Global Data and Cyber Handbook

Vietnam

Select a Topic
Start Comparison
Legal Bases for Processing of Personal Data
Jump to
Legal Bases for Processing of Personal Data Start Comparison
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 2 January 2025

Yes.

The following are potential legal bases for processing personal data:

☒  the data subject has provided consent to the processing for the identified purposes

☒  the personal data is necessary to perform a contract with the data subject

☒  the personal data is necessary to comply with a legal obligation

☒  the personal data is necessary for a public interest

☒  other

The PDPD provides for the following legal bases for personal data processing:

  • When the data subject has given their valid consent
  • In the event of an emergency where the relevant personal data needs to be immediately processed in order to protect the life or health of the data subject or other individuals
  • Publicizing personal data in accordance with law
  • Data processing by competent State authorities during a state of emergency involving national defense and security, social order and safety, major disasters, and dangerous epidemics; where there is a risk threatening the national security and defense but not to the extent of proclaiming the state of emergency; or to prevent and fight against riots and terrorism, to prevent and fight against crimes and violations of the law in accordance with law
  • In order to fulfill the obligations under the contract between the data subject and relevant agencies, organizations and/or individuals in accordance with a law
  • Serving the operation of a State agency as prescribed by a specialized law
  • Processing the personal data obtained from audio recording and/or video recording activities in public places by a competent agency or organization for the purpose of protecting national security, social order and safety, and/or legitimate rights and interests of organizations and/or individuals in accordance with provisions of laws

Legal bases for personal data processing can also be specified in sector-specific regulations (e.g., health and medication, consumer protection, banking and finance).

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 2 January 2025

Yes.

The following are potential legal bases for processing sensitive personal data:

☒  the data subject has given consent to the processing, where consent is measured to the same standard as non-sensitive personal data

☒  the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")

☒  processing is necessary for reasons of substantial public interest

☒  processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services (this legal basis might be indirectly and partially recognized via different other legal justifications for data processing, such as contractual performance, health and medication-related purposes)

☒  processing is necessary for reasons of public interest in the area of public health

☒  other

The PDPD does not distinguish between the legal bases for sensitive personal data and those for non-sensitive personal data. Please refer to the detailed answers under the Legal Bases for Processing of Personal Data section.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 2 January 2025

Yes. For clarity, special requirements under data privacy laws apply to children (those under the age of 16) instead of minors (those under the age of 18). There are rules, however, under the Civil Code on the formation and validity of a civil transaction in relation to a minor.

In what circumstances do these special requirements apply?

Last review date: 2 January 2025

Generally

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 2 January 2025

What are the special requirements that apply to collecting personal data from minors?

☒  consent must be given or authorized by the holder of parental responsibility over the child

☒  additional data security requirements apply

Under the PDPD, a child's personal data must be processed with consent from their parent or guardian and, in case the child is seven years of age or above, by the children themselves, except for when consent is not the legal basis for data processing pursuant to Article 17 of the PDPD. The data controller and data processor must verify the age of the child before processing their personal data.

{{ $store.state.loadingScreen.message }} ...