On May 2, 2024, the Ministry of Justice published the draft Decree on Cybersecurity Administrative Sanctions (the Decree). The Decree regulates administrative violations, forms of sanctions, levels of sanctions, remedial measures for each administrative sanction, and specific fines for each violation under the Law on Cybersecurity No. 24/2018/QH14 (June 12, 2018) (the Cybersecurity Law).

The Decree applies to Vietnamese organizations and individuals and foreign enterprises, branches, or representative offices, among others. More specifically, the Decree outlines sanctions including:

• suspension of the right to use licenses for a period of one to 24 months for licenses including telecommunication, network security products, and social networks;
• expulsion from Vietnamese territory;
• suspension of operations for a period of one to 24 months; and
• temporary suspension of the processing of personal data from one to three months.

Likewise, remedial measures under the Decree include:

• removal or deletion of programs and software;
• deletion or destruction where data has been illegally appropriated, traded, or exchanged;
• deletion or correction of information with content that is false, misleading, or violates the Cybersecurity Law;
• appraisal, assessment, testing, and re-certification of cybersecurity measures; and
• return of IP addresses, domain names, and account numbers.

Fines

The Decree stipulates fines from VND 50 million (approx. $1,975) to VND 70 million (approx. $2,765) for the following violations of personal data protection regulations:

• processing personal data contrary to the law;
• failing to inform data subjects about activities related to the processing of their personal data;
• failing to process personal data in accordance with the stated purpose of processing;
• failing to collect personal data within the stated scope of collection;
• updating or supplementing personal data contrary to the stated purpose of processing;
• failing to provide appropriate protection and security measures during processing, including the absence of measures related to loss, destruction, damage from incidents, and use of technical means; and
• storing personal data beyond the stated purpose.

The Decree also details fines relating to data subject rights, the use of personal data for marketing and advertising, the processing of personal data without consent and conditions of consent, and informing data subjects of the processing of their personal data and updates to processing operations.

Notably, the Decree details fines of up to 5% of organizations' total revenue from the previous fiscal year for:

• the repeated unlawful processing of personal data for marketing and advertising purposes;
• the unlawful purchase or sale of personal data; and
• the failure to submit a Data Protection Impact Assessment (DPIA).

Likewise, the Decree provides for a fine equal to between 3% and 5% of an organization's total revenue from the previous fiscal year for acts revealing, losing, or transferring personal data of over five million Vietnamese citizens.

You can access the legislative page for the Decree here and download the Dossier containing the Decree here, both only available in Vietnamese.