Tilleke & Gibbins
The following law(s) specifically govern personal data / information:
There is not a single comprehensive data protection law in Vietnam. Instead, regulations on data protection & privacy can be found in various legal instruments. The right of privacy and right of reputation, dignity and honour and fundamental principles of such rights are currently provided for in the 2013 Constitution (“Constitution”) and Civil Code 2015 (“Civil Code”) as inviolable and protected by law.
- Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015; as amended from time to time (“Criminal Code”);
- Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”);
- Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Network Information Security Law”);
- Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“CRPL”);
- Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning (“IT Law”);
- Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”);
- Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification (“Decree 85”);
- Decree No. 72/2013/ND-CP dated 15 July 2013 of the Government, on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No. 150/2018/ND-CP dated 7 November 2018 (“Decree 72”);
- Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree 08/2018/ND-CP dated 15 January 2018, on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade (“Decree 52”);
- Decree No. 91/2020/ND-CP of the Government dated 14 August 2020 on anti-spam messages, emails and calls (“Decree 91”);
- Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”);
- Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”); and
- Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources (“Circular 24”).
Each aspect and each industry may have its own regulating documents. In other words, the applicability of legal documents will depend on the factual context of each case. For example, businesses in the banking and finance, education and healthcare sectors may be subject to specialized data protection regulations, not to mention the regulations on employees’ personal information provided in the Labour Code 2019 (“Labour Code”).
The most important Vietnamese legal documents regulating data protection are the Cybersecurity Law and Network Information Security Law. However, it is worth noting that unlike cybersecurity laws in other jurisdictions that were inspired by the GDPR of the EU, the Cybersecurity Law of Vietnam shares similarities with China’s Cybersecurity Law enacted in 2017. This law focuses on providing the government with the ability to control the flow of information; meanwhile, the Network Information Security Law enforces data privacy rights for individual data subjects.
A draft decree detailing a number of articles of the Cybersecurity Law (“Draft Cybersecurity Decree”), notably including implementation guidelines for data localization requirements, together with a draft decree detailing the order of and procedures for application of a number of cybersecurity assurance measures and a draft Decision of the Prime Minister promulgating a List of information systems important for national security, are being prepared by the Ministry of Public Security (“MPS”) in coordination with other relevant ministries, ministerial-level agencies & bodies.
Nevertheless, in an attempt to elevate Vietnamese data protection laws/regulations to adequately meet the protection measures set out under international standards (especially the GDPR), the MPS has been drafting a new Decree on Personal Data Protection (“Draft PDPD”). The Draft PDPD was released for public comments in February 2021. The MPS anticipates that the Draft PDPD will be promulgated and take effect by December 2021.
The key data protection principles in this jurisdiction are:
According to Vietnamese laws, the solid legal basis for the processing of personal information (defined as the performance of one or some acts of collecting, editing, utilizing, storing, providing, sharing or spreading personal information in cyberspace for commercial purposes) is a prior consent given by the data subject. Specifically, it requires that organizations that process personal information collect personal information only after (i) having notified data subjects of the scope, purpose, storage period, form and location of collection, storage, processing, use, disclosure and transfer of such information (the relevant terminologies cover “collect, store, process, use, disclose and transfer” rather than just “collection and processing” of data); (ii) obtaining their consent before collecting and/or processing of their personal data. Traders or organizations collecting and using the consumers’ personal information on e-commerce websites must set up a mechanism for consumers (or “subjects”) to clearly express their consent through online functions on the website, e-mail, messages or other methods as agreed by the two parties.
However, based on the specific purposes for processing of personal information, the laws provide an alternative legal basis besides consent. Particularly, organizations may collect, process, use, store, disclose and transfer personal information of other people without consent when that information is used for the following purposes:
- Signing, modifying or performing contracts on the use of information, products or services in the network environment (generally defined as “the environment in which information is provided, transmitted, collected, processed and exchanged via information infrastructure”);
- Calculating charges for use of information, products or services in the network environment; and
- Performing other obligations provided for by law (e.g. upon the request of a competent authority as prescribed by law).
In addition, the traders and organizations collecting and using consumers’ personal information on e-commerce websites will be exempted from obtaining the consumers’ / subjects’ prior consent in the following cases:
- Collecting personal information that has been publicized on e-commerce websites;
- Collecting personal information to sign or perform a contract of sale and purchase of goods and services;
- Collecting personal information to calculate the price and charge of use of information, products and services on the network environment; and
- Collection of personal information for performing other obligations in accordance with the law.
Moreover, the persons collecting or processing personal information (called the “data controller”) are further required to:
- provide the data subject with their personal information collected and stored by the data controller upon receipt of a request from the data subject;
- upon receipt of a request from the data subject for re-examination, update, correction, modification or cancellation of their personal information, or for the stoppage of its provision to a third party, immediately comply with the request and notify the data subject, or grant him/her the right to access the information and do so himself/herself, and not supply or use the relevant personal information until such information is corrected;
- take necessary measures to protect personal information, and notify data subjects if the data controller fails to comply with their requests for technical reasons or other reasons; and
- delete stored personal information when they have accomplished their use purposes or the storage time has expired, and notify the data subject thereof, unless otherwise prescribed by law.
The supervisory authority / regulator in charge of data protection is:
Vietnam does not have a single national data protection authority. Instead, authority for state management of certain aspects of information and data protection has been given to a number of competent state authorities. To some extent, the key competent state authorities in charge of information and data protection would be the Ministry of Information and Communication (“MIC”), the MPS, and the Vietnam Cybersecurity Emergency Response Teams / Coordination Center (“VNCERT/CC”) directly managed by the Authority of Information Security (“AIS”) under the MIC. Their key roles are particularly as follows:
- The MIC, particularly the AIS, is responsible for management of the provision of cyberspace services (e.g. social networks, online gaming, e-commerce, etc.), such as requesting cyberspace service providers to delete illegal data uploaded to their system or network;
- The MPS, particularly the Department for Cybersecurity and High-tech Crime Prevention and Fighting, is responsible for supervision of national cybersecurity, such as requesting cyberspace service providers to (1) store data in Vietnam and (2) provide users’ information for cybersecurity crime investigations; and
- VNCERT/CC acts as the national coordination center for responding to cybersecurity incidents and information security testing.
In addition to the above, subject to each specific industry (e.g. banking and finance; education; healthcare; natural resources and environment; culture, sports and tourism; etc.), the state management authority in charge of each industry and its IT center is involved in relevant information system protection.
Is there a requirement to register with a supervisory authority / regulator?
There is no requirement under Vietnamese law whereby a private-sector data controller (or its activities) must be registered with the local authorities (e.g. MPS, MIC or VNCERT/CC), except in the following cases:
Moreover, the current draft PDPD requires that an organization wishing to collect or process sensitive personal data (hereinafter referred to as “sensitive data processor”) must be registered with the Personal Data Protection Commission (“PDPC”) under the MPS prior to such data processing. The scope of sensitive personal data as defined in the Draft ranges from specific types of data such as gender, biometrics, criminal records, and location to very broad concepts such as political and religious views and social relationships. The sensitive data processor must prepare and submit an impact assessment report addressing the potential harm to data subjects due to the proposed processing and measures to manage, minimize, or eliminate such harm. The PDPC will process the applications within 20 working days from the date of receipt of a valid application, which means the date that all information and documents provided in the application are acceptable to the officers in charge.
Similarly, the draft PDPD also requires data transferors to obtain prior approval from the PDPC before transferring Vietnamese citizens’ personal data out of Vietnam. They must also (i) obtain prior consent from the data subjects, (ii) store the original data in Vietnam, and (iii) secure proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the draft.
Is there a requirement to notify the supervisory authority / regulator?
Currently, Vietnamese laws do not require a data controller in the private sector to notify the local authorities (e.g. MPS, MIC or VNCERT/CC) of data processing activities, except in cases of actual or suspected personal information security incidents. Please refer to our response on data breach notification requirements below for details.
Is it possible to register with / notify the supervisory authority / regulator online?
Registration or written notice of contact information of organizations or individuals involved in cross-border public information provision activities for at least one million Internet users in Vietnam a month may be sent to the email address [email protected]. Please refer to our response above on registration for more details.
In respect of registration or approval for sensitive data processing and cross-border data transfer, the draft PDPD does not clearly provide that the application files can be submitted or processed electronically. Thus, it is very likely that online submission will not be available.
The key data subject rights under the data protection laws of this jurisdiction are:
If a data subject specifically asks a data controller to correct or delete his or her personal information, upon receiving such request the data controller must immediately:
- Comply with the request and notify the data subject (if such request is practicable); or
- Take necessary measures to protect such information and notify the data subject if it fails to comply with such request due to technical or other reasons.
Is there a requirement to appoint a data protection officer (or equivalent)?
Currently, there is no regulation requiring the data controller to appoint a data protection officer (“DPO”). However, certain types of organizations (e.g. owners of large information systems and others such as telecoms enterprises, banks, state bodies, information system owners using state funds, etc.) are required to appoint specialized information security focal points and contact persons to supervise and warn on cyber-information security and so on. These officers are expected to be in charge of incidents rather than data protection issues. Other strict requirements (under various legal documents) are also applicable to such kinds of organizations and do not cover “companies of the private sector”.
However, the foregoing position may be changed in the near future as the draft PDPD requires data controllers to appoint a DPO and notify the PDPC of the DPO’s contact information.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No. Currently, there is no requirement to conduct any data protection impact assessment. However, the current draft PDPD requires impact assessment reports for (i) sensitive data processing and (ii) cross-border data transfer. Please see our related responses above for details.
Does this jurisdiction have any specific data breach notification requirements?
The laws of Vietnam impose several requirements for the reporting and notification of actual or suspected personal information security incidents. In general, if a data security incident falls under the criteria set out by law, the data controller must promptly take relevant measures to mitigate it and notify the relevant competent state authorities and/or affected data subjects in a timely manner (e.g., 5 days after detection of the security incident, or immediately for incidents that are beyond the control of the data controller). If the information system of an e-commerce service provider is attacked, causing risk of loss of a consumer’s information, the data controller must notify the authorities within 24 hours after detection of the incident.
Normally, the data controller would be required to give relevant notifications to the following state authorities:
- Government agencies under the MPS (i.e. the Department of Cybersecurity and High-Tech Crime Prevention and Fighting and the provincial police department where the head office of the data controller is located, as the case may be); and
- The Vietnam Computer Emergency Response Team / Coordination Center directly managed by the Authority of Information Security under the Ministry of Information and Communications.
The following restrictions apply to the international transfer of personal data / information:
Currently, there is no specific restriction on transfer of personal data out of the jurisdiction. In general, if a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including group companies), the data controller must inform the data subjects and obtain prior explicit consent from the relevant data subjects. The data exporter or importer does not need to obtain authorization from or make a filing with the Vietnamese regulators, or notify the supervisory authority before transferring personal data outside of Vietnam.
However, the foregoing position may change in the near future as the Vietnamese authorities are considering imposing data localization requirements in Vietnam.
The Cybersecurity Law requires that domestic or foreign cyberspace service providers carrying out activities of collecting, exploiting / using, or analysing and processing personal information, data about service users' relationships, and data generated by service users in Vietnam must store such data in Vietnam for a specified period to be stipulated by the government. In particular, according to the draft Cybersecurity Decree, domestic and foreign enterprises providing telecom and online services to customers in Vietnam may be required to locally store certain customer-related data in Vietnam for a certain period prescribed by law if the authority alerts them that their services/online platforms have been used to commit violations of Vietnam’s laws and such online service providers fail to remedy the situation upon the request of the authority. According to the latest version of the draft Cybersecurity Decree, the companies which would be subject to these data localization requirements include those engaging in the following 10 services: (i) telecommunications; (ii) data storage and sharing in cyberspace; (iii) supply of national or international domains to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) providing, managing or operating other information in cyberspace in the form of messages, phone calls, video calls, email or online chats. According to reports, after revising the Draft Cybersecurity Decree several times, the Vietnamese authorities aim to finalize and promulgate it within this year, 2021.
The draft PDPD also suggests imposing restrictions on cross-border data transfer (including registration of transferring personal data from Vietnam to foreign countries). The draft also requires that before transferring Vietnamese citizens’ personal data out of Vietnam (i) consent must be obtained from the data subjects; (ii) the original data must be stored in Vietnam; (iii) the data transferor must have proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the draft; and (iv) written approval for transfer must be obtained from the PDPC. The draft PDPD provides an exemption to the foregoing requirement when there is (a) consent from the data subject, (b) approval from the PDPC, (c) a commitment from the data processor to protect the data, and (d) a commitment from the data processor to apply measures to protect the data. (It is unclear from the wording of the draft whether the data transferor needs to meet one or all of these criteria to be eligible for the exemption, but presumably all four must be met.) In order to obtain written approval from the PDPC, an application must include an impact assessment report with an assessment of potential harm and measures to manage, minimize or eliminate such harm. The PDPC has 20 working days from the date of submission to process applications for approval.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, in general, the Vietnamese laws related to personal information protection have extraterritorial effects and apply to any Vietnamese or foreign individuals and organizations who collect, process or store personal information of other persons in Vietnam. That is to say, if a data controller will collect, process, use, store, transfer, disclose or share personal information of any persons in Vietnam, the data controller is subject to Vietnam’s data protection and privacy laws/regulations even if it is an offshore company that does not have any business presence or employees in Vietnam.
As discussed above, Vietnam’s data protection provisions are scattered throughout different pieces of legislation. The application scope of these laws is rather broad when Vietnamese elements are involved in the concerned relationships/ transactions, such as activities taking place in Vietnam and, in criminal cases, concerning personal information of Vietnamese citizens.
Generally, the collection or processing of personal data of Vietnamese citizens outside of Vietnam is not subject to the data privacy and protection laws/regulations. However, if such overseas collection/processing is considered a crime under Vietnam’s Penal Code, Vietnamese criminal law could also apply to such extraterritorial collection and processing.
However, legal enforcement of violations related to data privacy and protection in Vietnam remains relatively low. In practice, there is only nominal enforcement. In many areas, there has not been any actual (or at least high-profile) enforcement. If there are monetary penalties, they are usually low. While data privacy violations might serve as grounds for private lawsuits, the monetary awards in Vietnam are generally also low.
The following rules specifically deal with marketing:
In principle, if an e-commerce service provider will use customers’ personal information for marketing purposes (e.g. sending advertisements, product introductions or other commercial information), the law requires that the customers’ consent for these purposes be expressly obtained through a separate mechanism that allows users to permit or refuse the use of their personal information for such marketing purposes. Please refer to our response below for specific regulations on electronic marketing.
Moreover, Vietnam also has a regulation on anti-spam (i.e., Decree No. 91/2020/ND-CP on anti-spam text messages, emails and calls (“Decree 91”)). According to Decree 91, advertisements by text message, email or telephone may only be sent or made in compliance with a number of specific conditions:
- It is prohibited to send advertising messages or make advertising calls to phone numbers on the Do-Not-Call Register;
- For phone numbers not included in the Do-Not-Call Register, only one initial advertising registration message (i.e., a message inquiring whether the user would like to receive advertising communications from the advertiser) is allowed;
- If the user refuses to receive advertising messages after receiving the initial advertising registration message, no further advertising message is allowed;
- Immediately after receiving a refusal request from a user, the advertiser must terminate providing advertising messages, email or calls to the user;
- No more than three advertising messages or emails, and one advertising phone call, may be sent or made per day to a single user;
- Advertising messages are only allowed from 7 a.m. to 10 p.m.; advertising calls are only allowed from 8 a.m. to 5 p.m.; and
- Advertising content must comply with advertising laws.
Foreign organizations which do not operate in Vietnam (i.e. do not have a commercial presence in Vietnam) but wish to advertise their products, goods, services or operations in Vietnam are required to hire a Vietnam-based advertising service provider (a company with business lines of provision of advertisement) to conduct relevant advertising activities.
Do different rules apply to business-to-business and business-to-consumer marketing?
In respect of processing of contact information of business-to-business customers, requirements on prior consent, privacy notice, retention period, transfer to third parties and requests for correction/deletion of personal information do not apply.
However, if business-to-business customer information will be used for sending marketing emails and SMS messages or making marketing calls, the use of business-to-business customers’ contact information for these purposes must conform to requirements under anti-spam regulations.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Please refer to our prior discussion on anti-spam regulations for more details.
The following rules specifically deal with cookies:
Generally, cookies could be considered a type of personal information under Vietnamese law. Thus, prior consent from users before activating cookies is required.
The consequences of non-compliance with data protection laws (including marketing laws) are:
Depending on the nature and severity of the violation, the violator would be subject to an administrative fine ranging between VND 5 million (approx. USD 216) and VND 100 million (approx. USD 4,337) and, for very serious violations, imprisonment of between 3 months and 7 years.
For example, failure to obtain data subjects’ prior consent for the collection, processing and use of their information is subject to a fine of VND 10–20 million (approx. USD 433–867). In serious cases, according to the Criminal Code, any person who commits illegal use of information on a computer or telecommunications network may be liable to a monetary fine of VND 30 million to VND 1 billion (approx. USD 1,300–43,376), up to 3 years' community sentence, or 6 months’ to 7 years' imprisonment. The offender might also be liable to a monetary fine of VND 20–200 million (approx. USD 867–8,675) or be prohibited from holding certain positions or doing certain jobs for 1–5 years.
Although in practice the enforcement authorities have not been actively enforcing laws and regulations on data protection, individuals are increasingly aware of their data protection rights. The enforcement environment will likely evolve rapidly.
Moreover, the draft PDPD also considers imposing new administrative sanctions, including fines of up to 5% of the revenues earned from the violating activities.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Vietnamese laws have extra-territorial effect on organisations outside of Vietnam. Please refer to our prior discussion on this matter for more details.
Multinational organisations should be aware of the following upcoming data protection developments:
As discussed above, the Government is currently refining the draft Cybersecurity Decree and the draft PDPD. These pieces of legislation will have an important impact on the legal framework for data protection and create additional obligations for data controllers processing personal data in Vietnam. Please refer to our prior discussions on these matters for more details.