- Authorization, Consent, and Documentation Requirements
Any party, whether an individual or an organization, that processes consumer data must obtain explicit written authorization before assigning consumer information-related activities to a third party. Such authorization must be documented in a formal agreement that clearly specifies the scope of information processing and the responsibilities of each party involved. Assignments without well-defined documentation will be subject to administrative fines.
Failure to comply with these provisions may result in administrative fines ranging from VND 20,000,000 to VND 30,000,000[1]. Moreover, if the violation occurs in the online space, the fine increases to a range of VND 50,000,000 to VND 70,000,000[2].
- Transparency and Public Disclosure of Data Protection Policies
Merchants are obligated to develop and publicly disclose comprehensive consumer information protection policies. These policies must detail:
- (i) the specific purposes for which consumer data is collected;
- (ii) the scope of data usage, including any potential sharing with third parties;
- (iii) the duration for which the data will be retained; and
- (iv) the rights of consumers concerning their personal data, including mechanisms for access, modification, and deletion.
Failure to publish or adequately communicate these policies constitutes a violation and is subject to administrative fines ranging from VND 20,000,000 to VND 30,000,000 for individuals[3], with the penalty being doubled for organizations[4].
- Information Security, Consumer Rights, and Incident Reporting
Businesses must implement robust security measures to prevent unauthorized access, breaches, or misuse of consumer information. This includes adopting appropriate technological safeguards to ensure data integrity and confidentiality; establishing mechanisms that allow consumers to review, update, delete, or transfer their personal data upon request; and resolving consumer complaints regarding unauthorized data collection or improper use within a specified timeframe. Additionally, in the event of a breach or cybersecurity incident, the business is obliged to notify the competent authorities within 24 hours of detection.
Failure to comply with these obligations may result in heightened penalties, with fines ranging from VND 30,000,000 to VND 40,000,000[5].
- Strengthened Penalties for Sensitive Personal Data and Large-Scale Digital Platforms
Decree 24 specifies enhanced penalties for two distinct scenarios. In the first scenario, if a violation involves the sensitive personal data of consumers, the monetary fine shall be doubled compared to the standard amount, reaching up to VND 80,000,000[6]. In the second scenario, if the violation is conducted by an entity that operates a large-scale digital platform, the fine shall be quadrupled, reaching up to VND 160,000,000[7].
It should be noted that if the violation is committed by an organization, the fine shall be double the fine ranges above[8].
Decree 24 not only strengthens consumer rights but also raises awareness among relevant parties regarding the protection of the personal data of consumers. The increased fines underscore the seriousness of data security breaches and the urgent need to shield consumer rights.
- [1] Article 46.1 of Decree 98, as amended and supplemented by Article 1.5 of Decree 24
- [2] Article 53a of Decree 24
- [3] Article 46.1 of Decree 98, as amended and supplemented by Article 1.5 of Decree 24
- [4] Article 4.4 of Decree 98, as amended and supplemented by Article 3.1(b) of Decree 17
- [5] Article 46.2 of Decree 98, as amended and supplemented by Article 1.5 of Decree 24
- [6] Article 46.3 of Decree 98, as amended and supplemented by Article 1.5 of Decree 24
- [7] Article 46.4 of Decree 98, as amended and supplemented by Article 1.5 of Decree 24
- [8] Article 4.4 of Decree No. 98/ND-CP, as amended by Article 3.1(b) of Decree 17/2022/ND-CP