Data moves fast. The law, not always. But Vietnam is catching up, and catching up quickly.
In a region driven by digital acceleration, Vietnam has begun to close the gap between how data flows and how it is governed.
For years, foreign companies operated with minimal regulatory oversight on how they stored or transferred information.
Now that has changed!
With the passage of Vietnam Data Law No. 60/2024/QH15, a new chapter begins. For any business handling customer data, employee records, transaction logs, or cloud-based systems, Vietnam data compliance is no longer an abstract idea. It is now a concrete legal obligation.
Why now?
Because Vietnam is serious about becoming a secure, trustworthy digital economy. That means defining how data is classified, where it can be stored, who may access it, and how violations will be handled.
Vietnam data compliance also reflects a broader international movement, aligning with trends seen in Europe's General Data Protection Regulation (GDPR), the Asia-Pacific, and ASEAN’s cross-border frameworks.
The implications of Vietnam data compliance are especially sharp for foreign companies. Whether you operate a fintech app, an online platform, or just store client records in the cloud, you are in scope.
We are here to walk you through what you need to know about Vietnam data compliance. From the legal overview to the action plan, we break down Vietnam’s new data compliance rules into practical steps your business can refer to and decide whether they fit.

What Is Vietnam Data Compliance?
Vietnam data compliance refers to a company’s ability to meet all legal obligations related to the collection, storage, use, and transfer of data under Vietnamese law.
With the enactment of the 2025 Vietnam Data Law, businesses are now required to classify data, follow strict guidelines on cross-border transfers, report breaches, and implement internal compliance measures.
Unlike earlier rules that focused mostly on personal data protection, the new law on Vietnam data compliance governs both personal and non-personal data. It introduces categories like national data, sensitive data, and open data, each with different requirements.
If your business handles any data related to Vietnamese users, citizens, customers, or operations, you are responsible for ensuring that data is managed in accordance with local law.
And failure to comply can result in serious consequences, including penalties, suspension of operations, or even criminal liability in severe cases.
The Landscape: Why the Vietnam Data Compliance Law Matters Now
You have probably heard it: data is the new gold. That is why the time has come for data to be regulated.
The world is moving toward stricter digital governance, and Vietnam is no exception.
Here is why Vietnam is prioritizing data compliance now:
Digital economy growth
Vietnam is one of Asia’s fastest-growing digital markets. With e-commerce, fintech, ride-sharing, and online education booming, data volumes are exploding.
Foreign investment
The government wants to protect national interests while maintaining Vietnam’s appeal to responsible investors.
Cybersecurity threats
Rising cyberattacks have pushed the state to tighten data access and storage requirements.
Global alignment
The new law positions Vietnam in line with GDPR (Europe), Cross Border Privacy Rules (CBPR) of APEC, and ASEAN Data Management Frameworks.
Sovereignty concerns
Certain types of data, such as military, public health, or political data, are now defined as “national data” and may not be stored overseas without approval.
The message is clear: if your company operates in Vietnam’s digital space, Vietnam data compliance is part of your license to operate.
7 Rules Every Foreign Business Must Follow About Vietnam Data Compliance
Classify Your Data
All companies must classify their data into categories:
- Personal data
- Sensitive personal data
- Non-personal business data
- Critical or national data
- Open data (allowed for public reuse)
This classification helps determine which rules apply to each type of data. For instance, national data must remain in Vietnam unless special permission is granted.
If you do not know what you are storing, you cannot comply.
Start by conducting a data inventory across all systems, departments, and vendors.
Store Sensitive and National Data Onshore
The law requires certain categories of data, especially national or security-related information, to be stored physically inside Vietnam.
Cloud services hosted outside the country may violate this rule unless exempted.
If your servers or backups are in foreign countries, you may need to rethink your data architecture to meet Vietnam data compliance standards.
Register Cross-Border Transfers
Companies must declare:
- What data is being transferred
- Why it is being sent abroad
- Who receives it
- Where the servers are located
And they must receive approval from competent Vietnamese authorities.
This applies to APIs, SaaS tools, and more.
Establish a Data Governance Structure
You must assign a person or team to be responsible for data compliance. Some companies appoint a Data Compliance Officer or integrate it with their existing legal or IT department.
Internal data policies should include:
- Access control
- Data retention rules
- Breach notification procedures
- Consent records
Failure to do so could mean you are not organizationally prepared.
Respond to Government Requests
State agencies have the right to request access to certain types of data under legal conditions.
Businesses must respond:
- Within the required timeframe
- Using secured communication methods
- With audit logs of access and transfer
This also means you should have systems in place to locate and extract the right data quickly.
Report Data Breaches Promptly
Under the new law, companies must report any data leak or security breach to the appropriate authority, often within 72 hours.
Failure to report can result in heavier fines than the breach itself.
Include:
- Date and time of the incident
- Type of data exposed
- Estimated volume
- Mitigation steps taken
Align with the Personal Data Protection Law (PDPL)
Vietnam data compliance under the 2025 Data Law is just one side of the coin.
The Personal Data Protection Law (PDPL), effective January 2026, introduces deeper rules on user rights, consent, data subject access, and profiling restrictions.
Your compliance strategy should be dual-tracked: system-level rules (Data Law) and user-level rules (PDPL).
Step-by-Step Guide To Follow Vietnam Data Compliance
Step 1: Conduct a Full Data Audit
Map all data flows across the company: what is collected, where it is stored, how it is processed, and who has access.
Step 2: Classify Your Data
Use categories defined by the law to group your data. Focus first on national, personal, and sensitive personal data.
Step 3: Review Your Cloud and Server Locations
Evaluate whether current storage infrastructure meets Vietnam’s data localization rules.
Step 4: Update Your Contracts and Policies
Adjust internal and external documents to reflect data control responsibilities, especially with vendors or third parties.
Step 5: Appoint a Compliance Lead
This person will be the point of contact for inspections, enforcement, and internal reporting.
Step 6: Train Your Staff
All employees should understand basic data handling obligations, especially in HR, customer service, and IT.
Step 7: Prepare for Future PDPL Enforcement
Build systems that allow for data subject access requests, consent tracking, and opt-out mechanisms.
Frequently Asked Questions (FAQ)
Q1: Does the law apply to foreign companies without a Vietnamese office?
Yes, if you process data related to individuals or entities in Vietnam, such as online services, apps, or e-commerce, you are in scope.
Q2: What are the penalties for non-compliance?
Pending further decrees, penalties could include monetary fines, revocation of licenses, and even criminal charges for intentional violations.
Q3: How is this different from the Personal Data Protection Law (PDPL)?
Vietnam data compliance under the 2025 Data Law focuses on system-level obligations. The PDPL, effective from 2026, focuses on individual rights and consent.
Q4: Can I still use overseas cloud providers?
Yes, but only if data localization requirements are met and cross-border transfers are registered and approved.
Q5: What if my company does not store any sensitive or personal data?
You still need to classify and declare data types. Even machine logs or financial transactions may fall under national interest categories.
Compliance may feel like a burden at first, but it is quickly becoming the currency of trust in the digital economy. By taking proactive steps now, foreign companies can stay ahead of risk and regulators while building stronger relationships with clients and partners in Vietnam.
Vietnam data compliance is not just about avoiding penalties. It is about future-proofing your operations in one of Asia’s most promising markets. If you get ready before your competitors, you will get ahead, while they may struggle with fines, bans, and lost momentum in the race.
About ANT Lawyers, a Law Firm in Vietnam
We help clients overcome cultural barriers and achieve their strategic and financial outcomes, while ensuring the best interest rate protection, risk mitigation and regulatory compliance. ANT Lawyers has lawyers in Ho Chi Minh City, Hanoi, and Danang, and helps clients do business in Vietnam.