Cross-border transfers of personal data under Decree No. 356/2025/ND-CP include storing data on overseas servers/cloud platforms or transferring data to foreign organizations or individuals. Enterprises are required to prepare and submit a Data Transfer Impact Assessment Dossier within 60 days from the date the data transfer occurs. Certain cases, such as human resources management, logistics operations, international payments, or emergency situations, are exempt from the impact assessment requirement. Competent authorities have the power to request the suspension of data transfers if they detect acts that infringe upon national security or violations of data protection that cause harm to national defense.
1. Identification of cross-border personal data transfer activities
Pursuant to Article 17 of newly promulgated Decree No. 356/2025/ND-CP, enterprises are deemed to engage in cross-border data transfer activities in the capacity of a personal data controller, a personal data controller and processor, a personal data processor, or a third party carrying out personal data transfer activities. Accordingly, where an enterprise carries out any of the following activities, it shall be considered as conducting cross-border personal data transfers:
Storing personal data involving the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam or to cloud computing services provided by overseas service providers;
Transferring personal data from agencies, organizations, or individuals in Vietnam to recipient organizations or individuals located overseas;
Processing personal data collected in Vietnam and transferring such data to platforms located outside the territory of the Socialist Republic of Vietnam for further processing.
Exceptional cases: circumstances in which cross-border personal data transfers are carried out but are not subject to the requirement to conduct a cross-border personal data transfer impact assessment include:
- Journalistic and media activities conducted in accordance with the law;
- Cross-border transfers of personal data that have been lawfully disclosed in accordance with applicable regulations;
- Emergency situations where it is genuinely necessary to provide personal data across borders to protect an individual’s life, health, or property safety, or to perform duties and obligations as prescribed by law;
- Cross-border personal data transfers for the purpose of cross-border human resources management in accordance with internal rules, labor regulations, and collective labor agreements as prescribed by law;
- Provision of personal data across borders for the purpose of entering into contracts or carrying out procedures related to cross-border transportation, logistics, remittance, payment, hotel services, visa applications, or scholarship applications.
Please note that the competent authority for personal data protection may decide to require the cross-border data transferor to suspend cross-border personal data transfers in the following cases:
Where it is discovered that the transferred personal data is being used for activities infringing upon national defense or national security;
Where there are violations of personal data protection regulations that may cause harm to national defense or national security.
CDLAF observes that it is now necessary for enterprises to establish a dedicated department or designate personnel responsible for compliance with personal data protection regulations. This function should enable the enterprise to classify different types of data and clearly identify its role in relation to each category of personal data. Only on that basis can an enterprise accurately determine whether it is engaged in cross-border data transfers; in other words, the enterprise must have a clear understanding of its own data flows. Previous regulations were largely understood as an initial, introductory approach for businesses; therefore, personal data control mechanisms were not strongly enforced. However, with the promulgation of the Law on Personal Data Protection and Decree No. 336/2025/ND-CP, together with corresponding sanctions, enterprises are now placed in a position of mandatory compliance rather than one of “observation and experimentation.”
2. Procedures for preparing the cross-border personal data transfer impact assessment dossier
After determining that an enterprise engages in cross-border data transfer activities and does not fall under any exempted cases, the enterprise is required to prepare a cross-border personal data transfer impact assessment dossier, which includes:
- A report on the cross-border personal data transfer impact assessment;
- Copies of contracts or data transfer documents evidencing the binding arrangements and responsibilities between the organizations and individuals transferring and receiving personal data across borders;
- Policies, procedures, internal regulations, forms, and other relevant documents on personal data protection of the agencies, organizations, or individuals engaged in cross-border personal data transfer activities.
Guidelines for preparing the Cross-Border Personal Data Transfer Impact Assessment Report, under which the report must include the following contents:
- Information and contact details of the personal data transferor, the personal data recipient, the personal data processor, and other parties involved in cross-border personal data transfer activities;
- Contact details of the personal data protection unit or personnel; and of organizations or individuals providing personal data protection services (if any) of the personal data transferor and the personal data recipient;
- Description and justification of the purpose of cross-border personal data transfers, the types of personal data transferred across borders, detailed descriptions of cross-border data transfer and processing activities, and a diagram of personal data processing flows;
- Description and justification regarding the obtaining of consent from personal data subjects, as well as policies on the retention, deletion, and destruction of personal data;
- Plans to ensure personal data security after cross-border transfer, including personal data protection measures and applicable personal data protection standards;
- System architecture diagrams and descriptions of the functionalities of systems used to store and process personal data after receiving cross-border personal data;
- Procedures governing the onward transfer or provision of personal data by the cross-border personal data recipient to third parties;
- Results of the self-assessment of compliance with personal data protection regulations by the agencies, organizations, or individuals engaged in cross-border personal data transfer activities;
- Assessment of the level of personal data protection of the personal data recipient; the degree of impact and risks associated with cross-border transfer and processing of personal data; potential adverse consequences or damages that may occur; and measures to mitigate or eliminate such risks.
Procedure for carrying out the cross-border personal data transfer impact assessment
The enterprise shall submit one (01) original set of a complete dossier, either online, in person, or via postal services, to the authority specialized in personal data protection, together with Form No. 01a/01b as prescribed in the Appendix to this Decree, within sixty (60) days from the date on which the cross-border personal data transfer is conducted. CDLAF emphasizes that enterprises should pay special attention to this 60-day deadline to avoid administrative penalties. Enterprises should also be aware that the preparation of the dossier is currently quite complex and data-intensive; based on our practical experience, the internal preparation process requires a considerable amount of time.
The personal data protection authority shall assess the dossier and issue its conclusion as to whether the cross-border personal data transfer impact assessment dossier meets the requirements within fifteen (15) days.
Where the dossier is incomplete or non-compliant with regulations, the competent authority shall assess and request the cross-border personal data transferor to complete and rectify the cross-border personal data transfer impact assessment dossier within thirty (30) days. If the personal data transferor fails to complete the dossier in accordance with regulations, the authority specialized in personal data protection may consider applying administrative sanctions in accordance with the laws on personal data protection.
Note from CDLAF: The cross-border personal data transfer impact assessment dossier must be kept readily available at all times to serve inspection and assessment activities conducted by the authority specialized in personal data protection. During operations, where there are changes in relevant information, the enterprise is required to update and supplement the cross-border personal data transfer impact assessment dossier in accordance with regulations.
Decree No. 356/2025/ND-CP has clarified exemption cases (such as human resources management), thereby helping to reduce the administrative burden on multinational corporations. However, enterprises should not be complacent. For cloud storage activities or centralized data processing at the parent company level that do not fall under the exemption cases, the preparation of the report in accordance with Form No. 09 requires extremely close coordination between the Legal/Compliance team and the IT department. One of the most common mistakes is inconsistency between the data flow diagram and the technical description, which may result in the dossier being returned and expose the enterprise to the risk of suspension of data transfers if the competent authorities identify potential threats to national security.
CDLAF – A consulting firm specializing in advisory services and compliance procedures for Personal Data Protection in Vietnam.
-
Advisory email info@cdlaf.vn
-
Hotline: (+84) 909 668 216
Time of writing: 02/01/2026
The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn
Why choose CDLAF’s service?
- We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
- We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
- Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
- As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
- CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.
- Strict information security procedures throughout the service performance and even after the service is completed.
You can refer for more information:
- Rights of Personal Data Subjects and methods of obtaining consent under Decree No. 356/2025/ND-CP
- Differentiating between Business License to provide cyber information security services and product and Business License for Civil Cryptography Products and Services: Confusions to Eliminate
- Execution of Electronic Labor Contracts: Compliance Conditions and Implementation Process
- Impacts of Decree No. 337/2025/NĐ-CP on Electronic Labour Contracts
- Essential clauses in an overseas processing contracts
