Prohibition of the Buying and Selling of Personal Data

Strict supervision over personal data processing activities

According to Deputy Minister of Public Security Lê Quốc Hùng, a prominent feature of the Personal Data Protection Law is the establishment of six principles for personal data protection. Accordingly, the collection and processing of personal data must be limited to the appropriate scope, for specific and clearly defined purposes, and must ensure the accuracy of the data. The protection of personal data must be associated with safeguarding national and ethnic interests, thereby reflecting a balance between individual rights and the public interest.

Data subjects are granted six rights over their personal data, including crucial rights establishing a legal basis for the processing of personal data by relevant organizations and individuals, such as: the right to be informed, the right to consent or not to consent, and the right to withdraw consent.

Additionally, data subjects have the right to access, rectify or request rectification, request provision, erasure, restriction of processing, or to object to the processing of personal data. When their rights are infringed, data subjects are entitled to lodge complaints, denunciations, initiate lawsuits, and claim compensation for damages.

The Law clearly provides for the responsibilities of relevant parties in the process of personal data processing, including: personal data controllers, personal data processors, and entities acting as both controllers and processors of personal data.

The Law also defines state management responsibilities for personal data protection, under which the Government exercises unified state management; the Ministry of Public Security serves as the principal authority; the Ministry of National Defense, other ministries, branches, and provincial-level People’s Committees also bear responsibilities within the scope of their functions and duties. This creates a multi-layered management mechanism, ensuring strict supervision of personal data processing activities nationwide.

Regarding the personal data protection force, apart from the specialized authority on personal data protection under the Ministry of Public Security and organizations and individuals mobilized to participate in personal data protection, the Law requires agencies and organizations that are not exempted to designate a qualified department or personnel responsible for personal data protection, or to hire organizations and individuals providing personal data protection services. At the same time, the Law mandates the Government to provide regulations on the conditions and duties of such departments, personnel, and service providers in personal data protection.

To ensure feasibility and effectively prevent violations of the law on personal data protection, the Law stipulates prohibited acts in close alignment with practical circumstances, ensuring comprehensiveness and focusing on common and serious violations, such as: processing personal data with the intent to oppose the State; abusing personal data protection activities to commit unlawful acts; using another person’s personal data, or permitting others to use one’s own personal data, to commit acts contrary to law; misappropriating, intentionally falsifying, or destroying personal data.

“Notably, the prohibition of the act of buying and selling personal data, except where otherwise provided by law, will create a legal framework to combat crimes that treat personal data as an ordinary commodity to be bought and sold, thereby gravely infringing upon human rights and the lawful rights and interests of individuals and organizations,” Deputy Minister of Public Security emphasized.

Fines up to 10 Times the Illegal Proceeds from Buying and Selling Personal Data

The Law provides for administrative sanctions in the field of personal data protection.

Specifically, for the act of buying and selling personal data, the maximum fine is 10 times the illegal proceeds obtained from the violation. Where there are no illegal proceeds, or where the fine calculated on the basis of illegal proceeds is less than VND 3 billion, the maximum fine of VND 3 billion will apply. The Government will provide regulations on the method for calculating illegal proceeds obtained from violations of the law on personal data protection.

For violations of regulations on cross-border transfers of personal data, the maximum fine is 5% of the turnover of the preceding year of the organization concerned. Where there is no turnover in the preceding year, or where the fine calculated based on turnover is less than VND 3 billion, the maximum fine of VND 3 billion will apply.

For other violations, the maximum fine is VND 3 billion for organizations. The fine applicable to individuals is one-half of the fine applicable to organizations for each corresponding violation.

Recognizing the importance of personal data protection in specific and critical sectors, the Law contains detailed provisions regulating personal data protection during processing in such contexts as: recruitment, management, and use of employees; advertising services; social networking platforms, online media services; big data processing, artificial intelligence, blockchain, metaverse, cloud computing; financial, banking, and credit information activities; insurance business; audio and video recording in public places.

The Law also designates as conditional business lines the business of personal data processing services, and assigns the Government the responsibility to provide detailed regulations to strictly manage this business sector of large-scale and sensitive data processing.

For the personal data of children, persons who have lost or have limited legal capacity, and persons with cognitive or behavioral difficulties, the Law provides specific and stringent provisions to safeguard the personal data of these vulnerable groups.

For location data and biometric data, the Law requires stringent security measures, restricted access rights, and notification mechanisms to the data subject in the event of harm.

A noteworthy new point of the Law is that organizations and individuals conducting cross-border transfers of personal data must prepare a cross-border personal data transfer impact assessment dossier and submit it to the specialized personal data protection authority within 60 days from the date of transfer.

Deputy Minister of Public Security Lê Quốc Hùng stated: “The aforementioned provision both enables the specialized authority to manage the cross-border transfer of Vietnamese citizens’ personal data and creates a flexible mechanism for enterprises, as it does not require prior licensing or censorship before the transfer of personal data across borders.”

Similarly, the Law specifies that organizations and individuals must prepare a personal data processing impact assessment dossier to control risks during personal data processing. However, to facilitate enterprises, the Law exempts such obligations for small businesses, startups, household businesses, and micro-enterprises, except where they engage in personal data processing services, directly process sensitive data, or process data of a large number of data subjects.

The Law will enter into force on January 1, 2026.