{"id":13809,"date":"2026-01-22T13:40:10","date_gmt":"2026-01-22T06:40:10","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=13809"},"modified":"2026-01-22T13:52:58","modified_gmt":"2026-01-22T06:52:58","slug":"internal-control-responsibilities-and-data-sharing-within-organizations","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/internal-control-responsibilities-and-data-sharing-within-organizations\/","title":{"rendered":"Internal control responsibilities and data sharing within organizations"},"content":{"rendered":"<p><em>The promulgation of the Law on Personal Data Protection 2025 and Decree No. 356\/2025\/ND-CP has marked a significant legal turning point, shifting the data protection framework from discretionary recommendations to mandatory obligations subject to strict sanctions. One of the critical amendments is the codification of the Data Controller\u2019s responsibility to establish internal control systems. Currently, the mindset that &#8220;internal data can be freely shared&#8221; still persists in many enterprises; however, when assessed against current regulations, this perspective poses serious legal risks. 
This article focuses on analyzing control responsibilities and internal data-sharing principles to ensure legal compliance.<\/em><\/p>\n<figure id=\"attachment_12102\" aria-describedby=\"caption-attachment-12102\" style=\"width: 533px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-12102\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/pexels-kindelmedia-6774148-1-533x400.jpg\" alt=\"\" width=\"533\" height=\"400\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/pexels-kindelmedia-6774148-1-533x400.jpg 533w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/pexels-kindelmedia-6774148-1-1067x800.jpg 1067w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/pexels-kindelmedia-6774148-1-768x576.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/pexels-kindelmedia-6774148-1-1536x1152.jpg 1536w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/07\/pexels-kindelmedia-6774148-1-2048x1536.jpg 2048w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><figcaption id=\"caption-attachment-12102\" class=\"wp-caption-text\">Source: pexels-kindelmedia-6774148<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"1_Responsibility_to_Establish_an_Internal_Control_System\"><\/span>1. Responsibility to Establish an Internal Control System<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Under the Law on Personal Data Protection 2025, enterprises acting as Data Controllers and Data Processors must bear end-to-end responsibility for the data processing process, rather than merely for the outcome.<\/p>\n<p><strong>Development and Implementation of Operating Procedures <\/strong><\/p>\n<p>Enterprises are obligated to integrate data protection measures from the design stage of their operating procedures, rather than applying remedial solutions only after an incident occurs. Specifically:<\/p>\n<ul>\n<li><strong>Data Classification: <\/strong>Enterprises must clearly distinguish between Basic Data and Sensitive Data in accordance with the list in Decree No. 356\/2025\/ND-CP at the time of collection to apply commensurate security measures (e.g., encryption for sensitive data).<\/li>\n<li><strong>System Logs:<\/strong> The system must be capable of automatically recording all access, copying, and extraction activities by internal personnel to serve inspection and examination activities by competent state authorities.<\/li>\n<li><strong>Incident Response:<\/strong> Establish a mechanism to report violations to the competent authority and the personal data subject within a maximum of 72 hours from the detection of the incident.<\/li>\n<li><strong>Ensuring Data Subject Rights:<\/strong> The system must be standardized to meet the deadlines under Decree No. 
356\/2025\/ND-CP, including: Confirmation of Request: Respond within 02 working days from receipt of the request; Right to View\/Edit: Complete within 10 days (or 15 days if via a third party); Request to Withdraw Consent\/Restrict Processing: Complete within 15 days (or 20 days if via a third party); Request to Delete Data: Complete within 20 days (or 30 days if via a third party).<\/li>\n<\/ul>\n<p><em>Note:<\/em> Departments must eliminate decentralized storage (fragmented personal files, emails) and plan for a centralized data system to ensure retrievability and effective deletion.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Training_and_Awareness_Enhancement\"><\/span>2. Training and Awareness Enhancement<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Decree No. 356\/2025\/ND-CP requires enterprises to develop plans and conduct training not only for specialized teams but for the entire workforce on data protection risks and procedures. Any violation arising from human error (such as misdirected emails or malware-infected devices) is considered a direct breach of the Data Controller&#8217;s obligations.<\/p>\n<p><strong>Strengthening Personal Data Protection Personnel <\/strong><\/p>\n<p>Enterprises are required to appoint a personal data protection department or designated personnel, or to outsource this function (except for small enterprises\/startups in their first five years of operation, which are eligible for a temporary exemption mechanism).<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a> The appointed personnel must meet the following standards: hold a college degree or higher, have a minimum of 02 years of relevant experience (Law, IT, etc.), and possess a data protection training certificate. 
This serves as the focal point responsible for monitoring<a href=\"#_ftn2\" name=\"_ftnref2\">[2]<\/a> and liaising with functional authorities.<\/p>\n<p><strong>Personal Data Processing Impact Assessment (DPIA)<\/strong><\/p>\n<p>This is a continuous risk control process, not a one-time administrative formality. The DPIA dossier must be established from the commencement of data processing, describing data flows, purposes, risks, and mitigation measures. The dossier must be submitted to the Department of Cybersecurity and High-Tech Crime Prevention within 60 days and updated periodically every 06 months.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3_Control_of_Internal_Data_Sharing\"><\/span>3. Control of Internal Data Sharing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Enterprises need to eliminate the mindset that \u201cinternal data is shared property\u201d. The transfer of data between departments (e.g., HR transferring to Accounting, Sales transferring to Marketing) is legally considered a data processing activity and entails significant legal risks if uncontrolled. Internal sharing activities must strictly adhere to the following principles:<\/p>\n<ul>\n<li><strong>Proper Purpose:<\/strong> Data may only be shared and used for the purposes notified to the data subject. 
Arbitrary use for newly arising purposes without supplementary consent is strictly prohibited (e.g., delivery data cannot automatically be used for product marketing).<\/li>\n<li><strong>Data Minimization and Necessity:<\/strong> Apply a granular authorization mechanism, ensuring departments only access the minimum amount of data necessary to execute their duties (e.g., Customer Service does not need access to bank account information unless processing refunds).<\/li>\n<li><strong>Approval Process:<\/strong> Large-scale data sharing between departments must be approved by the data protection personnel or the Head of the department owning the data, accompanied by a written confidentiality commitment from the receiving party.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"4_Compliance_Recommendations\"><\/span>4. Compliance Recommendations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To minimize legal risks and ensure compliance with the Law on Personal Data Protection 2025, enterprises need to deploy the following solutions in a coordinated manner:<\/p>\n<ul>\n<li><strong>Review Data Flows: <\/strong>Coordinate across departments to clearly define data paths and storage locations.<\/li>\n<li><strong>Institutionalize Regulations: <\/strong>Promulgate Internal Data Protection Regulations, concretize legal provisions into company rules, and establish disciplinary sanctions for violations.<\/li>\n<li><strong>Awareness Training: <\/strong>Conduct mandatory training, especially for personnel who frequently access sensitive data.<\/li>\n<li><strong>Establish Technical Barriers: <\/strong>Coordinate with the IT department to deploy security layers, encryption, and detailed access authorization systems.<\/li>\n<\/ul>\n<p>Compliance with the Law on Personal Data Protection 2025 is not merely a legal obligation but a key factor in protecting the enterprise&#8217;s reputation and financial stability. 
A robust internal control system combined with transparent data sharing processes serves as an effective shield against legal risks in the digital era.<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> Law on Personal Data Protection 2025, Article 38; Decree 356\/2025\/ND-CP, Article 41<\/p>\n<p><a href=\"#_ftnref2\" name=\"_ftn2\">[2]<\/a> Decree 356\/2025\/ND-CP, Article 13, Clause 2<\/p>\n<p><strong><em>Time<\/em><\/strong><strong><em> of writing<\/em><\/strong><em>: 02\/01\/2026<\/em><\/p>\n<p><em>The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer \u00a0at\u00a0 <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The promulgation of the Law on Personal Data Protection 2025 and Decree No. 356\/2025\/ND-CP has marked a significant legal turning point, shifting the data protection framework from discretionary recommendations to mandatory obligations subject to strict sanctions. One of the critical amendments is the codification of the Data Controller\u2019s responsibility to establishing internal control systems. 
Currently,&#8230;<\/p>\n","protected":false},"author":4,"featured_media":12102,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-13809","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=13809"}],"version-history":[{"count":3,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13809\/revisions"}],"predecessor-version":[{"id":13815,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/13809\/revisions\/13815"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/12102"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=13809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=13809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=13809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}