Vietnam provides a general framework for data protection under the Law on Network Information Security No. 86/2015/QH13 issued on Nov. 19, 2015. Personal data protection is a constitutional right in Vietnam, which is often reflected in other pieces of legislation. The rules for the collection, storage, processing, use, disclosure, and publication of personal data are set out in Vietnam’s Civil Code 2015 and in sectoral laws. These rules are drafted in broad language and are open to interpretation.
Personal data is defined as any information which relates to the identification of a data subject. This includes any information that relates to a data subject’s:
The Vietnamese government labels information as state secrets when:
Further, according to Article 3.17 of the Law of National Information Security, Vietnamese law generally regulates the processing of personal data. The law defines processing personal data as engaging in one or more of the following activities with personal data:
Certain types of personal data, such as bank account balances and medical records, are considered state secrets and enjoy additional protection. The rules for handling state secrets are provided in Decree 33/2002/ND-CP.
The Law on Network Information Security No. 86/2015/QH13 provides two primary exemptions from the data protection rules, namely:
However, the Law requires organisations to obtain a data subject’s consent before processing personal data. There is no specific requirement on the form or the content of consent. Because the nature and level of consent required are ambiguous, prudent organisations should record consent physically or electronically, and should not consider consent to be implied.
There are no specific requirements to notify data subjects or a regulator of personal data security breaches. In case of a breach or a potential breach, a data processor is required only to apply remedies or preventive measures as soon as reasonably possible (Article 19.2, Law on Network Information Security No. 86/2015/QH13).
Non-compliance with the data protection laws can be subject to both administrative penalties and criminal penalties. An administrative penalty might be imposed as follows:
Criminal penalties might be imposed for violations of rules governing confidentiality and safety concerning an individual’s email, mail, telephone, and other forms of communications. The criminal sanction imposed depends on the severity of the crime and might include:
A person who suffers damages caused by an infringement of the data protection laws is entitled to compensation from the infringing party. To obtain compensation, the claimant must prosecute a legal action and meet the burden of proof for actual damages. Many sectoral laws provide additional administrative penalties for non-compliance with data protection obligations.
Government Decree No. 185/2013/ND-CP on administrative penalties concerning commercial production activities and consumer protections provides the following administrative penalties:
Repeat and multiple violations of e-commerce business requirements might cause the business to be suspended for up to 12 months. Although the law provides for many administrative penalties for non-compliance with data protection regulations, in practice, the regulations are not effectively enforced. Statistics on the number of enforcement actions are not made public.