Data Protected - Vietnam

Contributed by Allens

Last updated September 2022

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

Vietnam does not have a consolidated law on data protection. The most comprehensive legal framework on data protection is the Law on Cyber Information Security (Law No. 86/2015/QH13) (the "LCIS") and the Law on Cyber Security (Law No.24/2018/QH14) (the "LCS").

Other relevant provisions can be found in the Constitution No. 18/2013/L-CTN, the Civil Code (Law No. 91/2015/QH13), the Penal Code (Law No.100/2015/QH13), the Law on Protection of Consumers’ Rights (Law No. 59/2010/QH12), the Law on E-Transactions (Law No. 51/2005/QH11), the Law on Information Technology (Law No. 67/2006/QH11), the Law on Judicial Records (Law No. 28/2009/QH12), the Law on Insurance Business (Law No. 24/2000/QH10 as amended by Law No. 61/2010/QH12), the Law on Medical Examination and Treatment (Law No. 40/2009/QH12), the Law on Telecommunications (Law No. 41/2009/QH12), the Law on Credit Institutions (Law No. 47/2010/QH12), the Law on Pharmacy (Law No. 105/2016/QH13), the Law on Statistics (Law No. 89/2015/QH13), the Children Law (Law No. 102/2016/QH13), the Law on Technology Transfer (Law No. 07/2017/QH14), and the Law on Protection of State Secrets (Law No. 29/2018/QH14).

Primary legislation tends to be generally drafted leaving its precise application open to interpretation. This interpretation is sometimes clarified by detailed regulations, but not in all cases. Therefore, application of the law to a particular set of facts is not always clear.

Currently, the Ministry of Public Security is drafting a decree on personal data protection ("Draft Decree") which will impose additional obligations. 

Entry into force

The LCIS came into effect on 1 July 2016. The LCS came into effect recently, on 1 January 2019. Other laws referred to above came into effect on a number of different dates.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Ministry of Information and Communications and the Ministry of Public Security assume the prime responsibilities for regulation. They coordinate with the Ministry of National Defence and other related ministries.


Contact information:

Ministry of Information and Communications
18 Nguyen Du Street
Hang Bai Ward
Hoan Kiem District
Hanoi
Vietnam

english.mic.gov.vn/Pages/home.aspx

Ministry of Public Security
44 Yet Kieu Street
Cua Nam Ward
Hoan Kiem District
Hanoi
Vietnam

http://en.bocongan.gov.vn/

The Draft Decree provides for a State authority, being the Personal Data Protection Committee, to regulate personal data protection.

Notification or registration scheme and timing

There is no notification or registration scheme for the collection, use or disclosure of personal data.

However, the Draft Decree will introduce a registration regime for processing sensitive personal data.

Exemptions to notification

Not applicable. The Draft Decree will also introduce a number of circumstances where registration for processing sensitive personal data is exempted (e.g. processing of sensitive personal data is carried out for the purpose of handling of breaches of law).

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

In principle, Vietnamese laws apply to activities conducted partly or wholly in the territory of Vietnam.

However, the scope of application of some laws may extend beyond Vietnam. The LCIS applies to, among others, foreign organizations and individuals directly involved in or related to cyber information security activities in Vietnam. If an organization or individual conducts cyber information security activities outside the territory of Vietnam but the consequences occur in Vietnam, it may still be subject to the law.

Is there a concept of a controller and a processor?

There is no separate concept of a controller or a processor. The majority of the obligations are imposed on “Processing Organisations”, being entities processing personal data.

However, the Draft Decree is likely to introduce the concept of a "data processor".

Are both manual and electronic records subject to data protection legislation?

The other laws discussed above do not make any specific distinction between manual and electronic records. Therefore, both records would be subject to the same data protection regulation.

Are there any national derogations?

The LCIS only applies to information processed over telecommunications and computer networks.

_____________________________________________________________________

Personal Data

What is personal data?

The LCIS defines “personal data” as information associated with the identification of a specific person. Other laws related to personal data also have their own definitions, which resemble the definition in the LCIS. Personal data also includes personal secrets and the concept of personal privacy (see below).

The Draft Decree defines personal data to mean data about individuals or data relevant to identifying a specific individual.

Is information about legal entities personal data?

No. However, if information about legal entities includes information that meets the definition of personal data, for example, information about employees, the information is considered personal data.

What are the rules for processing personal data?

Under the LCIS, Processing Organisations and individuals processing personal data: (i) must only collect personal data after obtaining the consent of the data subject on the scope and purpose of the collection and use of such information; (ii) must obtain the consent of the data subject to use the collected personal information for anything other than the initial purposes; and (iii) must not disclose personal information they have collected, accessed or controlled to a third party, unless they obtain the consent of the data subject or at the request of authorised state bodies. Similar provisions can be found in other laws referred to above.

The processing of personal information for national defence and security purposes, social order and safety or for non-commercial purposes must comply with other relevant laws.

The Law on Information Technology takes a similar approach to the collection, processing and use of personal data. However, it also sets out other conditions under which personal data can be processed without the consent of the data subject, including for: (i) signing, modifying or performing contracts on the use of data in the network environment; (ii) calculating charges for the use of data or services in the network environment; or (iii) performing other obligations provided for by law.

The Draft Decree also follows similar approaches for the collecting, processing and use of personal data. For example, personal data can only be used with the consent of the data subject or as approved by relevant authorities and must be processed in accordance with registered purposes and declaration on personal data processing. The Draft Decree also sets out certain circumstances in which personal data can be disclosed or processed without consent from the data subject.

Are there any formalities to obtain consent to process personal data?

Generally, there are no specific formalities to obtain consent from a data subject.

However, under the Law on Information Technology, and unless a legal exemption applies, Processing Organisations and individuals processing personal data must inform a data subject of the form, scope, place and purpose for the collection, processing and use of the data subject’s personal data.

The Draft Decree introduces further requirements on obtaining consent to process personal data. In particular, consent to process personal data is only effective if it is voluntary and is given on the basis of the data subject being aware of the types of personal data to be processed, the processing purpose, the third parties who will receive or handle the personal data, the conditions for transferring or sharing personal data with third parties, and the lawful rights of the data subject in relation to the personal data. The consent granted can be unconditional or conditional and can be withdrawn by the data subject at any time.

The Draft Decree further confirms that silence or no response from the data subject is not considered as consent being granted. Consent from the data subject must be in a written, printable, and copyable format.

Are there any special rules when processing personal data about children?

There are no specific rules under the LCIS that apply when processing personal data about children.

However, under the Law on Children, it is prohibited to disclose the personal data of a child without the consent of either the child in question (where the child is over the age of 7 but younger than 16 years old) or the child's parents or guardian. There is also a general obligation on agencies, organisations and individuals operating online to apply measures to ensure the safety of children and the confidentiality of their personal secrets.

Are there any special rules when processing personal data about employees?

The Labour Code does not impose specific obligations on employers to protect personal data of employees. However, the employer, as one party to the employment contract, has an obligation under the Civil Code to keep confidential information received from the employee and not to use such information for the private purposes of such party or for other illegal purposes.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data is not defined under Vietnamese law. However, Vietnamese law does recognise the concept of personal privacy or personal secrets and considers any such related information to be personal data. This includes any information that a data subject may wish to keep confidential, such as medical records, tax payment dossiers, social insurance numbers, credit card numbers and other information defined by law.

Sensitive data also extends to banking operations such as PIN codes and enciphering codes, which must be encrypted at the application layer. Further, any transactions made over a wireless network which involve sensitive personal data must be protected, such as bank account information, social networking accounts, chat content, email data, photos, videos and other private information.

The Draft Decree will introduce a definition of "sensitive personal data", being: (i) political and religious views; (ii) ethnicity or race; (iii) health status; (iv) genetic information; (v) biometric data; (vi) gender and sex life information; (vii) crime data; (viii) financial data; (ix) location data; (x) social affairs data; and (xi) other personal data classified by law as requiring special protection measures.

Are there additional rules for processing sensitive personal data?

There are some additional protections for personal privacy or personal secrets. For example, state agencies holding personal secrets must protect that information and may only supply or share it with competent third parties in limited cases provided by law. Vietnamese law also provides additional protection for medical records, for persons participating in clinical trials of a drug, and for customers' data in the banking sector.

The Draft Decree will include provisions for the registration of the processing of sensitive data.

Are there additional rules for processing information about criminal offences?

There are no specific rules for processing information about criminal offences under the LCIS. However, if a data subject wishes information about criminal offences to be kept secret and such information meets the standard of a ‘personal secret’, the rules for processing are the same as for personal data.

The Law on Criminal Procedures allows a Court to hear a case in closed session. This applies in cases involving protection of persons aged below 18 or cases affecting personal privacy as per the litigant's request. However, the judgments must be pronounced publicly.

Are there any formalities to obtain consent to process sensitive personal data?

There are no formalities to obtain consent to process sensitive personal data. Therefore, the same rules as for personal data apply, which require Processing Organisations to inform data subjects of the form, scope, place and purpose of the collection, processing and use of their data.

The Draft Decree further emphasizes that the data subject would need to be aware that the personal data to be processed are of a sensitive nature and that the consent obtained must be in a written, printable and copyable format.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There are no legal requirements to appoint a data protection officer.

The Draft Decree will introduce the concept of a data protection officer.

What are the duties of a data protection officer?

Not applicable.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Under the LCIS and Law on Information Technology, Processing Organisations are generally required to apply necessary management and technical measures to protect personal data.

The same principle is adopted under the Draft Decree, where Processing Organisations are required to apply management, technical and physical measures to protect personal data so as to ensure that: (i) the confidentiality, integrity and usability of personal data are maintained; (ii) personal data are encrypted and codified; and (iii) the processing history of personal data held by Processing Organisations is stored, copied, extracted and protected.

Are privacy impact assessments mandatory?

Not applicable.

The Draft Decree will introduce privacy impact assessments as required documentation for registration of sensitive personal data processing and personal data cross-border transfer.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Under the LCIS, a Processing Organisation must notify the person whose data is processed of the scope and purpose of the collection and use of his or her personal data. If a data subject requests information about the use of the data for the purposes of providing consent to the collection of the data, the person collecting the data is required to provide this information.

Rights to access information

Data subjects can request their personal information from Processing Organisations.

Rights to data portability

There are no legal provisions on the right to data portability. However, since data subjects are entitled to request their personal information from Processing Organisations, they can receive the data in different electronic formats.

Right to be forgotten

The right to be forgotten concept is not regulated under the laws of Vietnam.

However, under the LCIS, where a data subject requests that a Processing Organisation update, amend or delete their personal information, or stop providing their personal information to a third party, the Processing Organisation and individuals must: (i) comply with the request and either notify the data subject or allow them to alter or delete their information; and (ii) take appropriate measures to protect such personal information, or notify the data subject, where the request cannot be fulfilled for technical or other reasons. Processing Organisations must delete any stored personal information once the intended purposes have been accomplished or the storage period has expired, and notify the data subject, unless otherwise prescribed by law. Similar provisions can be found in other laws referred to above.

Objection to direct marketing and profiling

The consent of the data subject is required in order to use personal data for the purposes of direct marketing.

Other rights

None.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Under the LCIS, Processing Organisations must take appropriate managerial or technical measures to protect information and observe applicable technical regulations and standards.

In addition, information systems are classified into five security levels according to their function and the level of confidentiality of the information they process, for the purpose of applying corresponding managerial and technical measures to protect these information systems.

Further, a Processing Organisation administering an information system must: (i) determine the security level of the system; (ii) assess and manage the security risks posed to the system; (iii) supervise, expedite and examine the protection of the system; (iv) comply with the reporting regime; (v) conduct public communication to raise awareness of cyber information security; (vi) adopt measures to protect the system, including managerial and technical measures in accordance with applicable technical standards and regulations; and (vii) supervise the security of the system.

Specific rules governing processing by third party agents (processors)

Processing Organisations must coordinate with state authorities to ensure the protection of personal data.

Notice of breach laws

Under the LCS, a cyberspace service provider in Vietnam has to notify the user and report to the Cybersecurity Task Force in the event of disclosure of, damage to or loss of data about user information. Agencies, organizations and individuals using cyberspace have to promptly provide information relating to cybersecurity to the competent agency and Cybersecurity Task Force. 

The main Cybersecurity Task Force will be organised by the Ministry of Public Security and the Ministry of Defence. Other Cybersecurity Task Forces will be organised under ministries, branches, provincial people's committees, agencies and organizations which directly manage information systems critical for national security.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The LCS obliges certain enterprises providing internet services in Vietnam (captured enterprises) to store certain users' data (captured data) in Vietnam.

Vietnam has recently issued Decree 53/2022/ND-CP (“Decree 53”) that clarifies the operation of these rules. In particular, it defines “captured data” to be: (i) personally identifiable information data; (ii) data created by users in Vietnam, including the account name used for the service, time of service use, credit card information, email address, IP address of the latest login or logout, and the registered phone number associated with the account or data; and (iii) data on a user's relationships in Vietnam, including the user’s friends or groups.

Decree 53 also treats local and foreign enterprises differently. A local enterprise will be a “captured enterprise” if it carries on any of the following services in Vietnam: (i) telecommunication services; (ii) telecommunication-based application services; (iii) value-added telecommunication services (including email service, voicemail service, fax service, and internet access service); (iv) internet services; and (v) over-the-top content services on the internet.

In contrast, a foreign enterprise will only be a “captured enterprise” in limited situations. This categorisation will occur where: (i) it provides certain specified internet services; (ii) those services have been used to commit a breach of cyber security laws; (iii) the Department of Cybersecurity and High-Tech Crime Prevention and Control under the Ministry of Public Security has notified the foreign enterprise of the cybersecurity law violation and requested co-operation; (iv) the foreign enterprise fails to provide that co-operation; and (v) the Minister of Public Security issues an order requiring the enterprise to store data locally and set up a branch or representative office in Vietnam. Where such an order is made, the foreign enterprise must establish a branch or office in Vietnam and must keep the relevant information for a minimum of 24 months.

Further, personal data that amount to a State secret must also be stored in Vietnam. Examples of this type of data include: (i) information on members of the People's Army, People's Public Security and intelligence agencies who are sent for training at home or abroad; (ii) information on protection of health of high-ranking leaders of the Party and the State; (iii) information, documents and figures on population surveys; and (iv) strategies, plans and schemes on organization and personnel work of Party and State agencies and socio-political organizations.

The Draft Decree is likely to introduce restrictions on transfer of personal data abroad.

Notification and approval of national regulator (including notification of use of Model Contracts)

No. The Draft Decree will likely introduce a registration mechanism for cross-border transfers of personal data.

Use of binding corporate rules

There is no ability to use binding corporate rules in respect of transfers to third countries.

_____________________________________________________________________

Enforcement

Fines

Infringement of privacy laws may lead to: (i) administrative fines of between VND10 million (c. USD435) and VND20 million (c. USD870) for collecting personal data without the consent of the data subject; (ii) administrative fines of between VND40 million (c. USD1,740) and VND60 million (c. USD2,610) for publishing personal secrets or other personal data without the consent of the data subject; and (iii) administrative fines of between VND20 million (c. USD870) and VND30 million (c. USD1,305) for failing to apply the necessary management and technical measures to ensure the safety of other persons' personal data, or for supplying other persons' personal data to a third party in a network environment. The Draft Decree proposes administrative fines of up to VND80 million (c. USD3,280) for violations of regulations concerning the rights of data subjects (e.g. the right to consent), and up to VND100 million (c. USD4,350) for not applying technical measures to protect personal data.

Consumers' personal data in e-commerce activities is also protected by administrative fines, including: (i) administrative fines of between VND2 million (c. USD87) and VND20 million (c. USD870) for developing personal data protection policies that are not compatible with regulations, not showing consumers the personal data protection policies before or at the time of collecting such data, or failing to check, update, amend or cancel personal information when requested to do so by the subject of the information; (ii) administrative fines of between VND20 million (c. USD870) and VND40 million (c. USD1,740) for failing to set up a mechanism for receiving and resolving complaints from consumers, or not implementing policies to ensure safety and security in the collection and use of consumers' personal data; and (iii) administrative fines of between VND40 million (c. USD1,740) and VND60 million (c. USD2,610) for collecting consumers' personal data without the consent of the data subject, setting up a default mechanism that forces consumers to agree that their personal data be shared, disclosed or used for advertising and other commercial purposes, or using consumers' personal information in a manner inconsistent with the notified purpose and scope.

Besides monetary fines, e-commerce activities may be suspended for 3 to 6 months for a violation of point (iii). In addition, administrative fines of between VND60 million (c. USD2,610) and VND80 million (c. USD3,480), confiscation of the means of violation, and suspension of e-commerce activities for 6 to 12 months may be applied for stealing, using, revealing, transferring or selling information relating to the trade secrets of other business persons or the personal data of customers in e-commerce activities without consent from the related parties.

Separately, regulators are working on a draft decree on administrative penalties in the cybersecurity space.

Imprisonment

Infringement of privacy laws may lead to criminal penalties of up to three years’ imprisonment for infringement of other persons’ rights to privacy or other circumstances arising in relation to the access or interception of communications (mail, telephone and/or telegraphic communications) without the consent of the data subject.

Compensation

Under the civil code, if personal data rights are infringed, the data subject is entitled to demand or request a competent body or person to compel the infringing party to compensate the data subject.

Other powers

Not applicable.

Practice

There have been some cases of regulators imposing administrative fines for breaches of personal privacy, mostly in a network environment. As regulations on personal data protection develop, we have seen more enforcement actions in this space. There are no exact statistics on the number of enforcement actions taken in the last 12 months, and the majority of enforcement actions are not publicly disclosed.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There is no specific ePrivacy law in Vietnam. However, the LCIS, the Law on Information Technology and Law on Electronic Transactions contain some provisions that address ePrivacy issues.

_____________________________________________________________________

Cookies

Conditions for use of cookies

The use of cookies is not specifically regulated under Vietnamese law. However, personal data collected via the use of cookies is subject to Vietnamese privacy laws in the same manner as other personal data.

Regulatory guidance on the use of cookies

Since the use of cookies is not specifically regulated, the guidance for storing personal data in cyberspace by means of cookies is the same as the rules that apply to the management and processing of personal data, which require the consent of the data subject.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Pursuant to Decree 91 dated 14 August 2020 on Anti-Spam Messages, Emails and Calls ("Decree on Anti-Spam"), advertisers via emails are only permitted to send advertising emails to users after users have provided express consent on receiving such advertising emails.

Advertisers must also provide a clear mechanism for users to opt-out from receiving advertising emails. As soon as advertisers receive opt-out requests from users, advertisers must acknowledge receipt of opt-out requests and stop sending advertising emails to users who opted out.

There are further requirements for advertisers to store subscription and opt-out requests and confirmation and to provide searching and storing tools so users can access these documents, among other obligations.

An advertiser is only permitted to send a maximum of three emails to one user within 24 hours, unless otherwise agreed with the user. The contents of advertising emails must comply with the laws on advertising.


Conditions for direct marketing by e-mail to corporate subscribers

The rules are the same as for individual subscribers.

Exemptions and other issues

The Decree on Anti-Spam provides for other requirements. In particular, the email subject and content must be consistent, and advertising content must comply with the laws on advertising. Advertising emails must be labelled with [QC] or [AD] at the beginning of the email subject to indicate that the email is an advertisement. Advertisers must provide information such as their name, telephone number, email address, geographical address, website and social network (if any). This information must be expressly set out in the email and must be provided immediately before the select function permitting the recipient to opt out of email marketing. Where the advertising email concerns a chargeable service, the email must provide information on the fees to be charged. Further, an advertising email must include a function permitting users to opt out of receiving advertising emails.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under the Decree on Anti-Spam, direct marketing by telephone and text message follows similar principles on required consent and opt-out mechanisms as set out above. Advertisers are also restricted to a maximum of three advertising calls or three advertising text messages to one user within 24 hours, unless otherwise agreed with the user.

Further to the above, advertisers are not permitted to make advertising calls or send advertising text messages to users on the Do Not Call list. Advertisers are required to check the Do Not Call list carefully before advertising. Unless otherwise agreed with users, advertisers are only permitted to send advertising text messages between 7:00 am and 10:00 pm each day, and to make advertising calls between 8:00 am and 5:00 pm each day.

Advertisers are required to register with the Ministry of Information and Communications and obtain from this authority a name identifier code before they can make advertising calls or send advertising text messages.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The rules are the same as for individual subscribers.

Exemptions and other issues

There are further requirements in relation to advertising text messages. In particular, advertising messages must be labelled with [QC] or [AD] at the beginning of the message to indicate that it is an advertising text message. Where the advertising text message concerns a chargeable service, the text message must provide information on the fees to be charged. Further, an advertising text message must include a function permitting users to opt out of receiving advertising text messages.
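The email and telephone marketing rules above translate directly into a pre-send policy check. The following is an added example, not code from the original page or from Allens: a checker that applies the consent, opt-out, Do Not Call, three-per-24-hours, [QC]/[AD] label, sending-hours and fee-disclosure rules to a proposed email, text message or call. The Recipient and Message records, field names and sample data are constructed for the example; the thresholds are the ones stated in the text.

```python
# Constructed example: pre-send check of a marketing message against the
# Decree on Anti-Spam rules summarised in this page.  Not an official tool.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional

ADVERT_LABELS = ("[QC]", "[AD]")          # required prefix of subject / message
DEFAULT_LIMIT_PER_24H = 3                 # per user, unless otherwise agreed
SMS_HOURS = (time(7, 0), time(22, 0))     # 7:00 am to 10:00 pm
CALL_HOURS = (time(8, 0), time(17, 0))    # 8:00 am to 5:00 pm


@dataclass
class Recipient:
    """What the advertiser holds on record for one user (constructed)."""
    address: str
    consented: bool = False              # express consent to receive adverts
    opted_out: bool = False              # an opt-out request was received
    on_do_not_call: bool = False         # listed on the Do Not Call list
    agreed_limit: Optional[int] = None   # user agreed to a different daily cap
    agreed_any_hours: bool = False       # user agreed to SMS/calls outside hours


@dataclass
class Message:
    """A proposed outgoing advert (constructed)."""
    channel: str                         # "email", "sms" or "call"
    subject: str                         # email subject or start of SMS text
    send_at: datetime
    has_opt_out: bool = True             # opt-out function included
    sender_info: bool = True             # name, phone, email, address, website
    chargeable: bool = False             # concerns a chargeable service
    fee_disclosed: bool = False          # fee information included


def within(hours, t: time) -> bool:
    lo, hi = hours
    return lo <= t <= hi


def check_message(msg: Message, rcpt: Recipient,
                  history: List[datetime]) -> List[str]:
    """Return the list of rule violations; an empty list means the send is allowed."""
    problems = []
    if not rcpt.consented:
        problems.append("no express consent on record")
    if rcpt.opted_out:
        problems.append("recipient has opted out")
    if msg.channel in ("sms", "call") and rcpt.on_do_not_call:
        problems.append("recipient is on the Do Not Call list")

    # at most three adverts to one user in any 24-hour period
    limit = rcpt.agreed_limit or DEFAULT_LIMIT_PER_24H
    start = msg.send_at - timedelta(hours=24)
    recent = [t for t in history if start < t <= msg.send_at]
    if len(recent) >= limit:
        problems.append(f"{len(recent)} adverts already sent in the last 24h "
                        f"(limit {limit})")

    # [QC]/[AD] label at the start of the subject (email) or message (SMS)
    if msg.channel in ("email", "sms") and not msg.subject.startswith(ADVERT_LABELS):
        problems.append("subject/message must begin with [QC] or [AD]")

    # permitted sending hours for SMS and calls, unless the user agreed otherwise
    if msg.channel in ("sms", "call") and not rcpt.agreed_any_hours:
        hours = SMS_HOURS if msg.channel == "sms" else CALL_HOURS
        if not within(hours, msg.send_at.time()):
            problems.append(f"{msg.channel} outside permitted hours "
                            f"{hours[0]:%H:%M}-{hours[1]:%H:%M}")

    if not msg.has_opt_out:
        problems.append("no opt-out function included")
    if msg.channel == "email" and not msg.sender_info:
        problems.append("advertiser contact details missing")
    if msg.chargeable and not msg.fee_disclosed:
        problems.append("chargeable service without fee information")
    return problems


def record_opt_out(rcpt: Recipient) -> str:
    """Apply an opt-out request immediately and return the acknowledgement
    that must be sent back to the user."""
    rcpt.opted_out = True
    return f"Opt-out request from {rcpt.address} received; no further adverts."


if __name__ == "__main__":
    user = Recipient("user@example.com", consented=True)
    now = datetime(2022, 9, 1, 10, 0)
    sent = [now - timedelta(hours=h) for h in (2, 5, 20)]   # constructed send log
    mail = Message("email", "[QC] September offers", now)
    print(check_message(mail, user, sent))      # daily limit already used up
    print(check_message(mail, user, sent[:2]))  # [] -> allowed
```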

_____________________________________________________________________