Cyber Security in Vietnam

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority? Yes. Using passwords or information of organisations or individuals without their authorisation is prohibited.1 Stealing, using, revealing, transferring or selling information relating to the business secrets of other traders, organisations or individuals, or the personal information of consumers in e-commerce, without the consent of the parties concerned, is unlawful.2 Generally, the collection and publication of information and materials that constitute an individual’s personal information must be consented to by that person. In cases where that person has died, lost his/her capacity or is under 15 years, the consent of his/her family member or representative is required, except for cases where the collection and publication of information and materials are made by the decision of a competent agency or organisation.3 Personal information may be collected, processed, and used without consent in the following cases:

  • Concluding, modifying or performing contracts on the use of information, products or services in the network environment;
  • Calculating charges for use of information, products or services in the network environment;
  • Performing other obligations provided for by law.4

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you find out information about who may have accessed your data without authority and/or how it was used? No. There is no legal mechanism for such purpose. Generally, competent authorities can request that entities provide information and materials if needed.5 In case a data breach is considered a cybercrime, competent authorities are allowed to seek access to or retrieve a copy of data that has been accessed without authority as well as find out the person who accessed the data without authority.6 However, this is not available as a legal mechanism for the data subjects/data owners. Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process? No. There is no specific regulation on this issue. Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information? There is no specific regulation on this issue. If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle? Generally it is possible to suspend, rather than withdraw, the petition for any civil action in Vietnamese courts without prejudice. Is there an obligation in your jurisdiction to hold personal information securely? Yes. Generally, letters, telephones, telegrams, and other forms of electronic information of individuals shall be safely and confidentially guaranteed.7 Organisations and individuals that collect, process and use personal information of other people have to take necessary managerial and technical measures to ensure that personal information shall not be lost, stolen, disclosed, modified or destroyed.8 In transactions with consumers, consumers’ information shall be kept safe and confidential when they participate in transactions or use goods or services, except where competent state agencies require the information.9 In electronic transactions, agencies, organisations and individuals must not use, provide or disclose information on private and personal affairs or information of other agencies, organisations and/or individuals which is accessible by them or under their control in e-transactions without the latter’s consent, unless otherwise provided for by law.13 Agencies, organisations and individuals conducting e-transactions must take necessary measures to ensure smooth operations of information systems under their control. If they cause technical errors to such information systems which cause damage to other agencies, organisations and/or individuals, they shall be handled in accordance with the provisions of the law.10 Specifically, e-commerce data collectors must ensure that personal information which they have collected and stored is safe and secure and must prevent the following acts:

  • Hacking or illegally accessing information;
  • Illegally using information;
  • Illegally altering or destroying information.11

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions? No. Generally, there is no restriction or condition on the transfer of personal or other information from Vietnam to other foreign jurisdictions provided the requisite consent of the data subjects has been obtained. Is there a generally applicable obligation to notify data subjects of a data breach in your Jurisdiction? No. There is no specific obligation to notify data subjects of a data breach in Vietnam. Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction? Yes. Generally, providers and users of internet services and online information are responsible for ensuring information safety and information security within their information system and cooperating with competent authorities, other organisations and individuals in ensuring online information safety and information security.16 Cooperating with competent authorities can be interpreted to include notifying the authorities of a data breach. Are there sector specific mandatory data breach notification obligations in your jurisdiction? Yes. In the e-commerce sector, if an information system is hacked, posing a risk of loss of consumer information, information storing units shall notify the incident to a functional agency within twenty-four hours after detecting it.12


1 Article 5.4 Decree No. 72/2013/ND-CP.

2 Article 4.4.a Decree No. 52/2013/ND-CP.

3 Article 38.2 Civil Code No. 33/2005/QH11 (“Civil Code”).

4 Articles 21.3 Law No. 67/2006/QH11 on Information Technology (“Law on Information Technology”).

5 Article 38.2 Civil Code; Article 14.3 Law No. 47/2010/QH12 on Credit Institutions (“Law on Credit Institutions”).

6 Article 14.1 Decree No. 25/2014/ND-CP.

7 Article 38.3 Civil Code.

8 Article 21.1.c Law on Information Technology.

9 Article 6.1 Law No. 59/2010/QH12 on Protection of Consumers’ Rights (“Law on Protection of Consumers’ Rights” ).

10 Article 46.2 Law No. 51/2005/QH11 on Electronic Transactions (“Law on Electronic Transactions”).

11 Article 44.2 Law on Electronic Transactions.

12 Article 72.1 Decree No. 52/2013/ND-CP.