{"id":14549,"date":"2026-04-17T08:25:26","date_gmt":"2026-04-17T01:25:26","guid":{"rendered":"https:\/\/cdlaf.vn\/?p=14549"},"modified":"2026-04-17T08:29:33","modified_gmt":"2026-04-17T01:29:33","slug":"guidelines-for-drafting-a-personal-data-protection-policy-under-the-new-law-part-1","status":"publish","type":"post","link":"https:\/\/cdlaf.vn\/en\/guidelines-for-drafting-a-personal-data-protection-policy-under-the-new-law-part-1\/","title":{"rendered":"Guidelines for Drafting a Personal Data Protection Policy Under the New Law (Part 1)"},"content":{"rendered":"<p><em>A personal data protection policy is a mandatory document that every enterprise must develop to comply with the provisions of the Law on Personal Data Protection and Decree No. 356\/2026\/ND-CP. Depending on the business sector, the extent of data collection, the applied technology, and various other factors, the enterprise\u2019s PD protection policy will vary. 
However, in general, a personal data protection policy must clearly stipulate the enterprise&#8217;s role as a personal data controller or a personal data controller-cum-processor for each type of personal data, the types of personal data (<strong>&#8220;PD&#8221;<\/strong>) collected by the company, protection measures, methods for recording and managing the data subject&#8217;s consent, the responsibilities of each party, and data breach response procedures, etc., all of which must be explicitly prescribed in the enterprise\u2019s PD protection policy.<\/em><\/p>\n<figure id=\"attachment_12680\" aria-describedby=\"caption-attachment-12680\" style=\"width: 698px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-12680\" src=\"http:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/08\/pexels-artempodrez-5716037-1-698x400.jpg\" alt=\"\" width=\"698\" height=\"400\" srcset=\"https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/08\/pexels-artempodrez-5716037-1-698x400.jpg 698w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/08\/pexels-artempodrez-5716037-1-1395x800.jpg 1395w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/08\/pexels-artempodrez-5716037-1-768x440.jpg 768w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/08\/pexels-artempodrez-5716037-1-1536x881.jpg 1536w, https:\/\/cdlaf.vn\/wp-content\/uploads\/2025\/08\/pexels-artempodrez-5716037-1-2048x1174.jpg 2048w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" \/><figcaption id=\"caption-attachment-12680\" class=\"wp-caption-text\">Source: pexels-artempodrez-5716037<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"1_The_Necessity_of_Provisions_on_the_Scope_of_Application_and_Interpretation_of_Terms\"><\/span>1. The Necessity of Provisions on the Scope of Application and Interpretation of Terms<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The PD protection policy must identify the applicable subjects, the scope of personal information governed by the policy, and the categories of individuals constituting the data subjects, while concurrently determining the scope of actual activities that qualify as personal data processing operations. Furthermore, while regulations on personal data have been implemented in other countries for a considerable time and are no longer a new issue, the matter of PD in Vietnam has only truly garnered attention and been widely implemented across enterprises since mid-2025. Consequently, in the context of newly implemented legal regulations, it is not easy for enterprises, relevant parties, and data subjects to acquire a correct and uniform understanding of the terms utilized within the personal data policy, such as basic personal data, sensitive personal data, de-identification, third parties, consent, etc. 
All terms shall be interpreted in detail in accordance with the correct legal understanding and the specific operational context of the enterprise.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"2_Provisions_on_the_Categories_of_Personal_Data_to_be_processed\"><\/span>2. Provisions on the Categories of Personal Data to be processed<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Pursuant to regulations, personal data comprises basic personal data and sensitive personal data; furthermore, personal data shall be collected and processed in either a digital or physical environment depending on the enterprise\u2019s business operations and the technologies applied by the enterprise. Within this provision, the enterprise must clearly stipulate the following matters:<\/p>\n<p><strong>Basic personal data collected and processed by the company: <\/strong>this category is construed as all information pertaining to an individual, excluding the sensitive personal data group; examples of certain basic personal data are as follows:<\/p>\n<p><em>Last name, middle name, and first name at birth, aliases; date of birth; citizen identity card information (name, number, gender, date of birth, title); place of birth, place of origin, permanent residential address, temporary residential address, current address; nationality, etc.<\/em><\/p>\n<p><strong>Sensitive personal data <\/strong>is defined as a category of information directly related to the fundamental privacy of an individual, the infringement of which may cause severe negative impacts on the lawful rights and interests of the subject. This category includes, but is not limited to: <em>political and religious views; health status; biometric and genetic data; information regarding sex life and sexual orientation; criminal data; geographic location data; along with all electronic identification information and data pertaining to finance, banking, insurance, securities, transaction history, and data reflecting individuals\u2019 behavior and activities in cyberspace.<\/em><\/p>\n<p>However, the aforementioned data constitutes only the primary categories of personal data currently collected and processed by most enterprises. For a personal data policy to be accurate and comprehensive for each enterprise, this provision must also incorporate, based on the enterprise&#8217;s actual operational modalities, any other data deemed personal data that the enterprise will collect. Typically, for enterprises operating in the e-commerce and financial sectors, such other personal data includes, but is not limited to: image data, biometrics, audio, video, facial recognition, data uploaded by the individual for the purpose of utilizing the enterprise&#8217;s platform or application, digital accounts created by the individual, call logs, voice messages, etc.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3_Provisions_on_the_purposes_of_controlling_and_processing_Personal_Data\"><\/span>3. Provisions on the purposes of controlling and processing Personal Data<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Pursuant to Article 4 of the Law on Personal Data Protection, every individual has the right to be informed about the personal data processing activities of the enterprise, specifically the types of personal data collected and processed, and the enterprise&#8217;s purpose in collecting and processing PD. 
Consequently, the enterprise, acting as the Personal Data Controller or the Personal Data Controller-cum-Processor, must establish clear processes, procedures, and forms to implement the rights of data subjects in accordance with personal data processing activities and the responsibilities of relevant departments, ensuring that data subjects are informed of the purposes for which the enterprise collects and processes PD.<\/p>\n<p>Accordingly, this provision within the Policy shall clearly list the enterprise&#8217;s purposes. One example is the group of purposes concerning contract execution and service provision: information exchange, customer care, complaint resolution, product warranty, phase-specific service provision, execution of other tasks as recorded in the contract, etc. Another is the group of anti-fraud purposes in accordance with cybersecurity laws, such as identity verification, prevention of customer data theft, account protection, etc. The enterprise shall rely on its business operations to appropriately categorize these purposes.<\/p>\n<p>To draft the provision on &#8220;Purposes of collecting and processing personal data&#8221; in a standardized manner, the enterprise must design the content based on the principles of specification and purpose stratification to ensure maximum transparency. Instead of utilizing generic terminology, the enterprise must explicitly list purpose groups associated with operational activities such as contract execution, delivery, account management, promotions, and customer support, while strictly segregating optional purposes such as market research, experience personalization, or marketing, which necessitate separate consent from the subject. Notably, in the spirit of Law No. 91\/2025\/QH15 and Decree No. 356\/2025\/ND-CP, this provision must also articulate mandatory legal compliance purposes such as tax obligations or fraud prevention to create a &#8220;compliant framework&#8221; for data flows. 
The detailed drafting of provisions also assists the enterprise in meeting the stringent requirements of the Data Protection Impact Assessment (DPIA) dossier.<\/p>\n<p>The aforementioned basic provisions are the initial requisite clauses in a PD protection policy. In <strong>Part 2<\/strong>, CDLAF will guide you in drafting other mandatory provisions, such as: methods of collecting, controlling, and processing PD; PD retention period; rights of PD subjects; processing of PD without the consent of the PD subject; and the PD protection department and personnel, alongside other essential provisions that must be included in the enterprise&#8217;s policy. Standardizing these contents not only helps domestic enterprises resolve challenges related to technical infrastructure but also serves as the most critical legal evidence to demonstrate compliance capabilities, mitigating the risks of being subject to severe financial sanctions and the suspension of data processing activities.<\/p>\n<p><strong><em>Time of writing<\/em><\/strong><em>: 30\/03\/2026<\/em><\/p>\n<p><em>This article contains general information for reference only. If you would like to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer at <a href=\"https:\/\/mail.google.com\/mail\" target=\"_blank\" rel=\"noopener\"><strong>info@cdlaf.vn<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A personal data protection policy is defined as a mandatory document that every enterprise must develop to comply with the provisions of the Law on Personal Data Protection and Decree No. 356\/2026\/ND-CP. 
Depending on the business sector, the extent of data collection, the applied technology, and various other factors, the personal data protection enterprise\u2019s PD&#8230;<\/p>\n","protected":false},"author":4,"featured_media":12680,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[64],"tags":[],"class_list":["post-14549","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/14549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/comments?post=14549"}],"version-history":[{"count":2,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/14549\/revisions"}],"predecessor-version":[{"id":14551,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/posts\/14549\/revisions\/14551"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media\/12680"}],"wp:attachment":[{"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/media?parent=14549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/categories?post=14549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cdlaf.vn\/en\/wp-json\/wp\/v2\/tags?post=14549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}