A new legal wave on Data Governance and Protection in Viet Nam
The 2025-2026 Digital Era marks a major turning point in Vietnam’s digital legal ecosystem with the simultaneous enactment of central laws: the Law on Data 2024, the Law on Personal Data Protection 2025, the Law on Cybersecurity 2025, the Law on Artificial Intelligence 2025, and the Law on Digital Technology Industry 2025. Legislative thinking has officially shifted from creating a relaxed corridor to encourage development to tightening risk management and applying exceptionally strict penalties for data and technology issues.
The article below summarizes the general legal framework for data in Vietnam based on the latest regulations.
1. Law on Data 2024:
The Law on Data 2024 officially stipulates the strategic mindset: Data is a resource, and the State has a policy to mobilize all resources to enrich data and develop data into an asset. This Law establishes a clear mechanism separating the roles between the Data Owner (property rights, decision-making) and the Data Administrator (operation, management).
The crucial highlight is the classification of national data assets into two special groups requiring control:
(i) Core Data: Having a direct impact on security and macroeconomics. (Example: Basic citizen data from 1,000,000 individuals; sensitive data from 100,000 individuals; account data from 100,000 enterprises).
(ii) Important Data: Having potential impacts on security and the economy. (Example: Basic citizen data from 100,000 individuals; sensitive data from 10,000 individuals; account data from 10,000 enterprises).
The legal framework also tightens cross-border data transfer and processing activities:
(i) For Core Data: An impact assessment dossier must be submitted and approved by the Ministry of Public Security (or the Ministry of National Defense) prior to the transfer (the appraisal period is from 10 to 15 days).
(ii) For Important Data: An impact assessment dossier must be submitted to the Ministry of Public Security (or the Ministry of National Defense) 15 days prior to processing the data to serve inspection and evaluation purposes.
In addition, the law also stipulates the establishment of a National Data Center and a National General Database for centralized management. Concurrently, Decree 169/2025/ND-CP has created a legal corridor for the establishment of a Data Exchange – an environment for trading, exchanging data, and related products and services.
2. Law on Personal Data Protection (PDP) 2025:
The Law on Personal Data Protection 2025 (effective from January 1, 2026) replaces Decree 13/2023/ND-CP, elevating privacy protection rules to the level of a law. The new legal framework sets extremely stringent compliance standards for organizations and enterprises:
- Regarding consent: The consent of the data subject must be clear, specific, and verifiable. The law strictly prohibits the establishment of default consent methods or assuming that silence constitutes consent.
- Rights of the data subject and response time: The timeframe for processing user requests is significantly shortened. Upon receiving a request to withdraw consent or object to data processing, the organization must respond within 02 working days and execute the cessation of processing within 15 days. Data deletion requests must also be responded to within 02 working days and executed within 20 days.
- Internal governance obligations: Agencies and organizations must appoint a personal data protection department or personnel (DPO) satisfying the condition of having at least 02 years of professional experience.
- Business of data processing services: Organizations engaging in the business of personal data processing services (such as SaaS, data analytics services, credit scoring) must apply for a Certificate of Eligibility for Business issued by the Ministry of Public Security.
- Compliance dossiers (DPIA/TIA): Data controllers and processors must submit a Personal Data Processing Impact Assessment Dossier and a Cross-border Data Transfer Impact Assessment Dossier within 60 days from the commencement of data processing/transfer. Notably, this dossier must be updated periodically every 06 months, or within 10 days if there is a change in organization or business line.
Furthermore, the most breakthrough and rigid point in the new legislative thinking is the provision of responsibilities and penalties directly applicable to the Data Subject.
- Penalties for the Data Subject: Under the Law on Personal Data Protection 2025, data subjects have the obligation to “self-protect their own personal data”. Notably, according to the Draft Decree on sanctioning administrative violations, the data subjects themselves will be subject to very heavy fines, ranging from 50,000,000 VND to 70,000,000 VND, if they “fail to self-protect their own personal data” or “fail to respect and protect the personal data of others”.
- Affirming Data as a National Asset: Penalizing the victims themselves (data subjects) when they are negligent with their data affirms a completely new legal philosophy: Personal data is not merely the private personal right of a single individual, but when aggregated, it constitutes the national digital asset and resource. The protection of personal data must be tied to the protection of national and ethnic interests, serving socio-economic development, and ensuring national defense and security. Therefore, each individual protecting their own data is a mandatory legal obligation to protect common security, avoiding the creation of loopholes for cybercriminals to exploit.
3. Law on Cybersecurity 2025:
The Law on Cybersecurity 2025 (effective July 1, 2026) acts as a shield, tightening measures to protect national cyberspace.
- Data Localization: Domestic and foreign enterprises providing services on telecommunications networks and the Internet that collect user data in Vietnam are mandatorily required to store data in Vietnam. Foreign enterprises must establish branches/representative offices.
- Rapid response mechanism: Enterprises must provide user information to the Ministry of Public Security no later than 24 hours (or 03 hours in emergency cases threatening national security). The removal of violating information/applications must be executed no later than 24 hours (or 06 hours in emergency cases).
- Anti-Deepfake & Cybercrime: Absolutely prohibiting the use of new technologies (AI, Deepfake) to forge videos, images, and voices for the purpose of fraudulent property appropriation or disseminating subversive information.
4. Law on Artificial Intelligence 2025:
The Law on Artificial Intelligence 2025 creates a specialized legal corridor to control the explosion of AI, particularly concerning AI’s use and generation of data.
- Risk-based management: AI systems are classified into high, medium, and low risk. High-risk AI systems must be certified/assessed for conformity prior to being put into use.
- Transparency obligations: Audio, visual, and video content generated by AI must be marked in a machine-readable format. If the content is likely to cause confusion with a real person, it is mandatory to affix an easily recognizable label.
- Accountability: AI providers must explain the operating principles, input data, and risk control measures when requested by competent authorities; however, the law protects enterprises by not compelling the disclosure of source code or trade secrets.
- Data protection in AI: Prohibiting the collection and processing of data for AI training contrary to regulations on personal data protection and intellectual property. Enterprises must explain the “black box” (principles, input data, risk management) upon request, but are protected from having to disclose source code or trade secrets.
5. Law on Digital Technology Industry 2025:
The Law on Digital Technology Industry 2025 focuses on creating a corridor for the development and application of data and technology in new business models.
- Identification of Digital Assets: Digital Assets, including virtual assets and crypto assets, are officially identified as property under the Civil Code, being legally issued, stored, and transacted in the electronic environment.
- Controlled testing mechanism (Sandbox): The Law allows organizations and enterprises to deploy the testing of new digital technology products and services in a controlled environment, accompanied by a legal liability exclusion mechanism during the testing process.
- Investment incentives: Sectors directly related to large-scale data processing, such as semiconductor chip manufacturing, AI development, and Data Center construction, are included in the group of business lines with special investment incentives.
6. Penalties for violations:
To ensure deterrence, the draft Decree on sanctioning administrative violations in the fields of cybersecurity and personal data protection stipulates unprecedented penalty levels:
- Revenue-based fines: Violations of cross-border personal data transfer regulations may be subject to fines of up to 5% of the organization’s total revenue in Vietnam for the preceding financial year.
- Violations involving large-scale data exposure or loss: Sanctions based on a percentage of revenue (up to 5%) if data exposure or loss involves over 5 million citizens.
- Penalties for data trading violations: The maximum fine for the act of illegally buying or selling personal data is up to 10 times the illicit profit gained from the violation. The maximum fine for other violations regarding personal data protection is up to 3 billion VND for organizations.
- Responsibilities of the data subjects themselves: The new legal framework also binds the obligations of the individuals themselves regarding their data assets. Data subjects who “fail to self-protect their own personal data” or “fail to fully and accurately provide their personal data” may be fined from 50,000,000 VND to 70,000,000 VND.
7. Practical recommendations for Enterprises:
- Review & Classify: Immediately classify the Data Repository to determine which are Core Data and Important Data in order to apply control procedures. Assess and classify AI systems according to risk levels.
- Standardize the rapid response procedure: Build a technical system to meet the response time for processing requests to remove posts/provide information within 3h/6h/24h (Cybersecurity), and processing the rights of data subjects (withdrawing consent, deleting data) within 02 working days.
- Update Contracts & Operational Structure: Review data sharing contracts with third parties (especially when transferring data cross-border). Appoint a DPO and establish a data protection department if falling under the mandatory category.
- Compliance Dossiers (DPIA/TIA): Prepare Data Processing Impact Assessment Dossiers and Cross-border Data Transfer Impact Assessment Dossiers, updating them periodically every 06 months or immediately upon major changes (such as M&A, changing service providers).
Conclusion: Overall, the legal framework for data in Vietnam has transformed into a strict, highly specialized system, clearly delineating between “Ordinary Data”, “Personal Data”, “Important Data”, and “Core Data”. This system not only focuses on protecting personal privacy but also places data under the lens of national security and digital sovereignty, requiring agencies, organizations, and enterprises to build a massive compliance infrastructure, strictly meeting the standards on storage, governance, sharing, and cross-border data transfer, thereby turning legal compliance into a vital competitive advantage in the market.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.
Source: https://ift.tt/PIHfO5d