{"id":12857,"date":"2025-09-05T12:58:47","date_gmt":"2025-09-05T05:58:47","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=12857"},"modified":"2025-09-05T15:55:19","modified_gmt":"2025-09-05T08:55:19","slug":"personal-data-management-in-the-education-sector-under-the-personal-data-protection-law","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/personal-data-management-in-the-education-sector-under-the-personal-data-protection-law\/","title":{"rendered":"Personal data management in the education sector under the Personal Data Protection Law"},"content":{"rendered":"<p>The Personal Data Protection Law, expected to take effect in early 2026, will pose significant challenges for businesses in the race to comply with data regulations. This is particularly critical for sectors that hold large volumes of personal information, such as education, healthcare, e-commerce, and banking &amp; finance. In this article, CDLAF shares key legal requirements on personal data that businesses in the education sector need to pay attention to in order to ensure compliance.<\/p>\n<figure id=\"attachment_9628\" aria-describedby=\"caption-attachment-9628\" style=\"width: 533px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-9628 size-large\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2024\/05\/pexels-junior-teixeira-1064069-2047905-533x800.jpg\" alt=\"\" width=\"533\" height=\"800\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2024\/05\/pexels-junior-teixeira-1064069-2047905-533x800.jpg 533w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2024\/05\/pexels-junior-teixeira-1064069-2047905-267x400.jpg 267w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2024\/05\/pexels-junior-teixeira-1064069-2047905-768x1152.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2024\/05\/pexels-junior-teixeira-1064069-2047905-1024x1536.jpg 1024w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2024\/05\/pexels-junior-teixeira-1064069-2047905-1365x2048.jpg 1365w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2024\/05\/pexels-junior-teixeira-1064069-2047905-scaled.jpg 1707w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><figcaption id=\"caption-attachment-9628\" class=\"wp-caption-text\">Source: pexels-junior-teixeira-1064069-2047905<\/figcaption><\/figure>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of contents:<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #a32411;color:#a32411\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #a32411;color:#a32411\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/cdlaf.vn\/en\/personal-data-management-in-the-education-sector-under-the-personal-data-protection-law\/#1_Personal_Data_Collected_by_Education_Companies_and_Schools\" >1. Personal Data Collected by Education Companies and Schools<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/cdlaf.vn\/en\/personal-data-management-in-the-education-sector-under-the-personal-data-protection-law\/#2_What_does_personal_data_law_require_from_educational_businesses\" >2. What does personal data law require from educational businesses?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/cdlaf.vn\/en\/personal-data-management-in-the-education-sector-under-the-personal-data-protection-law\/#3_What_should_educational_businesses_do_to_ensure_compliance\" >3. What should educational businesses do to ensure compliance?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/cdlaf.vn\/en\/personal-data-management-in-the-education-sector-under-the-personal-data-protection-law\/#SEND_CONSULTATION_REQUEST\" >SEND CONSULTATION REQUEST<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"1_Personal_Data_Collected_by_Education_Companies_and_Schools\"><\/span>1. Personal Data Collected by Education Companies and Schools<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Personal data is not merely information that identifies an individual, but also includes data from customers and related parties. It is both a valuable asset and a potential legal risk. Decree No. 13\/2023\/ND-CP on personal data protection, together with the upcoming Personal Data Protection Law, places strict compliance obligations on education businesses, especially since their primary subjects are children under 16 years old &#8211; who are afforded the highest level of legal protection under both Vietnamese and international law. So, what types of personal data are educational institutions, schools, and training centers currently collecting?<\/p>\n<p>Basic personal data (Basic PD), during the process of admissions, teaching, and management, educational businesses typically collect:<\/p>\n<p><strong>Identification information: <\/strong>full name, date of birth, gender, nationality, ID\/CCCD number, portrait photo, signature.<\/p>\n<p><strong>Contact information: <\/strong>address, phone number, email of students, parents, and teachers.<\/p>\n<p><strong>Academic information<\/strong>: learning outcomes, transcripts, certificates, teacher evaluations and comments.<\/p>\n<p><strong>Financial information:<\/strong> tuition fees, payment methods, account details if parents pay via bank transfer or e-wallet.<\/p>\n<p><strong>Professional\/educational background:<\/strong> qualifications, degrees, professional licenses of teachers and staff..<\/p>\n<p>Sensitive personal data (Sensitive PD), some of the data collected by educational businesses is legally classified as sensitive personal data, including:<\/p>\n<p><strong>Health data:<\/strong> student medical records (vaccinations, medical conditions, allergies, medical check-ups for school admission).<\/p>\n<p><strong>Location data:<\/strong> if schools\/centers use GPS systems or cameras to monitor student pick-up and drop-off.<\/p>\n<p><strong>Biometric data:<\/strong> fingerprints, facial recognition used for attendance or access control.<\/p>\n<p><strong>Private life information:<\/strong> family circumstances, household income, marital status of parents (which schools may require in applications for tuition waivers or scholarships).<\/p>\n<p><strong>Detailed financial information:<\/strong> bank card numbers, tuition payment transactions (which in certain cases may be considered sensitive).<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_What_does_personal_data_law_require_from_educational_businesses\"><\/span>2. What does personal data law require from educational businesses?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Under the current legal framework\u2014namely Decree No. 13\/2023\/ND-CP and the upcoming Personal Data Protection Law\u2014educational businesses must ensure that:<\/p>\n<p>The information collected, used, and stored by the company has obtained clear and explicit consent from the data subject (or from parents\/guardians in the case of students under 16). Such consent must be expressed in writing, electronically, or in another verifiable form.<\/p>\n<p>The company must provide full prior notice to data subjects before processing their data, including details on: types of data collected, purposes of use, retention periods, and any third parties with access (if applicable). At the same time, the company must only collect data within the necessary scope for training and management purposes and use it in accordance with those purposes. It must also establish security measures: encryption, access control, secure storage, and leak prevention. The company also needs to build mechanisms to fulfill the rights of the data subject regarding access, correction, withdrawal of consent, and the right to request data deletion.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3_What_should_educational_businesses_do_to_ensure_compliance\"><\/span>3. What should educational businesses do to ensure compliance?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Regarding contracts and legal terms, businesses will need to include personal data protection clauses in training contracts, student enrollment forms, and employment contracts with teachers.<\/p>\n<p>A <strong>Privacy Policy<\/strong> must also be developed and published openly on the website\/application, clearly explaining what types of data are collected, the purposes of use, and the rights of parents\/students.<\/p>\n<p>Within the <strong>Terms &amp; Conditions<\/strong>, provisions on data collection and processing should be included, along with disclaimers for technical limitations. An <strong>\u201cI agree\u201d checkbox <\/strong>must be applied before collecting data online.<\/p>\n<p><strong>For internal governance, <\/strong>businesses are required to maintain a Data Processing Record. Access rights to data should be strictly defined: teachers may only access academic information; accountants may only process financial data; the admissions department may only handle enrollment records. Set up a data breach response plan that clearly specifies the timeframe for notifying parents and competent authorities in the event of a data leak.<\/p>\n<p><strong>Carrying out mandatory administrative procedures on personal data:<\/strong><\/p>\n<p><strong>Develop a personal data processing impact assessment: <\/strong>Prepare the dossier ensuring that its contents reflect the company\u2019s actual operations and fully comply with statutory requirements; submit the original dossier to the competent authority (the Ministry of Public Security) within 60 days from the commencement of data processing; keep and maintain the dossier at the head office\/office at all times to serve inspections by competent authorities.<\/p>\n<p><strong>Develop a personal data transfer impact assessment <\/strong>(once the Personal Data Protection Law comes into force, this will be called the \u201c<strong>Cross-Border Personal Data Transfer Impact Assessment<\/strong>\u201d): Prepare the dossier ensuring that its contents reflect the company\u2019s actual operations and fully comply with statutory requirements; submit the original dossier to the competent authority (the Ministry of Public Security) within 60 days from the commencement of data transfer; keep and maintain the dossier at the head office\/office at all times to serve inspections by competent authorities.<\/p>\n<p>Protecting personal data in the education sector is no longer just a \u201cmandatory legal procedure\u201d, but has become a strategic governance standard. Educational businesses are operating in an environment where the trust of parents and students is their most valuable asset. Once data is mishandled or leaked, the loss is not only legal costs, but also the collapse of brand reputation\u2014something no business model can compensate for.<\/p>\n<p>In modern governance practice, personal data must be treated as a <strong>tangible asset<\/strong>: subject to management processes, auditing mechanisms, protective measures, and lawful exploitation strategies. This requires educational institutions not only to comply with the law, but also to go <strong>one step further<\/strong>\u2014turning data compliance into a commitment of transparency to parents and society. By doing so, businesses not only mitigate legal risks but also build a foundation for expanding international cooperation, particularly in cross-border EdTech projects.<\/p>\n<p><strong>CDLAF\u2019s perspective &amp; recommendations<\/strong><\/p>\n<p>From our experience advising and working alongside major enterprises,<strong> CDLAF recommends<\/strong> that educational institutions should:<\/p>\n<p><strong>Immediately prepare a Personal Data Processing Impact Assessment <\/strong>for children\u2019s data and sensitive personal data.<\/p>\n<p><strong>Conduct a comprehensive review of all training contracts, internal policies, and online platforms,<\/strong> and incorporate clauses on the collection and use of personal data.<\/p>\n<p><strong>Appoint a data protection officer <\/strong>or a dedicated compliance team to ensure consistent adherence and minimize risks.<\/p>\n<p><strong>Establish a regular audit mechanism<\/strong> and a data breach response plan to handle incidents effectively.<\/p>\n<p>We believe that a transparent and standardized data strategy will not only strengthen the legal resilience of educational businesses but also foster sustainable growth by earning the trust of parents and students\u2014an irreplaceable competitive advantage in the digital era.<\/p>\n<p><strong><em>Time of writing:<\/em><\/strong> 29\/08\/2025<\/p>\n<p><em>The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer \u00a0at\u00a0 <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n<div class=\"content-post-nd\">\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5519 size-full aligncenter\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png\" alt=\"\" width=\"1080\" height=\"600\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png 1080w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-720x400.png 720w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-768x427.png 768w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/><\/div>\n<\/div>\n<div class=\"content-post-nd\">\n<p><strong>Why choose CDLAF\u2019s service?<\/strong><\/p>\n<ul class=\"li-content\">\n<li>We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;<\/li>\n<li>We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;<\/li>\n<li>Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;<\/li>\n<li>As a Vietnamese law firm, we have a thorough understanding of Vietnam&#8217;s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;<\/li>\n<li>CDLAF&#8217;s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.<\/li>\n<li>Strict information security procedures throughout the service performance and even after the service is completed.<\/li>\n<\/ul>\n<\/div>\n<p><strong style=\"color: #a32411;\">You can refer for more information:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/rights-of-foreign-enterprises-in-importing-veterinary-medicines-and-equipment-and-distributing-them-in-vietnam\/\">Rights of foreign enterprises in importing veterinary medicines and equipment and distributing them in Vietnam<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/labor-regulations-are-they-truly-necessary-for-businesses-and-guidelines-for-drafting-part-2\/\">Labor Regulations \u2013 Are they truly necessary for Businesses and Guidelines for Drafting (Part 2)<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/labor-regulations-are-they-truly-necessary-for-businesses-and-guidelines-for-drafting-part-1\/\">Labor Regulations \u2013 Are they truly necessary for Businesses and Guidelines for Drafting (Part 1)<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/procedures-for-adjustment-of-investment-project-implementation-location-and-enterprise-headquarters-in-accordance-with-the-2025-legal-provisions\/\">Procedures for adjustment of investment project implementation location and enterprise headquarters in accordance with the 2025 legal provisions<\/a><\/li>\n<\/ul>\n\n<div class=\"wpcf7 no-js\" id=\"wpcf7-f2681-o1\" lang=\"en-US\" dir=\"ltr\" data-wpcf7-id=\"2681\">\n<div class=\"screen-reader-response\"><p role=\"status\" aria-live=\"polite\" aria-atomic=\"true\"><\/p> <ul><\/ul><\/div>\n<form action=\"\/en\/wp-json\/wp\/v2\/posts\/12857#wpcf7-f2681-o1\" method=\"post\" class=\"wpcf7-form init\" aria-label=\"Contact form\" novalidate=\"novalidate\" data-status=\"init\">\n<fieldset class=\"hidden-fields-container\"><input type=\"hidden\" name=\"_wpcf7\" value=\"2681\" \/><input type=\"hidden\" name=\"_wpcf7_version\" value=\"6.1.5\" \/><input type=\"hidden\" name=\"_wpcf7_locale\" value=\"en_US\" \/><input type=\"hidden\" name=\"_wpcf7_unit_tag\" value=\"wpcf7-f2681-o1\" \/><input type=\"hidden\" name=\"_wpcf7_container_post\" value=\"0\" \/><input type=\"hidden\" name=\"_wpcf7_posted_data_hash\" value=\"\" \/>\n<\/fieldset>\n<h2 class=\"tt-form\"><span class=\"ez-toc-section\" id=\"SEND_CONSULTATION_REQUEST\"><\/span>SEND CONSULTATION REQUEST\n<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><label>Full name<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"full-name\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-text wpcf7-validates-as-required\" aria-required=\"true\" aria-invalid=\"false\" value=\"\" type=\"text\" name=\"full-name\" \/><\/span><br \/>\n<label>Email<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"email\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email\" aria-required=\"true\" aria-invalid=\"false\" value=\"\" type=\"email\" name=\"email\" \/><\/span><br \/>\n<label>Phone Number<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"phone\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-tel wpcf7-text wpcf7-validates-as-tel\" aria-invalid=\"false\" value=\"\" type=\"tel\" name=\"phone\" \/><\/span><br \/>\n<label>Message<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"coment\"><textarea cols=\"40\" rows=\"10\" maxlength=\"2000\" class=\"wpcf7-form-control wpcf7-textarea\" aria-invalid=\"false\" name=\"coment\"><\/textarea><\/span><br \/>\n<input class=\"wpcf7-form-control wpcf7-submit has-spinner btn-yellow\" type=\"submit\" value=\"Send\" \/>\n<\/p><div class=\"wpcf7-response-output\" aria-hidden=\"true\"><\/div>\n<\/form>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>The Personal Data Protection Law, expected to take effect in early 2026, will pose significant challenges for businesses in the race to comply with data regulations. This is particularly critical for sectors that hold large volumes of personal information, such as education, healthcare, e-commerce, and banking &amp; finance. In this article, CDLAF shares key legal&#8230;<\/p>\n","protected":false},"author":4,"featured_media":9628,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-12857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/12857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=12857"}],"version-history":[{"count":2,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/12857\/revisions"}],"predecessor-version":[{"id":12859,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/12857\/revisions\/12859"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/9628"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=12857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=12857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=12857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}