Last review date: 2 January 2025

☒  omnibus – all personal data

☒  sector-specific

e.g., banking, consumer protection, healthcare, telecommunications

☒  constitutional

Last review date: 2 January 2025

• Civil Code No. 91/2015/QH13, adopted by the National Assembly on 24 November 2015 ("Civil Code")
• Criminal Code No. 100/2015/QH13, adopted by the National Assembly on 27 November 2015 ("Criminal Code")
• Labor Code No. 45/2019/QH14, adopted by the National Assembly on 20 November 2019 ("Labor Code")
• Law No. 67/2006/QH11, adopted by the National Assembly on 29 June 2006, on Information Technology ("IT Law")
• Law No. 86/2015/QH13, adopted by the National Assembly on 19 November 2015, on Cyber Information Security ("LOCIS")
• Law No. 10/2016/QH13, adopted by the National Assembly on 24 November 2015, on Children ("Law on Children")
• Law No. 24/2018/QH14, adopted by the National Assembly on 12 June 2018, on Cybersecurity ("LOCS")
• Law No. 19/2023/QH15, adopted by the National Assembly on 20 June 2023, on Protection of Consumers' Rights ("Consumer Protection Law")
• Decree No. 52/2013/ND-CP, dated 16 May 2013, on e-commerce, as amended and supplemented by Decree No. 85/2021/ND-CP ("Decree No. 52")
• Decree No. 15/2020/ND-CP, dated 03 February 2020, providing penalties for administrative violations pertaining to postal, telecommunication, information technology, radio frequency areas and e-transactions as amended and supplemented by Decree No. 14/2022/ND-CP ("Decree No. 15")
• Decree No. 91/2020/ND-CP, dated 14 August 2020, on spam messages, spam emails and spam calls ("Decree No. 91")
• Decree No. 13/2023/ND-CP, dated 17 April 2023, on personal data protection ("PDPD")
• Decree No. 147/2024/ND-CP, dated 9 November 2024, on the management, provision, and use of Internet services and online information ("Decree No. 147")

Last updated date: 2 January 2025

• Law No. 24/2018/QH14, adopted by the National Assembly on 12 June 2018, on Cybersecurity ("LOCS")
• Law No. 67/2006/QH11, adopted by the National Assembly on 29 June 2006, on Information Technology ("IT Law")
• Decree No. 53/2022/ND-CP, dated 15 August 2022, detailing the implementation of the Law on Cybersecurity ("Decree No. 53")
• Decree No. 91/2020/ND-CP, dated 14 August 2020, on spam messages, spam emails and spam calls ("Decree No. 91")

Last review date: 2 January 2025

• Law No. 86/2015/QH13, adopted by the National Assembly on 19 November 2015, on Cyber Information Security ("LOCIS")
• Law No. 104/2016/QH13, adopted by the National Assembly on 6 April 2016, on Access to Information ("Information Access Law")
• Law No. 19/2023/QH15, adopted by the National Assembly on 20 June 2023, on Protection of Consumers' Rights ("Consumer Protection Law")
• Law No. 20/2023/QH15, adopted by the National Assembly on 22 June 2023, on E-transactions ("E-transactions Law")
• Law No. 60/2024/QH15, adopted by the National Assembly on 30 November 2024, on Data (“Data Law”)
• Circular No. 10/2022/TT-BNV, dated 19 December 2022, prescribing document retention periods

Last review date: 2 January 2025

Yes.

To enforce new privacy requirements under the PDPD, the Government has been working on a draft decree on administrative sanctions in the field of cybersecurity ("CASD"). The latest version of the draft CASD, submitted to the Ministry of Justice for appraisal in May 2024, maintained the previously proposed GDPR-type fine of 5% of the offender's total revenue of the preceding fiscal year in Vietnam. Additional sanctions and remedial measures under the draft CASD remain substantially unchanged, including license revocation, confiscation of the means used to process personal data, and mandatory cessation of data processing for 1-3 months. The issuance schedule of the CASD remains to be seen.

The Data Law, which will take effect on 1 July 2025, seeks to regulate digital data in general, which can encompass personal and non-personal data. The Law introduces new requirements regarding different forms of data processing, such as overseas transfer of important data and core data, and data disclosure to State authorities. Data-related products and services such as data intermediary, data analysis and synthesis, and data exchange are also captured. The Law delegates the Government to provide detailed regulations for guidance purposes.

Vietnam is also drafting a Personal Data Protection Law (PDPL), which is aimed at providing a comprehensive legal framework on personal data protection with a higher legal effect than the current PDPD. Under the latest version released for public consultation, the draft PDPL proposed to regulate personal data processing in specific contexts such as marketing, behavioral and targeted advertising, big data processing, AI, cloud computing, recruitment and employment monitoring, banking and finance, social networks, and media services. It also addresses specific categories of personal data, including health and insurance data, location data, biometric data, credit data, and children's data. The draft PDPL is expected to be enacted in May 2025 and take effect on 1 January 2026.