Written by Partner Hung Q. Nguyen and Senior Associate Minh Ha Nguyen
Vietnam recently introduced the new Law on Data No. 60/2024/QH15 dated 30 November 2024 (“Law on Data”), which came into force on 1 July 2025 in order to improve the legal framework for data and data management. Together with the new Law on Personal Data Protection No. 91/2025/QH15 (effective from 1 January 2026) (“LPDP”), these laws emphasize Vietnam’s commitment to safeguarding data as a strategic national asset in the digital era, with a particular focus on robust protection, effective utilization, and secure management of data. Below we outline the key requirements applicable to businesses in the banking and finance sectors.
1. Compliance obligations for cross-border processing and transfer of data
In general, the Law on Data governs general data-related activities, while the LPDP focuses specifically on the protection of personal data. Together, they create a structured legal framework of data protection.
Data Processing Impact Assessments (“DPIAs”) and Outbound Transfer Impact Assessments (“OTIAs”) under the LPDP
Under the LPDP, DPIAs and OTIAs are mandatory. Data controllers, or data controllers and processors, must prepare and retain DPIA reports within 60 days of commencing any personal data processing, while entities transferring personal data abroad must submit OTIA reports within 60 days of the first transfer. Both assessment reports must be updated every six months or immediately upon significant operational changes as specified in the LPDP. The LPDP also provides some limited exemptions to the OTIA requirement, including data transfers by competent state agencies, use of cloud services for storage of employee data, and self-transfers by data subjects. Of note, where an agency, organization, or individual conducts a DPIA or an OTIA for the personal data it processes as required by the LPDP, it is not required to conduct a data processing risk assessment or an OTIA with respect to that personal data as stipulated by the Law on Data.
Requirements related to DPIAs and OTIAs under the LPDP are quite similar to those stipulated in Decree No. 13/2023/ND-CP on personal data protection dated 17 April 2023 (“Decree 13/2023”), which took effect on 1 July 2023. We understand that most credit institutions and foreign bank branches have prepared and submitted the DPIA and the OTIA (if they transferred data offshore) to the Department of Cybersecurity and Hi-tech Crime Prevention under the Ministry of Public Security in accordance with Decree 13/2023. The LPDP provides that DPIAs and OTIAs submitted in accordance with Decree 13/2023 before the effective date of the LPDP will remain valid; thus, credit institutions and foreign bank branches which have already submitted DPIAs and OTIAs shall not be required to prepare and submit further DPIAs and OTIAs under the LPDP.
Outbound Transfer Impact Assessments under the Law on Data
Pursuant to the Law on Data, cross-border processing and transfer of “critical data” (“dữ liệu quan trọng” in Vietnamese) (i.e. data which potentially affects national defense and security, foreign affairs, macroeconomic conditions, social stability, and community health and safety) or “core data” (“dữ liệu cốt lõi” in Vietnamese) (i.e. data that directly affects those areas) is subject to an outbound transfer impact assessment requirement. The list of critical and core data is specified by the Prime Minister under Decision No. 20/2025/QD-TTg dated 1 July 2025 (“Decision 20/2025/QD-TTg”). Data in the banking and finance sectors is classified as critical data and core data as follows:
- Core data: Data on bank accounts, payment histories, and debt obligations of 100,000 or more Vietnamese enterprises or organizations.
- Critical data: Data on bank accounts, payment histories, and debt obligations of 10,000 or more Vietnamese enterprises or organizations.
The Law on Data provides stricter requirements for cross-border processing and transfer of critical data or core data. While under the LPDP the submission of assessment reports (i.e. DPIA reports or OTIA reports) is merely procedural and can be done within 60 days after the first cross-border transfer of data, under the Law on Data the transferor must submit the OTIA before carrying out a cross-border transfer of critical data or core data. In particular:
- With respect to core data: The transferor must submit the assessment report to the Ministry of Public Security or the Ministry of National Defense (depending on the applicable case) and may only proceed with the cross-border transfer after receiving an approval from the competent authority.
- With respect to critical data: The transferor must submit the assessment report to the Ministry of Public Security or the Ministry of National Defense (depending on the applicable case) 15 days before processing the data. However, a prior approval from the competent authority is not required for transferring critical data.
Credit institutions and foreign bank branches must act swiftly to ensure compliance with the Law on Data which came into force on 1 July 2025 and the upcoming LPDP which will come into force on 1 January 2026 by:
- Reviewing and assessing DPIAs and OTIAs which were submitted in accordance with Decree 13/2023.
- Reviewing if the data is classified as “critical data” or “core data” and managing data accordingly.
- Reviewing if it has any cross-border transfer of “critical data” or “core data”, and if an OTIA under the Law on Data is required.
2. Data owner’s rights with respect to data are considered property rights
The Law on Data introduces for the first time the concept of data owner which is defined as an “agency, organization or individual who has the right to decide on the creation, development, protection, administration, processing, use, and exchange of the value of data under its ownership”.
The data owners who are not state agencies are responsible for:
- classifying data based on its level of importance, including core data, critical data, and other data;
- storage of data, including specifying data storage period and data storage methods in accordance with the relevant regulations;
- accessing and retrieving data in accordance with the regulations and technical procedures on data access and retrieval;
- identification and management of risks arising during data processing: self-assessing, identifying risks, and implementing measures to protect data; promptly addressing any risks that arise and notifying data subjects and relevant agencies, organizations, or individuals;
- data protection: data owners must implement protection measures throughout the entire data processing, including: (i) developing and implementing data protection policies and regulations; (ii) managing data processing activities; (iii) developing and implementing technical solutions; (iv) training, developing, and managing human resources; and (v) other data protection measures in accordance with the law.
The Law on Data also recognizes that a data owner’s rights with respect to the data are property rights. That means a data owner is entitled to dispose of its data rights, including by creating security over those rights. In other words, banks and foreign bank branches may consider taking security over a data owner’s rights. However, until data platforms are operated in practice, the enforcement of security over data owner’s rights as secured assets may be questionable.