Legal News

[Personnel and Labor Relations] Update on Draft Penalties for Violations of the Cybersecurity and Privacy Decree (Part 2)

2024/05/16

Following the news of “Update on Draft Penalties for Violation of the Cybersecurity and Personal Information Protection Cabinet Order” distributed on May 9, this issue provides a sequential update on matters that companies should be particularly aware of in the violation of laws and regulations regarding personal information protection.

◆ Fines of VND20,000,000 to VND40,000,000 will be imposed for processing personal information without the consent of the individual, collecting wrong information, not informing the individual of the purpose, processing for a purpose different from what the individual agreed to, not informing the individual about the information processing, etc.

◆ Failure to prepare or keep the information processing impact assessment and information transfer impact assessment to overseas since the beginning of information processing, or failure to submit the assessment to the Ministry of Public Security within the statutory time limit shall be fined 140,000,000 to 200,000,000VND.

◆ A fine of up to 5% of the gross business revenue of the previous fiscal year shall be imposed for the following acts
・Using or providing customers’ personal information more than once in marketing or advertising service business.
・Illegally transferring, trading or collecting personal information more than twice.
・Leakage or loss of personal information of more than 5 million Vietnamese citizens.

This draft is scheduled to take effect on June 1, 2024. In order to avoid the risk of the above administrative sanctions, companies are required to comply with the personal information processing regulations stipulated in Decree No. 13/2023/ND-CP.

 

References:
・Decree No. 13/2023/ND-CP
・Draft Decree on Sanctions for Administrative Violations in the Field of Cyber Security