Published in Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2019


Screenshot 2019-11-27 at 3.03.18 PMBy founding partner Hoang Nguyen Ha Quyen, senior associate Nguyen Duy Thanh and associate Ngo Thi Phuc Tam, LNT & Partners



Thanks to the invention of the internet, enterprises can now use cyberspace as an effective tool to sell goods and provide services. With high internet and smartphone penetration rates, Vietnam — the 15th most populous country in the world — can arguably be called a land of opportunities for domestic and foreign e-commerce companies. As in many other jurisdictions, the laws of Vietnam require enterprises to protect personal data that they collect during the course of online business. However, compliance with this requirement may prove a challenge due to the lack of a single comprehensive legislation which contains all relevant regulations.

This article presents some of the key takeaways that enterprises should be aware of in this area.

Enterprises’ obligations to protect personal data in cyberspace under the laws of Vietnam

Screenshot 2019-11-27 at 10.54.14 AMThe legal framework on protection of personal data is scattered across many legal instruments, among which the Law No. 86/2015/QH13 on Cyber-Information Security (Law on Cyber-Information Security) is considered the general legal document. Other rules could be found in the Law No. 67/2006/QH11 on Information Technology (Law on Information Technology), the Law No. 51/2005/QH11 on E-transactions (Law on E-transactions), Decree 52/2013/ND-CP on E-commerce (Decree 52/2013/ND-CP), the Law No. 59/2010/QH12 on protection of consumers’ rights (Law on protection of consumers’ rights), etc. In addition, the recently promulgated Law No. 24/2018/QH14 on Cyber-security (Law on Cyber-security) also provides for additional obligations for enterprises processing personal data on the internet.

Under the Law on Cyber-Information Security, “personal data” is defined as information associated with the identification of a specific person (Article 3.15) and “processing personal data” means the performance of one or more of the following operations: collecting, editing, utilising, storing, providing, sharing or spreading personal information in cyberspace for commercial purposes (Article 3.17). These are arguably the only legal definitions of the terms, given that they are not clearly defined in any other legal documents.

In general, obligations that enterprises need to pay attention to when “processing personal data” in cyberspace can be summarised as follows:

Screenshot 2019-11-27 at 3.03.35 PM(a) Collecting personal data

All of the above legal instruments state that any enterprise wishing to process personal data in cyberspace shall obtain prior consent of the data owner.1 Each instrument, however, provides for different consent requirements. For instance, the Law on Cyber-Information Security requires that the consent shall include the scope and purposes of personal data collection and usage,2 while the Law on Information Technology asks enterprises to inform the data owners of the form and place of processing data in addition to the content above.3

There are nonetheless exemptions from the prior consent requirement. Under the Law on Information Technology, an enterprise is not required to obtain consent where the collected information is used for the following purposes:4

  • Signing, modifying or performing contracts on the use of information, products or services in the network environment;
  • Pricing [or] calculating charges for use of information, products or services in the network environment;
  • Performing other obligations in accordance with laws.

Furthermore, e-commerce businesses (ie businesses conducting some or all of their commercial activities by electronic means connected to the internet, mobile telecommunications network or other open networks) are not required to obtain data owners’ consent where the collected information is already published on e-commerce websites; or where the information is being collected to conclude or perform sale or purchase contracts, or to calculate prices or charges for use of information, products and services online.5

(b)    Using personal data

Issuing a policy
Personal data shall generally be used in accordance with the scope and purposes identified by the enterprises processing the data when obtaining consent of the data owners, except where the enterprise (i) has an agreement to the contrary with the data owners; (ii) is providing services/goods as requested by the data owners; or (iii) fulfilling other obligations as required by laws.6
Under the Law on Cyber-Information Security, enterprises processing personal data in cyberspace are required to create and issue data security regulations in using information systems. However, currently there is no specific guidance on this legal instrument.

Decree 52/2013/ND-CP provides more detailed guidance on the requirement of building a data security policy, and specifies the mandatory provisions as follows:7

  • Purpose(s) of collecting personal information;
  • Scope of information use;
  • Duration of information storage;
  • Persons or organisations that may access such information;
  • Address of the information collection and management unit, indicating how consumers can ask about the collection and processing of information relevant to them;
  • Method and tools for consumers to access and modify their personal data on the e-commerce system of the information collection unit.

Other legal instruments do not set out any security policy requirement.

In addition to the security policy, enterprises processing personal data shall also apply suitable managing and technical methods to protect the collected data.8

Screenshot 2019-11-27 at 3.03.48 PMSharing with a third party
The Law on Cyber-Information Security, the Law on Information Technology, the Law on E-transactions, the Law on protection of consumers’ rights as well as Decree 52/2013/ND-CP prohibit enterprises from sharing, disclosing or transferring personal data to any third party except with prior approvals of the data owners or otherwise required by laws.9

Rights of the data owners
The data owners are entitled to request the data collecting enterprises to review, update, modify or delete their own data. Such enterprises shall comply with the request of the data owners and accordingly review, update, modify or even delete their information.10

Law on Cyber-security

Along with providing for duties of competent authorities, this set of law also sets out a number of additional obligations for enterprises, the most notable of which are:

•    Storing data in Vietnam
Article 26.3 requires that domestic and foreign providers of services on telecom networks and on the internet and other value added services in cyberspace in Vietnam [cyberspace service providers] which collect, utilise, analyse and process their users’ relationship information shall store data in Vietnam for a period [to be] specified by the government. It is worth noting that the Law on Cyber-security stipulates that the data shall be stored in Vietnam but does not clearly mention the server. Thus, it is arguable that enterprises may place their servers outside of Vietnam.

•    Establishing commercial presence in Vietnam
Remarkably, offshore entities which collect, utilise, analyse and process user data are required to establish a branch or representative office in Vietnam. On a literal interpretation, this requirement would apply to all cyberspace service providers such as Google, Facebook or Sephora, etc and may present operational challenges.

Waiting for the Decree guiding the Law on Cyber-security

Implementation of the above obligations under the Law on Cyber-security awaits further guidance from the government. Such guiding Decree is expected to clarify key issues such as what types of data shall be stored in Vietnam and when, whether the server shall be located in Vietnam, and provides detailed guidance on the requirement that offshore enterprises must establish a commercial presence in Vietnam.

However, in light of the government’s increasingly stringent approach to cyberspace security, from now on any enterprise that processes personal data should stay up-to-date with relevant regulations to ensure compliance with the laws of Vietnam.




  1. Article 17.1 (a) Law on Cyber-Information Security; Article 70.1 Decree 52/2013/ND-CP; Article 21.1 Law on Information Technology; Article 6.2 (a) and (b) Law on protection of consumers’ right
  2. Article 17.1 (a) Law on Cyber-Information Security
  3. Article 21.2 (a) Law on Information Technology
  4. Article 21.3 Law on Information Technology
  5. Article 70.4 Decree 52/2013/ND-CP
  6. Article 17.1 (b) Law on Cyber-Information Security; Article 21.2 (b) Law on Information Technology; Article 71.1 Decree 52/2013/ND-CP
  7. Article 69.1 Decree 52/2013/ND-CP
  8. Article 19.1 Law on Cyber-Information Security; Article 21.2 (c) Law on Information Technology
  9. Article 17.1 (c) Law on Cyber-Information Security; Article 22.2 Law on Information Technology; Article 46.2 Law on E-transaction; Article 70.3 Decree 52/2013/ND-CP; Article 6.2 (dd) Law on protection of consumers’ right
  10. Article 18 Law on Cyber-Information Security; Article 22.1 Law on Information Technology; Article 73 Decree 52/2013/ND-CP; Article 6.2 (d) Law on protection of consumers’ right


Screenshot 2019-11-27 at 2.49.51 PM


Official Publication: Asian-mena CounselClick Here to read the full issue of Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2019.

Related Articles by Firm
Notable changes introduced by the amended Labour Code 2019
The legislation includes changes to holidays, retirement age, labour contracts, trade unions and overtime.
Can backdating be acceptable?
The effective date of a contract under Vietnamese laws.
Development of collaborative economy in Vietnam
New regulation promises a clear and effective regulatory environment for collaborative economy investors.
The challenges of establishing residential housing projects on mixed-use land areas in Vietnam
Grey areas in Vietnam's housing laws may increase financial risks to developers.
Managing the relationship with special managers in Vietnam
Successful cooperation between a special manager and the acquirer requires the involved parties to know, name and manage this relationship ...
The Law on Cybersecurity and its effects on enterprises in Vietnam
Foreign service providers may be affected by a new regulation aimed at improving cybersecurity in the country ...
Understanding “Business Transfer”
When investing in a business in Vietnam, an investor may prefer to cherry-pick a specific part of the business rather than buying the entire company ...
Related Articles
PPP projects in Thailand’s EEC
Thailand will continue to aggressively move forward with legislation that streamlines implementation of important PPP projects. This legislative trend presents new opportunities for foreign and local investors alike, with a focus particularly in Thailand’s infrastructure sector ...
Outlook on Indonesian renewable energy sector in 2020
Indonesia’s presidential election in 2019 ended uncertainty surrounding doing business in Indonesia. It was hoped that the investment inflow would be boosted by the introduction of numerous innovative regulations by the new government ...
Wind, power and Vietnam
Although Vietnam has long had favorable wind patterns and supporting geography, the serious development of wind power has only recently begun. The industry holds great promise ...
Related Articles by Jurisdiction
E-commerce in Vietnam
Vietnam has been ranked 15th for Internet users internationally, however only 20 percent of those users in Hanoi and Ho Chi Minh City use the internet for online shopping1. The Vietnam E-Commerce and …
New list of state-owned enterprises to be equitised by the end of 2020
The new list includes several major SOEs, such as Agribank, Vinacomin and VNPT.
New decree on enterprise registration
On November 26, 2014 the National Assembly of Vietnam adopted a new law on enterprise (2014 Enterprise Law) which takes ...
Latest Articles
Sigrid Wettwer
We speak to the head of group legal for the Middle East & Asia Pacific at DNV GL, the world’s largest classification society, about change, technology and running a lean and efficient legal organisation ...
Compliance with official measures to combat Covid-19 made mandatory
Significant responsibility for ensuring compliance with directives to stop the spread of Covid-19 has been delegated to the law enforcement authorities of the UAE.