I. Introduction
Managing digital data has become crucial to creating a robust digital economy and society in an era marked by rapid digital transformation. The National Assembly of Vietnam, recognizing the urgency of managing digital data, approved Data Law No. 60/2024/QH15 (the Data Law) on November 30, 2024, which will take effect on July 1, 2025.
With its five chapters and forty-six articles, the Data Law regulates several aspects of digital data and aligns Vietnam with international data protection standards. It imposes obligations on individuals, businesses, and government agencies. Additionally, it establishes a robust framework for the National Data Center (NDC) and the National Database, a central hub for data management, storage, and security.
This guide explores the Data Law’s scope, its key definitions, obligations, and steps to swiftly operationalize it.
II. Who Needs to Comply with the Data Law
A. Material Scope
The Data Law applies to how individuals, businesses, and government agencies generate, store, share, protect, and use digital data in Vietnam
B. Territorial Scope
The Data Law applies to local and foreign agencies, organizations, and individuals in Vietnam. It also applies to agencies, organizations, and individuals who are not located in Vietnam but are directly involved in or connected to digital data operations in Vietnam.
III. Definitions of Key Terms
A. Core Data
Important data directly impacting national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety.
A more detailed list of core data categories is present here.
B. Digital Data
Data in digital form about objects, events, and occurrences that includes one or more sounds, pictures, numbers, letters, and symbols.
C. Data Owner
A data owner is an agency, organization, or individual with the legal right to control the creation, management, protection, processing, use, and exchange of their data..
D. Data Processing
Data activities, including receiving, processing, and organizing data, to support agency, organization, and individual operations.
E. Data Subject
The agency, organization, or individual to which the data belongs.
F. Shared Data
Data obtained, exchanged, exploited, and utilized collaboratively by the Vietnam Fatherland Front Committee, political bodies and state agencies, and socio-political groups.
G. Private Data
Data that is accessed, exchanged, exploited, and used within the internal operations of sociopolitical groups, the Vietnam Fatherland Front Committee, political bodies and state institutions.
H. Open Data
Data that may be accessed, shared, exploited, and used by any agency, group, or individual in need.
I. Original Data
Data generated during an agency, organization, or individual's operations, or obtained and produced through the digitization of original documents, papers, and other types of material.
J. Important Data
Data that may impact social stability, health, public safety, macroeconomics, foreign affairs, national defense, and security.
A more detailed list of important data categories is present here.
IV. Obligations for Data Owners Under Data Law
A. Principles of Processing Requirements
Article 5 stipulates that human rights, civil rights, and other lawful rights and interests of agencies, organizations, and individuals should be respected. Organizations must comply with the Data Law, ensure publicity, transparency, and equality in data processing. They must maintain data accurately and securely, protect data from the outset, and ensure that it is easily accessible to those who need it.
Additionally, as per Article 11(3) organizations and individuals should protect the rights of data owners and are responsible for the data they collect and create..
B. Consent Requirements
As per Article 14(3), private data must be kept on the NDC's infrastructure with the data owner’s consent. However, if national security is threatened, there’s an emergency or disaster, or data is needed to stop and manage riots and terrorism, organizations may provide data to state agencies without the data subject’s consent.
C. Registration Requirements
Article 40 defines data intermediary products and services as those facilitating agreements between data subjects, owners, and users for data exchange, sharing, and access. Organizations offering these services must register with the relevant organizations and comply with investment laws unless operating internally.
Moreover, Article 41 requires organizations that offer products and services for analyzing and synthesizing data to register their businesses. This applies when their activities could pose a threat to public health, social order and safety, national defense, or social ethics.
D. Security Requirements
Article 30 mandates that the National Data Center’s infrastructure be equipped with security solutions to detect, prevent, and respond to intrusions, attacks, and sabotage. Additionally, the infrastructure must include scalable backup systems to support future expansion. Importantly, the National Comprehensive Database must also prioritize the security, safety, and protection of personal data.
Meanwhile, Article 12 emphasizes data quality assurance by requiring organizations to ensure that data remains accurate, complete, up-to-date, reliable, and consistent. This must be achieved by adhering to technical standards and regularly assessing data quality. In parallel, Article 16 sets out that data access and retrieval must comply with security and safety regulations, while also requiring organizations to provide tools that enable secure data access. It should also be noted that, as per Article 20, the data owner, data administrator, and organization providing electronic authentication services are responsible for the verification of data.
E. Data Classification Requirements
Article 13 specifies data classification requirements. Data must be classified into three groups according to:
- The nature of data sharing, which refers to open data, private data, and shared data,
- Importance of data, which refers to core data, important data, and other data, and
- Other data, as decided by the data manager, and not falling under the first two categories.
F. Data Storage Requirements
Article 14 stipulates data storage requirements. Data owners have the right to decide on the storage of data that is owned, created, or collected by them. Additionally, data must be stored securely.
Moreover, national databases must be stored in the NDC, while specialized and other state agency databases may be stored either in the NDC or in other compliant data center infrastructure.
G. Providing Data to State Agencies
Article 18 requires data to be provided to state agencies. Organizations and individuals are urged to comply with state authorities' demands for data during crises, security concerns, and disasters, or to prevent riots and terrorism. Moreover, state organizations must ensure the data's appropriate use, security, and secrecy, and delete it when no longer required.
H. Data Encryption Requirements
Article 22 outlines data encryption requirements. Cryptographic codes must be used to encrypt state secrets before they can be shared, stored, sent, or received across computer networks. Agencies, organizations, and individuals can employ one or more encryption solutions and processes appropriate for their data management and administration tasks.
Competent state agencies have the authority to decrypt data without the owner’s or administrator’s consent in cases of emergency, national security threats, disasters, or for riot and terrorism prevention.
I. Cross-Border Data Transfer Requirements
Article 23 specifies cross-border data transfer and processing requirements. Agencies, organizations, and individuals are free to transfer data from abroad to Vietnam and process foreign data within the country. However, they must ensure public interest, national defense, security, and the rights and legitimate interests of data owners and data subjects.
Core and important data processing and transfer across borders include several situations, such as:
- data stored in Vietnam is moved to storage systems outside of Vietnam,
- data stored by Vietnamese agencies, organizations, or individuals is transferred to foreign organizations or individuals, and
- Vietnamese agencies, organizations, or individuals use platforms outside of Vietnam to process data.
J. Risk Assessments
Article 25 describes the identification and management of risks arising from data processing and the need to conduct risk assessments. These may include privacy risks, cybersecurity threats, and identity and access management risks. Owners of core data and important data must periodically conduct risk assessments for such data processing activities.
State agencies are also required to proactively identify these risks, establish early warning mechanisms, and implement necessary measures to ensure data protection. However, organizations and individuals not covered under state agency requirements must independently assess risks, implement protective measures, and address any emerging threats in a timely manner while notifying relevant parties.
K. Data Protection Requirements
Article 27 mandates data protection measures such as establishing and complying with data protection policies, managing processing activities, using security solutions to keep data secure, and providing staff with the necessary training on data privacy and security principles.
Additionally, government agencies must ensure data privacy and security, comply with national security guidelines, and establish a unified data protection system to assess data security risks, monitor, and provide early warning.
L. Service Agreement Requirement
Article 43 outlines the responsibilities of data service providers, encompassing those offering data analysis, synthesis, and services for data intermediaries and platforms. Their responsibilities include:
- complying with service provision contracts,
- ensuring services run smoothly,
- protecting data, and
- complying with the laws on network security, network information security, and electronic transactions.
M. Data Administration and Management Requirements
Under Article 15 of the Data Law, organizations must coordinate with the NDC to ensure data governance and proper data management. Data owners and administrators must create policies, strategies, programs, procedures, and standards to consistently and effectively manage data, ensuring its completeness, accuracy, integrity, consistency, standardization, security, and timeliness.
V. Data Subject Rights
Data subjects have the right to request data owners and data administrators to do the following:
A. Right to Revoke
Data subjects can request data owners and data administrators to revoke their provided data.
B. Right to Delete or Destroy
Data subjects can request data owners and data administrators to delete or destroy their provided data.
VI. Regulatory Authority
The Ministry of Public Security (MPS) is designated as the principal entity responsible for enforcing the law.
VII. How Can Organizations Operationalize the Data Law
Organizations can operationalize the Data Law by:
- understanding the law’s scope and provisions,
- conducting risk assessments and designating a compliance officer,
- adopting robust data privacy and security measures,
- establishing cross-border data transfer policies, and
- establishing regular monitoring mechanisms.
VIII. How Securiti Can Help
Securiti enables organizations to navigate and comply with Vietnam’s Law on Data (Law No. 60/2024/QH15). Its robust modules fortify organizations against cyber threats and ensure alignment with Vietnam’s stringent data privacy laws.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Request a demo to learn more.
