DLA Piper Intelligence

Data Protection Laws of the World

Law

Vietnam

There is no single comprehensive data protection law in Vietnam. Instead, regulations on data protection and privacy are found in various legal instruments. The right to privacy and the right to reputation, dignity and honour, together with the fundamental principles of those rights, are currently provided for in the Constitution 2013 (“Constitution”) and the Civil Code 2015 (“Civil Code”) as inviolable and protected by law.

Regarding personal information, the key principles on the collection, storage, use, processing, disclosure and transfer of personal information are set out in the following main laws and guiding documents, among others:

  • Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015; as amended from time to time (“Criminal Code”);
  • Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”);
  • Law No. 86/2015/QH13 on Cyberinformation Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Cyber-information Security Law”);
  • Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“CRPL”);
  • Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning (“IT Law”);
  • Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”);
  • Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification (“Decree 85”);
  • Decree No. 72/2013/ND-CP dated 15 July 2013 of the Government, on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No. 150/2018/ND-CP dated 7 November 2018 (“Decree 72”);
  • Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018, on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade (“Decree 52”);
  • Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”);
  • Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”);
  • Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources (“Circular 24”).

Each aspect and each industry may have its own regulating documents. In other words, which legal documents apply will depend on the factual context of each case; e.g. businesses in the banking and finance, education and healthcare sectors may be subject to sector-specific data protection regulations, in addition to the regulations on employees’ personal information provided in the Labour Code 2012 (“Labour Code”).

The most important Vietnamese legal document regulating data protection is the Cybersecurity Law. However, it is worth noting that, unlike cybersecurity laws in other jurisdictions that were inspired by the EU’s GDPR, the Cybersecurity Law of Vietnam shares similarities with China’s Cybersecurity Law enacted in 2017. That Law focuses on giving the government the ability to control the flow of information, rather than on enforcing the data privacy rights of individual data subjects.

A draft Decree detailing a number of articles of the Cybersecurity Law, together with a draft Decree detailing the order of and procedures for applying a number of cybersecurity assurance measures and a draft Decision of the Prime Minister promulgating a List of information systems important for national security, are being prepared by the Ministry of Public Security (“MoPS”) in coordination with other relevant ministries, ministerial-level agencies and bodies. MoPS has also reported that it is drafting a Decree on personal data protection.

Last modified 14 Jan 2020

Definitions

Definition of personal data

There is no single, overarching definition of personal data in Vietnam, but the concept of personal information, its definition and variations of it can be found in the various laws, regulations and guidance that make up the data protection framework in Vietnam. In summary, personal information is generally defined as information that serves to identify a specific person, e.g. full name, date of birth, profession, title, contact address, email address, telephone number, ID number and passport number.

Definition of sensitive personal data

There is no specific definition of ‘sensitive personal data’ in the laws of Vietnam. However, to some extent, sensitive personal data may reasonably be interpreted as corresponding to the following terms used in the laws of Vietnam:

  • Information relating to an individual’s private life or personal privacy, or to family privacy, such as an individual’s mail, telephone and telegraph communications and private electronic information exchanges.
  • Personal secrets, e.g. medical records, tax payment dossiers, social insurance card numbers, credit card numbers and other personal secrets.

Authority

Vietnam does not have a single National Data Protection Authority. Instead, State management of certain aspects of information and/or data protection has been assigned to a number of competent State authorities. To some extent, the key State authorities in charge of information and/or data protection are the Ministry of Information and Communications (“MoIC”), the MoPS, and the Vietnam Cybersecurity Emergency Response Team / Coordination Center (“VNCERT/CC”), which is directly managed by the Authority of Information Security (“AIS”) under the MoIC. Their key roles are as follows:

  • MoIC, in particular the AIS, is responsible for managing the provision of cyberspace services (e.g. social networks, online gaming, e-commerce, etc.), e.g. requesting cyberspace service providers to delete illegal data uploaded to their systems/networks;
  • MoPS, in particular the Department for Cybersecurity and High-tech Crime Prevention and Fighting, is responsible for supervising national cybersecurity, e.g. requesting cyberspace service providers to (i) store data in Vietnam and (ii) provide users’ information for the investigation of cybersecurity crimes;
  • VNCERT/CC acts as the National Coordination Center for responding to cybersecurity incidents and for information security testing.

In addition to the above, depending on the specific industry (e.g. banking and finance; education; healthcare; natural resources and environment; culture, sports and tourism; etc.), the State management authority in charge of that industry and its IT centre will be involved in protecting the relevant information systems.

Registration

There is no requirement under Vietnamese law for a private-sector data controller to register itself or its activities with the local authorities (e.g. MoPS, MoIC or VNCERT/CC), except:

  • Foreign enterprises that provide services on telecom networks and on the Internet, and other value-added services in cyberspace in Vietnam (“cyberspace service providers”), must have branches or representative offices in Vietnam (subject to specific guidance of the Government);
  • Where organizations or individuals engaged in cross-border public information provision rent digital information storage facilities within the territory of Vietnam in order to provide their services, or are reported to provide public information used or accessed by at least 1 (one) million Internet users in Vietnam a month, they must send a written notice of their contact information to the MoIC, including:
    • for an organization, its registered name, trading name and the country of licensing; for an individual, his or her name;
    • the head office address of the organization, or the permanent residential address and nationality of the individual, owning the electronic information page, and the location of the main server system;
    • the principal contact agent of the overseas organization or individual and the principal contact agent operating within the territory of Vietnam, including the name of the organization or individual, contact email address and telephone number;
    • the notice may be delivered in person, by post or to the email address report38@mic.gov.vn.

Data Protection Officers

Under the laws of Vietnam there is no regulation requiring a typical company to appoint a “DPO”. However, certain types of organizations (e.g. owners of large information systems, telecoms enterprises, banks, State bodies, information system owners using the State budget, etc.) are required to appoint specialized information security focal points and contact persons to supervise and give warnings on cyber-information security. These officers are expected to be in charge of incidents rather than data protection issues. Other strict requirements (under various legal documents) also apply to these kinds of organizations, a category that does not extend to “companies of the private sector”.

Collection & Processing

Under Vietnamese law, the primary legal basis for processing personal information (meaning the performance of one or more acts of collecting, editing, utilizing, storing, providing, sharing or disseminating personal information in cyberspace for commercial purposes) is the prior explicit consent of the data subject. Specifically, organizations that process personal information may collect it only after (i) notifying the data subjects of the scope, purpose, storage period, form and location of the collection, storage, processing, use, disclosure and transfer of that information (the relevant terminology covers “collect, store, process, use, disclose and transfer” rather than just “collection and processing” of data) and (ii) obtaining their consent. Traders or organizations collecting and using consumers’ personal information on an E-commerce website must set up a mechanism for the consumers/subjects to clearly express their consent through online functions on the website, by e-mail, by message or by other methods agreed by the two parties.

However, depending on the specific purpose of the processing, the laws provide alternative legal bases besides consent. In particular, organizations may collect, process, use, store, disclose and transfer the personal information of others without consent when the information is used for the following purposes:

  • Signing, modifying or performing contracts on the use of information, products or services in the network environment (generally defined as “the environment in which information is provided, transmitted, collected, processed and exchanged via information infrastructure”);
  • Calculating charges for use of information, products or services in the network environment; and
  • Performing other obligations provided for by law (e.g. at request of competent authority as prescribed in the law of Vietnam).

In addition, traders and organizations collecting and using consumers’ personal information on E-commerce websites do not need the consumers’/subjects’ prior consent in the following cases:

  • Collecting personal information that has already been made public on E-commerce websites;
  • Collecting personal information to sign or perform a contract for the sale and purchase of goods and services;
  • Collecting personal information to calculate the price of and charges for the use of information, products and services in the network environment.

In particular, the data controller is required:

  • to provide the data subject with the personal information collected and stored by the data controller upon receipt of a request from the data subject;
  • upon receipt of a request from the data subject for re-examination, update, correction, modification or cancellation of their personal information, or for the cessation of its provision to a third party, to comply with the request immediately and notify the data subject, or to grant him/her the right to access the information and do so himself/herself, and not to supply or use the relevant personal information until it has been corrected; to take the necessary measures to protect the personal information; and to notify the data subject if the data controller is unable to comply with the request for technical or other reasons;
  • to delete the stored personal information once the purpose of its use has been accomplished or the storage period has expired, and to notify the data subject accordingly, unless otherwise prescribed by law.

Transfer

In general, if a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including group companies), the data controller must inform the data subjects and obtain their prior explicit consent. In particular, traders or organizations collecting and using consumers’ personal information on an E-commerce website must provide a specific mechanism by which the information subjects can permit or refuse the use of their personal information where it is used to send advertisements, introduce products or provide other commercial information.

In the case of cross-border transfers, the data exporter/importer does not need to obtain authorization from or make a filing with the Vietnamese regulators, nor notify the supervisory authority, before carrying out any automatic processing operation or set of operations, including a transfer of personal information from Vietnam to a foreign country or an international organization. There are exceptions for the transfer of information classified as a State secret.

In addition to the above requirements, it is worth noting that data localization is an increasing trend in Vietnam and is provided for in certain legal documents, e.g.:

  • According to Circular 24, electronic general information pages and social networks licensed in Vietnam must use at least one “.vn” domain name and store information on servers with IP addresses in Vietnam; and
  • The Cybersecurity Law requires domestic and foreign cyberspace service providers that collect, exploit/use, analyse and process data that is personal information, data about service users’ relationships or data generated by service users in Vietnam to store such data in Vietnam for a period to be stipulated by the Government.

Security

Organizations must take the necessary managerial and technical measures to ensure that personal information is not lost, stolen, disclosed, modified or destroyed. Remedial measures must be taken immediately if personal information is being, or is likely to be, disclosed or destroyed.

More generally, the data controller must classify information according to its secrecy in order to apply appropriate protection measures; and agencies and organizations that use classified and unclassified information in activities within their fields must develop regulations and procedures for processing information and determine the contents and methods of recording authorized access to classified information.

In particular:

  • Personal information protection policies, which must be developed and published by traders and organizations collecting and using consumers’ personal information on E-commerce websites, must state the purpose of collection; the scope of use; the storage period; the organizations and persons authorized to access the personal information; the address of the data controller, including a way for consumers to contact it with questions about the collection and processing of information relating to them; and the methods and tools by which data subjects can access and modify their personal information on the data controller’s E-commerce system.
  • These contents must be clearly displayed to consumers before or at the time the information is collected. The language must be Vietnamese, the contents clear and understandable, the font size at least 12, and the paper background and ink colour used in the terms must contrast.
  • If the information is collected through the data controller’s E-commerce website, the personal information protection policy must be made public in a conspicuous place on that website.
  • Traders, organizations or individuals that own E-commerce websites with online payment functions must publish on their websites policies on the security of customers’ payment information.

Breach Notification

The laws of Vietnam introduce a general requirement to report and notify actual or suspected personal information security incidents. Where there is a data security incident, organizations must promptly take measures to mitigate it and notify the relevant data subjects and competent State authorities in a timely manner, e.g. within 5 days of detecting the security incident; incidents that are beyond the control of the organization must be reported immediately in accordance with the relevant provisions. In particular, where the information system of a trader, organization or individual engaged in e-commerce is attacked, creating a risk of loss of consumers’ information, the data controller must notify the authorities within 24 hours of detecting the incident.

Normally, the data controller is required to notify the following State authorities:

  • The local police agency (i.e. the Police Department of Cybersecurity and High-Tech Crime Prevention and Fighting under the MoPS for offshore service providers, or the provincial police department where the head office of the data controller is located);
  • VNCERT/CC, directly managed by the AIS under the MoIC.

Enforcement

Depending on the specific data protection laws and regulations breached, the sanctions for data protection breaches are scattered across various laws and regulations. In general, the main type of sanction is an administrative penalty. For example, failure to obtain the prior consent of data subjects to the collection, processing and use of their information is subject to a monetary fine of VND 10,000,000 to VND 20,000,000. In serious cases, under the Criminal Code, any person who illegally uses information on a computer or telecommunications network may be liable to a monetary fine of VND 30,000,000 to VND 1,000,000,000, or face up to 3 years’ community sentence or 3 months to 7 years’ imprisonment; the offender may additionally be liable to a monetary fine of VND 20,000,000 to VND 200,000,000 or be prohibited from holding certain positions or doing certain jobs for 1 to 5 years.

Although, in practice, the Ministries have not been actively enforcing data protection laws and regulations, individuals are increasingly aware of their data protection rights. It is foreseen that the enforcement environment will evolve rapidly.

Electronic Marketing

Generally, email and text message advertisements may only be sent after obtaining the recipient’s prior explicit consent. Again, traders or organizations collecting and using consumers’ personal information on E-commerce websites must provide a specific mechanism by which the information subjects can permit or refuse the use of their personal information where it is used to send advertisements, introduce products or provide other commercial information.

Additionally, organizations may not hide their names or unlawfully use the names of others when sending advertisements by e-mail or text message. Specific information must be stated in each electronic message, for example information about the advertiser and the advertising service provider, an opt-out function (for refusing further advertisements), and a label identifying the message as “QC” or “ADV” [QC means advertisement in Vietnamese].

With regard to advertising into Vietnam (i.e. targeting Vietnam-based recipients), foreign organizations that do not operate in Vietnam (i.e. have no commercial presence in Vietnam) but wish to advertise their products, goods, services and operations in Vietnam are required to engage a Vietnam-based advertising service provider (a company whose business lines include the provision of advertising) to conduct the relevant advertising activities.

In addition, there are specific rules applicable to electronic marketing, and certain prescribed information must be provided to the recipient; e.g. it is prohibited to send more than 3 email advertisements with the same content to one email address within 24 hours, unless otherwise agreed by the recipient.

Online Privacy

To some extent, by assisting in the tracking of information on a specific person, cookies and location data could be regarded as tools preinstalled on users’ computers for collecting, storing and using their personal information, which may disclose their private lives, e.g. hobbies, favourite websites and locations they usually visit.

As such, we believe that all rules on data protection are applicable to cookies as well as to location data. For example, a cyberspace service provider must seek users’ prior acceptance before certain technologies (e.g. cookies, positioning services) are activated.

Contacts
Luu Tien Ngoc
Partner
Vision & Associates Legal
T +84 903 251 617

LE Tuan Anh
Partner
Vision & Associates Legal
T +84 913 250 313