General | Data Protection Laws


National Legislation

    General data protection laws

    The most comprehensive legal framework on data protection is the Law on Cyber Information Security (Law No. 86/2015/QH13) (the "LCIS").

    Other relevant provisions can be found in the Constitution, the Civil Code (Law No. 33/2005/QH11), the Law on Protection of Consumers’ Rights (Law No. 59/2010/QH12), the Law on E-Commerce (Law No. 51/2005/QH11), the Law on Information Technology (Law No. 67/2006/QH11), the Law on Insurance Business (Law No. 24/2000/QH11 as amended by Law No. 61/2010/QH12), and the Law on Credit Institutions (Law No. 47/2010/QH12).

    Primary legislation tends to be generally drafted leaving its precise application open to interpretation. This interpretation is sometimes clarified by detailed regulations, but not in all cases. Therefore, application of the law to a particular set of facts is not always clear.

    Entry into force

    The LCIS came into effect recently, in July 2016. Other laws referred to above came into effect on a number of different dates.

    National Regulatory Authority

Details of the competent national regulatory authority

Not applicable.

Notification or registration scheme and timing

    There is no notification or registration scheme for the collection, use or disclosure of personal data.


    Not applicable.

    Appointment of a data protection officer

    There is no legal requirement to appoint a data protection officer.

    Personal Data

    What is personal data?

    The LCIS defines “personal data” as information associated with the identification of a specific person. Other laws related to personal data also have their own definitions, which resemble the definition in the LCIS. Personal data also includes personal secrets (see below).

    Is information about legal entities personal data?

    No. However, if information about legal entities includes information that meets the definition of personal data, for example, information about employees, the information is considered personal data.  

    What are the rules for processing personal data?

    Under the LCIS organisations and individuals processing personal data: (i) must only collect personal data after obtaining the consent of the data subject on the scope and purpose of the collection and use of such information; (ii) must obtain the consent of the data subject to use the collected personal information for anything other than the initial purposes; and (iii) must not disclose personal information they have collected, accessed or controlled to a third party, unless they obtain the consent of the data subject or at the request of authorised state bodies. Similar provisions can be found in other laws referred to above.

    The Law on Information Technology sets out other conditions in which personal data can be processed without the consent of the data subject. However, it is likely to have been superseded by the LCIS in this respect and those conditions are no longer likely to apply.

    Are there any formalities to obtain consent to process personal data?

    There are no specific formalities to obtain consent from the data subject.

    Sensitive Personal Data

    What is sensitive personal data?

    Sensitive personal data is not defined as such under Vietnamese law. However, Vietnamese law does contain the concept of personal secrets being medical records, tax payment dossiers, social insurance card numbers, credit card numbers and other information defined by law.

    Are there additional rules for processing sensitive personal data?

    There is some additional protection for personal secrets. For example, state agencies holding personal secrets must protect that information and only supply or share it with competent third parties in cases specified by law. Vietnamese law also provides additional protection for medical records.

    Are there any formalities to obtain consent to process sensitive personal data?


Scope of Application 

    What is the territorial scope of application?

    All the Vietnamese laws apply to activities conducted partly or wholly in the territory of Vietnam.

    Who is subject to data protection legislation?

General principles relating to the protection of personal data apply to individuals, companies and state bodies.

Are both manual and electronic records subject to data protection legislation?

The LCIS only applies to information processed over telecommunications and computer networks.

The other laws discussed above do not make any specific distinction between manual and electronic records.


Under the Civil Code, if personal data rights are infringed, the data subject is entitled to demand or request a competent body or person to compel the infringing party to compensate the data subject.

Fair processing information

Under the LCIS, an organisation must notify the person whose data are processed of the scope and purpose of the collection and use of his or her personal data. As a result, if there is a request by the data subject for information about the use of data for the purposes of the data subject providing consent to the collection of the data, the person collecting the data is required to provide this information.

Rights to access information

Data subjects can request that personal information-processing organisations and individuals provide them with their personal information.

Objection to direct marketing

The consent of the data subject is required in order to use personal data for the purposes of direct marketing.

Other rights

Under the LCIS, where the data subject requests the data-processing organisations and individuals to update, amend, or delete their personal information, or stop providing their personal information to a third party, the data-processing organisations and individuals must (i) comply with the request and either notify the data subject or allow them to alter or delete their information; and (ii) take appropriate measures to protect such personal information or notify the data subject in case their request cannot be fulfilled because of technical or other reasons. The data-processing organisations and individuals must delete the stored personal information when the purpose of its use has been accomplished or the storage time has expired and notify the data subject, unless otherwise prescribed by law. Similar provisions can be found in other laws referred to above.

Security requirements in order to protect personal data

Under the LCIS, organisations and individuals processing personal information must take appropriate managerial or technical measures to protect such information, and observe applicable technical regulations and standards.

In addition, information systems are classified into five security levels according to their function and the level of confidentiality of the information they process, for the purpose of applying corresponding managerial and technical measures to protect these information systems.

Further, an organisation administering an information system must: (i) determine the security level of the system; (ii) assess and manage the security risks posed to the system; (iii) supervise, speed up and examine the protection of the system; (iv) comply with the reporting regime; (v) conduct public information for raising awareness of cyber information security; (vi) adopt measures to protect the system, including managerial and technical measures in accordance with applicable technical standards and regulations; and (vii) supervise the security of the system.

Specific rules governing processing by third party agents (processors)

There are no specific rules governing processing of personal data by a third party agent.

Notice of breach laws

There are no specific requirements to inform a regulator and/or data subjects of data security breaches.

    Transfer of Personal Data to Third Countries 

    Restrictions on transfers to third countries

    There are no specific restrictions on the transfer of personal data to third countries. Vietnamese laws only cover cross-border transfer of public information.

    Notification and approval of national regulator (including notification of use of Model Contracts)

    There is no national privacy regulator in Vietnam.

    Use of binding corporate rules

    There is no ability to use binding corporate rules in respect of transfers to third countries.



    Infringement of privacy laws may lead to the following administrative fines or criminal penalties: (i) administrative fines of between USD 250 and 500 for using personal data without the consent of the service user (applied to legal entities providing social network services); (ii) administrative fines of between USD 500 and 1,000 for publishing personal secrets or other personal data without the consent of the data subject, failing to keep necessary management and technical measures to ensure the safety of personal data of other persons or supplying personal data of other persons to a third party in a network environment; and (iii) criminal penalties of up to two years’ imprisonment for infringement of other persons’ rights to privacy or other circumstances arising in relation to the access or interception of communications (mail, telephone and/or telegraphic communications) without the consent of the data subject.

    Consumers' personal data in e-commerce activities is also protected by administrative fines including: (i) administrative fines of USD 250 and 500 for developing policies to protect personal data which are not compatible with regulations, not showing consumers the policies for personal data protection before or at the time of collecting such data, or failing to check, update, amend or cancel personal information when requested by the subject of information to do so; (ii) administrative fines of between USD 500 and 1,000 for failing to set up a mechanism for receiving and resolving complaints from consumers or not implementing policies to ensure safety and security for the collection and use of personal data of consumers; and (iii) administrative fines of between USD 1,000 and 1,400 for collecting personal data of consumers without the consent of the data subject, setting up a default mechanism to force consumers to agree that their personal data be shared, disclosed or used for the purposes of advertising and other commercial purposes, or using the personal information of consumers in a manner inconsistent with the notified purpose and scope.

    Besides monetary fines, e-commerce activities may be suspended for 6 to 12 months for the repeated violation of point (iii). In addition, administrative fines of between USD 1,400 and 2,000 may be applied for stealing, using, revealing, transferring or selling information relating to trade secrets of other business persons or personal data of customers in e-commerce activities without consent from related parties.


    There have been some cases of regulators imposing administrative fines for breaches of personal privacy, mostly in a network environment. However, privacy laws are not regularly enforced. There is no exact statistic on the number of enforcement actions taken in the last 12 months and the majority of enforcement actions are not publicly disclosed.

    Although the leaking of personal data is a common situation in Vietnam, there have not been any recorded enforcement actions in relation to such leaking. Many people find their personal data, often phone numbers, leaked after they provide such information to service providers for their records. The numbers are then used to send messages or make phone calls to market products or services. 

    Enforcement authority

    The regulator with jurisdiction over the applicable regulation is responsible for enforcing breaches of that regulation.  Courts have authority to enforce civil or criminal sanctions.

ePrivacy |  Marketing and cookies


    National Legislation

    ePrivacy laws

    There is no specific ePrivacy law in Vietnam. However, the LCIS, the Law on Information Technology and Law on Electronic Transactions contain some provisions that address ePrivacy issues.


    Conditions for use of cookies

    The use of cookies is not specifically regulated under Vietnamese law. However, personal data collected via the use of cookies is subject to Vietnamese privacy laws in the same manner as other personal data. 

    Regulatory guidance on the use of cookies

    Not applicable.

    Marketing by E-mail

    Conditions for direct marketing by e-mail to individual subscribers

    Decree 90 dated 13 August 2008 on Anti-Spam as amended (“Decree 90”) requires that any service provider sending advertising emails must satisfy all the following conditions: (i) the service provider must have a website using the "dot vn" domain name and a server for sending advertising emails which is set up in Vietnam; (ii) the service provider must have a system for the receipt and processing of opt-out requests; and (iii) the service provider must have been issued with a management code number by the Ministry of Information and Communications.

    The following conditions must also be satisfied upon sending advertising emails to individual subscribers: (i) advertising emails must be sent only after obtaining the prior express consent of recipients; (ii) advertising emails must not be sent after receiving opt-out requests from recipients; (iii) advertising emails must only be sent from electronic addresses and systems which conform with regulations of the Ministry of Information and Communications; (iv) when sending advertising emails, a copy must be concurrently sent to the technical system of the Ministry of Information and Communications; (v) no more than three advertising messages may be sent to an email address within 24 hours, unless otherwise agreed upon with recipients; and (vi) advertising contents must comply with the advertising law.

    Conditions for direct marketing by e-mail to corporate subscribers

    The rules are the same as for individual subscribers.

    Exemptions and other issues

    Decree 90 provides for other requirements. In particular, advertising service providers and advertisers must provide information such as name, telephone, email address, geographical address, and website (if any). This information must be expressly set out in the email and must be provided immediately before the select function permitting the recipient to opt out of email marketing.

    Where necessary, an opt-out mechanism must be provided by the advertising service provider so that the recipient can opt out of marketing relating to one product or a group of products. The opt-out mechanism may be provided by way of a website, email or telephone. Upon receiving an opt-out request, the advertiser or advertising service provider must immediately send confirmation of its receipt of the opt-out request and stop sending the applicable type of opt-out advertising emails to the recipient.

    Marketing emails must be marked as commercial in their subject field. If the emails come from advertising service providers, this must be accompanied by the management code number of the sender of the email.

    Marketing by Telephone

    Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

    There are no regulations that govern direct marketing to individuals by telephone. However, direct marketing by text message to telephone subscribers is subject to the same conditions as email marketing referred to above. In addition, sending marketing text messages is only allowed between the hours of 07.00 and 22.00, unless otherwise agreed by the recipients.

    Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

    The rules are the same as for individual subscribers. 

    Exemptions and other issues

    Not applicable.

    Marketing by Fax

    Conditions for direct marketing by fax to individual subscribers

    There are no regulations that specifically govern direct marketing to individuals by fax. While the position is not entirely certain, it is possible that the obligations relating to direct marketing by text messages may apply to direct marketing by fax. However, this position has not yet been considered by any regulator or court. 

    Conditions for direct marketing by fax to corporate subscribers

    The rules are the same as for individual subscribers. 

    Exemptions and other issues

    Not applicable. 



Contact Details

Bill Magennis, Vinh Dang & Ngoc Anh Tran


Tel: +(84) 903 404 440
     +(84) 904 125 285
     +(84) 943 898 151

Fax: +(84) 4 3 9360 984

Suite 401
49 Hai Ba Trung
Hanoi Towers
