In operational practice, many enterprises implicitly assume that transferring data to partners is an “obvious” need serving activities such as marketing, cloud storage, or payroll processing. However, from the perspective of the 2025 Law on Personal Data Protection and Decree No. 356/2025/ND-CP, legality is not assessed based on internal business needs, but based on valid legal grounds for each specific processing purpose. Accordingly, a transfer of data that lacks valid consent from the data subject, or where such consent is merely formalistic or overly general, may cause the enterprise’s entire data processing chain to be considered as exceeding legal limits. The risks do not stop at strict administrative sanctions, but may also lead to a loss of effective control over “information assets” when data spreads to subcontractors or through cross-border intermediary systems.

1. Lawful data processing purpose
The first condition, which is foundational and applies throughout the entire data processing chain, is that the processing purpose must be lawful, specific and demonstrable. In many outsourcing service agreements, the parties often include broad and general undertakings, such as “use data solely for contract performance”. However, under the current personal data regulations, it should be understood that the collection and processing of personal data by each party, in the capacity of a data processor, a data controller or a data controller and processor, must be documented in a structured manner: clearly identifying each type of data, the purpose of use for each type of data, specific data protection measures… If the transfer of data to a partner exceeds the identified purposes, or if new purposes arise without timely assessment and documentation updates, then the validity of the entire processing activity may be called into question.
2. Data subject consent and alignment with the processing purpose
The condition that enterprises most commonly recognize first is the consent of the personal data subject. Accordingly, from the time the Law on Personal Data Protection and Decree No. 356 take effect, the processing of personal data without the data subject’s consent is deemed a violation, except for specific cases expressly provided by law. In other cases, the consent of the personal data subject is mandatory. From the enterprise’s perspective, the enterprise will need to classify personal data and determine its role in relation to each category of data, so as to identify who specifically is responsible for obtaining the personal data subject’s consent, and whether the enterprise or a third party is the party required to obtain such consent from the data subject.
In parallel with that, the alignment between the processing purpose and the data subject’s notice and consent is an inseparable factor. In practice, many enterprises have a data protection policy or a privacy notice, but the content does not accurately reflect actual operational practices or personal data processing activities, especially for enterprises providing outsourcing services. The data subject may have agreed for the enterprise to collect and use data for certain purposes, but has never been notified that their data will be transferred to a third party, processed on international cloud systems, or accessed from multiple countries. In such cases, the consent – even if it has been collected – may be deemed incomplete or invalid. This puts the enterprise in a high-risk position, especially when there is a complaint or a compliance inspection.
3. Procedures for personal data processing impact assessment and cross-border personal data transfer impact assessment
Enterprises providing outsourcing services handle large volumes of personal data belonging to partner customers. Therefore, the first step is to determine whether such outsourcing service providers have fully completed the procedures for the personal data processing impact assessment and the impact assessment for cross-border transfers of personal data. If the enterprise has already carried out these procedures, it should then be considered whether the declared dossiers are consistent with each other and with actual internal practices. In that context, a data processing impact assessment is not merely a compliance formality, but a core risk management tool. Through this assessment, the enterprise must analyze data flows, identify potential risks to the rights and interests of data subjects, and evaluate the capabilities of partners as well as the data storage infrastructure that the outsourcing service provider will use to store the data.
Finally, for a cross-border data transfer to be considered lawful, the enterprise must be able to demonstrate that it has effectively established technical measures, legal measures, and practical control mechanisms. Technical measures may include encryption, access control, monitoring, and logging for traceability. Legal measures are reflected through contractual clauses that bind responsibilities, audit rights, notification obligations, and coordination duties in the event of an incident. However, the key factor remains the Vietnamese enterprise’s ability to maintain control, specifically, whether it has the right to require the processing to stop, to recall the data, or to terminate the contract when compliance risks arise. If the answer is no, then regardless of how advanced the infrastructure may be, the cross-border transfer of data still carries the risk of being deemed non-compliant with legal requirements.
From a practical advisory perspective, the greatest risk for an enterprise does not lie in choosing the wrong technology, but in conducting an insufficiently in-depth assessment of a partner’s compliance capability prior to contract execution. Many enterprises enter into outsourcing or cloud relationships with a mindset of relying on the provider’s brand, market experience, or international certifications, but they do not carry out a structured review from legal, technical, and strategic perspectives. When issues arise, the enterprise then realises that it lacks sufficient information and tools to control the risks. For that reason, CDLAF always recommends that enterprises apply a multi-layer checklist, not to “find faults” with the partner, but to determine the level of compliance readiness and the capacity for long-term cooperation.
Time of writing: 02/01/2026
The article contains general information which is of reference value. In case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn

