From 29 April 2026: Provincial-Level Police Departments To Handle Personal Data Processing/Cross-Border Personal Data Transfer Impact Assessment Dossiers
LexNovum Lawyers
18/05/2026
On 29 April 2026, the Government issued Resolution No. 22/2026/NQ-CP on the reduction, decentralization, and simplification of administrative procedures, as well as the reduction and simplification of business conditions under the authority of the Ministry of Public Security (“Resolution 22”).
Notably, under Appendix I.7.B of this Resolution, the Government decentralized the authority to process the Personal Data Processing Impact Assessment and Cross-Border Personal Data Transfer Impact Assessment (collectively, the “Impact Assessment Dossiers”) to provincial and municipal Police Departments based on geographical area, scale, and sector of management, instead of having such dossiers processed exclusively by the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security (“Department of Cybersecurity”), as is currently the case. Specifically:
1. Contents of Resolution 22 relating to the processing of Impact Assessment Dossiers
Pursuant to Items I, II, and III of Appendix I.7.B, the delegation of authority for processing the Impact Assessment Dossiers and updated Impact Assessment Dossiers shall be implemented as follows:
From the foregoing provisions, it may generally be understood that the submission and delegated handling of Impact Assessment Dossiers and updated Impact Assessment Dossiers shall be carried out as follows: agencies, organizations and individuals shall submit the Impact Assessment Dossiers and updated Impact Assessment Dossiers to the Ministry of Public Security; thereafter, the Ministry of Public Security shall receive, classify and transfer such dossiers to the provincial and municipal Police Departments for handling based on geographical area, scale and sector.
In addition, pursuant to Article 5.2 of Resolution 22, where the Impact Assessment Dossiers had already been received by the Department of Cybersecurity or had been postmarked prior to the effective date of this Resolution (i.e., before 29 April 2026), the Department of Cybersecurity shall continue handling such dossiers in accordance with applicable regulations.
With the above adjustment, it can be seen that the decentralization of authority for dossier processing under Resolution 22 provides significant geographical and time-related convenience for dossier submitters. Accordingly, instead of having to work with and monitor the processing progress solely at the Department of Cybersecurity in Hanoi as previously required, agencies, organizations, and individuals may now directly communicate, follow up, and work with the provincial and municipal Police Departments assigned by the Ministry of Public Security to process the dossiers.
2. Issues Requiring Further Clarification under Resolution 22 in relation to the Impact Assessment Dossiers
Alongside the aforementioned advantages, Resolution 22 still contains several unclear points that may give rise to practical difficulties during implementation, specifically as follows:
(i) Appendix I.7.B.II is titled: “Notification on Submission of Personal Data Processing Impact Assessment Dossiers under Article 19 of Decree No. 356/2025/ND-CP dated 31 December 2025 detailing a number of articles and measures for implementation of the Law on Personal Data Protection”.
However, the explanatory content below refers to “Cross-border Personal Data Transfer Impact Assessment Dossiers”. This creates an inconsistency between the title and the substantive content, which may cause difficulties in practical application. Accordingly, the question arises as to which type of dossier Appendix I.7.B.II is intended to apply.
(ii) Appendix I.7.B.III is titled: “Notification on Updates to Personal Data Impact Assessment Dossiers under Article 20 of Decree No. 356/2025/ND-CP dated 31 December 2025 detailing a number of articles and measures for implementation of the Law on Personal Data Protection”. Based on the title, it may generally be understood that this section is intended to govern procedures for updating two types of dossiers, namely: (i) Personal Data Processing Impact Assessment Dossiers; and (ii) Cross-border Personal Data Transfer Impact Assessment Dossiers. However, the provisions under this section contain several inconsistencies, specifically as follows:
Paragraph 1 of Appendix I.7.B.III provides that: “Agencies, organizations and individuals shall submit dossiers in accordance with Article 18 of Decree No. 356/2025/ND-CP via the National Public Service Portal”. Meanwhile, Article 18 of Decree No. 356/2025/ND-CP governs the conditions, order, procedures, and dossier components for Cross-border Personal Data Transfer Impact Assessment Dossiers. However, such provision may give rise to two possible interpretations:
Interpretation 1: Agencies, organizations, and individuals submitting Cross-border Personal Data Transfer Impact Assessment Dossiers may only submit such dossiers via the National Public Service Portal. Nevertheless, this interpretation does not appear entirely reasonable because the procedures for submitting Cross-border Personal Data Transfer Impact Assessment Dossiers have already been addressed under Appendix I.7.B.I. Therefore, if Paragraph 1 of Appendix I.7.B.III is interpreted as restating the same issue, such provision would not only be repetitive but may also create the misunderstanding that dossier submission methods are now limited solely to the National Public Service Portal. Consequently, this raises the question of whether provincial and municipal Police Departments only participate in assessing dossiers submitted via the National Public Service Portal.
Interpretation 2: Inconsistency regarding the methods for submitting Impact Assessment Dossiers. Pursuant to Article 18.7 of Decree No. 356/2025/ND-CP, the update and supplementation of Cross-border Personal Data Transfer Impact Assessment Dossiers shall be carried out in accordance with Article 20 of Decree No. 356/2025/ND-CP. Accordingly, based on such cross-reference, it may be understood that agencies, organizations, and individuals carrying out procedures for updating Cross-border Personal Data Transfer Impact Assessment Dossiers are required to submit dossiers via the National Public Service Portal. However, this wording raises the question of whether other submission methods recognized under the Law on Personal Data Protection 2025 (Article 22.3) and Decree No. 356/2025/ND-CP (Article 20.3), including direct submission or submission via postal services to the Department of Cybersecurity, remain applicable.
This issue may perhaps be addressed under Paragraph 4 of Appendix I.7.B.IV as follows:
“The update of Personal Data Processing Impact Assessment Dossiers and Cross-border Personal Data Transfer Impact Assessment Dossiers shall be carried out in accordance with Form No. 03a/03b attached to the Appendix of this Decree, submitted via the National Public Service Portal, directly, or through postal services to the Ministry of Public Security.”
Accordingly, the submission of updated Impact Assessment Dossiers to the Ministry of Public Security may be conducted through three methods: (i) submission via the National Public Service Portal; (ii) direct submission; and (iii) submission through postal services. However, if all three submission methods remain applicable, the question arises as to the practical meaning and purpose of Paragraph 1 of Appendix I.7.B.III.
(iii) Appendix I.7.B of Resolution 22 provides that the Ministry of Public Security and the provincial and municipal Police Departments shall assess and issue results in relation to the Impact Assessment Dossiers. Accordingly, how should this provision be interpreted?
– The provincial and municipal Police Departments are the authorities directly responsible for assessing dossiers and issuing results, while the Ministry of Public Security merely performs the role of receiving, routing, and supervising dossiers; or
– The Ministry of Public Security remains the principal authority responsible for assessment, while the provincial and municipal Police Departments only conduct preliminary reviews or coordinate dossier processing; or
– Both authorities participate in dossier assessment under a parallel or multi-level coordination mechanism.
Clarification of these issues would facilitate dossier submitters in monitoring the processing progress of dossiers, while also minimizing overlapping authority among relevant authorities during practical implementation.
Accordingly, it can be seen that Resolution 22 seeks to address the current backlog and processing pressure relating to Impact Assessment Dossiers at the Department of Cybersecurity through the decentralization of authority to provincial and municipal Police Departments. However, it remains uncertain whether the Resolution has fully achieved such expectation, given that numerous inconsistent and overlapping provisions still require further guidance and clarification to ensure consistency in practical application.
Therefore, in the coming period, agencies, organizations and enterprises engaged in personal data processing or cross-border personal data transfer activities should continue monitoring detailed implementing guidance and practical enforcement from competent authorities in order to promptly update and ensure full compliance with relevant legal obligations.
From LNV’s perspective, during the course of advising on and supporting the completion of Impact Assessment Dossiers, in addition to ensuring full compliance with the requirements under the Law on Personal Data Protection 2025 and Decree No. 356/2025/ND-CP, LNV shall also study and consider the orientations and guidance under Resolution 22 in order to ensure that the proposed compliance approach is aligned with the practical application of competent authorities. Should our Clients require compliance advice in the field of personal data protection, please contact LNV for assistance in assessing and developing compliance solutions in accordance with prevailing laws and practical enforcement.
Author: Junior Associate Quế Trân
Consultant: Lawyer Phan Nhi
Note:
It is intended solely to assist readers in understanding the content and does not replace the official Vietnamese-language version. In case of any inconsistency or discrepancy between this translation and the original Vietnamese text, the Vietnamese version shall prevail.
This article has been prepared based on the prevailing laws of Vietnam and practical experience. The information provided herein is for reference purposes only. We shall not bear any responsibility or legal obligation toward any individual or organization using the information contained in this article for purposes other than reference. Before making any choice or decision, Clients are advised to seek formal recommendations or contact LexNovum Lawyers for in-depth legal advice from our team.
Please cite “LexNovum Lawyers” as the source when using or sharing this article in any form.
