Vietnam’s Employees Data Privacy & Protection Law

August 26, 2020, 1:25 pm

Vietnam provides a general framework for data protection under Law on Network Information Security No. 86/2015/QH13 issued on Nov. 19, 2015. Personal data protection is a constitutional right in Vietnam which is often reflected in other pieces of legislation. The rules for the collection, storage, processing, use, disclosure, and publication of personal data are set out in Vietnam’s Civil Code 2015 and in sectoral laws. These rules are drafted in broad language and are open to interpretation.

Data protected  

Personal data is defined as any information which relates to the identification of a data subject. This includes any information that relates to a data subject’s:

  • Personal life, such as name, date of birth, address, telephone number, identification number, or email address.
  • Personal or family secrets.
  • Personal communications, including written correspondence and the content of telephone calls. (Article 38, Civil Code 2015.) 

The Vietnamese government labels information as state secrets when:

  • The information relates to a case, a circumstance, a document, an object, a location, a time, or a speech that contains important content in the fields of politics, national defense, national security, foreign affairs, economy, science, technology, or other subjects designated by the government. 
  • The disclosure of the information might cause harm to the State of the Socialist Republic of Vietnam.


Further, according to Article 3.17 of the Law of National Information Security, Vietnamese law generally regulates the processing of personal data. The law defines processing personal data as engaging in one or more of the following activities with personal data:

  • Collecting
  • Editing
  • Using
  • Storing
  • Providing to any third party
  • Transferring
  • Sharing
  • Publishing

Certain types of personal data, such as bank account balances and medical records, are considered state secrets and enjoy additional protection. The rules for handling state secrets are provided in Decree 33/2002/ND-CP. 

Exemptions 

The Law on Network Information Security No. 86/2015/QH13 provides two primary exemptions from the data protection rules, namely: 

  • The processing of personal data carried out by a competent authority or on the decision of a competent authority supported by law. The law does not define a competent authority in this context.
  • The processing of personal data to ensure national security, protect national defense, maintain public order, or meet non-commercial objectives in accordance with relevant laws. 

However, the Law requires organisations to obtain a data subject’s consent before processing personal data. There is no specific requirement on the form or the content of consent. Because the nature and level of consent required are ambiguous, prudent organisations should record consent physically or electronically, and should not consider consent to be implied.

Data security breaches 

There are no specific requirements to notify data subjects or a regulator of personal data security breaches. In case of a breach or a potential breach, a data processor is required only to apply remedies or preventive measures as soon as reasonably possible (Article 19.2, Law on Network Information Security No. 86/2015/QH13). 


Sanctions 

Non-compliance with the data protection laws can be subject to both administrative penalties and criminal penalties. An administrative penalty might be imposed as follows:

  • Between VND 2 million and VND 5 million for storing a data subject’s personal data for longer than legally required or agreed by the parties.
  • Between VND 5 million and VND 10 million for failing to check, adjust, or delete a data subject’s personal data after receiving a request from the data subject.
  • Between VND 10 million and VND 20 million for:
      • failing to provide a data subject’s personal data as it relates to terrorism or criminal activities if the data is requested by a competent authority;
      • disclosing a data subject’s personal data without consent; or
      • failing to maintain the necessary management and technical measures to protect a data subject’s personal data.

Criminal penalties might be imposed for violations of rules governing confidentiality and safety concerning an individual’s email, mail, telephone, and other forms of communications. The criminal sanction imposed depends on the severity of the crime and might include: 

  • A warning
  • A fine between VND 5 million and VND 50 million
  • Non-custodial reform, similar to probation or supervised release in other jurisdictions, of up to three years
  • A prison sentence of between one and three years 

A person who suffers damages caused by an infringement of the data protection laws is entitled to compensation from the infringing party. To obtain compensation, the claimant must prosecute a legal action and meet the burden of proof for actual damages. Many sectoral laws provide additional administrative penalties for non-compliance with data protection obligations. 

Government Decree No. 185/2013/ND-CP on administrative penalties concerning commercial production activities and consumer protections provides the following administrative penalties:

  • Violations of consumers’ rights. An administrative penalty of between VND 10 million and VND 20 million might be imposed for failing to inform data subjects of the purpose of the collection and processing of personal data; using personal data for purposes other than those communicated to the data subject; failing to protect and maintain a complete and accurate version of personal data when collecting, using, or transferring the data; failing to revise or update, or allow the data subject to revise or update, inaccurate personal data; or transferring a data subject’s personal data to a third party without consent.
  • Improper e-commerce activities. An administrative penalty of between VND 5 million and VND 30 million might be imposed for collecting personal data without the data subject’s consent; using personal data for purposes other than those communicated to the data subject; setting up a mechanism that compels consent for the collection, disclosure, or use of personal data for advertisement purposes or for other commercial purposes; or failing to have a privacy policy or disclose the privacy policy to consumers as legally required.

Repeat and multiple violations of e-commerce business requirements might cause the business to be suspended for up to 12 months. Although the law provides for many administrative penalties for non-compliance with data protection regulations, in practice, the regulations are not effectively enforced. Statistics on the number of enforcement actions are not made public.
