In the context of the Law on Personal Data Protection 2025 and Decree No. 356/2025/ND-CP, tightening the requirements for the collection, use, and transfer of personal data, advertising and media enterprises are becoming one of the sectors most directly affected. From running advertisements and multi-platform marketing to collaborating with technical partners, suppliers, or employees, most activities involve the processing of personal data. Therefore, enterprises do not only require standard service contracts but must establish comprehensive contractual terms, agreements, and data control mechanisms in accordance with legal regulations to mitigate legal risks and protect brand reputation.
1. Agreements Between Advertising Service Clients and Advertising Companies
According to clause 1, Article 28 of the Law on Personal Data Protection 2025, an enterprise providing advertising services (“advertising company”) is only permitted to: “use personal data of customers transferred by the personal data controller or the personal data controller and processor under an agreement, or collected through its own business activities, to conduct advertising services. The collection, use, and transfer of personal data must ensure the rights of data subjects as prescribed in Article 4 of this Law”. Concurrently, clause 2, Article 28 of the Law on Personal Data Protection 2025 also stipulates that the personal data controller or the personal data controller and processor may only transfer personal data to an advertising company in accordance with the law.
In the relationship between the advertising company, the client, and the recipient of advertising information, where the client provides the recipients’ personal data to the advertising company for advertising purposes, the use of such data may only be conducted based on the valid consent of the data subject, consistent with point a, clause 1, Article 17 of the Law on Personal Data Protection 2025.
Furthermore, the provisions regarding the transfer of personal data must be clearly specified in the service contract between the client and the advertising company, ensuring full compliance with the requirements under point a, clause 1, Article 7 of Decree No. 356/2025/ND-CP, specifically:
- The purpose of the personal data transfer;
- The categories of data subjects and the types of personal data being transferred, appropriate to the purpose of the transfer;
- The duration for processing personal data and requirements for data deletion or destruction upon completion of the transfer purpose;
- The legal basis for the transfer of personal data;
- Responsibilities for personal data protection during the transfer and processing stages;
- Responsibilities for implementing the rights of the data subjects;
- Responsibilities for coordination and compliance between parties in the event of a detected violation of personal data protection regulations.
2. Agreements between third-party service providers (suppliers) and advertising companies
Pursuant to clause 6, Article 18 of the Law on Personal Data Protection, an advertising company is prohibited from subcontracting or agreeing to let another organization or individual perform the entire advertising service involving the use of personal data on its behalf.
Accordingly, where an advertising company enters into contracts with service providers to support the implementation of advertising activities, the contract should clearly specify that such parties are only engaged to perform partial auxiliary work under the control and supervision of the advertising company, and do not replace the advertising company’s role in carrying out the entire advertising service involving the personal data of data subjects.
3. Agreements between advertising companies and employees
Under clause 2, Article 25 of the Law on Personal Data Protection 2025, advertising companies bear responsibility for the management and use of employees’ personal data, including:
- Complying with the provisions of this Law, labor and employment laws, data protection laws, and other relevant legal regulations;
- Storing employees’ personal data for the duration prescribed by law or as agreed upon;
- Deleting or destroying employees’ personal data upon termination of the labor contract, except where otherwise agreed or prescribed by law.
Although clause 2, Article 25 requires the deletion or destruction of data upon contract termination, enterprises must pay special attention to record-keeping obligations under tax, accounting, and social insurance laws for post-clearance audits and inspections. To harmonize data protection obligations with specialized legal compliance, enterprises should specify in agreements with employees: “Personal data shall be stored and only deleted or destroyed after the enterprise has fulfilled all legal obligations and mandatory retention periods related to taxes, insurance, and labor as prescribed by current law.”
Additionally, according to clause 3, Article 25 of the Law on Personal Data Protection, the processing of employee personal data collected via technological or technical measures for management purposes must satisfy the following:
- Only appropriate technological and technical measures consistent with the law shall be applied, ensuring the rights and interests of the data subject, provided that the employee is fully aware of such measures;
- Processing or using personal data collected from technological or technical measures in violation of the law is strictly prohibited.
In personnel management, applying monitoring measures such as camera systems or productivity management software does not stop at signing a consent agreement. By law, the enterprise must ensure the employee “clearly knows” about these activities. Consequently, enterprises must issue and publicly post a personal data processing notice at workplaces or send direct notifications via internal management systems. This notice must clarify the scope of monitoring, the purpose of data use, and the corresponding security measures to ensure transparency and the rights of the data subject.
To ensure compliance with the Law on Personal Data Protection regarding the processing of employee personal data, advertising companies should draft a personal data protection agreement and require employees to sign it before or concurrently with the execution of the labor contract. This agreement may be a separate document or integrated into the labor contract, clearly expressing the employee’s consent to the collection and processing of personal data, including the application of technological measures such as video recording, timekeeping, and monitoring employees’ use of work devices.
Time of writing: May 08, 2026
The article contains general information which is of reference value. In case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn
Why choose CDLAF’s service?
- We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
- We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
- Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
- As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
- CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.
- Strict information security procedures throughout the service performance and even after the service is completed.
You can refer for more information:
- Responsibilities of Enterprises when employing Foreign Workers
- Is it Mandatory for Enterprises to Appoint Personal Data Protection Personnel?
- How Does the Draft Decree on Administrative Sanctions for Personal Data Violations Regulate Acts and Penalties? (Part 2)
- How Does the Draft Decree on Administrative Sanctions for Personal Data Violations Regulate Acts and Penalties? (Part 1)
