Published in Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2019


Screenshot 2019-11-27 at 3.03.18 PMBy founding partner Hoang Nguyen Ha Quyen, senior associate Nguyen Duy Thanh and associate Ngo Thi Phuc Tam, LNT & Partners



Thanks to the invention of the internet, enterprises can now use cyberspace as an effective tool to sell goods and provide services. With high internet and smartphone penetration rates, Vietnam — the 15th most populous country in the world — can arguably be called a land of opportunities for domestic and foreign e-commerce companies. As in many other jurisdictions, the laws of Vietnam require enterprises to protect personal data that they collect during the course of online business. However, compliance with this requirement may prove a challenge due to the lack of a single comprehensive legislation which contains all relevant regulations.

This article presents some of the key takeaways that enterprises should be aware of in this area.

Enterprises’ obligations to protect personal data in cyberspace under the laws of Vietnam

Screenshot 2019-11-27 at 10.54.14 AMThe legal framework on protection of personal data is scattered across many legal instruments, among which the Law No. 86/2015/QH13 on Cyber-Information Security (Law on Cyber-Information Security) is considered the general legal document. Other rules could be found in the Law No. 67/2006/QH11 on Information Technology (Law on Information Technology), the Law No. 51/2005/QH11 on E-transactions (Law on E-transactions), Decree 52/2013/ND-CP on E-commerce (Decree 52/2013/ND-CP), the Law No. 59/2010/QH12 on protection of consumers’ rights (Law on protection of consumers’ rights), etc. In addition, the recently promulgated Law No. 24/2018/QH14 on Cyber-security (Law on Cyber-security) also provides for additional obligations for enterprises processing personal data on the internet.

Under the Law on Cyber-Information Security, “personal data” is defined as information associated with the identification of a specific person (Article 3.15) and “processing personal data” means the performance of one or more of the following operations: collecting, editing, utilising, storing, providing, sharing or spreading personal information in cyberspace for commercial purposes (Article 3.17). These are arguably the only legal definitions of the terms, given that they are not clearly defined in any other legal documents.

In general, obligations that enterprises need to pay attention to when “processing personal data” in cyberspace can be summarised as follows:

Screenshot 2019-11-27 at 3.03.35 PM(a) Collecting personal data

All of the above legal instruments state that any enterprise wishing to process personal data in cyberspace shall obtain prior consent of the data owner.1 Each instrument, however, provides for different consent requirements. For instance, the Law on Cyber-Information Security requires that the consent shall include the scope and purposes of personal data collection and usage,2 while the Law on Information Technology asks enterprises to inform the data owners of the form and place of processing data in addition to the content above.3

There are nonetheless exemptions from the prior consent requirement. Under the Law on Information Technology, an enterprise is not required to obtain consent where the collected information is used for the following purposes:4

  • Signing, modifying or performing contracts on the use of information, products or services in the network environment;
  • Pricing [or] calculating charges for use of information, products or services in the network environment;
  • Performing other obligations in accordance with laws.

Furthermore, e-commerce businesses (ie businesses conducting some or all of their commercial activities by electronic means connected to the internet, mobile telecommunications network or other open networks) are not required to obtain data owners’ consent where the collected information is already published on e-commerce websites; or where the information is being collected to conclude or perform sale or purchase contracts, or to calculate prices or charges for use of information, products and services online.5

(b)    Using personal data

Issuing a policy
Personal data shall generally be used in accordance with the scope and purposes identified by the enterprises processing the data when obtaining consent of the data owners, except where the enterprise (i) has an agreement to the contrary with the data owners; (ii) is providing services/goods as requested by the data owners; or (iii) fulfilling other obligations as required by laws.6
Under the Law on Cyber-Information Security, enterprises processing personal data in cyberspace are required to create and issue data security regulations in using information systems. However, currently there is no specific guidance on this legal instrument.

Decree 52/2013/ND-CP provides more detailed guidance on the requirement of building a data security policy, and specifies the mandatory provisions as follows:7

  • Purpose(s) of collecting personal information;
  • Scope of information use;
  • Duration of information storage;
  • Persons or organisations that may access such information;
  • Address of the information collection and management unit, indicating how consumers can ask about the collection and processing of information relevant to them;
  • Method and tools for consumers to access and modify their personal data on the e-commerce system of the information collection unit.

Other legal instruments do not set out any security policy requirement.

In addition to the security policy, enterprises processing personal data shall also apply suitable managing and technical methods to protect the collected data.8

Screenshot 2019-11-27 at 3.03.48 PMSharing with a third party
The Law on Cyber-Information Security, the Law on Information Technology, the Law on E-transactions, the Law on protection of consumers’ rights as well as Decree 52/2013/ND-CP prohibit enterprises from sharing, disclosing or transferring personal data to any third party except with prior approvals of the data owners or otherwise required by laws.9

Rights of the data owners
The data owners are entitled to request the data collecting enterprises to review, update, modify or delete their own data. Such enterprises shall comply with the request of the data owners and accordingly review, update, modify or even delete their information.10

Law on Cyber-security

Along with providing for duties of competent authorities, this set of law also sets out a number of additional obligations for enterprises, the most notable of which are:

•    Storing data in Vietnam
Article 26.3 requires that domestic and foreign providers of services on telecom networks and on the internet and other value added services in cyberspace in Vietnam [cyberspace service providers] which collect, utilise, analyse and process their users’ relationship information shall store data in Vietnam for a period [to be] specified by the government. It is worth noting that the Law on Cyber-security stipulates that the data shall be stored in Vietnam but does not clearly mention the server. Thus, it is arguable that enterprises may place their servers outside of Vietnam.

•    Establishing commercial presence in Vietnam
Remarkably, offshore entities which collect, utilise, analyse and process user data are required to establish a branch or representative office in Vietnam. On a literal interpretation, this requirement would apply to all cyberspace service providers such as Google, Facebook or Sephora, etc and may present operational challenges.

Waiting for the Decree guiding the Law on Cyber-security

Implementation of the above obligations under the Law on Cyber-security awaits further guidance from the government. Such guiding Decree is expected to clarify key issues such as what types of data shall be stored in Vietnam and when, whether the server shall be located in Vietnam, and provides detailed guidance on the requirement that offshore enterprises must establish a commercial presence in Vietnam.

However, in light of the government’s increasingly stringent approach to cyberspace security, from now on any enterprise that processes personal data should stay up-to-date with relevant regulations to ensure compliance with the laws of Vietnam.




  1. Article 17.1 (a) Law on Cyber-Information Security; Article 70.1 Decree 52/2013/ND-CP; Article 21.1 Law on Information Technology; Article 6.2 (a) and (b) Law on protection of consumers’ right
  2. Article 17.1 (a) Law on Cyber-Information Security
  3. Article 21.2 (a) Law on Information Technology
  4. Article 21.3 Law on Information Technology
  5. Article 70.4 Decree 52/2013/ND-CP
  6. Article 17.1 (b) Law on Cyber-Information Security; Article 21.2 (b) Law on Information Technology; Article 71.1 Decree 52/2013/ND-CP
  7. Article 69.1 Decree 52/2013/ND-CP
  8. Article 19.1 Law on Cyber-Information Security; Article 21.2 (c) Law on Information Technology
  9. Article 17.1 (c) Law on Cyber-Information Security; Article 22.2 Law on Information Technology; Article 46.2 Law on E-transaction; Article 70.3 Decree 52/2013/ND-CP; Article 6.2 (dd) Law on protection of consumers’ right
  10. Article 18 Law on Cyber-Information Security; Article 22.1 Law on Information Technology; Article 73 Decree 52/2013/ND-CP; Article 6.2 (d) Law on protection of consumers’ right


Screenshot 2019-11-27 at 2.49.51 PM


Official Publication: Asian-mena CounselClick Here to read the full issue of Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2019.

Related Articles by Firm
Notable changes introduced by the amended Labour Code 2019
The legislation includes changes to holidays, retirement age, labour contracts, trade unions and overtime.
Can backdating be acceptable?
The effective date of a contract under Vietnamese laws.
Development of collaborative economy in Vietnam
New regulation promises a clear and effective regulatory environment for collaborative economy investors.
The challenges of establishing residential housing projects on mixed-use land areas in Vietnam
Grey areas in Vietnam's housing laws may increase financial risks to developers.
Managing the relationship with special managers in Vietnam
Successful cooperation between a special manager and the acquirer requires the involved parties to know, name and manage this relationship ...
The Law on Cybersecurity and its effects on enterprises in Vietnam
Foreign service providers may be affected by a new regulation aimed at improving cybersecurity in the country ...
Understanding “Business Transfer”
When investing in a business in Vietnam, an investor may prefer to cherry-pick a specific part of the business rather than buying the entire company ...
Related Articles
Growth of e-discovery across Asia
The e-discovery landscape across Asia is diverse, but increased adoption was in evidence at the 10th annual Relativity Fest, write Tim Gilkison and Rahul Prakash.
The techlash is coming
For many organisations, artificial intelligence has arrived or will be coming soon, bringing all sorts of new challenges for counsel, especially with respect to cross-border data flows ...
Debunking tech and data myths
Practical ways to tackle laws regarding the collection, use, ownership and deletion of data.
Related Articles by Jurisdiction
Investigative Intelligence
Vietnam: ASEAN’s next emerging market
Remarkable changes in FOREX Rules
On July 17th, 2014 the Government issued Decree No. 70/2014/ND-CP (Decree 70) guiding the implementation of a number of articles of Ordinance No. 28/2005/PL-UBTVQH11 dated December …
Latest Articles
DIFC Workplace Savings Scheme (with effect from 1 February 2020)
The Amendment introduces a new mandatory workplace savings scheme, which replaces the current end-of- service gratuity regime.
New KPPU regulation on merger filings
Simplification yet some clarity is needed.