AesirX ComplianceOne | Vietnam Data Law

Why the Vietnam Data Law Matters

The Vietnam Data Law (Law 60/2024/QH15) is Vietnam's umbrella data governance framework, administered by the Ministry of Information and Communications (MIC). Effective since 2025-07-01, it establishes obligations for data inventory, classification, handling rules, sharing governance, cross-border transfer controls, and ongoing governance attestation. While the PDPL focuses specifically on personal data protection, the Data Law covers all digital data assets – including non-personal data – making it the broadest data governance instrument in Vietnam's regulatory landscape.

For organizations operating in Vietnam, the Data Law requires a structured approach to knowing what data they hold, how it is classified, who can access it, and under what conditions it can be shared or transferred. Organizations must maintain a digital data inventory with assets classified by sensitivity and importance, define handling rules for each classification level (access control, retention, deletion), and log all data sharing and disclosure events with approvals and legal basis documented.

The annual governance attestation (DG-6) is a distinctive obligation. Organizations must complete an annual attestation confirming their governance structure, policy status, and compliance posture. This is not a one-time filing – it recurs annually, requiring organizations to demonstrate ongoing governance maturity rather than point-in-time compliance. Regular data risk assessments (DG-7) covering inventory, classification, and sharing risks further reinforce the continuous governance model.

The Data Law's obligations are operationalized through Decree 165/2025/ND-CP, which defines 11 official Mau so form templates (01a through 07b). These forms structure the documentation required for data governance compliance, including inventory registers, classification records, and governance attestation reports. Organizations must produce these documents in the prescribed format when requested by MIC or during regulatory inspections.

What the Vietnam Data Law Covers

| Dimension | Coverage |
| --- | --- |
| Scope | All organizations that collect, store, process, or manage digital data assets (personal and non-personal) in Vietnam |
| Affected organizations | Domestic enterprises, government agencies, foreign entities processing data within Vietnam's jurisdiction, data service providers |
| Key obligations | Data inventory and classification maintenance (DG-1), handling rules per classification level (DG-2), data sharing and disclosure logging (DG-3), cross-border data transfer governance (DG-4), governance artifact maintenance (DG-5), annual governance attestation (DG-6), regular data risk assessment (DG-7) |
| Evidence requirements | Data inventory registers, classification records with handling rules, sharing/disclosure logs with legal basis, governance policies and role documentation, annual attestation records, risk assessment reports, audit trails for governance actions |
| Filing/submission | Documentation per Decree 165 Mau so forms (11 templates: 01a through 07b), annual attestation reports to MIC |
| Deadlines | Annual governance attestation (365-day cycle), ongoing compliance with inventory, classification, and sharing obligations |

How ComplianceOne Supports the Vietnam Data Law

ComplianceOne provides integrated tooling for the Data Law's core governance obligations through three specialized modules. The Data Discovery module automates the identification of data assets across connected systems, producing an inventory that feeds into the Data Classification module where assets are classified by sensitivity and importance. Classification levels are linked to handling rules – access controls, retention periods, and deletion policies – satisfying the DG-1 and DG-2 requirements. The Data Mapping module maintains the structured inventory of processing activities, systems, and data flows, providing the foundation for governance documentation.

The annual governance attestation (DG-6) is managed through the Program Governance module as a recurring workflow. The platform tracks attestation due dates, routes attestation sections to responsible department owners for completion, consolidates multi-department inputs, and produces the attestation report in the required format. The attestation workflow captures who attested what and when, creating audit-grade evidence of governance status across the organization. Regular risk assessments (DG-7) are similarly managed as structured assessment workflows with findings, recommendations, and remediation tracking.

Data sharing and disclosure governance (DG-3, DG-4) is supported through logging and approval workflows. Every sharing event is captured with the recipient, scope, legal basis, and internal approval chain. Cross-border data transfers are documented with safeguards, recipient commitments, and impact assessments. The Compliance Forms module includes the 11 Decree 165 Mau so form templates (01a through 07b) for producing governance documentation in the format prescribed by MIC.

All governance actions produce audit events with contributor lineage, and evidence packs can be generated at any time for internal review, auditor inspection, or MIC request. The platform's multi-framework support means organizations subject to both the Data Law and the PDPL manage their data governance and data protection obligations from a single platform with consistent evidence production.

Related Modules

Data Mapping

Maintains data inventory, processing activity records, system inventory, and data flow documentation.

Data Classification

Classifies data assets by sensitivity and importance with linked handling rules per classification level.

Data Discovery

Automates identification of data assets across connected systems for inventory completeness.

Program Governance

Manages governance frameworks, annual attestation workflows, risk assessment schedules, and policy documentation.

Audit Trail

Captures tamper-evident records of inventory updates, classification changes, sharing events, and attestation actions.

Compliance Forms

Provides 11 Decree 165 Mau so form templates (01a through 07b) for governance documentation.

Compare the Difference

| Without Structured Framework Operations | With ComplianceOne |
| --- | --- |
| Data inventories are maintained in spreadsheets that become stale, with no automated discovery or classification enforcement. | Data inventory is maintained through automated discovery with classification enforcement and linked handling rules. |
| Classification levels exist in policy documents but are not operationally linked to handling rules (access, retention, deletion). | Classification levels are operationally active – each level defines access controls, retention periods, and deletion policies enforced through the platform. |
| Data sharing events are logged inconsistently across departments with no centralized register of legal basis and approvals. | Every sharing and disclosure event is logged with recipient, scope, legal basis, and approval chain in a centralized register. |
| Annual governance attestation is treated as a document exercise rather than a multi-department operational workflow. | Annual attestation follows a structured multi-department workflow with due date tracking, contribution routing, and evidence preservation. |
| Organizations cannot demonstrate ongoing governance maturity – only point-in-time compliance snapshots. | Ongoing governance maturity is demonstrated through continuous audit trail coverage and recurring assessment workflows. |

Built for PDPL Compliance Operations

ComplianceOne supports the Vietnam Data Law's 7 operational compliance rules (DG-1 through DG-7) through integrated modules for data discovery, classification, mapping, and governance, providing continuous governance operations rather than periodic compliance exercises.

The platform includes 11 Decree 165 Mau so form templates (01a through 07b) plus 12 internal operational templates for data governance documentation, ensuring organizations can produce MIC-prescribed documentation alongside their day-to-day governance artifacts.

Annual governance attestation is managed as a structured recurring workflow with multi-department routing, contribution tracking, and evidence generation, addressing the Data Law's requirement for demonstrated ongoing governance rather than static policy documentation.

See Data Law Compliance in Action

Ready to see how ComplianceOne manages data governance obligations operationally? Request a demo tailored to your organization's needs.


Tu Pham - Country Manager, AesirX

Head of Risk with 15+ years in fintech and banking across ERM, compliance, fraud, audit, and regulatory frameworks.

Or contact via

tu@aesirx.io | +84 918098010

People Also Ask

The PDPL (Law 91/2025/QH15) focuses specifically on personal data protection — rights requests, breach notification, consent, cross-border transfers. The Data Law (Law 60/2024/QH15) is broader, covering all digital data assets including non-personal data, with obligations for inventory, classification, governance, and annual attestation. Organizations processing personal data in Vietnam are typically subject to both. ComplianceOne manages both frameworks from a single platform.

The annual attestation is managed as a recurring workflow in the Program Governance module. The platform tracks due dates on a 365-day cycle, routes attestation sections to responsible department owners, tracks completion progress, consolidates multi-department inputs, and produces the attestation report. All contributions are captured with timestamps and contributor lineage.

The Data Discovery module automates identification of data assets across connected systems. Discovered assets are routed to the Data Classification module where they are classified by sensitivity and importance. Classification assignments are reviewed by data owners, and each classification level is linked to operational handling rules (access control, retention, deletion).

ComplianceOne includes all 11 Mau so form templates defined by Decree 165/2025/ND-CP (01a through 07b), covering data inventory registers, classification records, governance documentation, and attestation reports. Templates are structured to match MIC-prescribed formats and are available in both Vietnamese and English.

Yes. The Data Law requires governance across all data-owning departments. ComplianceOne routes governance tasks to responsible department owners, tracks each department's contributions, and consolidates inputs into unified documentation. Contributor lineage is preserved in the audit trail, showing who contributed what and when.

Next Steps

Start a Compliance Pilot

Test data governance workflows with your team – inventory, classification, attestation, and evidence generation for MIC compliance.

Discuss Your Compliance Needs

Talk to our team about data governance operations, multi-framework coverage, and deployment options for your organization.