Vietnam Cross-Border Data Transfer Requirements: What Google Workspace Users Must Know

If your company uses Google Workspace in Vietnam, you are almost certainly transferring personal data across borders. Google's infrastructure is global. Unless you have explicitly configured data region policies — which require an Enterprise-tier plan — your employees' personal data may be stored and processed on servers outside Vietnam.

Under Vietnam's PDPL (Law 91/2025/QH15) and Decree 356, cross-border transfers of personal data are subject to specific requirements that many companies have not yet addressed. This article explains what the rules are, who they affect, and what steps you need to take.

When Do Cross-Border Transfer Rules Apply?

The PDPL's cross-border provisions apply whenever personal data of Vietnamese citizens is transferred, stored, or processed outside the territory of Vietnam. This includes:

Sending data to a parent company abroad — employee records, financial reports containing personal data, or operational data shared with overseas headquarters
Using cloud platforms with global infrastructure — Google Workspace, Microsoft 365, Salesforce, and most SaaS tools store data across multiple geographic regions
Outsourcing to foreign service providers — payroll processing, IT support, or HR administration handled by companies outside Vietnam
Sharing data with foreign clients or partners — project documentation, personnel records, or compliance reports sent internationally

The key point: the trigger is not the intent to transfer data abroad. It is the fact that data ends up outside Vietnam, regardless of how or why.

What the PDPL Requires

1. Cross-Border Transfer Impact Assessment

Before transferring personal data outside Vietnam, companies must complete a Cross-border Transfer Impact Assessment. This document must evaluate:

The types of personal data being transferred
The purpose and necessity of the transfer
The data protection laws of the receiving country
The technical and organizational safeguards in place
The risks to data subjects and how those risks are mitigated

This is not the same as a standard DPIA. It is a separate assessment specifically focused on the cross-border nature of the transfer. Decree 356 specifies the format and content requirements.

2. Registration with the Ministry of Public Security

Companies conducting cross-border transfers must register these activities with the Ministry of Public Security (MPS). This registration must occur before the transfers begin and must include the Cross-border Transfer Impact Assessment.

This requirement has no GDPR equivalent. European data protection law allows cross-border transfers through mechanisms like Standard Contractual Clauses without pre-registration with a government authority. Vietnam's approach is fundamentally different — it requires proactive government notification.

3. Explicit Consent from Data Subjects

Data subjects must provide explicit, informed consent specifically for the cross-border transfer of their personal data. This consent must be:

Separate from general data processing consent
Specific about what data will be transferred and to where
Informed about the data protection standards in the receiving country
Freely given and revocable

For employers, this means updating employee consent forms to include a distinct cross-border transfer consent clause. A general employment consent form is unlikely to satisfy this requirement.

4. Ongoing Compliance Obligations

Cross-border transfer compliance is not a one-time exercise. Companies must:

Update their Impact Assessment if the nature or scope of transfers changes
Maintain records of all transfers
Respond to data subject requests regarding their transferred data
Notify the MPS of any significant changes to transfer arrangements

The Google Workspace Question

Google Workspace presents a specific challenge for Vietnamese companies. Google operates a global cloud infrastructure, and data is distributed across data centers worldwide for performance and redundancy. This means:

Default configuration = cross-border transfer. Unless you have activated Google Workspace data region policies (available on Enterprise plans), you cannot guarantee that Vietnamese personal data stays within Vietnam's borders.

Even metadata matters. It is not just file contents. Email headers, access logs, sharing permissions, and user activity data may also be processed outside Vietnam. Under a strict reading of the PDPL, these constitute personal data transfers.

Google's data processing agreements may not be sufficient. While Google offers data processing agreements that reference GDPR, these do not automatically satisfy Vietnam's PDPL requirements. You still need to complete the Vietnamese Cross-border Transfer Impact Assessment and register with the MPS independently.

Why FDI Companies Face Extra Exposure

Foreign-invested companies face a compounding challenge. They are not only using cloud tools with global infrastructure — they are also actively sending data to parent companies, regional offices, and foreign service providers as part of normal operations. Each of these data flows is a separate cross-border transfer subject to PDPL requirements.

Common scenarios include:

Monthly HR reports sent to regional headquarters containing employee names, IDs, and salary data
Financial consolidation processes that transfer Vietnamese employee data to global systems
IT helpdesk services operated from another country with access to Vietnamese user accounts
Compliance or audit requests from the parent company requiring employee personal data

Each of these must be assessed, documented, and registered with the MPS.

Practical Steps to Take Now

1. Inventory Your Data Flows

Map every flow of personal data that leaves Vietnam. Include cloud storage, SaaS tools, data shared with foreign entities, and outsourced services. Be thorough — the flows you forget are the ones that create risk.

2. Complete a Cross-Border Transfer Impact Assessment

For each identified transfer, prepare the Impact Assessment in the format specified by Decree 356. If you use multiple cloud tools and share data with multiple foreign entities, you may need several assessments.

3. Register with the Ministry of Public Security

Submit your Impact Assessment(s) and register your cross-border transfer activities with the MPS. This step must be completed before the transfers occur.

4. Update Consent Mechanisms

Review and update employee consent forms, privacy notices, and data processing agreements to include explicit cross-border transfer consent. This is especially important for employment relationships, where CCCD numbers, tax codes, and salary data are routinely processed.

5. Audit Your Google Workspace

Understand what Vietnamese personal data exists in your Google Workspace, where it is stored, and whether it is accessible from or replicated to servers outside Vietnam. This audit gives you the factual basis for your Impact Assessment.

Do Not Wait

The PDPL is already in effect. Companies conducting cross-border transfers without the required Impact Assessment and MPS registration are operating outside the law. The requirements are clear, and the steps to comply are well-defined. Starting now gives you time to do it properly.

CompliScan helps companies identify what personal data exists in their Google Workspace before tackling cross-border compliance. Our read-only scan identifies Vietnamese PII across Drive, Gmail, Sheets, and Docs, giving you the data inventory you need for your Cross-border Transfer Impact Assessment. Request your free risk assessment →

This article is for informational purposes only and does not constitute legal advice. Consult a qualified Vietnamese attorney for advice specific to your company's cross-border data transfer obligations.