Last review date: 2 January 2025

Vietnamese laws do not use a consistent definition of personal data, with definitions varying across sectors and their relevant regulations.

In general, Vietnam's data privacy-related laws protect information associated with or enabling the identification of a specific individual. Information enabling the identification of a specific person refers to information generated from the activities of an individual that, when combined with other stored data and information, can identify a specific person.

Last review date: 2 January 2025

Sensitive data includes:

☒  personal data revealing racial or ethnic origin

☒  personal data revealing political opinions

☒  personal data revealing religious or philosophical belief (philosophical belief is not explicitly covered under the PDPD)

☒  genetic data

☒  biometric data for the purpose of uniquely identifying a natural person or biometric templates

☒  data concerning health/medical information

☒  data concerning a natural person's sex life or sexual orientation

☒  financial information

☒  personal data regarding an individual's criminal convictions or record

☒  other

The PDPD defines sensitive personal data as data associated with the privacy of an individual that, when being infringed upon, will directly affect the legitimate rights and interests of such individual. Sensitive personal data is enumerated under a non-exhaustive list, covering the following:

• Political views and/or religious views
• Health status and private life included in the medical records, excluding blood type information
• Information concerning racial origin and/or ethnic origin
• Information concerning inherited or acquired genetic characteristics of an individual
• Information about the physical traits and/or biological characteristics of an individual
• Information about the sex life and/or sexual orientation of an individual
• Data about crimes and/or criminal acts collected and stored by law enforcement agencies
• Customer information of credit institutions, foreign bank branches, payment intermediary service providers or other authorized organizations, including customer identification information as prescribed by laws, information on accounts, information on deposits, information on deposited assets, information on transactions, information on organizations and individuals that are guarantors at credit institutions, bank branches, or payment intermediary service providers
• Location data of an individual as determined by location services
• Other personal data as specified by laws to be peculiar and requiring necessary security measures

Last review date: 2 January 2025

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

• the controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
• the processor/agent is natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Yes, save for the fact that the PDPD does not explicitly recognize the concept of joint controllership.

In addition, although the PDPD differentiates a data controller from a data controlling and processing entity ("C&P Entity"), in the sense that the former does not directly process personal data, a C&P Entity should assume obligations similarly as a controller since both stakeholders determine the purposes and means of personal data processing. The C&P Entity will only incur a processor's obligations if it processes personal data on another controller's behalf, in which case it shall only be defined as a processor in relation to the particular delegated processing activities.