Last review date: 2 January 2025
There is no single data privacy and security regulator in Vietnam. The Ministry of Information and Communication (MIC) and the Ministry of Public Security (MPS) can both claim authority over most data privacy and cybersecurity matters as granted to them under various pieces of laws. Since data privacy is also prescribed in sector-specific regulations, the regulator of that specific sector will also have jurisdiction in relation to data privacy issues arising in the context of that sector (e.g., the Ministry of Industry and Trade regulates data-related issues in consumer protection; the Ministry of Labor, Invalids and Social Affairs regulates data-related issues in children protection; the State Bank of Vietnam regulates data-related issues in banking and finance). There is, hence, a regulatory overlap among State authorities in Vietnam.
As Vietnam is witnessing an overhaul of its government entities, State power over data privacy, non-personal data and cybersecurity might also be impacted. For example, regulatory power may be transferred to a newly formed authority following the merger of two other State agencies.
Last review date: 2 January 2025
The MPS might continue to request onshore and offshore companies to update their previously filed privacy impact assessments. They may also initiate a second round of privacy compliance checks in 2025.
Last review date: 2 January 2025
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Rare
Last review date: 2 January 2025
There are:
☒ administrative remedies from regulators and law enforcement
Administrative remedies vary depending on the actual data privacy infringements, including but not limited to monetary fines that can reach VND 80 million (approx. USD 3,300). Notably, the draft decree on administrative sanctions against cybersecurity violations ("Draft CASD") can subject a data privacy offender to a fine of 5% of the total revenue of the preceding fiscal year in Vietnam. Additional sanctions and remedial measures under the Draft CASD include, among others, license revocation, confiscation of means used to process personal data, and mandatory cessation of data processing for 1-3 months.
☒ criminal penalties from regulators and law enforcement
Individuals will be criminally liable for committing the following privacy-related offenses:
- Infringement upon other persons' privacy or safety of letters, telephone, telegraph or other means of private communications
- Illegally uploading information onto or using information on computer networks and telecommunications networks
- Illegally collecting, possessing, exchanging, trading, or publishing information about bank accounts
Penalties can be in the form of monetary fines of up to VN 1 billion (approx. USD 41,000) or seven years of imprisonment.
In general, criminal liability applies to natural persons and only applies to entities in certain circumstances. Please note that the abovementioned criminal sanctions apply to individuals only.
☒ private remedies
The aggrieved data subject has the right to request a public apology and to claim compensation for any actual and direct damages caused by the illegal processing of their personal data.