1. Introduction
Part One and Part Two of this Series of Articles analyzing Vietnamese legal regulations on the appointment of a department or personnel for personal data protection (“DPO”) have provided a preliminary overview of the following issues: subjects eligible for appointment, circumstances giving rise to the responsibility to appoint a DPO, the quantity of DPOs to be appointed, and the competency standards for the appointed DPO under the General Data Protection Regulation of the European Union (“GDPR”) and Vietnamese Laws on Personal Data Protection (including Decree 13/2023/ND-CP and the Law on Personal Data Protection 2025).
In addition to the matters addressed in Part One and Part Two, the appointment process as well as the rights and obligations of the DPO constitute crucial legal issues that the Personal Data Controller and Personal Data Processor must consider to ensure compliance with legal regulations regarding DPOs.
Part Three, which serves as the concluding part of this Series of Articles, will compare and contrast the regulations of the GDPR and Vietnamese laws based on the following criteria: (i) DPO Appointment Process; and (ii) Rights and obligations of the DPO.
2. Regulations on DPOs under the GDPR and Vietnamese Laws on Personal Data Protection
2.1. DPO Appointment Process
Neither the GDPR nor Vietnamese Laws on Personal Data Protection provide detailed regulations on the order and procedures for appointing a DPO. Consequently, the Controller and Processor are granted full discretion to proactively decide on the process for designating a department or personnel for personal data protection in accordance with the internal personnel appointment procedures stipulated in the enterprise’s internal legal instruments, such as the Charter, internal regulations, and policies (e.g., the Personal Data Protection Policy) of the Personal Data Controller and Personal Data Processor.
Although not explicitly prescribed by law, the outcome of the designation process is typically recorded in a Decision on the designation/appointment of a department or personnel for personal data protection (“Decision on DPO Designation”). The Decision on DPO Designation is a critical legal document, as it serves as a mandatory component of the Dossier for Impact Assessment of Personal Data Processing and the Dossier for Impact Assessment of Cross-Border Transfer of Personal Data. Furthermore, Data Subjects and partners of the Personal Data Controller and Personal Data Processor may request the provision of this document as a means to verify and assess the level of compliance with personal data protection regulations by the Data Controller and Data Processor.
The GDPR and Vietnamese Laws on Personal Data Protection also do not explicitly regulate the minimum content requirements for a Decision on DPO Designation. In practice, given the DPO’s role as the contact point for competent state agencies, Data Subjects, and related parties, the Decision on DPO Designation may include: general descriptive information regarding the department and personnel for personal data protection (e.g., clearly specifying the responsible department or personnel, and their position/job title within the organization); contact details (e.g., telephone number, email, correspondence address) of said department and personnel; and the specific rights and obligations assigned to them.
In summary, the Personal Data Controller and Personal Data Processor are entitled to proactively determine the DPO appointment process and may document this process within their internal legal instruments. Concurrently, the Data Controller and Data Processor should note the requirement to establish and archive the Decision on DPO Designation, as this constitutes a vital legal document for administrative procedures with competent state agencies and serves as evidence of compliance with personal data protection laws.
2.2. Rights and Obligations of the DPO
2.2.1. GDPR
The GDPR establishes statutory rights and obligations in Articles 38 and 39. Generally, the DPO is responsible for being involved, properly and in a timely manner, in all issues relating to the protection of personal data of the Personal Data Controller and Personal Data Processor (Article 38.1 of the GDPR).
Notably, Article 38 of the GDPR contains provisions aimed at guaranteeing the independence of the DPO. Specifically, Article 38.3 stipulates that the Controller and Processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks, and that the DPO shall not be dismissed or penalized by the Controller or the Processor for performing his or her tasks. Furthermore, the DPO may fulfill other tasks and duties, provided that such tasks and duties do not result in a conflict of interest with the data protection role (Article 38.6 of the GDPR).
2.2.2. Vietnamese Laws on Personal Data Protection
Regarding the rights and obligations of the DPO, Article 30.1.b of Decree 13 stipulates only in a general manner: “A department and personnel with the function of personal data protection shall be designated within the agency, organization, or enterprise to ensure the implementation of regulations on personal data protection.” Meanwhile, the LPDP 2025 does not detail the rights and obligations of the DPO, leaving this matter to be regulated by documents guiding the LPDP 2025, such as decrees and circulars (Article 33.3 of the LPDP 2025).
2.2.3. Preliminary Conclusion
In summary, unlike the GDPR, Vietnamese Laws on Personal Data Protection have not yet specifically stipulated the rights and obligations of the DPO.
3. General Conclusion
In conclusion, this Series of Articles has provided a preliminary comparison of the regulations on the appointment of a Department or Personnel for Personal Data Protection under the General Data Protection Regulation of the European Union and Vietnamese Laws on Personal Data Protection based on the following criteria: (i) subjects eligible for appointment, (ii) circumstances giving rise to the responsibility to appoint a DPO, (iii) quantity of DPOs to be appointed, (iv) standards for the appointed DPO, (v) appointment process, and (vi) rights and obligations of the DPO. The similarities and differences between the GDPR and Vietnamese Laws on Personal Data Protection are summarized in the table below:
| Criteria | GDPR | Vietnamese Laws on Personal Data Protection |
| Subjects eligible for appointment | From the effective date of the LPDP 2025 (01 January 2026), the GDPR and Vietnamese Laws on Personal Data Protection will have corresponding provisions regarding the conditions for subjects who can be designated or appointed as a DPO. Specifically, agencies and organizations may (i) appoint internal staff; or (ii) engage/enter into a service contract with organizations or individuals providing personal data protection services to hold the DPO role. | |
| Circumstances requiring DPO appointment | The GDPR stipulates cases of: (a) mandatory DPO appointment under Article 37.1; and (b) DPO appointment under Article 37.4 (voluntary or mandated by Member State’s national laws). | (a) Decree 13 stipulates that the Controller, Processor, and Controller-Processor must designate a department and personnel for personal data protection where sensitive personal data is processed.
(b) The Law on Personal Data Protection 2025 stipulates that the Controller, Processor, and Controller-Processor must designate a department and personnel for personal data protection in all cases. |
| Quantity of DPOs to be appointed | The Controller and Processor may need to appoint only one (01) individual to become its DPO. | The quantity of DPOs to be appointed has not been clearly stipulated. |
| Standards for the appointed DPO | Article 37.5 of the GDPR and Article 33.2 of the LPDP 2025 have regulated the standards for DPOs in a general manner. The details of these standards will be specifically stipulated in the laws of Member States (for the GDPR) and legal normative documents guiding implementation (for the LPDP 2025). | |
| Process of DPO Appointment | The Personal Data Controller and Personal Data Processor are entitled to proactively decide on the DPO appointment process and may record this process in their internal legal documents.
Regarding Vietnamese Laws on Personal Data Protection, the Data Controller and Data Processor need to establish and archive the Decision on DPO Designation, as this is an important legal document for administrative procedures with competent state agencies and serves as evidence of compliance with legal regulations on personal data protection. |
|
| Rights and obligations of the DPO | The GDPR stipulates statutory rights and obligations in Articles 38 and 39. | The rights and obligations of the DPO have not been specifically stipulated. |
Date Written: 20/12/2025
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data and contact our team of lawyers in Vietnam via email info@apolatlegal.com.
