The connection between ESG and personal data protection in the digital age

ESG (Environmental, Social, and Governance) is a set of criteria used to assess a company’s performance based on three aspects: environmental impact, social responsibility and governance standards. For Vietnamese enterprises today, ESG is not only a growing expectation from international investors, but also a vital tool to promote sustainable growth, attract capital and manage risks effectively. In the era of digital transformation, ESG compliance is also reflected in how transparently and responsibly companies protect personal data – an increasingly core component of a company’s sustainable development strategy. Complying with personal data protection policies in line with legal regulations not only helps businesses reduce legal risks, but also reinforces the trust of customers and partners, thereby creating a solid foundation for long-term growth.

1. The relationship between ESG and personal data protection

The ESG corporate governance framework and personal data protection play an essential role in building a sustainable and responsible enterprise. Notably, Circular No. 13/2023/TT-BKHDT issued by the Ministry of Planning and Investment includes the protection of information, including personal data, as an important criterion in evaluating a company’s ESG model. It highlights that complying with legal regulations on personal data is no longer just an administrative obligation, but a reflection of corporate governance capacity, business ethics and operational transparency. 

Personal data protection is now regulated under Decree No. 13/2023/ND-CP on the protection of personal data, effective from April 17th, 2023. The Decree emphasizes individuals’ privacy rights and corporate responsibility in data processing, which aligns with ESG’s development direction. Therefore, integrating data protection into ESG is not only in line with current global trends but also a practical tool for demonstrating internal control and regulatory compliance, thereby enhancing a company’s reputation and competitive advantage in the global digital economy.

2. Ensuring personal data protection in corporate governance

To establish a transparent corporate environment, boards of management and governance must develop effective information disclosure policies. For public and listed companies, disclosure is not only a legal obligation under the Securities Law and guiding regulations, but also a measure of governance capability and corporate credibility in the market. Strengthening disclosure practices is also a key principle of the Corporate Governance Code of Best Practices issued by the State Securities Commission, which provides guidance for public and listed companies. In addition, Circular No. 96/2020/TT-BTC issued by the Ministry of Finance guides disclosure regulations in the securities market, helping orient companies toward better governance.

Under this Circular, personal data such as national ID numbers, valid passport, contact address, permanent residence, phone/fax numbers, email, securities account numbers, depository account numbers, bank accounts, and foreign investor identification codes may be required during disclosures. However, as most of these are sensitive personal data, their disclosure must comply with principles for protecting sensitive personal information. 

According to Decree 13/2023/ND-CP, organizations must implement organizational and technical measures for data processing and comply with other legal obligations. Specifically, they must develop and promulgate internal policies on data protection that clarify the principles, procedures, roles, and responsibilities of relevant departments. This ensures that all data-related activities, from collection, storage, access, and sharing to transfer, are properly managed and consistently enforced. This framework enhances transparency and accountability in data governance. 

Furthermore, organizations are required to adopt data protection standards appropriate to their sector, business activities, and the nature of the data processed. For example, companies in finance, healthcare, or technology, which often deal with large volumes of sensitive data, must apply technical measures such as data encryption, access control, cybersecurity monitoring, and regular evaluations of technical systems to minimize unnecessary disclosures and reduce the risk of data breaches. In addition, practices such as pre-processing cybersecurity checks, and the irreversible deletion or destruction of devices containing personal data, are also encouraged. 

Vietnam’s data protection regulation assigns specific responsibilities to personal data controllers, including: 

  • Implementing appropriate organizational, technical, and security measures to demonstrate lawful data processing activities and reviewing and updating such measures as needed; 
  • Recording and storing records of personal data processing activities; 
  • Notifying violations related to personal data protection in accordance with Article 23 of Decree 13; 
  • Selecting suitable personal data processors with clearly defined duties and ensuring that these parties also adopt proper protection measures; 
  • Ensuring data subjects’ rights as outlined in Article 9 of Decree 13; 
  • Taking responsibility for damages caused by personal data processing; 
  • Cooperating with the Ministry of Public Security and other competent authorities in protecting personal data and providing necessary information for investigation and enforcement actions. 

3. Introduction to Personal Data Protection Services by Apolat Legal

As businesses increasingly seek to integrate ESG into their sustainability strategies, many aspire to align with international best practices while also complying with Vietnam’s personal data protection regulations. This dual goal often creates confusion in actual implementation, from interpreting regulations and designing internal processes to assessing risks and completing legal documentation. 

Apolat Legal understands these challenges and is committed to supporting enterprises through specialized legal services that help meet both compliance and ESG strategy objectives. With a strong foundation in corporate law, technology, information security, and data privacy, as well as hands-on experience across various sectors, Apolat Legal offers a comprehensive range of services, including: 

  • Legal advice on personal data protection regulations; 
  • Compliance assessments for organizations and individuals; 
  • Development and implementation of compliance plans suitable for each client’s specific conditions; 
  • Support in resolving issues related to personal data security; 
  • Internal training on personal data protection for employees; 
  • Preparation of Data Protection Impact Assessments (DPIAs); 
  • Notification of data processing activities and cross-border transfers of personal data. 

Throughout the advisory process, Apolat Legal remains dedicated to identifying and mitigating legal risks associated with personal data activities. Protecting and enhancing client interests is always our foremost mission and commitment. 


Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.

 
