Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

An Overview of Vietnam’s Law on Data (Law No. 60/2024/QH15)

Published May 8, 2025
Author

Anas Baig

Product Marketing Manager at Securiti

Listen to the content

I. Introduction

Managing digital data has become crucial to creating a robust digital economy and society in an era marked by rapid digital transformation. The National Assembly of Vietnam, recognizing the urgency of managing digital data, approved Data Law No. 60/2024/QH15 (the Data Law) on November 30, 2024, which will take effect on July 1, 2025.

With its five chapters and forty-six articles, the Data Law regulates several aspects of digital data and aligns Vietnam with international data protection standards. It imposes obligations on individuals, businesses, and government agencies. Additionally, it establishes a robust framework for the National Data Center (NDC) and the National Database, a central hub for data management, storage, and security.

This guide explores the Data Law’s scope, its key definitions, obligations, and steps to swiftly operationalize it.

II. Who Needs to Comply with the Data Law

A. Material Scope

The Data Law applies to how individuals, businesses, and government agencies generate, store, share, protect, and use digital data in Vietnam

B. Territorial Scope

The Data Law applies to local and foreign agencies, organizations, and individuals in Vietnam. It also applies to agencies, organizations, and individuals who are not located in Vietnam but are directly involved in or connected to digital data operations in Vietnam.

III. Definitions of Key Terms

A. Core Data

Important data directly impacting national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety.

A more detailed list of core data categories is present here.

B. Digital Data

Data in digital form about objects, events, and occurrences that includes one or more sounds, pictures, numbers, letters, and symbols.

C. Data Owner

A data owner is an agency, organization, or individual with the legal right to control the creation, management, protection, processing, use, and exchange of their data..

D. Data Processing

Data activities, including receiving, processing, and organizing data, to support agency, organization, and individual operations.

E. Data Subject

The agency, organization, or individual to which the data belongs.

F. Shared Data

Data obtained, exchanged, exploited, and utilized collaboratively by the Vietnam Fatherland Front Committee, political bodies and state agencies, and socio-political groups.

G. Private Data

Data that is accessed, exchanged, exploited, and used within the internal operations of sociopolitical groups, the Vietnam Fatherland Front Committee, political bodies and state institutions.

H. Open Data

Data that may be accessed, shared, exploited, and used by any agency, group, or individual in need.

I. Original Data

Data generated during an agency, organization, or individual's operations, or obtained and produced through the digitization of original documents, papers, and other types of material.

J. Important Data

Data that may impact social stability, health, public safety, macroeconomics, foreign affairs, national defense, and security.

A more detailed list of important data categories is present here.

IV. Obligations for Data Owners Under Data Law

A. Principles of Processing Requirements

Article 5 stipulates that human rights, civil rights, and other lawful rights and interests of agencies, organizations, and individuals should be respected. Organizations must comply with the Data Law, ensure publicity, transparency, and equality in data processing. They must maintain data accurately and securely, protect data from the outset, and ensure that it is easily accessible to those who need it.

Additionally, as per Article 11(3) organizations and individuals should protect the rights of data owners and are responsible for the data they collect and create..

As per Article 14(3), private data must be kept on the NDC's infrastructure with the data owner’s consent. However, if national security is threatened, there’s an emergency or disaster, or data is needed to stop and manage riots and terrorism, organizations may provide data to state agencies without the data subject’s consent.

C. Registration Requirements

Article 40 defines data intermediary products and services as those facilitating agreements between data subjects, owners, and users for data exchange, sharing, and access. Organizations offering these services must register with the relevant organizations and comply with investment laws unless operating internally.

Moreover, Article 41 requires organizations that offer products and services for analyzing and synthesizing data to register their businesses. This applies when their activities could pose a threat to public health, social order and safety, national defense, or social ethics.

D. Security Requirements

Article 30 mandates that the National Data Center’s infrastructure be equipped with security solutions to detect, prevent, and respond to intrusions, attacks, and sabotage. Additionally, the infrastructure must include scalable backup systems to support future expansion. Importantly, the National Comprehensive Database must also prioritize the security, safety, and protection of personal data.

Meanwhile, Article 12 emphasizes data quality assurance by requiring organizations to ensure that data remains accurate, complete, up-to-date, reliable, and consistent. This must be achieved by adhering to technical standards and regularly assessing data quality. In parallel, Article 16 sets out that data access and retrieval must comply with security and safety regulations, while also requiring organizations to provide tools that enable secure data access. It should also be noted that, as per Article 20, the data owner, data administrator, and organization providing electronic authentication services are responsible for the verification of data.

E. Data Classification Requirements

Article 13 specifies data classification requirements. Data must be classified into three groups according to:

  • The nature of data sharing, which refers to open data, private data, and shared data,
  • Importance of data, which refers to core data, important data, and other data, and
  • Other data, as decided by the data manager, and not falling under the first two categories.

F. Data Storage Requirements

Article 14 stipulates data storage requirements.  Data owners have the right to decide on the storage of data that is owned, created, or collected by them. Additionally, data must be stored securely.

Moreover, national databases must be stored in the NDC, while specialized and other state agency databases may be stored either in the NDC or in other compliant data center infrastructure.

G. Providing Data to State Agencies

Article 18 requires data to be provided to state agencies. Organizations and individuals are urged to comply with state authorities' demands for data during crises, security concerns, and disasters, or to prevent riots and terrorism. Moreover, state organizations must ensure the data's appropriate use, security, and secrecy, and delete it when no longer required.

H. Data Encryption Requirements

Article 22 outlines data encryption requirements. Cryptographic codes must be used to encrypt state secrets before they can be shared, stored, sent, or received across computer networks. Agencies, organizations, and individuals can employ one or more encryption solutions and processes appropriate for their data management and administration tasks.

Competent state agencies have the authority to decrypt data without the owner’s or administrator’s consent in cases of emergency, national security threats, disasters, or for riot and terrorism prevention.

I. Cross-Border Data Transfer Requirements

Article 23 specifies cross-border data transfer and processing requirements. Agencies, organizations, and individuals are free to transfer data from abroad to Vietnam and process foreign data within the country. However, they must ensure public interest, national defense, security, and the rights and legitimate interests of data owners and data subjects.

Core and important data processing and transfer across borders include several situations, such as:

  • data stored in Vietnam is moved to storage systems outside of Vietnam,
  • data stored by Vietnamese agencies, organizations, or individuals is transferred to foreign organizations or individuals, and
  • Vietnamese agencies, organizations, or individuals use platforms outside of Vietnam to process data.

J. Risk Assessments

Article 25 describes the identification and management of risks arising from data processing and the need to conduct risk assessments. These may include privacy risks, cybersecurity threats, and identity and access management risks. Owners of core data and important data must periodically conduct risk assessments for such data processing activities.

State agencies are also required to proactively identify these risks, establish early warning mechanisms, and implement necessary measures to ensure data protection. However, organizations and individuals not covered under state agency requirements must independently assess risks, implement protective measures, and address any emerging threats in a timely manner while notifying relevant parties.

K. Data Protection Requirements

Article 27 mandates data protection measures such as establishing and complying with data protection policies, managing processing activities, using security solutions to keep data secure, and providing staff with the necessary training on data privacy and security principles.

Additionally, government agencies must ensure data privacy and security, comply with national security guidelines, and establish a unified data protection system to assess data security risks, monitor, and provide early warning.

L. Service Agreement Requirement

Article 43 outlines the responsibilities of data service providers, encompassing those offering data analysis, synthesis, and services for data intermediaries and platforms. Their responsibilities include:

  • complying with service provision contracts,
  • ensuring services run smoothly,
  • protecting data, and
  • complying with the laws on network security, network information security, and electronic transactions.

M. Data Administration and Management Requirements

Under Article 15 of the Data Law, organizations must coordinate with the NDC to ensure data governance and proper data management. Data owners and administrators must create policies, strategies, programs, procedures, and standards to consistently and effectively manage data, ensuring its completeness, accuracy, integrity, consistency, standardization, security, and timeliness.

V. Data Subject Rights

Data subjects have the right to request data owners and data administrators to do the following:

A. Right to Revoke

Data subjects can request data owners and data administrators to revoke their provided data.

B. Right to Delete or Destroy

Data subjects can request data owners and data administrators to delete or destroy their provided data.

VI. Regulatory Authority

The Ministry of Public Security (MPS) is designated as the principal entity responsible for enforcing the law.

VII. How Can Organizations Operationalize the Data Law

Organizations can operationalize the Data Law by:

  • understanding the law’s scope and provisions,
  • conducting risk assessments and designating a compliance officer,
  • adopting robust data privacy and security measures,
  • establishing cross-border data transfer policies, and
  • establishing regular monitoring mechanisms.

VIII. How Securiti Can Help

Securiti enables organizations to navigate and comply with Vietnam’s Law on Data (Law No. 60/2024/QH15). Its robust modules fortify organizations against cyber threats and ensure alignment with Vietnam’s stringent data privacy laws.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

Videos

View More

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 13:38

Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines

Sanofi Thumbnail
Watch Now View
Spotlight 10:35

There’s Been a Material Shift in the Data Center of Gravity

Watch Now View
Spotlight 14:21

AI Governance Is Much More than Technology Risk Mitigation

AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3

You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge

Watch Now View
Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 27:29

Building Safe AI with Databricks and Gencore

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View

Latest

Securiti Powers Sovereign AI in the EU with NVIDIA View More

Securiti Powers Sovereign AI in the EU with NVIDIA

The EU has taken the lead globally in ensuring that the power of AI systems is harnessed for the overall wellbeing of human citizens...

The Risks of Legacy DLP: Why Cloud Security Needs DSPM View More

The Risks of Legacy DLP: Why Cloud Security Needs DSPM

82% of 2024 data breaches involved cloud data, raising concerns about the effectiveness of legacy data loss prevention (DLP) solutions in today's cloud-centric data...

Data Classification: A Core Component of DSPM View More

Data Classification: A Core Component of DSPM

Data classification is a core component of DSPM, enabling teams to categorize data based on sensitivity and allocate resources accordingly to prioritize security, governance,...

9 Key Components of a Strong Data Security Strategy View More

9 Key Components of a Strong Data Security Strategy

Securiti’s latest blog breaks down the 9 key components of a robust data security strategy and explains how it helps protect your business, ensure...

Beyond DLP: Guide to Modern Data Protection with DSPM View More

Beyond DLP: Guide to Modern Data Protection with DSPM

Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.

Mastering Cookie Consent: Global Compliance & Customer Trust View More

Mastering Cookie Consent: Global Compliance & Customer Trust

Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now View More

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now

Discover why shifting focus from AI risk to AI readiness is critical for enterprises. Learn how Data Security Posture Management (DSPM) empowers organizations to...

The European Health Data Space Regulation View More

The European Health Data Space Regulation: A Legislative Timeline and Implementation Roadmap

Download the infographic on the European Health Data Space Regulation, which features a clear timeline and roadmap highlighting key legislative milestones, implementation phases, and...

Gencore AI and Amazon Bedrock View More

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New