From 1 January 2026, the Law on Personal Data Protection No. 91/2025/QH15, together with Decree No. 356/2025/ND-CP guiding the implementation of the Law on Personal Data Protection, will officially take effect. This marks a significant “upgrade” of Vietnam’s legal framework, elevating personal data protection regulations into a specialized law.
In the context of manufacturing enterprises employing a large workforce—such as those in the textile, garment, and footwear industries—these regulations are not merely a matter of legal compliance. They are closely linked to labor relations stability, operational safety, and corporate reputation with international customers and partners.
1. What is personal data, and why is “de-identification” not an absolute shield?
The Law defines personal data as data (in digital or other forms) that can identify or help identify a specific individual, including basic personal data and sensitive personal data. An important point is that data which has been properly de-identified is no longer considered personal data under the Law. However, this requires enterprises to apply genuine and effective de-identification methods, ensuring that the data cannot be re-identified.
For textile and footwear enterprises, human resources information often contains a very “dense” volume of personal data, including sensitive personal data, such as recruitment records, citizen identification numbers, addresses, bank account details, timekeeping data, labor discipline records, KPI evaluations, factory surveillance camera footage, and health information collected during recruitment or periodic health checks. Even a partial data breach may lead to complaints, disputes, or misuse for fraudulent purposes.
2. Core principle: “Right purpose – right scope – right duration”
The Law emphasizes key principles, including: collecting and processing data only within a specific, clear, and legitimate purpose and scope; ensuring data accuracy; retaining data only for a period appropriate to the processing purpose; and applying protective measures across institutional, technical, and human dimensions.
In labor-intensive factories, this is often the weakest point, as data may be collected out of habit (collecting “everything just in case”), stored for excessively long periods, widely shared internally, or transmitted via uncontrolled chat groups or email systems.
3. Employees’ rights over their personal data: enterprises must be ready to respond
The Law recognizes multiple rights of data subjects, notably the right to be informed about data processing activities; the right to give or withhold consent and to withdraw consent; and the right to have their requests handled promptly by the data controller or data processor in accordance with statutory time limits.
In practice, this directly affects common “touchpoints” in manufacturing operations, such as recruitment forms, collection of relatives’ information, ID photos, biometric timekeeping data (fingerprints or facial recognition), publication of reward and disciplinary lists, or sharing employee records with third parties (insurance providers, payroll banks, service contractors, etc.).
Although enterprises must comply with requirements regarding the deletion of personal data, they are still obligated to fulfill legal requirements related to labor management, taxation, accounting, auditing, and other regulatory obligations. To ensure the exercise of data subject rights without undermining the rights and responsibilities of the enterprise, each company must review the personal data collected from employees to determine which information is necessary, which is unnecessary (to limit excessive collection), which constitutes sensitive data requiring special protection mechanisms, which data may be deleted upon request, and which data must be retained by law to fulfill management responsibilities.
4. High-risk acts: trading in data, data leakage or loss
The Law lists prohibited acts, including the buying and selling of personal data (unless otherwise permitted by law), as well as the misappropriation, intentional disclosure, or loss of personal data.
For enterprises with a large workforce, risks often arise from HR or IT staff downloading employee lists; contractors for timekeeping, catering, or transportation having overly broad access; the use of personal USB devices; or the provision of employee lists to “partners” without a clear legal basis.
5. RBV’s recommendations on priority actions for enterprises
- Develop a “human resources data map”: what data is collected, where it is stored, who uses it, with whom it is shared, and how long it is retained.
- Standardize internal regulations and guidelines on personal data protection to ensure transparency of purpose and scope; limit the use of Excel files containing employee lists; prohibit data sharing via uncontrolled channels.
- Conduct internal training for personnel involved in collecting, managing, and using personal data (recruitment, HR, production management, etc.).
- Manage data sharing with contractors and partners (timekeeping, catering, security, transportation, payroll, health checks): include personal data protection clauses in contracts and maintain access logs.
- Establish data breach incident response scenarios, including procedures for receiving reports, containment, remediation, tracing, and internal communication.