Outbound Call Regulations in Vietnam

Obligation to Consult DNC Database: Outbound call centers must scrub their contact lists against the DNC registry. Telecom and internet service providers are required to support this by blocking marketing calls to listed numbers. Marketing callers are also obligated to immediately stop calling a number if the recipient asks to opt out or if the number is newly added to DNC. Failure to respect the DNC list can lead to administrative fines ranging roughly from VND 3–20 million for individuals and higher for organizations.

Do Not Originate (DNO) Measures: Vietnam does not have a named public Do-Not-Originate registry akin to some other jurisdictions, but telecom authorities employ measures to block fraudulent or illegitimate call origins. Carriers use analytics (big data/AI) to detect and block suspected spam callers and fake caller IDs. For example, if a subscriber is identified as source of spam calls, telecom operators will block that subscriber's outgoing calls and even cross-carrier incoming calls. International scam calls (e.g. those spoofing official numbers or using VoIP with fake local numbers) are a known issue. The Authority of Telecommunications under MIC coordinates with the Ministry of Public Security (MPS) to identify and shut down fraudulent call operations, including blocking calls from unallocated or spoofed numbers and investigating illegal VoIP gateways. In practice, Vietnamese carriers will not allow certain number types to be used as caller ID – for instance, outbound calls presenting a toll-free number are outright disallowed by carriers. These measures serve a similar purpose to DNO rules by preventing calls from numbers that should not legitimately originate traffic.

Law on Cybersecurity (2018)

The Cybersecurity Law (effective Jan 1, 2019) requires both domestic and foreign service providers operating in Vietnam's cyberspace to protect users' personal data and system security. Key provisions include:

Cooperation Duty: The law also mandates that companies verify user identities and comply with law enforcement requests to prevent and investigate misuse of their platforms. For an outbound call center, this means ensuring any platform or technology used for calling Vietnamese individuals adheres to local cybersecurity requirements (e.g. storing call records or customer contact data in Vietnam if required, and having a local point of contact for authorities).

Personal Data Protection Decree 13/2023/ND-CP

Vietnam's first comprehensive data protection regulation took effect on July 1, 2023.

Scope: It applies to any entity (individual or organization), Vietnamese or foreign, that processes personal data in Vietnam or of Vietnamese individuals – even if the processing is done abroad. Outbound call centers fall under its scope since they handle personal data (phone numbers, call recordings, etc.) of individuals.

Consent Requirements: Vietnam's regime is largely consent-based. Except for a few limited exceptions, valid consent of the data subject is required for all processing activities, including using personal data for marketing or sales calls. The burden is on businesses to obtain and document explicit opt-in consent before calling someone for promotional purposes, and pre-ticked boxes or silence do not count as consent. Individuals have the right to withdraw consent at any time, and firms must honor such withdrawals. This dovetails with the DNC rules – calling consumers without prior consent would violate both telecom spam regulations and data protection law.

Privacy Notices and Data Rights: Companies must inform individuals about the purpose and scope of data collection (for example, informing call recipients if their call is recorded and how their information will be used) and ensure data is only used for the stated purpose. Data subjects have rights to access, deletion, etc., which call centers must accommodate (for instance, a customer can request what data the call center holds on them).

Data Security: Organizations must protect personal data with appropriate security measures to prevent leaks. If a call center records calls or stores customer phone lists, it must implement measures to secure that data and notify authorities of serious data breaches as required by law.

Cross-Border Data Transfer: If an outbound call center or dialing platform is based overseas and accesses Vietnamese personal data, it constitutes a cross-border transfer. Decree 13 requires such transfers to meet certain conditions, including conducting a transfer impact assessment (TIA) and possibly notifying the MPS's Department of Cybersecurity (A05). In essence, foreign call centers processing Vietnamese personal data are held to the same standards as local ones in terms of consent and data protection, and may need to implement additional compliance steps (like TIAs or designating a contact person for data issues).

Interaction of Privacy Law with Calls: Vietnam's privacy laws reinforce the outbound call regulations by treating a phone number and call recording as personal data. Express consent is required to use personal data for marketing calls, and this is echoed in Decree 91's requirement for prior consent before making advertising calls. Additionally, the new Law on Protection of Consumer Rights (2023) defines "consumer information" broadly (including personal data and details of consumer transactions) and requires businesses to handle such information with confidentiality and only for disclosed purposes. This means call centers must not misuse or share consumer phone numbers without permission, and they must secure any data collected during calls. Both domestic and foreign companies should update their data handling policies accordingly, as compliance with Vietnam's PDP rules is mandatory alongside call-specific rules.

Consent for Marketing Calls: Unsolicited telemarketing calls are largely prohibited unless the consumer has given prior consent. Decree 91/2020 shifted Vietnam to an opt-in regime for advertising communications. A business may place an advertising call only if the recipient has actively agreed in advance to receive such calls. The only exception is that a company is allowed to send one inquiry (often via SMS) asking for consent – if the user ignores or refuses, no further marketing contact is allowed. In practice, call centers should obtain written or recorded consent (e.g. via an online form, hotline opt-in, or text message response) before adding a customer to any call list.

Time-of-Day Restrictions: Advertising calls may only be made between 8:00 AM and 5:00 PM local time (Monday through Sunday) unless the recipient explicitly agrees to receive calls at another time. This rule is designed to prevent nuisance calls during early morning, evening, or night hours. Promotional text messages have a broader allowed window (7:00 AM to 10:00 PM) but calls are confined to business hours. Outbound call centers must schedule their campaigns accordingly to avoid fines for off-hours calls.

Frequency and Volume Limits: Vietnam caps the number of marketing contacts to prevent harassment. No more than one advertising call per day can be made to the same phone number (and no more than 3 marketing SMS or emails per day to the same recipient). Exceeding these limits, unless the consumer has agreed to more frequent communications, is a violation. Call centers should ensure their autodialer systems or calling plans adhere to these limits (e.g. not repeatedly calling the same lead in a single day).

Caller Identification (Branding) Requirements: Telemarketers must identify themselves clearly when calling. Decree 91 introduced a "Brand Name" registration system for entities that send advertising messages or calls. Companies engaged in telephonic marketing should register a unique identifier (brand name) with the MIC, which is then used in caller ID or in text message headers. This ensures that recipients can recognize the caller – for example, promotional SMS messages in Vietnam often show a brand name instead of a phone number. The MIC maintains an official portal for managing these registered brand names (at tendinhdanh.ais.gov.vn) where one can search approved identifiers. Each registered brand name is valid for 3 years, after which it must be renewed. For calls, enterprises typically cannot hide their number; the originating number (or name) must be displayed. Using someone else's number or masking the caller ID unlawfully is prohibited. In short, call centers should use a registered caller line identity that reflects their business or client name, and all marketing calls must begin with a proper introduction of the caller/company.

Call Recording and Monitoring: Many call centers record calls for quality or training. Under Vietnamese law, call recordings constitute personal data (as they contain the voice and potentially personal information of the individual). While there isn't a separate call-recording statute, general privacy principles apply. Best practice – and effectively required by the data protection rules – is to obtain the customer's consent before recording. Often this is done by playing a disclaimer at the start of the call (e.g. "this call is recorded for quality purposes") and proceeding only if the customer doesn't object. Decree 13/2023 requires transparency and consent for collecting personal data, so informing the person that their voice will be recorded satisfies the notice requirement and their continued participation can be treated as consent. Additionally, Vietnam's laws (both the cybersecurity domain and consumer protection law) forbid unauthorized use or disclosure of "consumer information". Thus, recorded call data must be stored securely and not shared without permission. In sum, if call centers record calls, they should disclose this and protect the recordings in compliance with personal data regulations.

Other Operational Rules: Outbound callers must provide an opt-out mechanism. Even outside of the DNC list, any marketing call or message must allow the recipient to refuse further communication. If a consumer says "do not call me again", the caller is legally obligated to stop and not contact that person for marketing in the future. Call centers are also expected to comply with content regulations – the content of calls must not violate any advertising content laws or contain prohibited topics (e.g. fraudulent information, misinformation, etc.). If the call center uses automated dialing or prerecorded messages, they must still ensure consent and compliance; fully automated marketing calls without prior consent would be considered spam. Finally, if the call center is offering to sell goods or services, the new Consumer Protection Law (2023) classifies this as a form of remote contract, which means the business must provide the consumer with full information about the seller's identity, terms of the sale, and the right to refuse the offer. In practice, telemarketers should clearly state the company name, purpose of the call, and not engage in aggressive or misleading tactics, as general consumer protection and advertising laws (e.g. the Law on Advertising 2012) would apply.

Other Relevant Authorities

If the outbound calls relate to certain sectors, other regulators may be involved. For instance, the State Bank of Vietnam (SBV) and finance regulators oversee debt collection calls and bank product marketing (with guidelines to ensure fair treatment of customers), and the Ministry of Finance could impose additional telemarketing rules for consumer finance. Similarly, calls that constitute debt collection are regulated by laws on debt collection practices. However, the central rules for calling conduct (DNC, consent, hours, etc.) remain under the purview of MIC and MPS as described above.

In summary, MIC oversees telecom compliance, MPS handles cybersecurity and privacy, and MOIT (Consumer Authority) protects consumers in marketing interactions. These agencies often collaborate to curb issues like scam calls, reflecting a multi-pronged regulatory oversight.

Do-Not-Call List Registration: As discussed, companies must purge DNC-listed numbers from their call lists. The DNC database is maintained by AIS. Subscription to the DNC feed is available – by 2022, dozens of enterprises had connected to the DNC management system to regularly download the updated list of opted-out numbers. This requires registering with the AIS system as an advertiser. Practically, an outbound call center should sign up with the DNC registry portal to obtain credentials for checking numbers. Consumers can register their number on the DNC list by texting to the 5656 service or via AIS's website (the exact procedure is guided by MIC, e.g. by texting the keyword "DK DNC" to 5656). Before initiating a campaign, call centers are expected to query the DNC database and remove any matching numbers to avoid illegal calls.

"Brand Name" (Caller ID) Registration: Any person or entity making marketing calls or messages must register a Brand Name (Tên định danh) with the MIC. This is done through the official portal (tendinhdanh.ais.gov.vn) managed by AIS. The registration involves providing the desired brand name and relevant business details; once approved, the brand name is used in the caller identification for messages/calls. Telecommunication service providers in Vietnam will recognize these registered names and display them on recipients' devices. Organizations should search the MIC's public register to ensure their chosen name is unique and valid. Using a telecom "brand name" is effectively mandatory for bulk SMS and advised for call centers to properly identify themselves. This system also helps authorities trace the source of marketing calls. Brand Name registration is valid for 3 years and must be renewed or it will expire. Call centers should keep this registration current and use the assigned identifier in all communications.

Anti-Spam Reporting System (5656): While not a registration per se, companies sending bulk SMS advertisements must integrate with the 5656 spam reporting system. Decree 91/2020 requires that every advertising SMS be copied to the 5656 system in real-time. This allows AIS to monitor compliance and collect evidence of spam. For call centers, if any automated SMS or confirmation messages are part of their process, those must also follow this rule. Additionally, organizations can access the 5656 system's feedback data – e.g. if users report a number as spam, that number could be flagged. Telecom carriers and AIS share information on spam sources ("blacklists") across the industry. No separate registration is needed to receive spam reports, but call centers should be aware that users can and will report unwanted calls, leading to blocking or penalties.

Business Registration and Licensing: Outbound call center companies must of course be legally registered businesses in Vietnam (or operate via a registered local entity if foreign). If the call center's activity falls under certain categories (telemarketing on behalf of clients), the business license should include "advertising services" or "call center services" as appropriate. Vietnam doesn't have a specialized call center license, but value-added telecom services might require notification to MIC. For example, if a company provides large-scale VoIP call services to others, it may need a VAS license from MIC for telephony over the internet. Most in-house call centers or BPOs use licensed telecom providers for connectivity, so a separate telecom license is not needed for just making calls. However, they should ensure compliance with numbering regulations – e.g. using officially assigned numbers or short codes. Short codes (5-digit or similar numbers) for customer service or campaigns must be obtained from MIC. There are also databases for numbering plans managed by the Authority of Telecommunications.

Personal Data Processing Registration: Vietnam's Decree 13/2023 does not require general registration of data processing like some countries do (there is no single Data Protection Authority where you register databases). However, certain high-risk activities trigger a need to submit documents to regulators. For instance, if a call center will process "sensitive personal data" (such as information on health, political views, biometric data, etc.), they must notify the MPS and possibly get approval. Also, if transferring data abroad or handling a large volume of data subjects, they might need to conduct and submit a Data Protection Impact Assessment (DPIA) or a Transfer Impact Assessment to A05. These are essentially filings rather than public registrations, but companies should keep records that they have carried out these compliance steps. In summary, while there isn't an open registry for personal data, outbound call centers handling customer data should be prepared for compliance documentation (privacy policy, consent records, DPIA reports) that could be requested by authorities.

Consumer Protection Portal: With the new consumer law, MOIT may introduce or enhance a consumer complaints database or require businesses to register certain information for remote sales. For example, e-commerce sites in Vietnam have to register with MOIT; if a company were purely doing telesales, it should at least have a clear presence (website or hotline) for consumer inquiries and could be subject to declaration if selling certain products. Companies should monitor the Vietnam Consumer Protection Authority's portal for any required registration related to distance selling contracts. At the time of writing, registrations are mostly for e-commerce and multilevel marketing, not one-off telesales, so the main registries of concern remain the DNC and brand name systems.

Extraterritorial Application: Vietnam's laws explicitly apply to overseas entities handling Vietnamese data or engaging with Vietnamese users. The Personal Data Protection Decree 13/2023 covers foreign organizations processing personal data of people in Vietnam. Likewise, the Cybersecurity Law and Decree 53 can obligate foreign telecom or internet service providers to comply with data storage and local office requirements if they provide services in Vietnam. In practical terms, if a foreign call center (say, in another country) is calling Vietnamese phone numbers, it is expected to follow the same consent and DNC rules as a local call center. Vietnamese authorities could coordinate with foreign regulators or use technical measures (blocking, filtering) if a foreign entity is spamming Vietnamese users.

Use of Local Partner for Advertising Calls: Vietnam's advertising law and Decree 91/2020 require that foreign businesses without a Vietnamese presence conduct advertising through a local service. A foreign company "wishing to advertise... in Vietnam" must hire a Vietnam-based advertising service provider to perform the activity. In other words, if a foreign company wants to run a telemarketing campaign targeting Vietnam, it should contract a licensed Vietnamese call center or marketing firm. That local partner would ensure compliance (checking DNC list, registering a brand name, etc.). If a foreign entity ignores this and directly cold-calls Vietnamese consumers, it would be violating Vietnamese law. The calls might be blocked by carriers, and the foreign company could be blacklisted, making it difficult to reach Vietnamese users in the future.

Caller ID and Access to Numbers: Foreign call centers typically cannot obtain Vietnamese telephone numbers to use as caller ID unless they go through a local telecom carrier. Vietnam does not allow "toll-free" or foreign numbers to be used as outbound caller ID into Vietnam. So a foreign call center often shows an international number when calling (+ foreign country code), which Vietnamese consumers may not answer. To improve pickup rates and legitimacy, foreign companies partner with local telecom operators to display a local number or a registered brand name. This again points to using a local intermediary. If a foreign company does manage to get a Vietnamese number (e.g., via VoIP providers), they must still register the brand name and comply with all spam call rules. Not being physically in Vietnam does not exempt them from, for example, refraining from calling DNC-listed numbers or calling only during allowed hours.

Data Transfer and Local Representative: Foreign firms that collect or use Vietnamese personal data (such as a list of Vietnamese customer phone numbers) should be aware of cross-border data rules. They may need to conduct a Transfer Impact Assessment and, upon request from MPS, appoint a representative office in Vietnam to handle data issues. While enforcement on an overseas entity is challenging, Vietnam can leverage cooperation mechanisms or, as a last resort, block communications from that entity's domains/lines if there is egregious non-compliance. To avoid such conflicts, foreign call centers should voluntarily comply: obtain explicit consent from any Vietnamese individuals they plan to call, honor opt-out requests (including the national DNC list entries, which are publicly available), and follow the same standards a Vietnamese company would.

Penalties and Legal Exposure: If a foreign company engages in practices that violate Vietnamese consumer protections (for instance, a misleading scam call impersonating a Vietnamese bank), Vietnamese authorities (MIC or MPS) can announce public warnings and work with telecom carriers to cut off the offending call traffic. The foreign company's local assets (if any) or partners could face fines. Additionally, Vietnam's 2018 Cybersecurity Law empowers the government to prevent and delete illegal content or transmissions; thus, repeated spam or fraud calls from abroad could result in technical blocking at the network level. For legitimate businesses, the key is to localize compliance: many multinationals set up local subsidiaries or hire local call centers to ensure they meet Vietnam's requirements. A foreign entity doing significant calling into Vietnam will likely need to register a branch/representative office eventually if it falls under regulated services. This rep office requirement can be triggered if the service has a large user base or has been found non-compliant with cybersecurity cooperation requests.

Summary for Foreign Operators: Treat Vietnam's call regulations with equal importance as your home country's rules. Ensure marketing calls to Vietnam are only made to consenting individuals, avoid contacting anyone on Vietnam's DNC list, use a proper identification when calling (preferably via a Vietnam-registered number/brand name), and follow the time and frequency limits. If unsure, work with a Vietnamese telecom provider or call center who can navigate the regulations. All the data privacy obligations (consent, security, responding to user requests about their data) apply to you as well. By aligning with Vietnam's laws, foreign companies can engage with Vietnamese consumers lawfully and respectfully, minimizing the risk of enforcement action or reputational damage.