1. New guiding regulations on data and data-related services
Vietnam has been rapidly developing its legal framework around data protection and data-related services, with several key pieces of legislation recently enacted. Below is a breakdown of the important points in the following recently issued regulations, which all took effect on 1 July 2025:
- Decree 165/2025/ND-CP of the Government guiding the Law on Data 2024 (Decree 165);
- Decision 20/2025/QD-TTg of the Prime Minister on the list of core data and important data (Decision 20);
- Decree 169/2025/ND-CP of the Government on science, technology, innovation activities, data-related products and services (Decree 169). This Decree does not guide the implementation of the Law on Science, Technology and Innovation 2025 but has been issued based on the Law on Data 2024 and the proposal of the Minister of Public Security, focusing on data-related services and products; and
- Decree 102/2025/ND-CP of the Government on management of health data (Decree 102).
2. Notable requirements on core data and important data
Determination of core data and important data
Decree 165 provides the qualitative criteria to determine core data and important data, while Decision 20 provides a detailed list of these data types and sets certain quantitative thresholds. Notably, the following types of data on organizations or Vietnamese citizens which have not been disclosed shall be regarded as important data and core data, subject to the quantitative thresholds:
Data type | Important data – classification threshold* | Core data – classification threshold* |
---|---|---|
Undisclosed basic citizen data of/on | from 100,000 Vietnamese citizens to 999,999 Vietnamese citizens | 1,000,000 Vietnamese citizens or more |
Undisclosed sensitive citizen data of/on | from 10,000 Vietnamese citizens to 99,999 Vietnamese citizens | 100,000 Vietnamese citizens or more |
Undisclosed data on bank accounts, payment history, debt obligations of/on | from 10,000 Vietnamese organizations, enterprises to 99,999 Vietnamese organizations, enterprises | 100,000 Vietnamese organizations, enterprises or more |
* The calculation for classification is based on the accumulated volume of data which have been processed and transferred overseas from 1 July 2025 until the date of transfer.
The previous drafts of Decision 20 used the term “personal data” of Vietnamese citizens; however, the issued version of Decision 20 adopts the term “citizen data”, which is not clearly defined. Under other relevant regulations, the following data could be regarded as citizen data of a Vietnamese citizen:
- Personal data of such Vietnamese citizen: e.g., name, ID number, birthday, gender, birthplace, nationality, blood type, residence address, mobile phone number, e-mail address;
- Information of the family members of such Vietnamese citizen: parents, spouse, children; and
- Residence dossier, household data.
Officials of the Ministry of Public Security have verbally confirmed this interpretation and further clarified that “sensitive citizen data” refers specifically to the sensitive personal data of citizens, as defined under the applicable personal data protection regulations.
Companies are required to review and classify their data to determine whether it falls within the categories of “core data” or “important data.” This classification is essential, as the Law on Data 2024 and Decree 165 impose specific obligations on the owners and administrators of core data and important data.
We anticipate that the sectors most likely to be affected include banking and finance, telecommunications, healthcare, education, transportation, technology, fintech, e-commerce, and any other businesses that process personal data on a large scale.
Cross-border transfer of core data or important data
- Impact Assessment Requirement: A data owner or data administrator is required to conduct a data transfer impact assessment and submit it to the authorities before transferring core or important data overseas. The assessment only needs to be updated in case of certain significant changes, for example, to the purpose, method, or scope of the data transfer, or to the security environment of the recipient country.
No grace period for compliance is granted. In the case of transferring citizen data, it is not clear whether the data transferor is required to obtain an approval before transferring data if the combined volume of transferred and to-be-transferred data will reach the threshold of core data.
- Written Approval before transferring core data overseas
The transferor of core data is required to obtain a written notification of the assessment result from the competent authority, namely the Ministry of Public Security or the Ministry of National Defense. This notification must constitute an approval or a positive assessment, and it must be secured prior to transferring any core data overseas. This requirement is notably more stringent than the impact assessment obligations for cross-border transfers of personal data under both Decree 13/2023 on personal data protection and the new Personal Data Protection Law 2025 (PDPL 2025), where a written approval is not required (or not required yet, since the draft decree on assessment procedures guiding PDPL 2025 is expected to be issued by 1st January 2026). In some cases, compliance with this requirement may be practically impossible without suspending business operations entirely.
Under the PDPL 2025, organizations that conduct an impact assessment for cross-border transfers of personal data in accordance with the PDPL 2025 are not required to conduct a separate impact assessment under the general data laws. However, Decree 165 appears to introduce an ambiguous and potentially conflicting requirement by mandating that data transferors conduct an impact assessment for cross-border transfers of personal data classified as core or important data, in accordance with Decree 165. This inconsistency creates uncertainty regarding the applicable compliance obligations for organizations handling such data.
- Notification on transferring important data overseas
The transferor of important data is only required to file the data transfer impact assessment dossier with the competent authority 15 days before transferring the important data, without being subject to the competent authority’s approval.
- Exemption cases
Some transfers are exempt from these requirements, including (i) the transfer of data to manage human resources in line with labor rules, regulations and the collective labor agreement, (ii) transfers in emergency cases to protect the life, health or asset safety of individuals, or to implement obligations or duties as regulated by law, and (iii) transfers necessary for signing or implementing contracts relating to cross-border transportation, money transfer, payment, bank account opening and a few other services and activities.
Compliance Checklist for data owners and data administrators
To ensure robust compliance with data protection regulations, data owners and data administrators should proactively develop their own comprehensive compliance checklist. This checklist will serve as a practical tool to guide ongoing compliance efforts and to prepare for potential audits or inspections by regulatory authorities. The following key actions should be included in such a checklist:
- Data Classification: Systematically review and classify all data to determine whether it qualifies as "core data" or "important data" under applicable regulations.
- Data Protection Management System: Establish and maintain a comprehensive system to manage data protection across the entire data processing lifecycle, from collection to deletion.
- Data Verification Processes: Implement procedures to verify and confirm the accuracy and authenticity of data on a regular basis.
- Data Deletion and Destruction: Develop and adhere to clear procedures for the timely deletion and destruction of data, ensuring compliance with statutory requirements (such as completing deletion within 72 hours of a valid request from data subjects).
- Risk Assessment: Conduct regular assessments of risks related to privacy, cybersecurity, access control, and data quality. For core and important data, ensure that annual risk assessments are performed and that detailed reports are maintained for review by authorities.
- Preventive and Corrective Measures: Put in place preventive and corrective measures, including regular data backups, periodic system maintenance, and comprehensive incident response plans.
- Activity Logging: For core and important data, maintain detailed logs of all processing activities throughout the data lifecycle, and retain these logs for a minimum of six months.
- Designation of Responsible Personnel: Assign a responsible individual and establish a dedicated team to oversee data protection for core and important data.
- Staff Training and Confidentiality: Ensure that all relevant staff members receive appropriate training on data protection requirements and sign confidentiality agreements.
3. Management of medical data
Decree 102 introduces comprehensive requirements for the management, processing, and protection of digital medical data in Vietnam, with a strong emphasis on consent, data subject rights, and the responsibilities of both domestic and foreign entities.
- Digital Medical Data: Decree 102 defines digital medical data as digital data reflecting various aspects of the medical sector, including information on medical examinations, treatments, health insurance, medical devices, population, medicines, and cosmetics.
- Extraterritorial Application: The Decree applies broadly to any entities, both onshore and offshore, that are directly involved in or related to digital medical data activities in Vietnam.
- Strict Consent Standard: Decree 102 requires consent to be obtained before accessing private life secrets, personal secrets, and health status included in personal medical data. Consent must be obtained from the data subject in line with the laws on personal data protection. Decree 102 does not regulate in detail the scope of “accessing personal medical data”, and thus access should include reading, watching, listening, reproduction and photocopying of personal medical data in line with Vietnam’s Law on Access to Information.
While it is not entirely clear, other processing activities involving personal medical data could be carried out based on consent given by the data subject as a lawful ground in line with the laws on personal data protection.
4. Data-related services
Decree 169 sets out licensing, operational, and security requirements, as well as responsibilities, for three categories of data-related services regulated under the Law on Data 2024. These categories include intermediary data products and services, data analysis and synthesis products and services, and data platform services. The key provisions are as follows:
- Data intermediary products and services: Suppliers are required to comply with several requirements when supplying intermediary products and services.
Data intermediary services are provided to serve the data intermediary activities of connecting, transmitting, accessing and processing electronic data between data subjects, data owners and users of data products and services, ensuring safety, efficiency and correct format.
These intermediary data products and services exclude cloud services, data center services, internal intermediary services, and those already regulated elsewhere.
- Data analysis and synthesis services: These services are divided into different levels of data analysis and synthesis. Notably, a data analysis service using core data or important data is subject to licensing requirements in Vietnam unless it is used for internal purposes or is otherwise regulated under other laws of Vietnam.
- Data platform service: Under the Law on Data 2024, this service can only be offered by public institutions or State-owned enterprises that meet service conditions and possess establishment. Decree 169 clarifies the activities and services that could be conducted via the data platform, as well as types of data not allowed to be traded on the data platform.