What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
Vietnam does not have an overarching data protection law. Instead, laws on the protection of privacy and personal data are derived from the principles found in the Civil Code (No. 91/2015/QH13) and sector-specific laws.
The Vietnamese Government is in the process of drafting a decree on personal data protection which, if it moves forward, will introduce new guidance and requirements in relation to personal data management.
Under Vietnam’s Civil Code (No. 91/2015/QH13), individuals have certain rights relating to their "private life," "personal secrets" and "family secrets." There is no formal definition of these terms under the law, and because of this, authorities can interpret the law broadly to include HR-related information or personal employee data.
Collecting, storing, using and/or publishing information about an individual’s private life, personal secrets or family secrets can only be done with the individual’s consent (Art. 38.1).
Under the Labour Code (No. 45/2019/QH14), certain personal information is required for an individual to enter into an employment contract. Employees must provide employers with their: name, date of birth, gender, home address, level of education level, level of professional skills, health status and other information directly related to the employment contract.
Law on Cybersecurity
Where data protection laws exist, requirements and the applicability of the law can be vague. One example is Vietnam’s Law on Cybersecurity (No. 24/2018/QH14), which went into effect in January 2019, with some areas having a potential grace period until January 2020. Under the Law, domestic and foreign service providers who use telecommunication networks and the Internet must store certain data in Vietnam for a specified period:
- users’ personal data;
- data on the relationships of users; and,
- data generated by users in Vietnam.
The regulations relating to the Cybersecurity Law have not been finalized and are open to interpretation. There will hopefully be clarity soon, once the Vietnamese Government publishes decrees implementing this new law.
Law on Network Information Security
The Law on Network Information Security (No. 86/2015/QH13) (as amended), includes some personal information rights. Under this Law, personal information is defined as information associated with the identity of a specific person (Art. 3.15). Entities that collect, process and use personal information must obtain the individual’s consent.
Law on Information Technology
The Law on Information Technology (No. 67/2006/QH11) (as amended), requires that entities obtain consent to collect, process and use personal data in a network environment. In addition, the data collector can only use the data for purposes approved by the data subject and, can only store the personal data for a time period approved by law or agreed to by the data subject. Consent is not necessary when:
- collected to fulfill obligations provided for by other laws;
- used to sign, perform or modify a contract relating to the use of information, products or services in the networked environment; or,
- used to calculate charges for use of information, products or services in the networked environment.
Law on Electronic Transactions
Under the Law on Electronic Transactions (No. 51/2005/QH11, Art. 46), a party with control or access to information about an individual’s private life must have the individual’s advanced consent, unless the information is required by law.
There is no overarching data protection authority in Vietnam. Instead, there are sector specific regulators. The Ministry of Information and Communications, the Ministry of National Defense and the Ministry of Public Security are some of the sector specific authorities who are responsible for enforcement.