Single Blog

In the era of information and communications technology (ICT), use of cyberspace by businesses (such as websites, social networks, mobile applications, etc.) is critical for rapid development. As part of the business in such context, collecting, storing, transmitting and processing personal data belonging to customers and cyberspace users are each indispensable. Therefore, to mitigate such a risk, each jurisdiction has its own regulations to protect the data subject (e.g., EU General Data Protection Regulation, UK Data Protection Act, Japan’s Personal Information Protection Act) and entity compliance with such regulations is strictly required. Similar to any other jurisdictions, Vietnam has its own legal framework to regulate personal data protection matters. As a Trusted Software Development Partner, DataHouse Asia will provide you with a quick overview and some essential points concerning the legal framework on personal data protection in Vietnam. 

Introduction 

In Vietnam, the right to privacy and personal secrets is a constitutional right. However, Vietnam does not have a consolidated piece of legislation on the protection of personal data. Instead, rules and regulations on personal data protection can be found in several laws, including general laws such as the Civil Code and the Law on Cyber Information Security and sectoral laws such as the Law on Electronic Transactions and the Law on Telecommunications. In other words, applicability of legal documents will depend on the factual context of each case, e.g businesses in the banking and finance, education, healthcare sectors may be subject to specialized data protection regulations. 

 
Regarding personal information, the key principles on collection, storage, use, process, disclosure or transfer of personal information are specified in the following main laws and guiding documents, among others: 

• Law on Cyber Information Security No. 86/2015/QH13 (19 November 2015) (‘LCS’). 
• Law on Cybersecurity No. 24/2018/QH14 (12 June 2018) (only available to download in Vietnamese here) (‘the Cybersecurity Law’), which regulates cyber activities that impact national security and social order, and safety 
• Civil Code 2015 (November 24, 2015) (only available in Vietnamese here) (‘the Civil Code’). Article 38 provides rules for the collection, storage, processing, use, disclosure, and publication of personal information. 
• Law on Electronic Transactions No. 51/2005/QH11 (29 November 2005) (only available in Vietnamese here), which governs electronic transactions by state agencies as well as the private sector and generally prohibits the use, provision, or disclosure of data, which can be accessed in relation to an electronic transaction, without consent. 
• Law on Cinematographic No. 62/2006/QH11 (29 June 2006) (only available in Vietnamese here), which sets out rights and obligations for those involved in the film, cinematography, and television industry, and expressly prohibits the unauthorized disclosure of personal secrets and other types of secrets in these industries in accordance with Vietnamese laws. 
• Law on Information Technology No. 67/2006/QH11 (29 June 2006) (only available in Vietnamese here) (‘the IT Law’), which governs information technology applications and development, sets out the rights and obligations of agencies, organizations, and individuals engaged in these activities, as well as regulates the collection, processing, use, storage, and provision of personal data on a network environment. 
• Law on Telecommunications No. 41/2009/QH12 (23 November 2009) (only available in Vietnamese here), which regulates telecommunications activities and the rights and obligations of those working in the telecommunication industry, and expressly requires telecommunications enterprises not to disclose information of an end-user without consent from such end-user or a valid request from a competent authority. 
• Law on Credit Institution No. 47/2010/QH12 (16 June 2010) (only available in Vietnamese here), which governs the establishment and operations of credit institutions in Vietnam, and expressly requires a credit institution to keep confidential all information regarding its users’ accounts, assets, and transactions, unless consent is given or there is a valid request from a competent authority. 
• Law on Postage No. 49/2010/QH12 (17 June 2010) (only available in Vietnamese here), which governs the administration of the postal service, and generally requires protection of the confidentiality of postal parcels. 
• Law on Protection of Consumers’ Rights No. 59/2010/QH12 (17 November 2010) (only available in Vietnamese here), which sets out a variety of consumer rights and details organizations’ obligations to protect consumer information. 
• Law on Publication No. 19/2012/QH13 (20 November 2012) (only available in Vietnamese here), which sets out the rights and obligations of individuals and organizations in the publishing industry, and prohibits unauthorized disclosure of national secrets, personal secrets, and certain other secrets. 
• Press Law No. 103/2016/QH13 (5 April 2016) (only available in Vietnamese here), which governs the press, including citizens’ rights to freedom of press and freedom of speech in the press, and the rights and obligations of agencies, organizations, and individuals involved in the media industry, and prohibits unauthorized access and disclosure of national secrets, personal secrets, and certain other secrets. 

Vietnam: Draft Decree on Personal Data Protection 

The Ministry of Public Security (“MPS”) has reported that a Decree on personal data protection (“Draft PDPD”) is being drafted by the MPS, which is contemplated to consolidate all data protection laws and regulations into one comprehensive data protection law. Only an outline of the Draft PDPD (“Outline”) has been released for public consultation as at 6 January 2021.  

A draft Decree detailing a number of articles of the Cybersecurity Law (“Draft Cybersecurity Decree”), notably including implementation guidelines for data localization requirements, together with a draft Decree detailing the order of and procedures for application of a number of cybersecurity assurance measures and a draft Decision of the Prime Minister promulgating a List of information systems important for national security, are being prepared by the Ministry of Public Security (“MPS”) in coordination with other relevant ministries, ministerial-level agencies and bodies. 

Personal Data Processor 

Among the legal terms defined for the first time in Vietnam is sensitive personal data, which is defined to include, among others, political and religious beliefs, ethnicity or race, healthcare status, genetic information, biometric data, gender and/or sex life, and criminal records. 

Personal Data Processor is also introduced and defined as a legal entity or a natural person, [or] a branch of a foreign company or state authority or local authority that processes personal data. 

Main Personal Data Processor and Authorized Personal Data Processor are distinguished. Specifically, the Main Personal Data Processor gives authorization in accordance with the laws and is similar to a data controller under the European Union’s General Data Protection Regulation (GDPR), and the Authorized Personal Data Processor is authorized by the Main Personal Data Processor to process personal data on its behalf, similar to a data processor under the GDPR. 

The Draft Decree also sets out the following seven (07) principles of personal data protection:  

1. Principle of Lawfulness: Personal data shall be collected legally  

2. Principle of Purpose: Personal data shall be collected for the purposes that have been consented or registered  

3. Principle of Simplification: Personal data shall only be collected if it is necessary to serve for a pre-determined purpose  

4. Principle of Restricted Use: Personal data shall only be used when consented by the data subjects or competent authorities  

5. Principle of Data Quality: Personal data shall be updated, sufficient and necessary to serve the purpose of processing such data  

6. Principle of Security: Security measures shall be applied to protect personal data  

7. Principle of Individuality: Data subjects shall be notified of all activities pertaining to their personal data  

Under Article 4 of the Draft Decree, offshore Personal Data Processors may be required to appoint a representative in Vietnam.  

Article 27 of the Draft Decree also requires that the act of transferring personal data overseas must be registered with competent authorities

Areas to be developed  

As mentioned, a number of provisions remain in skeletal form and the Government is currently reviewing comments from the public on the Draft Decree. The next versions of the Draft Decree would likely expand on the following: 

• Scope of activities pertaining to personal data 

• Rights and obligations of data subjects 

• Measures to protect personal data 

• Data processing registration, including registering to process sensitive personal data and registering to transfer personal data of Vietnamese nationals to another jurisdiction 

• Competent authorities responsible for personal information protection 

Developing an omnibus data protection decree as a sub-legislation to the Cybersecurity Law. This reflects the Government’s goal of developing a comprehensive legal framework regarding data protection that is in line with international standards. 

Talk to us 

DataHouse Asia is very proud to be awarded ISO:IEC 27001:2013 certification, an internationally recognized standard that ensures that the quality management system is process-oriented, and specifically built to the needs of our customers. ISO/IEC 27001:2013 certificate testifies that DataHouse Asia can identify, analyze, and address its information risks. This means that DataHouse Asia has become a more reliable partner in terms of its security arrangements.

References: 
Amchamvietnam ; Dataguidance.com