According to the latest regulations, micro-enterprises, household businesses, and startups are eligible for exemptions or deferrals regarding certain mandatory personal data protection procedures for a period of five years. However, these benefits do not apply to entities directly processing sensitive data, providing data processing services, or handling data from 100,000 or more data subjects. Correctly identifying a business’s status helps the business optimize operating costs while ensuring legal compliance during the digital transformation phase.

1. Small Enterprises, Startups, and Personal Data Compliance
As part of the policy to encourage and support small enterprises, Decree No. 336/2025/ND-CP (providing guidance on the Law on Personal Data Protection) stipulates that certain groups of enterprises are granted a specific roadmap for implementing personal data procedures over a designated period. Accordingly, small enterprises and startups may choose whether or not to implement the following procedures:
- Preparation of Personal Data Processing Impact Assessment dossiers: Data Controllers and Data Controllers-cum-Processors in this group are not required to establish, store, or submit Personal Data Processing Impact Assessment dossiers to the specialized data protection authority.
- Updating Personal Data Processing Impact Assessment dossiers and Transfer Impact Assessment dossiers for cross-border data transfers: Outside this roadmap, these dossiers must be updated every six months when changes occur, or immediately in the cases prescribed by law.
- Organizing a personal data protection force: This includes establishing departments or appointing personnel with sufficient capacity for personal data protection, or hiring organizations/individuals to provide personal data protection services.
The roadmap prescribed by law provides a 5-year grace period from the effective date of the Law on Personal Data Protection. It does not apply to small enterprises and startups that provide personal data processing services, directly process sensitive personal data, or process the personal data of 100,000 or more data subjects, counted from the point at which the cumulative total of data subjects processed reaches that threshold.
From a risk management perspective, although Decree No. 336/2025/ND-CP grants small enterprises and startups the right to ‘defer’ the preparation of impact assessment dossiers for 5 years, we always recommend that clients not wait on the sidelines. There are three key reasons why businesses should consider implementing compliance from the very beginning:
- The “Sensitive Data” Barrier: The line between non-sensitive and sensitive data is extremely thin. A single instance of collecting geolocation data or payment information can be enough to invalidate your exemption status immediately.
- The Advantage of Working with Major Partners: Multinational corporations and investment funds always prioritize data protection standards as a prerequisite during Due Diligence. Possessing a methodical Data Protection Impact Assessment (DPIA) serves as a “passport,” allowing startups to prove their management capabilities and professionalism.
- The Pressure of Reaching the 100,000 Data Subject Threshold: Given the growth trajectory of startups, reaching 100,000 data subjects can happen very quickly. If a business waits until hitting this threshold to start building a compliance system, it will face operational disruptions and exorbitant transition costs.
Therefore, consider these five years as a period for foundation-building rather than a reason for delay. Preparing the compliance dossiers now will enable businesses to proactively manage operational risks when they no longer qualify for exemptions or as they progress through the implementation roadmap.
2. Micro-Enterprises Exempted from Personal Data Procedures
For micro-enterprises, compliance is not required with respect to the following obligations: (i) conducting personal data protection impact assessments; (ii) updating personal data protection impact assessment dossiers and cross-border personal data transfer impact assessment dossiers; and (iii) establishing a specialized department or appointing personnel with adequate data protection expertise, or engaging external organizations or individuals to provide personal data protection services.
However, this exemption shall not apply to micro-enterprises engaged in personal data processing services, directly processing sensitive personal data, or processing personal data from the point they reach a scale of 100,000 personal data subjects or more, based on the cumulative results of the total volume of personal data processed.
Currently, the Law on Support for Small and Medium-sized Enterprises is under review for public comment to provide a basis for adjusting the criteria for small and micro-enterprises to align with new digital economy and cybersecurity standards. This means that the defining boundaries of a ‘micro-enterprise’ may change, leading to either a narrowing or an expansion of the entities eligible for data procedure exemptions. Therefore, as with the above, from the perspective of a legal consulting firm, we recommend that businesses establish a plan to strictly control the storage and processing of both their own and their customers’ personal data.
Advice from CDLAF: Many startups today in sectors such as finance, e-commerce, and healthcare may assume that being a small enterprise entitles them to an exemption. However, these businesses often overlook the fact that their products directly process financial or health data—both of which are classified as sensitive personal data.
At CDLAF, our advice is that businesses must carry out “Data Classification” before deciding whether or not to prepare a Data Protection Impact Assessment (DPIA) dossier. If a business fails to submit the dossier, believing it is exempt, but an inspection shows that it is processing sensitive data or has exceeded the threshold of 100,000 data subjects, the penalties will be severe because the violation is systematic in nature. Therefore, an ‘administrative exemption’ does not equate to an ‘exemption from the legal responsibility to protect personal data’.
- Advisory email: info@cdlaf.vn
- Hotline: (+84) 909 668 216
Time of writing: 02/01/2026
This article contains general information for reference only. If you would like a legal opinion on an issue you need clarified, please get in touch with our lawyers at info@cdlaf.vn.

Why choose CDLAF’s service?
- We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
- We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
- Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
- As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
- CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory;
- Strict information security procedures throughout the service performance and even after the service is completed.
You can refer for more information:
- Cross-Border Personal Data Transfers – Procedural Steps to Be Implemented under Decree No. 336/2025/ND-CP
- Rights of Personal Data Subjects and methods of obtaining consent under Decree No. 336/2025/ND-CP
- Differentiating between Business License to provide cyber information security services and product and Business License for Civil Cryptography Products and Services: Confusions to Eliminate
- Execution of Electronic Labor Contracts: Compliance Conditions and Implementation Process
- Impacts of Decree No. 337/2025/NĐ-CP on Electronic Labour Contracts
- Essential clauses in overseas processing contracts
