Tilleke & Gibbins
What law(s) specifically govern personal data / information?
Regulations on data protection and privacy can be found in various legal instruments. The recently promulgated Decree No. 13/2023/ND-CP of the Government dated 17 April 2023 on Personal Data Protection (‘PDPD’) is the very first regulation fully dedicated to the protection of personal data in Vietnam. It is considered a landmark legal instrument, with the potential to bring Vietnam’s data protection regime closer to GDPR requirements. The PDPD does not replace the patchwork of existing regulations listed below, but concurrently exists with them.
The right to privacy and the rights to reputation, dignity and honour, together with the fundamental principles of those rights, are provided for in the 2013 Constitution ('Constitution') and the Civil Code 2015 ('Civil Code') as inviolable and protected by law.
In addition to the PDPD, the principles on collection, storage, use, processing, disclosure or transfer of personal information are specified in the following main laws and guiding documents, among others:
- Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015; as amended from time to time ('Criminal Code');
- Law No. 20/2023/QH15 on E-Transactions, passed by the National Assembly on 22 June 2023 ('E-Transactions Law');
- Law No. 19/2023/QH15 on Protection of Consumers' Rights, passed by the National Assembly on 20 June 2023 ('CRPL');
- Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 ('Cybersecurity Law');
- Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws ('Network Information Security Law');
- Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning ('IT Law');
- Decree No. 53/2022/ND-CP of the Government dated 15 August 2022 elaborating a number of articles of the Law on Cybersecurity of Vietnam ('Decree 53');
- Decree No. 98/2020/ND-CP of the Government dated 26 August 2020 prescribing penalties for administrative violations against regulations on commerce, production and trade in counterfeit and prohibited goods, and protection of consumer rights; as amended by Decree No. 17/2022/ND-CP of the Government dated 31 January 2022 ('Decree 98');
- Decree No. 91/2020/ND-CP of the Government dated 14 August 2020 on anti-spam messages, emails and calls ('Decree 91');
- Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions; as amended by Decree No. 14/2022/ND-CP of the Government dated 27 January 2022 ('Decree 15');
- Decree No. 85/2016/ND-CP of the Government dated 1 July 2016 on the security of information systems by classification ('Decree 85');
- Decree No. 72/2013/ND-CP of the Government dated 15 July 2013 on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No. 150/2018/ND-CP dated 7 November 2018 ('Decree 72') (Decree 72 will soon be replaced, with a draft decree having been circulated earlier for public consultation);
- Decree No. 52/2013/ND-CP of the Government dated 16 May 2013 on e-commerce; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018 on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade and Decree No. 85/2021/ND-CP of the Government dated 25 September 2021 amending and supplementing some articles of Decree No. 52/2013/ND-CP ('Decree 52');
- Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide ('Circular 20');
- Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information ('Circular 38'); and
- Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources ('Circular 24').
Each aspect and each industry may have its own regulating documents. In other words, the applicability of legal documents will depend on the factual context of each case. For example, businesses in the banking and finance, education and healthcare sectors may be subject to specialised data protection regulations, not to mention the regulations on employees' personal information provided in the Labour Code 2019 ('Labour Code').
The most important Vietnamese legal documents regulating data protection are the PDPD, the Cybersecurity Law, its guiding Decree 53, and the Network Information Security Law. However, it is worth noting that unlike cybersecurity laws in other jurisdictions that were inspired by the GDPR of the EU, the Cybersecurity Law of Vietnam shares similarities with China's Cybersecurity Law enacted in 2017. This law focuses on providing the government with the ability to control the flow of information; meanwhile, the Network Information Security Law enforces data protection measures applicable to data networks located in Vietnam.
At the time of this writing, the decree on administrative sanctions in the cybersecurity sector ('Draft Sanction Decree') is still under preparation by the Ministry of Public Security ('MPS') in coordination with other relevant ministries, ministerial-level agencies and bodies and is expected to be promulgated soon. This Draft Sanction Decree will impose sanctions for violations of obligations pursuant to the PDPD, Network Information Security Law, Cybersecurity Law and Decree 53.
The MPS is also in the process of developing the Law on Personal Data Protection ('PDPL') and the Law on Data ('Data Law'). For the PDPL, on 29 February 2024, the MPS issued the PDPL dossier, proposing the development of the PDPL (a necessary first step in the legislation development procedure in Vietnam). By issuing this PDPL dossier, the MPS is calling for public comments and opinions on the development of this new legislation from onshore and offshore agencies, organisations and individuals. The issuance of the PDPL will help to, among other things, address and resolve the potential grey areas and conflicts between the PDPD and other existing regulations on personal data protection.
According to Decision No. 142/QD-VPCP of the Vietnamese Government Office dated 16 March 2024 promulgating the plan to implement Directive No. 04/CT-TTg of the Prime Minister dated 11 February 2024 on continued promotion of the implementation of the project to develop the application of residential data electronic identification and authentication to serve national digital transformation in the 2022-2025 period, with a vision to 2030 in ministries, sectors and localities in 2024 and the following years ('Decision 142'), the Legal Department (under the Government Office) shall, in coordination with the MPS, advise the Government to submit to the National Assembly Standing Committee the proposal to develop the PDPL within Quarter 2 of 2024. As of 15 September 2024, however, neither a draft version nor a specific outline of the PDPL has been made available to the public.
For the Data Law, on 23 February 2024, the MPS issued the Data Law dossier, proposing the development of the Data Law and calling for public comments and opinions on the development of this new legislation from onshore and offshore agencies, organisations and individuals. On 2 July 2024, the MPS released for public consultation the detailed draft version of the Data Law ('Draft Data Law'). The purpose of the Data Law is to regulate: (i) the construction, development, processing and administration of data and the application of science and technology in data processing; (ii) a national general/comprehensive database; (iii) a national data centre; and (iv) data-related products and services. It is worth noting that the Draft Data Law gives itself precedence over other laws by prescribing that the data regulations under other laws must not contravene the Data Law. In cases where other laws do not stipulate, or have regulations on data that differ from, the provisions of the Data Law, the provisions of the Data Law shall apply. According to Deputy Minister of Public Security Le Quoc Hung, the MPS has already completed the dossier and submitted the draft law to the Government. As of 30 August 2024, the Draft Data Law has passed the rounds of the Government Standing Committee and the Government. The Data Law project is expected to be (i) submitted to the 15th National Assembly at its 8th session in October 2024; and (ii) passed at the 9th session in May 2025.
What are the key data protection principles in this jurisdiction?
The PDPD introduces eight principles for the processing of personal data. These eight principles are: (i) the processing of personal data shall be in accordance with the law (lawfulness); (ii) data subjects must be informed of every activity involving the processing (transparency); (iii) personal data shall be processed only for the purposes registered and announced in relation to the processing (purpose limitation); (iv) personal data collected must be relevant and confined to the extent and purposes of the processing (data minimization); (v) personal data must be updated and supplemented in accordance with the processing’s purposes (accuracy); (vi) personal data must be subject to protection and security measures during the processing (integrity, confidentiality and security); (vii) personal data shall be kept only for a term appropriate with the processing’s purposes (storage limitation); and (viii) the data controller must demonstrate their compliance (accountability).
Vietnam is a consent-centric jurisdiction. This means that, regarding lawfulness, prior consent given by the data subject is the legal basis for personal data processing activities, except for certain exemptions provided by law. Personal data processing is defined as one or multiple activities that have an impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, tracing, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities. Specifically, the PDPD stipulates that consent must be given voluntarily and based on the data subject's full understanding of the type of personal data to be processed, the purpose of the personal data processing, the organisations/individuals authorised to process personal data, the data subject's rights and obligations and whether the data to be processed is sensitive personal data. Sensitive personal data is defined as personal data in association with individual privacy which, if violated, will jeopardise a person's legitimate rights and interests. In particular, the PDPD specifies sensitive personal data to include, among other things, political and religious views, health status and private life information as recorded in medical records (except for blood type), racial or ethnic origin, genetic characteristics, biometric characteristics, sexual orientation, criminal records, customer information of credit institutions/foreign bank branches/payment intermediary service providers, or location data identified via location services.
Valid consent is also subject to prior notice. The PDPD stipulates that data subjects shall be notified before their personal data is processed. The notification to the data subject shall be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format. Accordingly, the PDPD prescribes the specific contents of which data subjects must be informed in the notification of personal data processing, including:
- Purposes of processing;
- Type of personal data used in relation to the processing purposes above;
- Method of processing personal data;
- Information on other organisations and individuals related to the processing purposes above;
- Consequences and undesirable damages that are likely to occur; and
- Start time and end time of data processing.
The prior notice is exempted when (i) the data subject clearly knows and fully agrees with the contents above before agreeing to the collection of personal data; or (ii) the personal data is processed by a competent state agency for serving the operations of the state agency in accordance with the law.
Valid consent is also subject to strict format requirements. The PDPD requires that the consent of the data subject shall be expressed in a clear and specific manner in writing, by voice, by ticking the consent box, by consent syntax via message, by selecting consent settings or by other forms. Consent must be given for each purpose for which the personal data is processed. This means that if there are multiple processing purposes, they should be presented in a way that allows data subjects to consent to one or more individually. The data subjects may also opt to provide a partial or conditional consent. Moreover, it is explicitly stipulated that silence or non-response of the data subject shall not be interpreted as consent, meaning that implied consent will not be accepted. Additionally, the consent must be given in a form that can be printed or copied in writing, including in electronic or verifiable format.
However, the PDPD also provides exemptions to the foregoing consent requirement. Particularly, the processing of personal data without consent is permissible in the following circumstances:
- In urgent cases where it is necessary to immediately process relevant personal data to protect the life or health of the data subject or others;
- Where the public disclosure of personal data is in accordance with the law;
- When the processing of data is done by competent state agencies in the event of a state of emergency on national defence and security, social order and safety, major disaster, or dangerous epidemic; or when there is a risk that threatens security and national defence but not to the extent where it is necessary to declare a state of emergency; or to prevent and combat riots, terrorism, crimes and violations of the law;
- To fulfil the contractual obligations of the data subject with relevant agencies, organisations and individuals as prescribed by law;
- For competent agencies and organisations to carry out audio and/or video recording and process personal data obtained from audio or video recording activities in public places for the purpose of protecting national security, social order and safety, or the legitimate rights and interests of organisations and individuals; or
- To serve the activities of state agencies as prescribed by sector-specific laws.
What is the supervisory authority / regulator in charge of data protection?
Vietnam does not have a single national data protection authority. Instead, authority for state management of certain aspects of information and data protection has been given to a number of competent state authorities. To some extent, the key competent state authorities in charge of information and data protection are the MPS (which is the authority in charge of enforcement of the PDPD and the Cybersecurity Law), the Ministry of Information and Communications ('MIC') (which is the authority in charge of the Network Information Security Law), and the Vietnam Cybersecurity Emergency Response Teams/Coordination Center ('VNCERT/CC'), directly managed by the Authority of Information Security ('AIS') under the MIC. Their key roles are as follows:
- With the issuance of the PDPD, the MPS becomes the main supervisory authority responsible for personal data protection. Specifically, the Department of Cybersecurity and Prevention of Cybercrimes ('A05') under the MPS is a specialized force which is tasked with enforcing and overseeing compliance with Vietnam's personal data protection regulations, including the requirements under the PDPD.
- The MIC, particularly the AIS, is responsible for management of the provision of cyberspace services (e.g. social networks, online gaming, e-commerce, etc.), such as requesting cyberspace service providers to delete illegal data uploaded to their systems or networks. The MIC is also recognised as a state management agency on network information security.
- VNCERT/CC acts as the national coordination centre for responding to cybersecurity incidents and information security testing.
In addition to the above, subject to each specific industry (e.g. banking and finance; education; healthcare; natural resources and environment; culture, sports and tourism; etc.), the state management authority in charge of each industry and its IT centre is involved in relevant information system protection.
Is there a requirement to register with a supervisory authority / regulator?
There is no requirement under Vietnamese law whereby a private-sector data controller (or its activities) must be registered with the local authorities (e.g. MPS/A05, MIC), except in the following cases:
- Foreign enterprises which provide services on telecom networks and on the Internet and other value-added services in cyberspace in Vietnam ('cyberspace service providers') may need to register for establishment of branches or representative offices in Vietnam if (i) their services were used to commit violations of Vietnamese law and (ii) they have received a warning from the MPS but have failed to remedy the situation. In such cases, the MPS will send an official notification demanding the company to establish a branch or representative office in Vietnam. The company will then have 12 months from the date it received the notice to comply with the requirement.
- Organisations or individuals that are involved in cross-border public information provision activities, that rent digital information storage facilities within Vietnam to provide their services, or that are reported to provide public information to be used or accessed by at least one million Internet users in Vietnam a month, will be subject to the obligation to notify the MIC of their contact information, including:
  - In the case of an organisation: registered name, transactional name, name of the licensing country, and main office address;
  - In the case of an individual: the person's name, permanent residence address and nationality of the individual owning an electronic information page, and location of the main server system; and
  - Principal contact agent of an overseas organisation or individual and principal contact agent operated within the territory of Vietnam, including information such as the name of the organisation or individual, contact email address and telephone number.
This can be supplied directly, by post, or by email to: [email protected].
Is there a requirement to notify the supervisory authority / regulator?
The PDPD requires individuals and organisations to notify the supervisory authority/regulator of personal data processing activities through the submission of two separate impact assessment dossiers to the A05: a personal data processing impact assessment dossier ('DPIA') and a cross-border transfer impact assessment dossier ('TIA'). The DPIA is required for all personal data processing activities and applies to data controllers and data processors. The TIA, on the other hand, is specifically required when transferring the personal data of Vietnamese citizens overseas across borders from Vietnam. This obligation extends to all data transferors/senders, which may include the data controller, data processor, and any third party involved.
For the sake of clarity, a data controller is an organisation that determines the purposes and means of personal data processing (i.e., the “why” and “how” of the processing), whereas the data processor is an organisation that conducts the processing of personal data on behalf of the data controller via an agreement. A third party is any organisation other than the data subject, data controller or data processor that is permitted to process personal data.
The data controller must establish a DPIA in accordance with the template prescribed by law, which notably includes, but is not limited to:
- Contact information and details of the data controller;
- Name and contact details of the organization and employee assigned to protect personal data of the data controller;
- Processing purposes;
- Types of personal data to be processed;
- Data-receiving organization or individual, including the organization or individual that is located or lives outside the territory of Vietnam;
- Cases of cross-border transfer of personal data;
- Duration of processing of personal data; estimated duration of deletion or destruction of personal data (if any);
- Description of measures for protecting personal data; and
- Assessment of impact of personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.
Similarly, the data processor shall establish a DPIA in accordance with the template prescribed by law, which notably includes, but is not limited to:
- Contact information and details of the data processor;
- Name and contact details of the organization assigned to process personal data and the employee responsible for processing personal data of the data processor;
- Description of processing of personal data and types of personal data to be processed under a contract with the data controller;
- Duration of processing of personal data; estimated duration of deletion or destruction of personal data (if any);
- Cases of cross-border transfer of personal data;
- General description of measures for protecting personal data; and
- Undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.
If a company processes personal data under different roles (i.e., in some cases as a data controller and in other cases as a data processor), it needs to prepare two separate DPIAs: one as a data controller and one as a data processor.
Regarding the TIA requirements, the dossier on TIA must be established in accordance with the template prescribed by law, which notably includes, but is not limited to:
- Contact information and details of the data sender and the data receiver of a Vietnamese citizen’s personal data;
- Full name and contact details of an organization or individual under the data sender involved in sending and receiving a Vietnamese citizen’s personal data;
- Description and explanation about objectives of the processing of a Vietnamese citizen’s personal data after the personal data is transferred abroad;
- Description and clarification of the type of personal data to be transferred abroad;
- Description and explanation about the observance of regulations on protection of personal data under the PDPD, and detailed measures for protecting personal data;
- Assessment of impact of personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage;
- Consent of the data subject when he/she is informed of the mechanism for feedback and complaint in case of arising problems or requests; and
- Document that shows obligations and responsibilities between the data senders and the data receivers for processing of a Vietnamese citizen’s personal data.
The data sender is also required to notify the A05 of information about the data transfer and contact details of the organization or individual in charge of such transfer in writing after the personal data is successfully transferred.
The DPIA and TIA must be submitted within 60 days from the start of processing, using the statutory forms, and be updated from time to time in the case of material changes in their content. They must remain available at all times to serve the inspection and assessment activities of the MPS. The MPS has the right to assess the dossiers and request amendments if they are considered incomplete in accordance with the law.
When sensitive personal data is processed, the PDPD mandates that a Data Protection Officer ('DPO') and an internal personal data protection department ('DPD') must be appointed and that information on the DPD and the DPO must be notified to the MPS.
In addition to the foregoing, notification to the local authorities (e.g. MPS, MIC or VNCERT/CC) is also required in cases of actual or suspected personal data security incidents. Please refer to our response to Question 10 for details.
Is it possible to register with / notify the supervisory authority / regulator online?
Notification of contact information of organisations or individuals involved in cross-border public information provision activities for at least one million Internet users in Vietnam a month may be sent to the email address: [email protected]. Please refer to our response above on registration for more details.
In respect of submission of DPIA and TIA dossiers (including an appointment of a DPO and DPD) and data breach notification under the PDPD, the MPS has set up a National Portal of Personal Data Protection at the address https://baovedlcn.gov.vn/#/ for entities to submit the mandatory documents. At the time of this writing, this portal has been launched but the submission feature is not yet operational. Thus, online submission is not available at the moment. This portal will also allow for data subjects to denounce violations and file complaints with the Vietnamese data protection authority.
What are the key data subject rights under the data protection laws of this jurisdiction?
The PDPD recognizes 11 rights of data subjects, including: the right to be informed; right to give consent; right to access; right to withdraw consent; right to delete data; right to restrict data processing; right to request data provision; right to object to data processing; right to file complaints, denunciations and lawsuits; right to claim damages; and right to self-defence. The details are as follows:
Right to be informed
The data subject has the right to be informed of its personal data processing, unless otherwise provided for by law. Accordingly, the PDPD prescribes specific contents that data subjects must be informed of in the notification of personal data processing (please refer to our answer to Question 2 for more information).
Right to give consent
The data subject has the right to give consent to the processing of its personal data, other than the consent exemption cases. Please refer to Question 2 for further details on the contents and format of consent required by the PDPD as well as consent exemption cases.
Right to access
The data subject has the right to access its personal data in order to look at, rectify or request rectification of its personal data, unless otherwise provided for by law. In cases where the data subject cannot correct its personal data directly due to technical or other reasons, the data subject can request the data controller to do so. The data controller must correct the personal data as soon as possible; or, where this is not possible, notify the data subject within 72 hours from the receipt of request for correction. The data processors and the third parties may correct personal data after obtaining written consent from the data controller, knowing that the consent of the data subject has been obtained.
Right to withdraw consent
The data subject has the right to withdraw its consent, unless otherwise provided for by law. Thus, consent once given is revocable (except in the cases where the data can be processed without the consent of the data subject as prescribed by law), and data subjects may decide to withdraw their consent at any time. The withdrawal of consent shall be expressed in a format that can be printed and/or reproduced in writing, including in electronic or verifiable formats. However, the withdrawal of consent shall not affect the legality of the data processing carried out before the withdrawal.
Upon receiving the data subject's request to withdraw consent, the data controller must notify the data subject of the possible consequences and/or damages of such withdrawal for the data subject's consideration. Should the data subject confirm the withdrawal, the data controller and any third party involved in the data processing activities shall cease, and shall request the relevant organisations/individuals to cease, the processing of the data for which consent has been withdrawn.
Right to delete data
The data subject has the right to delete or request deletion of its personal data, unless otherwise provided for by law. The deletion of personal data must be carried out within 72 hours after receiving the deletion request. That said, a data subject's deletion request shall not be honoured in the following cases:
- The law stipulates that data deletion is not allowed;
- Personal data is processed by competent state agencies for the purpose of serving the operation of state agencies in accordance with the law;
- Personal data has been made public in accordance with the law;
- Personal data is processed to serve legal requirements, scientific research or statistics as prescribed by law;
- In cases of national defence and security, social order and safety, major disasters or dangerous epidemics; when there is a threat to national security or defence but not to the extent of declaring a state of emergency; for prevention and combat of riots and terrorism, or prevention and combat of crime and violations of the law; and
- In response to an emergency that threatens the life, health or safety of the data subject or another individual.
Right to restrict data processing
The data subject has the right to obtain restriction on the processing of its personal data, unless otherwise provided for by law. The restriction on the processing of personal data shall be implemented within 72 hours after receiving the request of the data subject, and on all personal data referred to in the data subject requests, unless otherwise provided for by law.
Right to request data provision
The data subject has the right to request the data controller to provide a copy of its personal data, unless otherwise provided for by law. Upon receipt of a valid request for the provision of personal data, the data controller must notify the data subject of the time limit, location, form of providing personal data; actual costs for printing, copying, photographing and sending information via postal and facsimile services (if any) and payment methods and terms; and provide personal data according to procedures as stipulated by law. The provision of personal data must be conducted within 72 hours after the request of the data subject, unless otherwise provided for by law.
The law provides that personal data must not be provided at the data subjects’ request in the following cases:
- Where the provision of personal data causes harm to national defence and security or social order and safety;
- Where the provision of personal data by the subject may affect the safety, physical or mental health of others; and
- Where the data owner does not give consent to the provision, or representation or authorization for the receipt, of its personal data.
Right to object to data processing
The data subject has the right to object to the data controller processing its personal data in order to prevent or restrict (i) the disclosure of personal data or (ii) the use of personal data for advertising and marketing purposes, unless otherwise provided for by law. The data controller shall implement the data subject’s request within 72 hours after receiving the request, unless otherwise provided for by law.
Right to file complaints, denunciations and lawsuits
The data subject has the right to file complaints, denunciations and lawsuits as prescribed by law, if the collection and/or processing of its personal data is made in violation of relevant laws.
Right to claim damages
The data subject has the right to claim damages as prescribed by law when there are violations against regulations on protection of its personal data, unless otherwise agreed by parties or unless otherwise prescribed by law.
Right to self-defence
The data subject has the right to self-defence according to the applicable laws, including but not limited to the Civil Code, other relevant laws and the PDPD, or to request competent agencies and organisations to implement civil rights protection methods, such as recognising, respecting, protecting and guaranteeing its civil rights, ordering termination of the violating act, ordering a public apology or correction, ordering the performance of obligations, ordering compensation for loss or damage, annulling an unlawful isolated decision of competent agencies, organisations or persons, and other requirements specified by law.
Is there a requirement to appoint a data protection officer (or equivalent)?
For organisations processing sensitive personal data (see definition in our answer to Question 2), the PDPD requires the appointment of a data protection department ('DPD') and a head of the DPD (often referred to as the data protection officer ('DPO')) who takes charge of personal data protection within the organisation. However, considering the broad definition of sensitive personal data (which includes bank account information, which is typically processed by all organisations for salary payment purposes) and the fact that the DPO/DPD information is one of the mandatory items under the statutory forms for the DPIA and TIA (please refer to our answer to Question 5 for more details), it appears that the appointment of a DPD/DPO is systematically required.
Currently, there is no regulation stipulating specific qualification requirements for the DPD and DPO, leaving discretion for the processing entities to designate a suitable person for these positions. However, it is expected that the qualification requirements will be further detailed in the PDPL.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
In the DPIA and TIA statutory forms, organisations are tasked to perform assessments of impact on the data subject’s rights; the economy; society; administrative procedures; the legal system; the data subject’s interests; and national security.
Please refer to our answer to Question 5 for further information on the mandatory filings of the DPIA and TIA.
Does this jurisdiction have any specific data breach notification requirements?
The laws of Vietnam impose several requirements for the reporting and notification of actual or suspected personal information security incidents. In general, if a data incident/breach falls under the criteria set out by laws, the data controller must promptly take relevant measures to mitigate and notify relevant competent state authorities and/or affected data subjects in a timely manner. The PDPD, Cybersecurity Law and Network Information Security Law provide different notification requirements per the below, noting that there are also other sector-specific data breach notification requirements, such as for banking/finance, e-commerce, etc.:
Under the PDPD, the data controller has the obligation to notify any violation of personal data protection regulations to the competent authority (i.e., A05) within 72 hours of the occurrence of such violation. In the case of late notification, justification reasons must be provided. The notification must be done using a statutory form and in the Vietnamese language. For the avoidance of doubt, violations of regulations on personal data protection refer to any actions or failures to act that go against the legal requirements and standards set for protection of personal data, which can be interpreted to include data breach incidents. The data processor has the obligation to notify the data controller of any violation of personal data protection regulations as soon as possible.
Under the Cybersecurity Law, enterprises providing online services in Vietnam or to users in Vietnam are required to report to the affected users and the specialized cybersecurity protection force (i.e., A05) in the event of cybersecurity incidents, data breaches, leaks, damages, or loss of user information. This reporting requirement needs to be immediately carried out upon the occurrence of the cybersecurity incident/breach. The definition of “enterprises providing online services in Vietnam” is broad; however, the authorities appear to focus on enterprises offering any of the following services: (1) telecommunication services; (2) data storage and sharing in cyberspace; (3) services providing national or international domain names to service users in Vietnam; (4) e-commerce trading floors/marketplaces; (5) online payment; (6) payment intermediary services; (7) connecting transportation in cyberspace; (8) social networks and social media; (9) online games; and (10) other services that provide, manage and operate information in cyberspace in the form of messages, voice calls, video calls, email, or online chatting.
Additionally, a notification requirement is also imposed regardless of the types of services provided to customers/users in Vietnam in the case where the incident causes or is likely to cause “very serious damage” to the legitimate rights and interests of the affected individuals in Vietnam or threatens human lives. In this case, the reporting entity has the obligation to immediately notify such data incident to relevant government agencies and affected entities/individuals.
Under the Network Information Security Law, when detecting any signs of a cyber-attack or cyber-information security incident affecting an information system located in Vietnam, the administrator of the information system has an obligation to notify the occurrence of such information security incident within 5 days after detecting the incident. Notification must be made to the specialised incident response unit (VNCERT), the Vietnam Internet Network Information Center, internet service providers and other relevant state agencies, and members of the concerned incident rescue network. This notification requirement applies solely to information systems (i.e., a collection of hardware, software, and databases established to serve the purpose of creating, providing, transmitting, collecting, processing, storing, and exchanging information on the network) based in Vietnam.
What restrictions apply to the international transfer of personal data / information?
In general, if a data controller wishes to share, disclose or otherwise transfer personal data to a third party (including group companies), the data transferor must inform the data subjects and obtain prior explicit consent from the relevant data subjects. Once valid consent is successfully obtained, the data transferor can transfer personal data outside of Vietnam, except when such transfer is subject to prohibitions under the law (for example, most state secrets cannot be transferred outside of Vietnam), or the transferor receives a request from a competent authority to cease data transfer.
Within 60 days of the date of cross-border data transfer, the data transferor must prepare and submit a TIA to the MPS. Please refer to our response to Question 5 for more information on the requirements for preparation and submission of a TIA.
The PDPD defines cross-border transfer of personal data as either transferring a Vietnamese person’s personal data to a location outside of Vietnam or storing/processing a Vietnamese person’s personal data in an automatic system located in a foreign country. As cross-border transfer is one form of personal data processing stipulated under the PDPD, the data controller can transfer the personal data across borders for the purposes agreed upon by the data subjects. However, the MPS can carry out a periodic examination of the cross-border transfer activities of the data controller/data transferor on an annual basis. Additionally, the MPS can request the data transferor to cease the transfer in the following circumstances:
- The transferred personal data is used for activities that violate the interests and national security of Vietnam;
- The party transferring data abroad fails to comply with the request/requirement to complete the TIA dossier (please refer to our answer to Question 5 for more details on the TIA requirement);
- An incident involving the disclosure or loss of personal data of Vietnamese citizens occurs during the data transfer.
Pursuant to the Cybersecurity Law and its guidance under Decree 53, domestic companies (companies that are duly incorporated under Vietnamese laws) providing telecommunications services, internet services and value-added services in cyberspace in Vietnam that carry out activities of collecting, exploiting / using, or analysing and processing certain types of data (“Regulated Data”) in Vietnam must store such data in Vietnam for a specified period to be stipulated by the government. The Regulated Data is as follows:
- Data on personal information of service users in Vietnam;
- Data created by service users in Vietnam: account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone numbers in association with accounts or data; and
- Data on relationships of service users in Vietnam: friends and groups such users have connected or interacted with.
These data localization requirements also apply to foreign companies (companies that are incorporated under the laws of another jurisdiction) if the following conditions are all met:
- The company is engaged in the following 10 services: (i) telecommunications; (ii) data storage and sharing in cyberspace; (iii) supply of national or international domains to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) providing, managing or operating other information in cyberspace in the form of messages, phone calls, video calls, email or online chats (“Regulated Services”).
- The MPS notifies the foreign company that its services have been used for committing violations under Vietnamese laws.
- The foreign company fails to respond to the authority’s request or remedy the situation, or works against measures implemented by the MPS.
- The MPS sends the foreign company a request to store the Regulated Data and/or establish a branch or representative office in Vietnam.
For a foreign company that meets all the above conditions, the local presence and the local data storage in Vietnam shall be established within 12 months from the receipt of the request mentioned in point 4. The local data storage shall last until the end of the time prescribed in such request, with a minimum term of 24 months, while the local presence shall be maintained until the enterprise terminates its operation in Vietnam or until the prescribed services are no longer available in Vietnam.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. The PDPD, Network Information Security Law and Cybersecurity Law are key legislation governing data protection practice in Vietnam and their application scopes are rather broad and are considered as having extra-territorial application:
- The PDPD applies to Vietnamese organisations and individuals regardless of their place of residence, work, or operation (i.e., in Vietnam or other countries); foreign organisations and individuals being in Vietnam; and foreign organisations and individuals involved in processing personal data in Vietnam.
- The Network Information Security Law stipulates that it applies to both onshore and offshore organisations directly involved in or related to network information security activities in Vietnam.
- The Law on Cybersecurity only refers to relevant organisations involved in activities to protect national security and ensure social order and safety in cyberspace.
In addition, if the overseas collection/processing of Vietnamese citizens' personal data is considered a crime under Vietnam's Penal Code, Vietnamese criminal law could also apply to such extraterritorial collection and processing.
However, legal enforcement of violations related to data privacy and protection in Vietnam remains relatively low, especially considering that the Draft Sanction Decree has yet to be promulgated (once it is effective, the enforcement landscape in Vietnam is set to change and authorities are expected to become more active). For additional information on sanctions, please refer to Question 17.
Enforcement across borders would be challenging for the authorities. Nevertheless, in case of violations, the authorities could adopt several measures against foreign offenders such as preventing or requesting to temporarily suspend or stop providing network information; suspending activities of establishing, providing and using telecommunications networks or Internet networks; requesting to store data or set up branches or representative offices in Vietnam, etc. (Article 5.1(h) of Cybersecurity Law, Articles 21 and 26 of Decree 53).
What rules specifically deal with marketing?
In principle, when using customers' personal information for marketing purposes (e.g. sending advertisements, product introductions or other commercial information to other persons via emails, SMSs or phone calls), the law requires that consent must be made expressly in one of the following forms:
- agreeing to receive advertising messages after the advertiser sends the first and only advertising registration (opt-in) message;
- completing the consent form and making a confirmation therein, regardless of whether such form is provided in paper form or on the advertiser's website, online application or social network;
- calling or sending messages to the advertiser's call centre to subscribe; or
- using a software program to subscribe.
Moreover, Vietnam's anti-spam regulation (i.e., Decree 91) further provides that advertisements by text message, email or telephone may only be sent or made in compliance with a number of specific conditions, notably including:
- It is prohibited to send advertising messages or make advertising calls to phone numbers on the Do-Not-Call Registry;
- For phone numbers not included in the Do-Not-Call Registry, only one initial advertising registration message (i.e., a message inquiring whether the user would like to receive advertising communications from the advertiser) is allowed;
- If the user refuses to receive advertising messages after receiving the initial advertising registration message, no further advertising message is allowed;
- Immediately after receiving a refusal request from a user, the advertiser must terminate providing advertising messages, email or calls to the user;
- No more than three advertising messages or emails, and one advertising phone call, may be sent or made per day to a single user;
- Advertising messages are only allowed from 7 a.m. to 10 p.m.; advertising calls are only allowed from 8 a.m. to 5 p.m.; and
- Advertising content must comply with advertising laws.
In addition to the specific regulations regarding obtaining consent for marketing purposes as stipulated in Decree 91, such use of customers' personal information for marketing purposes must also comply with the PDPD’s provisions on the notification of personal data processing to data subjects and the collection of their consent before collecting and processing personal data for marketing purposes (please refer to our answer to Question 2 for more details on notification and consent requirements). Additionally, under the PDPD, marketing services providers must include in their privacy notice a clear outline of the content, means, methods, and frequency of product promotion and advertising.
Foreign organisations which do not operate in Vietnam (i.e. do not have a commercial presence in Vietnam) but wish to advertise their products, goods, services or operations in Vietnam are required to hire a Vietnam-based advertising service provider (a company with business lines of provision of advertisement) to conduct relevant advertising activities.
Do different rules apply to business-to-business and business-to-consumer marketing?
If the data processing of business-to-business customers includes the collection and processing of business contact information or other information that is linked to or identifies a specific person, the rules applying to business-to-business and business-to-consumer marketing are the same (e.g., sending marketing communications to a specific person like [email protected]).
On the other hand, these rules do not apply when the data processing of business-to-business customers includes only the collection and processing of non-personal business information (e.g., sending marketing information to a generic corporate address not linked to a specific person like [email protected]).
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Please refer to our prior discussion on anti-spam regulations in Question 13 for more details.
What rules specifically deal with cookies?
Under the PDPD, any data in the form of symbols, writing, numbers, images, sounds, or similar forms on an electronic environment that is linked to a specific individual or helps identify a specific individual is considered personal data. Additionally, information about an individual's digital accounts, or personal data reflecting activities and activity history in cyberspace are expressly listed and categorized as basic personal data under the PDPD.
Given the foregoing, data collected by cookies can be considered personal data when collecting information linked to a specific individual or helping identify a specific individual. In this case, the use of cookies is subject to the application scope of the PDPD (please refer to our answer in Question 2 for more information).
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Depending on the nature and severity of the violation, the violator would be subject to an administrative fine ranging from VND 5 million (approx. USD 200) to VND 100 million (approx. USD 4,000) and, in very serious violations, an imprisonment of up to 12 years. The applicable sanctions are scattered in different regulations, notably Decree 98, Decree 15 and the Criminal Code.
For example, failure to obtain data subjects' prior consent for the collection, processing and use of their information is subject to a fine of VND 10–20 million (approx. USD 400–800). In serious cases, according to the Criminal Code, any person who illegally accesses another person's computer network, telecommunications network or electronic device may be sentenced to prison for up to 12 years. The offender might also be liable to a monetary fine of up to VND 50 million (approx. USD 2,000) or be prohibited from holding certain positions or doing certain jobs for 1–5 years.
In the Draft Sanction Decree, pursuant to the draft version released on 2 May 2024 for public consultation, the maximum monetary fine is set at VND 1 billion (approximately USD 40,000), or up to 5% of the violating enterprise’s turnover of the immediately preceding fiscal year in the Vietnamese market in certain aggravated violations, including:
- Second and subsequent violations of the regulations on personal data protection in marketing and advertising activities;
- Second and subsequent violations of the regulations on illegal collection, transfer, purchase and sale of personal data; and
- Disclosure or loss of the personal data of 5 million or more data subjects who are Vietnamese citizens.
Additional penalties applicable to certain violations may also be imposed, including, among others, revocation of licenses for business lines requiring personal data collection, and confiscation of exhibits and means used for conducting violations. Remedial measures may also be imposed, including, among others, suspension from processing of personal data for 1-3 months; forcible destruction or unrecoverable deletion of personal data; forcible return of illegal profits obtained from the violations; and public apology.
Although in practice the enforcement authorities have not been actively enforcing laws and regulations on data protection, individuals are increasingly aware of their data protection rights. The enforcement environment will likely evolve rapidly, especially given the effectiveness of the PDPD and the upcoming promulgation of the Draft Sanction Decree. Furthermore, as mentioned above in Question 6, the MPS is in the process of developing the National Portal of Personal Data Protection, which will allow individuals and/or organisations to file notifications on violations of personal data protection regulations. Once the portal is available, violators would be much more vulnerable to enforcement risks.
For violations of the anti-spam regulations in Decree 91, depending on the specific violations committed by the violators, the fine can range from VND 5 million (approximately USD 200) to VND 100 million (approximately USD 4,000). Additionally, supplementary penalties and remedial measures may be applied, such as suspending the provision of services for 1 to 3 months according to Decree 15.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Vietnamese laws have extra-territorial effect on organisations outside of Vietnam.
Regarding privacy, Vietnam has adopted a consent-centric approach, with very limited exceptions to consent. Vietnam does not recognize legitimate interest as a lawful basis for processing. The consent formality requirements are relatively stringent both in content and format.
The PDPD also explicitly prohibits the sale and purchase of personal data in any form, unless otherwise permitted by law.
As for the impact assessment, the DPIA and TIA are mandatory for any processing or transfer and are not limited to/triggered by high-risk processing nor influenced by the jurisdictions involved in the transfers.
A streamlined data subject request (DSR) process and incident escalation procedure are necessary to comply with the strict statutory timelines set out in the PDPD.
What upcoming data protection developments should multinational organisations be aware of?
In addition to the Draft Sanction Decree, the Draft PDPL and the Draft Data Law mentioned in our answer to Question 1, the MIC is currently developing a draft Law on Digital Technology Industry (‘Draft DTI Law’). The Draft DTI Law devotes a section to the regulations on digital data. Digital data in the digital technology industry refers to digital data directly related to the industry’s operations. Therefore, to encourage the development of the digital technology industry while safeguarding personal data privacy, the Draft DTI Law outlines certain regulations to ensure digital data security, notably including the requirement for data anonymization or adherence to legal regulations regarding personal data. The Draft DTI Law is expected to be submitted to the National Assembly for comments in October 2024 and submitted to the National Assembly for approval in May 2025.
The MIC is also developing a draft decree to replace Decree 72. With the new decree taking effect, it is anticipated that there would be significant updates on the regulatory framework regarding the management, provision and use of internet services and online information, especially for the internet, social networks, online games, etc., covering regulations on the protection, registration, storage, management and disclosure of users’ personal information, where applicable. However, the information regarding the tentative timeline for this legislation is not publicly available.
With respect to the penalties for administrative violations against regulations on commerce, production and trade in counterfeit and prohibited goods, and protection of consumer rights, the Ministry of Industry and Trade issued the second version of the Draft Decree amending and supplementing Decree 98 in March 2024 for public consultation. This decree is expected to be adopted and take effect by the end of 2024 and will potentially introduce certain updates on the penalties against violations of consumers’ information in the fields of e-commerce and general consumer protection, in which the regulations also include obligations related to consent and prior notice for processing personal information.
In addition to the foregoing, sector-specific laws are also being developed around privacy, e.g., the Ministry of Health is currently in the process of preparing a Draft Decree on Medical Data Management (which regulates the management of electronic medical data, including the creation, collection, updating, adjustment, maintenance, exploitation, use, connection and sharing of electronic medical data; the National Health Database; the responsibilities of relevant agencies, organisations and individuals in the management of electronic medical data and the National Health Database), etc.
Besides the legislative updates, the National Portal of Personal Data Protection is expected to bring substantial developments to Vietnam’s existing regulatory and enforcement framework on cybersecurity and personal data protection. For further details on the functions of this portal, please refer to Questions 6 and 17 above.
The aforementioned developments will have an important impact on the legal framework for data protection and create additional obligations for data controllers processing personal data in Vietnam.