The Personal Data Protection Law, expected to take effect in early 2026, will pose significant challenges for businesses in the race to comply with data regulations. This is particularly critical for sectors that hold large volumes of personal information, such as education, healthcare, e-commerce, and banking & finance. In this article, CDLAF shares key legal requirements on personal data that businesses in the education sector need to pay attention to in order to ensure compliance.

1. Personal Data Collected by Education Companies and Schools
Personal data is not merely information that identifies an individual, but also includes data from customers and related parties. It is both a valuable asset and a potential legal risk. Decree No. 13/2023/ND-CP on personal data protection, together with the upcoming Personal Data Protection Law, places strict compliance obligations on education businesses, especially since their primary subjects are children under 16 years old – who are afforded the highest level of legal protection under both Vietnamese and international law. So, what types of personal data are educational institutions, schools, and training centers currently collecting?
Basic personal data (Basic PD): during admissions, teaching, and management, educational businesses typically collect:
- Identification information: full name, date of birth, gender, nationality, ID/CCCD number, portrait photo, signature.
- Contact information: address, phone number, email of students, parents, and teachers.
- Academic information: learning outcomes, transcripts, certificates, teacher evaluations and comments.
- Financial information: tuition fees, payment methods, account details if parents pay via bank transfer or e-wallet.
- Professional/educational background: qualifications, degrees, professional licenses of teachers and staff.
Sensitive personal data (Sensitive PD): some of the data collected by educational businesses is legally classified as sensitive personal data, including:
- Health data: student medical records (vaccinations, medical conditions, allergies, medical check-ups for school admission).
- Location data: if schools/centers use GPS systems or cameras to monitor student pick-up and drop-off.
- Biometric data: fingerprints, facial recognition used for attendance or access control.
- Private life information: family circumstances, household income, marital status of parents (which schools may require in applications for tuition waivers or scholarships).
- Detailed financial information: bank card numbers, tuition payment transactions (which in certain cases may be considered sensitive).
2. What does personal data law require from educational businesses?
Under the current legal framework—namely Decree No. 13/2023/ND-CP and the upcoming Personal Data Protection Law—educational businesses must ensure that:
- The company has obtained clear and explicit consent from the data subject (or from parents/guardians in the case of students under 16) for the information it collects, uses, and stores. Such consent must be expressed in writing, electronically, or in another verifiable form.
- The company provides full prior notice to data subjects before processing their data, including details on the types of data collected, purposes of use, retention periods, and any third parties with access (if applicable).
- The company collects data only within the scope necessary for training and management purposes and uses it in accordance with those purposes.
- The company establishes security measures: encryption, access control, secure storage, and leak prevention.
- The company builds mechanisms to fulfill the rights of the data subject regarding access, correction, withdrawal of consent, and the right to request data deletion.
3. What should educational businesses do to ensure compliance?
Regarding contracts and legal terms, businesses will need to include personal data protection clauses in training contracts, student enrollment forms, and employment contracts with teachers.
A Privacy Policy must also be developed and published openly on the website/application, clearly explaining what types of data are collected, the purposes of use, and the rights of parents/students.
Within the Terms & Conditions, provisions on data collection and processing should be included, along with disclaimers for technical limitations. An “I agree” checkbox must be applied before collecting data online.
For internal governance, businesses are required to maintain a Data Processing Record. Access rights to data should be strictly defined: teachers may only access academic information; accountants may only process financial data; the admissions department may only handle enrollment records. A data breach response plan should also be set up that clearly specifies the timeframe for notifying parents and competent authorities in the event of a data leak.
Carrying out mandatory administrative procedures on personal data:
- Develop a personal data processing impact assessment: Prepare the dossier ensuring that its contents reflect the company’s actual operations and fully comply with statutory requirements; submit the original dossier to the competent authority (the Ministry of Public Security) within 60 days from the commencement of data processing; keep and maintain the dossier at the head office/office at all times to serve inspections by competent authorities.
- Develop a personal data transfer impact assessment (once the Personal Data Protection Law comes into force, this will be called the “Cross-Border Personal Data Transfer Impact Assessment”): Prepare the dossier ensuring that its contents reflect the company’s actual operations and fully comply with statutory requirements; submit the original dossier to the competent authority (the Ministry of Public Security) within 60 days from the commencement of data transfer; keep and maintain the dossier at the head office/office at all times to serve inspections by competent authorities.
Protecting personal data in the education sector is no longer just a “mandatory legal procedure”, but has become a strategic governance standard. Educational businesses are operating in an environment where the trust of parents and students is their most valuable asset. Once data is mishandled or leaked, the loss is not only legal costs, but also the collapse of brand reputation—something no business model can compensate for.
In modern governance practice, personal data must be treated as a tangible asset: subject to management processes, auditing mechanisms, protective measures, and lawful exploitation strategies. This requires educational institutions not only to comply with the law, but also to go one step further—turning data compliance into a commitment of transparency to parents and society. By doing so, businesses not only mitigate legal risks but also build a foundation for expanding international cooperation, particularly in cross-border EdTech projects.
CDLAF’s perspective & recommendations
From our experience advising and working alongside major enterprises, CDLAF recommends that educational institutions should:
- Immediately prepare a Personal Data Processing Impact Assessment for children’s data and sensitive personal data.
- Conduct a comprehensive review of all training contracts, internal policies, and online platforms, and incorporate clauses on the collection and use of personal data.
- Appoint a data protection officer or a dedicated compliance team to ensure consistent adherence and minimize risks.
- Establish a regular audit mechanism and a data breach response plan to handle incidents effectively.
We believe that a transparent and standardized data strategy will not only strengthen the legal resilience of educational businesses but also foster sustainable growth by earning the trust of parents and students—an irreplaceable competitive advantage in the digital era.
Time of writing: 29/08/2025
This article contains general information for reference only. If you would like to receive legal opinions on issues you need clarified, please get in touch with our lawyer at info@cdlaf.vn

