Data and Legal Considerations in Outsourcing Contracts (Part 1)

In modern governance models, the use of outsourcing services for functions such as accounting and payroll, HR, CRM, ERP, or IT managed services has become a standard practice to optimize costs and operational efficiency. However, this shift is creating a significant “legal gap,” where enterprises often assess outsourcing primarily from a technical perspective while overlooking actual data control rights. When data is stored on platforms such as cloud systems or processed by third parties with cross-border access rights, the boundary between “outsourcing a service” and “transferring control over data” becomes increasingly blurred. This situation creates an urgent need for enterprises to verify their service providers’ compliance with Vietnamese law in order to protect information assets and avoid violations related to personal data protection.


1. Level of data access granted to outsourced business functions

From a legal perspective, outsourcing is not merely a matter of an enterprise “purchasing a service” to replace internal resources. Each outsourcing decision—especially in areas such as accounting and payroll, HR systems, CRM/ERP, or IT managed services—simultaneously constitutes a decision to grant data processing rights to a third party. When enterprises transfer employee data to a payroll service provider, or grant system access rights to an IT management provider, they are allowing another entity to directly manipulate, use, and influence the data, rather than merely “performing tasks on their behalf.”

Through our work with enterprises specializing in outsourcing services, we have observed that such enterprises typically establish security frameworks to safeguard clients’ data. To achieve this, outsourcing providers, to varying extents, must rely on services from additional third parties—most commonly enterprises that provide storage platforms, technology infrastructure, or software solutions.

From the perspective of outsourcing service providers, given the scope of work performed by the provider itself and by the third parties it engages, it is evident that a substantial volume of personal data, corporate data, and in particular sensitive personal data is accessed, held, stored, and processed by these providers. However, at present, most contracts between the parties go no further than recording the scope of work and stipulating that the service provider must keep information confidential and must not sell customer data. They do not address responsibilities for data control and data processing in general, and personal data in particular; the methods of data protection; provisions on handling data-related violations; incident response procedures in the event of a data leak; or procedures for the receipt and management of customer data by the service provider. Moreover, under the current personal data protection regulations set out in the Law on Personal Data Protection and Decree No. 356/2025/ND-CP on personal data, compliance with the procedures prescribed by law is regarded as a prerequisite for outsourcing service providers to offer their services to customers.

From the customer’s side, when engaging outsourcing service providers, it should be noted that in many outsourcing contracts, data access rights are granted overly broadly. Service providers may be allowed to access entire databases for system operation purposes, download data for processing, and even share data with technical subcontractors—all of which is often covered by nothing more than a general confidentiality clause. At that point, the legal question is no longer whether “they keep the data confidential”, but rather what the legal role of each party is within the data processing chain. Is the enterprise the data controller—the party that determines the purposes and scope of data processing? Is the partner merely a data processor, acting solely on the enterprise’s instructions? Or, in practice, are both parties jointly determining the manner of data processing, thereby creating a situation of joint controllership that many enterprises fail to recognize? The failure to identify, or the misidentification of, these roles is a common reason why enterprises are unable to establish appropriate control mechanisms and consequently lose legal leverage when disputes arise or when they are subject to inspections.

2. Legal risks arising from the transfer of enterprise and customer data to third parties

Before addressing the mechanisms that need to be established to protect enterprise data and personal data of users, employees, and the enterprise’s own customers, based on my experience in corporate legal advisory work as well as my role as a personal data protection expert, I would like to draw the attention of enterprises—whether acting as customers or as service providers—to several legal risks that should be carefully considered, particularly in the context where the Government is intensifying data compliance enforcement.

Risk relating to the legality of data transfer. In many outsourcing models, and in the provision of data storage platforms and online working platforms, enterprises often implicitly assume that transferring data to partners is lawful because it is an “obvious” operational necessity. However, the law does not assess legality based on an enterprise’s internal operational needs, but rather on the existence of a specific legal basis corresponding to each data processing purpose. If an enterprise has not obtained valid consent from data subjects, or if such consent is collected in a formalistic or overly general manner that does not accurately reflect the actual scope of processing, then the entire chain of data transfers to third parties may be deemed to exceed the legally permissible limits. The risk becomes even more significant when the data is subsequently used for additional purposes—such as analysis, system optimization, algorithm training, or multi-platform integration—that were never disclosed to, nor approved by, the data subjects from the outset. All of these elements are interrelated: where an enterprise has not obtained valid consent from data subjects (employees, customers, users, etc.) and has not fully established the conditions required by law, no data transfer in such circumstances can be considered “legally compliant” as a matter of course.

Risk of losing effective control over data. On paper, enterprises may still be the “data owner”; however, in practice, they may not know precisely where the data is being stored, at which data centers backups are maintained, who has direct access rights, or how long the data will be retained after the contract has terminated. In many complex cloud and outsourcing models, data access is not confined to a single service provider, but extends to subcontractors (sub-processors), technical teams located in multiple countries, and intermediary systems used for backup, analysis, or technical support purposes. If contracts do not strictly limit and control these access rights, enterprises will find it extremely difficult to demonstrate that they continue to maintain the necessary level of control over the data.

It should be noted that each country has its own legal framework and level of data protection. Enterprises may inadvertently become part of a cross-border data transfer chain without having sufficient information to assess the associated risks, let alone to proactively control or suspend such transfers when necessary. In such circumstances, data control exists more in theory, while actual control has become fragmented and dispersed.

Risk arising when a data incident occurs. When data is lost, unauthorized access takes place, or a data leak involving employee or customer information occurs, the issue is not merely a technical problem or a matter of brand reputation. From a legal perspective, such an incident immediately places the enterprise at the center of liability. When regulatory authorities intervene, they will not only ask “how did the incident occur,” but, more importantly, whether the enterprise has fully complied with the obligations imposed by the Law on Personal Data Protection, the Law on Data, and other relevant regulations. They will also examine what measures the enterprise has implemented to prevent and control risks arising from its partners. If, in practice, an enterprise has not implemented any meaningful compliance measures, it will be extremely difficult for it to demonstrate that it has fulfilled its risk governance obligations.

In summary, in the digital era, outsourcing is not merely the procurement of services, but a transfer of legal responsibility over data assets. Enterprises cannot rely on a generic confidentiality undertaking in a contract to safeguard information security. They should not wait until a data breach occurs or until a competent authority initiates an inspection to revisit outsourcing agreements. In a context where the Government is intensifying the enforcement of Decree No. 356/2025/ND-CP, compliance is no longer a matter of choice, but a prerequisite for enterprises to maintain sustainable business operations. At CDLAF, I consistently emphasize to clients that a secure outsourcing contract must be designed on the basis of a deep understanding of technical data flows, combined with robust legal safeguards. Only when you are able to control your partners throughout the entire data lifecycle can you truly claim ownership of your own data.

  • Advisory email: info@cdlaf.vn

  • Hotline: (+84) 909 668 216

Time of writing: 02/01/2026

This article contains general information of reference value only; if you would like a legal opinion on an issue that needs clarification, please get in touch with our lawyers at info@cdlaf.vn

Why choose CDLAF’s service?

  • We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
  • We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
  • Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
  • As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
  • CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory;
  • Strict information security procedures throughout the service performance and even after the service is completed.
