Doing Business in Vietnam: Overview | Practical Law

Data Protection Laws

Data protection, more specifically, the right to privacy and confidentiality of information is a fundamental right enshrined in the Vietnamese Constitution.

Currently, there is no single comprehensive legal document regulating data privacy in Vietnam. However, there are a number of laws and regulations with provisions to protect personal data privacy. The key principle across these documents is that the information owner must consent to the collection, processing and use of their personal information and the use of such information must be in accordance with prior stated purposes. In addition to this requirement for consent, in certain sensitive transactions, such as the transfer of information classified as a state secret or sensitive data under banking laws/regulations (that is, confidential information, information restricted to internal circulation within the entity, or information the entity manages which, if leaked, could have an adverse impact on the entity’s reputation, finances or activities), the person transferring such information must also encrypt the information.

As of May 2021, there is no specific requirement for cross-border transfer of personal information from Vietnam to overseas (such as requirements on the qualifications of the transferees and/or measures the transferees are required to perform). Therefore, as long as prior consent of the data subject is obtained, the data can be transferred to any third parties overseas. However, the Ministry of Public Security (MPS) is drafting a decree guiding the implementation of the Cybersecurity Law of 2018. According to this draft decree, which is expected to be issued in 2021, customer data collected and/or processed by certain industries (such as telecom, e-commerce, online payments and so on) may need to be stored in Vietnam for a period of time prescribed by law if the service providers are warned by the MPS that its online services/platforms have been used for and/or involved with activities prohibited by the Vietnamese law and such service providers failed to rectify the situation following a request from the MPS.

The MPS is also drafting a new Decree on Personal Data Protection (Draft PDPD), which would become the first comprehensive legal document regulating data privacy in Vietnam. The Draft PDPD suggests imposing restrictions on cross-border data transfer, requiring that before transferring Vietnamese citizens’ personal data out of Vietnam, the following four conditions must be fulfilled:

• Consent must be obtained from the data subjects.

• The original data must be stored in Vietnam.

• The data transferor must have proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the Draft PDPD.

• A written approval for transfer must be obtained from the Personal Data Protection Committee (PDPC).

(Article 21, Draft PDPD.)

The Draft PDPD provides an exemption to this requirement when there is:

• Consent from the data subject.

• Approval from the PDPC.

• A commitment from the data processor to protect the data.

• A commitment from the data processor to apply measures to protect the data.

It is unclear from the wording of the Draft PDPD whether the data transferor needs to meet one or all of these criteria to be eligible for the exemption, but presumably all four must be met. In order to obtain a written approval from the PDPC, an application must include an impact assessment report with an assessment of potential harm and measures to manage, minimise or eliminate such harm. The PDPC has 20 working days from the date of submission to process applications for approval.

The Draft PDPD has been released for public comment, but the government has not set out any clear timeline regarding when the draft should be finalised and promulgated. Depending on feedback and pressures from the business community, the process may take years to complete.

Sanctions, ranging from administrative sanctions and fines to criminal liability for particularly serious violations, are set out in legislation. Additionally, compensatory damages may be awarded in successful lawsuits.