In the context of data globalization and the rapid development of the digital economy, cross-border transfers of personal data have become an essential requirement for many businesses in Vietnam – particularly those operating in the fields of finance, technology, e-commerce, and healthcare. However, alongside this trend, the legal framework governing outbound data transfers in Vietnam has grown increasingly complex and layered, especially following the enactment of the Personal Data Protection Law and the Law on Data.
One of the most pressing questions today is: Do businesses only need to notify authorities when transferring personal data abroad, or is prior approval required? The answer is far from simple — it depends on the type of data, the volume involved, and the method of transfer. This article provides a structured overview of the criteria for identifying core data, the interplay between the Personal Data Protection Law and the Law on Data, as well as practical scenarios that businesses should carefully consider before carrying out cross-border data transfers.
1. From Personal Data to Core Data: What Should Businesses Be Aware Of ?
“Citizen data” is an expanded concept of personal data, commonly used when referring to the scale, sensitivity, and national significance of personal information.
Digital Data: It refers to all data represented in digital form, including one or a combination of formats such as audio, images, symbols, and text.
Personal Data: It refers to digital data or information in other forms that identifies or helps identify an individual. This includes:
- Basic personal data: full name, date of birth, citizen identification number, address, etc.
- Sensitive personal data:health information, biometric data, financial records, religious beliefs, geolocation, transaction history, etc.
Citizen Data:
- There is no separate legal definition; the term is used in the context of classifying core/critical data under Decision No. 20/2025/QĐ-TTg.
- It refers to the personal data of Vietnamese citizens, considered from the perspective of state governance or on a large scale.
- It encompasses a broader scope than the concept defined in the Personal Data Protection Law.
According to Decision No. 20/2025/QĐ-TTg, unpublished citizen data will be classified as core data if it meets the following criteria:
| Type of unpublished citizen data |
Threshold for classification as core data |
|
Basic citizen data |
≥ 1.000.000 citizens |
|
Sensitive citizen data |
≥ 100.000 citizens |
Note: “Unpublished” means the data has not been widely disclosed through media or official public channels. Once disclosed, the data is no longer considered core data.
2. What Documentation Must Businesses Prepare for Cross-Border Data Transfers?
|
Criteria |
Regular personal data transfers under the Personal Data Protection Law |
Transfers of important/core data under the Law on Data and Decree 165/2025/ND-CP |
|
Administrative procedures |
Implementing the Personal Data Cross-Border Transfer Impact Assessment Dossier |
Implementing the Cross-Border Transfer and Processing Impact Assessment Dossier for Core and Critical Data |
|
Regulated entities |
Personal data not classified as core/critical data |
Personal data reaching the threshold for core/critical data (or other types of data listed in the core/critical data category) |
|
Threshold for triggering obligations |
Cross-border transfers of personal data include the following cases:
|
|
|
Receiving authority |
Ministry of Public Security (the authority specialized in personal data protection)) |
Ministry of Public Security or Ministry of National Defence (depending on the nature of the data) |
|
Time of dossier submission |
Within 60 days from the first date of data transfer |
|
|
Prior approval requirement |
No prior approval required |
|
|
Dossier processing time limit |
No specific time limit prescribed |
|
|
Exemptions |
|
Note: In all the above cases, the impact assessment must still be submitted to the Ministry of Public Security (or Ministry of National Defence, if applicable) within 15 days of implementation. |
|
Interrelation between the two laws |
If personal data does not reach the threshold for critical/core data, the Personal Data Protection Law shall apply |
If personal data reaches the threshold for critical/core data, the Law on Data shall take precedence and replace the obligations under the Personal Data Protection Law. |
The cross-border transfer of personal data in Vietnam is no longer a standalone procedure but a multi-layered legal process that depends on the nature and scale of the data being processed. The parallel existence of the Personal Data Protection Law and the Law on Data – along with guiding instruments such as Decree 165/2025/ND-CP – has introduced varying obligations for different scenarios, ranging from mere notification to the requirement of prior approval before the transfer.
Businesses cannot apply a one-size-fits-all process to all types of data; instead, they must accurately identify the category of data being processed – whether it is regular personal data, critical data, or core data – in order to select the appropriate impact assessment mechanism and ensure compliance. In the context of increasing legal risks, especially for businesses operating in sectors such as technology, finance, insurance, and healthcare, establishing a system for data classification, labeling, and flow control is essential and non-negotiable.
Time of writing: 11/08/2025
The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn
Why choose CDLAF’s service?
- We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
- We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
- Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
- As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
- CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.
- Strict information security procedures throughout the service performance and even after the service is completed.
You can refer for more information:
- Foreign-Invested Enterprises: How to properly identify the Beneficial Owner?
- Who is the Beneficial Owner? – Legal Perspective from the Latest Regulations of Vietnamese Enterprise Law
- Latest social insurance obligations for foreign enterprises in Vietnam in 2025
- Deduction of input VAT under Decree 181/2025/NĐ-CP: What are the considerations for enterprises?
