Vietnam: What are the regulations on the handling of violations on personal data protection and personal data processing in the new draft of the Government?
What are the principles of personal data protection?
According to Article 3 of the Draft Decree on personal data protection of Vietnam, there are 8 protection principles, specifically:
- Legal principle: Personal data is collected only in cases where it is necessary in accordance with the law.
- Principle of purpose: Personal data is only processed in accordance with the registered purpose, stated in the processing of personal information.
- Principle of minimalism: Personal data is collected only to the extent necessary to achieve the defined purpose.
- Principle of limited use: Personal data is only used with the consent of the data subject or with the permission of the competent authority in accordance with the law.
- Principles of data quality: Personal data must be updated and complete to ensure data processing purposes.
- Principles of security: Personal data protection measures are applied during the processing of personal data.
- Personal principles: The data subject is aware of and receives notifications about his/her personal data processing activities.
- Principle of confidentiality: Personal data must be kept confidential during data processing.
Handling of violations on personal data protection and personal data processing
How to handle violations of personal data protection regulations?
According to Article 4 of the Draft Decree on personal data protection of Vietnam, violations of regulations on personal data protection will be handled as follows:
- Agencies and organizations that violate regulations on protection of personal data may, depending on the severity, be administratively sanctioned or penalized, and may be subject to additional penalties as prescribed by law.
- The handling of violations of regulations on protection of personal data is applied to all domestic and foreign organizations, enterprises and individuals that have business activities in Vietnam.
- In addition to the prescribed fine, in case the Personal Data Processor commits multiple violations, with great consequences, a maximum fine of 5% of the Personal Data Processor's total revenue in Vietnam may be imposed.
How to handle administrative violations for violations of regulations on processing personal data?
According to Article 22 of the Draft Decree on protection of personal data of Vietnam, the handling of administrative violations for violations of regulations on processing of personal data is prescribed as follows:
- A fine ranging from VND 50,000,000 to VND 80,000,000 shall be imposed for one of the following acts:
+ Violation of regulations on the rights of data subjects related to the processing of personal data;
+ Violation of regulations on disclosure of personal data;
+ Violation of regulations on restricting access to personal data;
+ Violation of regulations on data subject consent for personal data;
+ Violation of regulations on handling of personal data after the death of the data subject;
+ Violations against regulations on handling personal data without the consent of the data subject;
+ Violation of regulations on notifying data subjects about the processing of personal data;
+ Violations against regulations on processing personal data in service of scientific research or statistics;
+ Violation of regulations on automatic personal data processing;
+ Violation of regulations on handling of children's personal data;
+ Violation of regulations on the accuracy of personal data;
+ Violation of regulations on storage, deletion and destruction of personal data.
- A fine ranging from VND 80,000,000 to VND 100,000,000 shall be imposed for one of the following acts:
+ Failing to apply technical measures and develop regulations on protection of personal data;
+ Violation of regulations on registration of handling of sensitive personal data;
+ Violations against regulations on cross-border transfer of personal data;
+ The second violation for the acts specified in Clause 1 of this Article.
- A maximum fine of 5% of the total revenue of the personal data breach handler in Vietnam for the following acts:
+ The third violation for the acts specified in Clause 1 of this Article;
+ The second violation, for the acts specified at Points a, b, c, Clause 2 of this Article.
- Additional penalties:
+ Suspend the processing of personal data from 01 to 03 months for the violations specified in Clause 2 of this Article;
+ Deprivation of the right to use the written consent to process sensitive personal data and transfer personal data beyond the borders of the territory of Vietnam.
- Remedial measures: Forced repayment of the money obtained from committing the violations specified in Clauses 1 and 2 of this Article.
- The Director of the Department of Cybersecurity and High-Tech Crime Prevention and Control, the Ministry of Public Security has the authority to sanction administrative violations as prescribed in Clauses 1, 2, 3, 4, 5 of this Article.
LawNet