Personal Data Privacy Protection Law: Comprehensive Guide

As businesses and individuals increasingly rely on digital platforms, stringent data protection measures are needed to keep personal data private and secure and to build trust and confidence among users.

Did You Know
Until recently, Vietnam's approach to data protection was relatively fragmented, with various regulations spread across different sectors and laws.

The landscape changed significantly with the introduction of the new Personal Data Protection Law.

This comprehensive law aims to create a data protection framework that provides clear guidelines and responsibilities for organizations handling personal data. The new law further aims to align Vietnam's data protection standards with international best practices, ensuring robust protection for individuals' personal information.

What is Personal Data Protection?

Personal data protection refers to the policies and practices designed to safeguard individuals' personal information from unauthorized access, use, disclosure, or destruction.

In Vietnam, personal data protection regulation encompasses measures to ensure that personal data is collected, processed, stored, and transferred securely and transparently. The significance of personal data protection lies in its ability to prevent data breaches, protect privacy, and maintain the integrity and confidentiality of personal information.

The primary objectives of Vietnam's Personal Data Protection Law are to:

  • Ensure that individuals have control over their personal data and how it is used.
  • Implement measures to protect against unauthorized access and data leaks.
  • Urge organizations to be transparent about their data processing activities.
  • Hold organizations accountable for their data protection practices and ensure compliance with legal requirements.
  • Align Vietnam's data protection regulations with global standards to facilitate international business and cooperation.

Governing texts

In Vietnam, the right to privacy and the protection of personal secrets are enshrined in the Constitution. While this Constitutional guarantee underscores the importance of personal data protection as a fundamental right, the following key laws put the idea into practice:

Key Laws: Civil Code, Law on Cyber Information Security, PDP Decree No. 13/2023/ND-CP

Before the comprehensive Personal Data Protection Decree (PDPD) was introduced, personal data protection in Vietnam was governed by a patchwork of laws.

For example, the Civil Code of 2015 (No. 91/2015/QH13) established general principles regarding the protection of personal information and the privacy rights of individuals. This code provided a broad legal framework for personal data protection but was not specific enough to address the complexities of the digital environment.

The Law on Cyber Information Security (No. 86/2015/QH13) further detailed the requirements for safeguarding personal data in cyberspace. This law addressed various aspects of information security, including the protection of personal data from cyber threats. It played a crucial role in defining the responsibilities of organizations and individuals in maintaining data security and preventing data breaches.

The introduction of the PDPD (Decree No. 13/2023/ND-CP) aims to resolve confusion about existing regulations and create a cohesive legal framework for personal data protection. This decree consolidates and strengthens rules that were previously dispersed across multiple laws and regulations, providing clarity to businesses and organizations operating in Vietnam.

The PDPD introduces key data protection principles such as:

  • Lawfulness;
  • Transparency;
  • Purpose limitation;
  • Data minimization;
  • Accuracy;
  • Integrity;
  • Confidentiality; and,
  • Accountability. 

Under this framework, personal data must be collected, processed, and used in a manner that respects individuals' privacy rights, and organizations must inform data subjects about the collection and use of their personal data and obtain explicit consent before processing their data.

The PDPD prohibits the unauthorized collection, transfer, or sale of personal data, ensuring that individuals retain control over their information. Data subjects also have the right to access, review, and request corrections to their personal data, enhancing transparency and accountability.

Other Key Acts, Regulations, and Directives

PDPD (Decree No. 13/2023/ND-CP)

As discussed above, the Personal Data Protection Decree (PDPD) is the new cornerstone of Vietnam's data protection framework, consolidating and strengthening regulations across various sectors. Effective from July 1, 2023, it mandates stringent requirements for businesses and organizations handling personal data, including principles of lawfulness, transparency, purpose limitation, and data minimization. However, other key laws also underpin the framework.

Law on Cybersecurity

The Law on Cybersecurity (No. 24/2018/QH14), enacted on June 12, 2018, regulates activities in cyberspace that impact national security and social order. This law is critical for ensuring that digital activities do not compromise the security and privacy of personal data. It provides guidelines for securing information systems and responding to cyber threats, thereby protecting users' personal data from unauthorized access and breaches.

Law on Electronic Transactions

The Law on Electronic Transactions (No. 20/2023/QH15), adopted on June 22, 2023, and effective from July 1, 2024, governs electronic transactions in both the public and private sectors. It prohibits the use, provision, or disclosure of personal data accessed during electronic transactions without the individual's consent. This law ensures that electronic transactions are conducted securely and with respect for personal privacy.

Law on Information Technology

The Law on Information Technology (No. 67/2006/QH11), effective since June 29, 2006, governs the application and development of information technology. It outlines the rights and obligations of entities involved in IT activities and regulates the collection, processing, use, storage, and provision of personal data in the network environment. This law is fundamental to the protection of personal data in digital and online contexts.

Law on Telecommunications

The Law on Telecommunications (No. 24/2023/QH15), adopted on November 24, 2023, and effective from July 1, 2024, regulates telecommunications activities and the rights and obligations of those in the telecommunications industry. It specifically requires telecommunications enterprises to protect user information and not to disclose it without consent or a valid request from competent authorities.

Law on Credit Institutions

The Law on Credit Institutions (No. 32/2024/QH15), effective from July 1, 2024, governs the establishment and operations of credit institutions in Vietnam. It mandates that credit institutions keep user account information, assets, and transactions confidential unless consent is given or a valid request from a competent authority is received. This law is vital for protecting financial data and ensuring trust in the banking sector.

Law on Protection of Consumers' Rights

The Law on Protection of Consumers' Rights (No. 19/2023/QH15), effective from July 1, 2024, outlines various consumer rights and the obligations of organizations to protect consumer information. It emphasizes the importance of safeguarding consumer data against unauthorized use and disclosure, thereby enhancing consumer trust in the market.

Law on Publication

The Law on Publication (No. 19/2012/QH13), effective since November 10, 2012, regulates the rights and obligations of individuals and organizations in the publishing industry. It prohibits the unauthorized disclosure of national secrets, personal secrets, and other sensitive information, thereby ensuring the protection of personal data within the publishing sector.

Press Law

The Press Law (No. 103/2016/QH13), effective since April 5, 2016, governs the press and outlines citizens' rights to freedom of the press and speech in the media. It also defines the responsibilities of media organizations and prohibits the unauthorized access and disclosure of personal secrets and other protected information. This law plays a crucial role in maintaining the integrity and privacy of personal data in media activities.

Scope of Application

Does this law apply to me?

The law applies to all organizations and individuals involved in personal data processing within Vietnam's borders. This includes data controllers, processors, and any related third parties, as well as Vietnamese companies or individuals processing data offshore. The law also protects natural persons who can be identified from their personal information. So, if you're a Vietnamese citizen or a foreigner living in Vietnam, your data is safeguarded under this legislation.

Where does the law apply?

Geographically, the law's reach primarily focuses on data processing activities within Vietnam's territory. However, it also extends to Vietnamese entities operating abroad and foreign entities involved in data processing within Vietnam.

What does the law cover?

The law covers a comprehensive range of personal data processing activities, from collecting and storing data to more complex operations such as encrypting, decrypting, and automated data processing.

This includes:

  • Collecting and recording data;
  • Analyzing and verifying information;
  • Storing and editing personal details;
  • Publishing and combining data sets;
  • Accessing and retrieving information;
  • Encrypting and decrypting data;
  • Copying and sharing personal data;
  • Transferring and providing information; and,
  • Transmitting and deleting data.

Also note that the law will likely keep pace with technological advancements, including automated data processing activities.

Data Protection Authority

Main Regulator: Ministry of Public Security (MPS)

The Ministry of Public Security (MPS) serves as the chief regulatory body for data protection in Vietnam. The Department of Cybersecurity and Prevention of Cybercrimes is designated to enforce and implement data protection regulations.

Responsibilities

The Cybersecurity Department holds extensive authority and responsibilities in data protection, including:

  • Aiding the government in overseeing personal data protection activities and offering essential guidance to ensure the proper implementation of data protection measures that comply with existing regulations.
  • Preventing and addressing violations of personal data protection laws to protect individual rights.
  • Proposing and promoting the creation or improvement of personal data protection standards.
  • Developing, managing, and operating the National Portal on Personal Data Protection, which serves as a centralized platform for data protection information and resources.
  • Assessing the effectiveness of data protection activities carried out by various entities, agencies, and individuals, ensuring that standards are met and maintained.
  • Processing submissions of portfolios, forms, and other information related to personal data protection, as stipulated by the Personal Data Protection Decree (PDPD).
  • Adopting innovative measures and conducting research to enhance personal data protection. This includes fostering international cooperation to align Vietnam's data protection standards with global best practices.
  • Conducting inspections and handling complaints, denunciations, and violations related to personal data protection, ensuring that entities and individuals comply with the laws and regulations in place.

Legal bases for data processing

Consent

One of the primary legal bases for processing personal data in Vietnam is obtaining the consent of the data subject. Consent must be given voluntarily and with full awareness of several key elements:

  • The type of personal data to be processed.
  • The purposes of the data processing.
  • The entities authorized to process the data.
  • The rights and obligations of the data subjects.
  • Whether the data includes sensitive personal information.

Consent must be explicit and specific, documented in a clear format such as written statements, voice recordings, text messages, or technical methods of agreement (e.g., ticking a box). Silence or inaction does not constitute valid consent. Additionally, consent can be partial or conditional, allowing data subjects to agree to specific aspects of data processing.

Contract

Data processing can also be based on the need to fulfill a contract with the data subject. This means that personal data can be processed if it is necessary to perform the contractual obligations that the data subject has with an entity or individual, in accordance with the law.

Legal obligations

Another legal basis for data processing is the requirement to comply with legal obligations. This involves processing personal data as mandated by laws and regulations, ensuring that the data controller adheres to statutory duties.

Interests of the Data Subject

In emergency situations, the processing of personal data may be justified to protect the vital interests of the data subject or other individuals. This includes immediate actions necessary to safeguard lives and health, emphasizing the urgency and necessity of such processing.

Public interest

Data processing can be carried out in the public interest, particularly in emergencies related to national defense, security, public safety, natural disasters, or disease outbreaks. This also extends to combating criminal activities such as terrorism, riots, or other legal violations.

In these cases, the processing is aimed at addressing significant risks or threats to public order and safety, even if a state of emergency has not been officially declared.

Other instances

In addition to the aforementioned bases, personal data may be processed to support activities of authorities as stipulated in specific sectoral laws. This includes instances where the data processing serves governmental functions or public administration tasks as defined by legal provisions in various sectors.

Key definitions

Data controller

A data controller is an entity or individual that decides the purposes and methods for processing personal data. Essentially, the data controller has the primary responsibility for determining how and why personal data is processed. This role involves making decisions about data collection, storage, and usage, ensuring that these processes align with legal and regulatory requirements.

Data processor

A data processor is an entity or individual that processes personal data on behalf of the data controller, based on a contractual or agreed arrangement. The data processor follows the instructions given by the data controller and handles data processing tasks such as collecting, recording, and storing data. Although the data processor manages the actual processing activities, the data controller retains overall responsibility for ensuring compliance with data protection laws.

Personal data

Personal data refers to any information that can identify a particular individual, either on its own or when combined with other data. This information can come in various forms, including symbols, letters, numbers, graphics, and audio. Personal data is categorized into basic personal data and sensitive personal data.

Basic personal data

Basic personal data includes a wide range of information such as:

  • Name and nickname;
  • Date of birth, date of death, or date of disappearance;
  • Gender;
  • Birthplace, permanent address, temporary address, current address, and contact address;
  • Nationality;
  • Personal photographs;
  • Phone numbers, identification numbers, passport numbers, license plates, driver's licenses, tax numbers, social security numbers, and medical insurance numbers;
  • Marital status and family information (e.g., parents, children);
  • Information related to digital accounts and internet activity history; and,
  • Any other data that, alone or in combination with other information, can identify an individual but is not classified as sensitive personal data.

Sensitive personal data

Sensitive personal data is information considered more private and requiring a higher level of protection, such as:

  • Political opinions and religious views;
  • Medical conditions and private medical record information, excluding blood types;
  • Ethnicity;
  • Genetic information;
  • Biometric data and physical characteristics;
  • Sexual orientation;
  • Criminal records held by law enforcement agencies;
  • Customer information held by financial institutions and intermediary payment service providers, including Know Your Customer (KYC) information, account details, assets, transactions, and guarantor information;
  • Real-time location data obtained through location services; and,
  • Any other personal data deemed unique and requiring special security measures by law.

The law also defines data processing broadly to encompass nearly any action undertaken that involves the use of personal data, from collection and storage to analysis and deletion.

Controller and processor obligations

Data processing notification

In Vietnam, data subjects must be informed before their personal data is processed. This notification must be verifiable and can be in writing, digital format, or any other printable format. The notification should include:

  • The purposes of the data processing activities.
  • The type of personal data being processed.
  • The methods used for processing.
  • Information about the parties involved in the processing activities.
  • Potential unwanted consequences.
  • The start and end time of the processing activities.

However, if the data subject has already given consent or if the data is being processed by a competent authority for a lawful purpose, notification is not required.

Data transfers

Under Vietnam’s Cybersecurity Law, organizations providing services over telecom networks, the internet, and other digital platforms in Vietnam must store personal data within Vietnam and establish a physical presence in the country. This includes entities involved in e-commerce, social networking, online gaming, and email services, as well as foreign enterprises.

When transferring personal data offshore, organizations must prepare a Transfer Impact Assessment. This document should include:

  • Contact details of the data transferor and receiver.
  • A description of the processing activities post-transfer.
  • Details of the data types being transferred.
  • Compliance with PDPD requirements and applied security measures.
  • An assessment of the data processing impact.
  • Mitigation measures and potential consequences.
  • The consent of the data subjects.

This assessment must be submitted to the Cybersecurity Department within 60 days after the transfer begins, and the department must be notified once the transfer is complete.

Data processing records

Data controllers are required to maintain a system log of all data processing activities. This record-keeping ensures accountability and transparency in how personal data is handled.

Data Protection Impact Assessment

Both data controllers and processors must conduct a Data Protection Impact Assessment (DPIA) and submit it to the Cybersecurity Department. The DPIA should include:

  • Contact details of the data controller or processor.
  • Information about the data protection officer (if applicable).
  • The purpose and type of personal data being processed.
  • Details of data receivers, including those offshore.
  • Duration and protection measures of the processing activities.
  • Potential consequences and mitigation strategies.

This assessment must be submitted within 60 days after initiating the processing activities.

Data Protection Officer appointment

Organizations involved in processing sensitive personal data must appoint a data protection officer (DPO) and a department responsible for personal data protection. The details of the DPO must be reported to the Cybersecurity Department.

Data breach notification

Data processors must notify data controllers immediately upon discovering a data breach. Data controllers, in turn, must inform the Cybersecurity Department within 72 hours of the breach. The notification should detail:

  • The nature and scope of the breach.
  • Contact information of the person responsible for data protection.
  • Consequences and damages caused by the breach.
  • Measures taken to mitigate the breach's impact.

Data retention

Documents containing personal information must be retained according to relevant laws, such as the Law on Accounting and the Law on Enterprises, which specify the retention periods for accounting and corporate documents.

Children's data protection

The Law on Children prohibits the disclosure of personal data of children under 16 without parental or guardian consent. For children aged seven or older, both the child and the parent or guardian must consent to data processing.

Cybersecurity Law also mandates service providers to protect children from harmful information online and to cooperate with authorities in removing such content.

Special categories of personal data

When processing sensitive personal data, organizations must implement additional protection measures as outlined in Articles 26 and 27 of the PDPD. Data subjects must be informed that their data is sensitive and must be notified of the processing activities unless exceptions apply.

Controller and processor contracts

The PDPD requires that data controllers and processors enter into agreements or contracts for the processing of personal data. While there are no specific requirements for these contracts, they must outline the responsibilities and obligations of each party involved in data processing.

Data subject rights

Data subjects should exercise these rights judiciously, understanding their implications and the broader context of data use in our increasingly connected world.

For businesses and organizations handling personal data, these rights present both challenges and opportunities. While compliance may require significant adjustments to data handling practices, it also offers a chance to build trust with customers and stakeholders.

Right to be informed

Data subjects have the right to be informed about how their personal data is collected, processed, and used. This includes information on the methods, scope, location, and purposes of data processing. Even if the data can be processed without consent, the data subject must still be notified, ensuring transparency and trust in data handling practices.

Right to access

Data subjects have the right to access their personal data. They can request to view or obtain copies of their personal information held by the data controller. This right ensures that individuals can monitor and verify the accuracy and usage of their personal data.

Right to rectification

Data subjects can request corrections to their personal data if it is inaccurate or incomplete. This right ensures that any errors in personal data are promptly addressed, maintaining the integrity and reliability of the data.

Right to erasure

The right to erasure allows data subjects to request the deletion of their personal data. This right can be exercised under certain circumstances, such as when the data is no longer necessary for the purposes it was collected or if the data subject withdraws consent.

Right to object/opt-out

Data subjects have the right to object to or restrict the processing of their personal data. They can withdraw consent for data processing activities, though processing conducted before the withdrawal remains valid. This right provides individuals with greater control over their personal information.

Right to data portability

The right to data portability allows data subjects to request a copy of their personal data in a structured, commonly used, and machine-readable format. This enables them to transfer their data to another data controller, facilitating greater flexibility and control over personal information.

Protection against automated decision-making

While Vietnamese law does not specifically address automated decision-making, it is considered a data processing activity. Data subjects have the right to object to or restrict decisions made solely based on automated processing, ensuring human oversight in significant decisions affecting individuals.

Other rights

Data subjects also have additional rights under the PDPD, including the right to claim damages for breaches of data protection laws, initiate legal proceedings, and take measures for self-protection. These provisions ensure comprehensive protection and recourse for individuals in the event of data misuse or violations.

Penalties for non-compliance

Administrative penalties

Non-compliance with Vietnam's data protection laws can result in significant administrative penalties, as outlined in Decree 15/2020/ND-CP and its amendment Decree 14/2022/ND-CP. Fines vary based on the nature and severity of the violation:

Each category below lists the violation category, the fine range in VND, the approximate fine range in USD, and a description of the conduct covered.

Minor violations
  Fine range (VND): 2 million - 5 million
  Approx. fine range (USD): $80 - $200
  Description: Retaining personal information beyond the legally required period or agreed terms.

Moderate violations
  Fine range (VND): 5 million - 10 million
  Approx. fine range (USD): $200 - $400
  Description:
  • Failing to verify, correct, or delete personal information upon request.
  • Using incorrect information after receiving a correction request.
  • Providing incorrect information post-deletion request.

Significant violations
  Fine range (VND): 10 million - 20 million
  Approx. fine range (USD): $400 - $800
  Description:
  • Collecting personal data without the data subject's consent.
  • Sharing personal data with third parties against the data subject's request.
  • Failing to notify data subjects of data deletion or technical issues affecting data protection.
  • Not meeting technical standards for cyber information security.
  • Neglecting required measures to prevent data loss, theft, disclosure, or destruction.

Severe violations
  Fine range (VND): 40 million - 60 million
  Approx. fine range (USD): $1,600 - $2,400
  Description:
  • Using personal data outside the agreed scope or without consent.
  • Unauthorized disclosure or business use of personal data.
  • Failing to update, modify, or delete personal data upon request.
  • Not adhering to technical standards and security measures for personal data protection.

Critical violations
  Fine range (VND): 30 million - 50 million; 50 million - 70 million
  Approx. fine range (USD): $1,200 - $2,000; $2,000 - $2,800
  Description:
  • Not addressing threatened breaches promptly.
  • Inadequate security measures for personal data protection.
  • Unauthorized access to collect data or control electronic devices.
  • Failing to provide personal information related to terrorism or criminal activities when requested by authorities.
  • Illegal sale, purchase, or transfer of personal information.

Criminal penalties
  Fine range (VND): 5 million - 50 million
  Approx. fine range (USD): $200 - $2,000
  Description:
  • A warning.
  • Non-custodial reform (similar to probation) of up to three years.
  • Prison sentences ranging from one to three years.

Compensation for damages
  Fine range (VND): N/A
  Approx. fine range (USD): N/A
  Description: Individuals suffering damages due to data protection violations are entitled to seek compensation from the infringing party under Article 13 of the Civil Code. Claimants must initiate legal action and prove actual damages incurred.

Examples of enforcement decisions

Currently, specific enforcement decisions are not publicly available. However, the regulatory framework and established penalties indicate a robust approach to enforcing data protection laws in Vietnam, emphasizing accountability and compliance among organizations handling personal data.
