Violating the law on personal data protection will be fined up to 3 billion VND
According to the law, organizations and individuals who violate the law on personal data protection can be fined or prosecuted for criminal liability.
The Law on Personal Data Protection stipulates personal data, personal data protection and the rights, obligations and responsibilities of relevant agencies, organizations and individuals; effective from January 1, 2026.
According to the Ministry of Public Security, the Law clearly stipulates that the protection of personal data and organizations and individuals who violate will be handled according to the provisions of law.
The content of the above regulation is stated in Article 8 on handling violations of the law on personal data protection.
Accordingly, Clause 1 states that organizations and individuals who violate the provisions of this Law and other legal provisions related to personal data protection may be subject to administrative sanctions or criminal prosecution; if they cause damage, they must be compensated according to the provisions of law.
In Clause 2 of this Article, the handling of administrative violations in the field of personal data protection shall be implemented in accordance with the provisions of Clauses 3, 4, 5, 6 and 7 of this Article and the law on handling administrative violations.
Clause 3 states that the maximum fine for administrative sanctions for the act of buying and selling personal data is 10 times the revenue from the violation; in case there is no revenue from the violation or the fine calculated according to the revenue from the violation is lower than the maximum fine prescribed in Clause 5 of this Article, the fine prescribed in Clause 5 of this Article shall apply.
Clause 4 stipulates the maximum penalty for administrative sanctions for organizations that violate the regulation on translating cross-border personal data, which is 5% of the revenue of the previous year of that organization; in case there is no revenue of the previous year or the penalty calculated according to revenue is lower than the maximum penalty as prescribed in Clause 5 of this Article, the penalty level as prescribed in Clause 5 of this Article shall apply.
The maximum fine for administrative sanctions for other violations in the field of personal data protection is 3 billion VND, as prescribed in Clause 5.
The maximum fine prescribed in Clauses 3, 4 and 5 of this Article shall be applied to organizations and individuals who commit the same violation, the maximum fine shall be one-half of the fine for the organization.
The Government stipulates the method of calculating revenue from the implementation of violations of the law on personal data protection.
See the original here
