Tags: pdpl, foreign-companies, compliance, data-protection

Vietnam's PDPL: What Foreign-Invested Companies Need to Know

CompliScan Team · 5 min read

Vietnam's Personal Data Protection Law — officially Law 91/2025/QH15 — has been in effect since January 1, 2026. If your company is foreign-invested and operating in Vietnam, this law applies to you. And if you assumed that existing GDPR compliance would cover your obligations here, it does not.

This article breaks down what the PDPL requires from foreign-invested enterprises (FIEs), where it diverges from GDPR, and what you should do now.


What Is the PDPL?

The PDPL is Vietnam's first comprehensive personal data protection law. It establishes the legal framework for how personal data must be collected, stored, processed, and transferred within and outside of Vietnam. Decree 356 serves as the primary implementing regulation, defining specific data categories, technical requirements, and enforcement mechanisms.

Together, the PDPL and Decree 356 create a compliance landscape that is similar to GDPR in structure but distinct in several critical areas — particularly for foreign-invested companies.


How the PDPL Differs from GDPR

If your company already maintains GDPR compliance, you have a foundation — but significant gaps remain.

Cross-Border Data Transfer Requirements

This is the single biggest area where GDPR compliance falls short. Under the PDPL, any transfer of Vietnamese citizens' personal data outside of Vietnam requires:

  • A Cross-border Transfer Impact Assessment documenting the risks and safeguards
  • Registration with the Ministry of Public Security before the transfer occurs
  • Explicit consent from data subjects for the cross-border transfer specifically

For FIEs, this is especially significant. If your company sends employee data, customer records, or operational data to a parent company or regional headquarters abroad, every one of those transfers is subject to these requirements. This includes data stored in cloud platforms whose servers sit outside Vietnam. Because Google Workspace stores customer data on infrastructure outside Vietnam unless you have configured otherwise, most Workspace tenants are affected by default.

Vietnamese-Format DPIA

The PDPL requires a Data Protection Impact Assessment, but it must follow the Vietnamese format specified in Decree 356. A GDPR-style DPIA does not satisfy this requirement. The Vietnamese DPIA has specific sections and criteria that reflect local regulatory expectations.

Local Data Categories

Vietnam defines personal data categories that don't map directly to GDPR. Under Decree 356, sensitive personal data includes:

  • Citizen Identity Card numbers (CCCD/CMND)
  • Vietnamese tax identification numbers
  • Social insurance numbers
  • Bank account numbers in Vietnamese formats
  • Health insurance numbers
  • Biometric data linked to Vietnamese identification systems

Your GDPR data inventory likely does not track these categories. A Vietnam-specific data audit is necessary to identify where this data exists in your systems.

Ministry of Public Security Oversight

Unlike GDPR's supervisory authority model, Vietnam's PDPL places primary oversight with the Ministry of Public Security (MPS). Companies must register certain data processing activities with the MPS, particularly those involving cross-border transfers or large-scale processing of sensitive data. The registration process is specific to Vietnam and has no GDPR equivalent.


What FIEs Must Do

1. Conduct a Vietnam-Specific Data Audit

Start by identifying what Vietnamese personal data your company holds. This is not the same as your GDPR data inventory. You need to locate:

  • Where CCCD numbers, tax codes, bank accounts, and social insurance numbers are stored
  • Which systems process this data (Google Workspace, HR platforms, payroll systems)
  • Who has access to this data, including whether it leaves Vietnam

2. Prepare a Vietnamese-Format DPIA

Commission a DPIA that meets the format and content requirements of Decree 356. This is a standalone document — you cannot simply translate your existing GDPR DPIA and submit it.

3. Register Cross-Border Transfers with the MPS

If any Vietnamese personal data leaves the country — including to cloud servers, parent companies, or third-party processors abroad — you must complete a Cross-border Transfer Impact Assessment and register with the Ministry of Public Security.

4. Update Consent Mechanisms

The PDPL has its own consent requirements. Review your privacy notices, employee consent forms, and data processing agreements to ensure they meet Vietnamese standards. Pay particular attention to consent for cross-border transfers, which must be separate and explicit.

5. Audit Your Google Workspace

If your company uses Google Workspace, run a compliance scan to identify where Vietnamese PII is stored across Drive, Gmail, Sheets, and Docs. This is typically the largest source of untracked personal data in FIEs operating in Vietnam.
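Steps 1 and 5 both come down to the same task: finding the identifiers listed under Local Data Categories inside documents and mailboxes that were never designed to hold them. The scanner below is an added example written for this edit; it is not CompliScan's tooling and not code from the PDPL or Decree 356. It runs over text already exported from Drive, Gmail or Sheets (the Workspace API calls are out of scope here) and encodes this editor's assumptions about common identifier formats rather than the decree's definitions: a 12-digit CCCD whose first three digits are a province code from 001 to 096, a 9-digit legacy CMND, a 10-digit tax code with an optional three-digit branch suffix, a 10-digit social insurance (BHXH) number, and a health insurance (BHYT) card number of two letters plus 13 digits whose last ten digits repeat the BHXH number. Bank account numbers are left out because the format varies by bank. The sample record is constructed and every value in it is fake.

```python
"""Added example: scan exported text for Vietnamese identifier formats.

The formats below are this editor's assumptions about common identifier
layouts, not the category definitions in Decree 356.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str        # identifier category
    value: str       # matched text
    line: int        # 1-based line number in the scanned text
    confidence: str  # "high" when a structural check or a nearby label supports the category


# Digit-run patterns are bounded by non-digit lookarounds so a 12-digit CCCD is
# never also reported as a 10- or 9-digit identifier.
RE_CCCD = re.compile(r"(?<!\d)\d{12}(?!\d)")
RE_CMND = re.compile(r"(?<!\d)\d{9}(?!\d)")
RE_TEN_DIGIT = re.compile(r"(?<!\d)\d{10}(?:-\d{3})?(?!\d)")  # tax code / BHXH / phone
RE_BHYT = re.compile(r"\b[A-Z]{2}\d{13}\b")                   # health insurance card (assumed layout)

# Labels (assumed, Vietnamese and English) that appear before an identifier on the same line.
CTX_ID = re.compile(r"CCCD|CMND|căn cước|chứng minh|citizen id", re.IGNORECASE)
CTX_TAX = re.compile(r"\bMST\b|mã số thuế|tax (?:code|id)", re.IGNORECASE)
CTX_BHXH = re.compile(r"BHXH|bảo hiểm xã hội|social insurance", re.IGNORECASE)
CTX_PHONE = re.compile(r"điện thoại|\bSĐT\b|phone|\btel\b", re.IGNORECASE)


def cccd_plausible(digits: str) -> bool:
    """Structural check (assumed): the first three digits are a province code 001..096."""
    return 1 <= int(digits[:3]) <= 96


def scan(text: str) -> list[Finding]:
    """Return one Finding per identifier-looking token, classified by the label on its line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in RE_CCCD.finditer(line):
            label = line[: m.start()]
            conf = "high" if cccd_plausible(m.group()) or CTX_ID.search(label) else "low"
            findings.append(Finding("CCCD", m.group(), lineno, conf))
        for m in RE_CMND.finditer(line):
            conf = "high" if CTX_ID.search(line[: m.start()]) else "low"
            findings.append(Finding("CMND", m.group(), lineno, conf))
        for m in RE_TEN_DIGIT.finditer(line):
            value, label = m.group(), line[: m.start()]
            if "-" in value or CTX_TAX.search(label):
                findings.append(Finding("TAX_CODE", value, lineno, "high"))
            elif CTX_BHXH.search(label):
                findings.append(Finding("BHXH", value, lineno, "high"))
            elif CTX_PHONE.search(label):
                findings.append(Finding("PHONE", value, lineno, "high"))
            else:
                # Tax codes, social insurance numbers and mobile numbers are all
                # 10 digits: without a label the category cannot be decided from
                # the value alone, so hand it to a human instead of guessing.
                findings.append(Finding("TAX_OR_BHXH_OR_PHONE", value, lineno, "low"))
        for m in RE_BHYT.finditer(line):
            card = m.group()
            findings.append(Finding("BHYT", card, lineno, "high"))
            # Assumed structure: the last 10 digits of the card number are the
            # holder's social insurance number, so one card exposes two identifiers.
            findings.append(Finding("BHXH", card[-10:], lineno, "high"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count distinct values per category, the figure a risk report would cite."""
    distinct: dict[str, set[str]] = {}
    for f in findings:
        distinct.setdefault(f.kind, set()).add(f.value)
    return {kind: len(values) for kind, values in sorted(distinct.items())}


# Constructed sample resembling an HR record pasted into a shared document; every value is fake.
SAMPLE_TEXT = """Hồ sơ nhân viên - Nguyen Van A
CCCD: 001099012345
CMND cũ: 012345678
Mã số thuế cá nhân: 0312345678
MST chi nhánh: 0312345678-001
Số BHXH: 0123456789
Thẻ BHYT: DN4010123456789
Điện thoại: 0912345678
Mã đơn hàng: 20240115
Ghi chú nội bộ: 0287654321
Mã vận đơn: 999888777666
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f.line:>2} {f.kind:<22} {f.value:<16} {f.confidence}")
    print(summarize(scan(SAMPLE_TEXT)))
```

Running the file directly prints one line per hit and the per-category counts for the sample. Two details matter more than the regexes. A 12-digit run with an out-of-range province prefix (the shipment number on the last line) is still reported, but at low confidence, so a structural check reduces noise without hiding a possible hit. And the 10-digit branch is where a regex-only scan goes wrong: tax codes, BHXH numbers and mobile numbers share the same length, so the category is decided from the label on the same line, and an unlabelled number is flagged for triage rather than silently counted as sensitive data.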


The Connection to Decree 337

Foreign-invested companies face a second overlapping requirement: Decree 337 mandates that all employers in Vietnam register electronic labor contracts by July 1, 2026. Since labor contracts contain personal data (names, ID numbers, salaries, addresses), Decree 337 compliance is also a PDPL compliance issue.

Companies preparing for Decree 337 should address both requirements simultaneously rather than treating them as separate workstreams.


Common Mistakes FIEs Make

Assuming GDPR covers Vietnam. It does not. The PDPL is a separate legal framework with its own requirements, enforcement body, and penalties.

Not registering cross-border transfers. Many FIEs routinely send data to headquarters without realizing this requires MPS registration under the PDPL.

Using a GDPR DPIA for Vietnam. The format and content requirements are different. A GDPR DPIA will not pass Vietnamese regulatory review.

Ignoring Google Workspace data. FIEs often focus on structured databases (HR systems, ERP) while overlooking the unstructured data in Google Drive, Gmail, and Sheets — which is frequently where the most PII exposure exists.


Next Steps

The PDPL is already in effect. Companies that have not begun compliance work are operating without legal cover. The good news: the steps are clear, and starting with a data audit gives you visibility into your actual risk.

CompliScan specializes in Google Workspace compliance audits for companies operating in Vietnam. We scan your Drive, Gmail, Sheets, and Docs for Vietnamese PII exposure and deliver a detailed risk report within 48 hours. Request your free risk assessment →


This article is for informational purposes only and does not constitute legal advice. Consult a qualified Vietnamese attorney for advice specific to your company's situation.