Under personal data protection laws, what are the obligations of enterprises?


LexNovum Lawyers


19/05/2026

Currently, the legal framework on personal data protection is being progressively refined in a more detailed and stringent manner. In addition to the Personal Data Protection Law (“PDPL”) and Decree No. 356/2025/ND-CP (“Decree 356”), both of which have already taken effect, the draft Decree on administrative sanctions in this sector has completed the public consultation process and is currently being submitted to the Government for approval, with issuance expected in 2026. These developments demonstrate that the regulatory approach to personal data processing is no longer limited to merely establishing compliance obligations, but is increasingly accompanied by specific supervisory mechanisms and enforcement measures. Accordingly, enterprises are required not only to “fully perform their statutory obligations” but also to “be prepared to demonstrate compliance” in practice. In the event of non-compliance, enterprises may face significant legal risks, including administrative penalties, obligations to compensate for damages, and even criminal liability, depending on the nature and severity of the violation.

In LNV’s experience, depending on each specific data processing flow, an enterprise may assume different roles, each of which entails distinct legal obligations. Failure to properly identify such a role is one of the common reasons why enterprises fail to fully or accurately comply with the applicable statutory requirements.

On that basis, in order to assist enterprises in correctly identifying their roles in personal data processing activities, thereby determining and performing the corresponding legal obligations and mitigating operational risks, this article will focus on analyzing: (i) the roles of enterprises in personal data processing activities; and (ii) the obligations of enterprises under personal data protection laws.

1. Roles of enterprises in personal data processing activities

As mentioned above, accurately identifying the role of an enterprise in personal data processing activities is of critical importance, as it serves as the basis for determining the full scope of legal obligations with which the enterprise must comply. Depending on the complexity and diversity of the relevant “personal data processing flows”, an enterprise may assume different roles, including that of a Data Controller, Data Processor, Data Controller-cum-Processor, or even all of these roles simultaneously.

For example, in practice, in order to conduct business and production activities, enterprises inevitably have the need to “employ labor”. Accordingly, during the course of employment, the enterprise will (i) decide on the purposes and means of processing; and (ii) directly process (for example, collect and store) the personal data of employees. Therefore, in all cases relating to the processing flow of employees’ personal data, the enterprise acts as a Data Controller-cum-Processor. However, where the same enterprise, in addition to processing its employees’ personal data, also provides recruitment services (head hunting), payroll and social insurance administration services, or any other services involving the nature of “personal data processing” on behalf of another entity, such enterprise would, in addition to its role as a Data Controller (or Data Controller-cum-Processor) as mentioned above, simultaneously assume the role of a Data Processor for the enterprises to which such services are provided.

This is precisely why LNV believes that, before determining the obligations with which an enterprise must comply, the enterprise should first identify the personal data processing flows currently involved in its operations, as well as the specific roles it assumes in each of those processing activities.

2. Obligations of enterprises under personal data protection laws

Based on LNV’s experience, most enterprises assume the role of a Data Controller, at least in relation to the personal data of the employees they employ. Accordingly, the obligations arising from such a role may be regarded as the general obligations applicable to enterprises. In addition, depending on the nature of the services provided by the enterprise, it may also assume other roles, giving rise to separate and specific obligations. Details are as follows:

2.1. General obligations

a. Obtaining the data subject’s consent before the processing of personal data

Before processing personal data, enterprises are obligated to obtain the data subject’s consent authorizing the enterprise to process his/her personal data. Such consent shall only be deemed valid if it fully satisfies the requirements as to both form and content in accordance with Article 9 of the PDPL and Article 6 of Decree 356.

b. Establishing and communicating procedures for the exercise of data subjects’ rights

This is a new obligation imposed on enterprises under Article 5.1 of Decree 356. Specifically, enterprises are required to establish clear procedures, processes, and templates for the exercise of data subjects’ rights, in a manner appropriate to the relevant personal data processing activities and the responsibilities of the related departments. Enterprises must also ensure that data subjects are informed of the procedures for exercising their statutory rights.

c. Appointment of personal data protection personnel/department or engagement of personal data protection service providers

Pursuant to Article 33.2 of the PDPL, enterprises are required to either:

i. appoint internal personnel or a department responsible for personal data protection; or

ii. engage and enter into a service agreement with an organization or individual providing personal data protection services.

Note that the applicable laws set out specific competency and qualification requirements for each of the aforesaid subjects under Articles 13 through 16 of Decree 356. Therefore, during implementation, enterprises should carefully review the relevant regulatory requirements in order to appoint or engage subjects that satisfy the legal conditions prescribed by law.

d. Entering into personal data processing agreements/contracts with Data Processors (if any)

Where an enterprise engages a third party to support the processing of personal data, such as HR management software providers, data storage systems, or similar service providers, such parties may be identified as Data Processors of the enterprise (pursuant to Article 2.8 of the PDPL). Accordingly, the enterprise is required to enter into a personal data processing agreement or contract with the Data Processor, which must clearly set out the responsibilities, rights, and obligations to be complied with by each party throughout the personal data processing activities (pursuant to Articles 37.1.a and 37.2.a of the PDPL, as well as the requirements applicable to the Personal Data Processing Impact Assessment Dossier).

e. Conducting mandatory impact assessments and updating the relevant dossiers (if any changes arise)

Enterprises are required to perform the following impact assessment procedures:

i. Personal Data Processing Impact Assessment Dossier

Pursuant to Article 21 of the PDPL, enterprises are required to prepare and store a Personal Data Processing Impact Assessment Dossier and submit one original copy thereof to the Department of Cybersecurity and Hi-Tech Crime Prevention under the Ministry of Public Security (“MPS”) within 60 days from the date on which the personal data processing activities are first conducted.

As analyzed above, most enterprises act as Data Controller-cum-Processors with respect to the processing flow of employees’ personal data and, therefore, are required to perform this obligation.

ii. Cross-Border Personal Data Transfer Impact Assessment Dossier (if any)

The determination of what constitutes a cross-border transfer of personal data is provided under Article 20.1 of the PDPL. However, not all cases of cross-border personal data transfer require the preparation of an impact assessment dossier. For exemptions, enterprises may refer to Article 20.6 of the PDPL, including, for example, cases where the enterprise ONLY transfers the personal data of its employees abroad and such transfer is conducted ONLY through cloud storage systems. Accordingly, where the obligation arises, the enterprise must prepare a Cross-Border Personal Data Transfer Impact Assessment Dossier and submit one original copy thereof to the MPS within 60 days from the date of the first cross-border transfer of personal data.

Following the completion of the impact assessment procedures, enterprises may also be required to update the Personal Data Processing Impact Assessment Dossier and the Cross-Border Personal Data Transfer Impact Assessment Dossier periodically every 06 months from the date of the initial submission, or within 10 days upon the occurrence of certain events (such as changes to personal data protection personnel or the addition of new personal data processing purposes, among others), in accordance with Article 20 of Decree 356.

f. Notification of violations (if any)

Pursuant to Article 23 of the PDPL, during the course of personal data processing activities, where a violation of personal data protection regulations is detected and such violation may cause harm to national defense, national security, social order and safety, or infringe upon the life, health, honor, dignity, or property of data subjects, the enterprise must notify the MPS no later than 72 hours from the time the violation is detected.

g. Implementing technical measures as required by law to protect personal data

Pursuant to Article 37 of the PDPL, enterprises are required to implement appropriate managerial and technical measures to protect personal data in accordance with applicable laws, and to review and update such measures when necessary. Many enterprises encounter difficulties in understanding this obligation, particularly with respect to what constitutes the “technical measures as required by law.” From LNV’s perspective, not all enterprises are required to implement highly sophisticated technical measures for personal data protection, and in fact, current personal data protection laws have not prescribed any specific technical measures that all enterprises must uniformly adopt. In practice, the level of compliance required under this obligation will vary depending on factors such as: the types of data collected by the enterprise, the scale of data processing activities, the purposes of processing, and the methods by which the data is processed. Typically, for ordinary enterprises that mainly process the personal data of employees or certain individual partners, such as experts, consultants, promoters (artists, or influencers), with a moderate scale of processing (ranging from several dozen to several hundred individuals), and where the processing activities are conducted primarily for the purpose of performing ordinary labor, cooperation, business, or consultancy agreements, with storage mainly maintained in hard-copy form at the enterprise’s premises, the required technical measures may simply consist of “establishing biometric, mechanical, or password-protected locking systems to restrict unauthorized access to storage areas.” Where such enterprises additionally store electronic copies on computers or hard drives, the technical measures may merely include “firewall and anti-virus systems installed on the relevant servers or devices.”

In practice, however, there remain certain special cases in which enterprises are required to comply with specific technical protection measures prescribed by law. This generally applies where, based on the aforementioned criteria, the enterprise falls within the category of entities subject to separate technical protection standards or regulations. In this regard, clients may refer to LNV’s separate article on the subject.

2.2. Other arising obligations

a. Compliance with statutory conditions for the provision of personal data processing services

Decree 356 is the first legal instrument to specifically enumerate personal data processing services. Accordingly, where an enterprise provides personal data processing services, it should note that it must (i) fully satisfy the statutory requirements relating to operational form, personnel, infrastructure, administrative procedures, and other relevant conditions pursuant to Articles 22 and 23 of Decree 356; and (ii) submit an application dossier for the issuance of a Certificate of Eligibility for the Provision of Personal Data Processing Services in accordance with Article 25 of Decree 356.

b. Obligations arising from operations in specialized sectors

Where an enterprise operates in specialized sectors such as labor management, finance and banking, insurance, advertising services, online communication services, big data processing, artificial intelligence systems, virtual environments, blockchain technology, and cloud computing, among others, the enterprise should further review the provisions set out in Articles 25 – 31 of the PDPL and Articles 8 – 12 of Decree 356 in order to ensure full compliance with the sector-specific legal obligations applicable to its business activities.

c. Performing personal data processing impact assessment procedures in the role of a Data Processor

Where an enterprise provides services such as payroll administration, recruitment, or similar services, it may additionally assume the role of a Data Processor pursuant to Article 2.8 of the PDPL. Under Article 21.3 of the PDPL, the enterprise is required to prepare and retain a Personal Data Processing Impact Assessment Dossier and submit one original copy thereof to the MPS.

As discussed above, most enterprises also assume the role of a Data Controller and are therefore required to perform the impact assessment procedures referred to in Section 2.1.e of this article. Accordingly, where an enterprise simultaneously acts as both a Data Controller and a Data Processor, it may consolidate the declarations relating to the processing activities corresponding to each role within a single Personal Data Processing Impact Assessment Dossier.

The above provides a brief overview of the fundamental obligations of enterprises under personal data protection laws. LNV hopes that the information set out in this article will be useful to our valued clients. Should you have any questions or concerns in relation thereto, please feel free to contact LNV for further advice and detailed consultation.

Authors: Lawyer Phan Nhi and Junior Associate Ngoc Mai

Disclaimer: This article has been prepared based on the prevailing laws of Vietnam and practical experience. The information provided herein is for reference purposes only. We shall not bear any responsibility or legal obligation toward any individual or organization using the information contained in this article for purposes other than reference. Before making any choice or decision, Clients are advised to seek formal recommendations or contact LexNovum Lawyers for in-depth legal advice from our team.

Please cite “LexNovum Lawyers” as the source when using or sharing this article in any form.