Notable Provisions of the Personal Data Protection Law Part 2: Protection of Personal Data in Specific Fields

posted 14 hours ago

Following DIMAC’s previous Legal Alert outlining the notable new provisions and penalties applicable to organizations and individuals violating personal data protection regulations, which you can find here, this legal update highlights the personal data protection obligations that apply in certain specific activities and fields under the Personal Data Protection Law 2025, with a view to providing you with further information for your compliance.

1. Protection of personal data in the recruitment, management, and employment of employees[1]

Currently, several enterprises are collecting, storing, and processing personal data of job applicants and employees without establishing clear principles, or they are processing such data exceeding the necessary scope for recruitment and human resources management purposes. To address this issue, the Personal Data Protection Law (“PDPL”) sets out specific requirements, establishing a legal basis for enterprises to comply with and fulfill their obligations to protect personal data throughout the entire process of recruiting, managing, and employing personnel.

Accordingly, agencies, organizations, and individuals (“Employers”) involved in the recruitment of employees shall have the following obligations:

  • Only request information necessary for the recruitment purpose, in accordance with applicable laws;
  • Ensure that the information provided is used solely for recruitment purposes, and for other purposes only as agreed upon by the parties in accordance with the law;
  • Process the provided information in compliance with legal regulations, and obtain the valid consent of the applicant prior to processing; and
  • Delete or destroy the applicant’s information in the event the recruitment does not lead to employment, unless otherwise agreed with the applicant.

In addition, during the course of employment, the Employer must retain the employee’s personal data for the duration prescribed by law or as agreed upon by both parties. Upon termination of the employment contract, the Employer is also required to delete or destroy the employee’s personal data, unless otherwise agreed by the parties or otherwise provided by law.

2. Protection of personal data related to health information and insurance business activities[2]

The insurance business, including life insurance, health insurance, and non-life insurance, is a specialized sector that requires the collection of customers’ health information to assess risk, enter into contracts, and settle insurance claims. Accordingly, health status information is classified as sensitive personal data and must be subject to stricter protection measures than those applied to basic personal data.

Given the sensitive nature and high risk associated with processing this type of data, the PDPL mandates that all agencies, organizations, and individuals operating in the health and insurance sectors must comply with the following requirements:

  • Obtain the data subject’s valid consent when collecting and processing personal data, except in cases where such processing does not require consent as stipulated in Article 19.1 of the PDPL;
  • Do not disclose personal data to third parties, including healthcare service providers or providers of health and life insurance services, unless there is a written request from the data subject or the processing falls under an exception to the consent requirement as provided in Article 19.1 of the PDPL; and
  • Any transfer of personal data by reinsurance or retrocession companies to their partners must be clearly specified in the contract with the customers.

3. Protection of personal data in financial, banking, and credit information activities[3]

The PDPL clearly stipulates the responsibilities of organizations and individuals operating in the fields of finance, banking, and credit information activities as follows:

  • Do not use the data subject’s credit information for credit scoring, credit rating, credit information assessment, or creditworthiness evaluation without the data subject’s prior valid consent;
  • Only collect personal data necessary for credit information activities, and only from sources that comply with the PDPL and other relevant legal provisions; and
  • Notify the data subject in the event of any disclosure or loss of their banking, financial, or credit account information and credit information.

4. Protection of personal data in advertising services[4]

Currently, many advertising companies collect and use personal data without obtaining the data subject’s explicit consent. Common violations include: not providing notice at the time of data collection; using data for advertising purposes without offering an opt-out mechanism; and selling or sharing data with third parties without the data subject’s consent. To safeguard consumer rights, the PDPL provides specific regulations governing advertising activities as follows:

  • Organizations and individuals engaging in advertising services shall only use customers’ personal data that has been lawfully transferred by the data controller or the data controller-cum-processor under agreement, or that they have lawfully collected through their own business operations. The processing of personal data for advertising purposes must be based on the customer’s valid consent, whereby the customer is clearly informed of the content, methods, forms, and frequency of product promotion, and is provided with a mechanism to opt out of receiving advertising communications;
  • Data controllers and data controller-cum-processors shall only transfer personal data to advertising service providers in accordance with legal regulations;
  • The use of personal data for advertising purposes must comply with legal provisions on the prevention of spam messages, spam emails, and spam calls, as well as other relevant advertising laws;
  • Organizations and individuals engaging in advertising services must provide a mechanism to cease advertising upon the request of the data subject, and bear the burden of proving that their use of the customer’s personal data for advertising complies with the law;
  • Organizations and individuals engaging in advertising services are prohibited from subcontracting or entering into agreements with other entities or individuals to perform, on their behalf, the entirety of the advertising services involving the use of personal data; and
  • When using personal data for behavioral, targeted, or personalized advertising, organizations and individuals may only: (i) collect personal data through website or application tracking with the data subject’s consent; and (ii) establish mechanisms allowing the data subject to opt out of data sharing, define data retention periods, and delete or destroy the data when it is no longer necessary.

5. Protection of personal data on social media platforms and online communication services[5]

A social network is an information system established on a website or online application that provides services and tools allowing users to provide, exchange, interact with, and share information with one another[6]. Accordingly, organizations and individuals that provide social networking services and online media services are subject to the following key obligations:

  • Clearly inform data subjects of the types of personal data being collected when they install and use social network platforms or online media services;
  • Do not (i) illegally collect personal data or collect data exceeding the scope agreed with the user; (ii) request users to provide images or videos containing all or part of their identity documents as a means of account verification; or (iii) listen in on, eavesdrop on, or record calls, or read text messages, without the data subject’s valid consent, unless otherwise provided by law;
  • Provide users with the option to refuse the collection and sharing of data files (“cookies”), and offer a “do not track” option, or only track users’ activity on social media and communication platforms with their consent; and
  • Publish a privacy policy explaining how personal data is collected, used, and shared; provide users with mechanisms to access, amend, and delete their data, and to set privacy preferences for their personal information; enable the reporting of security and privacy breaches; protect the personal data of Vietnamese citizens in cross-border data transfers; and develop an effective and prompt process for handling data protection violations.

6. Protection of personal data in the context of big data, artificial intelligence, blockchain, metaverse, and cloud computing[7]

The rapid development of digital technologies has led to the widespread adoption of models such as Big Data, Artificial Intelligence (AI), Blockchain, the Metaverse, and Cloud Computing. These technologies enable the processing of vast amounts of personal data, but they also pose significant risks to privacy, especially when data is collected in a non-transparent manner, without a clear purpose, or without the consent of the data subject. To mitigate these risks and ensure the protection of personal data when these technologies are applied, the PDPL sets out several notable principles and regulatory requirements, including:

  • The processing of personal data in environments involving Big Data, AI, Blockchain, the Metaverse, and Cloud Computing must: (i) comply with the PDPL and other relevant legal provisions; (ii) conform to ethical standards and the cultural traditions and customs of Vietnam; and (iii) be carried out for proper purposes and within necessary limits, ensuring the protection of the lawful rights and interests of the data subject;
  • Systems and services utilizing Big Data, AI, Blockchain, the Metaverse, and Cloud Computing must integrate appropriate personal data protection measures, and must use suitable authentication and identification methods and decentralization of access for data processing;
  • The processing of personal data through AI must be classified by risk level so that appropriate safeguards can be applied; and
  • It is prohibited to use or develop systems involving Big Data, AI, Blockchain, the Metaverse, or Cloud Computing to process personal data for purposes that harm national defense, national security, public order, or social safety, or that infringe upon the life, health, honor, dignity, or property of others.

7. Protection of personal data concerning location data and biometric data[8]

Location data and biometric data are two types of sensitive personal data that are subject to special legal protection. Personal location data refers to information that identifies an individual’s whereabouts through positioning technologies, enabling the recognition and tracking of that person’s movements. Biometric data refers to information relating to an individual’s distinctive and stable physical or biological characteristics, such as fingerprints, facial features, iris patterns, and voice, which are used to verify personal identity.

a. Legal Provisions on the protection of personal location data:

  • Do not apply location tracking via radio frequency identification or other positioning technologies, unless the data subject has given explicit consent, there is a request from a competent authority in accordance with the law, or it is otherwise provided by law; and
  • Organizations and individuals providing mobile application platforms must notify users about the use of their personal location data; implement measures to prevent the collection of personal location data by unrelated third parties; and provide users with options to manage and control location tracking settings.

b. Legal Provisions on the protection of biometric data:

  • Agencies, organizations, and individuals collecting and processing biometric data must implement physical security measures for devices used to store and transmit biometric data; restrict access rights to biometric data; maintain a monitoring system to prevent and detect unauthorized access to biometric data; and comply with applicable laws and relevant international standards concerning biometric data protection; and
  • In cases where the processing of biometric data causes harm to the data subject, the organization or individual responsible for collecting and processing such data must notify the affected data subject in accordance with regulations issued by the Government.

8. Protection of personal data collected from audio and video recordings in public places and public activities[9]

Personal data collected from audio or video recordings in public places or during public activities constitutes a sensitive type of information that can easily be misused if not properly controlled. Accordingly, the PDPL establishes the following principles:

  • Agencies, organizations, and individuals may record, film, and process personal data obtained from audio and video recordings in public places or during public activities without the consent of the data subjects in the following cases: (i) for the purposes of national defense, national security, the maintenance of public order and safety, or the protection of the lawful rights and interests of agencies, organizations, or individuals; (ii) where audio, images, or other identifiable information are obtained from public activities such as conferences, seminars, sporting events, artistic performances, and other public events, provided that such processing does not infringe upon the honor, dignity, or reputation of the data subject; and (iii) in other cases as prescribed by law;
  • Agencies, organizations, and individuals are responsible for notifying data subjects, or using other forms of communication to inform them, that they are being audio or video recorded in public places, unless otherwise provided by law;
  • Personal data collected must be processed and used solely for the intended purpose of processing, and must not be used for unlawful purposes or in a manner that infringes upon the lawful rights and interests of the data subject;
  • Personal data collected from audio and video recordings in public places or during public activities shall only be retained for the period necessary to fulfill the original purpose of collection, unless otherwise provided by law. Upon the expiration of the retention period, such personal data must be deleted or destroyed in accordance with the provisions of the PDPL; and
  • Agencies, organizations, and individuals that conduct audio or video recordings and process personal data obtained through such activities shall be responsible for protecting such data in accordance with the PDPL and other relevant legal provisions.

We trust that the above information is clear and helpful for your business operations. Should you have any questions or require further clarification on this matter, please do not hesitate to contact us for assistance.

Than Trong Ly – Partner

Le Thi Hong Nhung – Associate

Nguyen Dinh Viet Hung – Paralegal

DIMAC LAW FIRM

[1] Article 25 PDPL
[2] Article 26 PDPL
[3] Article 27 PDPL
[4] Article 28 PDPL
[5] Article 29 PDPL
[6] Clause 25, Article 3, Decree 147/2024/ND-CP dated 09 November 2024
[7] Article 30 PDPL
[8] Article 31 PDPL
[9] Article 32 PDPL