Under the Personal Data Protection Law 2025 and Decree No. 356/2025/ND-CP, businesses have the right to either appoint internal personnel or hire professional personal data protection services. Internal personal data protection personnel must hold at least a college degree, have a minimum of 02 years of relevant experience (in areas such as legal affairs, IT, risk management, etc.), and have completed specialized training. For organizations providing outsourced services, the entity must have appropriate business functions, possess at least 03 personnel meeting the required standards, and maintain a capability dossier demonstrating their ability to protect personal data. At present, due to the absence of detailed guidelines on in-depth training programs, establishing this function requires careful preparation of assignment documents and actual substantiated capability records.
1. What conditions must the personnel or department responsible for personal data protection (PDP) within the enterprise meet?
Pursuant to Clause 2, Article 33 of the Personal Data Protection Law 2025 (“PDPL”), enterprises are responsible for designating a department or personnel with sufficient capability to protect personal data, or for hiring organizations/individuals providing personal data protection services.
Accordingly, enterprises may appoint an internal department and/or personnel to handle personal data protection depending on their scale and internal needs, provided that they meet the capability requirements prescribed by law or hire organizations/individuals providing personal data protection services. In cases where an enterprise appoints its own personnel or department for personal data protection, such designation must be made in writing and clearly define the assignment, functions, duties, powers, and other requirements related to personal data protection work within the enterprise, as stipulated in Clause 1, Article 13 of Decree No. 356/2025/ND-CP (“Decree 356”).
Personnel responsible for personal data protection, or members of the personal data protection department (if such a department is established), must satisfy the capability conditions set out in Clauses 2 and 3, Article 13 of Decree 356, specifically:
- Hold at least a college degree;
- Have at least 02 years of work experience (from the date of graduation) in one of the following fields: legal affairs, information technology, cybersecurity, data security, risk management, compliance control, human resource management, or organizational personnel affairs;
- Have completed training or professional development in laws and specialized skills related to personal data protection.
Regarding the condition “have completed training or professional development in laws and specialized skills related to personal data protection”, currently neither the PDPL nor Decree 356 provides specific regulations or detailed guidance on the content of the training programs, training duration, or the competent entities authorized to organize such training or professional development courses.
2. What are the conditions for individuals or organizations providing personal data protection services?
Conditions for individuals providing personal data protection services are stipulated in Clause 2, Article 15 of Decree 356 as follows:
- Hold at least a college degree;
- Have at least 03 years of work experience (from the date of graduation) in one of the following fields: legal affairs, personal data processing, cybersecurity, data security, risk management, compliance control;
- Have completed in-depth training or professional development in laws and specialized skills related to personal data protection.
Conditions for organizations providing personal data protection services are stipulated in Clause 1, Article 16 of Decree 356 as follows:
- Be an organization or enterprise having functions, tasks, or business lines/sectors related to technology, law, or technology/legal consulting, engaged by agencies or organizations to provide compliance consulting and perform personal data protection tasks as agreed;
- Have at least 03 personnel who fully satisfy the capability conditions required of individuals providing personal data protection services.
Similar to the training requirement for internal personnel/departments handling PDP, there are currently no specific regulations regarding the content or duration of training programs, or the competent authorities for organizing training/professional development courses for individuals or organizations providing PDP services.
In addition, Clause 2, Article 16 of Decree 356 requires organizations providing PDP services to prepare and maintain a capability dossier demonstrating their ability to protect personal data, and to provide this dossier to agencies or organizations that need to use their services. The dossier must demonstrate: business lines/sectors; scale, scope, and experience in providing services; service provision policies; standards, qualifications, and capabilities of personnel; and relevant supporting documents and papers.
The fact that Decree No. 356/2025/ND-CP raises the experience threshold to 03 years for outsourced services (compared to 02 years for internal personnel) affirms the specialized nature of the Data Protection Officer (“DPO”) role as a distinct risk advisory function, rather than mere administrative support. Based on CDLAF’s experience, enterprises need to shift their mindset from “hiring to complete formalities” to “hiring to protect actual operations”.
The key lies in the capability dossier of the consulting firm: a qualified organization must be able to demonstrate a combination of legal knowledge and technical control capabilities from at least 03 dedicated specialists. In the current context where the Ministry of Public Security has not yet issued detailed guidance on in-depth training programs, the capability dossier serves as the most important “certificate of due diligence” enabling enterprises to prove to inspection authorities that they have fully fulfilled their obligation to vet their partners. Therefore, selecting an organization with a robust incident response process and deep understanding of actual data flows not only ensures legal compliance but also serves as the best safeguard for the enterprise’s reputation and financial position in the digital era of 2026.
Time of writing: 02/01/2026
This article contains general information for reference purposes. If you would like to receive legal opinions on issues you need clarified, please get in touch with our lawyers at info@cdlaf.vn.

