
Cross-Border Data Transfers: Evidence Requirements

Apr 22, 2026 · 17 minute read

Cross-Border Data Transfers: Evidence Requirements Beyond the Assessment


TL;DR: Most organizations treat cross-border transfer compliance as a one-time submission event. A team completes Mẫu số 09, assembles Mẫu số 01a, submits the dossier to the Ministry of Public Security, receives an acknowledgement, and closes the case. Under Vietnam's PDPL and Decree 356, that mindset produces an incomplete evidence record. The initial assessment is only the first artifact in a living evidence chain. Sub-processor changes, DPA version updates, destination-country risk shifts, vendor certification expiries, incident notification clauses, and material changes to the transfer itself all generate new evidence obligations, and in many cases trigger amendment filings (Mẫu số 03a) or rapid supplement handling with very short evidence-assembly windows. This article explains why the assessment is not the proof, what the ongoing evidence requirements actually look like, and how a GRC platform turns each transfer into a living dossier that stays filing-ready between submissions.

This article is written for DPOs, privacy counsel, vendor governance leads, procurement compliance managers, and cross-border transfer owners accountable for Decree 356 filings to the Ministry of Public Security. It is especially relevant for enterprises in banking, telecom, e-commerce, and multinational subsidiaries where data routinely flows to regional cloud providers, parent-company systems, offshore processors, or global SaaS platforms, and where a single filing typically sits on top of a web of vendors that keeps changing underneath it.

The filing that looked closed, and was not

Your Vendor Governance Lead walks into the DPO's office on a Monday morning with a problem. The regional cloud provider that hosts your customer service platform was filed eighteen months ago. Mẫu số 01a was submitted. Mẫu số 09 was completed. Legal reviewed the DPA. The DPO signed off. The filing was submitted and recorded in the case. The case was marked closed.

Over the last eighteen months, four things happened that nobody routed back to the transfer record. The provider added a sub-processor in a different jurisdiction. The DPA template was reissued to reflect new standard clauses, but the signed version in your records is the older one. The provider's security certification expired and was reissued under a different scheme. A minor incident was reported by the provider under their breach notification clause, and it was handled by the security team, but never connected to the transfer dossier.

Now the MPS has written to the DPO requesting updated materials in relation to the transfer dossier during review or administrative procedure. The request cites the reported incident and asks whether the organization has reassessed the transfer in light of it. If the authority asks for additional materials, the practical response window can compress quickly, especially where dossier completion, update, or administrative follow-up is required.

An assessment is a snapshot. Cross-border compliance is a continuous evidence chain. The difference is what happens between filings.

The assessment dossier filed eighteen months ago has not become wrong. It has become stale. The evidence that existed at the moment of submission no longer represents the operational reality of the transfer. The DPO's problem is not that a document is missing. The DPO's problem is that the organization treated the filing as an endpoint rather than the beginning of an evidence-maintenance obligation.

Why the assessment is only the first artifact

Decree 356 and PDPL do not define cross-border transfer compliance as a one-time filing. They define it as a regulated relationship between the data exporter, the recipient, and the Ministry of Public Security, with obligations that continue as long as the transfer continues. The initial filing establishes the baseline. Everything after that is either evidence that the baseline still holds, or evidence that a material change has occurred and an amendment must be filed.

The assessment itself, Mẫu số 09, captures the organization's evaluation of the transfer at a point in time: the data categories involved, the recipient's legal jurisdiction, the contractual safeguards, the security controls, the legal basis, and the risk profile. It is built on a set of assumptions about how the transfer will operate. Those assumptions have a lifespan.

Operationally, the following assumptions all decay:

  • The recipient's sub-processor list at the time of filing will change over the life of the transfer.
  • The data processing agreement version signed at onboarding will be superseded by updated standard clauses.
  • The security certification cited in the initial assessment will expire and be reissued under a potentially different scheme.
  • The incident notification clause performance will be tested by real incidents, some of which may be minor and some of which may be material.
  • The destination country's regulatory environment may change, affecting the adequacy of the safeguards.
  • The scope of personal data flowing to the recipient will drift as product teams add features, integrate new systems, or expand use cases.

Each of these changes is evidence. Each of them may either confirm the original assessment remains valid, or trigger a reassessment. Where a change falls within the dossier-update cases under Decree 356 Article 20, the organization updates the transfer impact dossier using Mẫu số 03a/03b. The regulator does not define "materially" for every possible case. The burden of that judgement sits with the organization, and the evidence supporting the judgement sits with the DPO.

The five evidence streams that live between filings

Once a transfer is filed, five distinct streams of evidence need to be captured, linked to the transfer case, and made available for supplement responses or amendment filings:

  • Vendor record changes, including sub-processor additions, ownership changes, hosting location shifts, and certification status.
  • Contract lifecycle evidence, including DPA version updates, addenda, standard clause refreshes, and renewal decisions.
  • Security posture evidence, including assessment reports, penetration test findings, ISO or SOC renewals, and remediation tracking.
  • Incident evidence, including the vendor's internal notifications, the breach notification clause performance, any reports delivered to your organization under that clause, and the impact judgement you made in response.
  • Transfer scope evidence, including new data categories added, new processing purposes introduced, and new systems routed through the vendor.

None of these streams are optional. All of them exist today in most organizations. What is missing is the link between the stream and the transfer filing.

Why paper-based evidence chains collapse under supplement requests

In practice, supplement handling windows are short and evidence assembly time disappears quickly once the authority requests clarification or completion.

In a paper-centric compliance function, the response requires assembling evidence from five departments, reconstructing a timeline, locating the signed DPA, confirming which version of the DPA applied during which incident, and producing a coherent narrative that connects the original Mẫu số 09 to the present operational state of the transfer.

Each of those reconstruction steps is an evidence gap. Procurement holds the signed contract, but not the version history. Legal holds the clause review, but not the connection to the security incident. The security team holds the incident record, but not the link to the transfer case. Vendor Management holds the certification tracker, but not the timeline of certifications cited in the Mẫu số 09 at the time of filing. Finance holds the invoicing that proves the transfer is still live, but not the connection to anything else.

A supplement response is not a document search. It is a coherence test. If your evidence cannot tell one story, the regulator hears five.

Organizations often discover the gap only when the first supplement request lands. By then, the reconstruction cost is already a compliance failure, whether or not the MPS explicitly notes it. Missing the authority’s practical handling window because the evidence is scattered is not a filing quality issue. It is an accountability failure for the DPO named on the original submission.

The amendment filing as a disciplined change record

The amendment filing under Mẫu số 03a is the regulatory instrument used to update the submitted transfer impact dossier where required under Decree 356 Article 20. It connects the initial dossier to the current operational state of the transfer.

In practice, changes such as a new sub-processor in a different jurisdiction, a change in legal basis, a significant incident, a material modification of the DPA, or a change in data scope should trigger reassessment. Where the change falls within the decree’s update cases, the filing instrument is Mẫu số 03a/03b.

A disciplined amendment filing contains four elements:

  • A reference to the original filing, typically Mẫu số 01a with its submission timestamp and MPS acknowledgement.
  • A description of the material change, with a timestamp and a source that generated the evidence (vendor notification, internal case, incident record).
  • A reassessment of the transfer risk in light of the change, typically captured as a new or updated Mẫu số 09 section.
  • Updated supporting evidence: the new DPA version, the new sub-processor entry, the updated security assessment, the updated jurisdiction analysis.

Every one of these elements is evidence that either existed in another system or had to be created in response to the change. The discipline is not producing the evidence. The discipline is connecting the evidence to the filing case so that when the MPS asks, the answer is available in one place, not five.

The living dossier: what a GRC platform actually changes

A GRC platform does not eliminate the regulatory obligation. It changes the shape of the work required to meet it. The transformation runs through six connected capabilities that exist in the AesirX ComplianceOne platform today, across 28 modules and 392 permissions, localized across 16 supported languages.

The transfer record as a live case

Each cross-border transfer exists as a case with a durable identity. The case is not a row in a spreadsheet. It is a governance object that carries a case number, an owner, a status, a set of linked records, and a full audit trail. When the Vendor Governance Lead opens the case for the regional cloud provider filed eighteen months ago, they see:

  • The initial filing record, including the Mẫu số 01a dossier, the Mẫu số 09 impact assessment, and the submission timestamp to the MPS.
  • The vendor record, linked to the transfer, with the current sub-processor list, the current DPA version, and the current certification status.
  • The data mapping view, showing which processing activities and data categories route through this transfer.
  • The incident history, filtered to incidents affecting this vendor or this transfer.
  • The timeline, showing every change event that has touched this case since filing.

The case is the spine. Every other evidence stream feeds into it.

The Data Mapping module as the inventory foundation

Data Mapping holds the organization's processing activities and their associated cross-border flows. When a new processing activity is registered, the module asks whether the activity routes personal data outside Vietnam. If it does, the activity is linked to a transfer record, and the transfer record inherits the data scope from the activity. If the activity later expands to include a new data category or a new system, the change propagates to the transfer record and triggers a reassessment prompt.

This closes the evidence gap between the organization’s records of processing / data-mapping inventory and the transfer filing.

A regulator asking "what data is flowing to this recipient today?" receives an answer drawn from the live processing activity, not from the Mẫu số 09 section that was written eighteen months ago.

The Vendor Governance module as the contract and sub-processor spine

Vendor Governance holds the recipient's record. The signed DPA is stored with version history. The sub-processor list is maintained as a structured register, not as an email from the vendor. When a sub-processor is added, the change is captured as a governance event, linked to the vendor, linked to the transfer case, and flagged for DPO review.

When the MPS asks about sub-processors in a supplement request, the DPO does not search inboxes. The DPO opens the vendor record, exports the sub-processor history with timestamps, and attaches it to the supplement response. The evidence is not assembled for the response. The evidence was captured at the moment each change occurred.

The Assessments module as the reassessment engine

The Assessments module holds the Mẫu số 09 for each transfer, and more importantly, it holds the reassessment lineage. When a material change is flagged in Vendor Governance or Incident Ops, the Assessments module opens a reassessment case linked to the original assessment. The reassessment either confirms the original risk rating, or documents the new rating and triggers the amendment filing (Mẫu số 03a) with its own lifecycle.

This is the regulated discipline implied by PDPL Article 20 and Decree 356 Articles 18 and 20, which set the filing, review, and dossier-update mechanics for cross-border transfer dossiers.

Most organizations execute it through a conversation between the DPO and the vendor governance lead. A platform executes it as a structured case with a defined owner, a defined approval chain, and a defined output.

The Audit Trail as the defensibility layer

Every action on the case is recorded in the audit trail: who updated the DPA version, who acknowledged the sub-processor change, who prepared the reassessment, who approved it, who submitted the amendment, and when each action occurred. The audit trail is the defensibility layer. When the MPS asks for the evidence chain supporting a reassessment decision, the trail is exportable, not reconstructable.

Use case: the regional cloud provider that added a sub-processor

A retail bank files Mẫu số 01a and Mẫu số 09 for its regional cloud provider hosting customer relationship data in Singapore. The filing is accepted. Eleven months later, the provider adds a new sub-processor in India for backup storage, notifies the bank under the DPA, and updates its sub-processor list.

In a spreadsheet-based compliance function, the notification lands in the Vendor Governance Lead's inbox. It is forwarded to the DPO. The DPO notes it. The sub-processor change is entered into a vendor tracker. Six months later, the MPS asks about current sub-processors, and the tracker does not match the filing.

In a platform-operated compliance function, the sub-processor notification is ingested as a vendor event. The vendor record updates. The transfer case linked to the vendor fires a reassessment prompt because a sub-processor in a new jurisdiction is classified as a material change under the organization's own risk rules. An assessment task routes to the DPO with the new jurisdiction analysis, the DPA addendum reference, and the previous Mẫu số 09 attached for context. The DPO reviews, decides whether an amendment filing is required, and either documents the decision to remain on the original filing (with justification) or, where the change falls within the decree’s dossier-update cases, opens an amendment case that produces Mẫu số 03a linked back to the original Mẫu số 01a.

Either way, the evidence exists. The decision is defensible. The lineage is intact. When the MPS asks about sub-processors in month thirteen, the answer is available in one export.

Use case: the multinational subsidiary filing for parent-company data flows

A Vietnam subsidiary of a European parent company routes personal data to the parent's global CRM platform for consolidated customer analytics. The subsidiary's Local Compliance Lead carries two burdens: satisfying the parent's global GRC system, which does not produce PDPL forms, and satisfying the Ministry of Public Security, which requires Mẫu số 01a, Mẫu số 09, and the transfer impact dossier components required under Decree 356 Article 18.

The Local Compliance Lead builds the transfer case in the platform against the parent-company vendor record. The data scope is inherited from the Vietnam processing activities registered in Data Mapping. The DPA is the parent’s global inter-company agreement, with a Vietnam addendum covering PDPL and Decree 356 cross-border transfer requirements. The assessment captures the Vietnam-specific risk profile, even though the parent's global assessment is separate. The DPO sign-off is on the Vietnam filing, distinct from the parent's internal approvals.

Six months later, the parent changes a sub-processor in its global infrastructure. The change is material under Vietnam's criteria even though the parent's global program treats it as routine. The platform opens a reassessment, produces Mẫu số 03a, where required under the decree’s dossier-update cases, with lineage to the original filing, and submits to the MPS. The Vietnam compliance record is complete. The parent's global record remains its own. The subsidiary has satisfied both obligations without rebuilding either.

Use case: the supplement response that arrived in month nine

A payments company files Mẫu số 01a and Mẫu số 09 for a fraud-analytics processor in the United States. The filing is accepted. In month nine, the MPS sends a request for additional materials and reassessment support in light of concerns about the current transfer safeguards and operating environment.

The Compliance Manager opens the transfer case. The case shows the original filing, the intervening vendor events (one DPA version refresh, one certification renewal), the original jurisdiction assessment, and the current sub-processor list. The platform opens a supplement response task with a defined internal handling window. 

The Compliance Manager assembles the response: a reassessment memo referring to the destination-country change, the current DPA version, the confirmation that no material change has occurred in the transfer scope, and the DPO sign-off on the conclusion.

The supplement response is submitted within the internal handling window. The evidence supporting the response is exportable from the case. The MPS accepts the response. The transfer remains on the original Mẫu số 01a, with a clean lineage that now includes the supplement record. The case stays open, and the reassessment cadence continues.

The shift: from filing submission to living dossier

The regulatory frame under Decree 356 is not "file a good assessment and move on." It is "maintain a defensible transfer record, and amend it when material changes occur." The difference is not philosophical. It is operational, and it decides whether the organization can respond to a supplement request without drama.

Most organizations are still operating under the first frame. The DPO produces a strong initial filing. Everyone celebrates. The case is closed. Over the next eighteen months, five material changes occur, each handled by a different function, none of them fed back into the transfer record. When the MPS eventually asks, the organization discovers that its filing is stale, its evidence is scattered, and its DPO has a very short practical window to produce a coherent answer that does not yet exist in one place.

The shift to a living dossier changes the day-to-day rhythm. The Vendor Governance Lead routes sub-processor changes through the transfer case. The Legal Counsel updates the DPA version against the vendor record. The Security Lead attaches certification renewals to the vendor. The Incident Manager links vendor incidents to the transfer. The DPO reviews the case on a defined cadence, confirms or challenges the current risk rating, and either keeps the filing or opens an amendment. The MPS, when it asks, receives an answer that reflects the current state of the transfer.

The organizations that make this shift discover that the second and third filings are dramatically less painful than the first, because the evidence is already accumulated. The organizations that do not make it discover, filing by filing, that the assessment they wrote in month one is not the evidence the regulator is asking about in month eighteen.

Closing

Cross-border transfer compliance under Vietnam's Decree 356 is a continuous evidence discipline, not a documentation milestone. The Mẫu số 09 impact assessment is the starting point, not the proof. The proof is the accumulated record of vendor changes, DPA updates, sub-processor movements, security posture shifts, incident handling, and reassessment decisions, all linked to the transfer case and available when the Ministry of Public Security asks.

Organizations that treat the filing as an endpoint will eventually fail a supplement request or miss a material-change window. Organizations that build the transfer case as a living dossier will respond to the regulator in days, not weeks, with evidence that holds under scrutiny. The difference is the platform, the discipline, and the decision to stop treating each filing as a standalone project.

To see how the living-dossier model works in practice, visit AesirX ComplianceOne: https://aesirx.io/compliance-one

Request a demo to walk through a complete cross-border transfer lifecycle, from initial Mẫu số 01a submission through vendor change events, reassessment, and Mẫu số 03a amendment filing, with the evidence chain assembled as a byproduct of vendor governance.

Ronni K. Gothard Christiansen, Technical Privacy Engineer & CEO @ AesirX.io

Laws referenced in this article:

  • Vietnam Personal Data Protection Law 2025 (PDPL)
  • Decree 356/2025/NĐ-CP detailing implementation of the Personal Data Protection Law
  • Administrative Procedures Decision 778/QĐ-BCA-A05 (Ministry of Public Security procedures)
  • Decree 13/2023/NĐ-CP on Personal Data Protection (legacy provisions where still applicable)

Disclaimer: This article provides operational guidance based on publicly available regulatory texts. It does not constitute legal advice. Organizations should consult qualified legal counsel for jurisdiction-specific compliance requirements, especially where Ministry of Public Security filings, supplement response obligations, material change determinations, or amendment filing thresholds are involved.

Frequently Asked Questions About Cross-Border Transfer Evidence Requirements

Answer: No. The article makes clear that the initial cross-border transfer assessment is only the first artifact in a longer evidence chain. Under Vietnam’s PDPL and Decree 356, compliance continues after the original filing through reassessment, vendor-change tracking, incident linkage, contract updates, and, where required, amendment filings.

Answer: Organizations should maintain ongoing evidence across five streams: vendor record changes, contract lifecycle evidence, security posture evidence, incident evidence, and transfer scope evidence. The article explains that these changes do not replace the original filing, but determine whether the original assessment remains valid or whether the transfer must be reassessed or amended.

Answer: An amendment filing may be required where a change falls within the dossier-update cases under Decree 356 Article 20. In practice, changes such as a new sub-processor in another jurisdiction, material DPA updates, significant incidents, legal basis changes, or scope changes should trigger reassessment. Where the change meets the decree’s update conditions, the filing instrument is Mẫu số 03a/03b. The determination of whether an update is required sits with the organization and its evidence record.

Answer: Supplement requests create problems because most organizations have the underlying evidence spread across procurement, legal, security, vendor management, and finance, without linking it back to the transfer case. The article argues that the real problem is not missing documents, but the inability to produce one coherent story within the response window when the Ministry of Public Security asks for updated material.

Answer: A living dossier is a continuously maintained transfer case that links the original filing, current vendor record, DPA version history, sub-processor changes, incidents, reassessments, and amendment lineage in one place. The article presents this as the operational shift from treating a filing as a closed submission to treating the transfer as an ongoing regulated relationship that must remain filing-ready between submissions.
