{"id":13796,"date":"2026-01-22T10:23:10","date_gmt":"2026-01-22T03:23:10","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=13796"},"modified":"2026-01-22T10:41:09","modified_gmt":"2026-01-22T03:41:09","slug":"data-and-legal-considerations-in-outsourcing-contracts-part-1","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/data-and-legal-considerations-in-outsourcing-contracts-part-1\/","title":{"rendered":"Data and Legal Considerations in Outsourcing Contracts (Part 1)"},"content":{"rendered":"<p><em>In modern governance models, the use of outsourcing services for functions such as accounting and payroll, HR, CRM, ERP, or IT managed services has become a standard practice to optimize costs and operational efficiency. However, this shift is creating a significant \u201clegal gap,\u201d where enterprises often assess outsourcing primarily from a technical perspective while overlooking actual data control rights. When data is stored on platforms such as cloud systems or processed by third parties with cross-border access rights, the boundary between \u201coutsourcing a service\u201d and \u201ctransferring control over data\u201d becomes increasingly blurred. 
This situation creates an urgent need for enterprises to verify their service providers\u2019 compliance with Vietnamese law in order to protect information assets and avoid violations related to personal data protection.<\/em><\/p>\n<h2><span class=\"ez-toc-section\" id=\"1_Level_of_access_to_data_from_the_outsourced_business_group\"><\/span>1. 
Level of access to data from the outsourced business group<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>From a legal perspective, outsourcing is not merely a matter of an enterprise \u201cpurchasing a service\u201d to replace internal resources. Each outsourcing decision\u2014especially in areas such as accounting and payroll, HR systems, CRM\/ERP, or IT managed services\u2014simultaneously constitutes a decision to grant data processing rights to a third party. When enterprises transfer employee data to a payroll service provider, or grant system access rights to an IT management provider, they are allowing another entity to directly manipulate, use, and influence the data, rather than merely \u201cperforming tasks on their behalf.\u201d<\/p>\n<p>Through our work with enterprises specializing in outsourcing services, we have observed that such enterprises typically establish security frameworks to safeguard clients\u2019 data. To achieve this, outsourcing providers, to varying extents, must rely on services from additional third parties\u2014most commonly enterprises that provide storage platforms, technology infrastructure, or software solutions.<\/p>\n<p><strong>From the perspective of the outsourcing service provider<\/strong>, given the scope of work to be performed by the outsourcing service provider and by third parties engaged by such providers, it can be observed that a large volume of personal data, enterprise data, and in particular sensitive personal data is accessed, held, stored, and processed by these service providers. 
However, at present, most contracts between the parties merely stop at recording the scope of work and stipulating that the service provider must keep information confidential and must not sell customer data. These contracts do not address responsibilities for data control and data processing in general, and personal data in particular; the methods of data protection; provisions on handling data-related violations; incident response procedures in the event of data leakage; or procedures for the receipt and management of customer data by the service provider. Moreover, pursuant to the current regulations on personal data protection as set out in the Law on Personal Data Protection and Decree No. 356\/2025\/ND-CP on personal data, compliance with the procedures prescribed by law is regarded as a prerequisite for outsourcing service providers to offer their services to customers.<\/p>\n<p><strong>From the customer\u2019s side,<\/strong> when engaging outsourcing service providers, it should be noted that in many outsourcing contracts, data access rights are granted overly broadly. Service providers may be allowed to access entire databases for system operation purposes, download data for processing, and even share data with technical subcontractors\u2014all of which is often covered by nothing more than a general confidentiality clause. At that point, the legal question is no longer whether \u201cthey keep the data confidential\u201d, but rather <strong>what the legal role of each party is within the data processing chain. <\/strong>Is the enterprise the data controller\u2014the party that determines the purposes and scope of data processing? Is the partner merely a data processor, acting solely on the enterprise\u2019s instructions? Or, in practice, are both parties jointly determining the manner of data processing, thereby creating a situation of <strong>joint controllership <\/strong>that many enterprises fail to recognize? 
The failure to identify, or the misidentification of, these roles is a common reason why enterprises are unable to establish appropriate control mechanisms and consequently lose legal leverage when disputes arise or when they are subject to inspections.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Legal_risks_arising_from_the_transfer_of_enterprise_and_customer_data_to_third_parties\"><\/span>2. Legal risks arising from the transfer of enterprise and customer data to third parties<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before addressing the mechanisms that need to be established to protect enterprise data and personal data of users, employees, and the enterprise\u2019s own customers, based on my experience in corporate legal advisory work as well as my role as a personal data protection expert, I would like to draw the attention of enterprises\u2014whether acting as customers or as service providers\u2014to several legal risks that should be carefully considered, particularly in the context where the Government is intensifying data compliance enforcement.<\/p>\n<p><strong>Risk relating to the legality of data transfer.<\/strong> In many outsourcing models and in the provision of data storage platforms and online working platforms, enterprises often implicitly assume that transferring data to partners is lawful because it is an \u201cobvious\u201d operational necessity. However, the law does not assess legality based on an enterprise\u2019s internal operational needs, but rather on the existence of <strong>a specific legal basis<\/strong> corresponding to each data processing purpose. If an enterprise has not obtained valid consent from data subjects, or if such consent is collected in a formalistic or overly general manner that does not accurately reflect the actual scope of processing, then the entire chain of data transfers to third parties may be deemed to exceed the legally permissible limits. 
The risk becomes even more significant when the data is subsequently used for additional purposes\u2014such as analysis, system optimization, algorithm training, or multi-platform integration\u2014while these purposes were never disclosed to, nor approved by, the data subjects from the outset. All of these elements are interrelated and may be understood as follows: where an enterprise has not obtained valid consent from data subjects (employees, customers, users, etc.) and has not fully established the conditions required by law, any data transfer in such circumstances cannot be considered \u201clegally compliant\u201d as a matter of course.<\/p>\n<p><strong>Risk of losing effective control over data. <\/strong>On paper, enterprises may still be the \u201cdata owner\u201d; however, in practice, they may not know precisely where the data is being stored, at which data centers backups are maintained, who has direct access rights, or how long the data will be retained after the contract has terminated. In many complex cloud and outsourcing models, data access is not confined to a single service provider, but extends to subcontractors (sub-processors), technical teams located in multiple countries, and intermediary systems used for backup, analysis, or technical support purposes. If contracts do not strictly limit and control these access rights, enterprises will find it extremely difficult to demonstrate that they continue to maintain the necessary level of control over the data.<\/p>\n<p>It should be noted that each country has its own legal framework and level of data protection. Enterprises may inadvertently become part of a cross-border data transfer chain without having sufficient information to assess the associated risks, let alone to proactively control or suspend such transfers when necessary. 
In such circumstances, data control exists more in theory, while actual control has become fragmented and dispersed.<\/p>\n<p><strong>Risk arising when a data incident occurs. <\/strong>When data is lost, unauthorized access takes place, or a data leak involving employee or customer information occurs, the issue is not merely a technical problem or a matter of brand reputation. From a legal perspective, such an incident immediately places the enterprise at the center of liability. When regulatory authorities intervene, they will not only ask \u201chow did the incident occur,\u201d but more importantly, whether the enterprise has fully complied with the obligations imposed by the Law on Personal Data Protection, the Law on Data, and other relevant regulations. They will also examine what measures the enterprise has implemented to prevent and control risks arising from its partners. If, in practice, the enterprise has not implemented any meaningful compliance measures, it will be extremely difficult to demonstrate that it has fulfilled its risk governance obligations.<\/p>\n<p>In summary, in the digital era, outsourcing is not merely the procurement of services, but a transfer of legal responsibility over data assets. Enterprises cannot rely on a generic confidentiality undertaking in a contract to safeguard information security. They should not wait until a data breach occurs or until a competent authority initiates an inspection to revisit outsourcing agreements. In a context where the Government is intensifying the enforcement of Decree No. 356\/2025\/ND-CP, compliance is no longer a matter of choice, but a prerequisite for enterprises to maintain sustainable business operations. At CDLAF, I consistently emphasize to clients that a secure outsourcing contract must be designed on the basis of a deep understanding of technical data flows, combined with robust legal safeguards. 
Only when you are able to control your partners throughout the entire data lifecycle can you truly claim ownership of your own data.<\/p>\n<p><strong><em>Time<\/em><\/strong><strong><em> of writing<\/em><\/strong><em>: 02\/01\/2026<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In modern governance models, the use of outsourcing services for functions such as accounting and payroll, HR, CRM, ERP, or IT managed services has become a standard practice to optimize costs and operational efficiency. 
However, this shift is creating a significant \u201clegal gap,\u201d where enterprises often assess outsourcing primarily from a technical perspective while overlooking&#8230;<\/p>\n","protected":false},"author":4,"featured_media":11091,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-13796","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=13796"}],"version-history":[{"count":2,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13796\/revisions"}],"predecessor-version":[{"id":13798,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13796\/revisions\/13798"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/11091"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=13796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=13796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=13796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}