{"id":13502,"date":"2025-12-19T13:13:39","date_gmt":"2025-12-19T06:13:39","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=13502"},"modified":"2025-12-19T13:17:42","modified_gmt":"2025-12-19T06:17:42","slug":"guidelines-for-drafting-the-personal-data-protection-plan-in-the-cross-border-personal-data-transfer-impact-assessment-dossier-part-1","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/guidelines-for-drafting-the-personal-data-protection-plan-in-the-cross-border-personal-data-transfer-impact-assessment-dossier-part-1\/","title":{"rendered":"Guidelines for Drafting the Personal Data Protection Plan in the Cross-Border Personal Data Transfer Impact Assessment Dossier (Part 1)"},"content":{"rendered":"<p>In the dossier for the <strong>Data Protection Impact Assessment (DPIA)<\/strong> under Decree No. 13\/2023\/N\u0110-CP \u2014 and, from January 1, 2026, referred to as the Cross-Border Personal Data Transfer Impact Assessment under the Personal Data Protection Law \u2014 enterprises are required to demonstrate that they have implemented measures to ensure the safety of personal data. This includes providing explanations on the standards applied, accompanying management measures, technical measures adopted, and regulations on inspecting the security of the cybersecurity system. Preparing this section requires close coordination between the legal, cybersecurity, IT, and operations teams, along with risk-management thinking aligned with international standards such as ISO\/IEC 27701, the GDPR, and other relevant data-governance models. 
Through this article, we will guide you on how to prepare this section in the cross-border personal data transfer impact assessment dossier.<\/p>\n<figure id=\"attachment_13382\" aria-describedby=\"caption-attachment-13382\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-13382\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/10\/pexels-serpstat-177219-572056-600x400.jpg\" alt=\"\" width=\"600\" height=\"400\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/10\/pexels-serpstat-177219-572056-600x400.jpg 600w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/10\/pexels-serpstat-177219-572056-1199x800.jpg 1199w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/10\/pexels-serpstat-177219-572056-768x512.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/10\/pexels-serpstat-177219-572056-1536x1025.jpg 1536w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/10\/pexels-serpstat-177219-572056-2048x1366.jpg 2048w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><figcaption id=\"caption-attachment-13382\" class=\"wp-caption-text\">Source: pexels-serpstat-177219-572056<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"1_Management_measures_and_plans_for_personal_data_protection\"><\/span>1. 
Management measures and plans for personal data protection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Depending on the specific sector as well as the categories of personal data that enterprises hold and transfer cross-border, enterprises will need to provide a detailed explanation of the measures they are applying to ensure the safety of personal data. In general, the content will focus on key points including management measures, technical measures, personnel, security systems, data backup, and similar matters that enterprises are implementing.<\/p>\n<p>First, with respect to management measures, these are understood as the methods and internal rules promulgated by enterprises to manage internal data. Accordingly, enterprises must record and demonstrate whether they have developed and issued any personal data protection policies, including the name, reference number\/code, and issuance date of each policy; which department is in charge of the enterprises\u2019 personal data; and whether there is an establishment decision specifying the functions, tasks, and powers of that department.<\/p>\n<p>In this section, enterprises must also demonstrate that, in addition to issuing policies, they have taken other actions to implement such policies in practice. Examples include regular monitoring of the company\u2019s cybersecurity and computer systems to check incoming and outgoing data, checking data security, evaluating the effectiveness of firewalls, maintaining weekly, monthly, or quarterly inspection schedules, and identifying whether the scope of inspections includes vulnerability scanning and access-log reviews.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Technical_measures\"><\/span>2. 
Technical measures<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Technical measures constitute an indispensable component in demonstrating that enterprises have implemented adequate measures to ensure the safety of personal data, particularly in the context of cross-border data transfers. Enterprises must therefore describe in detail the hardware, software, systems, equipment, and the purposes for which they are used. The analysis will primarily focus on the following key technical aspects:<\/p>\n<p><strong>Regarding network-layer protection<\/strong>, specifically firewalls, enterprises must record \u2026 The VLAN system must ensure clear segregation between sensitive data and internal operational data based on VLANs within the internal network.<\/p>\n<p><strong>Regarding server-protection methods, <\/strong>enterprises must clearly describe in the dossier the core protection measures adopted to secure their servers, for example:<\/p>\n<ul>\n<li>Implement data encryption, whereby enterprises use strong encryption algorithms (e.g., AES-256) for both data at rest and backup data to ensure that even in the event of unauthorized access, personal information cannot be exploited. Encryption during data transmission must be clearly documented and evidenced in the records.<\/li>\n<li>Apply secure data transmission protocols. To prevent eavesdropping or interference during information transmission, advanced security protocols such as <strong>TLS 1.3<\/strong> must be consistently deployed across the email system, connections to cloud infrastructure, or any external data storage platforms.<\/li>\n<li>Enterprises shall implement isolation of sensitive data, meaning that highly sensitive personal data must be stored in dedicated, segregated databases separate from other business systems. 
At the same time, access rights must be restricted to the maximum extent possible, ensuring that only specifically authorized individuals with a genuine business need are granted access.<\/li>\n<\/ul>\n<p><strong>Regarding the methods of protecting the enterprises\u2019 websites and applications<\/strong> \u2014 which are platforms holding a massive volume of personal data \u2014 enterprises must demonstrate that they have implemented control and protection measures, for example:<\/p>\n<p>Authentication and access authorization: enterprises should deploy <strong>Microsoft Active Directory<\/strong> or an equivalent centralized identity management system to manage personnel accounts. Login must be <strong>strengthened with multi-factor authentication (MFA)<\/strong> \u2014 combining a password with a one-time password (OTP), for example via Google Authenticator \u2014 to minimize the risk of account takeover.<\/p>\n<p>Periodic security assessment and penetration testing: to ensure applications remain in a secure state, enterprises should regularly conduct penetration testing and vulnerability assessments using specialized tools such as Nessus. This is a critical step to proactively identify and remediate weaknesses that could be exploited.<\/p>\n<p><strong>Endpoint protection:<\/strong> this refers to the enterprises\u2019 measures to control risks originating from end-user devices. Employee endpoint devices (laptops, PCs) are often the weakest link in the personal data security chain. Enterprises must protect these devices with integrated security tools, specifically ensuring that Windows Defender Firewall (or an equivalent solution) is enabled and properly configured on all devices that access personal data, thereby preventing unauthorized access and malware infiltration.<\/p>\n<p>Have enterprises enforced MFA in all scenarios where personal data is accessed from endpoint devices? 
Do enterprises implement <strong>MFA<\/strong> to reduce the risk of account leakage or unauthorized access?<\/p>\n<p>Continuous security patching: do enterprises ensure that all endpoint devices receive regular security updates and patches for the operating system and related applications in a timely manner, so that known vulnerabilities that could be exploited by attackers are promptly addressed?<\/p>\n<p><strong>Regarding data backup and recovery<\/strong>, enterprises will need to clearly present the backup software and systems used (for example, backups stored on AWS S3 and encrypted with AES-256), the backup plan (regular weekly or monthly backups to internal servers or to cloud storage platforms managed by the enterprise or provided by the storage service provider, together with the restoration procedure), what data is included in the backups, what tools are used, and how long the backup data is retained (for example, 5 years, or another period appropriate to each type of data).<\/p>\n<p>Thus, the personal data protection measures have been clearly defined in terms of scope and actual implementation methods. However, for the personal data protection plan within the Impact Assessment Report on Cross-Border Personal Data Transfer to be considered complete and sufficient, enterprises must further demonstrate that they have adopted appropriate standards and implemented measures related to cybersecurity, system security, etc. 
These contents will be presented in detail in <strong>Part 2<\/strong> through the application of recognized personal data protection standards and regular cybersecurity audits.<\/p>\n<p><strong><em>Time of writing<\/em><\/strong><em>: 26\/11\/2025<\/em><\/p>\n<p><em>This article contains general information of reference value only. If you need legal opinions on issues requiring clarification, please get in touch with our lawyers at <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n<div class=\"content-post-nd\">\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5519 size-full aligncenter\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png\" alt=\"\" width=\"1080\" height=\"600\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png 1080w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-720x400.png 720w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-768x427.png 768w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/><\/div>\n<\/div>\n<div class=\"content-post-nd\">\n<p><strong>Why choose CDLAF\u2019s service?<\/strong><\/p>\n<ul class=\"li-content\">\n<li>We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;<\/li>\n<li>We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;<\/li>\n<li>Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;<\/li>\n<li>As a Vietnamese law firm, we have a thorough understanding of Vietnam&#8217;s legal regulations, and grasp the psychology of employees, employers, and working methods at 
competent authorities;<\/li>\n<li>CDLAF&#8217;s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory;<\/li>\n<li>Strict information security procedures throughout the service performance and even after the service is completed.<\/li>\n<\/ul>\n<\/div>\n<p><strong style=\"color: #a32411;\">You can refer for more information:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/reviewing-payment-terms-under-double-taxation-agreements\/\">Reviewing payment terms under double taxation Agreements<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/procedures-for-handling-delayed-capital-contribution-in-an-investment-project\/\">Procedures for handling delayed capital contribution in an Investment project<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/legal-issues-arising-from-delays-in-extending-the-operational-term-of-investment-projects\/\">Legal issues arising from delays in extending the Operational term of Investment Projects<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/foreign-investors-and-how-to-establish-a-technology-company-in-vietnam-part-2\/\">Foreign investors and how to establish a technology company in Vietnam <\/a><br \/>(Part 2)<\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/foreign-investors-and-how-to-establish-a-technology-company-in-vietnam-part-1\/\">Foreign investors and how to establish a technology company in Vietnam <\/a><br \/>(Part 1)<\/li>\n<\/ul>\n\n","protected":false},"excerpt":{"rendered":"<p>In the 
dossier for the Data Protection Impact Assessment (DPIA) under Decree No. 13\/2023\/N\u0110-CP \u2014 and, from January 1, 2026, referred to as the Cross-Border Personal Data Transfer Impact Assessment under the Personal Data Protection Law \u2014 enterprises are required to demonstrate that they have implemented measures to ensure the safety of personal data. This&#8230;<\/p>\n","protected":false},"author":4,"featured_media":13382,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-13502","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=13502"}],"version-history":[{"count":2,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13502\/revisions"}],"predecessor-version":[{"id":13504,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13502\/revisions\/13504"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/13382"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=13502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=13502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=13502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}