The legal framework for data protection in Vietnam is in transition. It is broad: it covers privacy in the strict sense, but it also covers cybersecurity.
The following is a concise Q&A with specific answers to most of the issues that relate to data protection.
1. APPLICABLE LAW
1.1. Rules of law, human rights, and data protection/privacy regime
1.1.1. Is the principle of the rule of law provided in the legal system?
Yes. This principle is presented in Article 2 of the Constitution of Vietnam ('the Constitution').
1.1.2. Are there laws which protect human rights and fundamental freedoms?
Yes. They are both constitutional rights. See Chapter 2 of the Constitution.
1.1.3. Is there a comprehensive data protection/privacy law?
No. However, the Ministry of Public Security of Vietnam ('MPS') is drafting a decree on protection of personal data ('the Draft PDPD'), which was scheduled to come into effect in May 2022 according to Decision No. 06/QD-TTg of the Prime Minister dated January 6, 2022 ('Decision 06'). The status of the decree is unchanged since March 2022 when the Government promulgated Resolution No. 27/NQ-CP approving the development portfolio of the Draft PDPD ('Resolution 27'). When adopted, the Draft PDPD will serve as Vietnam's consolidated data protection regulations.
The content of the Draft PDPD will be discussed in this note. However, the final decree should be revisited once it is finalised and comes into effect.
In addition, according to Decision 06, a New Law on Personal Data Protection is planned to be issued in 2024.
1.1.4. Are there sectoral data protection/privacy laws?
Yes. Data protection requirements are provided in numerous legislative documents including:
- Law on Information Technology No. 67/2006/QH11 (29 June 2006) ('the IT Law'), which governs the application and development of information technology, sets out the rights and obligations of agencies, organisations, and individuals engaged in these activities, and regulates the collection, processing, use, storage, and provision of personal data in a network environment;
- Law No. 86/2015/QH13 on Cyber Information Security (19 November 2015) ('CISL');
- Law on Cybersecurity No. 24/2018/QH14 (12 June 2018) ('the Cybersecurity Law') which regulates cyber activities that impact national security, social order, and safety;
- Civil Code 2015 (24 November 2015) ('the Civil Code'). Article 38 provides rules for the collection, storage, processing, use, disclosure, and publication of personal data;
- Law on Electronic Transactions No. 51/2005/QH11 (29 November 2005), which governs electronic transactions by state agencies and the private sector;
- Law on Cinematography No. 05/2022/QH15 (15 June 2022), which sets out rights and obligations for those involved in the film, cinematography, and television industry;
- Law on Telecommunications No. 41/2009/QH12 (23 November 2009) ('the Telecoms Law'), which regulates telecommunications activities and the rights and obligations of those working in the telecommunications industry;
- Law on Credit Institutions No. 47/2010/QH12 (16 June 2010) ('the Law on Credit Institutions'), which governs the establishment and operations of credit institutions in Vietnam;
- Law on Postage No. 49/2010/QH12 (17 June 2010), which governs the administration of the postal service;
- Law on Protection of Consumers' Rights No. 59/2010/QH12 (17 November 2010) ('the Consumer Law'), which sets out a variety of consumer rights and details organisations' obligations to protect consumer information;
- Law on Publication No. 19/2012/QH13 (20 November 2012), which sets out the rights and obligations of individuals and organisations in the publishing industry; and
- Press Law No. 103/2016/QH13 (5 April 2016), which governs the press, including individuals' rights to freedom of press and freedom of speech in the press, and the rights and obligations of agencies, organisations, and individuals involved in the media industry.
1.1.5. Is there relevant case law regarding privacy and/or data protection?
1.1.6. What are the legitimate legal bases for processing personal data in a lawful, fair, and legitimate way?
Under Vietnamese law, the legitimate legal bases to process personal data include:
- consent: The CISL requires organisations to obtain the data subject's consent before processing related personal data (Article 17 of the CISL and Article 21 of the IT Law);
- to comply with obligations provided in the law (Article 21.3 of the IT Law);
- when personal data is processed for the purpose of execution, adjustment or performance of contracts for the use of data, goods, or services over a network environment (Article 21.3 of the IT Law);
- when personal data is processed to calculate premiums, fees for the use of data, goods, or services over a network environment (Article 21.3 of the IT Law);
- to ensure national defence, social order, security, and safety of Vietnam (Article 16.5 of the CISL);
- processing of personal information for non-commercial purposes (Article 16.5 of the CISL);
- when processing personal data is required to address an emergency situation which threatens the life, health or safety of the subject or of other individuals;
- to comply with the legal requirement to publish personal information;
- to assist the investigations of legal violations or crimes in accordance with applicable legal process; and
- to use for the operations of authorized government agencies in accordance with the law.
1.2. Data protection principles
1.2.1. Is the purpose limitation principle part of the data protection/ privacy law?
Yes. The CISL requires that a data processor must obtain consent to the scope and purpose of the collection and processing of personal data, and must obtain further consent before using such data for anything other than the initial purpose. The data processor must delete the personal data after the processing purpose has been served or once the data processor is no longer permitted to store such personal data (Article 18.3).
The purpose limitation principle is also provided in Article 3.2 of the Draft PDPD.
1.2.2. Is the accuracy principle provided by the data protection/privacy law?
Yes. Article 21.2 of the IT Law requires that processing of any inaccurate data must be suspended until the data is corrected.
The CISL requires agencies, organisations, and individuals to comply immediately with data subjects' requests to update, alter, or delete their personal data (Article 18.3).
The accuracy principle is provided in Article 3.5 and Article 15 of the Draft PDPD.
1.2.3. Does the law provide for the processing to be adequate, relevant, and not excessive?
No. However, the data minimisation principle appears in Article 3.3 of the Draft PDPD.
1.2.4. Does the law provide that personal data must not be kept for longer than necessary?
Yes. Please refer to section 1.2.1 above.
1.2.5. Does the law require that data is to be processed in a secure way?
Yes. The CISL requires agencies, organisations, and individuals to take appropriate management and technical measures to protect personal data and to comply with standards and technical regulations for cyberinformation security (Article 19.1). They must also implement measures to prevent and remedy actual or threatened cyberinformation security incidents (Article 19.2).
Article 3.6 and 3.8 of the Draft PDPD provide that data must be processed in a secure way.
The Draft PDPD requires processors to apply administrative, technical and physical measures (Article 17) and to develop internal regulations (Article 18) to protect personal data. The processing of sensitive personal data and the offshore transfer of personal data must be registered with the Personal Data Protection Commission ('PDPC') before these activities can be conducted (Articles 20 and 21). The PDPC may inspect an agency or organisation for its compliance with personal data protection regulations up to twice a year, and if there is evidence of violations of personal data protection, further inspections may be conducted (Article 19).
1.2.6. Does the law require data controllers to inform individuals in relation to the processing activity?
No. Vietnamese law does not recognise the concept of a 'data controller'. Every organisation and individual that engages in one or more of the following activities in relation to personal data is considered a 'data processor': collecting, editing, using, storing, providing, sharing, transferring to a third party, or publishing (collectively, 'processing'). Even though the data subject must be informed of the main elements of the processing activities, it is not expressly required that those elements be presented in a clear, easily accessible, concise, transparent, and intelligible form.
The Draft PDPD expands the concept of 'processing personal data' to cover 'collection, recording, analysis, storage, alteration, disclosure, grant of access, retrieval, recovery, encryption, decryption, copying, transfer, deletion, or destruction of personal data or other related actions'. The Draft PDPD requires that a data processor must inform the data subject of the main elements of the processing activity in a clear, easily accessible, and transparent form (Articles 11.2 and 13.3). Resolution 27 mentions the concepts of 'data controller', 'data processor' and 'an entity which is both a data controller and a data processor' but none of these concepts is defined.
1.3. Individuals' rights
1.3.1. Does the law expressly provide individuals with the right to obtain confirmation of processing and a right to access their data?
Not expressly, but see below.
Article 17.3 of the CISL provides an individual with the right to request access to personal data that the data processor has collected or maintains.
Article 5.3 of the Draft PDPD provides individuals with the right to request access to personal data that the data processor has collected or maintains. Additionally, Article 3.7 of the Draft PDPD provides that an individual has the right to know and be notified of activities that are related to the processing of such individual's personal data. As such, in our opinion an individual has the right to obtain confirmation in relation to the processing activity.
1.3.2. Does the law empower individuals with a right to rectify their personal data?
Yes. Article 18.1 of the CISL gives individuals the right to request the data processor to update, amend, rectify, or delete personal data that the data processor has collected or maintains.
This right is also provided in Article 5.3 of the Draft PDPD.
1.3.3. Does the law empower individuals with a right to erase their personal data?
Yes. Please see our discussion in section 1.3.2.
1.3.4. Does the law empower individuals with a right to object to processing in specific circumstances?
Vietnamese law does not yet do so. However, Article 8.3 of the Draft PDPD provides that an individual may provide conditional consent for data to be processed and this will cover the right to object to the processing activity on the basis of legitimate grounds related to specific circumstances.
1.3.5. Does the law provide a right to object to processing for direct marketing at any time and without any charge?
Yes. Decree No. 90/2008/ND-CP Against Spam ('Decree 90') provides that an organisation or individual who sends commercial advertising messages must cease doing so within 24 hours after receiving an opt-out request from the recipient.
On 14 August 2020 the Vietnamese Government issued Decree 91/2020/ND-CP ('Decree 91') on combating spam text messages, spam emails, and spam calls, which took effect on 1 October 2020. Decree 91 retains the essential rules of the anti-spam legislation in Decree 90, but expands the scope and application of anti-spam measures.
1.3.6. Does the law address when decisions based solely on automated processing (including profiling) may take place?
Currently, no. However, Article 13.1 of the Draft PDPD regulates automated processing. Automated processing of personal data may only be performed in connection with the participation or performance of a contract, provided that the data subject is informed and has given consent.
1.3.7. Does the data protection system provide for limitations to the exercise of individuals' rights?
The data processor may only provide, share, and publish personal data that has been collected [with a third party] (i) upon a valid request from a competent authority (Article 17.1 of the CISL) or (ii) to perform obligations that are required by law (Article 21.3 of the CISL).
Article 10 of the Draft PDPD provides that data may be processed, without consent, in the following circumstances:
- as required by law;
- in support of national security, social order and safety;
- in emergency events that threaten life or seriously affect the health of the data subject or public health;
- in support of investigations and handling of regulatory violations;
- in compliance with specific provisions that explicitly allow the processing of personal data without the data subject's consent, under international agreements or treaties to which Vietnam is a party; and
- for research or statistical purposes in accordance with Article 12 of the Draft PDPD.
1.3.8. Does the law provide for specific protections for special categories of personal data?
No. However, the Draft PDPD divides personal data into 'basic personal data' and 'sensitive personal data'. Sensitive personal data can only be processed after the processing activities of such sensitive personal data have been registered with the Personal Data Protection Commission ('PDPC').
1.4. Onward transfers
1.4.1. Does the law include rules for onward data transfers to third countries or international organisations?
The law does not yet restrict the transfer of personal data to third countries or to international organisations. However, the data processor must obtain the data subjects' consent before sharing the personal data with any third party. Any secondary processor located outside of Vietnam is considered to be a data processor under Vietnamese law and must comply with the requirements and obligations applicable to data processors. It must:
- ensure security for the personal data it processes;
- obtain the data subject's consent on the scope and purpose of the collection, and obtain consent to use the information for anything beyond the initial purpose;
- develop and publish its policy for personal data processing and protection;
- implement appropriate management and technical measures to protect personal data and comply with standards and technical regulations for cyberinformation security; and
- implement measures to stop and remedy actual or threatened cyberinformation security incidents.
Article 21.1 of the Draft PDPD provides that personal data of Vietnamese citizens may be transferred out of Vietnam only when all of the following four conditions are satisfied:
- data subject's consent has been granted for the transfer;
- original data is stored in Vietnam;
- written evidence that the recipient country, territory or a specific area within the recipient's country or territory has issued regulations on personal data protection at a level equal to or higher than that specified in the Draft PDPD; and
- written approval is obtained from the PDPC.
Article 21.3 of the Draft PDPD, however, also provides that personal data may be transferred out of Vietnam without meeting these conditions in any one of the following cases:
- data subject's consent has been granted;
- written approval is obtained from the PDPC;
- there is a commitment by the data processor to protect personal data; or
- the data processor commits to apply appropriate personal data protection measures.
As such, it is not clear whether or not the data subject's consent is sufficient for the transfer of personal data outside of Vietnam. However, the Draft PDPD is not yet finalised. We should revisit this question once the final version is issued.
1.4.2. Does the law require personal data to be stored locally?
According to Article 26 of Decree 53/2022/ND-CP guiding certain articles of the Law on Cybersecurity ('Decree 53'), a Vietnamese enterprise must store the following data in Vietnam:
- Personal data of users in Vietnam, i.e. Vietnam-based users;
- Data created by Vietnam-based users, including: account name, time of usage, credit card information, email address, IP address, most recent log-out, registered phone number; and
- Data in relation to the relationship of Vietnam-based users to the users' friends or other people with whom the users interact, collectively referred to as 'Regulated Data'.
A foreign company doing business in Vietnam is required to store Regulated Data in Vietnam and to establish a branch or a representative office in Vietnam, should it fall within the following circumstances:
- The foreign company is doing business in Vietnam in one of the following fields: telecommunications services; data sharing and storage, provider of national or international domain for Vietnamese users; e-commerce; social network and social marketing; online games; provision, management or use of other information on the internet in the form of messages, telephone calls, video calls, email or online games;
- The services provided by such company are used to violate the Law on Cybersecurity; and
- The cybersecurity taskforce of the Government has notified the company and requested the company's cooperation to prevent, investigate and handle such violations but the company has failed to cooperate, and this failure causes the taskforce's measures to fail.
If a foreign company falls within the above situation, the Minister of Public Security shall send the company a request to store the Regulated Data in Vietnam and to establish a branch or representative office. The company shall be given 12 months from the date of the request to comply. The company may choose how it stores the Regulated Data in Vietnam, and it must store the Regulated Data in Vietnam until the request is lifted.
There is no guidance on whether a copy of data being stored in Vietnam will suffice. However, given the intention of Article 21.1 of the Draft PDPD as discussed in Question 1.4.1 above, we are under the impression that the Regulated Data can be stored offshore and that an accessible, updated and complete copy can be stored in Vietnam.
1.4.3. When are onward transfers from the initial recipient permitted?
Please see section 1.4.1 above.
1.5.1. Does the law ensure a high degree of accountability and awareness among controllers, processors, and data subjects?
Even though Vietnamese law does not specifically require accountability of a data processor, the CISL requires that data processors ensure the protection of personal data that they collect (Article 16.2). Data processors must comply with the requirements and obligations discussed in section 1.4.1 above.
The CISL also requires that a data subject must protect its own personal data and comply with the regulations on provision of personal data (Article 16.1).
1.5.2. Does the law require data controllers and processors to demonstrate their compliance to the competent supervisory authority?
1.5.3. What are the laws that enable public authorities to access transferred personal data held by private organisations?
The following laws enable public or law enforcement authorities to access personal data held by private organisations:
- Cybersecurity Law;
- Telecoms Law;
- Law on Credit Institutions; and
- Consumer Law.
1.5.4. What are the general rules on access to transferred personal data for national security or law enforcement purposes?
The laws generally provide that data processors are not allowed to disclose personal data to any third party without the consent of the data subjects or without a valid request from a competent authority.
1.5.5. What legal bases are there for public authorities to access and use personal data held by private organisations?
As inferred in section 1.5.1, the legal bases/purposes for public authorities to access and use personal data held by private organisations are not expressly provided nor limited under the law. Rather, it is within the general discretion of public authorities. However, public authorities may only request access to personal data upon a valid request and only for matters within their responsibility.
For example, Article 26.2 of the Cybersecurity Law provides that service providers must provide customer information to the specialised task force under the MPS. The task force must present a written request, and it can only request the information to investigate violations of the Cybersecurity Law or to enforce administrative sanctions.
1.5.6. Are there limitations/safeguards to the legal basis for access or use of personal data by public authorities?
Yes. Generally, public authorities which access or use personal data under a valid request may only use personal data for the purposes specified in their request. Additionally, the data subject must be notified that its personal data is being accessed/used by public authorities.
2. EXISTENCE AND FUNCTIONING OF SUPERVISORY AUTHORITIES
2.1. Has an independent supervisory authority been established?
No. The supervisory authority that provides oversight for the protection of privacy and compliance with data protection rules is the Ministry of Information and Communications ('MIC'), which has the power to:
- promulgate national standards and technical regulations;
- examine, investigate, and handle claims or reports about, or violations of, information security regulations and laws;
- coordinate with other authorities and enterprises to protect information security; and
- supervise compliance with information security regulations.
The MIC has delegated powers to its Authority of Information Security ('AIS') to:
- formulate laws, policies, and other legislation which relate to information security;
- implement technical and procedural measures;
- guide and support organisations to enhance and protect their information systems; and
- coordinate activities to prevent spam.
Under the AIS, there are the National Cybersecurity Center ('NCSC') and the Vietnam Cybersecurity Emergency Response Teams/Coordination Center ('VNCERT/CC'). They each have different roles and responsibilities but are mostly involved in ensuring and maintaining Vietnam's cybersecurity infrastructure and handling cybersecurity incidents.
The Draft PDPD provides that the PDPC will be established under the Government, and that it will act as the main supervisory authority on data protection. Article 25 of the Draft PDPD describes the roles of the PDPC as follows:
- perform tasks specified in the Draft PDPD;
- develop and promulgate a set of criteria to assess the reliability of personal data protection of agencies and organizations processing personal data;
- build and operate a National Portal on personal data protection;
- receive and process registration dossiers for sensitive personal data processing and offshore transfer of personal data;
- collect and publish a list of agencies and organizations engaged in personal data processing;
- organize conferences, seminars and other activities on personal data protection;
- evaluate annual personal data protection performance; and
- supervise and ensure compliance with data protection rules.
2.2. Is the supervisory authority completely independent and impartial?
No. The AIS operates under the instructions and guidance of the MIC. The PDPC will operate under instructions of the Government, acting through the Ministry of Public Security.
2.3. Does the supervisory authority function effectively, having adequate enforcement powers?
Yes. The MIC has enforcement powers under Article 52.2 of the CISL. The powers are broad and extend to dealing with data protection violations under any of the sectoral laws. These include:
- issuing or establishing the basis for competent authorities to issue legal instruments, strategies, planning, plans, national standards and technical norms of network information security;
- appraising network information security in information system design files;
- managing the monitoring of information system safety nationwide, excluding systems set forth in Article 52.3(c) and 52.5(b) of the CISL;
- granting licenses for trading in network information security products and services, permits to import information security products, except for civil cryptographic products and services;
- performing scientific and engineering research and application involving network information security activities; training, improving knowledge and skills, developing human resources;
- managing and performing international cooperation on network information security;
- examining, inspecting and settling claims and denunciations, and handling legal breaches of network information security;
- presiding over, cooperating with ministries, sectors, provincial People's Committees and companies to ensure network information security;
- educating, disseminating laws on network information security; and
- annually reporting to the Government about network information security.
2.4. Are there clear, precise, and accessible rules for the processing of personal data for surveillance/law enforcement purposes?
2.5. What are the oversight mechanisms for the approval and review of relevant actions by public authorities?
Generally, any action by public authorities is subject to the supervision and approval of the appropriate Ministry. For example, actions by the AIS are subject to approval of the MIC and actions by the PDPC are subject to approval of the MPS. The Ministries will ultimately be responsible for their actions vis-à-vis the Government.
Additionally, the Government also provides an oversight mechanism through the inspectorate. Inspection activities are intended to prevent, detect, and handle violations of the law during the implementation of policies and the exercise of powers by agencies, organisations, and individuals under the management of such agencies and organisations. Inspection activities are subject to the regulations of the Law on Inspection No. 56/2010/QH12 (15 November 2010).
There is nothing in the law that allows the public authorities to act in secret, except for the special methods of investigation and proceedings provided in Chapter XVI of the Law on Criminal Procedures No. 101/2015/QH13 (27 November 2015).
These methods and proceedings permit secret audio and video recording, phone tapping and secret collection of electronic data. Such methods can only be used to handle breaches of national security, drug-related crimes, corruption, terrorism, money laundering, and other crimes that are considered to be extremely severe felonies. Additionally, special investigation methods can only be used after the issuance of an approval by a competent authority. Information collected using such methods may not be used or processed for any purpose other than assisting the investigation.
2.6. Are there legal remedies for data subjects, including effective individual rights and judicial redress?
Yes. Article 13 of the Civil Code provides that any person who suffers damages caused by an infringement of the data protection laws is entitled to compensation from the infringing party. To obtain compensation, the claimant must bring a legal action and meet the burden of proof for actual damages.
There is no provision for effective administrative and judicial redress for individuals whose data are transferred offshore.
2.7. Can an organisation refuse to comply with an authority access request and what remedies are available to them?
The law does not specify circumstances under which an organisation can refuse to comply with a valid request from a competent authority.
However, if an organisation has evidence that the request from an authority is invalid or that the authority does not have the capacity to issue such a request, the organisation may make a denunciation in accordance with the Law on Denunciation No. 25/2018/QH14 (12 June 2018).
3. ADDITIONAL INFORMATION
3.1. Do the above provisions apply to both residents/citizens of the jurisdiction and to foreign data subjects?
The above provisions apply to processing of personal data:
- conducted by a data processor located in Vietnam; or
- of data subjects who are located in Vietnam or are of Vietnamese nationality, by a data processor located outside of Vietnam.
3.2. Has the jurisdiction entered into international commitments or multilateral or regional systems?
Vietnam has not entered into any international commitments related to data protection. Vietnam's commitments relating to data protection can be found in several bilateral and multilateral agreements, including the Comprehensive and Progressive Agreement for Trans-Pacific Partnership ('CPTPP') (Chapter 14) and the Regional Comprehensive Economic Partnership ('RCEP') (Chapter 12). Vietnam is also a party to the APEC Privacy Framework and the ASEAN Framework on Personal Data Protection.