Responsibilities of foreign enterprises in processing data and personal data of Vietnamese individuals
LexNovum Lawyers
07/05/2026
RESPONSIBILITIES OF FOREIGN ENTERPRISES IN PROCESSING DATA AND PERSONAL DATA OF VIETNAMESE INDIVIDUALS
In the context of rapid digital transformation, the presence and expansion of foreign enterprises in Vietnam have been steadily increasing, particularly in the technology sector and cross-border service provision. Alongside this trend, the protection of data and personal data of Vietnamese individuals has become an increasingly pressing concern.
To address governance needs in this evolving landscape, Vietnam has progressively developed its legal framework on data through key instruments such as the Data Law 2024, Decree No. 165/2025/ND-CP guiding the Data Law, Decree No. 53/2022/ND-CP detailing certain provisions of the Law on Cybersecurity, as well as regulations on personal data protection, including the Personal Data Protection Law 2025 and Decree No. 356/2025/ND-CP providing detailed guidance on several provisions thereof. These regulations not only broaden the scope of application but also impose more stringent requirements on data collection, processing, and storage. Accordingly, the responsibilities of foreign enterprises in processing data and personal data of Vietnamese individuals are becoming increasingly clear and comprehensive.
In this article, LexNovum Lawyers (“LNV”) outlines several responsibilities of foreign enterprises when processing data and personal data of Vietnamese individuals to assist clients in fully understanding and identifying their compliance obligations under the current legal framework.
1. Responsibilities of foreign enterprises in data processing in Vietnam
Pursuant to Clause 12, Article 2 of Decree No. 53/2022/ND-CP, a foreign enterprise is defined as an enterprise established or registered for establishment under foreign law.
Under Article 2 of the Data Law 2024, in addition to Vietnamese agencies, organizations, and individuals, the scope of application of the Data Law also covers foreign agencies, organizations, and individuals operating in Vietnam, as well as those directly participating in or related to digital data[1] activities in Vietnam. Accordingly, foreign enterprises operating in Vietnam, or even, in certain cases, those without a commercial presence in Vietnam, are still required to comply with the provisions of the Data Law.
Upon reviewing the Data Law 2024 and its current guiding regulations, LNV highlights several key provisions that foreign enterprises are required to comply with, including regulations on rights and responsibilities in data collection and creation activities as stipulated in Clause 3, Article 11 of the Data Law 2024, specifically:
– Rights, foreign enterprises are permitted to collect and generate data for their operations in compliance with applicable laws. They also receive protection for rights regarding data owners in accordance with the Data Law 2024, civil law, and other relevant regulations;
– Responsibilities, foreign enterprises are responsible for the data they collect and generate. For example, under Clauses 1, 2, and 11 of Article 17 of Decree No. 165/2025/ND-CP, foreign enterprises acting as data governing bodies[2] must establish management systems for data protection throughout the entire data processing, and implement data protection measures during data collection and generation. Additionally, where foreign enterprises are governing bodies of core data[3] or important data[4], they are required to annually assess risks in the processing of core or important data within their management scope and prepare and store risk assessment reports in accordance with the law.
Notably, pursuant to Clause 3, Article 26 of Decree No. 53/2022/ND-CP, where foreign enterprises operating in Vietnam in certain specific sectors such as: telecommunications services; storage and sharing of data in cyberspace; provision of national or international domain names for service users in Vietnam; e-commerce; online payment; payment intermediaries; services of connection and transportation in cyberspace; social media and social communication; online games; services of provision, management, or operation other information in cyberspace in forms of messages, calls, video calls, emails, online chatting, they may be required to store data in Vietnam and establish branches or representative offices in Vietnam upon request. These requirements apply only in cases where the services provided by such foreign enterprises are used for violations of laws on cybersecurity, notified and requested for cooperation, prevention, investigation, and handling in writing by the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam, but they fail to comply or incompletely comply with such documents or prevent, obstruct, disable, or nullify the effect of cybersecurity protection measures performed by cybersecurity protection forces.
In short, the obligations to store data in Vietnam and to establish a branch or representative office are not automatically imposed on all foreign enterprises operating in the above-mentioned sectors; rather, they are conditional obligations. Specifically, these obligations arise only when both of the following conditions are met:
(i) The services provided by the enterprise are used to commit violations of cybersecurity laws; and
(ii) The enterprise fails to cooperate, or does not fully cooperate, with the competent authorities in response to a written request.
In other words, this is “a post-audit and enforcement measure”, rather than a market entry condition imposed from the outset on all enterprises.
Accordingly, the categories of data that foreign enterprises in the above cases may be required to store in Vietnam include:
- Data on personal information of service users in Vietnam;
- Data created by service users in Vietnam: account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone numbers in association with accounts or data;
- Data on relationships of service users in Vietnam: friends and groups such users have connected with or interacted with.
Thus, when participating in data processing activities in Vietnam, even in certain cases without a commercial presence, foreign enterprises may still fall within the scope of Vietnamese law and must comply with corresponding obligations. In specific circumstances, they may also be required to store data in Vietnam and establish a commercial presence.
2. Responsibilities of foreign enterprises in the personal data processing of Vietnamese individuals
Pursuant to Clause 2, Article 1 of the Personal Data Protection Law 2025 and Article 2 of Decree No. 356/2025/ND-CP, regulations on personal data protection are not only applicable to Vietnamese agencies, organizations, and individuals, but also to foreign agencies, organizations, and individuals operating in Vietnam, as well as those directly participating in or related to the processing of personal data of Vietnamese citizens and persons of Vietnamese origin without determined nationality residing in Vietnam who have been issued with identification certificates.
Accordingly, when processing personal data of Vietnamese individuals, foreign enterprises are also subject to and must comply with Vietnamese legal regulations on personal data protection, similar to domestic enterprises. Some key responsibilities include:
(i) Appoint a department or personnel with adequate capacity for personal data protection, or hire an organization or individual providing personal data protection services (Clause 2, Article 33 of the Personal Data Protection Law 2025).
(ii) Establish mechanisms for collecting and obtaining the consent of personal data subjects (Article 9 of the Personal Data Protection Law 2025; Article 6 of Decree No. 356/2025/ND-CP).
(iii) Provide notification of personal data processing, ensuring that all required contents specified in Clause 2, Article 9 of the Personal Data Protection Law 2025 are clearly presented.
(iv) Develop clear processes, procedures, and forms for the exercise of data subjects’ rights (Article 5 of Decree No. 356/2025/ND-CP).
(v) Enter into agreements with personal data processors (in cases where a third party is engaged to process personal data on behalf of the enterprise) (Point a, Clause 1; Points a and b, Clause 2, Article 37 of the Personal Data Protection Law 2025).
(vi) Submit dossiers for personal data processing impact assessments and cross-border personal data transfer impact assessments (Articles 20 and 21 of the Personal Data Protection Law 2025; Articles 17, 18, and 19 of Decree No. 356/2025/ND-CP).
In relation to this responsibility, LNV further notes that, as mentioned in Section 1 of this article, where a foreign enterprise acts as the governing body of core data or important data, it is required to conduct an annual risk assessment of its core and important data processing activities in accordance with applicable regulations. However, pursuant to Clause 2, Article 16 of Decree No. 165/2025/ND-CP, as amended by Clause 3, Article 42 of Decree No. 356/2025/ND-CP, in cases where a foreign enterprise cross-border transfer or processing of core data or important data that constitutes personal data, and has already completed the required dossiers for personal data processing impact assessment and cross-border personal data transfer impact assessment in accordance with personal data protection laws, such foreign enterprise is not required to conduct additional risk assessments or cross-border data processing/transfer impact assessments under Decree No. 165/2025/ND-CP. Accordingly, in such cases, the foreign enterprise is only required to complete the impact assessment procedures under personal data protection laws and is not required to simultaneously conduct risk assessment procedures under Decree No. 165/2025/ND-CP.
(vii) Other related obligations (as they arise), such as notifying competent authorities in the event of a personal data protection breach (Article 23 of the Personal Data Protection Law 2025; Article 28 of Decree No. 356/2025/ND-CP), among others.
In summary, when processing personal data of Vietnamese individuals, foreign enterprises must fully comply with Vietnamese legal regulations, with obligations similar to those imposed on domestic enterprises. These include establishing consent mechanisms, ensuring the rights of data subjects, and carrying out required impact assessment procedures. Therefore, building and maintaining an appropriate personal data protection system is not only a matter of legal compliance but also a critical factor in minimizing risks and ensuring stable business operations.
From the foregoing, it can be seen that, in addition to complying with the laws of the country where they are established or operate, foreign enterprises, when processing data and personal data of Vietnamese individuals, must also comply with the laws of Vietnam. Notably, this obligation may arise even where the enterprise has no commercial presence in Vietnam, provided that it is involved in data or personal data processing activities relating to Vietnamese individuals. Accordingly, in the event of violations, foreign enterprises may not only face direct administrative sanctions (pursuant to Article 2 of the Draft Decree on administrative penalties in the field of cybersecurity and personal data protection, which also applies to foreign enterprises), but may also be subject to indirect consequences through international judicial assistance mechanisms or arising from Vietnamese partners or customers being sanctioned or held liable due to their cooperation with the foreign enterprises. This may significantly affect the enterprise’s reputation, its ability to maintain business operations, and its access to the Vietnamese market.
Therefore, when processing data in Vietnam, particularly personal data, foreign enterprises should proactively review their data and personal data processing activities, and establish and operate data processing systems in compliance with Vietnamese law, thereby ensuring lawful business operations and minimizing legal risks.
The above outlines several key points from LNV regarding the responsibilities of foreign enterprises when processing data and personal data of Vietnamese individuals. Should you require further advice on any issue related to this article or a specific case, please feel free to contact LexNovum Lawyers via hotline or email at info@lexnovum.com.vn for detailed consultation.
✍️Author: Junior Associate Hoàng Vy
Consultant: Lawyer Phan Nhi
Disclaimer:
The information provided in this article is intended for reference purposes only. We assume no responsibility or legal liability for any individual or organization using the information herein for purposes other than reference. Before making any decisions or taking any actions, clients are advised to seek formal professional advice or contact LexNovum Lawyers for in-depth consultation.
Please cite “LexNovum Lawyers” as the source when using or sharing this article in any form.
———————–
[1] According to Clause 1, Article 3 of the Data Law 2024, “digital data” refers to data on things, phenomena, and events, including one or a combination of audio, images, numbers, letters, and symbols in digital form (hereinafter referred to as “data”).
[2] According to Clause 13, Article 3 of the Data Law 2024, a “data governing body” refers to an agency, organization, or individual engaging in data construction, management, operation, and utilization under requests from the data owner.
According to Clause 14, Article 3 of the Data Law 2024, a “data owner” refers to an agency, organization, or individual with the right to decide on the construction, development, protection, administration, processing, use, and exchange of the value of data under their ownership.
[3] According to Clause 7, Article 3 of the Data Law 2024, “core data” refers to important data that directly impacts national defense and security, foreign affairs, macroeconomic situations, social stabilization, and community health and safety, including in the list promulgated by the Prime Minister of Vietnam.
[4] According to Clause 6, Article 3 of the Data Law 2024, “important data” refers to data that may affect national defense and security, foreign affairs, macroeconomic situations, social stabilization, and community health and safety, included in the list promulgated by the Prime Minister of Vietnam
