Data Protection in Vietnam

Enforcement in Vietnam

The sanctions for data protection breaches are scattered across various laws and regulations and depend on the specific data protection law or regulation breached. In general, the main type of sanction, among others, is an administrative penalty. For example, failure to obtain the prior consent of data subjects to the collection, processing and use of their information is subject to a monetary fine ranging from VND 10 million to VND 20 million (approx. USD 400 to USD 800). In serious cases, according to the Criminal Code, any person who commits illegal use of information on a computer or telecommunications network may be liable to a monetary fine ranging from VND 30 million to VND 1 billion (approx. USD 1,200 to USD 40,000) or face a penalty of up to 3 years' community sentence or 6 months to 7 years' imprisonment; the offender might also be liable to a monetary fine ranging from VND 20 million to VND 200 million (approx. USD 800 to USD 8,000) or be prohibited from holding certain positions or doing certain jobs for 1 to 5 years.

As of early 2024, the MPS is preparing to promulgate the Draft Decree on Sanctioning. Once this decree takes effect, the MPS will have a basis to start imposing sanctions on non-compliance with the requirements under the PDPD.

The Draft Decree on Sanctioning was first released for public comment in September 2021, and its latest updated version was released for public consultation on 2 May 2024. However, the specific timeline for the promulgation of the Draft Decree on Sanctioning is still unknown.

Violators of the PDPD’s regulations, depending on the severity of their violations, may be warned, disciplined, or face administrative penalties or criminal prosecution. Generally, for PDPD-associated violations, the Draft Decree on Sanctioning has proposed a monetary fine of up to VND 1 billion (approx. USD 40,000). Additional penalties, applicable to certain violations, include: (i) deprivation of the right to use licenses for business lines requiring personal data collection; (ii) confiscation of exhibits and means of administrative violations. Remedial measures include: (i) 1-3 months of forcible suspension of processing personal data; (ii) forcible destruction or unrecoverable deletion of personal data; (iii) forcible return of illegal profits obtained from the violations; (iv) public apology; (v) forcible implementation of personal data processing notification measures; (vi) forcible personal data provision; (vii) forcible implementation of personal data correction measures upon receiving a lawful request; and (viii) forcible implementation of personal data protection measures, etc.

Notably, under the Draft Decree on Sanctioning, a penalty of up to 5% of the violating enterprise’s turnover of the immediately preceding fiscal year in the Vietnamese market applies to:

  1. disclosing and misplacing the personal data, or cross-border transfer of the personal data, of 5 million or more data subjects who are Vietnamese citizens; and
  2. a second violation of the regulations on:
    • personal data protection in marketing and advertising activities; and
    • illegal collection, transfer, purchase and selling of personal data.

In addition, the MPS has set up a National Portal of Personal Data Protection to receive reports of violations of the PDPD. With this portal, companies are expected to be more exposed to inspection actions in this area, as the portal aims to enable data subjects such as employees or clients to easily report companies' non-compliance with the PDPD and breaches of their personal data.
