Exemptions from Data Processing Impact Assessment

Exemptions from data processing impact assessment are a key topic for businesses seeking to optimize compliance with the Law on Personal Data Protection 2025. Identifying exempt subjects helps organizations save resources while ensuring information security. The following article by Long Phan Consulting Company analyzes this regulation based on current laws.

Cases where a data processing impact assessment is not required

Regulations on assessing the impact of personal data processing

According to Article 21 of the Law on Personal Data Protection 2025, the personal data processing impact assessment must comply with the following regulations:

  1. Personal Data Controller, Personal Data Controller and Processor: Must establish and store the personal data processing impact assessment dossier and send 01 original copy to the specialized personal data protection agency within 60 days from the first day of processing personal data (except for competent state agencies exempt under Article 21).
  2. Frequency: The assessment is performed once for the entire operation duration of the Personal Data Controller/Controller and Processor and updated according to Article 22.
  3. Personal Data Processor: Establish and store the impact assessment dossier according to the agreement with the Controller (except for exempt competent state agencies).
  4. Specialized Agency: Evaluates and requests the completion of the dossier if it is incomplete or incorrect.
  5. Updates: Parties must update and supplement the dossier when there are changes in the content of the dossier sent to the specialized agency.
Legal Provisions on Personal Data Processing Impact Assessment

Cases exempt from data processing impact assessment

Based on Clauses 2 and 3 Article 38 and Clause 6 Article 21 of the Law on Personal Data Protection 2025, the following cases are exempt from the obligation to assess personal data processing impacts:

  1. Competent State Agencies exempt under Article 21.
  2. Small Enterprises, Startups: Have the right to choose whether to perform the impact assessment for 05 years from the effective date of the Law (Jan 1, 2026), EXCEPT for those:
    • Trading in personal data processing services.
    • Directly processing sensitive personal data.
    • Processing personal data of a large number of data subjects.
  3. Micro-enterprises, Household Businesses: Exempt from performing the impact assessment, EXCEPT for those:
    • Trading in personal data processing services.
    • Directly processing sensitive personal data.
    • Processing personal data of a large number of data subjects.


Updating the personal data processing impact assessment dossier and the cross-border personal data transfer impact assessment dossier

Maintaining updated dossiers is a continuous obligation. Article 22 of the Law on Personal Data Protection 2025 regulates updates for both processing impact assessments and cross-border transfer impact assessments:

  1. Periodic Updates: Every 06 months when there are changes.
  2. Immediate Updates: Required in cases of:
    • Reorganization, termination, dissolution, bankruptcy.
    • Changes in information about the personal data protection service provider.
    • Changes in business lines/services related to personal data processing registered in the dossier.
  3. Method: Updates are performed on the National Portal on Personal Data Protection or at the specialized agency.


Long Phan Consulting Company services on exemptions from data processing impact assessment for businesses

Long Phan Consulting Company provides comprehensive consulting services to help enterprises comply with the Law on Personal Data Protection 2025. We focus on optimizing the dossier process and accurately identifying exempt cases for each entity. We structure our support into the following key areas:

  • Review and determine the legal status of small and micro-enterprises according to current laws, comparing it with the actual organizational structure to determine the possibility of exemption from the obligation to prepare an impact assessment report.
  • Examine the entire process of data collection, storage, analysis, sharing, and transfer; determine whether sensitive personal data processing or large-scale processing occurs – factors that could void the exemption.
  • Draft explanatory documents and supporting documents demonstrating the company’s scale and data processing characteristics; build an internal file ready for presentation when requested by the relevant authorities for inspection.
  • In cases where businesses do not meet the exemption criteria, consultants will prepare a data impact assessment report that is accurate in terms of components, content, and procedures as stipulated by the Government; ensuring its completeness and acceptability.
  • Submit applications, monitor processing progress, and receive requests for additional information; directly participate in explanations and complete documents to minimize the risk of administrative penalties or prolonged corrective requests.
Long Phan Consulting Company provides consulting services for exemptions from data processing impact assessment

Frequently Asked Questions about exemptions from data processing impact assessment

Below are some frequently asked questions about conducting an impact assessment of a company’s personal data processing practices.

What constitutes processing personal data of a large number of data subjects, causing a business to lose its exemption?

“Processing personal data of a large number of data subjects” is defined by a quantitative threshold of 100,000 or more individual data subjects. This means that when the total number of individuals whose data a business has processed (cumulatively) reaches or exceeds 100,000, it is considered large-scale processing and will no longer be exempt.

(Legal basis: Clause 2, Article 41 of Decree 356/2025/ND-CP)

Do micro-enterprises need to file an impact assessment report if they offer online marketing services?

Yes, in the case of micro-enterprises operating in the personal data processing services sector, they are required to prepare an impact assessment report and are not eligible for the exemption.

(Legal basis: Clause 3, Article 38 of the Law on Personal Data Protection 2025.)


From what point in time does the 5-year exemption period for startups begin?

This period is calculated from the date the Law on Personal Data Protection 2025 officially comes into effect, and runs from January 1, 2026 to December 31, 2030.

(Legal basis: Clauses 1 and 2, Article 38 of the Law on Personal Data Protection 2025.)

What types of sensitive personal data do businesses need to be aware of?

Sensitive personal data refers to personal data linked to an individual’s privacy, the violation of which would directly affect the legitimate rights and interests of agencies, organizations, and individuals, as listed in the categories issued by the Government.

Sensitive personal data includes:

  • Data revealing racial and ethnic origins; political views, religion, and beliefs;
  • Information about private life, personal secrets, and family secrets;
  • Health status; biometric data, genetic characteristics; data revealing an individual’s sex life and sexual orientation;
  • Data on crimes and violations of the law collected and stored by law enforcement agencies;
  • An individual’s location determined through location services;
  • Information including username and password for accessing the individual’s electronic identity account; images of identity cards, citizen identification cards, and national identity cards;
  • Username and password for bank account access; bank card information, transaction history data of bank account; financial and credit information, and information on the activities and transaction history of customers’ financial, securities, and insurance transactions at credit institutions, branches of foreign banks, payment intermediary service providers, securities and insurance companies, and other authorized organizations;
  • Data tracking behavior and activity related to the use of telecommunications services, social networks, online communication services, and other services in cyberspace;
  • Other personal data that is legally required to be kept confidential or requires strict security measures.

(Legal basis: Clause 3, Article 2 of the Law on Personal Data Protection 2025, Clause 1, Article 4 of Decree No. 356/2025/ND-CP.)

Which entities are subject to the requirement to update their impact assessment reports every six months?

The obligation to update periodically applies to personal data controllers, and personal data controllers and processors, that have filed a dossier in accordance with Article 21 of the Law on Personal Data Protection 2025, where there are changes in the actual processing content.

(Legal basis: Clause 1, Article 22 of the Law on Personal Data Protection 2025.)

Are sole proprietorships exempt from updating the cross-border personal data transfer impact assessment dossier?

Household businesses and micro-enterprises are not required to update their personal data processing impact assessment records and cross-border personal data transfer impact assessment records as stipulated in Article 22 of the 2025 Law on Personal Data Protection, except for household businesses and micro-enterprises that provide personal data processing services, directly process sensitive personal data, or process personal data from a large number of data subjects.

(Legal basis: Clause 3, Article 38 of the Law on Personal Data Protection 2025.)

How often is an assessment of the impact of processing personal data conducted?

The impact assessment of personal data processing is conducted once for the entire duration of operation of the personal data controller and the personal data controller/processor, and is updated as prescribed in Article 22 of the 2025 Law on Personal Data Protection.

(Legal basis: Clause 2, Article 21 of the Law on Personal Data Protection 2025.)


Conclusion

Grasping the exemptions from data processing impact assessment helps enterprises operate efficiently under the Law on Personal Data Protection 2025. Clients need to pay attention to timelines and exemption conditions.

For in-depth support, please contact Long Phan Consulting Company via Hotline 1900636389.
