When the Law on Personal Data Protection is enacted, a number of enterprises will be required to fully carry out procedures related to personal data, among which those operating in the fields of labor outsourcing, employment, and human resources services… are considered to hold a massive amount of personal data of individuals. Therefore, when considering the obligation to comply with personal data protection, this will be the group of enterprises that regulatory authorities will likely review first, given the level of risk concerning data security. Acting as entities that process and control personal data, labor outsourcing enterprises will determine the obligations that must be fulfilled depending on the categories of data they hold, such as basic data or sensitive data, or the nature of their data-related activities, such as domestic data processing or cross-border data transfer. The following article will provide a more detailed explanation of the obligations of labor outsourcing enterprises in relation to personal data.

1. Labor Outsourcing Enterprise – Data Controller or Data Processor
The law on personal data establishes definitions and methods for determining whether an enterprise is a data processor, a data controller, or both a data controller and processor. Accordingly, these parties are defined as follows:
- A data controller is an agency, organization, or individual that determines the purposes and means of processing personal data.
- A data processor is an agency, organization, or individual that processes personal data at the request of the data controller or the data controller-cum-processor under a contract.
- A data controller-cum-processor is an agency, organization, or individual that determines the purposes and means and directly processes personal data.
The term processing of personal data refers to any operation performed on personal data, including one or more of the following activities: collection, analysis, aggregation, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer, and other actions affecting personal data.
Based on these definitions and by comparing them with the activities of labor outsourcing enterprises, it can be seen that such enterprises are the entities that collect, store, and determine the purposes for which the personal data of employees are used. They are also the parties directly responsible for recruitment, execution of labor contracts, fulfillment of insurance obligations, payment of salaries, and management of personnel records. According to the legal definitions, these acts demonstrate the authority to determine the “purposes and means of data processing”; therefore, the labor outsourcing enterprise is considered the “data controller”.
In this capacity, the labor outsourcing enterprise bears the highest legal responsibility for protecting employees’ personal data, including: notifying and obtaining valid consent from employees before sharing information with the client enterprise; ensuring that data processing is carried out for the correct purposes and within the scope of the labor contract and the labor outsourcing contract; entering into a Data Processing Agreement (DPA) with the client enterprise to establish confidentiality mechanisms and define responsibilities; implementing technical and operational security measures as well as internal procedures to prevent data leakage or unauthorized access; and conducting personal data processing impact assessments and cross-border data transfer procedures in cases where the enterprise transfers data in any form outside the territory of Vietnam, for example, reporting to the parent company or storing data on foreign-based systems…
2. Is the Labor Hirer a Data Processor or a Data Controller?
The labor hirer is the enterprise that receives the personal data of employees from the labor outsourcing enterprise for the purposes of labor utilization, timekeeping, performance monitoring, and ensuring occupational safety. If the labor hirer merely retains employees’ personal data for administrative management purposes while other matters are handled by the labor outsourcing enterprise, then the labor hirer shall be considered the data processor.
However, in practice, many labor hirers may jointly determine the purposes and means of data processing (e.g., capability assessments, retention of records for long-term recruitment, onward transfer of data to tax and accounting service providers, or transfer of data to the parent company…). In these cases, the hirer and the lessor are both personal data controllers and must have a written agreement that:
- Clearly specifies the responsibilities, rights, and obligations of the parties under the agreement or contract related to the processing of personal data as prescribed by law;
- Determines the purposes and means of personal data processing in documents and agreements with data subjects, ensuring compliance with the principles and content provided by law;
- Sets out the agreed management and technical measures to protect personal data in accordance with the law, with such measures reviewed and updated when necessary.
3. Obligations of the Labor Outsourcing Enterprise and the Labor Hirer in Complying with Personal Data Processing Regulations
Depending on the role of each party, they are required to prepare a Personal Data Processing Impact Assessment Report and submit 01 original copy to the authority in charge of personal data protection within 60 days from the date of the first personal data processing activity. This procedure is understood as the Personal Data Processing Impact Assessment submitted to the Ministry of Public Security. In cases where data is transferred outside the territory of Vietnam, the enterprise must additionally prepare a Cross-Border Personal Data Transfer Impact Assessment Report.
It should be noted that the personal data processing impact assessment is carried out once for the entire duration of operation of the data controller or the data controller-cum-processor, and is updated in accordance with regulations. The data controller, the data controller-cum-processor, and the data processor must update or supplement the personal data processing impact assessment report when there are any changes to the information previously submitted to the authority in charge of personal data protection.
From the above analysis, in the labor outsourcing model, to ensure compliance, CDLAF recommends that the labor outsourcing enterprise should proactively prepare the Personal Data Processing Impact Assessment Report, including personnel data, candidate profiles, and information shared with the labor hirer, and that both parties should sign a Data Processing Agreement (DPA) that clearly defines the scope, responsibilities, security measures, and mechanisms for responding to requests from competent authorities or data subjects. When there are activities involving the transfer of employee data abroad (for example, reporting to the parent corporation), the Cross-Border Data Transfer Impact Assessment must be conducted.
Time of writing: 31/10/2025
This article contains general information which is of reference value. If you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at info@cdlaf.vn.

