Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
Vietnamese law does not require notification to data protection authorities or data subjects in the event of a personal data breach.
The Law on Network Information Security (No. 86/2015/QH13, Art. 19.2) contains a general requirement that entities (such as employers) take steps to remedy and stop “cyber information” security incidents (and potential incidents) as soon as possible.
HR Best Practices: Employers should develop and implement a “cyber information” security incident response plan to protect employee, job applicant and other personal HR data.
The Vietnamese government is drafting a decree on personal data protection (the Draft PDP Decree). In the current version of the draft, individuals and organizations would be responsible for promptly notifying the PDP Committee of any breaches relating to personal data protection.