Art. 28 of Decree No. 13/2023/ND-CP requires a data controller and/or a data processor to appoint a department to protect personal data and to appoint a DPO if there is sensitive personal data involved. The information of such DPO must be notified to the Cybersecurity Department.

Art. 19 of Decree No. 72 of 2013, and its extension in Decree 27/2018, regulates that "organisations and individuals that use Internet resources shall provide information and cooperate with competent state management agencies at the latter’s request".

The Law on Cybersecurity stipulates that businesses have to provide users’ data to the Ministry of Public Security upon receipt of requests in writing in cases where any infringement of the cybersecurity law is being investigated (Art. 26).

Art. 17.1.c of the Law on Cyber Information Security No. 86/2015/QH13 requires technology companies to share user data at the request of competent state agencies. It also mandates that authorities be given decryption keys on request, and it introduces licensing requirements for tools that offer encryption as a primary function. There is no mention of a requirement for a court order.

Decree No. 17/2023/ND-CP establishes a safe harbour regime for intermediaries for copyright infringements. According to the Decree, to benefit from this safe harbour, Internet Service Providers (ISPs) must act promptly to remove or block content upon acquiring "knowledge" of copyright infringement. While Decree No. 17 does not define "knowledge," it considers takedown notices from authorities or rights holders as evidence of ISPs' "knowledge" without specifying whether such notices must be substantiated (Arts. 113.3 and 114.5).
Additionally, Decree No. 17 outlines the required information and documents for takedown notices and counter-responses, indicating that ISPs must take appropriate action—such as removal, blocking, or restoration—upon receipt of the complete set of required information and documents (Art. 111.4).

A basic legal framework on intermediary liability beyond copyright infringement is absent in Vietnam's law and jurisprudence.

According to Art. 26 of Vietnam's Law on Cybersecurity, owners or organisations in charge of websites must authenticate information when a user registers a digital account, ensure confidentiality of user information and accounts, provide user information to the task force in charge of network security protection under the Ministry of Public Security upon written request to serve the investigation and handling of violations of the law on network security.

Vietnam does not have an independent telecom authority. The Authority of Telecommunications is a ministerial unit which performs the advisory and regulatory functions over the telecommunications sectors nationwide.

In February 2020, the Vietnamese government issued Decree No. 15/2020/ND-CP to regulate administrative violations on postal services, telecommunications, radio frequencies, IT and electronic transactions. Art. 44.1(d) of the Decree regulates penalties for not storing information at the server system with an IP address in Vietnam for electronic newspapers, general websites or web portals and social networks subject to the license. Art. 95.3 regulates penalties for advertising email and internet message services using servers not located in Vietnam.

Patent applications by non-Vietnamese residents must be filed via recognised Vietnamese patent agents. According to Art. 89 of Law No. 50/2005/QH11 on Intellectual Property Rights, and Art. 4 of Circular 23/2023/Vietnam on Industrial property, non-Vietnamese residents, organisations or companies without business entities in Vietnam must apply for industrial property rights via legal representatives in Vietnam. Legal representatives must meet the criteria as regulated in Article 154 of the Law. The Parliament of Vietnam amended certain parts of Law No. 50/2005/QH11 with Law No. 36/2009/QH12, and such regulation remains.

Art. 26.3 of the Cybersecurity Law stipulates a mandatory requirement for the local storage of data on servers within Vietnam. This obligation is further elaborated in Chapter V of Decree 53. Under Art. 26 of Decree 53, all Vietnamese companies and certain foreign enterprises are required to store regulated data within Vietnam. This mandate extends to foreign enterprises if they engage in business activities within Vietnam in specific fields, including: telecommunication services; data sharing and storage; provision of national or international domains for Vietnamese users; e-commerce; social networking and social marketing; online gaming; and the provision, management, or operation of other internet-based information in forms such as messaging, telephone calls, video calls, email, or online gaming.
Art. 26 delineates the categories of regulated data as follows:
- Personal data of users based in Vietnam;
- Data generated by Vietnam-based users, including account name, time of usage, credit card details, email address, IP address, most recent log-out time, and registered phone number;
- Data pertaining to the relationships of Vietnam-based users, such as connections with friends or other individuals with whom users interact.

Vietnam is a party to the Patent Cooperation Treaty (PCT).

Decree No. 72 establishes the management of Internet services and online networks. Arts. 22, 25, 28 and 34 require providers of websites, social networks, information on mobile networks and online games, respectively, to have at least one server inside the country "serving the inspection, storage, and provision of information at the request of competent state management agencies". In March 2018, the Vietnamese government issued Decree No. 27/2018/ND-CP to partially amend and enhance Decree No. 72. Requirements on local servers remain.

Vietnam’s copyright regime is governed by Law No. 50/2005/QH11 on Intellectual Property Rights and supplemented by Decree 17/2023 on Copyright. However, the exceptions outlined in this framework do not adhere to the fair use or fair dealing models, thereby restricting the lawful use of copyrighted works by others. Art. 25 of Law No. 50/2005/QH11 enumerates these exceptions, with Decree 17/2023 providing further clarification on their application. Notable exceptions include the recitation of works without distorting the author's views in articles for newspapers or periodicals, radio or television broadcasts, or documentaries, as well as the use of works in schools for teaching purposes, provided it does not misrepresent the author’s views and is not for commercial gain, among others.

Under Art. 25 of Decree No. 13/2023/ND-CP, any entity or individual that transfers personal data offshore within the scope of the Decree has to prepare, maintain, and file a Transfer Impact Assessment (TIA) with the Department of Cybersecurity and Prevention of Cyber-Crimes under the Ministry of Public Security (MPS A05 Department) within 60 days after the transferor begins to process personal data. The offshore transfer of personal data is defined as using the internet, digital means or digital equipment or other means to transfer personal data of Vietnamese nationals to a location outside of the territory of Vietnam or using a location outside of the territory of Vietnam to process personal data of Vietnamese nationals (Art. 2.14).
The TIA must include, among other things:
- details of transferor and receiver(s); description and explanation of the purposes of the processing activities to be performed after such transfer;
- types of data to be transferred;
- assessment of the impact of the data processing activities;
- potential consequences, mitigation and/or prevention measures;
- consent of the data subjects with the mechanism for the data subjects to respond to or claim upon the occurrence of any incident; and
- a binding document between the transferor and the receiver of the personal data, outlining the rights, obligations and responsibilities of each party, etc. (Art. 25.2).
After the transfer is completed, the transferor must notify the MPS A05 Department (Art. 25.4).