Regulations on the appointment of a department and personnel for personal data protection under the European Union’s General Data Protection Regulation and Vietnamese Laws on Personal Data Protection (Part 1)

1. Introduction 

The appointment of a department or personnel for personal data protection (a “DPO”) is a key legal obligation within the personal data protection compliance program of agencies, organizations, and enterprises. This obligation is recognized in most legal frameworks for personal data protection, such as the European Union’s General Data Protection Regulation (“GDPR”), and is also a significant compliance duty under Vietnamese laws on personal data protection. 

This series of articles aims to provide a preliminary comparison of the regulations concerning the appointment of a DPO under the GDPR (Articles 37, 38, and 39) and the Vietnamese laws on personal data protection (“Vietnamese PDP Laws”), including the provisions of Decree No. 13/2023/ND-CP (“Decree 13”) and the Law on Personal Data Protection 2025 (“LPDP 2025”). To clarify the similarities and differences between the two legal systems, this series will be structured into three parts, focusing on the following comparative criteria: 

  1. The first article focuses on the criteria: (i) subjects eligible for appointment as a DPO; and (ii) legal circumstances giving rise to the obligation to appoint a DPO; 
  2. The second article focuses on the criteria: (i) the number of DPOs that may be appointed; and (ii) the required qualifications for an appointed DPO; 
  3. The third article focuses on the criteria: (i) the process for appointing a DPO; and (ii) the rights and obligations of a DPO. 

Within the scope of this first article, we compare the regulations on DPO appointment under the GDPR and the Vietnamese PDP Laws based on the first two criteria: (i) subjects eligible for appointment as a DPO; and (ii) legal circumstances giving rise to the obligation to appoint a DPO. 

2. Regulations on DPOs under the GDPR and Vietnamese PDP Laws   

2.1. Subjects eligible for appointment as a DPO 

2.1.1. GDPR 

Regarding the subjects who may be appointed to the role of a DPO, Article 37.6 of the GDPR provides: “The data protection officer may be a staff member of the controller or the processor, or fulfil the tasks on the basis of a service contract”.  

Thus, under the GDPR, a Data Controller or Data Processor may either (a) appoint an internal staff member of the Data Controller or Data Processor to become the DPO; or (b) enter into an agreement with external organizations or individuals specializing in providing DPO services for them to assume the DPO role for the Data Controller or Data Processor on the basis of a service contract. 

2.1.2. Vietnamese PDP Laws 

On the same issue under the Vietnamese PDP Laws, there is a difference in the regulatory approach between Decree 13 and the LPDP 2025, specifically as follows: 

  1. Article 30.1.b of Decree 13 stipulates: “A department and personnel with the function of personal data protection shall be designated within the agency, organization, or enterprise to ensure the implementation of regulations on personal data protection”. Thus, under Decree 13, agencies, organizations, and enterprises may only appoint internal departments and personnel to hold the DPO role; 
  2. Article 33.2 of the LPDP 2025 provides: “Agencies and organizations have the responsibility to designate a department or personnel with sufficient capacity for personal data protection or to engage an organization or individual providing personal data protection services”. As such, from 01 January 2026, agencies and organizations will have the right to engage external organizations and individuals (outsource) to become the department or personnel carrying out personal data protection responsibilities for them. 

2.1.3. Preliminary conclusion for Section 2.1 

In summary, from the effective date of the LPDP 2025 (01 January 2026), the GDPR and the Vietnamese PDP Laws will have corresponding provisions regarding the conditions for subjects who can be designated or appointed as a DPO. Specifically, agencies and organizations may (i) appoint internal staff; or (ii) engage/enter into a service contract with organizations or individuals providing personal data protection services to hold the DPO role. 

2.2. Circumstances giving rise to the obligation to appoint a DPO 

2.2.1. GDPR 

Article 37.1 of the GDPR stipulates the cases where a Data Controller or Data Processor has the obligation to appoint a DPO as follows: 

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or 
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10. 

Article 37.1 of the GDPR thus sets out the cases where the Data Controller or Data Processor must appoint a DPO. In addition to these mandatory cases, Article 37.4 of the GDPR provides for cases where a Data Controller or Data Processor may appoint a DPO: “In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors”. 

In conclusion, under the GDPR, a Data Controller or Data Processor: (a) must appoint a DPO if it falls under the cases stipulated in Article 37.1 of the GDPR; and (b) may appoint a DPO in the cases provided for in Article 37.4 of the GDPR. 

2.2.2. Vietnamese PDP Laws 

According to Article 28 of Decree 13, when an agency, organization, or enterprise processes sensitive personal data, it incurs the responsibility to designate a department and personnel for personal data protection. An agency, organization, or enterprise may be exempt from this responsibility in the following cases under the provisions of Decree 13: 

  1. The agency, organization, or enterprise only processes basic personal data and does not process sensitive personal data; 
  2. Micro, small, and medium-sized enterprises, and start-up enterprises are entitled to an exemption from the regulation on designating an individual and a department for personal data protection for the first 02 years from their establishment, pursuant to Article 43.2 of Decree 13. 

Under the forthcoming LPDP 2025, Article 33.2 stipulates that agencies, organizations, and enterprises have the responsibility to designate a department or personnel for personal data protection or to engage an organization or individual providing such services in all cases, without distinguishing by the type of personal data processed or the scale of the enterprise conducting the processing, which differs from the approach of Decree 13. 

2.2.3. Preliminary conclusion for Section 2.2 

Regarding the basis for the obligation to appoint a DPO, the GDPR specifies cases where the Data Controller or Data Processor must appoint a DPO (Article 37.1) or may appoint one on a voluntary basis (Article 37.4). On the same issue under the Vietnamese PDP Laws, while Decree 13 stipulates that the obligation arises only when processing sensitive personal data and includes certain exceptions, the LPDP 2025 provides that the obligation to appoint a DPO will arise in all cases and does not provide for any exceptions to this responsibility. 

3. Conclusion for Part 1 

The analysis above reveals the approach of the Vietnamese Laws on Personal Data Protection: both harmonizing with international standards and establishing distinct requirements. Permitting the engagement of external DPOs under the LPDP 2025 is a move towards converging with the practice of the GDPR. Conversely, mandating the appointment of a DPO in all cases demonstrates a higher and more universal compliance requirement compared to the GDPR’s risk-based approach. 

A clear understanding of the two aspects of DPO appointment compared in this Part 1 is the first step for agencies and organizations to build an effective compliance roadmap. Issues concerning competency standards and the number of DPOs will be analyzed in further detail in Part 2 of this series of articles. 

Date written: 20/10/2025


Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.
