AesirX ComplianceOne | Vietnam PDPL Compliance

Why the Vietnam PDPL Matters

The Vietnam Personal Data Protection Law (Law 91/2025/QH15) is Vietnam's comprehensive personal data protection framework. Administered by the Ministry of Public Security (MPS), it establishes obligations for all organizations that collect, store, process, or transfer personal data within Vietnam or involving Vietnamese data subjects. It replaces the earlier PDPL/Decree 13 regime with a unified statutory instrument.

For organizations operating in Vietnam, the PDPL creates a broad set of compliance obligations. Non-compliance can result in administrative penalties, suspension of data processing activities, and reputational consequences. The law applies to domestic organizations, foreign entities processing data of Vietnamese individuals, and data processors acting on behalf of controllers, meaning nearly every enterprise with Vietnam operations is in scope.

The operational burden is substantial. The PDPL requires organizations to conduct and file Data Processing Impact Assessments (DPIAs) with MPS when statutory triggers are met, fulfill data subject rights requests within defined timelines, manage cross-border data transfers with documented impact assessments, notify MPS of personal data breaches within statutory windows, and maintain consent records with proper legal basis documentation. Each obligation requires coordination across legal, IT, HR, marketing, and procurement departments, all producing evidence under shared deadlines.

Policy documentation alone does not satisfy the PDPL. Regulators expect operational proof – filed dossiers with correctly labeled official forms, submission packages validated for completeness, timestamped evidence of rights request fulfillment, and audit-grade records showing who did what and when. Organizations need structured workflows that produce this evidence as a natural byproduct of compliance operations, not as a retrospective exercise before an inspection.

What the Vietnam PDPL Covers

| Dimension | Coverage |
| --- | --- |
| Scope | All organizations collecting, storing, processing, or transferring personal data in Vietnam or involving Vietnamese data subjects. |
| Affected organizations | Domestic enterprises, foreign entities processing Vietnamese personal data, data processors, government agencies handling citizen data. |
| Key obligations | DPIA dossier filing to MPS, data subject rights fulfillment (access, correction, deletion, portability, objection), cross-border transfer impact assessments, breach notification, consent management, DPO designation, annual compliance review. |
| Evidence requirements | Filed DPIA dossiers with official form labels (Mau so, Phu luc), rights request case records with SLA tracking, cross-border transfer documentation, breach notification records, consent logs with legal basis, audit trails for all compliance actions. |
| Filing/submission | Dossier-based submissions to MPS via administrative procedures defined in Decree 356 and Decision 778/QD-BCA-A05, using official Mau so and Phu luc form templates. |
| Deadlines | 72-hour breach notification window (Mau so 08), 30 calendar days for MPS filing review, 15 working days for supplement response, policy-defined SLA for rights request fulfillment. |

Decrees and Procedures

The PDPL compliance landscape spans current requirements, superseded instruments still relevant as context, and upcoming enforcement changes. Understanding the full picture matters.

Personal Data Protection Law (91/2025/QH15)

Decree 356/2025/ND-CP (PDPL Implementation): active

MPS A05 Administrative Procedures (Decision 778/QĐ-BCA-A05): active

Vietnam PDPL (Decree 13/2023 era): legacy

Decree 13 – PDPL Operational Baseline: legacy

Draft Enforcement Decree 2026: draft

How ComplianceOne Supports the Vietnam PDPL

ComplianceOne provides end-to-end operational tooling for PDPL compliance, starting with the DPIA workflow. When statutory triggers are met, the platform guides organizations through dossier preparation using the correct official form templates (Mau so 02a/02b for DPIA submission, Mau so 10 for the assessment report), routes sections to responsible departments for completion, tracks contributor progress against deadlines, and produces submission-ready packages for MPS filing. The filing lifecycle – draft, internal review, approved for submission, submitted to authority, supplement loop, accepted – is managed as a structured workflow with audit events at every state transition.

For data subject rights, the Rights Requests module handles the full case lifecycle: intake, identity verification, rights-type routing to responsible departments, fulfillment tracking, response generation, and case closure with evidence preservation. Each case tracks SLA compliance against configured deadlines, and the platform generates the required acknowledgment, completion, and rejection documentation automatically. Cross-border transfer obligations are managed through the Data Mapping and DPIA modules, which support transfer impact assessments, recipient documentation, and dossier filing using Mau so 01a/01b and Mau so 09.

Breach notification is handled through the Incident Response module, which tracks incident discovery, assessment, authority notification (using Mau so 08 within the 72-hour statutory window), supplement loops if MPS requests additional information, and remediation. The Consent Governance module maintains consent records with legal basis documentation, withdrawal propagation across systems, and version history, providing the evidentiary foundation that the PDPL requires for lawful processing.

Every compliance action across these modules produces audit events with contributor lineage, creating the operational proof that regulators expect. Evidence packs can be generated at any time (not just during audit windows) with cryptographic integrity verification (SHA-256 hashing) and configurable redaction profiles for different audiences (internal, auditor, regulator, data subject).

Related Modules

Rights Requests

Manages data subject rights intake, fulfillment, SLA tracking, and response generation for PDPL rights obligations.

Data Mapping

Maintains Records of Processing Activities (RoPA) and systems inventory required for DPIA preparation and cross-border transfer documentation.

Consent

Tracks consent records, legal basis, withdrawal propagation, and version history across all processing activities.

Assessments

Structures DPIA dossier preparation, department routing, and MPS filing workflow using official Decree 356 form templates.

Incidents

Manages breach detection, assessment, MPS notification using Mau so 08, supplement loops, and remediation tracking.

Deletion Orchestration

Coordinates deletion propagation across systems and vendors when fulfilling deletion rights requests.

Compliance Forms

Provides interactive Form Wizard templates for all 13 Mau so and 8 Phu luc forms required by Decree 356.

Audit Trail

Captures tamper-evident, hash-chained records of every compliance action with contributor lineage.

Compare the Difference

| Without Structured Framework Operations | With ComplianceOne |
| --- | --- |
| DPIA dossiers are assembled manually from disconnected department inputs, risking incomplete sections and missed filing deadlines. | DPIA dossiers are assembled through structured multi-department workflows with official form templates, contributor tracking, and submission-ready packaging. |
| Data subject rights requests are tracked in spreadsheets without SLA enforcement, leaving organizations unable to prove timely fulfillment. | Rights requests follow a defined case lifecycle with SLA tracking, automated documentation, and evidence preservation at every step. |
| Breach notification deadlines are managed informally, with no structured workflow to ensure the 72-hour MPS notification window is met. | Breach notification is managed through a timed workflow with Mau so 08 generation, supplement handling, and remediation tracking. |
| Cross-border transfer impact assessments lack a centralized record, making it difficult to produce documentation during inspections. | Cross-border transfers are documented with impact assessments, recipient records, and filing dossiers using official Mau so 01a/01b and Mau so 09 templates. |
| Consent records are scattered across systems with no single source of truth for legal basis or withdrawal status. | Consent governance provides a centralized record with legal basis linkage, withdrawal propagation, and audit-grade version history. |

Built for PDPL Compliance Operations

ComplianceOne supports all 13 Mau so administrative procedure forms and all 8 Phu luc statutory annexes defined by Decree 356 – the implementing decree for the PDPL – ensuring organizations can produce correctly labeled, submission-ready documents for MPS filing.

The platform captures contributor lineage across all compliance actions, creating audit-grade evidence of who contributed what, when, and under whose authority. This addresses the PDPL's requirement for demonstrable accountability across multi-department compliance operations.

Seven Vietnam regulatory frameworks are supported within a shared workflow engine, enabling organizations subject to multiple overlapping frameworks to manage compliance operations from a single platform with consistent evidence production and audit trail coverage.

See PDPL Compliance in Action

Ready to see how ComplianceOne manages PDPL obligations operationally? Request a demo tailored to your regulatory needs.

Tu Pham - Country Manager, AesirX

Head of Risk with 15+ years in fintech and banking across ERM, compliance, fraud, audit, and regulatory frameworks.

Or contact via

tu@aesirx.io, +84 918098010

People Also Ask

Yes. The platform includes interactive Form Wizard templates for all 13 Mau so administrative procedure forms (01a through 10) and all 8 Phu luc statutory annexes (I through VIII) defined by Decree 356/2025/ND-CP. Forms are pre-labeled with official template IDs and structured to match the format required by MPS administrative procedures.

The DPIA workflow routes specific dossier sections to responsible departments (legal, IT security, HR, marketing, procurement), tracks each department's contribution progress against shared deadlines, and consolidates completed sections into a submission-ready package. Contributor lineage is preserved in the audit trail, showing who completed which section and when.

The Incident Response module tracks the breach notification timeline from discovery, generates Mau so 08 (breach notification form) for MPS filing, manages supplement request loops if MPS requires additional information, and tracks remediation actions through to case closure. SLA enforcement is configurable to match your organization's internal escalation procedures.

Each rights request creates a case with identity verification, rights-type classification, department routing for fulfillment, SLA tracking against configured deadlines, and automated generation of acknowledgment, completion, or rejection documentation. Evidence packs are generated at case closure for audit readiness.

Yes. ComplianceOne supports 7 Vietnam regulatory frameworks within a shared workflow engine. Organizations subject to multiple frameworks, such as PDPL, the Data Law, and the Cybersecurity Law, manage all obligations from a single platform with consistent audit trail coverage and evidence production across frameworks.

Next Steps

Start a Compliance Pilot

Test PDPL compliance workflows with your team – DPIA filing, rights requests, breach notification, and evidence generation.

Discuss Your Compliance Needs

Talk to our team about PDPL compliance operations, multi-framework coverage, and deployment options for your organization.