{"id":13735,"date":"2026-01-07T15:06:48","date_gmt":"2026-01-07T08:06:48","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=13735"},"modified":"2026-01-14T11:23:56","modified_gmt":"2026-01-14T04:23:56","slug":"2026-update-cross-border-data-transfer-under-decree-no-356-2025-nd-cp-regulations-and-compliance-procedures","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/2026-update-cross-border-data-transfer-under-decree-no-356-2025-nd-cp-regulations-and-compliance-procedures\/","title":{"rendered":"[2026 Update] Cross-Border Data Transfer under Decree No. 356\/2025\/ND-CP: Regulations and Compliance Procedures"},"content":{"rendered":"<p><em>Cross-border transfers of personal data under <strong>Decree No. 356\/2025\/ND-CP<\/strong> include storing data on overseas servers\/cloud platforms or transferring data to foreign organizations or individuals. Enterprises are required to prepare and submit a Data Transfer Impact Assessment Dossier within <strong>60 days<\/strong> from the date the data transfer occurs. Certain cases, such as human resources management, logistics operations, international payments, or emergency situations, are exempt from the impact assessment requirement. Competent authorities have the power to request the suspension of data transfers if they detect acts that infringe upon national security or violations of data protection that cause harm to national defense.<\/em><\/p>\n<figure id=\"attachment_13695\" aria-describedby=\"caption-attachment-13695\" style=\"width: 604px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-13695\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-goumbik-669616-1-604x400.jpg\" alt=\"\" width=\"604\" height=\"400\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-goumbik-669616-1-604x400.jpg 604w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-goumbik-669616-1-1208x800.jpg 1208w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-goumbik-669616-1-768x509.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-goumbik-669616-1-1536x1017.jpg 1536w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-goumbik-669616-1-2048x1356.jpg 2048w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><figcaption id=\"caption-attachment-13695\" class=\"wp-caption-text\">Source: pexels-goumbik-669616<\/figcaption><\/figure>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of contents:<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #a32411;color:#a32411\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #a32411;color:#a32411\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/cdlaf.vn\/en\/2026-update-cross-border-data-transfer-under-decree-no-356-2025-nd-cp-regulations-and-compliance-procedures\/#1_Identification_of_cross-border_personal_data_transfer_activities\" >1. Identification of cross-border personal data transfer activities<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/cdlaf.vn\/en\/2026-update-cross-border-data-transfer-under-decree-no-356-2025-nd-cp-regulations-and-compliance-procedures\/#2_Procedures_for_preparing_the_cross-border_personal_data_transfer_impact_assessment_dossier\" >2. Procedures for preparing the cross-border personal data transfer impact assessment dossier<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/cdlaf.vn\/en\/2026-update-cross-border-data-transfer-under-decree-no-356-2025-nd-cp-regulations-and-compliance-procedures\/#SEND_CONSULTATION_REQUEST\" >SEND CONSULTATION REQUEST<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"1_Identification_of_cross-border_personal_data_transfer_activities\"><\/span>1. Identification of cross-border personal data transfer activities<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Pursuant to Article 17 of newly promulgated Decree No. 356\/2025\/ND-CP, enterprises are deemed to engage in cross-border data transfer activities in the capacity of a personal data controller, a personal data controller and processor, a personal data processor, or a third party carrying out personal data transfer activities. Accordingly, where an enterprise carries out any of the following activities, it shall be considered as conducting cross-border personal data transfers:<\/p>\n<p>Storing personal data involving the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam or to cloud computing services provided by overseas service providers;<\/p>\n<p>Transferring personal data from agencies, organizations, or individuals in Vietnam to recipient organizations or individuals located overseas;<\/p>\n<p>Processing personal data collected in Vietnam and transferring such data to platforms located outside the territory of the Socialist Republic of Vietnam for further processing.<\/p>\n<p><strong>Exceptional cases:<\/strong> circumstances in which cross-border personal data transfers are carried out but are not subject to the requirement to conduct a cross-border personal data transfer impact assessment include:<\/p>\n<ul>\n<li>Journalistic and media activities conducted in accordance with the law;<\/li>\n<li>Cross-border transfers of personal data that have been lawfully disclosed in accordance with applicable regulations;<\/li>\n<li>Emergency situations where it is genuinely necessary to provide personal data across borders to protect an individual\u2019s life, health, or property safety, or to perform duties and obligations as prescribed by law;<\/li>\n<li>Cross-border personal data transfers for the purpose of cross-border human resources management in accordance with internal rules, labor regulations, and collective labor agreements as prescribed by law;<\/li>\n<li>Provision of personal data across borders for the purpose of entering into contracts or carrying out procedures related to cross-border transportation, logistics, remittance, payment, hotel services, visa applications, or scholarship applications.<\/li>\n<\/ul>\n<p><strong>Please note that<\/strong> the competent authority for personal data protection may decide to require the cross-border data transferor to suspend cross-border personal data transfers in the following cases:<\/p>\n<p>Where it is discovered that the transferred personal data is being used for activities infringing upon national defense or national security;<\/p>\n<p>Where there are violations of personal data protection regulations that may cause harm to national defense or national security.<\/p>\n<p>CDLAF observes that it is now necessary for enterprises to establish a dedicated department or designate personnel responsible for compliance with personal data protection regulations. This function should enable the enterprise to classify different types of data and clearly identify its role in relation to each category of personal data. Only on that basis can an enterprise accurately determine whether it is engaged in cross-border data transfers; in other words, the enterprise must have a clear understanding of its own data flows. Previous regulations were largely understood as an initial, introductory approach for businesses; therefore, personal data control mechanisms were not strongly enforced. However, with the promulgation of the Law on Personal Data Protection and Decree No. 336\/2025\/ND-CP, together with corresponding sanctions, enterprises are now placed in a position of mandatory compliance rather than one of \u201cobservation and experimentation.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Procedures_for_preparing_the_cross-border_personal_data_transfer_impact_assessment_dossier\"><\/span>2. Procedures for preparing the cross-border personal data transfer impact assessment dossier<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>After determining that an enterprise engages in cross-border data transfer activities and does not fall under any exempted cases, the enterprise is required to prepare a cross-border personal data transfer impact assessment dossier, which includes:<\/p>\n<ul>\n<li>A report on the cross-border personal data transfer impact assessment;<\/li>\n<li>Copies of contracts or data transfer documents evidencing the binding arrangements and responsibilities between the organizations and individuals transferring and receiving personal data across borders;<\/li>\n<li>Policies, procedures, internal regulations, forms, and other relevant documents on personal data protection of the agencies, organizations, or individuals engaged in cross-border personal data transfer activities.<\/li>\n<\/ul>\n<p><strong>Guidelines for preparing the Cross-Border Personal Data Transfer Impact Assessment Report<\/strong>, under which the report must include the following contents:<\/p>\n<ul>\n<li>Information and contact details of the personal data transferor, the personal data recipient, the personal data processor, and other parties involved in cross-border personal data transfer activities;<\/li>\n<li>Contact details of the personal data protection unit or personnel; and of organizations or individuals providing personal data protection services (if any) of the personal data transferor and the personal data recipient;<\/li>\n<li>Description and justification of the purpose of cross-border personal data transfers, the types of personal data transferred across borders, detailed descriptions of cross-border data transfer and processing activities, and a diagram of personal data processing flows;<\/li>\n<li>Description and justification regarding the obtaining of consent from personal data subjects, as well as policies on the retention, deletion, and destruction of personal data;<\/li>\n<li>Plans to ensure personal data security after cross-border transfer, including personal data protection measures and applicable personal data protection standards;<\/li>\n<li>System architecture diagrams and descriptions of the functionalities of systems used to store and process personal data after receiving cross-border personal data;<\/li>\n<li>Procedures governing the onward transfer or provision of personal data by the cross-border personal data recipient to third parties;<\/li>\n<li>Results of the self-assessment of compliance with personal data protection regulations by the agencies, organizations, or individuals engaged in cross-border personal data transfer activities;<\/li>\n<li>Assessment of the level of personal data protection of the personal data recipient; the degree of impact and risks associated with cross-border transfer and processing of personal data; potential adverse consequences or damages that may occur; and measures to mitigate or eliminate such risks.<\/li>\n<\/ul>\n<p><strong>Procedure for carrying out the cross-border personal data transfer impact assessment<\/strong><\/p>\n<p>The enterprise shall submit one (01) original set of a complete dossier, either online, in person, or via postal services, to the authority specialized in personal data protection, together with Form No. 01a\/01b as prescribed in the Appendix to this Decree, <strong>within sixty (60) days<\/strong> from the date on which the cross-border personal data transfer is conducted. CDLAF emphasizes that enterprises should pay special attention to this 60-day deadline to avoid administrative penalties. Enterprises should also be aware that the preparation of the dossier is currently quite complex and data-intensive; based on our practical experience, the internal preparation process requires a considerable amount of time.<\/p>\n<p>The personal data protection authority shall assess the dossier and issue its conclusion as to whether the cross-border personal data transfer impact assessment dossier meets the requirements within fifteen (15) days.<\/p>\n<p>Where the dossier is incomplete or non-compliant with regulations, the competent authority shall assess and request the cross-border personal data transferor to complete and rectify the cross-border personal data transfer impact assessment dossier within thirty (30) days. If the personal data transferor fails to complete the dossier in accordance with regulations, the authority specialized in personal data protection may consider applying <strong>administrative sanctions in accordance with the laws on personal data protection.<\/strong><\/p>\n<p><strong>Note from CDLAF:<\/strong> The cross-border personal data transfer impact assessment dossier must be kept readily available at all times to serve inspection and assessment activities conducted by the authority specialized in personal data protection. During operations, where there are changes in relevant information, the enterprise is required to update and supplement the cross-border personal data transfer impact assessment dossier in accordance with regulations.<\/p>\n<p>Decree No. 356\/2025\/ND-CP has clarified exemption cases (such as human resources management), thereby helping to reduce the administrative burden on multinational corporations. However, enterprises should not be complacent. For cloud storage activities or centralized data processing at the parent company level that do not fall under the exemption cases, the preparation of the report in accordance with <strong>Form No. 09<\/strong> requires extremely close coordination between the Legal\/Compliance team and the IT department. One of the most common mistakes is inconsistency between the data flow diagram and the technical description, which may result in the dossier being returned and expose the enterprise to the risk of suspension of data transfers if the competent authorities identify potential threats to national security.<\/p>\n<p><strong>CDLAF<\/strong> \u2013 <strong><em>A consulting firm specializing in advisory services and compliance procedures for Personal Data Protection in Vietnam.<\/em><\/strong><\/p>\n<ul>\n<li>\n<h4><strong>Advisory email<\/strong> info@cdlaf.vn<\/h4>\n<\/li>\n<li>\n<h4><strong>Hotline:<\/strong> (+84) 909 668 216<\/h4>\n<\/li>\n<\/ul>\n<p><strong><em>Time<\/em><\/strong><strong><em> of writing<\/em><\/strong><em>: 02\/01\/2026<\/em><\/p>\n<p><em>The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer \u00a0at\u00a0 <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n<div class=\"content-post-nd\">\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5519 size-full aligncenter\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png\" alt=\"\" width=\"1080\" height=\"600\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png 1080w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-720x400.png 720w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-768x427.png 768w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/><\/div>\n<\/div>\n<div class=\"content-post-nd\">\n<p><strong>Why choose CDLAF\u2019s service?<\/strong><\/p>\n<ul class=\"li-content\">\n<li>We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;<\/li>\n<li>We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;<\/li>\n<li>Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;<\/li>\n<li>As a Vietnamese law firm, we have a thorough understanding of Vietnam&#8217;s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;<\/li>\n<li>CDLAF&#8217;s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.<\/li>\n<li>Strict information security procedures throughout the service performance and even after the service is completed.<\/li>\n<\/ul>\n<\/div>\n<p><strong style=\"color: #a32411;\">You can refer for more information:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/rights-of-personal-data-subjects-and-methods-of-obtaining-consent-under-decree-no-336-2025-nd-cp\/\">Rights of Personal Data Subjects and methods of obtaining consent under Decree No. 356\/2025\/ND-CP<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/differentiating-between-business-license-to-provide-cyber-information-security-services-and-product-and-business-license-for-civil-cryptography-products-and-services-confusions-to-eliminate\/\">Differentiating between Business License to provide cyber information security services and product and Business License for Civil Cryptography Products and Services: Confusions to Eliminate<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/execution-of-electronic-labor-contracts-compliance-conditions-and-implementation-process\/\">Execution of Electronic Labor Contracts: Compliance Conditions and Implementation Process<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/impacts-of-decree-no-337-2025-nd-cp-on-electronic-labour-contracts\/\">Impacts of Decree No. 337\/2025\/N\u0110-CP on Electronic Labour Contracts<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/essential-clauses-in-an-overseas-foreign-party-processing-contract\/\">Essential clauses in an overseas processing contracts<\/a><\/li>\n<\/ul>\n\n<div class=\"wpcf7 no-js\" id=\"wpcf7-f2681-o1\" lang=\"en-US\" dir=\"ltr\" data-wpcf7-id=\"2681\">\n<div class=\"screen-reader-response\"><p role=\"status\" aria-live=\"polite\" aria-atomic=\"true\"><\/p> <ul><\/ul><\/div>\n<form action=\"\/en\/wp-json\/wp\/v2\/posts\/13735#wpcf7-f2681-o1\" method=\"post\" class=\"wpcf7-form init\" aria-label=\"Contact form\" novalidate=\"novalidate\" data-status=\"init\">\n<fieldset class=\"hidden-fields-container\"><input type=\"hidden\" name=\"_wpcf7\" value=\"2681\" \/><input type=\"hidden\" name=\"_wpcf7_version\" value=\"6.1.5\" \/><input type=\"hidden\" name=\"_wpcf7_locale\" value=\"en_US\" \/><input type=\"hidden\" name=\"_wpcf7_unit_tag\" value=\"wpcf7-f2681-o1\" \/><input type=\"hidden\" name=\"_wpcf7_container_post\" value=\"0\" \/><input type=\"hidden\" name=\"_wpcf7_posted_data_hash\" value=\"\" \/>\n<\/fieldset>\n<h2 class=\"tt-form\"><span class=\"ez-toc-section\" id=\"SEND_CONSULTATION_REQUEST\"><\/span>SEND CONSULTATION REQUEST\n<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><label>Full name<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"full-name\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-text wpcf7-validates-as-required\" aria-required=\"true\" aria-invalid=\"false\" value=\"\" type=\"text\" name=\"full-name\" \/><\/span><br \/>\n<label>Email<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"email\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email\" aria-required=\"true\" aria-invalid=\"false\" value=\"\" type=\"email\" name=\"email\" \/><\/span><br \/>\n<label>Phone Number<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"phone\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-tel wpcf7-text wpcf7-validates-as-tel\" aria-invalid=\"false\" value=\"\" type=\"tel\" name=\"phone\" \/><\/span><br \/>\n<label>Message<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"coment\"><textarea cols=\"40\" rows=\"10\" maxlength=\"2000\" class=\"wpcf7-form-control wpcf7-textarea\" aria-invalid=\"false\" name=\"coment\"><\/textarea><\/span><br \/>\n<input class=\"wpcf7-form-control wpcf7-submit has-spinner btn-yellow\" type=\"submit\" value=\"Send\" \/>\n<\/p><div class=\"wpcf7-response-output\" aria-hidden=\"true\"><\/div>\n<\/form>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Cross-border transfers of personal data under Decree No. 356\/2025\/ND-CP include storing data on overseas servers\/cloud platforms or transferring data to foreign organizations or individuals. Enterprises are required to prepare and submit a Data Transfer Impact Assessment Dossier within 60 days from the date the data transfer occurs. Certain cases, such as human resources management, logistics&#8230;<\/p>\n","protected":false},"author":4,"featured_media":13695,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-13735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=13735"}],"version-history":[{"count":4,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13735\/revisions"}],"predecessor-version":[{"id":13763,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13735\/revisions\/13763"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/13695"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=13735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=13735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=13735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}