Legal Update | Guidance on Submitting Soft Copies of Personal Data Protection Impact Assessment Dossiers

June 2, 2026

Recently, the Department for Receiving and Returning Administrative Procedure Results on Personal Data Protection issued guidance on the submission of soft copies of the Personal Data Processing Impact Assessment Dossier and/or the Cross-border Personal Data Transfer Impact Assessment Dossier.

Under the guidance, organizations and enterprises are required to submit the dossier in a .ZIP compressed file to the following email address: dulieucanhan@cschd.mps.gov.vn.

To ensure that the receipt, processing, and appraisal of the dossier are conducted effectively, organizations and enterprises should prepare all required dossier components in PDF format, arrange them in the prescribed order, and name the files consistently in accordance with the guidance.

Specifically, the dossier should include the following main groups of documents:

  1. Submission notice for the Impact Assessment Dossier, with the file name structured as TB-ĐGTĐ-xulyDLCN for the Personal Data Processing Impact Assessment Dossier, or 1.TB-ĐGTĐ-chuyenDLCNxbg for the Cross-border Personal Data Transfer Impact Assessment Dossier.
  2. Impact Assessment Dossier, with the file name structured as HSMau10-ĐGTĐ-xulyDLCN for the Personal Data Processing Impact Assessment Dossier, or 2.HSMau9-ĐGTĐ-chuyenDLCNxbg for the Cross-border Personal Data Transfer Impact Assessment Dossier.
  3. Documents relating to the personal data protection department/personnel or DPO. Depending on the specific case, this group of documents may include the decision on establishment, appointment, and assignment of the personal data protection department or personnel, with file names such as QĐ-BP-DPO or 3.QĐ-NS-DPO; service agreements with a personal data protection organization/individual, with file names such as 3.HĐ-TC-DPO or 3.HĐ-CN-DPO; and documents evidencing the DPO’s qualifications, such as a confirmation of work experience, certificates, or training certificates on personal data protection, with file names such as 3.GXN-NS-DPO or 3.GCN-NS-DPO.
  4. Personal data protection policy and related policies, including policies on the retention, deletion, and destruction of personal data and other relevant internal regulations. File names may be structured as CS-BVDLCN, 4.CS-Luutru-xoa-huyDLCN, or 4.CS-….
  5. Consent forms for personal data processing, applicable to employees, customers, or other groups of data subjects, depending on the organization’s or enterprise’s personal data processing activities. File names may be structured as BM-NLD-dongy, 5.BM-KH-dongy, or 5.BM-KH-….
  6. Agreements/contracts on personal data processing or transfer with relevant parties, including contracts, contract appendices, personal data processing agreements, or cross-border personal data transfer agreements. File names may be structured as HĐ-xulyDLCN-[partner name]/template, 6.PLHĐ-xulyDLCN…, or 6.TT-chuyenDLCNxbg….
  7. System diagrams and personal data processing flow diagrams, with file names structured as SĐ-Hethong… or 7.SĐ-luongxuly….
  8. Other supporting appendices, including other agreements with customers or relevant parties regarding personal data processing or cross-border personal data transfer. File names may be structured as PL-….

Based on the above guidance, please note that the submission of the soft-copy dossier not only requires the preparation of the correct Impact Assessment Dossier template, but also requires ensuring the completeness, consistency, and coherence of the supporting documents, including DPO-related documents, internal policies, consent forms, agreements with relevant parties, system diagrams, and personal data processing flow diagrams.

Therefore, before submitting the dossier, organizations and enterprises should carefully review the dossier components, file format, document order, and file naming convention to reduce the risk of being requested to supplement or clarify the dossier during the receipt, processing, and appraisal process.


Privacy Compliance

Personal Data Protection Workshop – Course 03 Now Open for Registration!

🎓 Personal Data Protection Workshop – Course 03 Now Open for Registration! Building on the success of the first two editions of the Personal Data Protection Workshop Series, PrivacyCompliance is pleased to introduce Workshop 03, designed to help organisations stay up to date with the latest legal developments and strengthen their personal data protection compliance […]

Learn more

Privacy Compliance

RECAP OF THE “PERSONAL DATA PROTECTION” WORKSHOP SERIES

RECAP OF THE “PERSONAL DATA PROTECTION” WORKSHOP SERIES ✨ The specialized Personal Data Protection workshop series organized by PrivacyCompliance has officially concluded, supporting participants in strengthening their legal compliance capabilities in the field of personal data protection. 📚 The program was structured around four key modules: 🔹 Legal framework for personal data protection. 🔹 Establishing […]

Learn more

Privacy Compliance

Draft Decree on Data Exchanges: Proposed Legal Framework for Data Transactions in Vietnam

Draft Decree on Data Exchanges: Proposed Legal Framework for Data Transactions in Vietnam The draft Decree on data exchange operations is currently open for consultation and proposes a framework for organizing, operating, and governing data transactions in Vietnam in a more transparent, controlled, and secure manner. A notable feature of the draft is the proposed […]

Learn more