
Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data can be collected, stored and processed only after consent from the data owner is obtained. However, consent is not required where personal information is collected in order to:

  • sign, modify or perform goods and services contracts;
  • calculate prices or charges for the use of information, products and services online; and
  • perform other obligations in accordance with the law.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

No specific limitations or restrictions on the period are set out by law. However, the organisations and individuals collecting, processing and using personal information may retain this information only for a certain period, as agreed by the data owners.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes – if the personal information was collected, edited, used, stored, provided, shared or spread in cyberspace for commercial purposes. Data owners have the right to request the organisations or individuals collecting, processing and using their personal information to provide them access to their personal information.

In other cases, data owners have the right to request the organisations or individuals collecting, processing and using their personal information to check, correct or delete the information, but not to access it directly.

Do individuals have a right to request deletion of their data?

Yes. Data owners also have the right to request the organisations or individuals collecting, processing and using their personal information to update or alter their information or have those organisations stop providing this information to third parties.

Depending on the requested action, the organisations or individuals collecting, processing and using the personal information must:

  • comply with the request and notify the data owner or grant him or her the right to access the information in order to update, alter or delete it;
  • take appropriate measures to protect personal information and notify the data owner if there is a failure to comply with the request due to technical reasons or otherwise;
  • not supply or use relevant personal information until such information has been corrected; and
  • delete stored personal information once the purpose for which it was collected is complete or the storage time has expired, and notify the data owners accordingly.

Consent obligations
Is consent required before processing personal data?

Yes – however, consent is not required when collecting personal information in order to:

  • sign, modify or perform goods and services contracts;
  • calculate prices or charges for the use of information, products and services online; or
  • perform other obligations in accordance with the law.

The laws generally do not require a specific form in which consent must be given. However, the laws require express consent from data owners in relation to e-commerce and marketing activities. Consequently, it is unclear whether consent must be given affirmatively (ie, opt-in) or whether a notice and lack of objection suffices.

If consent is not provided, are there other circumstances in which data processing is permitted?

See above.

What information must be provided to individuals when personal data is collected?

If personal information is to be collected, used or processed in a network environment (eg, telecoms networks, the Internet and computer networks and databases), the data owners must be notified of the form, scope, place and purpose of that collection, use or processing. In addition, both parties must agree on how long the organisation will store or process the information.

Organisations and individuals that process personal information for commercial purposes must develop and publicise the means by which they process and protect the information.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Vietnamese law does not specifically distinguish between the transfer of data inside or outside Vietnam. As such, the rules for the transfer of personal information both inside and outside Vietnam are the same. According to the law, organisations and individuals (if they fall within the scope of applicable law) must refrain from providing or sharing with a third party personal information which they have collected, accessed or controlled, unless they obtain the data owner’s consent or are required to do so by the proper state agencies.

Are there restrictions on the geographic transfer of data?

No. Please see above.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

No specific requirement exists, but consent from the data owner is required.
