Draft Implementation Guidelines for the Law on Data

19/03/2025 17:00

On 30 November 2024, the National Assembly of Vietnam officially enacted Law No. 60/2024/QH15, entitled the Law on Data (the Law on Data), which will come into force on 1 July 2025. Following the issuance of the Law on Data, in January 2025, the Government released key draft instruments to ensure the effective implementation of the Law on Data, including the Draft Decree guiding the implementation of the Law on Data (Draft Decree) and the Draft Decision on important and core data classification (Draft Decision). We highlight the key provisions introduced by the Draft Decree and the Draft Decision in our Legal Update.

1. Issuing the list of important and core data 

The Draft Decree outlines specific criteria for identifying important and core data. In general, important data refers to data that could have a potential impact on national defence, security, foreign affairs, macroeconomic stability, social order, public health, and community safety. Meanwhile, core data refers to data that directly affects these areas. 

For further details, the Draft Decision provides the list of important and core data. In general, the majority of important and core data relates to State activities. However, certain private sector areas might also be included, specifically:

1.1 Important Data:

  1. Data on health records and biometrics of Vietnamese citizens (from 10,000 people or more);
  2. Confidential banking data, account information of important businesses and organisations, loan data, and transaction data involving information of 1,000,000 individuals or more;
  3. Data related to insurance contracts, amounts, claims records, and compensation for 10,000 customers or more;
  4. Data that can be used for social mobilisation, such as internet behaviour data of over 100,000 users; or
  5. Basic personal data of 1,000,000 or more individuals, and sensitive personal data of 10,000 or more individuals.

1.2 Core data: Data on cross-border banking transactions (50,000 transactions or more).

 

2. Clarifying cross-border data transfer and processing requirements

The Draft Decree clarifies the requirements for transferring and processing important and core data across borders, including:

2.1 With respect to important data: At least five (5) days before transferring or processing important data across borders, data administrators must prepare and submit a cross-border data transfer and processing impact assessment report (Cross-Border Data Transfer and Processing Impact Assessment Dossiers) along with a notification to the Ministry of National Defence (for data in military, defence, or cryptographic fields) or the Ministry of Public Security (for data in other fields) (collectively referred to as the Data Regulators). Data administrators may proceed with the data transfer and processing abroad if no negative assessment is received within five (5) days.

2.2 With respect to core data: Similar to important data, data administrators must prepare and submit the Cross-Border Data Transfer and Processing Impact Assessment Dossiers to the Data Regulators. The Data Regulator shall complete the impact assessment within ten (10) working days from the date of receiving a complete and valid dossier. Unlike important data, the data administrators may only proceed with the data transfer and processing abroad upon receiving a positive assessment from the Data Regulator.

In addition to the above requirements, data administrators must conduct an annual (for important data) or bi-annual (for core data) self-assessment of risks associated with the transfer and processing, and submit such reports to the Ministry of Public Security.

 

3. Specifying the procedures for data provision to State authorities

The Draft Decree specifies the procedures for State authorities to request data from organisations and individuals. Accordingly, data requests must generally be made in writing. However, in special cases where written requests are not possible, the authorised person may issue a verbal request to carry out the assigned task, but it must be accompanied by a confirmation document. 

The data request must specify the type of data, the level of detail of the data, the volume of data, the frequency of data access, and the method of data provision. The data request must also respect the legitimate purposes of the data administrator and data owner, as well as protect business secrets and personal privacy.

A data request may be cancelled under the following circumstances:

  1. If it violates the Law on Data or any other applicable laws;
  2. If the conditions for data provision are no longer met; or
  3. If the requested data no longer exists due to objective reasons.

Additionally, the Draft Decree grants data owners, legal representatives, or those legally managing and using the data the right to request amendments or the withdrawal of the data request from the relevant State authority, provided that such requests are made before the specified deadline for data provision.

 

4. Introducing the requirements when providing and delegating the processing of important and core data locally

The Draft Decree requires data administrators to assess risks before providing or delegating the processing of important and core data to other local organisations and individuals, unless it is necessary for the performance of duties or obligations prescribed by law. The risk assessment shall focus on, among other things, legality and necessity, the potential risk, and technical and management measures. Data administrators are required to enter into agreements with data recipients regarding purposes, methods, scope, and security obligations. Data administrators shall monitor the performance of the data recipient's obligations. Data processing records must be retained for a minimum of three (3) years.

 



This material provides only a summary of the subject matter covered, without the assumption of a duty of care by Frasers Law Company.
The summary is not intended to be nor should be relied on as a substitute for legal or other professional advice.

© Copyright in this article is owned by Frasers Law Company