{"id":13805,"date":"2026-01-22T13:14:05","date_gmt":"2026-01-22T06:14:05","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=13805"},"modified":"2026-01-22T13:16:43","modified_gmt":"2026-01-22T06:16:43","slug":"personal-data-protection-personnel-under-decree-356-in-house-implementation-or-hiring-professional-external-services","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/personal-data-protection-personnel-under-decree-356-in-house-implementation-or-hiring-professional-external-services\/","title":{"rendered":"Personal data protection Personnel under Decree 356: In-house Implementation or Hiring Professional External Services?"},"content":{"rendered":"<p><em>Under the Personal Data Protection Law 2025 and Decree No. 356\/2025\/ND-CP, businesses have the right to either appoint internal personnel or hire professional personal data protection services. Internal personal data protection personnel must hold at least a college degree, have a minimum of 02 years of relevant experience (in areas such as legal affairs, IT, risk management, etc.), and have completed specialized training. For organizations providing outsourced services, the entity must have appropriate business functions, possess at least 03 personnel meeting the required standards, and maintain a capability dossier demonstrating their ability to protect personal data. At present, due to the absence of detailed guidelines on in-depth training programs, establishing this function requires careful preparation of assignment documents and actual substantiated capability records.<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-12409\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/Trust-beyond-711x400.jpg\" alt=\"\" width=\"711\" height=\"400\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/Trust-beyond-711x400.jpg 711w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/Trust-beyond-1400x788.jpg 1400w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/Trust-beyond-768x432.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/Trust-beyond-1536x864.jpg 1536w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/Trust-beyond-2048x1152.jpg 2048w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/em><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of contents:<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #a32411;color:#a32411\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #a32411;color:#a32411\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/cdlaf.vn\/en\/personal-data-protection-personnel-under-decree-356-in-house-implementation-or-hiring-professional-external-services\/#1_What_conditions_must_the_personnel_or_department_responsible_for_personal_data_protection_PDP_within_the_enterprise_meet\" >1. What conditions must the personnel or department responsible for personal data protection (PDP) within the enterprise meet?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/cdlaf.vn\/en\/personal-data-protection-personnel-under-decree-356-in-house-implementation-or-hiring-professional-external-services\/#2_What_are_the_conditions_for_individuals_or_organizations_providing_personal_data_protection_services\" >2. What are the conditions for individuals or organizations providing personal data protection services?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/cdlaf.vn\/en\/personal-data-protection-personnel-under-decree-356-in-house-implementation-or-hiring-professional-external-services\/#SEND_CONSULTATION_REQUEST\" >SEND CONSULTATION REQUEST<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"1_What_conditions_must_the_personnel_or_department_responsible_for_personal_data_protection_PDP_within_the_enterprise_meet\"><\/span>1. What conditions must the personnel or department responsible for personal data protection (PDP) within the enterprise meet?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Pursuant to Clause 2, Article 33 of the Personal Data Protection Law 2025 (\u201cPDPL\u201d), enterprises are responsible for designating a department or personnel with sufficient capability to protect personal data, or for hiring organizations\/individuals providing personal data protection services.<\/p>\n<p>Accordingly, enterprises may appoint an <strong>internal department and\/or personnel<\/strong> to handle personal data protection depending on their scale and internal needs, provided that they meet the capability requirements prescribed by law or <strong>hire organizations\/individuals providing personal data protection services<\/strong>. In cases where an enterprise appoints its own personnel or department for personal data protection, such designation must be made in writing and clearly define the assignment, functions, duties, powers, and other requirements related to personal data protection work within the enterprise, as stipulated in Clause 1, Article 13 of Decree No. 356\/2025\/ND-CP (\u201cDecree 356\u201d).<\/p>\n<p>Personnel responsible for personal data protection, or members of the personal data protection department (if such a department is established), must satisfy the capability conditions set out in Clauses 2 and 3, Article 13 of Decree 356, specifically:<\/p>\n<ul>\n<li>Hold at least a college degree;<\/li>\n<li>Have at least 02 years of work experience (from the date of graduation) in one of the following fields: legal affairs, information technology, cybersecurity, data security, risk management, compliance control, human resource management, or organizational personnel affairs;<\/li>\n<li>Have completed training or professional development in laws and specialized skills related to personal data protection.<\/li>\n<\/ul>\n<p>Regarding the condition \u201c<em>have completed training or professional development in laws and specialized skills related to personal data protection<\/em>\u201d, currently neither the PDPL nor Decree 356 provides specific regulations or detailed guidance on the content of the training programs, training duration, or the competent entities authorized to organize such training or professional development courses.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_What_are_the_conditions_for_individuals_or_organizations_providing_personal_data_protection_services\"><\/span>2. What are the conditions for individuals or organizations providing personal data protection services?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Conditions for individuals providing personal data protection services are stipulated in Clause 2, Article 15 of Decree 356 as follows:<\/p>\n<ul>\n<li>Hold at least a college degree;<\/li>\n<li>Have at least 03 years of work experience (from the date of graduation) in one of the following fields: legal affairs, personal data processing, cybersecurity, data security, risk management, compliance control;<\/li>\n<li>Have completed in-depth training or professional development in laws and specialized skills related to personal data protection.<\/li>\n<\/ul>\n<p>Conditions for organizations providing personal data protection services are stipulated in Clause 1, Article 16 of Decree 356 as follow:<\/p>\n<ul>\n<li>Be an organization or enterprise having functions, tasks, or business lines\/sectors related to technology, law, or technology\/legal consulting, engaged by agencies or organizations to provide compliance consulting and perform personal data protection tasks as agreed;<\/li>\n<li>Have at least 03 personnel who fully satisfy the capability conditions required of individuals providing personal data protection services.<\/li>\n<\/ul>\n<p>Similar to the training requirement for internal personnel\/departments handling PDP, there are currently no specific regulations regarding the training programs content, duration, or competent authorities for organizing training\/professional development courses for individuals or organizations providing PDP services.<\/p>\n<p>In addition, Clause 2, Article 16 of Decree 356 requires organizations providing PDP services to prepare and maintain a capability dossier demonstrating their ability to protect personal data, and to provide this dossier to agencies or organizations that need to use their services. The dossier must demonstrate: business lines\/sectors; scale, scope, and experience in providing services; service provision policies; standards, qualifications, and capabilities of personnel; and relevant supporting documents and papers.<\/p>\n<p>The fact that Decree No. 356\/2025\/ND-CP raises the experience threshold to <strong>03 years<\/strong> for outsourced services (compared to 02 years for internal personnel) affirms the specialized nature of the Data Protection Officer (\u201cDPO\u201d) role as a distinct risk advisory function, rather than mere administrative support. Based on CDLAF\u2019s experience, enterprises need to shift their mindset from \u201chiring to complete formalities\u201d to \u201chiring to protect actual operations&#8221;.<\/p>\n<p>The key lies in the <strong>capability dossier<\/strong> of the consulting firm: a qualified organization must be able to demonstrate a combination of legal knowledge and technical control capabilities (technical control capabilities) from at least 03 dedicated specialists. In the current context where the Ministry of Public Security has not yet issued detailed guidance on in-depth training programs, the capability dossier serves as the most important \u201ccertificate of due diligence\u201d enabling enterprises to prove to inspection authorities that they have fully fulfilled their obligation to vet their partners. Therefore, selecting an organization with a robust incident response process and deep understanding of actual data flows not only ensures legal compliance but also serves as the best safeguard for the enterprise\u2019s reputation and financial position in the digital era of 2026.<\/p>\n<ul>\n<li>\n<h4><strong>Advisory email<\/strong> info@cdlaf.vn<\/h4>\n<\/li>\n<li>\n<h4><strong>Hotline:<\/strong> (+84) 909 668 216<\/h4>\n<\/li>\n<\/ul>\n<p><strong><em>Time<\/em><\/strong><strong><em> of writing<\/em><\/strong><em>: 02\/01\/2026<\/em><\/p>\n<p><em>The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer \u00a0at\u00a0 <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n<div class=\"content-post-nd\">\n<div style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5519 size-full aligncenter\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png\" alt=\"\" width=\"1080\" height=\"600\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG.png 1080w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-720x400.png 720w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2023\/05\/CHUONG-TRINH-THANG-768x427.png 768w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/><\/div>\n<\/div>\n<div class=\"content-post-nd\">\n<p><strong>Why choose CDLAF\u2019s service?<\/strong><\/p>\n<ul class=\"li-content\">\n<li>We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;<\/li>\n<li>We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;<\/li>\n<li>Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;<\/li>\n<li>As a Vietnamese law firm, we have a thorough understanding of Vietnam&#8217;s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;<\/li>\n<li>CDLAF&#8217;s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory.<\/li>\n<li>Strict information security procedures throughout the service performance and even after the service is completed.<\/li>\n<\/ul>\n<\/div>\n<p><strong style=\"color: #a32411;\">You can refer for more information:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/conditions-for-the-transfer-of-data-to-partners-to-be-considered-valid\/\">Conditions for the transfer of data to partners to be considered \u201cvalid\u201d<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/regulations-regarding-personal-data-under-current-personal-data-protection-law\/\">Regulations regarding Personal Data under current Personal Data Protection Law<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/data-and-legal-considerations-in-outsourcing-contracts-part-1\/\">Data and Legal Considerations in Outsourcing Contracts (Part 1)<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/tong-quan-cac-quy-dinh-moi-va-co-che-uu-dai-tai-nghi-dinh-354-2025-nd-cp-ve-khu-cong-nghe-so-tap-trung\/\">Overview of New Regulations and Incentive Mechanisms under Decree 354\/2025\/ND-CP on Concentrated Digital Technology Zones<\/a><\/li>\n<li><a href=\"https:\/\/cdlaf.vn\/en\/claims-for-damages-in-commercial-contracts\/\">Claims for Damages in Commercial Contracts<\/a><\/li>\n<\/ul>\n\n<div class=\"wpcf7 no-js\" id=\"wpcf7-f2681-o1\" lang=\"en-US\" dir=\"ltr\" data-wpcf7-id=\"2681\">\n<div class=\"screen-reader-response\"><p role=\"status\" aria-live=\"polite\" aria-atomic=\"true\"><\/p> <ul><\/ul><\/div>\n<form action=\"\/en\/wp-json\/wp\/v2\/posts\/13805#wpcf7-f2681-o1\" method=\"post\" class=\"wpcf7-form init\" aria-label=\"Contact form\" novalidate=\"novalidate\" data-status=\"init\">\n<fieldset class=\"hidden-fields-container\"><input type=\"hidden\" name=\"_wpcf7\" value=\"2681\" \/><input type=\"hidden\" name=\"_wpcf7_version\" value=\"6.1.5\" \/><input type=\"hidden\" name=\"_wpcf7_locale\" value=\"en_US\" \/><input type=\"hidden\" name=\"_wpcf7_unit_tag\" value=\"wpcf7-f2681-o1\" \/><input type=\"hidden\" name=\"_wpcf7_container_post\" value=\"0\" \/><input type=\"hidden\" name=\"_wpcf7_posted_data_hash\" value=\"\" \/>\n<\/fieldset>\n<h2 class=\"tt-form\"><span class=\"ez-toc-section\" id=\"SEND_CONSULTATION_REQUEST\"><\/span>SEND CONSULTATION REQUEST\n<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><label>Full name<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"full-name\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-text wpcf7-validates-as-required\" aria-required=\"true\" aria-invalid=\"false\" value=\"\" type=\"text\" name=\"full-name\" \/><\/span><br \/>\n<label>Email<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"email\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email\" aria-required=\"true\" aria-invalid=\"false\" value=\"\" type=\"email\" name=\"email\" \/><\/span><br \/>\n<label>Phone Number<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"phone\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-tel wpcf7-text wpcf7-validates-as-tel\" aria-invalid=\"false\" value=\"\" type=\"tel\" name=\"phone\" \/><\/span><br \/>\n<label>Message<\/label><br \/>\n<span class=\"wpcf7-form-control-wrap\" data-name=\"coment\"><textarea cols=\"40\" rows=\"10\" maxlength=\"2000\" class=\"wpcf7-form-control wpcf7-textarea\" aria-invalid=\"false\" name=\"coment\"><\/textarea><\/span><br \/>\n<input class=\"wpcf7-form-control wpcf7-submit has-spinner btn-yellow\" type=\"submit\" value=\"Send\" \/>\n<\/p><div class=\"wpcf7-response-output\" aria-hidden=\"true\"><\/div>\n<\/form>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Under the Personal Data Protection Law 2025 and Decree No. 356\/2025\/ND-CP, businesses have the right to either appoint internal personnel or hire professional personal data protection services. Internal personal data protection personnel must hold at least a college degree, have a minimum of 02 years of relevant experience (in areas such as legal affairs, IT,&#8230;<\/p>\n","protected":false},"author":4,"featured_media":12409,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-13805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=13805"}],"version-history":[{"count":2,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13805\/revisions"}],"predecessor-version":[{"id":13807,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13805\/revisions\/13807"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/12409"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=13805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=13805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=13805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}