
Compliance

AI draft — pending SME review

Vietnam's 2026 Personal Data Protection Law: what changes for SaaS startups

The 2026 PDPL took effect in January and imposes DPO obligations, impact assessments, and 72-hour breach notifications. Here is a compliance checklist for cloud-native SaaS startups.

by Apolo Editorial Team, April 8, 2026, 3 min read

Vietnam's Personal Data Protection Law (Law No. 91/2025/QH15) took effect on 1 January 2026, replacing Decree 13/2023/NĐ-CP. This is not a minor upgrade: it raises compliance obligations to a level comparable with the GDPR, with fines reaching 5% of annual revenue for the most serious violations.

Core obligations you need to know now

Any organisation processing the personal data of Vietnamese data subjects must appoint a Data Protection Officer (DPO) if it meets either of two conditions: large-scale processing of sensitive personal data (financial, health, biometric, location), or processing the personal data of more than 100,000 subjects per year. The average B2B SaaS company crosses the 100k-subject threshold faster than its founders expect, so count your subjects now rather than estimating.

Data Protection Impact Assessments (DPIA): when and how

A DPIA is mandatory before deploying any high-risk processing, for example training AI models on customer data, employee monitoring, or automated behavioural analytics. DPIAs must be retained for five years and produced on request from the competent authority, so store them somewhere versioned and retrievable, not in a departed founder's mailbox.

72-hour breach notification

When a security incident exposes personal data, the controller must notify the Department of Cybersecurity and High-Tech Crime Prevention (A05, Ministry of Public Security) within 72 hours of discovery. Because the clock starts at discovery, your incident-response runbook should define what counts as discovery and record that timestamp at the moment the incident is confirmed. Notification templates are available on dichvucong.bvdl.gov.vn and are worth dry-running before a real incident.

Compliance is not a project — it is an operational discipline. The SaaS founders who get this right treat PDPL the way they treat SOC 2: bake it into CI/CD.

The cross-border transfer problem

Article 25 requires a Cross-Border Transfer Impact Assessment (TIA) to be filed with the Ministry of Public Security for every transfer of personal data out of Vietnam. In practice, most SaaS providers running on AWS Singapore or Google Cloud Tokyo are non-compliant if they have not filed a TIA for those flows. The MPS published its template and submission procedure in March 2026.
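The "bake it into CI/CD" advice above and the cross-border rule are easiest to operationalise as a residency gate: the pipeline reads the data-store inventory it already has (Terraform state, a cloud asset export) and fails the build when a store holding Vietnamese personal data sits outside Vietnam with no TIA in the register. The script below is an added illustration written for this article, not code from the article's authors or from any regulator; the inventory format, the TIA register schema, the residency labels `vn-hanoi` and `vn-hcmc`, and the sample records are all constructed assumptions that you would replace with your own asset export and provider region codes.

```python
"""Data-residency gate for CI (added example; schemas and samples are assumed)."""
import sys

# Assumed residency labels, not real provider region codes: map your
# provider's regions onto these before running the gate.
IN_COUNTRY = {"vn-hanoi", "vn-hcmc"}

# Classifications that count as personal data of Vietnamese subjects.
PERSONAL = {"personal", "sensitive"}

# Constructed sample inventory, one record per data store, in the shape a
# CI job might emit from Terraform state or a cloud asset inventory.
SAMPLE_INVENTORY = [
    {"name": "customers-db", "region": "ap-singapore", "data": "personal", "vn_subjects": True},
    {"name": "audit-logs", "region": "vn-hanoi", "data": "personal", "vn_subjects": True},
    {"name": "metrics", "region": "ap-tokyo", "data": "none", "vn_subjects": False},
    {"name": "kyc-scans", "region": "ap-tokyo", "data": "sensitive", "vn_subjects": True},
]

# Constructed TIA register, one row per outbound flow with a filed dossier.
# "events-stream" no longer exists in the inventory: its TIA is stale.
SAMPLE_TIA_REGISTER = [
    {"store": "customers-db", "region": "ap-singapore", "dossier_ref": "TIA-2026-001", "filed_on": "2026-03-20"},
    {"store": "events-stream", "region": "ap-singapore", "dossier_ref": "TIA-2026-002", "filed_on": "2026-03-22"},
]


def outbound_flows(inventory):
    """Stores that hold Vietnamese personal data outside the country."""
    return [
        s for s in inventory
        if s["vn_subjects"] and s["data"] in PERSONAL and s["region"] not in IN_COUNTRY
    ]


def check_residency(inventory, register):
    """Return one finding per outbound flow that has no TIA on file.

    A TIA is matched on (store, region): moving a store to another region
    invalidates the filed assessment, so the pair must match exactly.
    """
    filed = {(r["store"], r["region"]) for r in register}
    findings = []
    for s in outbound_flows(inventory):
        if (s["name"], s["region"]) not in filed:
            findings.append(
                f"{s['name']}: {s['data']} data of VN subjects in {s['region']} with no TIA on file"
            )
    return findings


def stale_tias(inventory, register):
    """Register rows whose (store, region) no longer exists in the inventory.

    Stale rows are a warning, not a failure: they usually mean a store was
    decommissioned or migrated and the register was never updated.
    """
    live = {(s["name"], s["region"]) for s in inventory}
    return [r["store"] for r in register if (r["store"], r["region"]) not in live]


def gate(inventory, register):
    """Exit status for CI: 1 if any outbound flow lacks a TIA, else 0."""
    findings = check_residency(inventory, register)
    for f in findings:
        print(f"FAIL {f}")
    for store in stale_tias(inventory, register):
        print(f"WARN stale TIA for {store}: store not found in inventory")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_INVENTORY, SAMPLE_TIA_REGISTER))
```

Run on the sample data the gate fails on `kyc-scans` (sensitive data in Tokyo, no TIA), passes `customers-db` (TIA filed for Singapore), and warns that the `events-stream` dossier is stale. Matching on the store and region pair is the point of the design: a region move silently invalidates the filed assessment, and a gate keyed on store name alone would not notice.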

Practical recommendation: appoint a DPO in the first month (outsourced DPO services are acceptable), complete data mapping within 60 days, file TIAs for every existing outbound data flow, and stand up an incident-response runbook within 90 days.