1. Overview of the Legal Framework on Data in Vietnam
Vietnam’s data governance framework is primarily shaped by two key legal pillars:
- Personal Data Protection: The foundation of this pillar is Decree No. 13/2023/NĐ-CP on Personal Data Protection, which will be superseded and formalized by the Law on Personal Data Protection effective from January 1, 2026. Reflecting global trends in privacy protection—similar to the EU’s General Data Protection Regulation (GDPR)—this regulation focuses on safeguarding individuals’ fundamental rights related to their personal information. It establishes a clear chain of accountability among all entities involved in personal data processing.
- Digital Data Management: This pillar is established under the Law on Data No. 60/2024/QH15, guided by Decree No. 165/2025/NĐ-CP. The Law adopts a broader, more strategic perspective, positioning data as a vital national resource to be systematically developed, protected, and governed. Its objective is to lay a solid foundation for the development of a digital economy and digital government, and to ensure national data security.
The table below summarizes the key legal instruments and their respective scopes of regulation:
| Legal Document | Effective Date | Main Scope of Regulation |
| --- | --- | --- |
| Decree No. 13/2023/NĐ-CP | 01/07/2023 | Provides regulations on the protection of personal data and the responsibilities of parties involved in personal data processing |
| Law on Data No. 60/2024/QH15 | 01/07/2025 | Regulates digital data; the development, protection, governance, processing, and use of digital data; and the state management of digital data. |
| Decree No. 165/2025/NĐ-CP | 01/07/2025 | Details certain articles and implementation measures of the Law on Data, including specific criteria, procedures, and responsibilities. |
2. Parties Involved in Personal Data Processing under Decree No. 13/2023/NĐ-CP
Decree No. 13/2023/NĐ-CP defines the roles based on the functional relationship of an organization or individual to a specific person’s data and the purpose of data processing activities. The central element governing these relationships is the “consent” of the data subject. Each role is associated with a distinct set of rights and obligations, forming a clear chain of legal accountability.
Data Subject
According to clause 6, Article 2 of Decree No. 13, a Data Subject is “an individual who is reflected by personal data.” This is the central entity protected under the law. Article 9 of the Decree sets out the core rights of the Data Subject, including:
- Right to be informed: To be informed about the processing of their personal data.
- Right to consent: To give or withhold consent for the processing of personal data.
- Right of access: To access, review, or request correction of their personal data.
- Right to withdraw consent: To withdraw previously given consent.
- Right to erasure: To delete or request deletion of their personal data.
- Right to restrict processing: To request restriction of personal data processing.
- Right to data provision: To request provision of their own personal data.
- Right to object to processing: To object to processing for the purpose of disclosure, advertising, or marketing.
- Right to lodge complaints, denunciations, or initiate lawsuits.
- Right to claim compensation for damages.
- Right to self-protection.
Personal Data Controller
According to clause 9, Article 2 of Decree No. 13, a Personal Data Controller is “an organization or individual that determines the purposes and means of processing personal data.” This party holds the decisive role and bears the highest level of responsibility for data processing activities. Under Article 38, the Controller has key obligations such as selecting an appropriate Data Processor and being liable to the Data Subject for any damage arising from the processing. This establishes the principle of ultimate accountability: the Controller cannot disclaim legal responsibility by delegating processing to a Processor. The Controller remains primarily responsible to the individual, even if a violation is committed by its service provider.
Personal Data Processor
According to clause 10, Article 2, a Personal Data Processor is “an organization or individual that processes personal data on behalf of the Controller, pursuant to a contract or agreement with the Controller.” This party does not determine the purposes of processing but only performs processing activities as instructed by the Controller. Article 39 sets out key obligations, including processing data strictly in accordance with the signed contract and deleting or returning all personal data to the Controller upon termination of the contract.
Personal Data Controller-cum-Processor
According to clause 11, Article 2, a Personal Data Controller-cum-Processor is “an organization or individual that both determines the purposes and means of processing and directly processes personal data.” This party assumes the combined responsibilities of both the Controller and the Processor, as stipulated in Article 40.
Third Party
According to clause 12, Article 2, a Third Party is “an organization or individual, other than the Data Subject, the Personal Data Controller, the Personal Data Processor, or the Personal Data Controller-cum-Processor, that is permitted to process personal data.” This is an independent party that may participate in the processing of personal data under specific circumstances.
The system of roles under Decree No. 13 is designed around the protection of individuals’ rights, establishing a clear chain of legal accountability from the party determining the purpose of processing (the Controller) to the party executing the processing (the Processor).
3. Parties Involved in Data Activities under the Law on Data No. 60/2024/QH15
The Law on Data No. 60/2024/QH15 approaches the issue from a macro perspective, defining roles based on the ownership, management, and operation of data as a national asset or resource. This “assetization” of data provides the legal foundation for the establishment of a formal data market and the recognition of clear ownership rights, an area that had previously existed in a legal gray zone. These definitions do not replace the roles established under Decree No. 13; they coexist with and complement them.
Data Subject
The most significant legal difference lies in how the Law on Data broadens the definition of a data subject compared to Decree No. 13:
- Decree No. 13 (clause 6, Article 2): “A data subject is an individual who is reflected by personal data.”
- Law on Data No. 60 (clause 12, Article 3): “A data subject is an agency, organization, or individual that is reflected by data.”
This expansion has profound legal implications. While Decree No. 13 focuses solely on individuals, the Law on Data recognizes that organizations and agencies can also be data subjects. For instance, a person is the data subject of their personal information, whereas a company can be the data subject of datasets reflecting its operational performance or financial reports. This broader scope forms the foundation for governing all types of data, not just personal data.
Data Owner
According to clause 14, Article 3, a Data Owner is “an agency, organization, or individual that has the right to decide on the creation, development, protection, governance, processing, use, and exchange of the value of data it owns.” This role emphasizes supreme control rights over a dataset. A key clarification is made in clause 15, Article 3: “The rights of a data owner over data are property rights in accordance with civil law.” This officially recognizes data as a form of property that can be owned and traded for value.
Data governing body
According to clause 13, Article 3, a Data governing body is “an agency, organization, or individual that carries out the creation, management, operation, and exploitation of data at the request of the data owner.” The Data governing body plays a technical management and operational role, acting under the direction or authorization of the Data Owner.
The roles defined under the Law on Data focus on data governance, value utilization, and the establishment of property rights over data. This framework lays the groundwork for the formation of a data market, national data governance, and the promotion of the digital economy. To ensure accurate implementation in practice, it is essential to analyze the interaction and interrelation between the two role systems.
4. Comparative Analysis and Interrelationship between the Roles
| Criteria | Roles under Decree No. 13 | Roles under the Law on Data |
| --- | --- | --- |
| Nature of Role | Based on processing functions (who determines the purpose, who executes the processing). | Based on ownership and management rights (who holds the property rights, who operates). |
| Legal Basis | Based on privacy rights and the individual’s consent. | Based on property rights and legal provisions on resource management. |
| Principal Focus | Protection of individuals and their legitimate rights and interests. | Management of data resources, value exploitation, and development of the digital economy. |
| Applicable Scope | Personal data (associated with a specific individual). | Digital data (including personal data, organizational data, and non-personal data). |
Time of writing: 15/10/2025
This article contains general information for reference only. If you would like a legal opinion on issues that need clarification, please get in touch with our lawyers at info@cdlaf.vn.

