1. Introduction
Personal data protection has recently become a topic of growing concern in Vietnam. Within the Vietnamese legal system, Decree No. 13/2023/ND-CP (“Decree 13”) and, in the near future, the Law on Personal Data Protection of 2025 (“LPDP 2025”) (effective from January 01, 2026) are the primary legal normative documents that directly regulate legal issues related to personal data protection.
One of the key compliance obligations that enterprises, agencies, and organizations need to be aware of is the obligation to appoint a data protection department and personnel. The purpose of this Article is to provide a general introduction, a brief analysis, and a comparison of the relevant provisions of Decree 13 and LPDP 2025 concerning the obligation to appoint a data protection department and personnel.
2. The Obligation to Appoint a Data Protection Department and Personnel under Vietnamese Law
2.1. Which department or individual can become the Data Protection Department and Personnel?
Article 30.1.b of Decree 13 stipulates: “A department and personnel with the function of protecting personal data shall be designated within an agency, organization, or enterprise to ensure compliance with regulations on personal data protection”. Accordingly, agencies, organizations, and enterprises will appoint internal departments and personnel to carry out data protection responsibilities. These entities have full discretion to appoint any department (such as the Legal Department, Human Resources Department, Information Technology Department, etc.) or any personnel (such as a Legal Officer, an HR & Admin Officer, an IT Officer, etc.) to become their data protection department and personnel.
LPDP 2025 introduces an additional option for agencies, organizations, and enterprises regarding the appointment of a data protection department and personnel. Specifically, Article 33.2 of LPDP 2025 states: “Agencies and organizations have the responsibility to appoint a department or personnel that meets the qualification and capacity requirements for personal data protection or to hire an organization or individual that provides data protection services”. Thus, from January 01, 2026, entities will have the right to hire external organizations or individuals (outsource) to serve as the department and personnel responsible for their data protection duties. Article 33.2 of LPDP 2025 also emphasizes that the appointed department and personnel must meet the qualification and capacity requirements for personal data protection. LPDP 2025 does not yet specify these capacity requirements in detail, and it is possible that future guiding documents for the implementation of LPDP 2025 will regulate and provide detailed guidance on this matter.
One point that remains unclear under both Decree 13 and LPDP 2025 is whether agencies, organizations, and enterprises must appoint both a data protection department and personnel, or if they can choose to appoint either a department or personnel. Based on the wording of Article 30.1.b of Decree 13 and Article 33.2 of LPDP 2025, it may be interpreted that entities might need to appoint both a department and personnel for data protection. In this case, is it mandatory for the number of data protection personnel to consist of two (02) or more individuals? These points, therefore, need to be clarified and specified in greater detail in the forthcoming guiding documents for the implementation of LPDP 2025.
2.2. In which cases does the obligation to appoint a data protection department and personnel arise?
According to Article 28 of Decree 13, when an agency, organization, or enterprise processes sensitive personal data, it incurs the obligation to appoint a data protection department and personnel. An entity may be exempt from this obligation in the following cases under the provisions of Decree 13:
- The agency, organization, or enterprise only processes basic personal data and does not process sensitive personal data;
- Micro, small, medium-sized, and start-up enterprises have the option to be exempt from the regulation on appointing an individual and department for personal data protection during the first 02 years from their establishment, in accordance with Article 43.2 of Decree 13.
Under LPDP 2025, Article 33.2 stipulates that agencies, organizations, and enterprises have the obligation to appoint a data protection department and personnel or to hire an organization or individual providing data protection services in all cases, without distinguishing between the type of personal data processed or the scale of the enterprise, unlike the approach of Decree 13.
2.3. Why must agencies, organizations, and enterprises appoint a data protection department and personnel?
As mentioned in Section 1 (Introduction), the obligation to appoint a data protection department and personnel is a mandatory legal obligation for entities that carry out personal data processing activities (Decree 13 limits this to the processing of sensitive personal data).
The purposes of this regulation are to:
- Ensure that the agency, organization, or enterprise always has a dedicated department and personnel to implement its regulations on personal data protection (Article 30.1.b of Decree 13);
- Have the appointed department and personnel act as the point of contact with the competent state authority for personal data protection or with the Data Subject in cases where the Data Subject exercises their rights (right to consent, right to withdraw consent, right to request access, update, rectification, etc.) in accordance with the laws on personal data protection.
2.4. In which legal documents, records, and files can information about the Data Protection Department and Personnel be recorded?
As mentioned in Section 2.3, the data protection department and personnel act as the point of contact with the competent state authority and the Data Subjects. Accordingly, information such as the name of the department/personnel, phone number, email, and the title/academic degree of the data protection personnel will be recorded in legal documents, records, and files such as:
- The Data Processing Impact Assessment (DPIA) file, according to Form D24-DLCN-01;
- The Cross-border Data Transfer Impact Assessment file, according to Form D25-DLCN-01;
- The Personal Data Processing Notice sent to the Data Subject; the publicly posted Personal Data Protection Policy of the agency, organization, or enterprise;
- The Internal Decision on the Appointment/designation of the data protection department and personnel, following the internal template of the entity;
- The Data Processing Agreement with the Data Processor, Data Processing Agreement with Employees;
- Other legal documents, records, and files as decided by the agency, organization, or enterprise or as required by personal data protection laws, as amended or supplemented from time to time.
2.5. How do agencies, organizations, and enterprises appoint the Data Protection Department and Personnel?
Neither Decree 13 nor LPDP 2025 specifies the procedure for appointing a data protection department and personnel. Thus, entities have full discretion to decide on the appointment procedure in accordance with the personnel appointment processes stipulated in their internal legal documents, such as the Charter, internal regulations, and policies (e.g. the personal data protection policy).
Agencies, organizations, and enterprises do not need to perform an independent administrative procedure with the competent authority regarding the appointment of the data protection department and personnel. However, because the data protection department and personnel information is recorded in the DPIA file and the Cross-border Data Transfer Impact Assessment file, the entity must carry out the procedure to notify changes to the content of these files in cases where there is a change in its data protection department or personnel. Information about this change must also be updated by the entity in the legal documents, records, and files mentioned in Section 2.4 of this Article, and this update must be communicated to relevant parties such as Data Subjects, partners, Data Processors, and employees of the entity.
3. Conclusion
In summary, the obligation to appoint a data protection department and personnel is a significant compliance responsibility for agencies, organizations, and enterprises. Broadly, entities should take note of the following points regarding this compliance obligation under Decree 13 and LPDP 2025:
| Details | Decree 13 | LPDP 2025 |
| --- | --- | --- |
| Eligible appointees for the data protection department/personnel role | Internal department and personnel of the agency, organization, or enterprise. | Internal department and personnel of the agency, organization, or enterprise; or external organizations or individuals providing data protection services hired by the entity. |
| Basis for the obligation to appoint data protection department/personnel | Arises when the entity processes sensitive personal data and does not arise in cases where: a. The entity only processes basic personal data, not sensitive personal data; b. Micro, small, medium-sized, and start-up enterprises are exempt during the first 02 years of establishment under Article 43.2 of Decree 13. | Arises in all cases |
| Role of the data protection department/personnel | a. To ensure the entity has a dedicated department/personnel for implementing data protection regulations (Article 30.1.b of Decree 13); b. To act as the point of contact with the competent state authority or with Data Subjects when they exercise their rights (right to consent, withdraw consent, request access, update, rectify, etc.). | |
| Legal documents, records, and files recording the information of the data protection department/personnel | Note: If there is a change in the information of the data protection department/personnel, the entity must carry out the procedure to notify the Ministry of Public Security of the changes to the content of the DPIA and Cross-border Data Transfer Impact Assessment dossiers and must communicate this update to relevant parties such as Data Subjects, partners, Data Processors, employees, etc. | |
| Procedure for appointing the data protection department/personnel | Entities have full discretion to decide on the appointment procedure according to their internal personnel appointment processes. | |
Date of writing: 20/09/2025
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.


