Compliance Burdens For Vietnamese Companies Under New Conditional Data-Related Business Lines

Under Data Law 2024 and the Law on Personal Data Protection 2025 (PDPL 2025), several data-related services, including personal data processing service (dịch vụ xử lý dữ liệu cá nhân), personal data protection service (DPO Service), data intermediary service, data trading floor and data synthesis and analysis service (collectively, New Data-Related Services), are now designated as conditional business sectors. The New Data-Related Services (which could include dozens of sub-services) are subject to specific licenses and operational conditions. In the past, data processing or exploitation services in Vietnam were not classified as conditional business lines, allowing providers to operate with limited regulatory prerequisites.

In short, the Government has arguably created (or at least intended to create) more than just a regulatory system; it has established a complex compliance economy. This new framework tethers businesses to a costly ecosystem of intermediaries ranging from essential licensing consultants to mandatory training centers and credit rating agencies. To remain operational, enterprises must now absorb the dual burden of initial licensing fees and the recurring costs of maintaining qualified staff and ratings. As these obligations mount, the pressing question remains: will this expensive bureaucracy actually reduce the daily scam calls and messages suffered by Vietnamese citizens, or simply increase the cost of doing business?

This post analyzes compliance burdens arising from the licensing conditions for these services.

1) Financial burden - Mandatory escrow deposits

Among the New Data-Related Services, data intermediary service is the only sector that requires a minimum escrow deposit as a condition for licensing. Under Article 25.4 of Decree 169/2025, businesses providing data intermediary services (Dịch vụ trung gian dữ liệu) to connect users with state agencies must maintain a deposit of at least VND 5 billion at a commercial bank in Vietnam. While intended to ensure liability coverage, this requirement effectively freezes a significant portion of working capital, creating a barrier to entry for smaller enterprises and startups.

2) Recruitment burden - High personnel qualification standards

Beyond general requirements (such as university degrees or a minimum number of years of relevant experience), Data Law 2024 and PDPL 2025 impose stricter personnel standards for New Data-Related Services as conditions for licensing. In particular:

  • Mandatory specialized certificates: All New Data-Related Services require qualified personnel holding specific certifications on completion of specialized courses (e.g., in data science, data analysis, data management or personal data protection). Notably, for personal data processing and DPO services, the staff must obtain a certificate of completion of training issued specifically by a “qualified Vietnamese organization” and must meet standards under a professional assessment program by the Ministry of Public Security (MPS). Crucially, under the Draft PDPL Decree, these certificates are valid for only 2 years, which may require retraining to obtain new certificates.

  • Strict staffing quotas: Providers of all New Data-Related Services must maintain a minimum headcount of qualified staff. For instance, under Article 25.2(b) of Decree 169/2025, the data intermediary service (connecting users with state agencies) requires a minimum of 5 personnel holding the requisite course completion certificates.

This requirement may significantly increase HR costs for enterprises, which must either hire qualified professionals or budget for current staff to attend the mandatory courses and, given the limited validity of the certificates, for retraining courses. Additionally, this creates a barrier for offshore service providers, as their existing global staff cannot easily qualify under Vietnamese law due to the requirement for certifications issued by local Vietnamese organizations.

3) Structural burden - Local presence and infrastructure cost

Except for DPO service providers, the Draft PDPL Decree and Decree 169/2025 generally require providers of the other New Data-Related Services to be enterprises established in Vietnam as a condition for obtaining a license. This effectively removes the option for foreign tech companies to offer these regulated services on a cross-border basis.

In addition, for data intermediary services (connecting users with state agencies) and data trading floor services, applicants must demonstrate that they possess appropriate technical equipment and physical systems located in Vietnam that have been inspected for security compliance. These conditions may significantly increase investment expenses in local infrastructure and operations.

4) Administrative burden - Complex licensing procedure

The administrative workload for data businesses in New Data-Related Services is set to increase substantially due to rigorous appraisal and renewal procedures. In particular:

  • Heavy appraisal process: To apply for licenses such as those for data intermediary services, data exchange services or personal data processing services, businesses must draft and submit detailed "Schemes" (Đề án) with required contents outlining their technical architecture, security measures, payment systems, and business plans for appraisal by the MPS. Preparing such schemes may be time-consuming and involve significant administrative costs (e.g., hiring consultants).

  • Credit rating requirement for license renewal: Under the Draft PDPL Decree, to renew a 5-year license to provide personal data processing service, the provider must hold a "Passed" rating on personal data protection issued within the last 6 months. Furthermore, businesses must plan for this rating assessment annually. Currently, PDPL 2025 and the Draft PDPL Decree do not provide for the procedure to obtain such a rating. Based on a public search, it appears that this assessment will be conducted annually by the MPS starting from 2024 (see this link). However, up to now, no public results of these ratings are available. This regulatory ambiguity poses a risk that businesses may face delays or denials in license renewal due to unclear rating mechanisms.

This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.