Data Protected - Vietnam

Data privacy regulations are set out in number of different legal instruments. The most important is the Decree on Personal Data Protection ( Decree No.13/2023/ND-CP ) (the “PDPD”) which specifically regulates personal data protection.

However, there are a number of other important instruments, including the Law on Cyber Information Security ( Law No. 86/2015/QH13 ) (the “LCIS”) – which regulates cyberinformation security activities – and the Law on Cyber Security (Law No.24/2018/QH14) (the "LCS") – which regulates the protection of national security and public order in cyberspace .

Other relevant provisions can be found in the Constitution No. 18/2013/L-CTN, the Civil Code (Law No. 91/2015/QH13), the Penal Code (Law No.100/2015/QH13), the Law on Protection of Consumers’ Rights No. (Law No. 19/2023/QH15, which applies from 1 July 2024 ), the Law on Electronic Transactions (No. 20/2023/QH15, which applies from 1 July 2024 ), the Law on Information Technology (Law No. 67/2006/QH11), the Law on Judicial Records (Law No. 28/2009/QH12), the Law on Insurance Business (Law No. 08/2022/QH15), the Law on Medical Examination and Treatment (Law No. 15/2023/QH15 ), the Law on Telecommunications No. (24/2023/QH15,which applies from 1 July 2024 ), the Law on Credit Institutions (No. 32/2024/QH15 which applies from 1 July 2024) , the Law on Pharmacy (Law No. 105/2016/QH13), the Law on Statistics (Law No. 89/2015/QH13), the Law on Children (Law No. 102/2016/QH13), the Law on Technology Transfer (Law No. 07/2017/QH14), and the Law on Protection of State Secrets (Law No. 29/2018/QH14).

Primary legislation tends to be generally drafted leaving its precise application open to interpretation. This interpretation is sometimes clarified by detailed regulations, but not in all cases. Therefore, application of the law to a particular set of facts is not always clear.

Currently, the Ministry of Public Security is drafting a decree on administrative penalties in the cyberspace sector (“Penalties Decree”) to complete the data privacy legal framework .

Entry into force

The LCIS came into effect on 1 July 2016. The LCS came into effect on 1 January 2019. The PDPD came into effect on 1 July 2023. Other laws referred to above came into effect on a number of different dates .

National Supervisory Authority

Details of the competent national supervisory authority

Under the PDPD, the Department of Cybersecurity and Prevention of Hi-tech Crimes (the "A05") under the Ministry of Public Security is the key authority which assumes the prime responsibilities for data privacy regulation. It will coordinate with the Ministry of Information and Communications, Ministry of National Defence and other related ministries.

Department of Cybersecurity and Prevention of Hi-tech Crimes
207 Khuat Duy Tien Street
Nhan Chinh Ward
Thanh Xuan District
Hanoi
Vietnam

Ministry of Public Security
44 Yet Kieu Street
Cua Nam Ward
Hoan Kiem District
Hanoi
Vietnam

Ministry of Information and Communications
18 Nguyen Du Street
Hang Bai Ward
Hoan Kiem District
Hanoi
Vietnam

Notification or registration scheme and timing

There is no general notification obligation. However, there are various trigger events that will require notification and registration, namely: (i) general personal data processing; (ii) overseas transfer and processing of personal data; (iii) the notification of a breach of personal data; and (iv) notification of the appointment of a data protection officer. These are all discussed in more detail later on in this summary.

In addition to the above, there are other notification requirements, e.g. notification obligations to data subjects .

Exemptions to notification

Scope of Application

What is the territorial scope of application?

In principle, Vietnamese laws apply to activities conducted partly or wholly in the territory of Vietnam.

However, the scope of application of some laws may extend beyond Vietnam. Particularly, the PDPD may have extraterritorial jurisdictions as it broadly captures: (i) Vietnamese organisations and individuals, including those operating overseas; and (ii) foreign organisations and individuals in Vietnam, or participating in or relating to personal data processing activities in Vietnam.

The LCIS applies to, among others, foreign organizations and individuals directly involved in or related to cyberinformation security activities in Vietnam. If an organization or individual conducts the cyberinformation security activities outside the territory of Vietnam but the consequence occurs in Vietnam, they may still be subject to the law.

The LCS contains data localisation requirement where users' data in certain services must be stored in Vietnam as further discussed below.

Is there a concept of a controller and a processor?

Under the PDPD, a "Data Controller" means the organisation or individual that decides the purpose of, and means for, personal data processing.

A "Data Processor" means the organisation or individual that processes data on behalf of the Data Controller on a contractual basis.

The PDPD also provides for a "Data Controller-Processor" which is the organisation or individual that carries out the activities of both a Data Controller and a Data Processor, and has their corresponding obligations in the relevant capacity.

There is also a definition of “Third Party”, being the entity other than the data subject , Data Controller, Data Processor, and Data Controller-Processor, that is permitted to process personal data.

Other laws related to personal data also have their own definitions, which most commonly refers to “Processing Organisations”, being entities processing personal data.

Are both manual and electronic records subject to data protection legislation?

The other laws discussed above do not make any specific distinction between manual and electronic records. Therefore, both records would be subject to the same data protection regulation.

Are there any national derogations?

Personal Data

What is personal data?

Personal data is defined by the PDPD as information (in the form of symbols, texts, numbers, images, sounds or similar form in an electronic environment) which: (i) is attached to a specific individual; or (ii) is derived from personal activities and helps identify a specific individual when combined with other data and information.

Personal data is further classified into "basic personal data" and "sensitive personal data". The PDPD includes non-exhaustive and descriptive lists of basic personal data and sensitive personal data.

Basic personal data includes: (i) surname, middle name and first name on birth record, other name (if any); (ii) date, month and year of birth; date, month and year of death or official disappearance; (iii) gender; (iv) place of birth, place of birth registration; permanent residence address; temporary residence address; current address; hometown; contact address; (v) nationality; (vi) personal image; (vii); phone number, identification number; passport number; driver license number; vehicle plate number; personal tax number; social insurance number; medical insurance number; (viii) marriage condition; (ix) family relationship (parents, children); (x) personal digital account information; personal data reflecting activities and history of activities in cyberspace; and (xi) other personal data (that is not sensitive personal data).

Certain definitions of “personal information” can also be found in alternate laws which is broadly in line with the PDPD. In other legal instruments, personal data also includes personal secrets and the concept of personal privacy (see below) .

Is information about legal entities personal data?

No. However, if information about legal entities includes information that meets the definition of personal data, for example, information about employees, the information is considered personal data.

What are the rules for processing personal data?

The PDPD captures a wide range of data processing activities. Personal data processing is defined as one or more activities that impact personal data, such as collection, recording, analysing, confirmation, storage, modification, publication, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, termination of personal data or other relevant activities.

Under the PDPD, consent remains the key (but not the only) basis for processing personal data, and is subject to various stringent rules in order to be valid (see below).

Personal data can be processed without consent of the data subject based on one of the following grounds: (i) in an emergency situation to protect the life and health of the data subject ; (ii) disclosure of personal data in accordance with the law; (iii) processing by competent government authorities in a state of emergency concerning national defence, national security, social order and safety, major disasters or dangerous epidemics; or if there is a threat to security and national defence but not to the extent of declaring a state of emergency; or to prevent riots and terrorism, crimes and law violations in accordance with the law; (iv) processing to fulfil obligations pursuant to contract of the data subjects with the relevant organisations and individuals in accordance with the law; and (v) processing to serve operations of the government authorities in accordance with the law.

Similarly, the LCIS prescribes that Processing Organisations and individuals processing personal data: (i) must only collect personal data after obtaining the consent of the data subject on the scope and purpose of the collection and use of such information; (ii) must obtain the consent of the data subject to use the collected personal information for anything other than the initial purposes; and (iii) must not disclose personal information they have collected, accessed or controlled to a third party, unless they obtain the consent of the data subject or at the request of authorised state bodies. Similar provisions can be found in other laws referred to above.

The processing of personal information for national defence and security purposes, social order and safety or for non-commercial purposes must comply with other relevant laws.

The Law on Information Technology takes a similar approach for the collecting, processing and using of personal data. However, it also sets out other conditions in which personal data can be processed without the consent of a data subject including for: (i) signing, modifying or performing contracts on the use of data in the network environment; (ii) calculating charges for use of data or services in the network environment; or (iii) performing other obligations provided for by law.

Are there any formalities to obtain consent to process personal data?

Under the PDPD, in order for consent to be valid, it must satisfy various stringent conditions. Particularly, the consent to process personal data is only effective if such consent is voluntary and is given on the basis of the data subject being aware of: (i) the types of personal data to be processed; (ii) processing purposes; (iii) the parties who will process personal data; (iv) the lawful rights of data subject in relation to personal data; (v) the method of processing; (vi) start time and end time of data processing; and (vii) undesirable consequences and damage that may occur.

The consent to be granted must be express and specific, and can be withdrawn by the data subject at any time. Silence and deemed consent is not acceptable. If there is more than one purpose, the purposes must be listed out for the data subject to give consent to one or more of those listed purposes.

Consent from the data subject must be in a printable, and copyable format, including in electronic or verifiable format. In case of dispute, the Data Controller/Data Controller-Processor is responsible to prove that consent has been obtained.

Similarly, under the Law on Information Technology, and unless a legal exemption applies, Processing Organisations and individuals processing personal data must inform a data subject of the form, scope, place and purpose for the collection, processing and use of the data subject’s personal data .

Are there any special rules when processing personal data about children?

Under the PDPD and Law on Children, it is prohibited to disclose the personal data of a child without the consent of the child’s parents or guardian and the consent of the child in question (where such child is over the age of 7 but younger than 16 years old). There is also a general obligation on agencies, organisations and individuals operating online to apply measures for ensuring the safety and personal secrets for children .

Are there any special rules when processing personal data about employees?

The Labour Code does not impose specific obligations on employers to protect personal data of employees. However, the employer, as one party to the employment contract, has an obligation under the Civil Code to keep confidential information received from the employee and not to use such information for the private purposes of such party or for other illegal purposes.

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data is defined under the PDPD to be personal data in association with individual privacy which, when being infringed, will directly affect an individual’s legal rights and interests.

Sensitive personal data includes: (i) political view; religious view; (ii) health and personal life conditions recorded in medical records, excluding blood type; (iii) information related to origin of race or ethnicity; (iv) information of hereditary characteristics inherited or acquired by an individual; (v) information of physical attributes or biological characteristics of an individual; (vi) information of sexual life or sexual orientation of an individual; (vii) data of crimes and criminal activities collected and archived by law enforcement agencies; (viii) customer information of credit institutions, foreign bank branches, intermediary payment service companies and other licensed entities, including: customers' identification information in accordance with the law, and information of accounts, cash deposits, deposited assets, transactions and organisations and individuals providing security measures; (ix) location data of an individual determined by location service; and (x) other personal data specified by law as special and requiring protection measures.

Vietnamese law also provides for the concept of personal privacy or personal secrets and considers any such related information as personal data. This includes any information that a data subject may wish to keep confidential, such as medical records, tax payment dossiers, social insurance numbers, credit card numbers and other information defined by law .

Are there additional rules for processing sensitive personal data?

A party that handles sensitive personal data has extra obligations to: (i) designate a department/person in charge of personal data protection, and exchanges information about that department/person with the A05; and (ii) notify data subject about the processing of their sensitive personal data (unless the data subject has agreed to the processing already, or in one of the consent-exemption cases).

There are some additional protections for personal privacy or personal secrets. For example, state agencies holding personal secrets must protect that information and only supply or share it with competent third parties in limited cases by law. Vietnamese law also provides additional protection for medical records, for persons participating in clinical trials of a drug, and for customers data in the banking sector.

Are there additional rules for processing information about criminal offences?

Under the PDPD, data of crimes and criminal activities collected and archived by law enforcement agencies is classified as a type of sensitive personal data and is subject to the processing requirements for that type of data.

There are no specific rules for processing information about criminal offences under the LCIS. However, if a data subject wishes information about criminal offences to be kept secret and such information meets the standard of a ‘personal secret’, the rules for processing are the same as for personal data.

The Law on Criminal Procedures allows a Court to hear a case in closed session. This applies in cases involving protection of persons aged below 18 or cases affecting personal privacy as per the litigant's request. However, the judgments must be pronounced publicly.

Are there any formalities to obtain consent to process sensitive personal data?

There are no special formalities to obtain consent to process sensitive personal data and the same rules as for personal data apply (see above).

The PDPD further emphasises that the data subject would need to be aware that the personal data to be processed are of sensitive nature and the consent to be obtained must be in printable and copyable format (among other requirements).

Data Protection Officers

When must a data protection officer be appointed?

The PDPD requires entities that handle sensitive personal data to designate a department/person in charge of personal data protection, and must notify of the same to the A05.

What are the duties of a data protection officer?

Although not expressly set out under the PDPD, the data protection officer is generally responsible for handling and ensuring compliance of personal data protection regulations within the entity .

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Under the LCIS and Law on Information Technology, Processing Organisations are generally required to apply necessary management and technical measures to protect personal data.

The same principle is adopted under the PDPD, where parties processing personal data are required to apply technical and organisational measures to prevent breaches of personal data protection regulations and to prevent data loss or any damage to personal data .

Are privacy impact assessments mandatory?

Under the PDPD, Data Controllers, Data Controller-Processor, and Data Processors are required to conduct an impact assessment ("IA") and maintain the IA dossier from the time they start personal data processing.

The dossier includes key details such as contact details of the Data Controller/Data Controller-Processor/Data Processor and its personnel in charge of personal data protection, processing purposes/activities, types of personal data to be processed, cases of offshore transfer of personal data, time durations, protective measures and impact levels, among others.

In addition to the above, any party which transfers personal data of Vietnamese citizens offshore is required by the PDPD to conduct an IA for overseas transfer (see below).

For both types of IA dossiers, the relevant party must submit the IA dossier to the A05 within 60 days after starting data processing. The authority will review and can request an update of the dossier.

Rights of Data Subjects

Privacy notices

Under the PDPD, Data Controller/Data Controller-Processor must notify the data subject of the scope and purpose of the collection and use of his or her personal data prior to processing, save for cases where consent has been obtained (see above) .

Rights to access information

Data subjects can access their personal data in order to review, rectify or request rectification of their personal data, and can also request their personal data from Data Controller/Data Controller-Processor.

Rights to data portability

Data subjects can request and authorise the Data Controller/Data Controller-Processor to provide the data subject ’s personal data to other organizations and individuals on behalf of the data subject .

Right to be forgotten

The right to be forgotten concept is not regulated under the laws of Vietnam.

However, under the PDPD, where a data subject requests that a Data Controller/Data Controller-Processor updates, amends, or deletes their personal data, or withdraws their consent to personal data processing, the Data Controller/Data Controller-Processor must: (i) comply with the request within 72 hours of receipt of the request; and (ii) notify the data subject in case the request cannot be fulfilled because of technical or other reasons.

The Data Controller/Data Controller-Processor/Data Processor must permanently delete any stored personal data when they have accomplished the desired purposes or the storage time has expired and notify the data subject , unless otherwise prescribed by law. Similar provisions can be found in other laws referred to above .

Objection to direct marketing and profiling

The consent of the data subject is required in order to use personal data for the purposes of direct marketing. The data subject has the right to object to the Controller/Data Controller-Processor processing their personal data in order to prevent or restrict the disclosure of personal data or the use of personal data for advertising and marketing purposes. The Data Controller/Data Controller-Processor shall comply with the data subject ’s request within 72 hours after receiving the request.

Other rights

The PDPD also provides the data subject with other rights including: (i) the right to request restriction on processing; (ii) the right to file complaints, denunciations and lawsuits; (iii) the right to claim damage; and (iv) the right of self-protection .

Security

Security requirements in order to protect personal data

Under the PDPD, a Data Controller, Data Processor or Data Controller-Processor may be held liable to the data subject for any damage caused by its data processing activity. They must also: (i) set up internal policies for personal data protection and (ii) implement organizational and technical measures and appropriate security measures to prove that the personal data is processed in accordance with regulations of the law on protection of personal data, and to review and update these measures when necessary.

Under the LCIS, Processing Organisations must take appropriate managerial or technical measures to protect information and observe applicable technical regulations and standards.

In addition, information systems are classified into five security levels according to their function and the level of confidentiality of the information they process, for the purpose of applying corresponding managerial and technical measures to protect these information systems.

Further, a Processing Organisation administering an information system must: (i) determine the security level of the system; (ii) assess and manage the security risks posed to the system; (iii) supervise, speed up and examine the protection of the system; (iv) comply with the reporting regime; (v) conduct public information for raising awareness of cyber information security; (vi) adopt measures to protect the system, including managerial and technical measures in accordance with applicable technical standards and regulations; and (vii) supervise the security of the system.

Specific rules governing processing by third party agents (processors)

A third party agent (or a Data Processor) must have a contract with the Data Controller, but the law does not provide for a specific contract template, or required provisions to be included in such contract.

Processing Organisations must coordinate with state authorities to ensure the protection of personal data.

Notice of breach laws

The PDPD requires that in case of a breach of personal data protection regulations, the Data Processor must notify the Data Controller as soon as possible and the Data Controller/Data Controller-Processor must notify the A05 within 72 hours of the breach. Notification can be made in stages if not all required information is available.

Under the LCS, a cyberspace service provider in Vietnam has to notify the user and report to the Cybersecurity Task Force (i.e. the A05) in the event of disclosure of, damage to or loss of data about user information. Agencies, organizations and individuals using cyberspace have to promptly provide information relating to cybersecurity to the competent agency and Cybersecurity Task Force.

Other Cybersecurity Task Force will be organised under ministries, branches, provincial people's committees, agencies and organizations which directly manage information systems critical for national security.

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Any party that wants to transfer personal data of Vietnamese citizens offshore must complete the cross-border transfer IA dossier. The dossier must include key details such as contact details of the data transferor and recipient, objectives of the personal data processing after transfer overseas, types of personal data to be transferred and measures for personal data protection, among others. As part of the IA dossier, the agreement between the data transferor and recipient must be submitted.

The party transferring data must also give notice to the A05, including information on the transfer and contact details of the responsible parties, after the data transfer has been completed.

The Ministry of Public Security can decide to inspect the offshore transfer once per year or more in cases of breach of personal data protection regulations. The Ministry of Public Security can also request to stop personal data transfer if: (i) the transferred data is used for activities violating the national interest and security of Vietnam; (ii) the transferor does not comply with requests to supplement the impact assessment dossier; or (iii) there is an incident of leakage or loss of personal data of Vietnamese citizens.

In addition to the above, the LCS obliges certain enterprises providing internet services in Vietnam (captured enterprises) to store certain users' data (captured data) in Vietnam.

Vietnam issued Decree 53/2022/ND-CP (“Decree 53”) that clarifies the operation of these rules. In particular, it defines “captured data” to be: (i) personally identifiable information data; (ii) data created by user in Vietnam, including account name to use service, time of service use, credit card information, email address, IP address of latest login or logout, registered phone number associated with the account or data; and (iii) data of a user's relationship in Vietnam, including the user’s friends or groups.

Decree 53 also treats local and foreign enterprises differently. A local enterprise will be a “captured enterprise” if it carries any of the following services in Vietnam: (i) telecommunication services; (ii) telecommunication-based application services; (iii) value-added telecommunication services (including email service, voicemail service, fax service, and internet access service); (iv) internet services; and (v) over-the-top content services on the internet.

In contrast, a foreign enterprise will only be a “captured enterprise” in limited situations. This categorisation will occur where it: (i) provides certain specified internet services; (ii) those services have been used to commit a breach of cyber security laws; (iii) the A05 under the Ministry of Public Security has notified the foreign enterprise of the cybersecurity law violation and requested co-operation; (iv) the foreign enterprise fails to provide that co-operation; and (v) the Minister of Public Security issues an order requiring the enterprise to store data locally and set up its branch or representative office in Vietnam. Where such an order is made the foreign enterprise must establish a branch or office in Vietnam and must keep the relevant information for 24 months at minimum.

Further, personal data that amount to a State secret must also be stored in Vietnam. Examples of this type of data include: (i) information on members of the People's Army, People's Public Security and intelligence agencies who are sent for training at home or abroad; (ii) information on protection of health of high-ranking leaders of the Party and the State; (iii) information, documents and figures on population surveys; and (iv) strategies, plans and schemes on organization and personnel work of Party and State agencies and socio-political organizations .

Notification and approval of national regulator (including notification of use of Model Contracts)

The Data Controller, Data Controller-Processor, Data Processor or Third Party that transfers personal data of Vietnamese citizens offshore must conduct an IA and submit the dossier to the A05 within 60 days after starting data processing (see above).

Use of binding corporate rules

There is no ability to use binding corporate rules in respect of transfers to third countries.

Enforcement

Fines

Currently, regulators are working on a draft Penalties Decree on administrative penalties in cybersecurity space. The latest draft Penalties Decree publicly available proposes certain sanctions for violations in processing personal data. In certain cases, repeated breaches may even result in an administrative fine of up to 5% of the revenue in the previous financial year, among other penalties.

As sanctions for specific violations are still in the pipeline under the draft Penalties Decree, sanctions for violations of personal data regulations are currently being scattered under various regulations. Particularly, infringement of privacy laws may lead to: (i) administrative fines of between VND10 million (c USD405) and VND20 million (c. USD810) for collecting personal data without the consent of the data subject ; and (ii) administrative fines of between VND40 million (c. USD1,625) and VND60 million (c. 2,440) for publishing personal secrets or other personal data without the consent of the data subject , VND20 million (c. USD810) to VND30 million (c.1,220) for failing to keep necessary management and technical measures to ensure the safety of personal data of other persons or supplying personal data of other persons to a third party in a network environment.

Consumers’ personal data in e-commerce activities is also protected by administrative fines including: (i) administrative fines of between VND2 million (c. USD80) and VND20 million (c. USD810) for developing policies to protect personal data which are not compatible with regulations, not showing consumers the policies for personal data protection before or at the time of collecting such data, or failing to check, update, amend or cancel personal information when requested by the subject of information to do so; (ii) administrative fines of between VND20 million (c.USD810) and VND40 million (c. USD1,625) for failing to set up a mechanism for receiving and resolving complaints from consumers or not implementing policies to ensure safety and security for the collection and use of personal data of consumers; (iii) administrative fines of between VND40 million (c.USD1,625) and VND60 million (c. USD2,440) for collecting personal data of consumers without the consent of the data subject , setting up a default mechanism to force consumers to agree that their personal data be shared, disclosed or used for the purposes of advertising and other commercial purposes, or using the personal information of consumers improperly with the purpose and the notified scope.

Besides monetary fines, e-commerce activities may be suspended for 3 to 6 months for violation of point (iii). In addition, administrative fines of between VND60 million (USD2,440) and VND80 million (c. USD3,250), confiscation of means of violation and suspension of e-commerce activities for 6 to 12 months may be applied for stealing, using, revealing, transferring or selling information relating to trade secrets of other business persons or personal data of customers in e-commerce activities without consent from related parties.

Imprisonment

Certain infringement of privacy laws may subject the violators to criminal liabilities, including imprisonment. Particularly, infringement of privacy and security of mails, telephones, telegrams or other forms of private communication may be subject to maximum three years’ imprisonment (among others), but this would only apply after having been subject to administrative penalties.

Further, disclosure of personal data of individuals or business data of organisations on the Internet and telecom networks without consent which results in illegal profit of more than VND200 million (c. USD 8,130) may lead to criminal penalties of up to seven years' imprisonment (among others).

Illegal accessing of computer networks, telecommunications networks and electronic devices of other persons, subject to the nature and severity of the breach, may result in criminal penalties of up to 12 years' imprisonment (among others).

Compensation

Under the civil code, if personal data rights are infringed, the data subject is entitled to demand or request a competent body or person to compel the infringing party to compensate the data subject .

Other powers

Practice

There have been some cases of regulators imposing administrative fines for breaches of personal privacy, mostly in a network environment. There have also been reported cases of criminal sanctions being imposed on acts of illegally accessing and stealing personal information for sale.

As regulations on personal data protection develop, we have seen more enforcement actions in this space. There is no exact statistic on the number of enforcement actions taken in the last 12 months and the majority of enforcement actions are not publicly disclosed.

ePrivacy | Marketing and cookies

National Legislation

ePrivacy laws

There is no specific ePrivacy law in Vietnam. However , the PDPD, the LCIS, the Law on Information Technology and Law on Electronic Transactions contain some provisions that address ePrivacy issues.

Cookies

Conditions for use of cookies

The use of cookies is not specifically regulated under Vietnamese law. However, personal data collected via the use of cookies is subject to Vietnamese privacy laws in the same manner as other personal data.

Regulatory guidance on the use of cookies

Since the use of cookies is not regulated, the guidance for storing personal data in cyberspace by using cookies are as the same as the rules apply to the management and processing of personal data which requires the consent of the data subject .

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Pursuant to Decree 91 dated 14 August 2020 on Anti-Spam Messages, Emails and Calls ("Decree on Anti-Spam"), advertisers via emails are only permitted to send advertising emails to users after users have provided express consent on receiving such advertising emails.

Advertisers must also provide a clear mechanism for users to opt-out from receiving advertising emails. As soon as advertisers receive opt-out requests from users, advertisers must acknowledge receipt of opt-out requests and stop sending advertising emails to users who opted out.

There are further requirements for advertisers to store subscription and opt-out requests and confirmation and to provide searching and storing tools so users can access these documents, among other obligations.

An advertiser is only permitted to send maximum three emails to one user within 24 hours, unless otherwise agreed with the user. Contents of the advertising emails must comply with laws on advertising.

Conditions for direct marketing by e-mail to corporate subscribers

The rules are the same as for individual subscribers.

Exemptions and other issues

Decree on Anti-Spam provides for other requirements. In particular, email subject and content must be consistent and advertising content must comply with laws on advertising. Advertising emails must be labelled with [QC] or [AD] at the beginning of the email subject to indicate that this is an advertising email. Advertisers must provide information such as name, telephone, email address, geographical address, and website, social network (if any). This information must be expressly set out in the email and must be provided immediately before the select function permitting the recipient to opt-out of email marketing. Where the advertising email concerns a chargeable service, the email must provide information on the fees to be charged. Further, an advertising email must include a function permitting users to opt out from receiving advertising emails.

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under Decree on Anti-Spam, direct marketing by telephone and text messages follows similar principles on required consent and opt-out mechanism as set out above. Advertisers are also restricted to make maximum three advertising calls or send maximum three advertising text messages to one user within 24 hours unless otherwise agreed with the user.

Further to the above, advertisers are not permitted to make advertising calls or send advertising text messages to users within the Do Not Call list. Advertisers are required to carefully check the Do Not Call list before advertising. Unless otherwise agreed with users, advertisers are only permitted to send advertising text messages from 7:00 am to 10:00 pm every day, and make advertising calls from 8:00 am to 5:00 pm every day.

Advertisers are required to register with the Ministry of Information and Communications and obtain from this authority a name identifier code before they can make advertising calls or send advertising text messages.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The rules are the same as for individual subscribers.

Exemptions and other issues

There are further requirements in relation to advertising text messages. Particularly, advertising messages must be labelled with [QC] or [AD] at the beginning of the message subject to indicate that it is an advertising text message. Where the advertising text message concerns a chargeable service, the text message must provide information on the fees to be charged. Further, an advertising text message must include a function permitting users to opt-out from receiving advertising text messages.