The Vietnamese Government recognizes data as a strategic asset vital to national security, defense, and economic stability. It has intensified regulatory oversight of data management and of data-related businesses. This is consistent with Vietnam’s National Data Strategy, which was established under Decision No. 142/QD-TTg dated February 2, 2024.
On November 30, 2024, the National Assembly enacted the Law on Data, which will take effect on July 1, 2025. It will be the legal foundation for data governance, security, and processing. In preparation for its implementation, the Ministry of Public Security released a draft decree for public consultation on January 16, 2025 (“Draft Decree”). The Draft Decree aims to clarify and facilitate enforcement of the Law on Data.
The Draft Decree focuses on categorizing data based on its importance, including Core Data, which is data with direct implications for national security, defense, foreign affairs, economic stability, public health, and social order; and Essential Data, which has only a potential impact on these areas. The draft Prime Minister’s Decision outlines a comprehensive list of Core and Essential Data.
The Draft Decree defines data processing activities. It also prescribes specific requirements for handling data types, particularly Core Data and Essential Data. The Draft Decree offers a framework for organizations and individuals to implement technical, managerial, and security measures in order to comply with legislative mandates, such as the Law on Cybersecurity, the Law on Network Information Security, and Decree 13/2023/ND-CP on personal data protection.
- Data processing activities and requirements:
The Draft Decree provides precise definitions for key data-related activities. “Accessing data” is defined as engaging with and affecting data within the scope of authorized permissions, including reading, writing, modifying, executing, and other activities stipulated by the database owner. “Extracting data” refers to the process of accessing and retrieving data, whether manually, automatically, in real-time, or through other means as specified by the database owner. Additionally, the Draft Decree establishes principles governing data access and extraction, along with specific requirements for handling Core Data and Essential Data.
The responsibility to “confirm data” lies with both the database owner and the data subjects. However, the database owner is ultimately accountable for ensuring the quality of the data within its database. “Verification of data” may be conducted by the database owner, the database operator, or a provider of digital verification services. Verified data holds the same legal validity as the original data for a specified period, as determined by the relevant authority.
The Draft Decree outlines circumstances under which data cannot be publicly disclosed, including:
- Personal data for which the data subject has not given consent for disclosure;
- National secrets or data that may impact national defense and security;
- Other data that, if disclosed, could negatively affect the interests of the Communist Party, Government, national interests, foreign relations, public morality, public health, or could cause harm to individuals or organizations.
Conversely, certain types of data may be publicly disclosed under specific conditions:
- Business-related data may be disclosed if the data owner provides consent in accordance with legal requirements;
- Personal data related to private life or personal secrets may be disclosed with the explicit consent of the data subject, while data related to family secrets may be disclosed with the agreement of all family members;
- Certain sensitive data may be disclosed by a competent authority without consent if the disclosure serves the public interest or public health, or is required by law.
To ensure data security, the Draft Decree mandates the implementation of one or more encryption methods or encryption/decryption procedures for data management and administration, including:
- Encryption of data during transmission;
- Encryption of stored data;
- Encryption of data on digital media;
- Hardware security measures to prevent unauthorized access and to ensure that encryption/decryption occur in a secure environment;
- Decryption protocols that require:
  - Identification of the individual performing decryption;
  - Authorization to access encrypted data;
  - Logging of encryption and decryption activities to ensure validity, transparency, and accountability.
Additionally, the Draft Decree includes provisions on data retrieval, deletion, destruction, combination, modification, copying, transmission, and transfer. A key requirement mandates that entities and individuals provide data to a competent authority under certain circumstances and upon receipt of a valid request.
- Offshore transfer and processing of data:
A significant provision of the Draft Decree pertains to the cross-border transfer and processing of data. Under this framework, data owners must conduct risk assessments, prepare impact assessments for cross-border data transfers and processing, and comply with other procedural requirements outlined in the Draft Decree. The Draft Decree also specifies the required contents of the impact assessment. However, only cross-border transfers and processing of Core Data or Essential Data require prior submission of the impact assessment to the relevant authority for approval. Additionally, entities handling such data must periodically update their risk assessments. If the data set includes personal data, the impact assessment requirements under personal data protection regulations also apply.
Beyond risk assessment obligations, the Draft Decree mandates that agreements between the data transferor and recipient must include, at a minimum, the following provisions:
- The purpose, methodology, and scope of cross-border data transfer and processing;
- The location and duration of offshore data storage, along with measures for data handling upon expiration of the storage period, fulfillment of the stated purpose, or termination of the agreement;
- Binding obligations requiring the recipient to return the data;
- Security measures to be implemented in response to material changes in the recipient’s control, business operations, local data security regulations, or other force majeure events impacting data security;
- Remediation measures for breaches, dispute resolution mechanisms, and liability provisions;
- Emergency protocols to address unauthorized or illegal data modification, destruction, leakage, loss, transfer, or collection.
While the Draft Decree seeks to balance national security and data integrity with the facilitation of international data flows, its stringent requirements impose a heightened compliance burden on businesses.
Preparing for Compliance
Vietnam’s evolving data regulatory landscape presents both challenges and opportunities for businesses. While enhanced controls strengthen national security and data governance, a clearer legal framework can provide businesses with greater certainty in digital operations. To navigate these regulatory changes effectively, businesses should:
- Conduct a comprehensive data inventory to determine whether Core Data or Essential Data is involved;
- Review and refine data handling policies, including cross-border transfer and processing procedures, to identify potential compliance gaps;
- Engage in public consultations and provide feedback on the Draft Decree to help shape its final provisions.
As a market leader in data protection, privacy, and information security regulations, Russin & Vecchi is well-positioned to support businesses in preparing for these new compliance requirements.