A personal data protection policy is a mandatory document that every enterprise must develop to comply with the provisions of the Law on Personal Data Protection and Decree No. 356/2025/ND-CP. Its content will vary with the business sector, the extent of data collection, the technology applied, and other factors. In general, however, a personal data protection policy must clearly stipulate the enterprise’s role as a personal data controller or as a controller-cum-processor for each type of personal data (“PD”), the types of PD collected by the enterprise, the protection measures applied, the methods for recording and managing the data subject’s consent, the responsibilities of each party, and the data breach response procedures, among other matters, all of which must be explicitly set out in the enterprise’s PD protection policy.

1. The Necessity of Provisions on the Scope of Application and Interpretation of Terms
The PD protection policy must identify the subjects to which it applies, the scope of personal information it governs, and the categories of individuals who constitute data subjects, while also determining which actual activities qualify as personal data processing operations. Furthermore, while personal data regulations have been in force in other countries for a considerable time and are no longer a new issue, PD in Vietnam has only truly attracted attention and been widely implemented across enterprises since mid-2025. In the context of newly implemented legal regulations, it is therefore not easy for enterprises, relevant parties, and data subjects to acquire a correct and uniform understanding of the terms used within the policy, such as basic personal data, sensitive personal data, de-identification, third parties, consent, etc. All such terms should be defined in detail, in accordance with their correct legal meaning and the specific operational context of the enterprise.
2. Provisions on the Categories of Personal Data to be processed
Pursuant to regulations, personal data comprises basic personal data and sensitive personal data; furthermore, personal data shall be collected and processed in either a digital or physical environment depending on the enterprise’s business operations and the technologies applied by the enterprise. Within this provision, the enterprise must clearly stipulate the following matters:
Basic personal data collected and processed by the enterprise: this category is construed as all information pertaining to an individual other than sensitive personal data; examples include:
Last name, middle name, and first name at birth, aliases; date of birth; citizen identity card information (name, number, gender, date of birth, title); place of birth, place of origin, permanent residential address, temporary residential address, current address; nationality, etc.
Sensitive personal data: information directly related to the fundamental privacy of an individual, the infringement of which may cause severe negative impacts on the lawful rights and interests of the data subject. This category includes, but is not limited to: political and religious views; health status; biometric and genetic data; information regarding sex life and sexual orientation; criminal data; geographic location data; and electronic identification information, together with data pertaining to finance, banking, insurance, securities, and transaction history, and data reflecting individuals’ behavior and activities in cyberspace.
However, the data listed above constitutes only the primary categories of personal data currently collected and processed by most enterprises. For a personal data policy to be accurate and comprehensive, each enterprise must rely on its actual operational model to incorporate into this provision any other data it collects that qualifies as personal data. For example, enterprises operating in the e-commerce and financial sectors typically also collect and process data such as: images, biometrics, audio, video, facial recognition data, content uploaded by the individual in order to use the enterprise’s platform or application, digital accounts created by the individual, call logs, voice messages, etc.
3. Provisions on the purposes of controlling and processing Personal Data
Pursuant to Article 4 of the Law on Personal Data Protection, every individual has the right to be informed about the enterprise’s personal data processing activities, specifically the types of personal data collected and processed and the purposes for which the enterprise collects and processes them. Consequently, the enterprise, acting as Personal Data Controller or Personal Data Controller-cum-Processor, is required to establish clear processes, procedures, and forms for implementing the rights of data subjects in relation to its processing activities, to assign responsibilities to the relevant departments, and to ensure that data subjects are informed of the purposes for which their PD is collected and processed.
Accordingly, this provision of the Policy shall clearly list the enterprise’s purposes, for instance the group of purposes concerning contract execution and service provision: information exchange, customer care, complaint resolution, product warranty, phase-specific service provision, execution of other tasks recorded in the contract, etc.; or the group of anti-fraud purposes under cybersecurity laws, such as identity verification, prevention of customer data theft, account protection, etc. The enterprise shall categorize these purposes appropriately based on its business operations.
To draft the provision on “Purposes of collecting and processing personal data” in a standardized manner, the enterprise must design its content on the principles of specificity and purpose stratification to ensure maximum transparency. Instead of generic terminology, the enterprise must explicitly list purpose groups tied to operational activities such as contract execution, delivery, account management, promotions, and customer support, while strictly segregating optional purposes such as market research, experience personalization, or marketing, which require separate consent from the data subject. Notably, in the spirit of Law No. 91/2025/QH15 and Decree No. 356/2025/ND-CP, this provision must also articulate mandatory legal compliance purposes such as tax obligations or fraud prevention to create a “compliant framework” for data flows. Detailed drafting of this provision also assists the enterprise in meeting the stringent requirements of the Data Protection Impact Assessment (DPIA) dossier.
The provisions above are the initial requisite clauses of a PD protection policy. In Part 2, CDLAF will guide you in drafting the other mandatory provisions, such as: methods of collecting, controlling, and processing PD; the PD retention period; the rights of PD subjects; processing of PD without the consent of the PD subject; the PD protection department and personnel; and other essential provisions that must be included in the enterprise’s policy. Standardizing these contents not only helps domestic enterprises resolve challenges related to technical infrastructure but also serves as the most critical legal evidence of compliance capability, mitigating the risk of severe financial sanctions and the suspension of data processing activities.
Time of writing: 30/03/2026
The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn

Why choose CDLAF’s service?
- We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
- We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
- Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
- As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
- CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory;
- Strict information security procedures throughout the service performance and even after the service is completed.
