The Compliance Gap Foreign Tech Founders Don’t Know Exists in Vietnam (2026)

Your IRC covers your investment. Your data layer isn’t covered at all.


By Rita Ngo | Legal Consultant | Published May 2026


The assumption most founders get wrong

Getting your company registered in Vietnam does not mean you have legal permission to process Vietnamese user data.

These are two separate authorizations from two separate agencies. Your Investment Registration Certificate (IRC) and Enterprise Registration Certificate (ERC) come from the Department of Finance. Your authorization to handle personal data comes from compliance with Law No. 91/2025/QH15 (Luật số 91/2025/QH15), Vietnam's Personal Data Protection Law (PDPL), which is enforced by the Ministry of Public Security. One does not cover the other.

Most guides about setting up in Vietnam don't mention this. Most corporate lawyers setting up foreign-invested enterprises (FIEs) don't mention it either, because their job ends at company formation. The result: foreign tech founders launch into the Vietnamese market legally incorporated but out of compliance on their most significant liability exposure.

This piece covers what the Personal Data Protection Law requires, who it actually applies to, how it intersects with the new Decree 96 registration sequence, and what minimum compliance looks like in 2026.

If you’re still working through the company registration side, the reference guide is here: How to Register a Company in Vietnam as a Foreign Investor (2026)


Who this applies to

This piece is for founders building data-centric businesses in Vietnam: SaaS, fintech, marketplaces, EdTech, HealthTech, and any consumer or B2B product that collects, stores, processes, or transmits personal information about Vietnamese users.

If you’re setting up a consulting firm, a trading company, or a manufacturing operation with no consumer data layer, most of this won’t apply. If your product touches Vietnamese user data at any scale, read this before you launch.


When this applies, and when it doesn’t

This applies when:

  • Your product collects any personal information from Vietnamese users (name, email, phone, device ID, location, behavioral data)
  • Your backend infrastructure processes or stores Vietnamese user data, even temporarily
  • You use third-party tools (analytics, CRM, email marketing, payment processors) that receive Vietnamese user data
  • You're in a soft launch, beta, or pilot phase and handling real user data
  • You're operating under Method 1 of Decree 96 (ERC before IRC) and your engineering team has started building on real data

This does not apply when:

  • You are pre-product and have collected no user data
  • Your product handles only your own employees' internal data, with no external user base
  • You are building purely internal B2B tooling that processes no personal data

The startup exemption: There is a provision allowing small businesses and startups to skip the formal Data Protection Impact Assessment for the first five years after the law takes effect. It does not apply if you process personal data as a core business activity, handle sensitive personal data, or have "a large number" of data subjects. In practice, this exemption covers almost no foreign tech company entering Vietnam for the market opportunity: if your market opportunity is large, you're outside the exemption.


What the law actually requires

Law No. 91/2025/QH15 took effect on January 1, 2026. It replaced and expanded the earlier Decree 13/2023. Three requirements matter most for foreign tech founders.

Meaningful consent. The person whose data you process has to know what you're collecting, why, and what you're doing with it, and they have to agree before you proceed. Bundled consent buried in terms of service is not consent. "By using this service you agree to our privacy policy" is not consent. Consent has to be specific, informed, and withdrawable. This means your product's sign-up flow almost certainly needs to change.

Data Protection Impact Assessment (DPIA). For most processing activities, you document what data you collect, why, how it's stored, how it's protected, and what the risk looks like. The DPIA isn't filed with any agency by default. It sits in your records and gets produced when the regulator asks for it. If you can't produce it when asked, you're not compliant. There is no grace period for "we're working on it."

Cross-border data transfer framework. If your data leaves Vietnam (it usually does, because your cloud infrastructure isn't hosted entirely in Vietnam), you need a legal basis for the transfer, a transfer impact assessment, and documentation. This applies to your main backend, your analytics tools, your customer support platform, and your email service provider. Every processor that touches Vietnamese user data and operates outside Vietnam is a cross-border transfer.


The penalties are not comparable to investment regulation fines

Under Decree 96 and the broader investment regulation framework, violations result in administrative fines on the company ranging from millions to hundreds of millions of VND. Serious, but manageable. There is no criminal exposure for individuals.

Under the Personal Data Protection Law:

  • Up to 3 billion VND per violation (roughly 120,000 USD at 2026 exchange rates) for violations involving the sale or unauthorized trading of personal data
  • Up to 5% of annual revenue for repeated violations
  • 3 to 7 years imprisonment for violations causing serious financial harm, physical harm, or death

The imprisonment provision is not theoretical. It applies at the individual founder level, not just to the company. Vietnam's PDPL is stricter than GDPR on this point. GDPR's maximum fines are higher in absolute terms, but GDPR itself imposes no individual criminal liability (it leaves any further penalties to member states under Article 84). Vietnam's law carries criminal liability directly.

Of the Vietnamese regulatory frameworks a foreign tech company deals with at setup, this is the one that exposes founders to personal criminal liability. It changes the risk calculation considerably.


How the PDPL intersects with Method 1 under Decree 96

This intersection is what most advisors don’t walk clients through.

Under Method 1 (Article 72, Decree 96), a foreign investor incorporates the company and receives the ERC first, then has 12 months to complete the IRC. During that window, the company can hire staff, sign leases, open bank accounts, and negotiate with customers. It cannot formally operate the investment project. For the full breakdown of Method 1 vs. Method 2, see the company registration guide.

For a tech company on Method 1, the situation is this: you can build your product, you can onboard your engineering team, and you can sign early customer agreements. But the moment real Vietnamese user data enters your system, even in a beta or pilot, you’re subject to the full Personal Data Protection Law. The “cannot formally operate” restriction under investment law does not insulate you from data protection compliance.

Some founders assume the pre-IRC window is a soft launch period where enforcement is lighter. It isn't. The PDPL applies from the moment of data collection, regardless of your IRC status.

The practical consequence: if you're a data-centric tech company using Method 1, your PDPL compliance work needs to be complete before your technical launch, not after your IRC. For many teams, that means the compliance work they assumed could happen "post-IRC" actually needs to happen "pre-data," which can be three to six months earlier than they planned.

Under Method 2 (IRC first), the sequence is cleaner. You get the IRC, operations begin, and your compliance work runs in parallel with your operational launch. It still requires attention, but the timing pressure is different.


Conditional logic: which situation applies to you

If you are pre-product and have not collected any user data: PDPL compliance is not your immediate problem. Focus on getting your structure right first. Use this as a planning document for when you start building.

If you are in product build and your engineering team is designing the data architecture: This is the cheapest moment to build compliance in. Every week you wait makes retrofit more expensive. Get a privacy engineer or legal advisor involved in architecture decisions now, not after launch.

If you are approaching launch and have not completed the consent mechanism, DPIA, or cross-border transfer framework: Compliance work has to be finished before launch, not after. Regulators don't offer grace periods to foreign companies that launched without compliance in place. Delay the launch if necessary.

If you are already operating and haven't done this: You're in remediation. The question isn't whether you have gaps. You do. The question is which gaps are most likely to surface in the next 12 to 24 months, and which you can fix first. Start with consent mechanisms (visible to users and regulators) and cross-border transfer documentation (the first thing requested if any enforcement action begins).

If your product handles sensitive personal data (health information, financial data, biometrics, political views, sexual orientation): The standard requirements apply to you in stricter form. The startup exemption definitely does not apply. The DPIA is mandatory. Get legal review before any data collection begins.

If you use third-party processors (analytics platforms, CRM tools, email services, payment processors): Each one that touches Vietnamese user data is part of your compliance obligation. You need a data processing agreement with each. If any processor is in a jurisdiction without adequate data protection standards, you need additional documentation for the transfer.

If you're on Method 1 under Decree 96 and planning a beta launch before your IRC is issued: Your PDPL compliance must be complete before the beta, not before the IRC. These are different dates. Plan accordingly.


Five gaps I see most often

Working with tech founders setting up in Vietnam, these are the problems that show up repeatedly.

No written consent mechanism in the product. The sign-up flow has an "I accept the terms of service" checkbox. There is no separate, specific, informed consent for data processing. These are not the same thing.

Backend architecture assumes US or Singapore infrastructure by default. This is not illegal on its own, but it is a cross-border data transfer, and cross-border transfers require their own legal basis, documentation, and impact assessment. Most founding teams haven't thought about this because their cloud provider's default region is wherever it is.

Third-party processors integrated without review. Analytics tools, customer support platforms, and email marketing services are onboarded without checking whether those processors have a valid basis for handling Vietnamese user data. Under the law, you're responsible for the compliance posture of the processors you use.

DPIA is missing entirely or is a generic template. When regulators ask for it, you either produce the document or you don’t. A template with your company name swapped in is not a DPIA. It needs to reflect your actual product, your actual data flows, and your actual risk profile.

Engineering and legal teams aren’t talking to each other. The product gets built without compliance as a design constraint. Compliance is added later as a retrofit. Retrofitting compliance into a data architecture not designed for it routinely costs ten times what building it in from the start would have cost.


What this legal advice does not cover

This piece explains the framework and the key requirements. It is not a substitute for a compliance review specific to your product.

I don’t handle data protection engineering, technical implementation of consent mechanisms, or ongoing DPIA maintenance. For those, you need a combination of legal counsel and technical privacy expertise.

I also don't handle the full regulatory stack for financial services. If you're in fintech or payment services, the compliance requirements have a third layer beyond what's covered here, and it gets more complex. I'll cover that in a separate piece.

What I do: I help foreign founders understand where their legal exposure sits, which regulatory frameworks apply to their specific situation, and what they need to have in place before they start operating. If you’re at the planning stage and want to map your actual risk before you build, that’s the right time to talk.


What to have ready before you contact me

If you want to discuss how the Personal Data Protection Law applies to your specific situation, these are the questions that will make the conversation useful:

  • What data does your product collect, and at what stage of the user journey?
  • Where is your backend infrastructure hosted?
  • Which third-party processors do you use that touch user data?
  • Are you on Method 1 or Method 2 under Decree 96, and what is your planned launch date?
  • Have you done any DPIA work, or is it starting from zero?

You don’t need answers to all of these before reaching out. But the more specific you can be, the faster we get to what actually applies to your situation.


What’s coming next

The Personal Data Protection Law's implementing decree and detailed cross-border transfer regulations are expected in the first half of 2026. When they land, I'll publish an updated reference.

A separate piece on the Decree 96 and PDPL interaction specifically for financial services is coming in the next few weeks.


Rita Ngo advises foreign investors and expatriates on Vietnam’s legal and regulatory environment. This piece builds on the company registration guide for foreign investors published earlier this month.
