation and cybersecurity oversight, with an evolving framework for data centers and cloud services. MIC regulates entry and operation, while MPS focuses on network security and data protection obligations that affect telcos and cloud providers.

  • Telecom licensing
    • Basic telecom services (fixed and mobile voice, data, international gateway) require:
      • Telecom business licences from MIC.
      • Spectrum licences for radio-based services under the Law on Radio Frequencies.
    • Foreign investment is allowed but subject to:
      • Equity caps and joint venture structures in certain segments.
      • Security vetting and infrastructure commitments.
  • Data centers and cloud services
    • The new Law on Telecommunications 2023 brings data center and cloud services into the telecom regulatory framework.
    • Providers must:
      • Register or obtain licences depending on scale and service type.
      • Meet technical and service quality standards issued by MIC.
      • Implement security and personal data protection controls consistent with Decree 13 and the PDP Law.
  • Cybersecurity and data localization
    • Certain foreign providers (for example, major social networks, e-commerce platforms, ride-hailing, payment intermediaries) may be required under Decree 53 to:
      • Store specified categories of data in Vietnam.
      • Establish a local branch or representative office.
      • Provide data and log information to MPS upon lawful request.
    • Telcos and large platforms must deploy capabilities for:
      • Traffic filtering and blocking of banned content or services.
      • Supporting national cybersecurity exercises and incident responses.

What are the key compliance priorities for digital businesses in Vietnam from 2024 to 2026?

From 2024 to 2026, digital businesses in Vietnam should focus on building a robust data protection governance structure, completing DPIAs and cross-border transfer files, and aligning contracts and operations with Decree 13 and the forthcoming PDP Law. This period is effectively a sprint to reach a mature level of compliance before revenue-based enforcement kicks in.

  1. Complete DPIAs and cross-border transfer files
    • Map all personal data flows, with particular attention to:
      • Cloud systems hosted outside Vietnam.
      • Foreign group entities receiving data for analytics or shared services.
    • Prioritise high-risk operations:
      • Large-scale customer databases.
      • Location tracking, profiling or scoring systems.
      • Use of AI or machine learning on personal data.
  2. Strengthen governance and the DPO function
    • Formalise your DPO role, including clear reporting lines and responsibilities.
    • Set up a data protection committee or steering group with IT, legal, business and security stakeholders.
    • Roll out regular training for product, marketing and operations teams on consent, privacy-by-design and incident reporting.
  3. Update contracts and vendor management
    • Review and update:
      • Customer terms and privacy notices (in Vietnamese and English).
      • Vendor and intra-group agreements that involve personal data.
    • Insert:
      • Data processing and confidentiality clauses aligned with Decree 13.
      • Cross-border transfer provisions and security requirements.
      • Clear allocation of incident notification responsibilities and timelines.
  4. Build incident and breach response capability
    • Design an incident response plan that includes:
      • Internal escalation paths and decision-making thresholds.
      • Evidence collection and forensics.
      • Interaction with MIC, MPS and, where necessary, affected individuals.
    • Run table-top exercises involving senior leadership and the DPO.
  5. Align marketing, adtech and tracking practices
    • Review:
      • Use of cookies, SDKs and tracking pixels on websites and apps.
      • Sharing of identifiers with ad networks and data brokers.
    • Ensure consent and transparency around:
      • Online behavioural advertising.
      • Lookalike audiences and profiling.

When should you hire a lawyer or specialist for Vietnam media, tech and data projects?

You should bring in Vietnam counsel or a specialist advisor when your project involves large-scale or sensitive data, cross-border transfers, regulated media/content, or telecom and infrastructure licensing. Early advice usually reduces both regulatory risk and long-term implementation cost.

  • Situations where expert support is strongly recommended
    • Launching or acquiring:
      • Social networks, OTT messaging, streaming platforms, gaming platforms.
      • E-commerce, fintech, health-tech or edtech services.
    • Implementing cross-border data architectures:
      • Regional cloud migrations (for example, consolidation to Singapore or US clouds).
      • Global data lakes or analytics hubs involving Vietnamese user data.
    • Entering telecom, data center or cloud markets:
      • Licensing, joint ventures, infrastructure sharing and spectrum use.
    • Facing or anticipating enforcement:
      • MPS or MIC inspections, data breach incidents, takedown orders.
      • High-profile media controversies around privacy or content.
  • What a good Vietnam MTT advisor will deliver
    • Gap analysis of your current policies, contracts and technical measures against Decree 13 and upcoming PDP Law obligations.
    • Drafting and localisation of DPIAs, CBTIAs, DPO documentation and regulator notification packages.
    • Practical negotiation support with vendors and partners to align on data responsibilities.
    • Training and playbooks for your in-house legal, compliance and product teams.

What practical next steps should in-house teams in Vietnam take now?

In-house teams should treat 2024-2026 as a time-bound project to get their media, tech and data practices into a defensible position before PDP Law enforcement intensifies. A structured, phased approach will help you prioritise high-risk areas and show regulators clear evidence of good-faith compliance efforts.

  1. Within the next 3 months
    • Appoint or confirm your DPO/DPO unit and formalise their mandate.
    • Complete a high-level data mapping and identify all cross-border data flows.
    • Prioritise 3-5 high-risk processing activities for immediate DPIAs.
  2. Within the next 6-12 months
    • Prepare and document DPIAs and CBTIAs for all major systems and transfers.
    • Update privacy notices, consent flows and key contracts (vendors and intra-group).
    • Implement or strengthen technical controls: access management, encryption, logging, backups.
  3. Before January 2026
    • Align internal policies and records with the structure of the PDP Law once final guidance is issued.
    • Run at least one end-to-end incident response exercise, including simulated engagement with MIC/MPS.
    • Prepare a concise "compliance evidence pack", ready to provide to regulators if requested, containing:
      • DPO appointment documents.
      • Selected DPIAs and CBTIAs.
      • Training records and key policies.
