Vietnam - Data Protection Overview

January 2021

INTRODUCTION

In Vietnam, the right to privacy and personal secrets is a constitutional right. However, Vietnam does not have a consolidated piece of legislation on the protection of personal data. Instead, rules and regulations on personal data protection can be found in several laws, including general laws such as the Civil Code and the Law on Cyberinformation Security and sectoral laws such as the Law on Electronic Transactions and the Law on Telecommunications.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

  • Law on Cyber Information Security No. 86/2015/QH13 (19 November 2015) ('LCS').
  • Law on Cybersecurity No. 24/2018/QH14 (12 June 2018) (only available to download in Vietnamese here) ('the Cybersecurity Law'), which regulates cyber activities that impact national security and social order and safety.
  • Civil Code 2015 (24 November 2015) (only available in Vietnamese here) ('the Civil Code'). Article 38 provides rules for the collection, storage, processing, use, disclosure, and publication of personal information.
  • Law on Electronic Transactions No. 51/2005/QH11 (29 November 2005) (only available in Vietnamese here), which governs electronic transactions by state agencies as well as the private sector and generally prohibits the use, provision, or disclosure of data, which can be accessed in relation to an electronic transaction, without consent.
  • Law on Cinematographic No. 62/2006/QH11 (29 June 2006) (only available in Vietnamese here), which sets out rights and obligations for those involved in the film, cinematography, and television industry, and expressly prohibits the unauthorised disclosure of personal secrets and other types of secrets in these industries in accordance with Vietnamese laws.
  • Law on Information Technology No. 67/2006/QH11 (29 June 2006) (only available in Vietnamese here) ('the IT Law'), which governs information technology applications and development, sets out the rights and obligations of agencies, organisations, and individuals engaged in these activities, as well as regulates the collection, processing, use, storage, and provision of personal data on a network environment.
  • Law on Telecommunications No. 41/2009/QH12 (23 November 2009) (only available in Vietnamese here), which regulates telecommunications activities and the rights and obligations of those working in the telecommunication industry, and expressly requires telecommunications enterprises not to disclose information of an end-user without consent from such end-user or a valid request from a competent authority.
  • Law on Credit Institution No. 47/2010/QH12 (16 June 2010) (only available in Vietnamese here), which governs the establishment and operations of credit institutions in Vietnam, and expressly requires a credit institution to keep confidential all information regarding its users' accounts, assets, and transactions, unless consent is given or there is a valid request from a competent authority.
  • Law on Postage No. 49/2010/QH12 (17 June 2010) (only available in Vietnamese here), which governs the administration of the postal service, and generally requires protection of the confidentiality of postal parcels.
  • Law on Protection of Consumers' Rights No. 59/2010/QH12 (17 November 2010) (only available in Vietnamese here), which sets out a variety of consumer rights and details organisations' obligations to protect consumer information.
  • Law on Publication No. 19/2012/QH13 (20 November 2012) (only available in Vietnamese here), which sets out the rights and obligations of individuals and organisations in the publishing industry, and prohibits unauthorised disclosure of national secrets, personal secrets, and certain other secrets.
  • Press Law No. 103/2016/QH13 (5 April 2016) (only available in Vietnamese here), which governs the press, including citizens' rights to freedom of press and freedom of speech in the press, and the rights and obligations of agencies, organisations, and individuals involved in the media industry, and prohibits unauthorised access and disclosure of national secrets, personal secrets, and certain other secrets.

1.2. Guidelines

Guidance on Vietnamese laws is issued in the form of Government Decrees and Ministry Circulars and Decisions. In general, the protection of privacy and personal data is the responsibility of the Ministry of Information and Communications ('MIC').

1.3. Case law

Not applicable. 

2. SCOPE OF APPLICATION

2.1. Personal scope

Vietnamese personal data protection laws apply to organisations, agencies, and individuals that process personal information (data processors) and to natural persons who are identified or identifiable from the personal information (data subjects). Vietnamese law does not distinguish between data controllers and data processors.

2.2. Territorial scope

Generally, Vietnamese personal data protection laws cover the personal data and privacy of all natural persons within Vietnam, regardless of nationality, and any personal data processed by a processor in Vietnam, or outside of Vietnam, if such processor is directly involved in or connected with cyberinformation security activities in Vietnam.

2.3. Material scope

Personal data is defined to be any information which relates to the identification of its owner, including but not limited to any information that relates to a person's personal life, personal or family secrets, and personal communications, including written correspondence and the content of telephone calls. Vietnamese law does not differentiate between general personal information and sensitive personal information. However, some personal information, such as banking information and medical records, is considered a state secret and enjoys additional protection.

Processing of personal information is defined to be one or more of the following activities: collecting, editing, using, storing, publishing, providing, transferring, and sharing personal information to any third party.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

The MIC is the supervisory authority for information security. The MIC also works with the Ministry of Public Security ('MPS') and the Ministry of National Defence to handle criminal breaches of information security regulations and threats to national security.

3.2. Main powers, duties and responsibilities

The MIC's authority includes the power to:

  • promulgate national standards and technical regulations;
  • examine, investigate, and handle claims or reports about, or violations of, information security regulations and laws;
  • exercise enforcement authority over data protection violations under any sectoral law, in addition to the LCS;
  • coordinate with other authorities and enterprises to protect information security; and
  • supervise compliance with information security regulations.

The MIC has delegated power to its Authority on Information Security to:

  • formulate laws, policies, and other legislation related to information security;
  • implement technical and procedural measures;
  • guide and support organisations in enhancing and protecting their information systems;
  • coordinate activities on preventing spam;
  • supervise compliance with information security regulations;
  • coordinate the implementation of the information security regulations as instructed by the MIC;
  • research, collect, and analyse information to publish reports on the status of information security in Vietnam;
  • receive and handle complaints concerning breaches of information security regulations; and
  • other responsibilities as instructed by the MIC.

4. KEY DEFINITIONS

Data controller: Vietnamese law does not differentiate between data controller and data processor.

Data processor: Any organisation or individual which processes personal information is a data processor. Processing of personal information is defined to be one or more of the following activities: collecting, editing, using, storing, publishing, providing, transferring, and sharing personal information to any third party.

Personal data: Any information which relates to the identification of its owner (Article 3.15 of the LCS). This definition is further expanded to include any information that relates to a person's personal life, personal or family secrets, and personal communications, including written correspondence and the content of telephone calls (Article 38 of the Civil Code).

Sensitive data: Vietnamese law does not differentiate between general personal information and sensitive personal information.

Health data: Not applicable.

Biometric data: Not applicable.

Pseudonymisation: Not applicable.

5. LEGAL BASES

The legal bases on which a data processor can rely for the processing of personal data are:

  • consent (Article 17 of the LCS and Article 21 of the IT Law);
  • to comply with obligations provided in the law (Article 21.3 of the IT Law);
  • to execute, adjust, or perform contracts with the data subjects for the use of data, goods, or services over a network environment (Article 21.3 of the IT Law);
  • to calculate premiums, fees for the use of data, goods, or services over a network environment (Article 21.3 of the IT Law);
  • to ensure national defence, social order, security, and safety of Vietnam (Article 16.5 of the LCS); and
  • processing of personal information for non-commercial purposes (Article 16.5 of the LCS).

5.1. Consent

Please refer to section 5 above.

5.2. Contract with the data subject

Please refer to section 5 above.

5.3. Legal obligations

Please refer to section 5 above.

5.4. Interests of the data subject

Please refer to section 5 above.

5.5. Public interest

Not applicable. 

5.6. Legitimate interests of the data controller

Please refer to section 5 above.

5.7. Legal bases in other instances

Please refer to section 5 above.

6. PRINCIPLES

The following data protection principles exist in Vietnamese laws:

  • transparency: the data subject must be informed of the method, scope, location and purposes of the collection, processing and use of his/her personal information.
  • storage limitation: the data processor must delete the personal information after it has served its processing purpose and notify the data subject of such deletion.
  • accountability: the data processor is responsible and liable for the personal information it processes.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data processing notification

There is no registration requirement. 

7.2. Data transfers

The Cybersecurity Law requires organisations to store personal information, customer's information, or any information created by customers in Vietnam for a period of time specified by the Government of the Socialist Republic of Vietnam, and to establish a physical presence in Vietnam, where those organisations:

  • provide services on the telecom network, the internet, and value-added services on cyberspace in Vietnam (value-added services include: storage and sharing of data in cyberspace, national or international domain name registries, e-commerce services, social networking services, online gaming services, and email services); and
  • collect, analyse, or process personal data about service users in Vietnam. 

The guidance for implementation of this requirement will be set forth in future sub-regulations.

7.3. Data processing records

There is no express provision that requires data processors to maintain data processing records.

7.4. Data protection impact assessment

There is no requirement for data processors to carry out a Data Protection Impact Assessment.

7.5. Data protection officer appointment

There is no requirement for data processors to appoint a data protection officer. However, Article 24 of the LCS, as guided by Circular 31/2017/TT-BTTTT of the MIC (only available in Vietnamese here), requires managers of information systems to appoint an individual or unit to supervise and oversee information security and to cooperate with the MIC in handling information security, including protection of personal information.

7.6. Data breach notification

Data processors are required to notify the relevant authority (i.e. the Vietnam Cybersecurity Emergency Response Team/Coordination Centre – VNCERT/CC) and the owner of the personal information as soon as possible. The law does not specify the timeframe for such notification.

7.7. Data retention

There is no specific requirement for the retention of personal data. However, there are requirements for the retention of documents, which may comprise personal information (e.g. accounting documents and corporate documents). Such requirements can be found in the laws specific to the types of information in question (e.g. the Law on Accounting 88/2015/QH13 (20 November 2015) (only available in Vietnamese here) for accounting documents and the Law on Enterprises 59/2020/QH14 (17 June 2020) (only available in Vietnamese here) for corporate documents).

7.8. Children's data

The Law on Children 102/2016/QH13 (5 April 2016) (only available to download in Vietnamese here) prohibits the disclosure of personal data of a child under 16 years old without the consent of the child's parents or guardian. Additionally, the Cybersecurity Law provides general guidance for the protection of children in cyberspace. In particular, managers of information systems, telecommunication service providers, internet service providers, and value-added service providers have the responsibility to make sure that information on their systems or services is not harmful to children and does not violate children's rights, to block and delete information that is harmful to children or violates children's rights, and to promptly inform and cooperate with the cybersecurity taskforce of the MPS whenever such information is detected.

7.9. Special categories of personal data

Vietnamese law does not differentiate between different categories of personal data.

7.10. Controller and processor contracts

There is no requirement for a contract to be in place between a controller and processor.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

The data processor must inform the data subject of the method, scope, location, and purposes of the collection, processing, and use of his/her personal information (Article 17.1 of the LCS). In addition, the data processor must inform the data subject of the transfer of data to any third party (Article 17.1 of the LCS).

8.2. Right to access

The LCS provides the data subject with the right to request access to personal information that the data processor collected or maintains. 

8.3. Right to rectification

The LCS provides the data subject with the right to request that the data processor update, amend, rectify, or delete the personal information that the covered entity or individual collected or maintains. 

8.4. Right to erasure

See section 8.3 above.

8.5. Right to object/opt-out

The LCS provides the data subject with the right to request that the data processor stop providing the personal information to a third party.

8.6. Right to data portability

Vietnamese law does not offer the right to data portability.

8.7. Right not to be subject to automated decision-making

Vietnamese law does not offer the right not to be subject to automated decision-making.

8.8. Other rights

Not applicable.

9. PENALTIES

Non-compliance with Vietnam's data protection laws can be subject to both administrative penalties and criminal penalties. Under Decree 15/2020/ND-CP (3 February 2020) (only available in Vietnamese here), an administrative penalty may include fines:

  • between VND 2 million (approx. €70) and VND 5 million (approx. €180) for storing personal information for longer than legally required or agreed to by the parties (Article 102.1);
  • between VND 5 million (approx. €180) and VND 10 million (approx. €360) for:
    • failing to verify, correct, or delete personal information that is stored, collected, or processed on a network after receiving a request from the owner (Article 102.2(c));
    • providing or using incorrect information after receiving a request for correction from the owner (Article 102.2(d)); and
    • providing or using incorrect information after receiving a request for deletion from the owner (Article 102.2(dd));
  • between VND 10 million (approx. €360) and VND 20 million (approx. €710) for:
    • collecting personal information without consent of the data subject on the scope and purpose of such collection (Article 84.1(a));
    • providing the data subject's personal information to any third party after a request from the data subject to stop such provision (Article 84.1(b));
    • failing to notify the data subject after the deletion of the data subject's personal data or in case the protection of the data subject's personal data has not been implemented due to a technical issue (Article 85.1);
    • not fully complying with the technical standards and regulations for cyberinformation security (Article 86.1); and
    • failing to implement the required management and technical measures to ensure that personal data is not lost, stolen, disclosed, modified, or destroyed when collecting, processing, and using personal data on a network environment (Article 102.3(dd));
  • between VND 20 million (approx. €710) and VND 30 million (approx. €1,070) for:
    • using personal information not in compliance with the agreed scope and purpose or without consent (Article 84.2(a));
    • providing, disclosing, or publishing the collected or controlled personal information to a third party without consent (Article 84.2(b));
    • illegally collecting, using, publishing, and doing business with personal information of a data subject (Article 84.2(c));
    • failing to update, modify, or delete the personal information upon request from the data subject (Article 85.2(a));
    • failing to provide the data subject with access to update, modify, or delete the personal information upon request from the data subject (Article 85.2(a));
    • failing to delete the collected personal information after the purpose of the collection has been completed or the legal storage period has expired (Article 85.2(b)); and
    • failing to comply with the technical standards and regulations for cyberinformation security (Article 86.2);
  • between VND 30 million (approx. €1,070) and VND 50 million (approx. €1,780) for:
    • failing to promptly apply remedies or preventive measures to actual or threatened breaches (Article 86.3); and
    • failing to apply adequate level of security or management measures for the protection of personal information (Article 85.3);
  • between VND 50 million (approx. €1,780) and VND 70 million (approx. €2,490) for failing to apply remedies or preventive measures to actual or threatened breaches (Article 86.3); and
  • between VND 10 million (approx. €360) and VND 20 million (approx. €710) for:
    • failing to provide personal information as it relates to terrorism or criminal activities if the data is requested by a competent authority;
    • disclosing personal information without consent; or
    • failing to maintain the necessary management and technical measures to protect personal information.

Criminal penalties may be imposed for violations of rules governing confidentiality and safety concerning an individual's email, mail, telephone, or other forms of communications. The criminal sanction imposed depends on the severity of the crime and may include: a warning, a fine between VND 5 million (approx. €180) and VND 50 million (approx. €1,780), and/or non-custodial reform (similar to probation or supervised release in other jurisdictions) of up to three years or a prison sentence of between one and three years.

Additionally, any person who suffers damages caused by an infringement of the data protection laws is entitled to compensation from the infringing party (Article 13 of the Civil Code). To obtain compensation, the claimant must prosecute a legal action and meet the burden of proof for actual damages.

9.1. Enforcement decisions

Enforcement decisions are not publicly available.