April 2024

1. Governing Texts

In Vietnam, the right to privacy and personal secrets is a constitutional right. Prior to July 1, 2023, rules and regulations on personal data protection can be found in several laws, including general laws such as the Civil Code 2015 No. 91/2015/QH13 (November 24, 2015) (only available in Vietnamese here) (Civil Code) and the Law on Cyber Information Security No. 86/2015/QH13 (November 19, 2015) (LCS) and sectoral laws.

On April 17, 2023, the Government of Vietnam (the Government) issued Decree No. 13/2023/ND-CP on the Protection of Personal Data (April 17, 2023) (only available in Vietnamese here) (PDPD) which came into effect on July 1, 2023. The PDPD is the Government's first step towards consolidating the regulations on personal data. Based on Decision No. 06/QD-TTg 2022 (January 6, 2022) (only available in Vietnamese here) of the Prime Minister of Vietnam, the Ministry of Public Security is tasked with researching and drafting a law on the protection of personal data, the first draft of which should be introduced in 2024.

1.1. Key acts, regulations, directives, bills

• PDPD.
• LCS.
• Law on Cybersecurity No. 24/2018/QH14 (June 12, 2018) (only available to download in Vietnamese here) (the Cybersecurity Law), which regulates cyber activities that impact national security and social order and safety
• Civil Code – Article 38 provides rules for the collection, storage, processing, use, disclosure, and publication of personal information.
• Law on Electronic Transactions No. 20/2023/QH15 (adopted on June 22, 2023, and will become effective on July 1, 2024) (only available in Vietnamese here), which governs electronic transactions by state agencies as well as the private sector and generally prohibits the use, provision, or disclosure of data, which can be accessed in relation to an electronic transaction, without consent
• Law on Information Technology No. 67/2006/QH11 (June 29, 2006) (only available in Vietnamese here) (the IT Law), which governs information technology applications and development, sets out the rights and obligations of agencies, organizations, and individuals engaged in these activities, as well as regulates the collection, processing, use, storage, and provision of personal data on a network environment.
• Law on Telecommunications No. 24/2023/QH15 (adopted on November 24, 2023, and will become effective on July 1, 2024) (only available in Vietnamese here), which regulates telecommunications activities and the rights and obligations of those working in the telecommunication industry, and expressly requires telecommunications enterprises not to disclose information of an end-user without consent from such end-user or a valid request from a competent authority.
• Law on Credit Institution No. 32/2024/QH15 (adopted on January 18, 2024, and will become effective on July 1, 2024) (only available in Vietnamese here), which governs the establishment and operations of credit institutions in Vietnam, and expressly requires a credit institution to keep confidential all information regarding its users' accounts, assets, and transactions, unless consent is given or there is a valid request from a competent authority.
• Law on Postage No. 49/2010/QH12 (June 17, 2010) (only available in Vietnamese here), which governs the administration of the postal service, and generally requires protection of the confidentiality of postal parcels.
• Law on Protection of Consumers' Rights No. 19/2023/QH15 (adopted on June 20, 2023, and will become effective on July 1, 2024) (only available in Vietnamese here), which sets out a variety of consumer rights and details organizations' obligations to protect consumer information.
• Law on Publication No. 19/2012/QH13 (November 10, 2012) (only available in Vietnamese here), which sets out the rights and obligations of individuals and organizations in the publishing industry and prohibits unauthorized disclosure of national secrets, personal secrets, and certain other secrets.
• Press Law No. 103/2016/QH13 (April 5, 2016) (only available in Vietnamese here), which governs the press, including citizens' rights to freedom of the press and freedom of speech in the press, and the rights and obligations of agencies, organizations, and individuals involved in the media industry, and prohibits unauthorized access and disclosure of national secrets, personal secrets, and certain other secrets.

1.2. Guidelines

Guidance on Vietnamese laws is issued in the form of Government Decrees, Ministry circulars, and decisions. In general, the protection of privacy and personal data is under the responsibility of the Ministry of Public Security (MPS). Other ministries, including the Ministry of National Defense, Ministry of Information and Communications, and Ministry of Science and Technology, will have input on the MPS's decisions.

1.3. Case law

Not applicable. 

2. Scope of Application

2.1. Personal scope

Vietnamese personal data protection laws apply to organizations and individuals that are involved in the processing of personal data (data controller, data processor, or third party) and natural persons, who are identified or identifiable from the personal information (data subject).

2.2. Territorial scope

Generally, Vietnamese personal data protection regulations cover data processing activities within the territory of Vietnam, regardless of the nationality of the data processor or data controller, data processing activities of Vietnamese companies or individuals operating offshore, and entities and individuals (onshore or offshore) which directly participate in or are involved in data processing activities in Vietnam.

2.3. Material scope

Vietnamese personal data protection regulations apply to the following personal data processing activities: collecting, recording, analyzing, verifying, storing, editing, publishing, combining, accessing, retrieving, encrypting, decrypting, copying, sharing, transferring, providing, transmitting, deleting or removing personal data, and any other relevant activities, including automated data processing activities.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The MPS is the supervisory authority for data protection. The Department of Cybersecurity and Prevention of Cybercrimes (the Cybersecurity Department) is a specialized task force, which was established by the MPS for the implementation and enforcement of data protection regulations.

3.2. Main powers, duties and responsibilities

The MPS's authority includes the power to:

• assist the Government with the supervision of personal data protection;
• provide guidance and implement personal data protection activities; protect the rights of data subjects against violations of regulations of personal data protection; propose the promulgation of personal data protection standards and recommendations;
• develop, manage, and operate the National Portal on Personal Data Protection;
• evaluate the results of data protection activities of involved entities, agencies, and individuals;
• receive the submission of portfolios, forms, and information in relation to personal data protection in accordance with the PDPD;
• adopt measures and conduct research to innovate the protection of personal data, and promote international cooperation in the protection of personal data; and 
• conduct inspections, and handle complaints, denunciations, and violations against regulations on the protection of personal data.

4. Key Definitions

Data controller: Any entity or individual that determines the purposes for which and the manner in which personal data is processed.

Data processor: An entity or an individual that processes personal data for and on behalf of the data controller in accordance with a contract or an agreement with the data controller.

Personal data: Any information in the form of symbols, letters, numbers, graphics, audio, or any other form in a digital environment in relation to the identification of a particular natural person or when combined with other data, can identify a particular natural person. Personal data is divided into basic personal data and sensitive personal data.

Basic personal data: Includes:

• name, nickname (if any);
• date of birth, date of death, or date of missing;
• gender;
• location of birth, permanent address, temporary address, current address, contact address;
• nationalities;
• personal photos;
• phone number, ID, passport, license plate, driver's license, tax, social security number, and medical insurance number;
• marriage status and information in relation to the family (parents, children);
• information of digital accounts of a person and data that reflects activity or history of activity of an individual on the internet; and
• other data referring to a specific person or, when combined with other data and information, can identify a specific person but is not sensitive personal data.

Sensitive data: Includes:

• political opinion, religious views;
• medical status and private information in medical records, not including blood types;
• ethnicity information;
• genetic information;
• biometrics and physical information;
• sexual orientation;
• criminal records collected and maintained by enforcement agencies;
• customers' information of financial institutes, intermediary payment service providers, including KYC information and account information, assets, transactions, guarantees/guarantors;
• live location identified through location services; and
• other personal data that is determined by the law to be unique and needs to be secured.

Processing of personal data: Means one or more of the following activities: collecting, recording, analyzing, verifying, storing, editing, publishing, combining, accessing, retrieving, encrypting, decrypting, copying, sharing, transferring, providing, transmitting, deleting or removing personal data, and any other relevant activities.

Health data: Not applicable.

Biometric data: Not applicable.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

Legal bases, which a data controller can rely on for the processing of personal data, include consent. In regard to consent, the same must be:

• voluntary and fully informed of:
  • the type of personal data to be processed;
  • purposes of such process;
  • who is permitted to process;
  • the rights and obligations of the data subjects; and
  • whether the data is sensitive personal data;
• expressed and specific in writings, voice recordings, tick to agree, text messages, choosing the technical option to agree, or other actions. Silence or non-action will not be considered valid consent; and
• in a format that can be printed, or copied in writing, including electronic formats and other verifiable formats.

In addition, consent can be partial or conditional.

5.2. Contract with the data subject

Legal bases, which a data controller can rely on for the processing of personal data, include performing the contractual obligations of the data subject with the relevant entities or individuals in accordance with the law.

5.3. Legal obligations

Legal bases, which a data controller can rely on for the processing of personal data, include the publishing of personal data as required by law.

5.4. Interests of the data subject

Legal bases, which a data controller can rely on for the processing of personal data, include in an emergency, which requires immediate processing of personal data to protect the lives and health of the data subject or of other individuals.

5.5. Public interest

Legal bases, which a data controller can rely on for the processing of personal data, including where the processing of personal data in case of emergency to national defense, national security, social safety and order, natural disaster, diseases, or potential risks to national security but not required to declare an emergency state; or to fight against riot, terrorists, criminals, and other legal violations in accordance with the law.  

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Legal bases, which a data controller can rely on for the processing of personal data, include serving the activities of the authorities as provided in any sectoral law.

6. Principles

The following data protection principles exist in Vietnamese laws (Article 3 of the PDPD):

• personal data will be processed in accordance with the laws;
• the data subject has the right to be informed of processing activities in relation to their personal data unless otherwise provided for by law;
• personal data will only be processed in accordance with the purposes that have been registered or declared by the data controller and the data processor;
• personal data must be collected, updated, and supplemented to the appropriate extent for the scope and purposes of the processing;
• purchase or sale of personal data must be prohibited in any form unless otherwise provided for by law;
• personal data must be protected and secured throughout the processing; and
• personal data must only be stored for the duration that is appropriate for the processing purposes unless otherwise provided for by law.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no registration requirement.

The data subject must be notified before their personal data is processed (Article 13 of the PDPD). The notification must be in a verifiable format (writing, digital, or other printable format) and include the following information:

• purposes of the processing activities;
• type of personal data being processed;
• processing methods;
• information of the parties involved in such processing activities;
• potential unwanted consequences; and
• start and end time of the processing activities.

Notification is not required if the data subject has already given consent or if data is being processed by a competent authority for a lawful purpose.

7.2. Data transfers

The Cybersecurity Law requires the storage of personal information, customer's information, or any information created by customers in Vietnam for a period of time specified by the Government of the Socialist Republic of Vietnam and to establish its physical presence in Vietnam, for organizations that:

• provide services on the telecom network, the internet, and value-added services on cyberspace in Vietnam, value-added services include storage and sharing of data in cyberspace, national or international domain name registries, e-commerce services, social networking services, online gaming services, email services; and
• collect, analyze, or process personal data about service users in Vietnam.

The guidance for implementation of this requirement will be set forth in future sub-regulations.

On August 15, 2022, the Vietnamese government issued Decree 53/2022/ND-CP (August 15, 2022) (only available in Vietnamese here) (Decree 53). Among other things, Decree 53 provides important guidance and clarification on the 'data localization' and 'mandatory physical establishment' requirements that have been introduced by the Law on Cybersecurity. Decree 53 regulates the following data (regulated data):

• personal data of Vietnam-based users;
• data created by Vietnam-based users, including account name, time of usage, credit card information, email address, IP address, most recent log-out, and registered phone number; and
• data in relation to the relationship of Vietnam-based users to users' friends or other people with whom the users interact.

Under Decree 53, a 'Vietnamese company' must store the regulated data in Vietnam. A foreign enterprise doing business in Vietnam would be required to store the regulated data in Vietnam and to establish a branch or a representative office, should it fall under the following circumstances:

• the foreign enterprise is doing business in Vietnam in one of the following fields:
  • telecommunication services;
  • data sharing and storage, provider of a national or international domain for Vietnamese users;
  • e-commerce;
  • social network and social marketing;
  • online games; and
  • provision, management, or operations of other information on the internet in the forms of messages, telephone calls, video calls, emails, or online games;
• the services provided by such an enterprise are used to violate the Law on Cybersecurity; and
• the cybersecurity taskforce of the Government has notified the enterprise and requested the enterprise's cooperation in the prevention, investigation, and handling of such a violation, but the enterprise failed to cooperate, which caused the task force's measures to fail.

Under the PDPD, the transfer of personal data is considered a processing activity. As such, general requirements for processing personal data shall apply. Additionally, the PDPD provides specific requirements for offshore transfers of personal data. The offshore transfer of personal data refers to the use of the internet, digital means or equipment, or other means to transfer personal data of Vietnamese nationals to a location outside of the territory of Vietnam, or using a location outside of the territory of Vietnam to process personal data of Vietnamese nationals.

An entity or individual, which transfers personal data offshore within the scope of the PDPD, will have to prepare and maintain a Transfer Impact Assessment with the following content:

• information and contact details of the transferor and receiver of the personal data of Vietnamese citizen(s);
• full name and contact details of the entity or individual of the transferor which directly involves the transfer and receipt of the personal data of Vietnamese citizen(s);
• description and explanation of the purposes of the processing activities to be performed after such transfer;
• description and clarification of the types of data to be transferred;
• description of the compliance of the requirements of the PDPD and description of the applied security measures;
• assessment of the impact of the data processing activities;
• potential consequences, mitigation, and/or prevention measures;
• consent of the data subjects with the mechanism for the data subjects to respond to or claim upon the occurrence of any incident; and
• a binding document between the transferor and the receiver of the personal data, outlining the rights and obligations, and responsibilities of each party.

The Transfer Impact Assessment must be submitted to the Cybersecurity Department within 60 days after the transferor begins to process personal data. After the transfer is completed, the transferor must so notify the Cybersecurity Department.

7.3. Data processing records

The data controller must record and maintain a system log of the data processing activities. 

7.4. Data protection impact assessment

The data controller and the data processor are required to prepare, maintain, and submit to the Cybersecurity Department a personal Data Protection Impact Assessment (DPIA).

The DPIA of a data controller must have the following content:

• information and contact details of the data controller;
• name and contact details of the data protection department and officers of the data controller;
• purpose of the personal data processing activities;
• type of personal data to be processed;
• receiver of personal data, including offshore receivers;
• offshore transfer of personal data (if any);
• duration of the data processing activities;
• description of the implemented protection measures;
• assessment of the impact of personal data processing activities; and
• potential unwanted consequences and mitigation measures.

The DPIA of a data processor must have the following content:

• information and contact details of the data processor;
• name and contact details of the entity and individuals performing the data processing activities;
• description of the processing activities and the type of personal data to be processed in accordance with the agreement with the data controller;
• duration of the data processing activities; estimated deletion or removal of the personal data (if any);
• offshore transfer of personal data (if any); and
• consequences or potential unwanted consequences and mitigation and/or prevention measures.

These DPIAs must be submitted to the Cybersecurity Department within 60 days after the personal data processing activities are started.

7.5. Data protection officer appointment

Article 28 of PDPD requires a data controller and/or a data processor to appoint a department to protect personal data and to appoint a data protection officer (DPO) if there is sensitive personal data involved. The information of such DPO must be notified to the Cybersecurity Department.

7.6. Data breach notification

Data processors are required to notify data controllers as soon as possible upon being aware of a data breach. Data controllers are required to notify the Cybersecurity Department within 72 hours of the occurrence of any data breach. If the notification cannot be made within 72 hours, an explanation will be required (Article 23 of the PDPD).

The notification must have the following content:

• description of the nature and scope of the data breach, including but not limited to the time of occurrence, location, the breached data, and information of the parties involved;
• contact information of the person in charge of personal data protection;
• description of the consequences or damages of the data breach; and
• description of the measures which have been applied to handle or mitigate the consequences or damages of the data breach.

7.7. Data retention

There are requirements for the retention of documents, which may comprise personal information (e.g., accounting documents and corporate documents). Such requirements can be found in laws that specify the types of information in question (e.g., the Law on Accounting 88/2015/QH13 (November 20, 2015) (only available in Vietnamese here) for accounting documents and the Law on Enterprises 59/2020/QH14) (June 17, 2020) (only available in Vietnamese here) for corporate documents).

7.8. Children's data

The Law on Children 102/2016/QH13 (April 5, 2016) (only available to download in Vietnamese here) prohibits the disclosure of personal data of a child under 16 years old without the consent of the child's parents or guardian. The PDPD provides that the personal data of a child of seven or more years old can only be processed on the basis of the consent of the child and of the child's parents or guardian (Article 20 of the PDPD).

Additionally, the Cybersecurity Law provides general guidance for the protection of children in cyberspace. In particular, managers of information systems, telecommunication service providers, internet service providers, and value-added service providers have the responsibility to make sure information on their systems or services is not harmful to children and does not violate children's rights, to block and delete information harmful to children or violate children's rights, to promptly inform and cooperate with the cybersecurity taskforce of the MPS whenever such information is detected.

7.9. Special categories of personal data

Please refer to the section on definitions above on sensitive personal data.

The PDPD requires the designation of a department and personnel responsible for personal data protection and the exchange of personal information (Article 28(2) of the PDPD). In addition, the PDPD confirms that the measures outlined in Articles 26 and 27 of the PDPD must be implemented when processing sensitive personal information, and data subjects must be notified of such processing unless otherwise provided for in Articles 13(4), 17, and 18 of the PDPD. Moreover, data subjects must be informed that the data to be processed is sensitive (Article 11(8) of the PDPD).

7.10. Controller and processor contracts

The PDPD requires that a data controller and a data processor enter into an agreement or a contract for the processing of personal data. There is no specific requirement regarding such an agreement or contract (Article 39 of the PDPD).

8. Data Subject Rights

8.1. Right to be informed

Data subjects have the right to be informed of the method, scope, location, and purposes of the collection, processing, and use of their personal information (Article 9.1 of the PDPD). Even in circumstances where personal data can be processed without the data subject's consent, the data subject still has the right to be informed. Please see the section on data processing notification above.

8.2. Right to access

The PDPD provides the data subject with the right to access or request access to view or edit their personal data (Article 9.3 of the PDPD).

8.3. Right to rectification

Please see the section on the right to access above. 

8.4. Right to erasure

The PDPD provides the data subject with the right to delete their personal data or to request that their personal data be deleted (Article 9.5 of the PDPD).

8.5. Right to object/opt-out

The PDPD provides the data subject with the right to object to or restrict data processing activities. (Articles 9.6 and 9.8 of the PDPD). In addition, the PDPD provides the data subject with the right to give or withdraw consent to the processing of their personal data. Personal data processing activities, which happen before consent is withdrawn, are legal and valid (Articles 9.2 and 9.4 of the PDPD).

8.6. Right to data portability

Data subjects have the right to request that the data controller provide a copy of their personal data (Article 9.7 of the PDPD).

8.7. Right not to be subject to automated decision-making

Vietnamese law does not have any specific provision for automated decision-making. Automated decision-making should be treated as a data processing activity. As such, data subjects shall have the right to object to or restrict such automated decision-making.

8.8. Other rights

Under the PDPD, the data subject has the right to claim damages, initiate legal proceedings, and implement measures for self-protection (Articles 9.9-9.11 of the PDPD).

9. Penalties

Non-compliance with Vietnam's data protection laws can be subject to both administrative penalties and criminal penalties. Under Decree 15/2020/ND-CP (February 3, 2020) (only available in Vietnamese here), as amended by Decree 14/2022/ND-CP (January 27, 2022) (only available in Vietnamese here), an administrative penalty may include fines:

• between VND 2 million (approx. $80) and VND 5 million (approx. $200) for storing personal information for longer than legally required or agreed to by the parties (Article 102.1);
• between VND 5 million and VND 10 million (approx. $390) for:
  • failing to verify, correct, or delete personal information, which is stored, collected, and processed on a network after receiving a request from the owner (Article 102.2(c));
  • provide or use incorrect information after receiving a request for correction from the owner (Article 102.2(d)); or
  • provide or use incorrect information after receiving a request for deletion from the owner (Article 102.2(dd));
• between VND 10 million and VND 20 million (approx. $790) for:
  • collecting personal information without the consent of the data subject on the scope and purpose of such collection (Article 84.1(a));
  • providing the data subject's personal information to any third party after a request from the data subject to stop such provision (Article 84.1(b));
  • failing to notify the data subject after the deletion of the data subject's personal data or in case the protection of the data subject's personal data has not been implemented due to technical issue (Article 85.1);
  • not fully complying with the technical standards and regulations for cyberinformation security (Article 86.1); or
  • failing to implement the required management and technical measures to ensure that personal data is not lost, stolen, disclosed, modified, or destroyed when collecting, processing, and using personal data on a network environment (Article 102.3(dd));
• between VND 40 million (approx. $1,580) and VND 60 million (approx. $2,370) for:
  • using personal information not in compliance with the agreed scope and purpose or without consent (Article 84.2(a));
  • providing, disclosing, or publishing the collected or controlled personal information to a third party without consent (Article 84.2(b));
  • illegally collecting, using, publishing, and doing business with the personal information of a data subject (Article 84.2(c));
  • failing to update, modify, or delete the personal information upon request from the data subject (Article 85.2(a));
  • failing to provide the data subject with access to update, modify, or delete the personal information upon request from the data subject (Article 85.2(a));
  • failing to delete the collected personal information after the purpose of the collection has been completed or the legal storage period has expired (Article 85.2(b)); or
  • failing to comply with the technical standards and regulations for cyberinformation security (Article 86.2);
• between VND 30 million (approx. $1,180) and VND 50 million (approx. $1,970) for:
  • failing to promptly apply remedies or preventive measures to threatened breaches (Article 86.3);
  • failing to apply and maintain an adequate level of security or management measures for the protection of personal information (Article 85.3);
  • unauthorized access into the network or electronic devices of other people to collect data or claim control of such network or devices (Article 80.2); or
  • failing to provide personal information as it relates to terrorism or criminal activities if the data is requested by a competent authority (Article 100.2); and
• between VND 50 million and VND 70 million (approx. $2,760) for:
  • illegal sales and purchase or transfer of personal information (Article 102.5).

Criminal penalties may be imposed for violations of rules governing confidentiality and safety concerning an individual's email, mail, telephone, or other forms of communication. The criminal sanction imposed depends on the severity of the crime and may include: a warning, a fine between VND 5 million and VND 50 million, and/or non-custodial reform (similar to probation or supervised release in other jurisdictions) of up to three years or prison sentence of between one and three years.

Additionally, any person who suffers damages caused by an infringement of the data protection laws is entitled to compensation from the infringing party (Article 13 of the Civil Code). To obtain compensation, the claimant must prosecute a legal action and meet the burden of proof for actual damages. The Government is working on a separate decree on sanctions for violations of cybersecurity regulations, including violations of personal data protection regulations.

9.1 Enforcement decisions

Enforcement decisions are not publicly available.