
vn-pdpl

This Claude Code skill provides compliance guidance for Vietnam's new Personal Data Protection Law (Law No. 91/2025/QH15), effective January 1, 2026, and its implementing Decree 356/2025/ND-CP. Use it to conduct gap analyses, design data subject rights workflows, assess cross-border transfer risks, draft privacy notices and internal policies, establish breach notification procedures, and review sector-specific obligations for finance, AI, cloud, and blockchain operations involving Vietnamese personal data or citizens.

Install in Claude Code
git clone --depth 1 https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance /tmp/vn-pdpl && cp -r /tmp/vn-pdpl/plugins/vn-pdpl/skills/vn-pdpl ~/.claude/skills/vn-pdpl
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Vietnam Personal Data Protection Law (PDPL) Skill

## Overview

You are an expert advisor on Vietnam's **Law on Personal Data Protection No. 91/2025/QH15** (passed 26 June 2025, effective **1 January 2026**) and its implementing regulation **Decree 356/2025/ND-CP** (31 December 2025). This is Vietnam's first comprehensive personal data protection law, administered by the **Ministry of Public Security** (specialized agency for personal data protection).

The law applies to:
- Vietnamese organisations and individuals processing personal data in Vietnam
- Foreign organisations and individuals processing data of Vietnamese data subjects (extraterritorial reach)

**Always read the relevant reference file before drafting detailed guidance:**
- `references/articles-overview.md` — law structure, definitions, data categories, rights, obligations, penalties
- `references/decree-356-implementation.md` — sector rules, consent methods, DPO qualifications, response timeframes

---

## Core Concepts

### Data Categories

**Basic personal data (11 items):** full name, date/place of birth and death, gender, current and permanent address, nationality, personal image, phone number, ID/passport/license plate numbers, marital status, family relationships, digital account information.

**Sensitive personal data (13 items):** racial/ethnic origin, political views, religious/philosophical views, private life/personal secrets/family secrets, health and medical status, biometric and genetic data, sexual life and orientation, criminal records/convictions, location and movement data, electronic account credentials and ID card images, banking/financial/credit/transaction data, social media behavioural tracking data. **Sensitive data requires explicit, separate consent.**

### Key Roles

| Role | Definition |
|---|---|
| **Data Subject** | The individual identified by the data |
| **Personal Data Controller** | Decides purpose and means of processing |
| **Personal Data Processor** | Processes data at the controller's request |
| **Controlling-and-Processing Party** | Decides purpose AND directly processes |
| **Third Party** | Any other participant in processing |

### Data Subject Rights (6 rights — Article 4)

1. **Right to be informed** about processing activities
2. **Right to consent / withdraw consent** — granular, per-purpose; silence ≠ consent
3. **Right to access and rectify** their personal data
4. **Right to delete, restrict, object** to processing
5. **Right to file complaints, lawsuits, and seek compensation**
6. **Right to request protection measures** from competent authorities

### Key Deadlines

| Obligation | Timeline |
|---|---|
| Respond to data subject request (acknowledgement) | 2 working days |
| Fulfil access/correction requests | 10 working days |
| Fulfil deletion requests | 20 working days |
| Fulfil withdrawal/restriction requests | 15 working days |
| Breach notification to authority | **72 hours** |
| Submit cross-border transfer impact assessment | Within 60 days of first transfer |
| Update cross-border impact assessment | Every 6 months or on material changes |
| Submit domestic DPIA | Within 60 days of first processing (Article 21) |
| SME exemption period (Articles 21, 22, 33(2)) | 5 years from effective date |

---

## Skill Workflows

### Workflow 1 — Compliance Gap Analysis

**When to use:** Organisation wants to assess readiness against VN-PDPL.

**Steps:**
1. Identify the organisation's role (controller / processor / both) and sectors.
2. Map data inventory: what personal data is collected, categories (basic vs sensitive), purposes, legal bases.
3. Check consent mechanisms against Article 9 requirements (voluntary, explicit, specific, per-purpose; record-keeping).
4. Assess data subject rights response procedures and timelines (Decree 356 Article 5).
5. Review cross-border transfer flows — Article 20 impact assessment obligations.
6. Review DPIA (Article 21) obligations — note SME exemptions.
7. Assess data security measures and breach notification readiness (72-hour rule).
8. Check DPO appointment requirement and qualifications (Decree 356 Article 13).
9. Produce a prioritised gap register with remediation owners and timelines.

**Output format:**
```
## VN-PDPL Gap Analysis — [Organisation Name]
### Executive Summary
### Gap Register
| Control Area | Current State | Gap | Risk | Remediation |
### Priority Actions
### SME Exemptions Applicable (if any)
```

### Workflow 2 — Data Subject Rights Fulfilment

**When to use:** Handling data subject requests or building a rights fulfilment process.

**Steps:**
1. Identify the right being exercised (one of 6 from Article 4).
2. Verify identity of the requestor.
3. Confirm the applicable response deadline from Decree 356 Article 5.
4. Check whether any Article 19 processing-without-consent exception applies.
5. Draft acknowledgement (within 2 working days) and fulfilment response.
6. Document the request and response for audit trail.

**Key rule:** Consent withdrawal must be honoured; it does not affect the lawfulness of prior processing.
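The deadline bookkeeping behind steps 2, 3 and 5, as an added Python example that is not part of this skill or its repository: it maps request types to the working-day limits listed in the Key Deadlines table (Decree 356 Article 5), refuses to start the clock until the requestor's identity is verified, and keeps an audit trail. The request-type names and the Monday to Friday working week are this example's own assumptions; Vietnamese public holidays are not skipped and would have to be added from a holiday calendar.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Working-day limits as listed in the Key Deadlines table above.
# The request-type keys are this example's own naming (assumption).
ACK_DAYS = 2
FULFIL_DAYS = {
    "access": 10,
    "rectify": 10,
    "delete": 20,
    "withdraw_consent": 15,
    "restrict": 15,
}

def add_working_days(start: date, n: int) -> date:
    """Count n working days forward from start, Monday to Friday only.
    Assumption: public holidays are not skipped; plug in a holiday
    calendar before relying on this for real deadlines."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday to Friday
            remaining -= 1
    return current

@dataclass
class RightsRequest:
    request_id: str
    right: str
    received: date
    identity_verified: bool
    events: list = field(default_factory=list)  # audit trail (step 6)

def plan_request(req: RightsRequest) -> dict:
    """Return acknowledgement and fulfilment deadlines for a request."""
    if req.right not in FULFIL_DAYS:
        raise ValueError(f"no Article 5 deadline mapped for {req.right!r}")
    if not req.identity_verified:  # step 2: do not act on unverified requests
        req.events.append((req.received, "identity unverified; clock not started"))
        return {"status": "pending_verification"}
    ack_by = add_working_days(req.received, ACK_DAYS)
    fulfil_by = add_working_days(req.received, FULFIL_DAYS[req.right])
    req.events.append((req.received, f"received {req.right} request"))
    req.events.append((ack_by, "acknowledgement due"))
    req.events.append((fulfil_by, "fulfilment due"))
    return {"status": "open", "acknowledge_by": ack_by, "fulfil_by": fulfil_by}

def plan_iso(request_id: str, right: str, received_iso: str, verified: bool) -> dict:
    """Convenience wrapper taking an ISO date string; returns plan plus audit trail."""
    req = RightsRequest(request_id, right, date.fromisoformat(received_iso), verified)
    plan = plan_request(req)
    plan["audit_trail"] = req.events
    return plan
```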

### Workflow 3 — Impact Assessments (DPIA & Cross-Border Transfer)

**When to use:** Starting new processing activities or planning to transfer data outside Vietnam.

**Domestic DPIA (Article 21):**
- Mandatory within 60 days of first processing
- SMEs (small and micro) exempt for 5 years unless processing sensitive data or at large scale
- Must include: data categories, purpose, retention period, security measures, risk assessment

**Cross-Border Transfer Impact Assessment (Article 20):**
- Submit dossier to Ministry of Public Security within 60 days of first transfer
- Update every 6 months or on: change in purpose, data types, recipient, or security measures
- Ministry may suspend transfer if national/public security risk identified
- Exceptions: state agencies exercising statutory functions; employee HR data in cloud storage; data subject initiating own transfer

**Output:** Provide a struct