DPO Radio
AesirX ComplianceOne | Vietnam Decree 356 PDPL Implementation
Decree 356/2025/ND-CP (PDPL Implementation)
Vietnam's PDPL implementing decree – 21 official forms, 6 MPS procedures, and prescribed filing workflows
Manage every administrative procedure form, statutory annex, and MPS filing timeline defined by Decree 356/2025/ND-CP with structured compliance workflows and official form templates.
Decree 356/2025/ND-CP: Scope and Current Status
Decree 356/2025/ND-CP is the primary implementing decree for Vietnam's Personal Data Protection Law (Law 91/2025/QH15). Issued by the Government of Vietnam and administered by the Ministry of Public Security (MPS), it translates the PDPL's statutory obligations into the specific administrative procedures, official form templates, data structure requirements, and procedural timelines that organizations must follow when interacting with the MPS. Decree 356 is currently in force.
Where the PDPL establishes the "what" of compliance – organizations must conduct DPIAs, notify breaches, document cross-border transfers, fulfill data subject rights – Decree 356 specifies the "how." It prescribes 13 official administrative procedure forms (Mau so 01a through Mau so 10) that organizations must use for each filing type, and 8 statutory annexes (Phu luc I through Phu luc VIII) that define the data structures for processing registers, impact assessments, transfer applications, breach records, consent documentation, rights request records, data processing agreements, and annual compliance reports. Each form carries an official template ID that must appear on the document submitted to MPS.
At the operational level, Decree 356 is where compliance moves from policy to evidence. The decree specifies exactly which Mau so forms apply to DPIA dossier submissions (Mau so 02a/02b, Mau so 10), cross-border transfer filings (Mau so 01a/01b, Mau so 09), dossier update notices (Mau so 03a/03b), service processing certificate applications (Mau so 04, 05, 06, 07), and breach notifications (Mau so 08). Six of these forms are further operationalized through MPS A05 administrative procedures defined in Decision 778/QD-BCA-A05, adding specific procedural steps and timelines on top of the base form requirements. Organizations that prepare submissions without referencing these specific forms – and without correctly labeling each document with its official template ID – risk rejection, supplement requests, or penalty exposure.
How Decree 356 Relates to the Vietnam PDPL
The Vietnam Personal Data Protection Law (Law 91/2025/QH15) is the parent statutory framework. It establishes the legal obligations that apply to all personal data controllers, processors, and service processors operating in Vietnam. For a full understanding of those statutory obligations, see the Vietnam PDPL (Law 91/2025/QH15) compliance page.
Decree 356 is the implementing instrument that operationalizes those obligations. The PDPL delegates to the Government (and through the Government, to the MPS) the authority to specify administrative procedures, form formats, and procedural timelines. Decree 356 exercises that delegation. This means that a compliance practitioner who reads only the PDPL knows what is required but not how to execute it in a way that MPS will accept. Decree 356 is the gap between statutory obligation and operational compliance.
For practitioners implementing PDPL compliance, this creates a two-layer working requirement: the PDPL layer defines the triggers (when must a DPIA be filed, when must a breach be notified), while the Decree 356 layer defines the execution (which form, which data fields, through which MPS procedure, within which timeline). ComplianceOne supports both layers in an integrated workflow, but understanding Decree 356's specific provisions is essential for configuring compliance programs at the procedure level.
Technical Provisions and Compliance Obligations
| Form | Offical ID | Purpose | Filing Procedure |
|---|---|---|---|
| Cross-Border Transfer Impact Assessment Application | Mau so 01a | Controller filing for cross-border transfers | MPS A05 via Decision 778 procedure |
| Cross-Border Transfer Assessment – Processor Filing | Mau so 01b | Processor/service processor cross-border filing | MPS A05 |
| DPIA Dossier Submission – Controller | Mau so 02a | Data controller DPIA submission to MPS | MPS A05 via Decision 778 procedure |
| DPIA Dossier Submission – Processor | Mau so 02b | Data processor DPIA submission to MPS | MPS A05 |
| Dossier Update Notice – Controller | Mau so 03a | Notification of changes to submitted DPIA dossier | MPS A05 |
| Dossier Update Notice – Processor | Mau so 03b | Processor notification of dossier changes | MPS A05 |
| Service Processing Certificate Application | Mau so 04 | Initial certificate application | MPS A05 |
| Service Processing Certificate Re-issuance | Mau so 05 | Certificate renewal or amendment application | MPS A05 |
| Service Processing Certificate Reissuance – Damage/Loss | Mau so 06 | Replacement application for damaged or lost certificate | MPS A05 |
| Service Processing Certificate Return | Mau so 07 | Certificate surrender notification | MPS A05 |
| Personal Data Breach Notification | Mau so 08 | MPS notification of confirmed personal data breach | Direct notification within statutory window |
| Cross-Border Transfer Impact Assessment Report | Mau so 09 | Supporting assessment report for cross-border transfer filing | Accompanies Mau so 01a/01b |
| DPIA Assessment Report | Mau so 10 | Supporting assessment report for DPIA dossier submission | Accompanies Mau so 02a/02b |
| Annex | Official ID | Data Structure |
|---|---|---|
| Records of Processing Activities | Phu luc I | Data mapping register of all processing activities |
| Data Processing Impact Assessment | Phu luc II | Structured impact assessment for statutory triggers |
| Cross-Border Transfer Application | Phu luc III | Transfer documentation and recipient details |
| Breach Record | Phu luc IV | Incident record for personal data breaches |
| Consent Record | Phu luc V | Consent documentation with legal basis linkage |
| Rights Request Record | Phu luc VI | Data subject rights case documentation |
| Data Processing Agreement | Phu luc VII | Controller-processor agreement template |
| Annual Compliance Report | Phu luc VIII | Annual review and compliance attestation structure |
| Obligation | Timeline | Reference |
|---|---|---|
| Breach notification to MPS | Within 72 hours of discovery | Mau so 08 |
| MPS review of filed dossier | 30 calendar days | Decree 356 procedure |
| Organization response to MPS supplement request | 15 working days | Decree 356 procedure |
| Resubmission after revision | 10 working days | Decree 356 procedure |
How ComplianceOne Supports Decree 356 Compliance
ComplianceOne implements all 21 official Decree 356 form templates as interactive Form Wizard templates in the Compliance Forms module. Each template is pre-populated with its official template ID (e.g., "Mau so 02a," "Phu luc I"), structured to match the prescribed data fields, and available in Vietnamese and English. When a practitioner initiates a filing, the platform presents only the forms applicable to the selected procedure type, reducing the risk of selecting an incorrect form for a given MPS interaction.
The filing lifecycle is modeled as a structured state machine: Draft, Internal Review, Approved for Submission, Submitted to Authority, Supplement Requested, Supplement Submitted, and Accepted. Each state transition is captured as an audit event with the responsible user's identity, timestamp, and any associated document version. This mirrors the administrative procedure steps in Decision 778/QD-BCA-A05, ensuring that the platform's workflow tracks the actual MPS procedural timeline. For multi-department dossiers – such as DPIA submissions that require contributions from legal, IT security, HR, marketing, and procurement – the platform routes each dossier section to the responsible department owner, tracks completion status, flags overdue contributors, and consolidates inputs into a single submission-ready package. Contributor identity and completion timestamps are preserved throughout.
Breach notifications under Mau so 08 are managed through the Incident Response module. When a personal data breach is confirmed, the platform initiates the 72-hour notification countdown from the discovery timestamp, pre-populates Mau so 08 with incident data already captured in the case record, routes the notification for legal review and approval, and produces the submission-ready document for MPS filing. If MPS requests a supplement, the supplement workflow links back to the original notification record, tracking the 15-working-day response deadline. All Phu luc annexes (I through VIII) are maintained as live data structures within their respective modules – Records of Processing Activities in the Data Mapping module, consent records in Consent Governance, rights request records in Rights Requests – ensuring that when a filing package is assembled, the supporting annex data reflects the current operational state of the organization.
Related Modules
Compliance Forms
Provides all 13 Mau so and 8 Phu luc templates with official IDs and prescribed data fields.
Explore Compliance FormsIncident Response
Manages the 72-hour breach notification workflow using Mau so 08, with supplement loop handling.
Explore IncidentsData Mapping
Maintains Records of Processing Activities aligned with Phu luc I data structure requirements.
Explore Data MappingConsent Governance
Maintains consent records in the Phu luc V format with legal basis linkage and withdrawal tracking.
Explore ConsentRights Requests
Manages rights request case documentation structured per Phu luc VI requirements.
Deletion Orchestration
Coordinates deletion propagation evidence for rights request documentation under Phu luc VI.
Explore Deletion OrchestrationAudit Trail
Captures tamper-evident records of every form preparation, state transition, submission, and supplement action.
Explore Audit TrailDPIA and Assessments
Structures multi-department DPIA dossier preparation using Mau so 02a/02b and Mau so 10.
Expore AssessmentsCompliance Readiness Checklist
Organizations implementing Decree 356 compliance should confirm:
See Decree 356 Compliance in Action
Ready to see how ComplianceOne implements Decree 356 forms and filing workflows at the procedure level? Request a demo tailored to your organization's regulatory operations.
Tu Pham - Country Manager, AesirX
Head of Risk with 15+ years in fintech and banking across ERM, compliance, fraud, audit, and regulatory frameworks.
Frequently Asked Questions
MPS may reject the submission or issue a supplement request requiring resubmission with correctly labeled forms. This restarts the 30-calendar-day review clock and, if the original filing deadline was time-sensitive, may constitute a compliance failure for the period between the obligation trigger and the accepted resubmission. ComplianceOne pre-labels all form templates with official IDs to prevent mislabeling at the point of preparation.
The DPIA workflow prompts the practitioner to classify the filing entity as data controller or data processor at the start of the dossier preparation workflow. Based on that classification, the platform presents the appropriate form variant (02a for controllers, 02b for processors) and routes the dossier sections accordingly. This classification is also preserved in the audit trail.
Yes. When material changes occur to a submitted DPIA dossier – changes to data categories, processing purposes, or system architecture – the platform initiates a dossier update workflow linked to the original submission. It generates Mau so 03a or 03b depending on entity type, preserves the link between the original dossier and the update notice in the audit trail, and tracks the update through its own filing lifecycle.
Decision 778/QD-BCA-A05 specifies MPS A05 administrative procedures for six forms: Mau so 01a, 01b, 02a, 02b, 03a, and 03b. These procedures define additional procedural steps, the specific MPS A05 unit responsible for receiving the filing, and procedural timelines that apply on top of the base Decree 356 requirements. ComplianceOne models these Decision 778 procedures within the filing workflow. For a full breakdown of those procedures, see the MPS A05 Administrative Procedures page.
The Phu luc annexes are maintained as live data structures within the respective modules: Phu luc I from Data Mapping, Phu luc V from Consent Governance, Phu luc VI from Rights Requests. When a dossier submission is assembled, the platform pulls the current annex data from these modules and includes it in the submission package. Changes to the underlying data are reflected in subsequent submissions or dossier update notices.
Next Steps
Start a Compliance Pilot
Test Decree 356 form workflows end-to-end – DPIA dossier preparation, breach notification, and evidence generation for MPS filings.
Discuss Your Compliance Needs
Talk to our team about Decree 356 procedure configuration, form template coverage, and multi-department dossier workflows for your organization.
The evolution of Aesir is Aesir + 
(the Norse symbol for Necessity)"Needed in order to achieve a particular result"
♥Join the AesirX Privacy Newsletter. Stay Informed. Stay Compliant.
