{"id":13234,"date":"2025-10-21T15:42:04","date_gmt":"2025-10-21T08:42:04","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=13234"},"modified":"2025-10-21T15:57:09","modified_gmt":"2025-10-21T08:57:09","slug":"sensitive-data-what-your-business-might-be-handling-without-knowing-it","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/sensitive-data-what-your-business-might-be-handling-without-knowing-it\/","title":{"rendered":"Sensitive Data: What your business might be handling without knowing it"},"content":{"rendered":"<p>According to the Personal Data Protection Law 2025, <strong><em>sensitive data<\/em><\/strong> refers to information that, if disclosed, misused, or illegally exploited, could infringe upon an individual\u2019s honor, dignity, property, life, freedom, or privacy; or directly affect the lawful rights and interests of businesses, individuals, and organizations protected by law. In practice, following a series of user data leaks, the legal framework governing personal data protection has recently been strengthened to better regulate emerging activities related to personal data, including sensitive personal data.<\/p>\n<p>In the current context of diversified business activities and working methods and the rapid development of digital technology and AI, enterprises are holding a vast amount of sensitive personal data. The law imposes specific obligations on them so that they truly understand which types of sensitive personal data they possess and which legal obligations they must comply with when collecting, processing, or transferring such data, actions that enterprises sometimes perform without fully realizing it. 
The following article will provide a clearer discussion of this matter.<\/p>\n<figure id=\"attachment_13235\" aria-describedby=\"caption-attachment-13235\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-13235 size-full\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/10\/pexels-asphotography-95916-600x400-1.jpg\" alt=\"\" width=\"600\" height=\"400\" \/><figcaption id=\"caption-attachment-13235\" class=\"wp-caption-text\">Source: pexels-asphotography-95916<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"1_When_every_sector_encounters_sensitive_data\"><\/span>1. When every sector encounters sensitive data<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><em>Sensitive personal data<\/em> refers to personal data associated with an individual\u2019s privacy, the infringement of which directly affects the lawful rights and interests of agencies, organizations, and individuals, as listed in the categories promulgated by the Government. It is not only banks or hospitals that process sensitive data. 
Today, any enterprise that digitalizes its operations \u2014 from human resources to marketing \u2014 may be operating within this high-risk legal zone.<\/p>\n<p>So, what types of information are considered sensitive data? Currently, the Personal Data Protection Law has not yet provided detailed provisions on this matter. However, Decree No. 13\/2023\/N\u0110-CP has enumerated categories of information understood to constitute sensitive personal data, and we observe that when sub-law documents are issued to provide further guidance, they will, to some extent, inherit the principles of the existing regulations. Accordingly, sensitive personal data includes data relating to:<\/p>\n<ul>\n<li>Political opinions and religious beliefs;<\/li>\n<li>Health status and private life recorded in medical records, excluding information about blood type;<\/li>\n<li>Information relating to racial or ethnic origin;<\/li>\n<li>Information concerning inherited or acquired genetic characteristics of an individual;<\/li>\n<li>Information about physical attributes and unique biological characteristics of an individual;<\/li>\n<li>Data on crimes and criminal acts collected and stored by law enforcement authorities;<\/li>\n<li>Customer information held by credit institutions, branches of foreign banks, providers of intermediary payment services, and other authorized organizations, including: identification information of customers as prescribed by law; account information; deposit information; asset custody information; transaction information; and information on organizations or individuals acting as guarantors at credit institutions, bank branches, or intermediary payment service providers;<\/li>\n<li>Location data of individuals determined through location-based services;<\/li>\n<li>Other types of personal data prescribed by law as special and requiring appropriate security measures.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" 
id=\"2_Which_sectors_are_holding_large_volumes_of_sensitive_personal_data\"><\/span>2. Which sectors are holding large volumes of sensitive personal data?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The first to be mentioned is the healthcare sector. Hospitals, health check-up centers, and testing laboratories do not merely store personal data; they currently hold a vast amount of sensitive data belonging to individuals undergoing medical examination and treatment. Such sensitive data is recorded in medical records, test results, genetic data, and psychological conditions, and even includes health-related habits collected from wearable devices. In certain cases, sensitive data is transferred across borders for testing or diagnosis that cannot yet be performed in Vietnam.<\/p>\n<p>Next is the group comprising the financial, banking, and insurance sectors. Recently, a number of leaks of users\u2019 credit information have raised alarming concerns about the management and control of personal data security, particularly regarding sensitive personal data. We will not, for the time being, discuss the extent of damage caused by data breaches involving financial and banking data as compared to those in other sectors. However, we can first recognize that leaks of sensitive information such as account numbers, transactions, credit histories, eKYC facial images, fingerprints, or insurance beneficiary information may lead to fraud, asset misappropriation, or money laundering. 
Therefore, the Personal Data Protection Law 2025 requires financial institutions to comply with relevant legal provisions; to apply measures for preventing unauthorized access, use, disclosure, or modification of customers\u2019 personal data; to establish solutions for restoring customers\u2019 personal data in case of loss; and to ensure confidentiality during the collection, provision, and processing of customers\u2019 personal data for credit information assessment purposes.<\/p>\n<p>In addition, sectors such as sociology, application development, and e-commerce are also collecting a large volume of sensitive data. When the law comes into effect together with accompanying sanctions such as penalties or suspension of data-related activities, we believe that these sectors and fields should take the lead in complying with legal provisions on personal data protection so that, at the very least, their business operations will not be disrupted.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3_Core_legal_obligations_regarding_sensitive_data\"><\/span>3. Core legal obligations regarding sensitive data<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Personal Data Protection Law has not yet specified the obligations that enterprises holding sensitive data must perform; the requirements it imposes on enterprises in protecting sensitive data will be set out in more detail once the implementing regulations are issued. Decree No. 13\/2023\/N\u0110-CP, for its part, stipulates that enterprises must apply measures to protect sensitive personal data, such as designating a department in charge of personal data protection, appointing personnel responsible for personal data protection, and exchanging information about such department and personnel with the specialized authority for personal data protection. 
In cases where the Personal Data Controller, the Personal Data Controller and Processor, the Personal Data Processor, or the Third Party is an individual, the information of the individual performing such function must be provided. The data subject must also be informed that his or her sensitive personal data is being processed.<\/p>\n<p>In the context where the Personal Data Protection Law 2025 has become the legal framework governing all data processing activities, understanding, controlling, and demonstrating compliance with respect to sensitive data is no longer a choice but a mandatory requirement. CDLAF accompanies enterprises in building data maps, conducting Data Protection Impact Assessments (DPIA), and establishing sensitive data governance frameworks, helping organizations move from reactive compliance to proactive risk management, thereby protecting both trust and brand value in the era of the data-driven economy.<\/p>\n<p><strong><em>Time of writing<\/em><\/strong><em>: October 14, 2025<\/em><\/p>\n<p><em>The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer \u00a0at\u00a0 <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to the Personal Data Protection Law 2025, sensitive data refers to information that, if disclosed, misused, or illegally exploited, could infringe upon an individual\u2019s honor, dignity, property, life, freedom, or privacy; or directly affect the lawful rights and interests of businesses, individuals, and organizations protected by law. 
In practice, following a series of User&#8230;<\/p>\n","protected":false},"author":4,"featured_media":13235,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-13234","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=13234"}],"version-history":[{"count":2,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13234\/revisions"}],"predecessor-version":[{"id":13238,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13234\/revisions\/13238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/13235"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=13234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=13234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=13234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}