Personal data protection (PDP) is increasingly becoming a pivotal factor in today’s digital business and social environment. In Vietnam, Decree No. 13/2023/ND-CP on Personal Data Protection has established a significant and fairly comprehensive legal framework. While this Decree itself doesn’t specify detailed administrative fines, it outlines general forms of sanctions (disciplinary, administrative, criminal). Administrative penalties are referenced from existing specialized decrees or will be specifically stipulated in a separate Decree on administrative sanctions in the field of personal data protection – a document currently under development, aligning with the aim of a more comprehensive Personal Data Protection Law expected to come into effect in 2026.
Understanding these forms of violation handling is crucial for organizations and individuals to proactively ensure compliance, mitigate legal risks, and build lasting trust with customers.
According to Decree 13/2023/ND-CP, violations of personal data protection regulations can be subject to three main categories of penalties, depending on the nature and severity of the violation:
- Disciplinary Action
Disciplinary action primarily applies to individuals who commit violations, especially cadres, civil servants, and public employees within state agencies. This type of action will be implemented based on current disciplinary regulations, notably Decree 112/2020/ND-CP on the disciplinary handling of cadres, civil servants, and public employees, along with the internal regulations of each specific agency or organization.
The objective of disciplinary action is to rectify behavior, deter future violations, and ensure strict adherence to PDP regulations within the state sector.
- Administrative Penalties
Administrative penalties apply to all organizations and individuals who violate PDP regulations. Although Decree 13/2023/ND-CP does not specify concrete administrative fines, penalties can currently be referenced from other relevant specialized legal documents. This is a point that businesses should pay particular attention to, as the potential financial damage can be substantial.
Documents that may be applied for administrative penalties include:
- Decree 15/2020/ND-CP (as amended and supplemented by Decree No. 14/2022/ND-CP) stipulates administrative penalties in the fields of postal services, telecommunications, radio frequency, information technology, and electronic transactions.
- Decree 24/2025/ND-CP (effective from February 21, 2025, amending Decree 98/2020/ND-CP) on administrative penalties in the field of consumer rights protection.
Examples of penalties under Decree 24/2025/ND-CP:
Decree 24/2025/ND-CP introduces more stringent penalty provisions related to consumer information, including personal data. Specifically:
- Collecting, storing, or using consumer information improperly: may incur a fine of up to VND 30 million.
- If the violation involves sensitive personal data: the fine may increase to up to VND 60 million.
- Actions like failing to report a security breach within 24 hours, lacking adequate security measures, or sharing consumer information without consent: may result in a fine of up to VND 40 million.
- For large digital platforms committing similar violations: the fine can reach up to VND 160 million.
- For particularly serious violations by large digital platforms: the fine can be up to VND 400 million.
Actions that may be subject to administrative penalties under Decree 13/2023/ND-CP (referenced from other documents):
- Collecting or processing personal data without valid consent from the data subject.
- Illegally disclosing, sharing, or trading personal data for unauthorized purposes.
- Failing to conduct a Data Protection Impact Assessment (DPIA) or Cross-Border Data Transfer Impact Assessment (DTIA) as required.
- Failing to apply or inadequately applying necessary security measures to protect personal data.
- Failing to promptly notify competent authorities or data subjects about cybersecurity incidents leading to data breaches within the specified timeframe (72 hours).
- Criminal Charges
Criminal charges represent the most severe form of sanction, applied when a personal data protection violation results in especially serious consequences or shows signs of constituting a crime under the Penal Code. Individuals found in violation may face significant prison sentences and substantial fines.
Some criminal offenses directly or indirectly related to personal data violations include:
- Crime of infringing upon the secrecy or safety of correspondence, telephone, telegraph, or other forms of private information of others (Article 159 of the Penal Code): Relates to unauthorized appropriation, disclosure, or use of private information.
- Crime of illegally putting or using information on computer networks or telecommunication networks (Article 288 of the Penal Code): Includes acts such as illegally uploading information to networks, trading, exchanging, or publicly disclosing legitimate private information without permission.
- Crimes related to theft or appropriation of personal data if the act meets the elements of property crimes or other offenses under the Penal Code.
Conclusion: Raising Awareness and Preparing for Compliance
The figures for administrative fines and the potential for criminal charges underscore the critical importance of strict compliance with Decree 13/2023/ND-CP. Non-compliance not only poses significant legal risks but also gravely impacts a business’s reputation and trust.
Specifically, “inadequate security measures” and “failure to report breaches within 72 hours” are common pitfalls for many organizations. This highlights the growing necessity of investing in professional data protection solutions and processes.
To ensure strict compliance with Decree 13/2023/ND-CP and to effectively protect data, organizations must proactively develop and implement a comprehensive data protection strategy. This involves regularly assessing risks, applying appropriate technical and organizational measures, and establishing clear incident response procedures.
A thorough understanding of regulations and proactive actions will not only help businesses avoid severe penalties but also build a robust foundation for sustainable development in the digital age.
Disclaimer: This publication is intended for general informational purposes only. It should not be construed as professional legal advice for any specific case, organization, or individual.