In addition to other resources, Legal News are updated monthly by Vision & Associates in both English and Vietnamese, with a view to providing a wide network of our clients and business partners with a prominent and updated legal changes and development in Vietnam. Our Legal News relate mainly to foreign investment, trading, import and export, taxation, finance and banking, labour, and other relevant issues. The news of the recent year are shown below.

In addition to other resources, Legal News are updated monthly by Vision & Associates in both English and Vietnamese, with a view to providing a wide network of our clients and business partners with a prominent and updated legal changes and development in Vietnam. Our Legal News relate mainly to foreign investment, trading, import and export, taxation, finance and banking, labour, and other relevant issues. The news of the recent year are shown below.

On 24 December 2024, the Government issued Decree No. 163/2024/ND-CP, detailing a number of articles and measures to implement Law on Telecommunications (hereinafter referred to as “Decree 163”), which became effective on 24 December 2024 and replaces Decree No. 25/2011/ND-CP dated 6 April 2011, detailing and providing guidelines for implementation of a number of articles of Law on Telecommunications, including amendments (hereinafter referred to as “Decree 25”).

Based on the amendments and new provisions provided by the Telecommunications Law No.24/2023/QH15, which was adopted by the National Assembly on 24 November 2023 and took effect on 1 July 2024 (hereinafter referred to as the “Telecommunications Law 2024”), the new Decree 163 has a number of notable new or amended provisions when compared to Decree 25. Specifically as follows:

1. Business of telecommunications services

(a) Classification of telecommunications services:

Based on the clear approach of the Telecommunications Law 2024 with respect to data center services, cloud computing services, and OTT services as telecommunications services, Decree 163

(i) expands basic telecommunications services with Transmission services for radio and television; Transmission services for machine-to-machine connections; Virtual private network services; Services for leasing the entire or a part of telecommunications network; Additional telecommunications services of basic telecommunications services (defined as those adding features and utilities to telecommunications service users, are an integral part and are provided together with basic telecommunications services); and
(ii) adds Data center services, Cloud computing services, and Basic telecommunications services on the Internet to value-added telecommunications services.

(b) Provision of telecommunications services:

Decree 163

(i) clearly stipulates that provision of telecommunications services includes resale of telecommunications services to telecommunications service users;

(ii) maintains the provisions of Decree 25, whereby, unless an international treaty to which Vietnam is a member provides otherwise, the provision of telecommunications services across borders to telecommunications service users in the territory of Vietnam (but not only on the mainland as stipulated in Decree 25) must be through a commercial agreement with a Vietnamese telecommunications enterprise that has been granted a license to provide telecommunications services, including international communications; however, this restriction does not apply to data center services, cloud computing services, and basic telecommunications services on the Internet; and

(iii) adds regulations on the provision of telecommunications services via satellite fixed telecommunications networks and satellite mobile telecommunications networks whereby telecommunications enterprises participating in commercial agreements with foreign organizations must have a plan so that all traffic generated by satellite subscriber terminals on the mainland territory of Vietnam must go through the Ground gateway station (Gateway) located on the territory of Vietnam and connected to the public telecommunications network; and

(iv) more clearly define certain rights and obligations of a number of entities when providing and using telecommunications services such as:

• Obligation of enterprises providing basic telecommunications services on the Internet, cloud computing services, email services, voicemail services, value-added fax services; foreign organizations providing basic telecommunications services on the Internet, data center services, cross-border cloud computing services to service users in Vietnam’s territory to notify Telecommunications Department directly under Ministry of Information and Communications (“MOIC”) of service provision.

• Obligation of providers of basic telecommunications services on the Internet to register, store and manage information of service users; and

• Rights and obligations of foreign organizations providing basic telecommunications services on the Internet, data center services, cloud computing services across borders to service users in the territory of Vietnam. For example, foreign organizations providing basic telecommunications services on the Internet across borders to telecommunications service users in the territory of Vietnam have the following rights and obligations:
o To not compensate for indirect damages or unearned profits due to the provision of telecommunications services that do not guarantee time and quality and have other rights as prescribed by relevant laws;
o To not cause harmful interference, damage equipment, construction works, telecommunications networks; or not to harm the legal operations of telecommunications infrastructure of other organizations and individuals;
o To urgently stop the provision of telecommunications services in case of riots, use of telecommunications services to oppose the Socialist Republic of Vietnam, or violations of national security at the request of competent state agencies as prescribed by law;
o To prevent, combat, and block illegal messages and calls as prescribed by the Government;
o To declare the quality of services provided by themselves if they own the network infrastructure or have an agreement with a telecommunications enterprise with a network infrastructure; declare the quality of services provided by themselves depending on the quality of the telecommunications network and telecommunications services managed and provided by other telecommunications enterprises if they do not own the network infrastructure or do not have an agreement with a telecommunications enterprise with a network infrastructure;
o To be responsible for the quality of services according to the declared standards; ensure the correctness, adequacy and accuracy of service prices according to the contract for providing and using telecommunications services;
o To be responsible for notifying users of the necessity and must obtain the user’s consent before accessing to the features on the service user’s terminal equipment to serve the provision of services if necessary;
o To not take advantage of telecommunications activities to oppose the Socialist Republic of Vietnam; violate national security, social order and safety; cause damage to the interests of the State, the rights and legitimate interests of organizations and individuals; etc.

2. Telecommunications service business market

(a) Ownership limit in telecommunications service business:

Previously, according to Decree 25, individuals and organizations that owned more than 20% of the charter capital or shares in a telecommunications enterprise would not be allowed to own more than 20% of the charter capital or shares of another telecommunications enterprise operating in the same telecommunications service market on the List of telecommunications services prescribed by the MOIC. Now, the ownership regulations in Decree 163 have been loosened for shareholders of joint stock companies, accordingly the above-mentioned ownership restrictions only apply to shareholders who own more than 20% of total voting shares at a telecommunications enterprise and do not apply to shareholders who own shares of other types.

(b) Telecommunications service business market:

Decree 163 provides specific criteria to determine the State-managed telecommunications service market and telecommunications enterprises with a dominant market position on the State-managed telecommunications service market. Accordingly:

(i) The criteria for determining the telecommunications service market managed by the State include three criteria, of which two are quantitative criteria: (1) an index measuring the level of market concentration of over 1800 (with formula) and (2) the proportion of service revenue accounting for 10% or more of the total revenue of telecommunications services of the entire market.

(ii) Telecommunications enterprises with a dominant market position on telecommunications service markets managed by the State are determined based on the enterprise’s market share that means the percentage of one of the following factors: telecommunications service revenue, the number of telecommunications subscribers generating traffic or the number of other service units sold over the total telecommunications service revenue, the total number of telecommunications subscribers generating traffic or the total number of other service units sold by enterprises on that telecommunications service market.

A telecommunications enterprise is determined to have a dominant market position if it has a market share of 30% or more or has significant market power on the State-managed telecommunications service market.

A telecommunications enterprise is determined to have significant market power on the State-managed telecommunications service market if it has a market share of 10% to less than 30% on that telecommunications service market and falls into one of the following cases:

• The total assets recorded in the balance sheet in the financial reporting system of the previous year account for 30% or more of the total assets in the financial reporting of the previous year of telecommunications enterprises on that telecommunications service market;

• The North-South backbone capacity (i.e. the design capacity of the wired telecommunications transmission line passing through 3 locations at the same time: Hanoi, Da Nang and Ho Chi Minh City) accounts for 30% or more of the total North-South backbone capacity of telecommunications enterprises participating in that telecommunications service market;

• For the telecommunications service market on the terrestrial mobile telecommunications network (hereinafter referred to as “terrestrial mobile telecommunications services”), in addition to the criteria specified in points (i) and (ii) above, an enterprise is also determined to have significant market power if it falls into one of the following cases:
o The number of telecommunications service points with a specific address owned and established by the enterprise itself accounts for 30% or more of the total number of telecommunications service points with a specific address of telecommunications enterprises participating in the terrestrial mobile telecommunications service market;
o The percentage of the population covered by the enterprise’s terrestrial mobile telecommunications network accounts for 90% or more of the total population of the country.

(c) Competition in telecommunications business activities:

Decree 163 has cancelled the regulations related to the handling of competition cases in telecommunications activities and economic concentration in telecommunications business activities, leaving it the laws on competition. From now on, economic concentration activities in the field of communications no longer need to seek the opinion of the MOIC and will comply with the general provisions of the Competition Law on notification of economic concentrations.

3. Charter capital and conditions for telecommunications network deployment

(a) Fixed-land public telecommunications network:

An enterprise applying for issuance of a license to provide telecommunications services with network infrastructure, which is a type of fixed terrestrial public telecommunications network, without use of radio frequency bands, must continue to meet the conditions on charter capital and conditions on telecommunications network deployment as prescribed in Decree 25; however, if the applicant uses radio frequency bands, it must meet the conditions on charter capital and conditions on telecommunications network deployment as amended as follows:

(i) For establishing a network within a region (i.e. from 02 to 30 provinces and centrally run cities; instead of from 15 to 30 provinces and centrally run cities according to Decree 25): Having a minimum charter capital (instead of the legal capital as prescribed in Decree 25) of VND 100 billion and having fully contributed the charter capital according to the provisions of the law on enterprises (this is a new provision) and meeting the conditions for telecommunications network deployment, which is a commitment to invest a total capital investment of at least 300 billion VND in the network within the first 3 years from the date of being licensed to establish a telecommunications network (similar to the provisions of Decree 25).

(ii) For establishing a nationwide network (over 30 provinces and centrally run cities): Having a minimum charter capital (instead of the legal capital as prescribed in Decree 25) of VND 300 billion and having contributed sufficient charter capital as prescribed by the laws on enterprises (this is a new provision) and meeting the conditions for deploying a telecommunications network, which is a commitment to invest a total capital investment of at least VND 1,000 billion in the network in the first 3 years from the date of being licensed to establish a telecommunications network (similar to the provisions in Decree 25). Thus, Decree 163 has removed the condition under Decree 25 that this enterprise must commit to invest at least VND 3,000 billion in 15 years to develop the telecommunications network as prescribed in the license.

If the use of radio frequency bands or radio frequency channels is granted through auctions or competitions for the right to use radio frequencies or re-issuance of radio frequency band use licenses, the conditions for deploying the telecommunications network shall be implemented according to the commitment to deploy the telecommunications network when participating in the auction or competition for the right to use radio frequencies or applying for re-issuance of radio frequency band use licenses according to the provisions of the law on radio frequencies.

(b) Terrestrial mobile public telecommunications network:

Enterprises applying for a license to establish a terrestrial mobile telecommunications network that does not use radio frequency bands (virtual mobile telecommunications networks) must meet amended conditions on charter capital and conditions on telecommunications network deployment as follows:

(i) Conditions on charter capital: Having a minimum charter capital (instead of the legal capital under Decree 25) of VND 300 billion and having fully contributed charter capital according to the provisions of the law on enterprises (this is a new provision).

(ii) Conditions on telecommunications network deployment: Commitment to invest a total investment capital of at least VND 1,000 billion in the network in the first 3 years from the date of being licensed to establish a telecommunications network (similar to the provisions in Decree 25) and having a written agreement on leasing a terrestrial mobile telecommunications network (this is a new provision). Thus, Decree 163 has removed the condition stipulated in Decree 25, according to which this enterprise must commit to invest at least 3,000 billion VND in 15 years to develop the telecommunications network as stipulated in the license.

Enterprises applying for a license to provide telecommunications services with network infrastructure, which is a type of public terrestrial mobile telecommunications network, using radio frequency channels, must meet amended conditions on charter capital and conditions on telecommunications network deployment as follows:

(i) Conditions on charter capital: Having a minimum charter capital (instead of the legal capital as prescribed in Decree 25) of VND 20 billion and having fully contributed charter capital as prescribed by the laws on enterprises (this is a new provision).

(ii) Conditions on telecommunications network deployment: Commitment to invest a total investment capital of at least VND 60 billion in the network in the first 3 years from the date of being licensed to establish a telecommunications network (similar to the provisions in Decree 25).

If the use of radio frequency channels is granted through auctions or competitions for the right to use radio frequencies, the conditions for deploying telecommunications networks shall be implemented according to the commitment to deploy telecommunications networks when participating in auctions or competitions for the right to use radio frequencies in accordance with the provisions of the law on radio frequencies.

If the use of radio frequency bands is granted through auctions or competitions for the right to use radio frequencies, or a license to use radio frequencies is re-granted, the following conditions on charter capital and conditions on telecommunications network deployment must be satisfied:

(i) Conditions on charter capital: Having a minimum charter capital (instead of the legal capital as prescribed in Decree 25) of at least VND 500 billion and having fully contributed charter capital as prescribed by the laws on enterprises (this is a new provision);

(ii) Conditions on telecommunications network deployment: Commitment to deploy telecommunications network when participating in the auction or competition for the right to use radio frequencies or applying for the re-issuance of a license to use radio frequency bands as prescribed by the law on radio frequencies (in lieu of a commitment to invest at least VND 2,500 billion in the first 3 years and at least VND 7,500 billion in 15 years to develop the telecommunications network as stipulated in the license under Decree 25).

(c) Satellite fixed and satellite mobile public telecommunications networks:

Enterprises applying for issuance of a license to provide services with network infrastructure, which is fixed satellite or mobile satellite public telecommunications network, must meet amended conditions on charter capital and conditions on telecommunications network deployment as follows:

(i) Conditions on charter capital: Having a minimum charter capital (instead of the legal capital as prescribed in Decree 25) of VND 30 billion and having fully contributed charter capital as prescribed by the laws on enterprises (this is a new provision).

(ii) Conditions on telecommunications network deployment: Commitment to invest a total investment capital of at least VND 100 billion in the network in the first 3 years from the date of being licensed to establish a telecommunications network (similar to the provisions in Decree 25).

(d) Determining compliance with investment capital requirements in the conditions for telecommunications network deployment:

This is a completely new provision of Decree 163, according to which an enterprise applying for issuance of a license to provide telecommunications services with network infrastructure is deemed to have met the investment capital requirements in the conditions for telecommunications network deployment if the investment amount in the commitment document to implement the conditions on telecommunications network deployment is not lower than the corresponding minimum investment capital prescribed in Decree 163; except for the case of an enterprise applying for amendment to or re-issue of a telecommunications service business license, the enterprise shall be deemed to have met the regulations on investment capital in the conditions on telecommunications network deployment if it falls into one of the following two cases:

(i) The actual amount invested to establish the previous telecommunications network (calculated according to the value at the time of investment) is not lower than the corresponding total minimum investment capital prescribed in Decree 163.

(ii) The investment amount stated in the written commitment to implement the conditions on telecommunications network deployment is not lower than the difference between the corresponding total minimum investment capital prescribed in Decree 163 and the amount the enterprise has invested to establish the actual telecommunications network previously (calculated according to the value at the time of investment).

4. Administrative procedures in the telecommunications sector

Based on the administrative procedure reforms stipulated in the Telecommunications Law 2024, Decree 163 provides specific measures and guidelines, including:

(a) For some application dossiers for issuance of, amendment to, and renewal of telecommunications service business licenses, licenses for installing telecommunications cables at sea, licenses for establishing private telecommunications networks, and licenses for testing telecommunications networks and services, instead of sending from 3 to 5 sets of dossiers to different agencies of the MOIC, collectively called the “telecommunications management agencies”; according to the new Decree, organizations wishing to apply only need to send 1 set of dossiers to the Telecommunications Department directly managed by the MOIC.

(b) In addition, Decree 163 also adds the dossier handling time limit and process to a number of specific procedures regarding the dossier handling steps, the handling time of the steps and the agencies responsible for implementation.

5. Management of terrestrial mobile subscriber information and terrestrial mobile SIMs

Previously, the authentication, storage, use of terrestrial mobile subscriber information and processing of terrestrial mobile SIMs with non-compliant mobile subscriber information in telecommunications service business were regulated and guided in different circulars and guidelines; now Decree 163 has for the first time provided specific and systematic instructions on this issue.

—–

Currently, in Vietnam, there are many Laws, including Law on Electronic Transactions, the Law on Cybersecurity, Law on Cyberinformation Security, Law on Telecommunications, and Law on Information Technology regulating databases, including national databases and specialized databases. However, all existing Laws do not specifically or consistently regulate data processing and management, such as data collection, digitization, quality assurance, data storage, etc.); do not regulate the development platform and application of high technology in data processing; do not regulate the creation of databases compiled from national databases and specialized databases; has not yet regulated the products and services related to data which are developing in the world such as data exchanges, data intermediary services, data analysis and synthesis services, etc. Meanwhile, the establishment of a data market, the construction and development of products and services related to data in Vietnam today plays a very important role, it is considered a breakthrough factor to gradually create and promote the opening of the data market in Vietnam, using the data market as a driving force for data development, promoting digital transformation (not only for the State agencies but also for enterprises) in all sectors and fields in Vietnam.

For above-mentioned purposes, along with collection of public opinions to finalise the draft Law on Personal Data Protection, on 30 November 2024, the National Assembly passed Data Law No.60/2024/QH15 (“Data Law”). The Data Law shall take effect on 1 July 2025 and applies not only to: (a) Vietnamese agencies, organizations and individuals; and (b) Foreign agencies, organizations and individuals in Vietnam; but also to (c) Foreign agencies, organizations and individuals directly participating in or related to digital data activities in Vietnam.

Within the scope of this article, we would like to summarize some notable contents of the Data Law as follows:

1. Interpretation

The Data Law provides several new definitions such as:

(a) “Digital data” is data about objects, phenomena, events, including one or a combination of sounds, images, numbers, writings, symbols expressed in digital form (hereinafter referred to as data).
(b) “Open data” is data that any agency, organization, or individual, if necessary, can access, share, exploit, and use.
(c) “Original data” is data created during the operation of an agency, organization, or individual or collected and created from digitizing original documents, papers, and other forms of material.
(d) “Important data” is data that can impact national defence, security, foreign affairs, macroeconomics, social stability, health, and public safety in the list issued by the Prime Minister;
(e) “Core data” is important data that directly affects national defence, security, foreign affairs, macroeconomics, social stability, health and public safety in the list issued by the Prime Minister of Government;
(f) “Data administrator” is an agency, organization or individual that carries out activities of building, managing, operating and exploiting data at the request of the data owner;
(g) “Data owner” is an agency, organization or individual that has the right to decide on the building, development, protection, administration, processing, use and exchange of the value of the data he/she/it owns;
(h) “Data owner’s rights to data” are property rights as prescribed by civil law.

in which there are some definitions different from the provisions of Decree No. 13/2023/ND-CP dated 14 July 2023 on Personal Data Protection, such as:

(a) “Data subject” is an agency, organization, or individual reflected by data; and
(b) “Data processing” is the process of receiving, converting, organizing data, and other activities related to data to serve the operations of agencies, organizations, or individuals.

2. Principles of Application

The Data Law stipulates that in the cases where another Law promulgated before the effective date of the Data Law has provisions that are not contrary to the principles of this Law, the provisions of that Law shall be implemented. If such Law has provisions different from those of the Data Law, it is necessary to specifically identify the content of implementation or non-implementation according to the provisions of the Data Law and the content of implementation according to the provisions of that other Law. Thus, the Data Law does not provide for handling the cases where other laws enacted before the effective date of the Data Law contain the provisions contrary to the principles of the Data Law.

3. Data Processing

3.1. Data Collection and Creation

The Data Law stipulates that:

(a) Data is collected and created from sources, including: direct creation; and digitization of documents, papers and other forms of material. The original data created has the same value as the original documents, papers and other forms of material that are digitized.
(b) Organizations and individuals have the following rights and responsibilities regarding data collection and creation activities: (i) Collecting and creating data to serve their activities in accordance with the provisions of law; (ii) Having the rights of data owners protected according to the provisions of the Data Law, provisions of civil laws and other relevant provisions of law; and (iii) Being responsible for the data they collect and create according to the provisions of law.

3.2. Data Classification

Data owners and data administrators who are not the State agencies must classify data according to the importance of the data into: core data, important data, and other data; and classify data according to other criteria. The Government will prescribe criteria for determining core data and important data.

3.3. Provision of Data to the State Agencies

Organizations and individuals must provide data to the State agencies when requested by competent authorities without the consent of the data subject in one of the following cases: (a) Responding to a state of emergency; (b) When there is a threat to national security but not to the extent of declaring a state of emergency; (c) Disaster; (d) Preventing and combating riots and terrorism. The State agencies receiving data are responsible for: (a) Using the data for proper purpose; (b) Ensuring data security, safety, data protection, and other legitimate interests of data subjects, organizations, and individuals providing data in accordance with the provisions of law; (c) Destroying data immediately when the data is no longer necessary for the requested purpose and notifying the data subjects and organizations or individuals providing the data thereof; and (d) Notifying the storage and use of data upon request of organizations and individuals providing the data, except in cases of protecting the State secrets and work secrets.

3.4. Data Certification and Authentication

Data certification is performed by the data owner, data administrator or electronic authentication service provider. Certified data has the value of proving the existence, time and storage location of data in cyberspace according to the provisions of the Data Law and other relevant provisions of law.

Data authentication is performed by the data owner, data administrator who creates the original data, electronic authentication service provider, or the National Data Centre. Authenticated data has the same value as the original data stored in the national database, specialized database or other database within a certain scope and time.

3.5. Data Encryption and Decryption

Data in the list of State secrets must be encrypted using cryptographic codes when stored, transmitted, received, and shared on computer networks. The data owner or data administrator decides to encrypt and decrypt data using one or more encryption solutions and encryption and decryption processes appropriate to their data administration and management activities. However, the competent State agencies are entitled to apply measures to decrypt data without the consent of the data owner or of data administrator in one of the following cases: (a) State of emergency; (b) When there is a threat to national security but not to the extent of declaring a state of emergency; (c) Disaster; and (d) Prevention and control of riots and terrorism; as prescribed by the Government.

3.6. Cross-border Transfer of Data

Agencies, organizations and individuals may freely transfer data from abroad to Vietnam, process foreign data in Vietnam, and have their legitimate rights and interests protected by the State in accordance with the provisions of law. The cross-border transfer and processing of core data and important data, including: (a) Transferring data stored in Vietnam to data storage systems located outside the territory of Vietnam; (b) Vietnamese agencies, organizations and individuals transferring data to foreign organizations and individuals; and (c) Vietnamese agencies, organizations and individuals using platforms outside the territory of Vietnam to process data must ensure national defence, security, protect national interests, public interests, rights and legitimate interests of data subjects and data owners in accordance with the provisions of Vietnamese laws and international treaties to which Vietnam is a member.

3.7. Identification and Management of Risks Arising in Data Processing

Risks arising in data processing include: privacy risks, network security risks, identification and access management risks, and other risks implied in data processing. Data owners who are not the State agencies shall self-assess, identify risks, and implement measures to protect data; promptly remedy risks that arise and notify to data subjects, relevant agencies, organizations, and individuals. Owners of core data and important data must periodically conduct risk assessments for such data processing activities according to the regulations and notify to specialized units on cybersecurity and information security under the Ministry of Public Security, Ministry of National Defence, and relevant agencies to coordinate in implementing data safety and security protection.

3.8. Other Activities in Data Processing

Data owners and data administrators who are not the State agencies are responsible for establishing procedures and implementing measures and methods to retrieve, delete or destroy data at the request of data subjects.

4. Data protection

Data protection measures are applied throughout the entire data processing process, including:

(a) Developing and organizing the implementation of data protection policies and regulations;
(b) Managing data processing activities;
(c) Developing and implementing technical solutions;
(d) Training, fostering, developing, and managing human resources; and
(e) Other data protection measures as prescribed by law.

Data owners as well as data administrators managing core data and important data must comply with the data protection regulations.

5. Data Exploitation

Data in the National General Database has the same value of exploitation and use as original data. Organizations and individuals who are not: (i) Vietnam Communist Party agencies, the State agencies, or socio-political organizations; and (ii) Data subjects; may freely to exploit and use open data; exploit and use personal data with the consent of the National Data Centre and individuals who are the subjects of exploited data; exploit and use other data with the consent of the National Data Centre. Data exploitation and use are carried out through the following methods: (i) Connecting and sharing data between national databases, specialized databases, databases, information systems other than the National General Database; (ii) National Data Portal, National Public Service Portal, electronic information portal, information system for processing administrative procedures; (iii) Electronic identification and authentication platform; (iv) National identification application; (v) Equipment, means, software provided by the National Data Centre; and (vi) Other methods.

Organizations and individuals exploiting and using their own data in the National General Database and other databases managed by the State agencies are not required to pay fees. Organizations and individuals that are not Vietnam Communist Party agencies, the State agencies or socio-political organizations exploiting and using data of other organizations and individuals in the National General Database and other databases managed by the State agencies must pay fees in accordance with the provisions of laws on fees and charges.

6. Data Products and Services

(a) The Data Law for the first time defines data products and services; including:

(i) Data intermediary

Data intermediary products and services are products and services that establish commercial relationships between data subjects, data owners and users of products and services, through agreements for the purpose of exchanging, sharing, accessing data, and exercising the rights of data subjects, data owners and data users. Organizations providing data intermediary products and services must be registered for operation and managed in accordance with the provisions of the law on investment; except for cases of providing data intermediary products and services within the organization.

(ii) Data analysis and synthesis

Data analysis and synthesis products are the result of the process of analysing and synthesizing data into useful in-depth information at different levels according to the requirements of the product users. Data analysis and synthesis services are the activities of analysing and synthesizing data according to the requirements of the service users. Organizations that trade in data analysis and synthesis products and services that may cause harm to national defence, security, social order and safety, social ethics, and public health must register their operations and be managed according to the provisions of the laws on investment.

(iii) Electronic authentication

Electronic authentication services perform data authentication in national databases, specialized databases, electronic identification and authentication systems provided by public non-business professional service units and the State-owned enterprises that meet the conditions for provision of this service.

(iv) Data trading floor

The organization providing data trading floor services is a public non-business professional service unit or State-owned enterprise that meets the conditions for provision of this service and is licensed to establish in accordance with the provisions of law. Data that is not allowed to be traded includes: (i) Data that is harmful to national defence, security, foreign affairs, and cryptography; (ii) Data which are not agreed to by data subjects, unless otherwise provided by law; and (iii) Other data that is prohibited from being traded in accordance with the provisions of law; and will be detailed by the Government.

(b) In addition, the Data Law also stipulates the rights and obligations of organizations providing data products and services. Accordingly,

(i) Organizations providing data intermediary products and services, data analysis and synthesis enjoy the same incentives as enterprises operating in the fields of high technology, innovation, creative start-ups, and digital technology industry.
(ii) Organizations providing data intermediary products and services, data analysis and synthesis service, and data trading floor service also have a number of responsibilities such as: Providing services to organizations and individuals on the basis of agreements in service provision contracts; Ensuring information reception channels and smooth and continuous use of services; Monitoring behaviours that may affect data protection; etc./.