{"id":13732,"date":"2026-01-07T14:58:22","date_gmt":"2026-01-07T07:58:22","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=13732"},"modified":"2026-01-14T11:25:18","modified_gmt":"2026-01-14T04:25:18","slug":"rights-of-personal-data-subjects-and-methods-of-obtaining-consent-under-decree-no-356-2025-nd-cp","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/rights-of-personal-data-subjects-and-methods-of-obtaining-consent-under-decree-no-356-2025-nd-cp\/","title":{"rendered":"Rights of Personal Data Subjects and methods of obtaining consent under Decree No. 356\/2025\/ND-CP"},"content":{"rendered":"<p><em>Under Decree No. 356\/2025\/ND-CP, the responsibilities of data processing organizations have been significantly strengthened, with strict statutory timelines, including: (1) Response to data subject requests: must respond to requests from personal data subjects within 02 working days, and complete the exercise of such rights within 10 to 20 days; (2) Valid consent: must be obtained through verifiable methods (such as written consent, audio recordings, or digital confirmations). The practice of \u201cdefault\u201d consent is strictly prohibited. Notably, Decree No.
356 places particular emphasis on the responsibility of data controllers to retain valid evidence of consent and to demonstrate transparency in the processing of sensitive personal data.<\/em><\/p>\n<figure id=\"attachment_13686\" aria-describedby=\"caption-attachment-13686\" style=\"width: 711px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-13686\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-jonas-svidras-785418-2-711x400.jpg\" alt=\"\" width=\"711\" height=\"400\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-jonas-svidras-785418-2-711x400.jpg 711w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-jonas-svidras-785418-2-1400x788.jpg 1400w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-jonas-svidras-785418-2-768x432.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-jonas-svidras-785418-2-1536x864.jpg 1536w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2026\/01\/pexels-jonas-svidras-785418-2.jpg 1920w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><figcaption id=\"caption-attachment-13686\" class=\"wp-caption-text\">Source: pexels-jonas-svidras-785418<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"1_How_are_the_Rights_of_Personal_data_Subjects_regulated_under_Decree_No_3562025ND-CP\"><\/span>1. How are the Rights of Personal Data Subjects regulated under Decree No. 356\/2025\/ND-CP?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Personal data subjects <\/strong>have the right to request withdrawal of consent for personal data processing, restriction of personal data processing, or objection to personal data processing, and data controllers and data processors must respond to such requests within 02 working days, provided that the requests are made in accordance with applicable procedures. At the same time, data controllers and data processors are required to provide the personal data subject with full information regarding the procedures for ceasing personal data processing and to complete such procedures within 15 days, except in cases where personal data processing does not require the data subject\u2019s consent pursuant to Article 19 of the Law on Personal Data Protection. Where it is necessary to require a data processor or a third party to cease processing the personal data of the data subject, such cessation must be completed within 20 days.<\/p>\n<p>Depending on the nature and complexity of the request, if an extension is required, the processing period may be extended once only, for a maximum additional period of 15 days.
In such cases, the data controller and\/or data processor must notify the personal data subject of the reasons for the extension and bear the burden of proving that such extension is necessary and reasonable.<\/p>\n<p><strong>Personal data subjects <\/strong>have the right to request data controllers and data processors to allow them to access their personal data, rectify or request rectification of their personal data and be provided with their personal data in accordance with the prescribed procedures. Data controllers and data processors must respond within 02 working days, provide full information on the relevant procedures, and complete the request within 10 days. Where it is necessary to require a data processor or a third party to rectify the personal data of the data subject, such rectification must be completed within 15 days.<\/p>\n<p>Depending on the nature and complexity of the request, an extension may be granted once only, for a maximum additional period of 10 days, provided that the data controller and\/or data processor informs the data subject of the reasons for the extension and proves that the extension is necessary and reasonable.<\/p>\n<p><strong>Personal data subjects <\/strong>have the right to request data controllers and data processors to delete their personal data in accordance with the prescribed procedures. Data controllers and data processors must respond within 02 working days, provide full information regarding the procedures, and complete the deletion within 20 days. Where it is necessary to require a data processor or a third party to provide, delete, or restrict the processing of the personal data of the data subject, such actions must be completed within 30 days.<\/p>\n<p>Depending on the nature and complexity of the request, in cases where an extension of the processing time is necessary, the extension may be granted for a maximum of one time and not exceeding 20 days. 
The personal data controller or the personal data controller and processor shall notify the data subject of the reasons for the extension and bear the responsibility to prove that the extension is necessary and reasonable.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Methods_of_Expressing_Consent_by_Personal_Data_Subjects\"><\/span>2. Methods of Expressing Consent by Personal Data Subjects<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Methods of obtaining consent from personal data subjects must ensure verifiability, including the ability to determine the identity of the personal data subject, the time at which consent was given, and the specific content to which consent was granted. Such methods include:<\/p>\n<ul>\n<li>Written consent;<\/li>\n<li>Recorded telephone calls;<\/li>\n<li>Consent via SMS syntax;<\/li>\n<li>Consent via email, websites, platforms, or applications equipped with technical mechanisms for obtaining consent;<\/li>\n<li>Other appropriate methods that can be printed, copied, or otherwise documented in writing, including electronic or other verifiable formats.<\/li>\n<\/ul>\n<p>Data controllers and data processors are required to retain records of consent. In the event of a dispute, the burden of proof regarding the data subject\u2019s consent rests with the data controller and\/or data processor. Data controllers and data processors are prohibited from establishing default consent mechanisms or creating unclear or misleading instructions that blur the distinction between consent and non-consent. Default settings must adhere to the principles of personal data protection and respect the rights of personal data subjects.<\/p>\n<p>For the processing of sensitive personal data, the personal data subject must be clearly informed that the data to be processed constitutes sensitive personal data.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3_CDLAFs_recommendation\"><\/span>3.
CDLAF\u2019s recommendation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Based on our experience in advising on and developing internal regulations for personal data protection compliance, as well as assisting clients with personal data procedures from the implementation of Decree No. 13\/2023\/ND-CP to the present, we observe that:<\/p>\n<p><strong>Personal data compliance is no longer a reactive exercise. <\/strong>Decree No. 356\/2025\/ND-CP requires enterprises to respond to personal data subject requests within 02 working days, except in limited special cases. This creates a genuine \u201ctime trap\u201d for businesses that continue to manage data manually. Without close coordination between the legal\/compliance teams and IT departments to establish automated request intake systems, standardized procedures for handling data subject requests, and incident response processes, the risk of missing statutory deadlines is extremely high\u2014particularly for enterprises with large workforces. Businesses should not allow a minor administrative oversight to escalate into a large-scale regulatory inspection on personal data protection.<\/p>\n<p><strong>Advisory on \u201cDigital Evidence\u201d (Audit Trail)<\/strong><\/p>\n<p>A key development under Decree No. 356 is the tightened obligation to prove valid consent. While it is generally understood that any confirmation between parties should be documented, Decree No. 356\/2025\/ND-CP does not leave this to assumption. Instead, it expressly specifies which forms of evidence are acceptable to substantiate a data subject\u2019s consent. Our consistent advice to clients is: \u201cDo not merely obtain consent\u2014retain evidence of that consent.\u201d Enterprises should build transparent log data systems that accurately record timestamps, IP addresses, and the specific version of the privacy policy accepted by the data subject.
In the digital era, evidence lies not in verbal assurances, but in system data.<\/p>\n<p><strong>Third-Party Contracts and Data Processing Partners. <\/strong>Many enterprises focus heavily on customer relationships while overlooking data processing partners (vendors). Businesses should promptly update Data Processing Agreements (DPAs) with all third parties to incorporate the 02-working-day response requirement.<\/p>\n<p>If a third-party processor fails to respond in a timely manner, it is the enterprise\u2014not the vendor\u2014that bears legal responsibility under the spirit and provisions of Decree No. 356\/2025\/ND-CP.<\/p>\n<p><strong><em>CDLAF &#8211; A unit specializing in providing services to obtain licenses to trade in cyber information security products and services and civil cryptography.<\/em><\/strong><\/p>\n<ul>\n<li>\n<h4><strong>Advisory email:<\/strong> info@cdlaf.vn<\/h4>\n<\/li>\n<li>\n<h4><strong>Hotline:<\/strong> (+84) 909 668 216<\/h4>\n<\/li>\n<\/ul>\n<p><strong><em>Time of writing<\/em><\/strong><em>: 02\/01\/2026<\/em><\/p>\n<p><em>The article contains general information for reference only. If you would like to receive legal opinions on issues you need clarified, please get in touch with our lawyer at <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n<div class=\"content-post-nd\">\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5519 size-full aligncenter\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png\" alt=\"\" width=\"1080\" height=\"600\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png 1080w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-720x400.png 720w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-768x427.png 768w\" sizes=\"auto, (max-width:
1080px) 100vw, 1080px\" \/><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Under Decree No. 356\/2025\/ND-CP, the responsibilities of data processing organizations have been significantly strengthened, with strict statutory timelines, including: (1) Response to data subject requests: must respond to requests from personal data subjects within 02 working days, and complete the exercise of such rights within 10 to 20 days.; (2) Valid consent: must be
obtained&#8230;<\/p>\n","protected":false},"author":4,"featured_media":13686,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-13732","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=13732"}],"version-history":[{"count":4,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13732\/revisions"}],"predecessor-version":[{"id":13765,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13732\/revisions\/13765"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/13686"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=13732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=13732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=13732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}