DPO Radio

Measure Value, Not Just Traffic Explore new features in AesirX Analytics

AesirX ComplianceOne | Vietnam Data Law

Overview Image

Why the Vietnam Data Law Matters

The Vietnam Data Law is the parent framework for broad data governance in Vietnam. It reaches beyond personal data to address digital data assets, their classification, use, sharing, and movement. Organizations need a reliable view of what data they hold, how it is governed, and which records support each decision.

The framework now has two distinct operational layers. Decree 165/2025/NĐ-CP is active and supplies the implementing procedures, timelines, risk guidance, and official forms used for current compliance work. The Draft Decree on Data Exchange Operations is a separate child instrument that is still under development and must not be treated as final law.

This distinction matters in practice. Current obligations need controlled execution and evidence today, while draft requirements need monitored preparation that can change as the text progresses. Blending the two creates unreliable compliance plans and misleading evidence.

ComplianceOne keeps the parent law, active implementing decree, and draft data-exchange instrument connected without flattening their legal status. Teams can manage current work while maintaining a separate, reviewable readiness track for the draft.

What the Vietnam Data Law Covers

Dimension

Coverage

Parent framework

Law 60/2024/QH15, covering enterprise data governance, classification, sharing, and transfer controls.

Active child instrument

Decree 165/2025/NĐ-CP, the implementing decree in force since 1 July 2025.

Draft child instrument

Draft Decree on Data Exchange Operations, covering data-exchange operators, participants, listings, transactions, and controlled testing.

Operational evidence

Data registers, classification decisions, approvals, risk reviews, transaction records, supporting documents, and audit history.

Official forms

Eleven Decree 165 Mẫu số forms for the active implementing layer; draft Mẫu ĐK01 for the data-exchange proposal.

Status handling

Active obligations are managed separately from draft readiness and regulatory-change monitoring.

The Data Law Instrument Stack

Decree 165/2025/NĐ-CP

Active Implementing Decree

Decree 165 adds the operational layer beneath the Data Law. ComplianceOne supports the decree’s procedures, timelines, risk areas, guidance, and eleven official Mẫu số forms without duplicating the parent law’s role.

  • Decree 165 Compliance

Draft Decree on Data Exchange Operations

Draft

The draft addresses the National Data Exchange relationship, other data exchanges, security and interoperability, controlled testing environments, electronic contracts, listing review, and transaction evidence. Its requirements remain subject to change.

  • Data Exchange Draft Readiness
Overview Image

How ComplianceOne Supports the Vietnam Data Law

ComplianceOne connects data discovery, mapping, and classification records so teams can maintain a governed inventory rather than a collection of disconnected spreadsheets. Review and approval records show how classifications and handling decisions were made.

For Decree 165, the platform brings current forms, procedures, deadlines, guidance, and risk records into the same controlled workspace. Teams can assign owners, prepare supporting evidence, review form content, and preserve a complete history of changes and approvals.

For the data-exchange draft, ComplianceOne maintains a separate readiness track. Organizations can assess security, interoperability, listing review, controlled testing, contracting, and transaction-evidence needs without representing draft provisions as enacted requirements.

Evidence packs and audit history provide a reviewable record of completed work. Where Data Law activity overlaps personal data protection or cybersecurity, the same underlying evidence can be linked to the relevant obligation without losing its original context.

Related Modules

Data Mapping

Maintains data inventories, system relationships, and data-flow records.

Explore Data Mapping

Data Classification

Records classification decisions, review status, and linked handling expectations.

Explore Data Classification

Data Discovery

Helps identify data assets that require governance review.

Explore Data Discovery

Program Governance

Assigns ownership, reviews, recurring work, and regulatory-change actions.

Explore Program Governance

Audit Trail

Preserves contributor, review, approval, and evidence history.

Explore Audit Trail

Compliance Forms

Supports official forms and controlled supporting documentation.

Explore Compliance Forms

Compare the Difference

Graphic Image

Without Structured Framework Operations

Graphic Image

With ComplianceOne

IconThe parent law and its implementing instruments are treated as one undifferentiated checklist.
IconParent, active, and draft instruments retain their correct status and relationship.
IconDraft data-exchange provisions are mistaken for current legal requirements.
IconCurrent Decree 165 work is separated from data-exchange draft preparation.
IconData inventories and classification decisions become stale or lose ownership.
IconData records, decisions, owners, and supporting evidence remain connected.
IconOfficial forms are prepared separately from the evidence that supports them.
IconForm preparation includes review gates and linked evidence.
IconReview history is reconstructed only when an inspection or request arrives.
IconAudit history is available as work progresses, not assembled retrospectively.

Built for PDPL Compliance Operations

ComplianceOne supports the active Decree 165 layer with its official forms and operational records while preserving the Data Law as the parent framework.

Draft data-exchange preparation remains clearly labeled and configurable, helping teams prepare for change without presenting anticipated provisions as final law.

Shared evidence and audit history help organizations manage overlaps with personal data protection, cybersecurity, and other Vietnam obligations.

Background Image

See Data Law Compliance in Action

Ready to see how ComplianceOne manages data governance obligations operationally? Request a demo tailored to your organization's needs.

Demo Image
Ronni K. Gothard Christiansen

Ronni K. Gothard Christiansen - Technical Privacy Engineer & CEO

Technical Compliance Expert, 25+ Years Open Source Advocate, X-BoD Open Source Matters Inc.

Or contact via

ronni@aesirx.io+84 909500760

People Also Ask

The Data Law is the parent framework. Decree 165 is its active implementing decree, adding procedures, timelines, guidance, risk records, and eleven official Mẫu số forms. 

  • The PDPL (Law 91/2025/QH15) focuses specifically on personal data protection – rights requests, breach notification, consent, cross-border transfers. 
  • The Data Law (Law 60/2024/QH15) is broader, covering all digital data assets including non-personal data, with obligations for inventory, classification, governance, and annual attestation. 

Organizations processing personal data in Vietnam are typically subject to both. ComplianceOne manages both frameworks from a single platform.

No. It remains a draft and its provisions may change. ComplianceOne presents it as a readiness and regulatory-change track, not as an active source of final legal obligations.

The annual attestation is managed as a recurring workflow in the Program Governance module. The platform tracks due dates on a 365-day cycle, routes attestation sections to responsible department owners, tracks completion progress, consolidates multi-department inputs, and produces the attestation report. All contributions are captured with timestamps and contributor lineage.

The Data Discovery module automates identification of data assets across connected systems. Discovered assets are routed to the Data Classification module where they are classified by sensitivity and importance. Classification assignments are reviewed by data owners, and each classification level is linked to operational handling rules (access control, retention, deletion).

The platform connects official form preparation to assigned work, supporting evidence, review, approval, and audit history. This helps teams prepare complete records without separating the form from the operational proof behind it.

ComplianceOne includes all 11 Mau so form templates defined by Decree 165/2025/ND-CP (01a through 07b), covering data inventory registers, classification records, governance documentation, and attestation reports. Templates are structured to match MIC-prescribed formats and are available in both Vietnamese and English.

 

Yes. The Data Law requires governance across all data-owning departments. ComplianceOne routes governance tasks to responsible department owners, tracks each department's contributions, and consolidates inputs into unified documentation. Contributor lineage is preserved in the audit trail, showing who contributed what and when.

 Yes. Data inventories, classification records, transfer documentation, and approvals can be linked to related personal data protection or cybersecurity work while retaining their source and review history.

 

 No. ComplianceOne structures compliance work, evidence, ownership, and review. Organizations remain responsible for legal interpretation and approval of their submissions.

 

Next Steps

Icon Image

Start a Compliance Pilot

Test data governance workflows with your team – inventory, classification, attestation, and evidence generation for MIC compliance.

Icon Image

Discuss Your Compliance Needs

Talk to our team about data governance operations, multi-framework coverage, and deployment options for your organization.