Vietnam: Government Decree No. 165/2025/ND-CP detailing a number of articles and measures to implement the Data Law (No. 60/2024/QH15), including regulatory approval requirements entered into force

On 1 July 2025, the Vietnamese government Decree No. 165/2025/ND-CP, which provides detailed regulations and measures for implementing the Data Law (No. 60/2024/QH15), entered into force. The Decree establishes regulatory approval requirements for cross-border data transfer and processing of core and important data. Entities must conduct a risk assessment and submit a comprehensive dossier, including a cross-border data transfer impact assessment report (Form No. 02), contractual agreements, legal status documentation, and details of data protection measures, to either the Ministry of Public Security or the Ministry of National Defence, depending on whether the data pertains to general security or military/defence matters. For core data, prior approval is mandatory, with authorities reviewing the dossier within 10–15 days to assess risks to national defence, security, foreign relations, macroeconomic stability, social order, public health, or community safety. Important data transfers require advance notification 15 days before processing, along with the same documentation, though prior approval is not required. Exemptions apply for emergencies involving life, health, or asset protection, cross-border personnel management under labour laws, or contractual necessities such as logistics, payments, or visa services, provided a post-transfer report is submitted within 15 days. The Decree enforces technical safeguards, including data encryption, access controls, authentication protocols, and logging of encryption/decryption activities, while mandating compliance with Vietnamese technical standards and periodic risk evaluations. Non-compliance may result in suspension of data transfers, particularly if activities threaten national security or violate data protection laws.