Individuals and Organizations Providing Personal Data Protection Services

1. Individuals Providing Personal Data Protection Services

Pursuant to Article 15 of Decree No. 356/2025/ND-CP, provisions on individuals providing personal data protection services (2026) are as follows:

(1) An individual providing personal data protection services is a person who meets the competency requirements specified in Clause (2) and is engaged by an agency or organization as personnel responsible for personal data protection.

(2) Such individuals must satisfy the following competency requirements:

  • Hold at least a college-level degree or higher;
  • Have a minimum of 03 years of professional experience (from the date of graduation) in one of the following fields: legal affairs, personal data processing, cybersecurity, data security, risk management, or compliance control;
  • Have received specialized training and advanced professional development in legal knowledge and professional skills relating to personal data protection.

(3) Agencies or organizations wishing to engage individuals for personal data protection services shall:

  • Assess the individual’s competency conditions as specified in Clause (2);
  • Enter into a contract for the use of personal data protection personnel;
  • Publicly disclose information about such personnel to data subjects and relevant parties.

(4) Individuals providing personal data protection services shall have the following responsibilities:

  • Perform services strictly within the scope and duties set out in the contract or agreement;
  • Not abuse their service provision to commit unlawful acts;
  • Delete or destroy personal data processed during the course of service provision upon completion of the contract, in accordance with applicable laws.

2. Organizations Providing Personal Data Protection Services

Pursuant to Article 16 of Decree No. 356/2025/ND-CP, provisions are as follows:

Organizational requirements

An organization providing personal data protection services must:

  • Be an entity or enterprise with functions, duties, or business lines in technology, legal services, or consultancy in technology or legal matters, engaged by agencies or organizations to advise on compliance with personal data protection regulations and to perform personal data protection tasks under agreement;
  • Have at least 03 personnel who fully satisfy the competency requirements set out in Clause 2, Article 15 of Decree No. 356/2025/ND-CP;
  • Have experience in providing products or services related to security, cybersecurity, information technology, standards assessment, or consultancy on personal data protection.

Capability dossier

The organization must prepare a capability dossier demonstrating its ability to provide personal data protection services and submit it to client agencies or organizations. The dossier must include:

  • Business lines and areas of operation;
  • Scale, scope, and experience in service provision;
  • Service policies;
  • Standards, qualifications, and competencies of personnel;
  • Supporting documents and relevant evidence.

Engagement procedures

Agencies or organizations requiring such services shall:

  • Review the capability dossier;
  • Enter into a service contract and a personal data processing agreement with the service provider;
  • Publicly disclose information about the service provider to data subjects and relevant parties.

Additional provisions

  • Depending on their needs, agencies or organizations may simultaneously appoint internal personal data protection personnel or units and engage external individuals or organizations providing such services.
  • Based on the agreement with the hiring entity, the service provider shall perform the functions of a personal data protection unit for that entity.

Responsibilities of service-providing organizations

Organizations providing personal data protection services must:

  • Perform services strictly in accordance with the scope and duties set out in the contract or agreement;
  • Not misuse their service provision to commit unlawful acts;
  • Delete or destroy personal data processed during service provision upon completion of the contract, in accordance with applicable laws.

Responsibilities of Organizations Providing Personal Data Processing Services

Pursuant to Article 23 of Decree No. 356/2025/ND-CP (2026):

Organizations providing personal data processing services shall:

(1) Fully comply with legal provisions on personal data protection, including the responsibilities and obligations of data controllers, controller-processors, and data processors.

(2) Establish a risk management framework for personal data protection appropriate to the services provided.

(3) Conduct periodic assessments of compliance status and trustworthiness in personal data protection at least once per year.

(4) Apply standards and technical regulations related to data security, personal data protection, and cybersecurity.

(5) Establish internal regulations defining the organization’s responsibilities and authority in personal data processing.

(6) Ensure that personal data is processed for proper purposes; limit collection, transfer, and storage in accordance with legal requirements; and prevent unauthorized access, collection, use, disclosure, or similar risks in data processing activities.

(7) Where acting as a data processor, require the data controller to obtain consent from data subjects in accordance with the law prior to service provision, ensuring that data subjects are informed of the types of personal data processed, the purposes of processing, and the identity of the service provider.

(8) Carry out organizational identity verification in accordance with laws on electronic identification and authentication.


Vo Thi Van Khanh
