Employee Data Privacy

Vietnam - Data Privacy Laws and Regulations

 Download as a PDF

What laws apply to the collection and use of individuals’ personal information?

Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.


Legislative Framework

Vietnam does not have an overarching data protection law. Instead, laws on the protection of privacy and personal data are derived from the principles found in the Civil Code (No. 91/2015/QH13) and sector-specific laws.

The Vietnamese Government is in the process of drafting a decree on personal data protection which, if it moves forward, will introduce new guidance and requirements in relation to personal data management.


Civil Code

Under Vietnam’s Civil Code (No. 91/2015/QH13), individuals have certain rights relating to their "private life," "personal secrets" and "family secrets." There is no formal definition of these terms under the law, and because of this, authorities can interpret the law broadly to include HR-related information or personal employee data.

Collecting, storing, using and/or publishing information about an individual’s private life, personal secrets or family secrets can only be done with the individual’s consent (Art. 38.1).


Labour Code

Under the Labour Code (No. 45/2019/QH14), certain personal information is required for an individual to enter into an employment contract. Employees must provide employers with their: name, date of birth, gender, home address, level of education level, level of professional skills, health status and other information directly related to the employment contract.

 

Law on Cybersecurity

katie-montgomery-96671

Where data protection laws exist, requirements and the applicability of the law can be vague. One example is Vietnam’s Law on Cybersecurity (No. 24/2018/QH14), which went into effect in January 2019, with some areas having a potential grace period until January 2020. Under the Law, domestic and foreign service providers who use telecommunication networks and the Internet must store certain data in Vietnam for a specified period:

  • users’ personal data;
  • data on the relationships of users; and,
  • data generated by users in Vietnam.


The regulations relating to the Cybersecurity Law have not been finalized and are open to interpretation. There will hopefully be clarity soon, once the Vietnamese Government publishes decrees implementing this new law.


Law on Network Information Security

The Law on Network Information Security (No. 86/2015/QH13) (as amended), includes some personal information rights. Under this Law, personal information is defined as information associated with the identity of a specific person (Art. 3.15). Entities that collect, process and use personal information must obtain the individual’s consent.


Law on Information Technology

The Law on Information Technology (No. 67/2006/QH11) (as amended), requires that entities obtain consent to collect, process and use personal data in a network environment. In addition, the data collector can only use the data for purposes approved by the data subject and, can only store the personal data for a time period approved by law or agreed to by the data subject. Consent is not necessary when:

  • collected to fulfill obligations provided for by other laws;
  • used to sign, perform or modify a contract relating to the use of information, products or services in the networked environment; or,
  • used to calculate charges for use of information, products or services in the networked environment.


Law on Electronic Transactions

Under the Law on Electronic Transactions (No. 51/2005/QH11, Art. 46), a party with control or access to information about an individual’s private life must have the individual’s advanced consent, unless the information is required by law.

_____________________________________

 

There is no overarching data protection authority in Vietnam. Instead, there are sector specific regulators. The Ministry of Information and Communications, the Ministry of National Defense and the Ministry of Public Security are some of the sector specific authorities who are responsible for enforcement.

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk