Tilleke & Gibbins

 

What law(s) specifically govern personal data / information?

There is not a single comprehensive data protection law in Vietnam. Instead, regulations on data protection & privacy can be found in various legal instruments. The right of privacy and right of reputation, dignity and honour and fundamental principles of such rights are currently provided for in the 2013 Constitution (“Constitution”) and Civil Code 2015 (“Civil Code”) as inviolable and protected by law.

Regarding personal information, the key principles on collection, storage, use, process, disclosure or transfer of personal information are specified in the following main laws and guiding documents, among others:

  • Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015; as amended from time to time (“Criminal Code”);
  • Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”);
  • Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Network Information Security Law ”);
  • Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as amended by Law No.35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“CRPL”);
  • Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated November 14, 2017 on planning (“IT Law”);
  • Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”);
  • Decree No. 53/2022/ND-CP of the Government dated 15 August 2022 elaborating a number of articles of the Law on Cybersecurity of Vietnam (“Decree 53”);
  • Decree No. 85/2016/ND-CP of the Government dated 1 July 2016 on the security of information systems by classification (“Decree 85”);
  • Decree No. 72/2013/ND-CP of the Government dated 15 July 2013 on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No. 150/2018/ND-CP dated 7 November 2018 (“Decree 72”);
  • Decree No. 52/2013/ND-CP of the Government dated 16 May 2013 on e-commerce; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018 on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade (“Decree 52”);
  • Decree No. 91/2020/ND-CP of the Government dated 14 August 2020 on anti-spam messages, emails and calls (“Decree 91”);
  • Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions; as amended by Decree No. 14/2022/ND-CP of the Government dated 27 January 2022 (“Decree 15”);
  • Decree No. 98/2020/ND-CP of the Government dated 26 August 2020 prescribing penalties for administrative violations against regulations on commerce, production and trade in counterfeit and prohibited goods, and protection of consumer rights; as amended by Decree No. 17/2022/ND-CP of the Government dated 31 January 2022 (“Decree 98”);
  • Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”);
  • Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”); and
  • Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources (“Circular 25”).

Each aspect and each industry may have their respective regulating documents. In other words, applicability of legal documents will depend on the factual context of each case. For example, businesses in the banking and finance, education, healthcare sectors may be subject to specialised data protection regulations, not to mention to regulations on employees’ personal information as provided in Labour Code 2019 (“Labour Code”).

The most important Vietnamese legal documents regulating data protection are the Cybersecurity Law, its guiding Decree 53 and the Network Information Security Law. However, it is worth noting that unlike cybersecurity laws in other jurisdictions that were inspired by the GDPR of the EU, the Cybersecurity Law of Vietnam shares similarities with China’s Cybersecurity Law enacted in 2017. This law focuses on providing the government with the ability to control the flow of information; meanwhile, the Network Information Security Law enforces data privacy rights for individual data subjects.

A draft decree on administrative sanctions in the cybersecurity sector is being prepared by the Ministry of Public Security (“MPS”) in coordination with other relevant ministries, ministerial-level agencies & bodies.

Nevertheless, with the attempt to elevate the Vietnamese data protection laws/regulations to adequately meet the protection measures set out under international standards (especially the GDPR), MPS has been drafting a new Decree on Personal Data Protection (“Draft PDPD”). The Draft PDPD was released for public comments on February 2021 and moved one step closer to promulgation on 7 March 2022, when the Vietnamese government issued Resolution No. 27/NQ-CP (“Resolution 27”) approving the promulgation of the latest version of the Draft PDPD and further instructed the MPS to pass this draft to the National Assembly’s Standing Committee for final consideration. The MPS anticipates to have the Draft PDPD be promulgated and take effect in the first quarter of 2023. Under the same Resolution 27, the MPS and the Ministry of Justice are in charge of developing the proposal of a new Law on Personal Data Protection.

 

What are the key data protection principles in this jurisdiction?:

According to Vietnamese laws, the solid legal basis for the processing of personal information (defined as the performance of one or some acts of collecting, editing, utilising, storing, providing, sharing or spreading personal information in cyberspace for commercial purposes) is a prior consent given by the data subject. Specifically, it requires that organisations that process personal information collect personal information only after (i) having notified data subjects of the scope, purpose, storage period, form and location of collection, storage, processing, use, disclosure and transfer of such information (the relevant terminologies cover “collect, store, process, use, disclose and transfer” rather than just “collection and processing” of data); (ii) obtaining their consent before collecting and/or processing of their personal data. Traders or organisations collecting and using the consumers’ personal information on e-commerce websites must set up a mechanism for consumers (or “subjects”) to clearly express their consent through online functions on the website, e-mail, messages or other methods as agreed by the two parties.

Regarding the form of consent, the current Vietnamese legislation does not provide any specific regulations. However, the Draft PDPD explicitly stipulates that silence or non-response of the data subject shall not be interpreted as consent, meaning that implied consent will no longer be accepted. Moreover, the consent must be given in a form that can be printed or copied in writing.

However, based on the specific purposes for processing of personal information, the laws provide an alternative legal basis besides consent. Particularly, organisations may collect, process, use, store, disclose and transfer personal information of other people without consent when that information is used for the following purposes:

  • Signing, modifying or performing contracts on the use of information, products or services in the network environment (generally defined as “the environment in which information is provided, transmitted, collected, processed and exchanged via information infrastructure);
  • Calculating charges for use of information, products or services in the network environment; and
  • Performing other obligations provided for by law (e.g. upon the request of a competent authority as prescribed by law).

In addition, the traders and organisations collecting and using consumers’ personal information on e-commerce websites will be exempted from obtaining the consumers’ / subjects’ prior consent in the following cases:

  • Collecting personal information that has been publicised on e-commerce websites;
  • Collecting personal information to sign or perform a contract of sale and purchase of goods and services;
  • Collecting personal information to calculate the price and charge of use of information, products and services on the network environment; and
  • Collection of personal information for performing other obligations in accordance with the law.

Moreover, the persons collecting or processing personal information (called the “data controller”) are further required to:

  • provide the data subject with their personal information collected and stored by the data controller upon receipt of a request from the data subject;
  • immediately comply with the request and notify the data subject or grant him/her the right to access information or to do so upon receipt of a request from the data subject for re-examination, update, correction, modification or cancellation, or for the stoppage of the provision of personal information to a third party, and not supply or use relevant personal information until such information is corrected;
  • take necessary measures to protect personal information, and notify data subjects if the data controller fails to comply with their requests for technical reasons or other reasons; and
  • delete stored personal information when they have accomplished their use purposes or the storage time has expired, and notify the data subject thereof, unless otherwise prescribed by law.

 

What is the supervisory authority / regulator in charge of data protection?

Vietnam does not have a single national data protection authority. Instead, authority for state management of certain aspects of information and data protection has been given to a number of competent state authorities. To some extent, the key competent state authorities in charge of information and data protection would be the Ministry of Information and Communication (“MIC”), the MPS, and the Vietnam Cybersecurity Emergency Response Teams / Coordination Center (“VNCERT/CC”) directly managed by the Authority of Information Security (“AIS”) under the MIC. Their key roles are particularly as follows:

  • The MIC, particularly the AIS, is responsible for management of the provision of cyberspace services (e.g. social network, gaming online, e-commerce, etc.), such as requesting cyberspace service providers to delete illegal data uploaded on their system or network;
  • The MPS, particularly the Department for Cybersecurity and High-tech Crime Prevention and Fighting, is responsible for supervision of national cybersecurity, such as requesting cyberspace service providers to (1) store data and establish branches or representative offices in Vietnam and (2) provide users’ information for cybersecurity crime investigations; and
  • VNCERT/CC acts as the national coordination centre for responding to cybersecurity incidents and information security testing.

In addition to the above, subject to each specific industry (e.g. banking and finance; education; healthcare; natural resources and environment; culture, sports and tourism; etc.), the state management authority in charge of each industry and its IT centre is involved in relevant information system protection.

Nevertheless, under the Draft PDPD, there is a new authority under the MPS in charge of personal information protection called the Personal Data Protection Committee (“PDPC”). The PDPC has various functions and duties, including:

  • Receiving certain complaints against violations by data processors and requesting the MPS to settle complaints;
  • Requesting a unit of the MPS to inspect the data protection activities of a processor and acting as the inspection team; and
  • Evaluating and rating processors’ personal data protection reliability with its own established criteria and publishing the result on the National Personal Data Protection Portal operated by the PDPC.

Operating the registration system for sensitive data processing and cross-border, etc.

 

Is there a requirement to register with a supervisory authority / regulator?

There is no requirement under Vietnamese law whereby a private-sector data controller (or its activities) must be registered with the local authorities (e.g. MPS, MIC or VNCERT/CC), except in the following cases:

  • Foreign enterprises which provide services on telecom networks and on the Internet and other value-added services in cyberspace in Vietnam (“cyberspace service providers”) may need to register for establishment of branches or representative offices in Vietnam if (i) their services were used to commit violations of Vietnamese law and (ii) they have received a warning from the MPS but have failed to remedy the situation. In such cases, the MPS will send an official notification demanding the company to establish a branch or representative office in Vietnam. The company will then have 12 months from the date it received the notice to comply with the requirement.
  • Organisations or individuals that are involved in cross-border public information provision activities, that rent digital information storage facilities within Vietnam to provide their services, or that are reported to provide public information to be used or accessed by at least one million Internet users in Vietnam a month, will be subject to the obligation to notify the MIC of their contact information, including:
    • In the case of an organisation: registered name, transactional name, name of the licensing country, and main office address;
    • in the case of an individual: the person’s name, permanent residence address and nationality of the individual owning an electronic information page, and location of the main server system; and
    • Principal contact agent of an overseas organisation or individual and principal contact agent operated within the territory of Vietnam, including information such as organisation, individual, contact email address and telephone number;

This can be supplied directly, by post, or by email to [email protected] .

Moreover, the Draft PDPD requires that an organisation wishing to collect or process sensitive personal data (hereinafter referred to as “sensitive data processor”) must be registered with the PDPC under the MPS prior to such data processing. The scope of sensitive personal data as defined in the Draft ranges from specific types of data such as gender, biometrics, criminal records, and location to very broad concepts such as political and religious views and social relationships. The sensitive data processor must prepare and submit an impact assessment report addressing the potential harm to data subjects due to the proposed processing and measures to manage, minimise, or eliminate such harm. The PDPC will process the applications within 20 working days from the date of receipt of a valid application, which means the date that all information and documents provided in the application are acceptable to the officers in charge.

Similarly, the Draft PDPD also requires data transferors to obtain prior approval from the PDPC before transferring Vietnamese citizens’ personal data out of Vietnam. They must also (i) obtain prior consent from the data subjects, (ii) store the original data in Vietnam, and (iii) secure proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the draft.

 

Is there a requirement to notify the supervisory authority / regulator?

Currently, Vietnamese laws do not require a data controller in the private sector to notify the local authorities (e.g. MPS, MIC or VNCERT/CC) of data processing activities, except in cases of actual or suspected personal information security incidents. Please refer to our response on data breach notification requirements below for details.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Registration or written notice of contact information of organisations or individuals involved in cross-border public information provision activities for at least one million Internet users in Vietnam a month may be sent to the email address [email protected]. Please refer to our response above on registration for more details.

In respect of registration or approval for sensitive data processing and cross-border data transfer, the Draft PDPD does not clearly provide that the application files can be submitted or processed electronically. Thus, it is very likely that online submission will not be available.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Under Vietnamese law, data subjects have the right to request that a data controller check, correct or delete their personal information. The law specifically requires that the privacy policy of the website or platform must indicate (i) contact information of the information collection and management unit and how data subjects (e.g. customers) can ask about the collection and processing of information relevant to them; and (ii) the method and tools for data subjects to access and modify their personal information on the website or platform.

If a data subject specifically asks a data controller to correct or delete his or her personal information, upon receiving such request, data controller must immediately:

  • Comply with the request and notify the data subject (if such request is practicable); or
  • Take necessary measures to protect such information and notify the data subject if it fails to comply with such a request due to technical or other reasons.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Currently, there is no regulation requiring the data controller to appoint a data protection officer (“DPO”). However, certain types of organisations (e.g. big information system owners and others such as telecoms enterprises, banks, state bodies, information system owners using state funds, etc.) are required to appoint specialised information security focal points and contact persons to supervise and warn on cyber-information security and so on. These officers are expected to be in charge of incidents rather than data protection issues. Other strict requirements (under various legal documents) are also applicable to such kinds of organisations and do not cover “companies of the private sector”.

However, the foregoing position may be changed in the near future as the Draft PDPD requires data controllers to appoint a DPO and notify the PDPC of the DPO’s contact information.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

No. Currently, there is no requirement to conduct any data protection impact assessment. However, the Draft PDPD requires impact assessment reports for (i) sensitive data processing and (ii) cross-border data transfer. Please see our related responses above for details.

 

Does this jurisdiction have any specific data breach notification requirements?

The laws of Vietnam impose several requirements for the reporting and notification of actual or suspected personal information security incidents. In general, if a data security incident falls under the criteria set out by laws, the data controller must promptly take relevant measures to mitigate and notify relevant competent state authorities and/or affected data subjects in a timely manner (e.g. 5 days after detection of the security incident, or immediately for incidents that are beyond the control of the data controller). If the information system of an e-commerce service provider is attacked, causing risk of loss of a consumer’s information, the data controller must notify the authorities within 24 hours after the detection of the incident.

Normally, the data controller would be required to give relevant notifications to the following state authorities:

  • Government agencies under the MPS (i.e. Department of Cybersecurity and High-Tech Crime Prevention and Fighting and provincial police department where the head office of data controller is located, as the case may be); and
  • Vietnam Computer Emergency Response Team /Coordination Centre directly managed by the Authority of Information Security under the Ministry of Information and Communications.

 

What restrictions apply to the international transfer of personal data / information?

In general, if a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including group companies), the data controller must inform the data subjects and obtain prior explicit consent from the relevant data subjects.

The Cybersecurity Law requires that domestic or foreign cyberspace service providers carrying out activities of collecting, exploiting / using, or analysing and processing personal information, data about service users' relationships, and data generated by service users in Vietnam must store such data in Vietnam for a specified period to be stipulated by the government. In particular, according to Decree 53, domestic and foreign enterprises providing telecom and online services to customers in Vietnam may be required to locally store certain customer-related data in Vietnam for at least 24 months in case the authority alerts them that their services/online platforms have been used to commit violations of Vietnam’s laws but such online service providers failed to remedy the situation upon the request of the authority. According to Decree 53, while all domestic companies providing telecom and online services to customers in Vietnam would be required to locally store certain customer-related data in Vietnam, foreign companies that would be subject to this data localization requirements only include those engaging in the following 10 services: (i) telecommunications; (ii) data storage and sharing in cyberspace; (iii) supply of national or international domains to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) providing, managing or operating other information in cyberspace in the form of messages, phone calls, video calls, email or online chats.

The following data is required to be stored in Vietnam:

  • Data on personal information of service users in Vietnam;
  • Data created by service users in Vietnam: account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone numbers in association with accounts or data; and
  • Data on relationships of service users in Vietnam: friends and groups such users have connected or interacted with.

Moreover, foreign enterprises engaging in the above mentioned services are also required to establish branches or representative offices in Vietnam if the authority alerts them that their services/online platforms have been used to commit violations of Vietnamese law and the online service providers fail to remedy the situation upon the request. The time for such establishment will commence when the enterprise receives the request for the establishment and last until the enterprise terminates its operation in Vietnam or the prescribed services are no longer available in Vietnam.

The Draft PDPD also suggests imposing restrictions on cross-border data transfer (including registration of transferring personal data from Vietnam to foreign countries). The draft also requires that before transferring Vietnamese citizens’ personal data out of Vietnam (i) consent must be obtained from the data subjects; (ii) the original data must be stored in Vietnam; (iii) the data transferor must have written proof that the recipient’s country, territory or area has personal data protection at a level equal to or higher than the level specified in the draft; and (iv) written approval for transfer must be obtained from the PDPC. The Draft PDPD provides an exemption to the foregoing requirement when there is (a) consent from the data subject, (b) written approval from the PDPC, (c) a commitment from the data processor to protect the data, and (d) a commitment from the data processor to apply measures to protect the data. (It is unclear from the wording of the draft whether the data transferor needs to meet one or all of these criteria to be eligible for the exemption, but presumably all four must be met.) In order to obtain written approval from the PDPC, an application must include an impact assessment report with an assessment of potential harm and measures to manage, minimise or eliminate such harm. The PDPC has 20 working days from the date of submission to process applications for approval.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, in general, the Vietnamese laws related to personal information protection have extraterritorial effects and apply to any Vietnamese or foreign individuals and organisations who collect, process or store personal information of other persons in Vietnam. That is to say, if a data controller will collect, process, use, store, transfer, disclose or share personal information of any persons in Vietnam, the data controller is subject to Vietnam’s data protection and privacy laws/regulations even if it is an offshore company that does not have any business presence or employees in Vietnam.

As discussed above, Vietnam’s data protection provisions are scattered throughout different pieces of legislation. The application scope of these laws is rather broad when Vietnamese elements are involved in the concerned relationships/ transactions, such as activities taking place in Vietnam and, in criminal cases, concerning personal information of Vietnamese citizens.

Generally, the collection or processing of personal data of Vietnamese citizens outside of Vietnam is not subject to the data privacy and protection laws/regulations. However, if such overseas collection/processing is considered a crime under Vietnam’s Penal Code, Vietnamese criminal law could also apply to such extraterritorial collection and processing.

However, legal enforcement of violations related to data privacy and protection in Vietnam remains relatively low. In practice, there is nominal enforcement. In many instances, there have not been any instances of actual (or at least high-profile) enforcement. If there are monetary penalties, they usually are low. While data privacy violations might serve as grounds for private lawsuits, the monetary awards in Vietnam generally are also low.

 

What rules specifically deal with marketing?

In principle, if an e-commerce service provider will use customers’ personal information for marketing purposes (e.g. sending advertisements, product introductions or other commercial information to other persons via emails, SMSs or phone calls), the law requires that consent must be made expressly in one of the following forms:

  • agreeing to receive advertising messages after the advertiser sends the first and only advertising registration (opt-in) message;
  • completing the consent form and making a confirmation therein, regardless of whether such form is provided in paper form or on the advertiser’s website, online application or social network;
  • calling or sending messages to the advertiser’s call centre to subscribe; or
  • using a software program to subscribe..

Moreover, Vietnam’s anti-spam regulation (i.e., Decree No. 91/2020/ND-CP on anti-spam text messages, emails and calls (“Decree 91”)) further provides that advertisements by text message, email or telephone may only be sent or made in compliance with a number of specific conditions:

  • It is prohibited to send advertising messages or make advertising calls to phone numbers on the Do-Not-Call Register;
  • For phone numbers not included in the Do-Not-Call Register, only one initial advertising registration message (i.e., a message inquiring whether the user would like to receive advertising communications from the advertiser) is allowed;
  • If the user refuses to receive advertising messages after receiving the initial advertising registration message, no further advertising message is allowed;
  • Immediately after receiving a refusal request from a user, the advertiser must terminate providing advertising messages, email or calls to the user;
  • No more than three advertising messages or emails, and one advertising phone call, may be sent or made per day to a single user;
  • Advertising messages are only allowed from 7 a.m. to 10 p.m.; advertising calls are only allowed from 8 a.m. to 5 p.m.; and
  • Advertising content must comply with advertising laws.

Foreign organisations which do not operate in Vietnam (i.e. do not have a commercial presence in Vietnam) but wish to advertise their products, goods, services or operations in Vietnam are required to hire a Vietnam-based advertising service provider (a company with business lines of provision of advertisement) to conduct relevant advertising activities.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

In respect of processing of contact information of business-to-business customers, requirements on prior consent, privacy notice, retention period, transfer to third parties and requests for correction/deletion of personal information do not apply.

However, if business-to-business customer information will be used for sending marketing emails and SMS messages or making marketing calls, the use of business-to-business customers’ contact information for these purposes must conform to requirements under anti-spam regulations.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Please refer to our prior discussion on anti-spam regulations for more details.

 

What rules specifically deal with cookies?

Generally, cookies could be considered a type of personal information under Vietnamese law. Thus, prior consent from users before activating cookies is required.

 

What are the consequences of non compliance with data protections laws (including marketing laws)?

Depending on the nature and severity of the violation, the violator would be subject to an administration fine ranging between VND 5 million (approx. USD 216) to VND 100 million (approx. USD 4,337) and, in very serious violations, an imprisonment of between 3 months and 7 years.

For example, failure to obtain data subjects’ prior consent for the collection, processing and use of their information is subject to a fine or VND 10–20 million (approx. USD 433–867). In serious cases, according to the Criminal Code, any person who commits illegal use of information on the computer or telecommunications network may be liable to a monetary fine of VND 30 million to VND 1 billion (approx. USD 1,300–43,376), up to 3 years' community sentence, or 6 months’ to 7 years' imprisonment. The offender might also be liable to a monetary fine of VND 20–200 million (approx. USD 867–8,675) or be prohibited from holding certain positions or doing certain jobs for 1–5 years.

Moreover, the Draft PDPD also considers imposing new administrative sanctions, including fines of up to 5% of the revenues earned from the violating activities.

Although in practice the enforcement authorities have not been actively enforcing laws and regulations on data protection, individuals are increasingly aware of their data protection rights. The enforcement environment will likely evolve rapidly.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Vietnamese laws have extra-territorial effect on organisations outside of Vietnam.

 

What upcoming data protection developments should multinational organisations be aware of?

As discussed above, the Draft PDPD is expected to be promulgated in the first quarter of 2023; however, the exact date of promulgation has yet to be determined. The MPS is also assigned, together with the Ministry of Justice, to research and develop a Law on Personal Data Protection.

Another upcoming piece of legislation is the draft Law on Protection of Consumer’s Rights (“Draft CRPL”). The Draft CRPL adds definition of consumer’s information; regulations on the responsibility to protect consumer’s information; and the required contents in consumer’s information protection policies. Moreover, under the draft, provisions in a contract that require the agreement of consumers for business organisations and individuals to collect, store and use their information as a condition for entering into contracts and general transactions shall be invalid. The Draft CRPL was reviewed and discussed by the National Assembly in November 2022. It is expected that the final version will be submitted to the National Assembly for approval and promulgation in May 2023.

In addition, the draft new Law on Electronic Transactions supplements provisions on the obligation of digital platform providers and intermediary digital platform providers to protect personal information. The draft is being discussed by the National Assembly and is scheduled to be submitted to the National Assembly for ratification in May 2023.

This legislation will have an important impact on the legal framework for data protection and create additional obligations for data controllers processing personal data in Vietnam.

 

Search by:

Need more information?
Contact a member firm:
Waewpen Piemwichai
Tilleke & Gibbins
Vietnam


Thao Thu Bui
Tilleke & Gibbins
Vietnam