Under Decree No. 356/2025/ND-CP, the responsibilities of data processing organizations have been significantly strengthened, with strict statutory timelines, including: (1) Response to data subject requests: organizations must respond to requests from personal data subjects within 02 working days, and complete the exercise of such rights within 10 to 20 days; (2) Valid consent: consent must be obtained through verifiable methods (such as written consent, audio recordings, or digital confirmations). The practice of “default” consent is strictly prohibited. Notably, Decree No. 336 places particular emphasis on the responsibility of data controllers to retain valid evidence of consent and to demonstrate transparency in the processing of sensitive personal data.

1. How are the Rights of Personal Data Subjects regulated under Decree No. 356/2025/ND-CP?
Personal data subjects have the right to request withdrawal of consent for personal data processing, restriction of personal data processing, or to object to personal data processing, and data controllers and data processors must respond to such requests within 02 working days, provided that the requests are made in accordance with applicable procedures. At the same time, data controllers and data processors are required to provide the personal data subject with full information regarding the procedures for ceasing personal data processing and to complete such procedures within 15 days, except in cases where personal data processing does not require the data subject’s consent pursuant to Article 19 of the Law on Personal Data Protection. Where it is necessary to require a data processor or a third party to cease processing the personal data of the data subject, such cessation must be completed within 20 days.
Depending on the nature and complexity of the request, if an extension is required, the processing period may be extended once only, for a maximum additional period of 15 days. In such cases, the data controller and/or data processor must notify the personal data subject of the reasons for the extension and bear the burden of proving that such extension is necessary and reasonable.
Personal data subjects have the right to request data controllers and data processors to allow them to access their personal data, rectify or request rectification of their personal data and be provided with their personal data in accordance with the prescribed procedures. Data controllers and data processors must respond within 02 working days, provide full information on the relevant procedures, and complete the request within 10 days. Where it is necessary to require a data processor or a third party to rectify the personal data of the data subject, such rectification must be completed within 15 days.
Depending on the nature and complexity of the request, an extension may be granted once only, for a maximum additional period of 10 days, provided that the data controller and/or data processor informs the data subject of the reasons for the extension and proves that the extension is necessary and reasonable.
Personal data subjects have the right to request data controllers and data processors to delete their personal data in accordance with the prescribed procedures. Data controllers and data processors must respond within 02 working days, provide full information regarding the procedures, and complete the deletion within 20 days. Where it is necessary to require a data processor or a third party to provide, delete, or restrict the processing of the personal data of the data subject, such actions must be completed within 30 days.
Depending on the nature and complexity of the request, in cases where an extension of the processing time is necessary, the extension may be granted for a maximum of one time and not exceeding 20 days. The personal data controller or the personal data controller and processor shall notify the data subject of the reasons for the extension and bear the responsibility to prove that the extension is necessary and reasonable.
2. Methods of Expressing Consent by Personal Data Subjects
Methods of obtaining consent from personal data subjects must ensure verifiability, including the ability to determine the identity of the personal data subject, the time at which consent was given, and the specific content to which consent was granted. These methods include:
- Written consent;
- Recorded telephone calls;
- Consent via SMS syntax;
- Consent via email, websites, platforms, or applications equipped with technical mechanisms for obtaining consent;
- Other appropriate methods that can be printed, copied, or otherwise documented in writing, including electronic or other verifiable formats.
Data controllers and data processors are required to retain records of consent. In the event of a dispute, the burden of proof regarding the data subject’s consent rests with the data controller and/or data processor. Data controllers and data processors are prohibited from establishing default consent mechanisms or creating unclear or misleading instructions that blur the distinction between consent and non-consent. Default settings must adhere to the principles of personal data protection and respect the rights of personal data subjects.
For the processing of sensitive personal data, the personal data subject must be clearly informed that the data to be processed constitutes sensitive personal data.
3. CDLAF’s recommendation
Based on our experience in advising on and developing internal regulations for personal data protection compliance, as well as assisting clients with personal data procedures from the implementation of Decree No. 13/2023/ND-CP to the present, we observe that:
Personal data compliance is no longer a reactive exercise. Decree No. 356/2025/ND-CP requires enterprises to respond to personal data subject requests within 02 working days, except in limited special cases. This creates a genuine “time trap” for businesses that continue to manage data manually. Without close coordination between the legal/compliance teams and IT departments to establish automated request intake systems, standardized procedures for handling data subject requests, and incident response processes, the risk of missing statutory deadlines is extremely high—particularly for enterprises with large workforces. Businesses should not allow a minor administrative oversight to escalate into a large-scale regulatory inspection on personal data protection.
Advisory on “Digital Evidence” (Audit Trail)
A key development under Decree No. 356 is the tightened obligation to prove valid consent. While it is generally understood that any confirmation between parties should be documented, Decree No. 356/2025/ND-CP does not leave this to assumption. Instead, it expressly specifies which forms of evidence are acceptable to substantiate a data subject’s consent. Our consistent advice to clients is: “Do not merely obtain consent—retain evidence of that consent.” Enterprises should build transparent log data systems that accurately record timestamps, IP addresses, and the specific version of the privacy policy accepted by the data subject. In the digital era, evidence lies not in verbal assurances, but in system data.
Third-Party Contracts and Data Processing Partners
Many enterprises focus heavily on customer relationships while overlooking data processing partners (vendors). Businesses should promptly update Data Processing Agreements (DPAs) with all third parties to incorporate the 02-working-day response requirement.
If a third-party processor fails to respond in a timely manner, it is the enterprise—not the vendor—that bears legal responsibility under the spirit and provisions of Decree No. 356/2025/ND-CP.
CDLAF – A unit specializing in providing services to obtain licenses to trade in cyber information security products and services and civil cryptography.
Time of writing: 02/01/2026
This article contains general information for reference purposes. If you would like to receive legal opinions on issues you need clarified, please get in touch with our Lawyer at info@cdlaf.vn

