Introduction to new Data Law (Vietnam)

Application

The Data Law takes effect from 1 July 2025 and applies to not only Vietnamese agencies, organizations, and individuals; but also foreign agencies, organizations, and individuals in Vietnam; and foreign agencies, organizations, and individuals directly involved in or related to digital data activities in Vietnam. If provisions of a law enacted before the Data Law takes effect align with the Data Law’s principles, such law will prevail; otherwise, subsequent laws with provisions conflicting with the Data Law must specify which rules to follow.

Provisions

Key Definitions

Under the Data Law, digital data (sometimes referred to as “data”) is broadly defined as data about objects, phenomena, and events, including one or a combination of forms such as sound, images, numbers, text, and symbols, represented in digital form. This defination may be interpreted as inclusive of personal data.

Digital data may be categorized in various ways, and amongst others, includes the following:

Classification according to the sharing nature of data:

• Shared Data: Data that can be accessed, shared, exploited, and used collectively by the Party (the Communist Party of Vietnam) and State agencies, the Vietnam Fatherland Front, and political-social organizations.
• Exclusive Data: Data that can only be accessed, shared, exploited, and used within the internal scope of Party and State agencies, the Vietnam Fatherland Front, and political-social organizations.
• Open Data: Data that is accessible, shareable, exploitable, and usable by any agency, organization, or individual with a need.

Classification according to the importance of data:

• Important Data: Data that can affect national defense, security, foreign relations, macroeconomics, social stability, health, and public safety, as defined in a list issued by the Prime Minister.
• Core Data: Important data that directly impacts national defense, security, foreign relations, macroeconomics, social stability, health, and public safety, as defined in a list issued by the Prime Minister.

The Data Law has also provided the following definitions regarding data-related entities:

• A data subject is the agency, organization, or individual that the data reflects.
• A data administrator is the agency, organization, or individual responsible for building, managing, operating, and exploiting the data according to the requirements of the data owner.
• A data owner is the agency, organization, or individual who has the authority to decide on the building, development, protection, governance, processing, usage, and exchange of the value of the data they own.

Data as Property

The Data Law stipulates that the rights of data owners over their data are property rights under the provisions of civil law. For the first time, the property right of data has been recognized, and the owner can capitalize on this asset while also using strong anti-infringement measures in laws relating to property to protect their data.

Cross-border Transfer

The Data Law has outlined the basic principles to be followed in the data processing process for agencies, organizations, and individuals; governance, identification, and management of risks arising from data processing.

Notably, the Data Law allows for free data transfer from overseas to Vietnam and processing of foreign data in Vietnam. Further, the Data Law also contains provisions regulating cross-border transfer and processing of core data and important data, which includes: (i) transferring data currently stored in Vietnam to storage systems outside Vietnam; (ii) transferring data from Vietnamese agencies, organizations, or individuals to foreign entities, individuals and (iii) using platforms outside Vietnam for data processing. Both (1) data transfer from overseas to Vietnam and processing of foreign data in Vietnam, and (2) cross-border transfer and processing of core data and important data must ensure national defense, security, public interest, and comply with Vietnamese laws and international treaties to which Vietnam is a party.

Obligation to Identify and Manage Risks

The data administrators that are not state agencies are obligated to self-assess and identify risks arising from data processing, and to notify these risks to data subjects and relevant agencies, organizations, or individuals . The data administrators of core and important data must periodically assess the risks associated with the processing activities of such data in accordance with regulations and notify the specialized authorities to coordinate in ensuring the safety and security of such data.

Therefore, to fullfill new obligations under the Data Law, data owners and data administrators must categorize their data into core data, important data, and other data. Specific guidance on the requirements, conditions, and procedures to ensure national defense, security is expected to be stipulated by future government’s decrees.

Data Provision Obligation

Under the Data Law, organizations and individuals must provide data when required by competent authorities, without needing the consent of the data subject, in following cases: (i) emergency response situations; (ii) national security threats that do not yet require emergency response; (iii) disasters; (iv) prevention of riots and terrorism.

Since the drafting stage, this regulation on data provision has sparked debates, particularly from enterprises concerned about being forced to disclose sensitive business information or data under private confidentiality obligations. However, the Data Law appears to address this concern by only encouraging domestic and foreign organizations and individuals to provide data under their ownership to competent authorities, and limiting data provision obligations to four above-mentioned situations, offering a reasonable environment for businesses in Vietnam.

Digital Data Products and Services

The Data Law regulates data-related products and services in data intermediary activities, data analysis, data aggregation, electronic verification, and data exchanges platform (“sàn dữ liệu” in Vietnamese). A data exchange platform is a platform that provides data-related resources to support research, startup development, and innovation; offers data-related products and services to promote socio-economic development; and serves as an environment for trading and exchanging data and related products and services. The service of electronic verification and data exchanges platform shall be conducted by public non-business units and state-owned enterprises that meet the conditions for providing such services and are licensed for establishment in accordance with the law.

Each data-related product and service does not have a clear scope and includes a variety of activities (i.e. data intermediary products and services are products and services designed to establish a commercial relationship between data subjects, data owners, and the users of products and services, through agreements aimed at exchanging, sharing, and accessing data, as well as exercising the rights of data subjects, data owners, and data users.). Therefore, products and services that are not truly data intermediaries may inadvertently or due to misinterpretation be considered data intermediary products and services in certain cases. The Data Law entrusts the government to give further guidance on these contents.

Conclusion

The Data Law is an important step in providing a fundamental legal framework for digital data management aligning with the country’s digital transformation. The recognition of data as property marks a significant shift in how data is treated legally and provides data owners with more control and protection over their digital assets. However, some provisions in the law are still general and require detailed guidance from the government to ensure feasibility and effectiveness in implementation. Specially, enterprises should pay attention to the drafting and issuance of decrees and circulars guiding the Data Law, in order to stay updated on potential obligations that may arise, such as: obligations regarding the cross-border transfer of core and important data, obligations regarding risk assessments, obligations regarding data provision, and obligations for business registration of data products and services.