Vietnam: Government Decree No. 165/2025/ND-CP detailing a number of articles and measures to implement the Data Law (No. 60/2024/QH15), including data transfer regulation entered into force

On 1 July 2025, the Vietnamese government Decree No. 165/2025/ND-CP, which provides detailed regulations and measures for implementing the Data Law (No. 60/2024/QH15), entered into force. This Decree includes provisions governing cross-border data transfer and processing, including the classification of "core data" (directly impacting national defence, security, foreign relations, macroeconomics, social stability, or public health) and "important data" (posing significant risks if misused). Entities transferring such data must conduct a comprehensive impact assessment evaluating legality, necessity, scope, transmission methods, recipient security measures, and potential risks to national security, economic stability, or individual rights, submitting reports to the Ministry of Public Security (for general data) or the Ministry of National Defence (for military/defence-related data) for approval, with assessments valid for the entity’s operational duration unless updated due to changes in data scope, recipient policies, or storage conditions. Technical safeguards include mandatory encryption (for transmission, storage, and devices), access controls, audit logging, and secure destruction protocols, with data deletion required within 72 hours of request unless legally exempt. Cross-border transfers for emergencies, international contracts, or personnel management are permitted without pre-approval but require retrospective reporting within 15 days. The Decree mandates data localisation for core data, requiring domestic storage unless an exception is granted, and imposes record-keeping obligations (minimum six-month logs for core/important data). Non-compliance triggers enforcement by the Ministry of Public Security, including suspension of data transfers or penalties under Vietnamese law. These requirements apply to domestic and foreign entities handling Vietnamese data, with specific exemptions for diplomatic or international treaty obligations.