Amid the rapid rise of commercialization and digital technology, the Vietnamese government has placed a strong emphasis on the strict management of digital information. This stems from the increasing prevalence of scams exploiting personal data leaks, for which businesses collecting user information are held accountable.

Currently, the Draft Law on Personal Data Protection is under review and pending approval by the National Assembly. In the meantime, Decree No. 13/2023/NĐ-CP remains the primary legal framework regulating businesses’ responsibilities in collecting, storing, and processing personal data of employees and customers. According to this Decree, all activities involving personal data must obtain the consent of the data subject. So, what is the scope and how should such consent be expressed? The following article will provide a detailed analysis.

1. Is the consent of the data subject mandatory

Within the scope of relationships between users and service providers, businesses and employees, and other similar interactions, obtaining the consent of the data subject is mandatory, except in certain specific cases. According to Decree No. 13/2023/NĐ-CP, the consent of the data subject applies to all activities within the personal data processing cycle, unless otherwise stipulated by law.

To ensure that the consent of the data subject is valid, the data processor (including businesses, organizations, e-commerce platforms, etc.) must have a clear basis to confirm that the data subject is fully aware of the information being collected and processed and has voluntarily given their consent. Accordingly, the data processor must ensure that the data subject clearly understands the following:

• The types of personal data being processed;
• The purpose of processing personal data;
• The organizations and individuals authorized to process personal data;
• The rights and obligations of the data subject.

Additionally, the data processor must ensure that the data subject’s consent is expressed explicitly and specifically through written documents, voice recordings, ticking an agreement box, consent syntax via messages, selecting technical consent settings, or any other action demonstrating consent.

Consent must be given for a single purpose. If multiple purposes exist, the data controller or processor must list them clearly, allowing the data subject to consent to one or more of the specified purposes.

2. Forms of Expressing the Consent of the Data Subject

The consent of the data subject must be expressed in a format that can be printed or copied in writing, including electronic or verifiable formats. The personal data processor must also recognize that silence or a lack of response from the data subject cannot be considered as consent.

Accordingly, the method of obtaining consent will vary depending on the specific circumstances, the method of data collection, and the intended use of personal data. For instance, when collecting employees’ personal data, the terms regarding the rights and scope of data collection and processing must be documented in one of the following: the employment contract, an annex to the employment contract, or another written document that clearly expresses the employee’s consent.

In business relationships with service providers handling personal data, the terms regarding data processing must also be documented in contracts or other legally recognized forms that clearly express the data subject’s consent. For businesses operating in sectors such as human resources, payroll, labor outsourcing, insurance, and finance, it is essential to establish contractual obligations with service users, ensuring that service providers have the right to process personal data obtained either directly or indirectly from them.

For websites, e-commerce platforms, or digital services that collect user information upon access, it is crucial to transparently inform users about the types of data being collected, the purpose of collection, and how consent is obtained and recorded as evidence of the user’s authorization for data collection.

Given the current regulations governing the collection and processing of personal data—as well as the upcoming Personal Data Protection Law—businesses must take proactive measures to ensure that, across all relationships and platforms, they have obtained the explicit consent of data subjects for the collection, storage, and processing of personal data.

We anticipate that regulatory authorities will enforce stricter oversight in the near future. Currently, legal frameworks and monitoring tools are being developed, and penalties for non-compliance with personal data processing regulations—including domestic processing and cross-border data transfers—will soon be effectively implemented. Therefore, at this stage, with newly issued legal provisions and less strict supervision from the regulatory authorities, particularly the Ministry of Public Security, the process of complying with personal data regulations is expected to be relatively straightforward. The conditions imposed on data processors are also expected to be less stringent at this initial stage.

Time of writing: 18/03/2025

The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer  at  info@cdlaf.vn

You can refer for more information:

• Conditions for establishing a company operating in the logistics field
• Conditions for conducting Organization of Conventions and Trade Shows: A legal perspective and advice for Foreign Investors
• Legal requirements for organizing various types of events in Vietnam: A comprehensive guide for investors