Personal Data and the Role of Businesses in Data Protection

Thuế suất thuế TNDN mới áp dụng từ 1/10/2025 theo Luật Thuế Thu nhập Doanh nghiệp 2025

In the era of digital transformation, protecting personal data is not only a legal responsibility but also a key factor in sustaining a company’s reputation and long-term success. Uncontrolled collection, storage, processing, and sharing of personal data can lead to serious legal, financial, and reputational risks.

Legal Framework in Vietnam

  • Cybersecurity Law (2018)
  • Decree No. 53/2022/NĐ-CP guiding the Cybersecurity Law
  • Personal Data Protection Law (2025)
  • Decree No. 13/2023/NĐ-CP on Personal Data Protection
  • What Is Personal Data?

Personal data refers to any information, digital or otherwise, that identifies or can help identify a specific individual. It is divided into two main categories:

Basic personal data: Commonly used identifiers such as name, date of birth, gender, permanent address, nationality, photo, phone number, ID or passport number, tax code, and social insurance number.

Sensitive personal data: Information closely linked to privacy—such as political or religious beliefs, health status, racial or ethnic origin, or criminal records—that, if exposed, could harm an individual’s rights or interests.

A data subject is any individual whose personal data is being processed by another entity.
Data processing covers any operation on personal data—collection, analysis, aggregation, encryption, decryption, modification, deletion, anonymization, disclosure, or transfer.

  • The Roles of Businesses in Personal Data Processing

Personal Data Controller” refers to an organization or individual that decides purposes and means of processing personal data.

Example: An e-commerce company collecting customer information (name, phone, address) for delivery and marketing.

“Personal Data Processor” refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.

Example: An IT service provider offering data storage without deciding how the data is used.

“Personal Data Controller-cum-Processor” refers to an organization or individual that jointly decides purposes and means, and directly processes personal data.

Example: An e-commerce company that both collects and uses customer data for promotions and user experience improvements.

“Third Party” refers to an organization or individual other than the data subject, Personal Data Controller, Personal Data Processor, and Personal Data Controller-cum-Processor that is permitted to process personal data.

Example: A tax authority receiving transaction data from a bank under legal obligation.

Depending on business operations, an organization can play multiple roles simultaneously.

Conclusion

In today’s rapidly digitalizing era, personal data protection is not only a legal responsibility but also a critical factor for maintaining a company’s reputation and ensuring its sustainable growth.

Uncontrolled collection, storage, processing, and sharing of personal data can lead to serious legal, financial, and reputational risks. Therefore, businesses must take a proactive approach by developing and implementing a comprehensive data governance strategy that ensures compliance, security, and long-term trust.

News & Insights
tax-solution-for-foreign-investors-in-vietnam-768x1365
Terms of Service
By submitting this form, you agree to our consulting terms and conditions.
All information provided will be kept strictly confidential and used solely for professional advisory purposes.
Our consulting services may cover legal, tax, accounting, and labor compliance matters related to business operations in Vietnam.