Vietnam’s Data Regulations: Part 1 - Draft Decree for Data Law Implementation

Written by Vu Nguyen Hanh

In this series about data regulation in Vietnam, we explore the key aspects of the proposed regulations and their potential impact on data-related businesses in the country. This article specifically focuses on the draft Implementation Decree, which aims to clarify the general provisions outlined in the Data Law.


Following the introduction of Law No. 60/2024/QH15 on Data (“Data Law”) in November 2024, Vietnam’s government has yet to fill the gap of detailed regulations needed to guide the actual implementation of this milestone law. However, a series of new regulatory instruments, whose drafts were released in January 2025, will soon address the void. These documents include:

  • Draft decree on detailed regulations and implementation measures for the Data Law (“Implementation Decree”);
  • Draft decree on scientific, technological, and innovative activities and data-related services (“Decree on Data-related Activities”);
  • Draft decree on the National Data Development Fund (“NDDF Decree”); and
  • Draft decision on core and critical data classification.

Vietnam is currently preparing four legal documents to facilitate the enforcement of its new Data Law, set to take effect on July 1, 2025. In this series on Vietnam’s data regulation, we examine the key aspects of these proposed regulations and their potential impact on data-related businesses in Vietnam.

Essential and core data identifications

The draft Implementation Decree specifies criteria for recognizing essential and core data. Generally, essential data is information potentially influencing national defense, security, foreign relations, macroeconomic stability, social order, public health, and community safety. Meanwhile, core data pertains to information that has a direct impact on these sectors. 

Data Classification Criteria

| Category | Criteria | Impacted area |
| --- | --- | --- |
| Essential data | Impact on national security, sovereignty, and territorial integrity | Defense, political stability, economic security, social order, public health, and safety (excluding state secrets). |
| Essential data | Impact on foreign relations and international cooperation | Strategic partnerships, overseas projects, energy security, maritime routes. |
| Essential data | Impact on economic development | Macroeconomic stability, critical infrastructure, and key industries. |
| Essential data | Impact on individuals and organizations | Life, health, property, legal rights, and reputational risks. |
| Core data | Party and State policies | Domestic/foreign policies, leadership activities, ethnic/religious strategies. |
| Core data | National defense and security | Military operations, critical infrastructure, weapons systems, cryptography. |
| Core data | Strategic economic and industrial data | Monetary policy, rare resources, and national reserves. |
| Core data | Scientific and technological advancements | Defense-related patents, nuclear/atomic research, and rare pharmaceuticals. |
| Core data | Population and legal oversight | Census data, anti-corruption, and legal investigations. |
| Core data | International agreements and treaties | Data exchanged with foreign entities under binding treaties. |

Obligations for data transfer

Cross-border data transfer

According to the draft decree, to transfer essential and core data abroad, data administrators must thoroughly assess the related risks and prepare mandatory impact assessment reports, including:

  • Cross-Border Data Transfer; and
  • Processing Impact Assessment Dossiers.

Data administrators are required to prepare and submit the necessary documents, along with a notification, to the relevant data regulator at least five days prior to transferring data. The relevant regulators are:

  • Ministry of National Defense for data related to military, defense, or cryptographic fields; or
  • Ministry of Public Security for data in other fields.

Nonetheless, the approval for transferring core data is stricter compared to that for essential data, as detailed below:

  • Essential data: If no negative assessment is provided within five days, data administrators may proceed with the transfer and processing of data abroad.
  • Core data: Data regulators must finalize the impact assessment within ten working days of receiving a complete and valid dossier. Data administrators can only proceed with transferring and processing data abroad after obtaining a positive assessment from data regulators.

Data administrators are also required to perform an annual self-assessment of risks related to the transfer and processing of essential data, as well as a bi-annual assessment for core data. These assessments must be reported to the Ministry of Public Security.

Additionally, regardless of the data category being transferred internationally, the data transferor must safeguard the legitimate rights and interests of the data subject, along with national defense, security, and public interests. An agreement that includes clearly defined mandatory content must also be established with the recipient.

Data transfer in mergers, restructurings, or bankruptcies

The draft Implementation Decree states that if a data administrator must transfer data in the event of a merger, reorganization, or bankruptcy, it must inform affected users through a phone call, text message, email, or notice, and submit a transfer plan.

Data protection measures

The draft decree establishes principles for managing data access and extraction, along with specific requirements for processing core data and essential data.

Data validation

Pursuant to the draft decree, the responsibility for data validation lies with both the database owner and the data subject. However, the database owner has the ultimate responsibility for ensuring the quality of the data in their database. The database owner, the database operator, or a digital verification service provider has the right to perform data validation. Verified data has the same legal value as the original data for a certain period, as the competent authority prescribes.

Data disclosure restrictions

Disclosure-prohibited data

The draft decree prescribes the following data types, which must not be publicly disclosed:

  • Personal data without consent;
  • State secrets or data affecting national defense and security; and
  • Data that, if disclosed, could harm:
    • Interests of the Communist Party, Government, or national sovereignty;
    • Foreign relations, social ethics, or public health; and
    • Individuals or organizations (for example, reputational or financial damage).

Conditionally disclosable data

The following information may be disclosed under certain conditions:

  • Business-related information can be released publicly with the data owner’s consent;
  • Personal information about private life or individual secrets can be shared only with the explicit approval of the data subject, while information regarding family secrets needs the consent of all family members; and
  • Specific sensitive information may be revealed by the appropriate authority without consent if it serves the public good, safeguards public health, or is mandated by law.

Data security

To guarantee safety, the draft decree requires implementing one or more of the following encryption measures for data management:

  • Transmission encryption;
  • Storage encryption;
  • Device encryption; and
  • Hardware security protocols that prevent unauthorized access and ensure encryption/decryption takes place in a secure setting.

Simultaneously, decryption protocols must require identity verification of the individual decrypting the data and authorized access to encrypted information. All encryption and decryption activities must be documented for validity, transparency, and accountability.

It is worth noting that many of the measures being imposed are inspired by best practices in personal data protection (for example, record of processing activities, access controls, training of employees, proper deletion and destruction procedures, etc.). Although one would understand why such measures would be relevant in the case of core and important data, the requirements would be very burdensome for “ordinary” data processing. The scope of application of the Data Law (and its future guiding decrees) will cover any organization participating in or related to digital data activities. As digital data is simply data in digital form, the application scope is very broad, and the obligations far-reaching.

Procedures for data provision to state agencies

The draft decree outlines the procedures for state authorities to obtain data from organizations and individuals. State agencies must issue written requests for data access. Verbal requests are allowed only in emergencies and must be followed by confirmation.

Each data request should detail the type of data, the required detail level, the amount of data, the frequency of access, and the method of provision. These requests must honor the legitimate purposes of the data administrator and the data owner, while ensuring the protection of business secrets and personal privacy.

A data request can be withdrawn under specific conditions, such as:

  • Violating the Data Law or other applicable legal standards;
  • Failing to meet the criteria for data provision; or
  • The requested data is no longer obtainable for valid reasons.

The draft decree allows data owners, legal representatives, or individuals legally managing and utilizing the data to request changes or cancel the data request from the respective State authority, as long as such requests are made before the established data provision deadline.

Takeaways for businesses

The draft Implementation Decree is designed to enhance the forthcoming Data Law by establishing clear criteria for classifying data and implementing strict protocols for cross-border data transfers, thereby protecting national security and public interests.

As companies gear up for these changes, it becomes imperative to comply with the new requirements to ensure data integrity and remain aligned with shifting legal standards. To adjust successfully to these legal modifications, businesses should:

  • Conduct a thorough data inventory to determine if their data categories include core data or essential data;
  • Review and revise data handling policies, particularly focusing on data transfer and processing abroad, to identify and rectify compliance discrepancies; and
  • Participate in the public consultation and offer feedback on the draft decree to influence the final regulations.

About Us

Vietnam Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates.