Vietnam's Law on Data: Key Provisions and Implications

Vietnam's Law on Data, effective 1 July 2025, establishes a comprehensive framework for digital data management alongside Decree 13/2023 on personal data protection. This compliance document outlines critical obligations for businesses operating in Vietnam, informed by provisions from the linked Hogan Lovells analysis and related regulations1248.

Scope of Application

The law applies broadly to:

• Vietnamese entities (agencies, organizations, individuals)
• Foreign entities operating in Vietnam or directly involved in Vietnam’s digital data activities12.

Key definitions:

• Digital data: Any information in digital format (audio, visual, numerical, written, symbolic)13.
• Data owners: Granted explicit property rights under Vietnam’s Civil Code, enabling commercial use, transfers, and legal protections14.

The Law on Data in Vietnam has a broad scope of application, applying to a range of entities involved in digital data activities. According to the sources, the law applies to the following:

• Vietnamese agencies, organizations, and individuals.
• Foreign agencies, organizations, and individuals in Vietnam.
• Foreign agencies, organizations, and individuals directly participating or otherwise involved in digital data activities in Vietnam.

The law governs digital data-related activities, including digital data management, the construction and operation of the National Data Centre and the National General Database, digital data products and services, and the rights and responsibilities of relevant parties regarding digital data.

For businesses, several key aspects of Vietnam's new Law on Data are essential to understand. The law, which goes into effect on July 1, 2025, governs digital data-related activities. It aims to establish a comprehensive legal framework for data management and address data protection challenges in Vietnam.

Key aspects include:

• Scope of application: The law applies to Vietnamese agencies, organizations, and individuals, as well as foreign agencies, organizations, and individuals in Vietnam or those directly participating in digital data activities in Vietnam.
• Definition of digital data: The Law defines digital data broadly as data about objects, phenomena, or events in audio, visual, numerical, written, or symbolic forms expressed in digital format. This covers both personal and non-personal data, including business data.
• Property rights of data owners: The law establishes property rights for data owners over their data, allowing them to sell, transfer, or commercially use their data and take measures against infringement.
• Cross-border transfer and processing of important and core data: The law regulates the cross-border transfer and processing of "important data" (data potentially impacting national interests) and "core data" (important data directly impacting national interests). Transfer of data stored in Vietnam to storage systems outside of the country, transfer of data from Vietnamese entities to foreign individuals and entities, and use of overseas platforms for processing such data are all regulated. Cross-border data transfers and data processing from Vietnam must not affect national defence, security, national interests, public interests, or the legitimate rights of data subjects and owners.
• Mandatory risk assessments: Data administrators of important data and core data must conduct periodic risk assessments of their data processing activities. They must also notify specialized task units within the Ministry of Public Security, the Ministry of National Defence, and other relevant authorities.
• Data-related products and services: The law recognizes data intermediary products/services, data analysis/synthesis products/services, and data platforms provided by eligible public units or state enterprises as data-related products and services. These may be subject to registration or licensing requirements.
• National General Database and National Data Centre: The law provides the legal basis for establishing a National General Database managed by the National Data Centre, scheduled to launch by the end of 2025. Data from administrative procedures, public services, and other public databases will be integrated into the National General Database.

Global Privacy & Compliance Explorer

Interactive map for exploring global privacy regulations and compliance requirements. Navigate GDPR, CCPA, PIPEDA, and more.

Interactive Regulatory MapLovable

Data Classification and Compliance Obligations

1.Core Data and Important Data

• Important Data: Affects national security, macroeconomics, public safety, or social stability (lists pending Prime Minister approval)15.
• Core Data: Subset of Important Data with direct national security/defense impacts16.

Compliance requirements:

• Cross-border transfers of Core/Important Data require:
  • Risk assessments and government notifications1910.
  • Proof that transfers do not compromise national interests178.
• Mandatory risk assessments every 6–12 months for administrators of Core/Important Data, reported to cybersecurity authorities19.

2.Cross-Border Data Transfers

For all data types, transfers must:

• Avoid harming national defense, public safety, or individual rights17.
• For personal data, comply with Decree 13/2023 requirements:
  • Obtain explicit consent67.
  • Conduct impact assessments and submit dossiers to the Ministry of Public Security34.

3.Data-Related Products and Services

Businesses offering the following must obtain licenses/registrations:

• Data intermediary services (e.g., API management, storage).
• Data analysis/synthesis platforms111.
• Data exchange platforms (restricted to state-owned/public service entities)4.

Key restrictions:

• Prohibition on unauthorized personal data trading5.
• Mandatory transparency for data collection/processing purposes67.

4.National Data Infrastructure

• National Data Centre: Launching by end-2025 to manage the National General Database112.
• Data integration requirements:
  • Administrative/public service data must be incorporated into the National General Database114.
  • Access restricted to government entities, data subjects, or authorized third parties115.

Compliance Checklist for Businesses

1. Data mapping: Identify if your operations involve Core/Important Data using pending Prime Minister lists156.
2. Update contracts: Ensure data ownership clauses align with Civil Code property rights (Articles 105, 115, 450)14.
3. Cross-border protocols:
   • Implement risk assessment templates for transfers19.
   • Designate a Data Protection Officer (DPO) for high-risk processing36.
4. Consent management:
   • Deploy systems to record explicit consent (e.g., tick-boxes, voice recordings)67.
   • Enable withdrawal mechanisms per Decree 13/202336.
5. Prepare for audits: Maintain records of processing activities and impact assessments34.

Regulatory Risks and Emerging Challenges

• AI/data mining: Ambiguity remains around using AI-generated data without owner consent14.
• Upcoming decrees: Draft implementation rules (e.g., data classification, licensing) are under consultation until March 20254.
• Penalties: Non-compliance with cross-border transfer or risk assessment rules may trigger fines under Decree 13/2023 and future guidance34.

Businesses should monitor updates to Vietnam’s Draft Decree on Data Law Implementation and engage legal counsel to align with evolving requirements4. Proactive compliance will mitigate risks while leveraging opportunities in Vietnam’s US$23 billion digital economy48.

What are the key implications of the Law on Data for foreign businesses operating in Vietnam

Vietnam's Law on Data, effective 1 July 2025, introduces transformative compliance obligations for foreign businesses operating in or connected to Vietnam's digital ecosystem. Here are the key implications based on current regulations and draft implementation decrees:

1. Expanded Scope and Definitions

• Extraterritorial reach: Applies to foreign entities directly involved in Vietnam’s digital data activities, even without a physical presence15.
• Broad data coverage: Includes all digital data (personal and non-personal) in formats like text, images, and audio14.

2. Cross-Border Data Transfer Requirements

For Core Data (directly impacts national security) and Important Data (affects macroeconomics/public safety):

For personal data, existing Decree 13/2023 obligations remain:

• Explicit consent mechanisms
• Data Protection Impact Assessments (DPIAs) submitted to the Ministry of Public Security56

3. Operational Mandates

• Local presence: Foreign enterprises in 10 regulated sectors (e.g., e-commerce, fintech) must establish branches/representative offices if:
  • They receive cybersecurity violation warnings from authorities23
  • Engage in data localization under Decree 53 (24-month storage minimum)2
• Licensing: Required for data-related services like analytics platforms or API management68

4. Integration with National Infrastructure

• National Data Centre: Launching by end-2025 to centralize administrative/public service data46. Foreign businesses must:
  • Synchronize compatible datasets with the National General Database
  • Restrict access to government-authorized parties47

5. Emerging Compliance Risks

• Upcoming decrees: April 2025 guidance expected on68:
  • Detailed data classification lists (Prime Minister approval pending)
  • Cross-border transfer protocols
  • Licensing procedures for data services
• Enforcement ambiguity: Unclear extraterritorial application despite legal text suggesting limited scope48
• Cost increases: Data localization and branch setup requirements may raise operational expenses by 15–30% for affected sectors26

Strategic Recommendations for Foreign Businesses

1. Conduct data mapping to identify exposure to Core/Important Data categories.
2. Update cross-border transfer protocols with risk assessment templates aligned with Decree 13/2023.
3. Prepare for audits by maintaining:
   • DPIA records
   • Consent management systems (e.g., verifiable opt-in mechanisms)
4. Monitor sector-specific rules, particularly for cloud services, AI, and fintech under draft decrees68.

With Vietnam's digital economy projected to reach US$23 billion by 2025, proactive compliance will be critical to balancing regulatory risks with market opportunities68

Citations:

1. https://www.hoganlovells.com/en/publications/vietnams-new-law-on-data
2. https://www.hoganlovells.com/en/publications/vietnams-new-law-on-data
3. https://secureprivacy.ai/blog/vietnam-personal-data-protection-law
4. https://kpmg.com/vn/en/home/insights/2025/02/vietnam-draft-decrees-on-data-regulation.html
5. https://trustarc.com/regulations/vietnam-pdpd/
6. https://www.didomi.io/blog/vietnam-data-privacy-law-pdpd-everything-you-need-to-know
7. https://www.dlapiperdataprotection.com/index.html?t=law&c=VN
8. https://www.vietnam-briefing.com/news/vietnam-national-assembly-approves-law-on-data.html/
9. https://cpl.thalesgroup.com/compliance/apac/data-security-compliance-vietnam-pdpd
10. https://cms-lawnow.com/en/ealerts/2025/01/understanding-vietnam-s-data-law-key-objectives-and-business-implications
11. https://www.tilleke.com/insights/draft-guidance-on-vietnams-new-data-law-open-for-public-consultation/
12. https://www.tilleke.com/insights/vietnams-data-revolution-law-on-data/
13. https://www.dataguidance.com/jurisdiction/vietnam
14. https://insightplus.bakermckenzie.com/bm/data-technology/vietnam-fast-tracked-data-law-sets-out-new-data-regime_1
15. https://www.vietnam-briefing.com/doing-business-guide/vietnam/company-establishment/vietnam-personal-data-privacy-law
16. https://www.dataguidance.com/opinion/vietnam-official-data-law-decoded-how-does-it
17. https://multilaw.com/Multilaw/Multilaw/Data_Protection_Laws_Guide/DataProtection_Guide_Vietnam.aspx