Vietnam’s personal data protection legal framework has evolved significantly in recent years to address the growing importance of data privacy and security in the digital economy. Previously governed by Decree 13/2023/ND-CP (“Decree 13”), the regime has now been elevated with the enactment of Vietnam’s first comprehensive Personal Data Protection Law (Law No. 91/2025/QH15) (the “PDPL”) and its implementing decree (Decree No. 356/2025/ND-CP) (“Decree 356”). Both instruments took effect on 1 January 2026, replacing Decree 13 as the primary legal framework for personal data protection.

Below are the questions most frequently raised by foreign enterprises operating in Vietnam regarding their compliance obligations under the personal data protection framework. The answers will help you plan your compliance strategy in 2026.

1. Does the PDPL apply to our organization?
  • Yes, if your organization is established in Vietnam and engages in personal data processing activities.
  • Yes, if your organization is established outside Vietnam but directly participates in, or is otherwise connected to, the processing of personal data of Vietnamese citizens or individuals of Vietnamese origin whose nationality remains undetermined, provided such individuals reside in Vietnam and have been issued identity certificates.
2. What constitutes “Personal Data”?
  • Personal Data means digital data or information in other forms that identifies or enables the identification of a specific individual.
  • Personal Data includes the following categories:

    (i) Basic personal data: personal data reflecting common personal identity and background elements that are frequently used in transactions and social relations, as listed in the Government-issued catalogue (e.g., full name, date of birth, marital status).
    (ii) Sensitive personal data: personal data that is closely linked to an individual’s privacy and which, if violated, would directly affect the lawful rights and interests of agencies, organizations, or individuals, as listed in the Government-issued catalogue (e.g
3. What constitutes personal data processing?

Personal data processing refers to any activity that impacts personal data, including one or more of the following: collecting, analyzing, compiling, encoding, decoding, modifying, deleting, destroying, de-identifying, providing, disclosing, or transferring personal data, as well as any other activity that impacts personal data.

Accordingly, performing any one or more of these activities will result in an organization being considered as engaged in personal data processing, thereby potentially triggering the obligation to comply with Vietnam’s personal data protection regulations.

4. What are the lawful bases for processing personal data?

Consent remains the primary legal basis for processing personal data under the PDPL. However, several exemptions apply as outlined below.

  • Requirements for valid consent:

    Content: The data subject must be provided with sufficient information to give consent voluntarily and with full knowledge of the following: (i) the type of personal data to be processed and the purpose of the processing; (ii) the identity of the personal data controller or the personal data controller cum processor; and (iii) the rights and obligations of the personal data subject.
    Form: Consent from personal data subjects may be obtained through the following methods: (i) in writing; (ii) via recorded telephone calls; (iii) through consent syntax in SMS messages; (iv) via email, websites, platforms, or applications with technical settings configured for obtaining consent; or (v) by other appropriate methods capable of being printed or copied in writing, including electronic form or any verifiable format.

    Such methods must ensure verifiable capability regarding the identification of the data subject who provided consent, the time at which consent was given, and the content to which consent was provided.

    Principles: Consent must satisfy the following principles: (i) Consent must be specific to each processing purpose; (ii) Consent must not be made conditional upon acceptance of purposes beyond those expressly stated; (iii) Consent remains valid until withdrawn by the data subject or as otherwise prescribed by law; and (iv) Silence or non-response does not constitute valid consent.
  • Exemptions from consent requirement:

    (i) Processing is necessary to protect the life, health, honor, dignity, rights, or lawful interests of the data subject or other individuals in urgent situations, or to safeguard the legitimate rights or interests of the data subject, other parties, the State, or relevant agencies and organizations against acts infringing such interests. The personal data controller, personal data processor, combined controller-processor, and third parties bear the burden of proving the applicability of this exemption;
    (ii) Processing necessary to address emergencies, threats to national security not yet declared as a state of emergency, or the prevention and control of riots, terrorism, crimes, or other legal violations;
    (iii) Processing necessary to serve the activities of state agencies or state management functions in accordance with applicable law;
    (iv) To perform contractual obligations arising from agreements between the personal data subject and relevant agencies, organizations, or individuals as prescribed by law;
    (v) Other cases as expressly provided by law.
  • Rights of personal data subjects in relation to consent:

    (i) Except in cases where personal data processing does not require consent, the personal data subject has the right to withdraw consent previously given for personal data processing and to request restrictions on the processing of their personal data.
    (ii) The personal data controller or personal data controller-cum-processor must receive and implement, and require the personal data processor to implement, requests for withdrawal of consent and restrictions on personal data processing submitted by the personal data subject within the timeframes prescribed by law.
  • Rights of personal data subjects:

    (i) The right to be informed of personal data processing activities;
    (ii) The right to consent or withhold consent, and to request withdrawal of consent, for personal data processing;
    (iii) The right to access, correct, or request correction of personal data;
    (iv) To request the provision, deletion, or restriction of processing of personal data, and to lodge objections to personal data processing;
    (v) To complain, denounce, initiate lawsuits, and claim compensation for damages in accordance with law; and
    (vi) To request that competent authorities, agencies, organizations, and individuals involved in personal data processing implement measures and solutions to protect their personal data in accordance with law.

  • Obligations of regulated enterprises in respect of data subject rights:

Where an organization is classified as a personal data controller or personal data controller-cum-processor, it shall be subject to the following obligations:

  1. Establish clear processes, procedures, and forms to facilitate the exercise of personal data subject rights, in accordance with the organization’s personal data processing activities and the responsibilities of relevant departments;
  2. Ensure that personal data subjects are duly informed of the procedures for exercising their rights as prescribed by law;
  3. Respond to and implement requests from data subjects to exercise their rights within the timelines prescribed by law:
| Data subject request | Timeline for response | Timeline for implementation |
|---|---|---|
| Withdrawal of consent / Restriction of personal data processing / Objection to personal data processing | Two (2) working days | Fifteen (15) days from receipt of the request (or twenty (20) days if a personal data processor or third party is involved). This period may be extended depending on the nature and complexity of the request. |
| Viewing, editing, or requesting the editing of personal data; provision of personal data | Two (2) working days | Ten (10) days from receipt of the request (or fifteen (15) days if a personal data processor or third party is involved). This period may be extended depending on the nature and complexity of the request. |
| Deletion of personal data | Two (2) working days | Twenty (20) days from receipt of the request (or thirty (30) days if a personal data processor or third party is involved). This period may be extended depending on the nature and complexity of the request. |
| Implementation of measures and solutions to protect personal data | Two (2) working days | Fifteen (15) days from receipt of the request. This period may be extended depending on the nature and complexity of the request. |

Note: Failure to respond within the prescribed timelines may expose the organization to regulatory scrutiny and potential administrative penalties under the PDPL.

6. What are the data breach notification requirements?
  • Responsible parties: The personal data controller, personal data controller-cum-processor, and any third party involved in the processing activity.
  • Government body receiving notification: The Department of Cyber Security and Hi-Tech Crime Prevention under the Ministry of Public Security (the “A05 Department”).
  • Reportable data breaches: Violations of personal data protection regulations that may cause harm to national defense, national security, social order and safety, or that infringe upon the life, health, honor, dignity, or property of personal data subjects.
  • Notification deadline: Within 72 hours of the occurrence of the violation, using the prescribed mandatory form. Where an information system attack poses a risk to consumer information cybersecurity, the notification deadline is reduced to 24 hours. Any notification submitted after the applicable deadline must include an explanation for the delay. The notifying party is required to cooperate with the A05 Department in any subsequent investigation.
7. What are the requirements for preparing, filing, and updating a Data Protection Impact Assessment (“DPIA”)?
  • Responsible parties: The personal data controller, the personal data controller-cum-processor, and the personal data processor, as applicable.
  • Obligations:
    (i) Prepare, retain, and submit a copy of the DPIA to the A05 Department within sixty (60) days from the commencement of the relevant personal data processing activity.
    (ii) Update the DPIA periodically every six (6) months in the event of any regulated changes, or immediately in other cases as required by law.
  • Application form: The prescribed form is set out in Article 19 of Decree 356.
  • Exceptions: The DPIA requirement does not apply to, among others, household businesses and micro-enterprises, except where such entities are engaged in personal data processing services, directly process sensitive personal data, or process personal data of a large number of data subjects.
8. What are the requirements for appointing a data protection officer (“DPO”) or establishing a data protection department (“DPD”)?
  • Under the PDPL, agencies and organizations are required to designate a DPO or DPD with adequate capacity to protect personal data in accordance with applicable legal requirements, or alternatively, to engage organizations or individuals providing personal data protection services.
    This represents a departure from the former Decree 13, which applied this requirement only to agencies and organizations processing sensitive personal data and did not impose qualification requirements on appointed personnel.
  • The designation of personal data protection personnel or a personal data protection department must be documented in writing.
  • Agencies and organizations may appoint internal personnel or, where necessary, engage external service providers — whether individuals or organizations — that satisfy the applicable legal requirements for the provision of personal data protection services.
  • Note: Organizations should ensure that appointed personnel or engaged service providers possess demonstrable expertise in data protection law and practice, as the PDPL now imposes qualification requirements that were absent under the former Decree 13.
9. What are the requirements for the transfer of personal data?
  • Permissible grounds: Agencies and organizations may only transfer personal data on certain permitted grounds specified by law (e.g., transfer of personal data with the consent of the data subject; sharing of personal data between departments within the same agency or organization to process personal data in accordance with the established processing purpose).
  • Agreement requirements: Organizations and individuals transferring personal data must, prior to the transfer, enter into an agreement with the personal data recipient that clearly specifies the content required by law (e.g., the purpose of the transfer, the duration of processing, and the legal basis for the transfer).

Exceptions: An agreement is not required where personal data is shared between departments within the same agency or organization for processing in accordance with the established processing purpose.

10. Is cross-border transfer of personal data permitted under the PDPL? If so, what are the applicable requirements?
  • What constitutes a cross-border transfer of personal data under Vietnamese law?
  1. Personal data storage activities involving the transfer of personal data collected and stored in Vietnam to server systems located outside the territory of the Socialist Republic of Vietnam, or to cloud computing services provided by foreign service providers;
  2. The transfer of personal data from agencies, organizations, or individuals in Vietnam to recipient organizations or individuals located abroad; and
  3. Personal data processing activities in which data collected in Vietnam is transferred to platforms located outside the territory of the Socialist Republic of Vietnam for continued processing.
  • Requirements for cross-border data transfers:

From a data privacy perspective, the PDPL does not impose outright restrictions on cross-border data transfers. However, as with all personal data processing activities, in order for such transfers to comply with the PDPL, the party transferring personal data abroad (the “Personal Data Transferor”) must satisfy the following requirements:

  1. As a data controller, obtain valid consent from the relevant data subjects for the cross-border transfer of their personal data;
  2. Prepare, retain, and submit a copy of a cross-border transfer impact assessment dossier (the “TIA”) in respect of the cross-border data transfer.
  • Filing, Maintaining, and Updating the TIA Dossier
  1. Responsible party: The Personal Data Transferor.
  2. Specific obligations: (i) submit the TIA to the A05 Department within 60 days from the first day of the cross-border data transfer; (ii) periodically update the TIA every six months in the event of any regulated changes, or update it immediately in other cases as required by law; and (iii) retain the TIA at the head office throughout the operating period of the relevant organization or individual.
  3. Application form: The TIA must be prepared using the prescribed form set out in Article 18 of Decree 356 and is required to be submitted once.
  4. Exceptions: The TIA filing requirement does not apply to, among others:
    – Cross-border personal data transfers conducted for cross-border personnel management purposes in accordance with applicable labor rules, regulations, and collective labor agreements;
    – Cross-border provision of personal data for the purpose of executing contracts or completing procedures relating to cross-border transportation, logistics, remittances, payments, hotel reservations, visa applications, or scholarship applications;
    – Household businesses and micro-enterprises, except for those engaged in personal data processing services, those directly processing sensitive personal data, or those processing personal data of a large number of data subjects.
  • The A05 Department is entitled to inspect and audit the Personal Data Transferor’s personal data management practices and policies, including those governing cross-border transfers of personal data, on an annual basis or more frequently where deemed necessary.
  • Note: Organizations are advised to maintain comprehensive records of all cross-border data transfer activities and to ensure that internal policies and procedures are audit-ready in order to facilitate any inspection by the A05 Department.
11. Are there sector-specific rules applicable to our industry or business activities?

The PDPL represents a significant regulatory development by introducing sector-specific compliance requirements applicable to particular industries and activities, including employment, healthcare, insurance, financial services, advertising, telecommunications, cloud computing, and virtual reality.

Entities operating in or seeking to enter Vietnam’s digital market should carefully review these industry-specific provisions to ensure full compliance with the applicable regulatory framework.

12. What are the penalties for non-compliance, and what is the current enforcement landscape?
  • Penalties for non-compliance:

Vietnam has not yet enacted a dedicated decree on administrative penalties for data privacy violations. However, the PDPL establishes guiding principles pursuant to which the Government is expected to promulgate such penalties in a forthcoming implementing decree.

Notably, the PDPL introduces significant statutory caps on administrative sanctions, permitting fines of up to VND 3 billion (approximately USD 115,000) for most violations. Violations relating to cross-border transfers of personal data may attract more severe sanctions, with fines of up to 5% of the offending entity’s revenue in the preceding fiscal year. In cases involving the illegal purchase or sale of personal data, administrative fines may be imposed at up to 10 times the unlawful proceeds, which could substantially exceed the general cap. Where such proceeds cannot be determined, the fine reverts to the VND 3 billion statutory maximum.

In addition to these PDPL-specific caps, penalties are also prescribed under existing laws governing consumer protection, electronic transactions, and telecommunications. Key violations subject to such penalties include: (i) Collecting or using consumers’ information, or providing, sharing, or disseminating such information to other parties without obtaining consent as required by law; and (ii) Collecting, using, disseminating, or unlawfully trading in another person’s personal information.

  • Enforcement environment

In practice, while compliance with the PDPL among Vietnamese enterprises is improving, it remains incomplete. Many businesses have not yet fulfilled procedural requirements, such as the preparation and submission of DPIA and TIA dossiers, due to implementation complexity. Given the increase in government inspections and regulatory directives, companies are strongly advised to ensure compliance with PDPL requirements and to seek periodic legal consultation regarding regulatory developments.

The enforcement risk for non-compliance with personal data protection regulations remains relatively low due to practical challenges faced by Vietnamese authorities. However, regulators are increasingly prioritizing data protection enforcement and have demonstrated a greater willingness to scrutinize and penalize non-compliance.

For further guidance on compliance strategies tailored to your organization’s specific circumstances, please contact DFDL.

The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

DFDL Cambodia would like to take this opportunity to wish all our readers a healthy, happy and prosperous 2026. As we start the new year and come back to the office, we have put together this update to remind readers of the most recent and salient legal, tax and accounting annual compliance obligations for enterprises in Cambodia.

We note that annual compliance requirements may vary for different enterprises. In all cases, we encourage you to seek expert advice from a professional advisor regarding the annual compliance requirements that may be applicable to your entity.


M&A activities in Vietnam have been vibrant, with the number of economic concentration notification dossiers submitted to the Vietnam Competition Commission (“VCC”) steadily increasing over the years: from 63 dossiers in 2020, to 130 dossiers in 2021, and to 197 dossiers in 2024. This trend reflects the consistent growth of the national economy, while also indicating the increasing attention and compliance of foreign and domestic enterprises with Vietnam’s competition regulations.[1]

In September 2019, the Government of Vietnam issued Decree No. 75/2019/ND-CP on administrative penalties for competition violations (“Decree 75”). After five years of implementation, the Government has identified a number of issues which it seeks to address in the draft decree amending Decree 75 (“Draft Amending Decree”) released on 29 July 2025 for public consultation by the Ministry of Industry and Trade (“MOIT”).[2]

The MOIT has been collecting and addressing feedback on the Draft Amending Decree since its initial release, culminating in the most recent revision issued on 12 September 2025. We understand that the Draft Amending Decree is expected to be submitted to the Government for consideration in November 2025.

Key highlights of the Draft Amending Decree include the following:

    Decree 75 does not fully address enterprises’ obligation to comply with a decision imposing conditions on an economic concentration. Under the existing legal framework, failure to fully implement the conditions set out in a conditional economic concentration decision only results in administrative fines, which do not fully address potential market distortions caused by the lack of compliance.

    The Draft Amending Decree introduces a remedial measure explicitly requiring enterprises to fully comply with conditions under conditional economic concentration decisions.

    The Draft Amending Decree raises the administrative fine for competition violations committed by enterprises with zero (0) revenue in the relevant market during the preceding fiscal year from VND 100,000,000 – VND 200,000,000 (approx. USD 3,846 – USD 7,692) to VND 400,000,000 – VND 600,000,000 (approx. USD 15,385 – USD 23,077).

    The increased fine cap additionally applies to violating enterprises engaging in economic concentrations where the parties (i) are not within the same relevant market; (ii) do not operate at different stages in the same production, distribution, or supply chain for a specific type of goods or services; and (iii) do not have business lines that are input or supplementary to each other.

    3. Amendments to fines imposed on violations of failure to notify an economic concentration and other economic concentration violations
    3.1 Violations of (i) failure to notify an economic concentration and (ii) implementation of an economic concentration prior to preliminary appraisal/issuance of clearance decision

    Under the Draft Amending Decree, failure to notify an economic concentration will subject enterprises to a fixed fine, replacing the current percentage-of-revenue penalty mechanism under Decree 75. Specifically, violating enterprises will be subject to an administrative fine of (i) from VND 500,000,000 to VND 1,000,000,000 (approximately from USD 19,231 to USD 38,462) for enterprises with less than VND 3 trillion in assets, revenues or purchase turnover in Vietnam in the preceding fiscal year or (ii) from VND 1,000,000,000 to VND 2,000,000,000 (approximately from USD 38,462 to USD 76,923) for enterprises with at least VND 3 trillion in assets, revenues or purchase turnover in Vietnam in the preceding fiscal year. In either case, the fixed penalty is capped at 5% of the relevant enterprise’s total revenue in the relevant market during the preceding fiscal year.

    The same rule is proposed for implementing an economic concentration prior to the preliminary appraisal result or before the issuance of the clearance decision.

    3.2 Violations of (i) failure to implement/incomplete implementation of conditions set out in the decision on conditional economic concentration or (ii) implementing a prohibited economic concentration

    In contrast to cases applying the fixed-fine mechanism, violations involving failure to fully implement conditions specified in a conditional economic concentration decision, or implementation of a prohibited economic concentration, remain subject to the percentage-of-revenue penalty mechanism under the Draft Amending Decree. Accordingly, proposed fines for such violations will range from 1% to 5% of the total revenue of the violating enterprise in the relevant market during the preceding fiscal year.

    The Draft Amending Decree contemplates higher fines and more detailed remedial measures for these violations and imposes liability on a broader range of parties (e.g., parties involved in economic concentration, individuals/parties submitting notification dossiers, and those requesting exemptions for prohibited anti-competitive agreements, etc.).

    First-ever published fine for failure to file a merger notification issued by the VCC

    The proposed amendments to the penalty decree underscore a more rigorous focus on competition enforcement, which is further illustrated by the first-ever published fine for failure to file a merger notification in Vietnam: an administrative penalty imposed on Duc Giang Lao Cai Chemicals One Member Limited Liability Company (“Duc Giang”) and Phosphorus 6 One Member Limited Liability Company (“Phot Pho 6”).[3]

    In 2024, Duc Giang was fined VND 1,323,982,880 (approximately USD 50,000), while Phot Pho 6 received a fine of VND 100,000,000 (approximately USD 3,800). The sanction stemmed from Duc Giang’s acquisition of 100% interest in Phot Pho 6 without notifying the VCC, as legally required under Article 44.1 of the Law on Competition.

    Duc Giang appealed the decision arguing that a warning should have been issued instead of the penalty, but the appeal was rejected as the only penalty available under Decree 75 was the fine. To date, we are not aware of any public information regarding the relevant market determination, the methodology used to calculate the fines imposed on the purchaser and the target or why the seller was not also penalized in this case.

    Together, this first imposed penalty and the focus on amending the penalty structure under Decree 75 demonstrate the VCC’s increasing monitoring and enforcement efforts which parties to M&A transactions should carefully consider in their regulatory and risk assessments relating to economic concentrations under Vietnam’s merger regime.



    1. https://vcc.gov.vn/default.aspx?page=news&do=detail&category_id=e0904ba0-4694-4595-9f66-dc2df621842a&id=a0a20963-d194-47f1-8366-277436ed7aaa. Note: This article is available in Vietnamese only.
    2. https://vcc.gov.vn/default.aspx?page=news&do=detail&category_id=e0904ba0-4694-4595-9f66-dc2df621842a&id=4f6a3cf5-7904-4b6f-8006-6bc17ccfda61. Note: This article is available in Vietnamese only.
    3. Page 17, 2024 Annual Report, issued by the VCC of the MOIT. Available at: https://en.vcc.gov.vn/?page=document&category_id=4e53a6f8-2c47-4fe0-8625-97169914b781&current_id=7a6db5ba-88dd-4f41-8f46-9ba54b5b05dc#

    Background:

    The Ministry of Health’s Food and Drug Administration (FDA) has issued “Minimum Compliance Points for Food Businesses” to align domestic food safety inspection and certification with Codex Alimentarius, ASEAN standards, and the National Food Safety Policy. These requirements are mandatory for all food production businesses and are enforced through systematic inspections based on Good Manufacturing Practices (GMP).

    Scope:

    • Applies to all food businesses (72 points) and drinking water purification businesses (66 points).
    • Developed in accordance with Codex General Principles of Food Hygiene.
    • Effective from June 2023, with official adoption confirmed in July 2025.

    Minimum Compliance Points – Summary Table

    | Section | Compliance Area | Example Criteria/Requirements |
    |---|---|---|
    | 1 | Location of Establishment & Premises | Free from contaminants, not flood-prone, clean, pest-free |
    | 2 | Building Design | Segregated processing areas, durable/cleanable materials, proper drainage, pest-proof windows |
    | 3 | Facilities | Adequate hygiene facilities, waste disposal, storage, cleaning facilities |
    | 4 | Cross Contamination | Separation of raw and ready-to-eat foods, foreign body prevention |
    | 5 | Equipment & Tools | Non-toxic, rust-free, easy to clean, proper waste containers |
    | 6 | Utilities (Water, Ice) | Use of potable water, regular testing, proper ventilation and lighting |
    | 7 | Preventive Maintenance | Well-maintained equipment and premises |
    | 8 | Cleaning & Sanitation | Clean premises/equipment, safe chemical use, written cleaning programs |
    | 9 | Pest Control Systems | No infestation, sealed entry points, exclusion of animals |
    | 10 | Waste Management | No waste accumulation, clean waste containers |
    | 11 | Personnel Hygiene | Healthy staff, medical checks, personal cleanliness, protective clothing |
    | 12 | Incoming Raw & Packaging Materials | Approved sources, inspection, non-toxic packaging |
    | 13 | Transportation | Suitable vehicles, temperature/humidity control, cleanliness |
    | 14 | Product Information & Consumer Awareness | Proper labeling, recall procedures |
    | 15 | Training | Staff trained in hygiene and chemical handling, regular review of training programs |
    | 16 | Control of Operations | Temperature/time controls for storage and processing |
    | 17 | Additives | Use and recording of approved additives, detection of adulterants |

    Inspection Process:

    • All 72 points must be checked for food businesses (66 for water businesses).
    • Each criterion is rated as “Good” or “Needs Work,” with corrective actions and deadlines required for nonconformance.
    • Inspections are to be revised every three years.

    Non-compliance may result in enforcement actions, including suspension of production approval. Businesses should review their operations against these points and implement corrective measures as needed.

    Action Required:

    Food businesses should conduct an internal audit using the above compliance points, address any deficiencies, and maintain documentation to demonstrate ongoing compliance during FDA inspections.


    On 20 August 2025, the Directorate of Investment and Company Administration (DICA) issued an announcement outlining companies’ obligations under Section 141 of the Myanmar Companies Law (“the Law”). Key highlights include:

    Registered Office Requirement: Under the Law, every company must maintain a registered office from the date of incorporation to receive official communications and notices. Any change to the registered office address must be reported to the Registrar in accordance with the provisions of the Law.

    Verification of Addresses: To ensure the accuracy of registered office information submitted via the Myanmar Companies Online (MyCO) system, companies must, when filing their Annual Return (which must be filed within two months of incorporation), provide evidence verified by the relevant authorities that both the directors’ residential addresses and the company’s registered office are genuine. Foreign directors are also required to submit Immigration Form C.

    Non-Compliance Penalty: DICA has emphasized that failure to comply with the requirements under Section 141 may result in a fine of MMK 400,000, in addition to other enforcement actions.

    Compliance Reminder: Companies are encouraged to review their compliance with these requirements to ensure proper registration and avoid potential penalties.

    On 19 February 2025, the Ministry of Interior (“MOI”) issued Notification No. 571 (“Notification 571”) on the Obligation to Comply with the Requirements under the Law on Associations and Non-Governmental Organizations (“LANGO”). Notification 571 serves as the fourth reminder from the MOI for associations and local non-governmental organizations (“LNGOs”) to adhere to the obligations outlined under the LANGO. The objectives of Notification 571 are to safeguard both the public interest and the interests of associations and LNGOs in accordance with the law. Additionally, it seeks to strengthen the relationship between these associations, LNGOs, and the public authorities.

    To achieve these objectives and in accordance with the LANGO, Notification 571 reiterates the obligations for associations and LNGOs, along with the timeline for compliance, as follows:

    | Obligation | Timeline |
    |---|---|
    | Submission of a written notification detailing the bank account used for operations in Cambodia to the MOI and the Ministry of Economy and Finance (“MEF”). | Within 30 days from the registration date. Associations or LNGOs that have failed to notify in the past must notify by the end of March 2025. |
    | Submission of the summary of the activities report and annual financial report of the LNGOs to the MOI and MEF. | Before the end of February 2025. |
    | In case of receiving financial aid from donors, the LNGOs must submit: (1) a copy of the summary report of activities and the annual financial report, copied from the original document submitted to the donors; and (2) a copy of documents related to the activities program and the financial agreement that the donors have agreed to provide such aid. The above documents must be kept at the registered office of the LNGOs for five years. | (1) Within 30 days from the date of sending it to the donors. (2) Within 30 days from the date of the agreement of the donors. |
    | Submission of a written notification to the MOI on the changes in LNGO’s particulars such as the amendment of its statute, registered address, change of director or executive director, and change of information regarding bank account, the operation. | Within 15 days from the date of such change. |

    In line with the LANGO, Notification 571 further emphasizes that associations and LNGOs shall refrain from:

    1. engaging in any activities that are contrary to those outlined in their statute, applicable laws, and regulations; and
    2. undertaking any activities designed to generate profit for their own benefit or distributing profits, or activities that may endanger security, stability, public order, national security, national unity, culture, or traditions of Cambodia. 

    It is advisable for associations and LNGOs to adhere to the requirements under Notification 571 to avoid non-compliance, which may result in removal from the registration list under the LANGO.

    DFDL Cambodia would like to take this opportunity to wish all our readers a healthy, happy and prosperous 2025. As we start the new year and come back to the office, we have put together this update to remind readers of the most recent and salient legal, tax and accounting annual compliance obligations for enterprises in Cambodia.

    We note that annual compliance requirements may vary for different enterprises. In all cases, we encourage you to seek expert advice from a professional advisor regarding the annual compliance requirements that may be applicable to your entity.

    *Our previous article on the proposed amendments introduced by the Personal Data Protection (Amendment) Bill 2024 is accessible here.

    Pursuant to a notification in the Gazette published on 24 December 2024, the Personal Data Protection (Amendment) Act 2024 (“PDPA Amendment Act”), which received royal assent on 9 October 2024, is set to come into effect in 3 phases. The first phase will commence on 1 January 2025, followed by the second phase scheduled on 1 April 2025, and the final phase on 1 June 2025. We set out below an overview of each phase.

    First phase

    Sections 7, 11, 13 and 14 of the PDPA Amendment Act to be effective on 1 January 2025

    • Allows for service of notices or any other document which may be given under the Personal Data Protection Act 2010 (“PDPA”) upon any person by way of electronic means. 
    • The amendments are generally administrative in nature and do not impose new obligations.

    Second phase

    Sections 2 – 5, 8, 10 and 12 of the PDPA Amendment Act to be effective on 1 April 2025

    (a) Change in terminology and revision to definitions

    • Substitution of the term “data user” with “data controller”.
    • Definition of “sensitive personal data” expanded to include “biometric data”.
    • “Personal data breach” defined to mean any breach, loss, misuse or unauthorized access of personal data.
    • Exclusion of personal data of deceased individuals from the scope of the PDPA.

    (b) New obligation on data processors

    • Data processors will be directly regulated under the security principle outlined in section 9 of the PDPA when processing personal data.
    • Non-compliance will result in penalties imposed directly on data processors.

    (c) Increased penalties

    • Maximum penalties for non-compliance with the personal data protection principles increased to a fine of RM1,000,000 from RM300,000 and/or imprisonment for a term of 3 years from 2 years.

    (d) Amendments to cross-border data transfers

    • Removal of whitelisting regime.
    • Permits the transfer of personal data to countries with substantially similar data protection laws or equivalent levels of protection.

    Third phase

    Sections 6 and 9 of the PDPA Amendment Act to be effective on 1 June 2025

    (a) Mandatory appointment of data protection officer

    • Both data controllers and data processors must appoint a data protection officer to oversee compliance with the PDPA.

    (b) Mandatory data breach notification

    • Data controllers are required to notify the Personal Data Commissioner (“Commissioner”) of personal data breaches.
    • Where the breach is likely to cause significant harm to the data subject, data controllers must also notify the data subject.

    (c) New rights to data portability for data subjects

    Guidelines and Revised Personal Data Protection Standard to be Issued

    According to an announcement by the Commissioner on 18 November 2024, four guidelines and a revised version of the Personal Data Protection Standard are expected to be issued in early 2025, with the remaining three guidelines to follow in the third quarter of 2025. The first four guidelines to be published address areas such as the Data Protection Officer, Data Breach Notification, Cross-border Data Transfer and Data Portability. It is anticipated that these guidelines will provide clearer details and practical steps to facilitate compliance with the amended regulations. While we await the finalized guidelines, businesses and organizations are encouraged to review their existing privacy policies and personal data processing practices, and to identify any updates required to align with the amendments introduced by the PDPA Amendment Act.

    DFDL Compliance and Investigations Practice Group

    DFDL’s compliance and investigations practice works side-by-side with other practice groups and leverages our expertise across a range of compliance risks including data protection, cyber security, anti-bribery and anti-corruption, anti-money laundering, legal design for UX/UI compliance, and human rights supply-chain due diligence. With our extensive experience in Asian emerging markets we can help in proactively assessing compliance risks, developing policies and procedures, as well as support with compliance failure mitigation and investigations.

    On 29 August 2024, the Ministry of Tourism (“MOT”) and the Ministry of Economy and Finance issued Joint Prakas 537 on the Penalties under the Authority of the Ministry of Tourism (“Joint Prakas 537”), setting out a list of penalties for violations of the Law on Tourism and related tourism regulations that are under the authority of the MOT. Joint Prakas 537 will come into effect on 1 October 2024, abrogating previous Prakas such as Joint Prakas 160 on Tourism Related Penalties dated 17 February 2020.

    The penalties under Joint Prakas 537 include monetary fines (to be paid by specified deadline) and subsequent fines on late payment of up to 20 million riels (approximately USD 5,000).

    We note that this new regulation provides clarity, particularly with respect to the delegation of authority to the capital and provincial administrations and some changes regarding the monetary fines, in comparison to the previous Prakas.

    The table below highlights some of the key offenses and penalties:

    In light of the above, we recommend business operators adhere to the requirements set out in the Law on Tourism and to check the expiration date of their licenses or obtain a new license, if necessary, as failure to do so may result in monetary fines as specified in this Prakas.

    The Personal Data Protection (Amendment) Bill 2024 (“PDP Bill”) was passed by the Dewan Rakyat (House of Representatives) on 16 July 2024 and, subsequently, by the Dewan Negara (the Senate) on 31 July 2024. The PDP Bill is not yet in force. To come into effect, it must be presented for Royal Assent and will only become law upon publication in the Gazette on a date to be appointed by the Digital Minister.

    The PDP Bill proposes several revisions to the Personal Data Protection Act 2010 (“PDPA”) to bring Malaysian data protection legislation closer in line with international norms. The key amendments introduced by the PDP Bill are set out below:

    1. Change in terminology

    2. Increased penalties

    3. Data processors to comply with the security principle

    4. Mandatory data breach notification to the Personal Data Protection Commissioner

    The Personal Data Protection Commission has, on 19 August 2024, issued 3 consultation papers (collectively, “Consultation Papers”) including Public Consultation Paper No.01/2024 (The Implementation of Data Breach Notification) to ask for public feedback in relation to the development of the Personal Data Protection (Personal Data Breach Notification) Regulations and the Data Breach Notification Guideline.

    These include feedback on: (a) the notification thresholds and timeline for both breach notifications to the Commissioner and to data subjects; (b) the manner and form in which such notifications are to be made; (c) applicable exemptions from the requirement to notify data subjects of a breach; (d) the obligations of data processors in relation to the breach notification obligations; (e) the concurrent application of the proposed data breach notification regime with that of other laws/sectoral breach notification regimes; and (f) management of personal data breaches and record keeping obligations.

    5. Requirement to appoint data protection officer(s)

    The second public consultation paper, Public Consultation Paper No.02/2024 (The Appointment of Data Protection Officer), seeks public feedback on: (a) the threshold requirement for mandatory appointment of a data protection officer; (b) consistency with other legal requirements for a role similar to a data protection officer; (c) sector-specific risks for data protection officers to be aware of when carrying out their functions; (d) reporting lines; (e) regional data protection officer appointment and local residency requirements; (f) minimum expertise, qualifications, and certifications; and (g) factors the Commissioner may consider in exercising its discretion to mandate the appointment of a data protection officer.

    6. New rights to data portability

    The third public consultation paper, Public Consultation Paper No.03/2024 (The Right to Data Portability), seeks public feedback on: (a) the readiness of data controllers for the right to data portability; (b) the types of personal data subject to such right; (c) timeline for compliance after a request from data subjects; (d) whether there should be a time limit / limitation period imposed on such requests for personal data processed and retained by the data controller prior to the request; (e) whether fees are to be chargeable for responding to such requests; and (f) the method for transmitting personal data arising from a data portability request.

    7. Sensitive personal data to include biometric data

    8. Abolishment of the current whitelist cross-border transfer regime

    9. Data subjects to exclude deceased individuals

    What’s Next?

    The amendments proposed by the PDP Bill represent a significant advancement in the country’s data protection framework, reflecting a growing commitment to safeguarding personal data in an increasingly digital age. The proposed amendments will, upon coming into force, enhance transparency, accountability, and control for data subjects over their personal data, aligning Malaysia

    The Insurance Regulator of Cambodia (“IRC“) issued Prakas No. 044 on Rules and Guidelines for Reinsurance (“Prakas 044“) dated July 12, 2024. Prakas 044 applies to general insurance companies, life insurance companies, reinsurance companies, and microinsurance companies operating in Cambodia.

    Prakas 044 specifies that insurance companies must obtain prior approval from the IRC after receiving a resolution from their board of directors for both offshore and onshore reinsurance agreements and reinsurance policies. After the approval, any changes to these reinsurance agreements or reinsurance policies also require IRC approval: within 15 days for reinsurance agreements and within 30 days for reinsurance policies, following the board resolution.

    Prakas 044 stipulates that insurance companies must manage risk by adhering to limits based on a basic model for each risk and event related to their insurance products. They are prohibited from issuing policies with amounts exceeding their insurance retention thresholds unless covered by reinsurance.

    • Reinsurance Agreement: Insurance companies must obtain prior approval from the IRC for preparing reinsurance agreements after receiving a resolution from their board of directors. For any upcoming agreements, insurance companies should apply for this approval before November 1 each year or concurrently with their insurance product applications. Insurance companies may transfer excess risk beyond their insurance retention thresholds to reinsurance companies, whether offshore or onshore, as long as it complies with the terms outlined in Prakas 044.
    • Reinsurance Policy: Insurance companies are required to prepare their reinsurance policies and submit them to the IRC within 30 days of the board resolution. Additionally, they must review and evaluate their reinsurance policies at least once every three years.

    Both reinsurance agreements and reinsurance policies must be prepared in accordance with the terms and conditions set forth in Prakas 044. The IRC also requires insurance companies to submit a report summarizing their reinsurance activities by January 15 of the following year.  

    Under Prakas 044, if there is non-compliance, the IRC allows insurance companies to explain their situation before any disciplinary sanctions are imposed. Please note that sanctions for violations of Prakas 044 will be in accordance with the Law on Insurance and other relevant regulations.

    Overview

    Prakas 095 on Unfair Practices in Business Related to Advertisements and Sale Promotions was issued on 12 April 2024 by the Ministry of Commerce (“Prakas 095”). Prakas 095 covers unfair practices in business related to advertisement and sale promotions that are not addressed by the Law on Consumer Protection, with the objective of protecting consumers’ rights and interests.

    Prakas 095 applies to all persons (including individuals and entities) engaged in supplying and advertising goods and services that provide false or misleading promises, advertisements or representations via any form or method, including digital methods, within the Kingdom of Cambodia. The main prohibitions outlined by Prakas 095 encompass three areas: (1) prize giveaways; (2) advertisements and sale promotions; and (3) false or misleading advertisements.

    We summarize the key prohibitions as follows:

    Certain Prohibited Unfair Practices

    Prize giveaways

    1. not giving away prizes, giving insufficient prizes compared with the plan, or giving prizes of a value not equivalent to that planned, except where there is acceptable evidence; and
    2. providing fake, false or deceptive documents or information related to the identity of the prize winner and not providing any other relevant documents as required by the investigating officer of the Consumer Protection Competition and Fraud Repression Directorate-General (“CCF”).

    Business operators who will conduct advertisements attached with prizes must submit the prize giveaway plan and documents and information related to the identity of prize winners in a timely manner as required by the investigating officer of the CCF.

    Advertisement and sale promotions

    1. having minors offer prizes and advertisements related to alcoholic or energy drinks, or any other practices prohibited by other relevant regulations;
    2. using labels or any kind of advertising sign that does not have Khmer letters, or on which the Khmer font is not above the foreign font or is not twice as large as the foreign font;
    3. advertising goods and services that are prohibited to commercialize and/or to advertise; and
    4. advertising goods and services without displaying the minimum information as required by applicable regulations.

    False or misleading advertisements

    1. encouraging minors to think, speak or act contrary to tradition and morality, or adversely affecting the health, safety or natural development of minors;
    2. using words or phrases such as the best, only one, number one, superior, unmatchable, or words with similar meanings without proper documentation certified by the relevant ministries, institutions and authorities;
    3. using words or phrases such as pop to win, scratch to win, buy to win, open to win, pop more win more, scratch more win more, buy more win more, or using words or phrases that have similar meanings without specifying to the consumer the types of goods and services to be provided;
    4. using words, writings or pictures that are false, misleading, distorting the truth, or obscene;
    5. using articles or spot advertisements that are not in accordance with a compliance certificate issued by the MOC;
    6. hiring or ordering any person to falsely promote that they have received a prize or other benefits from any goods or services; and
    7. comparing one’s own goods and services with the goods and services of others with the intent to downgrade or harm the others’ products and services.

    Prakas 095 also stipulates the necessary requirements that business operators must adhere to when conducting sale, clearance sale, special discount, goods and services bundled with additional services exceeding the requirements (as a package), and lucky draw.

    Any individual who commits an offence in violation of the provisions under Prakas 095 relating to, among others, reporting to the CCF, prize giveaways, advertisement and sale promotions will be subject to an interim fine not exceeding KHR 50,000,000 (approximately USD 12,500) or, for violation of provisions relating to false or misleading advertisements, not exceeding KHR 80,000,000 (approximately USD 20,000).

    PRAKAS 084 ON FORMALITIES, PROCEDURES AND MEASURES TO MANAGE ADVERTISEMENT OF ALCOHOLIC PRODUCTS

    Overview

    The Ministry of Information (“MOI”) issued Prakas 084 on Formalities, Procedures and Measures to Manage Advertisements of Alcoholic Products (“Prakas 084”) on 23 July 2024 to regulate advertisements of alcoholic products. Prakas 084 applies to all alcoholic products containing more than 3% ethanol content and covers all forms and means of advertisement, including digital advertising in Cambodia.

    Key Provisions under Prakas 084

    1. Permit Requirement

    All individuals and entities intending to advertise alcoholic products must apply for a permit from the Alcoholic Products Advertisement Management Working Group (“Working Group”). Applications can be submitted online or offline through the one-window service of Secretariat of the Working Group located at the MOI. The Secretariat of the Working Group has seven working days upon receipt of application documents to review the application. If the application documents are sufficient, the Secretariat of the Working Group will issue a permit in digital form.

    It is important to note that, in addition to the above permit, business operators may request a compliance certificate from the Ministry of Commerce (on a voluntary basis) to confirm that the advertisement complies with applicable laws.

    2. Key Advertisement Principles

    There are certain key principles for advertisements of alcoholic products:

    1. Content Restrictions:
      1. displaying required warning messages (i.e., ‘drink do not drive’ or ‘drink responsibly’) clearly and visibly in a font size 1/4 of the advertisement size and avoiding the use of characters, logos, or themes for the purpose of attracting minors;
      2. alcohol advertising must not depict alcohol consumption before or while driving, claim health benefits for pregnant or breastfeeding women, or make general health claims;
      3. respect for religious beliefs, cultural values, and women’s health and well-being is required; and
      4. prohibiting the use of exaggerated descriptions, linking alcohol consumption to sexual performance or attractiveness, depicting alcohol consumption in advertisement, encouraging alcohol consumption on stage, targeting minors, or using minors as advertisers.
    2. Time Restrictions: No alcohol advertising on television and radio between 6 PM and 8 PM except for simple display of logo or product name.
    3. Location Restrictions: No alcohol advertising within 200 meters of educational, health, religious, cultural and historical institutions, and international airports.
    4. Online Advertising: Alcohol advertisements on electronic platforms must include a warning message prohibiting minors from viewing them.

    3. Compliance and Enforcement

    Individuals and entities that have advertised or are currently advertising alcoholic products must obtain a permit from the Secretariat of the Working Group within three months of the issue date of Prakas 084, being 23 October 2024. Media outlets are required to broadcast only advertisements of alcohol products authorized by the Working Group. Non-compliance with Prakas 084 will result in legal action under the applicable laws and regulations.

    Considering the above, businesses involved in alcoholic products advertising must carefully review Prakas 084 to ensure compliance. Key actions include obtaining permits on advertising, adhering to strict content principles to avoid penalties, and reviewing existing advertising materials to ensure compliance.

    The Ministry of Labour and Vocational Training and the Ministry of Economy and Finance issued Joint Prakas 498, which replaced the previous Joint Prakas 659 on Monetary Fines for Those Who Violate the Provisions of the Labour Law dated 6 June 2016. The new Joint Prakas 498 updates the penalties for those who violate the provisions of the Labour Law and consolidates the increase of the daily base wage and related penalties.

    The key updates introduced by Joint Prakas 498 are highlighted below:

    (1) increase of daily base wage: the daily base wage, used to calculate penalty for any non-compliance with the Labour Law, is increased from KHR 40,000 (approximately USD 10) to KHR 80,000 (approximately USD 20). There is also a new separate daily base wage of KHR 200,000 (approximately USD 50) used for the calculation of the penalty for violation of Articles 261, 264 and 372 of the Labour Law on work permit and employment of foreign nationals as stated under Joint Prakas 326 on the New Daily Base Wage dated 25 November 2022 (“Joint Prakas 326”); and

    (2) removal of the monetary penalty by a competent court: monetary fines that can be imposed by a competent court included in the previous Joint Prakas 659 have been removed from Joint Prakas 498. Instead, under Joint Prakas 498, if an offender refuses to pay the fine as determined, the Labour Inspector will file a case to the competent court in accordance with the legal procedures in force.

    In the table below, we highlight some of the offences related to labour registration obligations:

    | Description | Article of the Labour Law | Daily Wage (Khmer Riel) | Number of days for fine | Amount of fine (Khmer Riel) | Amount of fine (USD) |
    |---|---|---|---|---|---|
    | | | 1 | 2 | 3 = 1×2 | USD 1 = 4,000 Khmer Riels |
    | Failure to declare opening and closing of enterprise | Articles 17 and 18 | 80,000 | 63 | 5,040,000 | 1,260 |
    | Failure to register enterprise establishment book | Article 20 | 80,000 | 21 | 1,680,000 | 420 |
    | Failure to declare staff movement (in) and (out) | Article 21 | 80,000 | 42 | 3,360,000 | 840 |
    | Absence of internal work rules | Article 22 | 80,000 | 21 | 1,680,000 | 420 |
    | Failure to apply for visa-in or visa-out in workbook for entry or departure of Cambodian employees | Article 37 | 80,000 | 21 | 1,680,000 | 420 |
    | Absence of payroll ledger | Article 39 | 80,000 | 63 | 5,040,000 | 1,260 |
    | Failure to conduct election of shop stewards or comply with election procedures | Article 283 | 80,000 | 63 | 5,040,000 | 1,260 |
    | Failure to elect shop stewards for next mandate | Article 292 | 80,000 | 63 | 5,040,000 | 1,260 |
    | Failure to obtain approval of quota for employing foreign employees* | Article 264 | 200,000 | 63 | 12,600,000 | 3,150 |
    | Hiring foreign employees without valid work permits | Article 372 | 200,000 | 63 | 12,600,000 | 3,150 |
    | Foreign National who conducts business in Cambodia without valid work permits including self-employed person* | Articles 261 and 382 | 200,000 | 252 | 50,400,000 | 12,600 |

    *For more details on the work permit penalty for foreign national who conducts business in Cambodia including self-employed person without a work permit, please check our article in the following link.

    HUSK was founded in 2017 in Cambodia by Heloise Buckland and Carol Rius and produces biochar (a carbon-like byproduct of organic waste materials), carbon-based fertilizers and crop protection products, offering innovative solutions to local farmers. The company has received a USD 5 million capital injection from Mekong Capital, a leading Private Equity fund in Vietnam, which will help fuel its product development and its regional expansion.

    DFDL advised Mekong Capital on the transaction, including legal due diligence and advice on regulatory approvals. The DFDL team included partners, Chris Robinson and Vansok Khem, Soromnear Sin and Davin Hor.

    In recent weeks, cyber-attacks in Vietnam, particularly ransomware attacks, have been on the rise and are anticipated to become more complex in the near term, posing a serious risk to both economic and social development activities. Specifically, since late March, Vietnam has witnessed at least three large-scale data encryption attacks targeting major companies such as VnDirect, PVOil, and a telecommunications service provider, along with incidents affecting smaller businesses.

    Government agencies assess that hackers continue targeting critical entities with increasingly sophisticated methods. These hacks have the potential to disrupt entire operations and transactions, making sensitive data irrecoverable once it falls into the hands of hackers.

    Given this situation, on 8 April 2024, the Prime Minister of Vietnam issued a directive requesting ministries, sectoral, and local government agencies to review and assess the current cybersecurity situation.

    Specifically, the Prime Minister noted and admitted that certain sectors and areas have not implemented cybersecurity regulations effectively, resulting in incidents and potential risks to Vietnam’s cyberspace safety. Consequently, the Prime Minister directed as follows:

    1. Ministers, heads of ministerial-level agencies, and heads of central-affiliated cities and provinces to oversee directly and ensure cybersecurity within their scope of supervision.

    2. State agencies, organizations, and state-owned enterprises are required to review comprehensively and assess the cybersecurity status of systems under their management, as guided by the Ministry of Information and Communications.

    3. In the event of a cyberattack, agencies, organizations, and enterprises are required to report incidents, comply with the coordination and instructions of the National Coordination Agency (i.e. Vietnam Cybersecurity Emergency Response Teams/Coordination Centre – VNCERT/CC), collect and analyze information, address and mitigate incidents, investigate causes and trace origins, and issue statements and disclosures.

    4. The Ministry of Information and Communications is tasked with guiding ministries, sectors, and localities in reviewing and evaluating the cybersecurity status of state agencies, organizations, and enterprises’ information systems prior to 11 April 2024.

    With this new directive, as soon as guidance from the Ministry of Information and Communications is sent to businesses, they need to immediately conduct a review of their information systems, and report/notify VNCERT/CC and relevant agencies/parties when any incident occurs that affects their systems in Vietnam.
