Q: Is there any law (including data protection/privacy law) of
general application explicitly governing the use, collection, and
processing of personal data (including sensitive data)?
A: No, there are only sector-specific personal data protection
and/or privacy laws. There's a draft decree concerning the
personal data protection of the Ministry of Public Security in 2019
to codify all the provisions on relevant matters, but this decree
has not been ratified.
Q: Is there a law or regulation that prohibits network service
providers from restricting data traffic on their network?
A: No
Q: Does any law or regulation prohibit security breaches and/or
prohibit unauthorized access to and use of databases, information
systems, and the related hardware?
A: Yes, there are sectoral regulations.
Q: Does any law or regulation criminalize the following
activities?
- Unauthorized access to systems or other databases holding personal data
- Unauthorized interception of data from systems or other databases holding personal data
- Misuse of devices or data for the purpose of committing any of the above criminal behavior
A: Yes, the Law on Cybersecurity 2018.
Q: Is there a law or regulation setting out cybersecurity
requirements for public and private sector entities?
A: Yes
Q: Do data processors/controllers have to comply with the following
cybersecurity requirements?
- Adoption of an internal policy establishing procedures for preventing and detecting violations
- Ensuring the confidentiality of data and systems that use or generate data
- Appointment of a personal data processing office/manager
- Performance of internal controls
A: Yes, the Law on Cybersecurity 2018.
Q: Do organizations collecting or processing personal data have to
comply with the following security requirements?
A: No.
Q: Does any law, regulation or policy provide for the creation of a
cyber-security strategy, infrastructure and institutions to
identify, investigate, and address cyber-security threats?
A: No.
Q: Is the national CERT/CSIRT institutionalized (formally set up,
mandated, staffed and resourced) and operational?
A: No.
Q: Is there a network of local/sectoral CERTs / cybersecurity focal
points across public sector entities that monitor and report
threats to the national CERT/CSIRT?
A: No
Q: Do any laws, regulations or policies place conditions on, or
otherwise restrict, the transfer of data outside the country?
A: No
Q: Does the country have arrangements with foreign countries or
multinational entities, or are there decisions of domestic and
foreign bodies or agencies, to require, permit or limit transfers
of personal data across borders?
A: No
Q: Has the DPA published any Binding Corporate Rules (BCRs) or
model data transfer agreements to help facilitate compliance for
cross-border data transfers?
A: No
Q: Is your country a member of any regional enforcement or
coordination bodies that support regulatory interoperability for
data regulation (e.g., ECOWAS, APEC CPBR, etc.)?
A: Yes. APEC.
Q: Is there a law or regulation that explicitly governs electronic
transactions?
A: Yes, the Law on E-Transactions 2005.
Q: Does the law referred to above include provisions that grant
legal (functional) equivalence between paper-based and electronic
communications, contracts, signatures and records?
A: Yes. Electronic signatures (Articles 24 & 34 of the Law on
E-transactions 2005)
Q: Does the law identified above recognize electronic signatures as
legal in your country?
A: Yes (Chapter III of Law on E-transactions 2005)
Q: Are there any documents that cannot be legally accepted in
electronic format and cannot be signed electronically?
A: Yes, property deeds and other contracts for the lease or sale of
immoveable property.
Q: Are there entities authorized to issue digital
certificates?
A: Yes. Both public and private entities.
Q: Have any licenses been issued for private Certification
Authorities (CAs)?
A: Yes, for example digital certificates granted by Root
Certification Authority.
Q: Have any certificates been issued for digital signatures
(PKI)?
A: Yes (Article 29 Law on E-Transactions 2005).
Q: Does the law or regulations prescribe a specific form or
condition for electronic signatures?
A: Yes (Decree No. 130/2018/ND-CP on guidelines for the law on
e-transactions of digital signatures and digital signature
authentication).
Q: Is there a law or regulation that governs the creation and
management of a government-recognized foundational digital ID
system (ID enabling law)?
A: Yes, Law on Citizen ID 2014.
Q: Is there a data sharing protocol for the ID system that sets out
standards to manage data sharing with third parties?
A: Yes, Chapter II, Decree 137/2015/ND-CP.
Q: Is there a national data classification policy or directive
issued by the government? If yes, does the policy or directive
prescribe the categories by which data is to be classified (e.g.,
public, restricted, strictly confidential)?
A: Yes. Law on Citizen ID 2014, Decision 714/QD-TTg dated 22 May
2015, Decision 06/QD-TTg dated 06 Jan 2022.
Yes, the relevant categories are Citizen identification database,
residence database, civil status database and other specialized
databases.
Q: Is it mandatory to use the common data classification categories
across all government database applications or document management
systems?
A: Yes. Article 10 Law on Citizen ID 2014.
Q: Is there a law/regulation that governs the (re)use of public
sector data?
A: Yes, Law on Citizen ID 2014.
Q: Does this law or regulation require the private sector to share
data with the public sector when the data has been collected or
generated using public sector funding?
A: No.
Q: Are there special arrangements for administrative data sharing
within the public sector (between NSO/institutions in the National
Statistical System and other ministries)?
A: Yes, in Chapter II, Decree 137/2015/ND-CP.
Q: Is there a law or regulation that grants individuals the right
to request access to government records or data (Access to
Information/Right to Information/Freedom of Information
Laws)?
A: Yes, Article 10.2 (b) Law on Citizen ID 2014.
Q: Does the law provide for limitations or exceptions to this right
of requesting access to government records or data?
A: Yes, Article 10.2 (c) Law on Citizen ID 2014.
Q: Does the law provide for the creation of a centralized body to
process Access to Information (ATI) requests?
A: Yes, Article 10.1 Law on Citizen ID 2014.
Q: Is the number of requests received published and publicly
available on a citizen-facing government website?
A: No.
Q: Is there an Open Data Act or open data policy applicable across
the entire public sector?
A: Yes, Decree No. 47/2020/ND-CP.
Q: Does the government publish datasets on a publicly available
data portal/platform?
A: Yes, on a national/centralized (one-stop-shop) website.
Q: If yes, are the data published on the platform in an open and
reusable format?
A: Yes. The data are regularly maintained and updated with
accompanying metadata.
Q: What are the features of the government operated data sharing
platform?
A: They are based on an open source, proprietary solution and all
government agencies are connected to the platform.
Q: Is there a National Interoperability Framework for the public
sector?
A: Yes, Article 17 Law on Citizen ID 2014. The Interoperability
Framework includes mandatory provisions for legal interoperability,
semantic interoperability and organizational
interoperability.
Q: Are governmental/official entities mandated to use common
technical standards (e.g., "FAIR": Findable,
Accessible, Interoperable, Re-usable) that enable interoperability
of systems, registries, databases?
A: Yes. Article 9 Circular No. 10/2016/TT-BCA
Q: Are there technical standards that certain types of data (such
as "high value datasets" or "public good"
datasets) are required to follow to promote re-use?
A: No.
Q: Does any law or regulation mandate the portability of
non-personal data?
A: No.
Q: Is there a legal regime that protects intellectual property
rights (IPRs) for data-driven products and services?
A: Yes, Article 14, IP Law 2005, as amended by IP Law 2009.
Q: Is there a law that gives government or industry bodies (e.g.,
national Standard Setting Organizations, or SSOs) the power to
compel IPR holders to provide access to "essential" data
or applications on FRAND [or similar standard] terms (e.g., data
essential to competition)?
A: No
Q: Have antitrust authorities initiated investigations relating to
data access, e.g., under abuse of dominance infringements or market
inquiries?
A: No
Q: Has the competition authority issued any decisions on
anticompetitive practices or mergers involving data control (e.g.,
including remedies related to data access)?
A: No.
Q: Is there a law or regulation of general application for the
development and use of Artificial Intelligence (AI) or Automated
Decision-Making Systems (ADMS)?
A: No.
Please do not hesitate to contact Dr. Oliver Massmann under
omassmann@duanemorris.com if you have any questions or want to know
more details on the above. Dr. Oliver Massmann is the General
Director of Duane Morris Vietnam LLC.