Thân Trọng Lý – Partner
Nguyễn Thị Hồng Nhung – Junior Associate
Nguyễn Đình Việt Hưng – Paralegal
Following DIMAC’s previous Legal Alert outlining notable new provisions and the penalties applicable to organizations and individuals that violate personal data protection regulations, this legal update highlights the obligations regarding personal data protection in certain specific activities and fields under the Personal Data Protection Law 2025, to provide you with further information for your compliance.
1. Protection of personal data in the recruitment, management, and use of employees
Currently, several enterprises are collecting, storing, and processing personal data of job applicants and employees without establishing clear principles, or are processing such data beyond the scope necessary for recruitment and human resources management purposes. To address this issue, the Personal Data Protection Law (“PDPL”) sets out specific requirements, establishing a legal basis for enterprises to comply with and fulfill their obligations to protect personal data throughout the entire process of recruiting, managing, and employing personnel.
Accordingly, agencies, organizations, and individuals (“Employers”) involved in the recruitment of employees shall have the following obligations:
- Only request information necessary for the recruitment purpose, in accordance with applicable laws;
- Ensure that the information provided is used solely for recruitment purposes, and for other purposes as agreed upon by the parties in accordance with the law;
- Process the provided information in compliance with legal regulations, and obtain the valid consent of the applicant prior to processing; and
- Delete or destroy the applicant’s information in the event the recruitment does not lead to employment, unless otherwise agreed with the applicant.
In addition, during the course of employment, the Employer must retain the employee’s personal data for the duration prescribed by law or as agreed upon by both parties. Upon termination of the employment contract, the Employer is also required to delete or destroy the employee’s personal data, unless otherwise agreed by the parties or otherwise provided by law.
2. Protection of personal data related to health information and insurance business activities
The insurance business, including life insurance, health insurance, and non-life insurance, is a specialized sector that requires the collection of customers’ health information to assess risk, enter into contracts, and settle insurance claims. Accordingly, health status information is classified as sensitive personal data and must be subject to stricter protection measures than those applied to basic personal data.
Given the sensitive nature and high risk associated with processing this type of data, the PDPL mandates that all agencies, organizations, and individuals operating in the health and insurance sectors must comply with the following requirements:
- Obtain the data subject’s valid consent when collecting and processing personal data, except in cases where such processing does not require consent as stipulated in Article 19.1 of the PDPL;
- Do not disclose personal data to third parties, including healthcare service providers or providers of health and life insurance services, unless there is a written request from the data subject or the processing falls under an exception to the consent requirement as provided in Article 19.1 of the PDPL; and
- Any transfer of personal data by reinsurance or retrocession companies to partners must be clearly specified in the contract with the customers.
Please view and download the full document here to learn more about personal data protection in other areas:
- Protection of personal data in financial, banking, and credit information activities
- Protection of personal data in advertising services
- Protection of personal data on social media platforms and online communication services
- Protection of personal data in the context of big data, artificial intelligence, blockchain, metaverse, and cloud computing
- Protection of personal data concerning location data and biometric data
- Protection of personal data collected from audio and video recordings in public places and public activities
Here is our legal update, NOTABLE PROVISIONS OF THE PERSONAL DATA PROTECTION LAW - PROTECTION OF PERSONAL DATA IN SPECIFIC FIELDS. If you are interested in or require legal support regarding electronic identification procedures for enterprises, please visit our DIMAC website and explore the News category to stay updated with the latest legal insights and shared market experiences.