Comparison of compliance requirements between Decree 24 and Decree No. 13 on personal data protection
Of note, the Law on Protection of Consumers’ Rights 2023 and Decree 24 have certain aspects that are stricter and more demanding than Decree No. 13 on personal data protection. B2C enterprises and digital platforms should pay attention to these requirements, including:
- Consent of the data subject/consumer: Aside from the purposes of data processing provided in Decree No. 13, consumers under Decree 24 have the new right to choose the scope of information they agree to provide. Consumers can also choose whether or not to allow the sharing, disclosure, or transfer of their information to a third party, or the use of consumer information to advertise and promote products, goods, services and other commercial activities.
- Change of purpose of data/consumer information processing: When the purpose of data processing changes, Decree No. 13 gives no clear instruction on the course of action that the data controller or the data controller-cum-processor needs to take. By contrast, under Decree 24, the organization collecting and using the consumer information is explicitly obligated to notify the consumer and obtain the consumer’s consent before changing the purpose and scope of use of the information previously notified to the consumer.
- Handling of data/consumer information breach: Under Decree No. 13, data controllers are required to notify the A05 within 72 hours from the occurrence of the breach. By contrast, under Decree 24, organizations are required to notify the competent state management agency within 24 hours from the time of detecting a breach of the information system that poses a risk to the safety and security of consumer information.
- Data subject rights: Decree 24 also includes the right of consumers to request the inspection, deletion, or transfer of consumer information, or the cessation of its transfer. Organizations collecting and using consumer information are obligated to comply with these requests or to provide consumers with the tools and information needed to carry them out themselves.
The sanctions imposed by Decree 24 hence mandate alignment not only with Decree No. 13, but also with the strict requirements under the Law on Protection of Consumers’ Rights 2023. It should be noted that although Decree 24 only provides for monetary fines for violations of consumer data privacy, once the draft Law on Personal Data Protection and the draft Cybersecurity Administrative Penalties Decree go into effect, additional penalties and remedial measures may be imposed, including temporary suspension of personal data processing or temporary withdrawal of business and professional licenses.
Recommendations
To avoid the risk of financial penalties, additional penalties and remedial measures, cessation of operations, reputational damage and loss of customer trust, it is recommended that enterprises develop or review their data protection frameworks, policies, consent forms, processing notifications, relevant contracts and procedures, internal management, third-party risk management and breach management policies for compliance with both Decree No. 13 and the Law on Protection of Consumers’ Rights 2023. This applies especially to enterprises establishing and operating digital platforms, which may be subject to heavy fines for non-compliance.