1. Introduction
The first article of the Series of Articles analyzing Vietnamese legal regulations on the appointment of a department or personnel for personal data protection (“DPO”) briefly introduced contents related to the subjects eligible for appointment and the circumstances giving rise to the obligation to appoint under the General Data Protection Regulation of the European Union (“GDPR”) and Vietnamese laws on personal data protection (including Decree 13/2023/ND-CP and the Law on Personal Data Protection 2025).
To establish a compliance mechanism for data protection regulations regarding DPO appointments, compliance does not stop at the issues of who to appoint or when to appoint. Indeed, agencies, organizations, and enterprises must also consider issues regarding the quantity and conditions of personnel assuming the role of DPO.
Continuing the above Series of Articles, this second Article will compare the regulations of the GDPR and Vietnamese laws based on two criteria: (i) Quantity of DPOs; and (ii) Competency standards, requirements for professional qualifications, legal knowledge, and practical skills necessary for a DPO.
2. Regulations on DPOs under the GDPR and Vietnamese PDP Laws
2.1. Quantity of DPOs that may be appointed
2.1.1. GDPR
Regarding the quantity of DPOs that may be appointed, the GDPR clearly stipulates that the Controller or Processor may need to appoint only one (01) individual (“shall designate a data protection officer”) to hold the role of DPO for the Controller or Processor under Articles 37.1, 37.2, 37.3, and 37.4 of the GDPR. This applies even in cases where the Controller or Processor is a group of undertakings comprising multiple subsidiaries; the Controller or Processor may designate a single DPO for the entire group (Article 37.2 of the GDPR).
2.1.2. Vietnamese Laws on Personal Data Protection
Unlike the GDPR, Vietnamese Laws on Personal Data Protection do not specifically stipulate the quantity of DPO personnel that may be appointed. Vietnamese Laws on Personal Data Protection only stipulate in a general manner the appointment of a “department or personnel for personal data protection” (Article 28.2 of Decree 13 and Article 33.2 of the LPDP 2025). Accordingly, Vietnamese Laws on Personal Data Protection have not clearly stipulated the following issues:
- The quantity of DPOs that the Controller or Processor may appoint, especially in the case of appointing a personal data protection department. Specifically, there is a view that stemming from the term “department”, the Controller or Processor must appoint at least two (02) DPOs or more, as a “department” must be constituted by at least two (02) personnel or more;
- Whether the Controller or Processor (i) must appoint both a department and personnel for personal data protection, or may need only to (ii) appoint personnel for personal data protection or a department for personal data protection.
- In the author’s view, regardless of the interpretation, the Controller or Processor must also appoint at least one (01) DPO to ensure the implementation of personal data protection obligations of the agency, organization, or enterprise and to ensure the agency, organization, or enterprise always has at least one point of contact with Data Subjects, Competent State Agencies, and other third parties in cases upon request or as prescribed by law.
2.1.3. Preliminary Conclusion
In summary, regarding the issue of the quantity of DPOs that may be appointed, Vietnamese Laws on Personal Data Protection differ from the GDPR. While the GDPR clearly stipulates that the Controller or Processor may need to appoint only one (01) personnel for personal data protection, Vietnamese Laws on Personal Data Protection have not clearly stipulated how many DPOs the Controller or Processor must appoint. Furthermore, whether the Controller or Processor must simultaneously appoint both a department and personnel for personal data protection, or whether the Controller or Processor may need only to appoint personnel for personal data protection or a department for personal data protection.
2.2. Standards for the Appointed DPO
2.2.1. GDPR
According to Article 37.5 of the GDPR, the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the GDPR.
The GDPR does not clearly state which specific criteria constitute professional qualities, and the GDPR leaves it to the laws of Member States to regulate this issue in detail.
2.2.2. Vietnamese Laws on Personal Data Protection
Decree 13 has not specifically stipulated the standards that individuals or organizations must ensure to be appointed to the role of DPO. From the time the LPDP 2025 takes effect, Article 33.2 of the LPDP 2025 emphasizes that the designated departments or personnel must have sufficient capacity for personal data protection. Regarding specific capacity conditions, the LPDP 2025 has not specifically regulated this issue, and it is possible that in the coming time, documents guiding the implementation of the LPDP 2025 will regulate and guide this content in detail.
2.2.3. Preliminary Conclusion
In summary, Article 37.5 of the GDPR and Article 33.2 of the LPDP 2025 have regulated the standards for DPOs in a general manner. The details of these standards will be specifically stipulated in the laws of Member States (for the GDPR) and legal normative documents guiding implementation (for the LPDP 2025).
3. Conclusion for Part 2
The analysis above show that between the GDPR and Vietnamese laws on personal data protection, there are certain differences, especially the regulations on the quantity of DPOs that may be appointed.
Specifically, regarding the issue of the quantity of DPOs, the GDPR clearly stipulates and demonstrates high flexibility with the mechanism that the Controller or Processor may need to appoint only one (01) DPO (also applicable to the entire Group comprising multiple subsidiaries, affiliates, multinational companies, etc.). Conversely, Vietnamese laws are leaving open the interpretations of the “department” and “personnel” models, creating legal uncertainty in the issue of the quantity of DPOs.
Regarding the conditions of the DPO, both the GDPR and Vietnamese legal regulations have regulated the standards for DPOs in a general manner. The details of these standards will be specifically stipulated in the laws of Member States (for the GDPR) and legal normative documents guiding implementation (for the LPDP 2025).
Related post
- Regulations on the appointment of a department and personnel for personal data protection under the European union’s general data protection regulation and Vietnamese Laws on Personal Data Protection (Part 1)
- Criminal liability for violations of Vietnamese law on personal data protection
Date Written: 20/11/2025
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data and contact our team of lawyers in Vietnam via email info@apolatlegal.com.
