DL PINNACLE – YOUR LEGAL ANCHOR, A STRATEGIC LEADER
EMPLOYER'S RESPONSIBILITIES REGARDING EMPLOYEE DATA

In the context of the Fourth Industrial Revolution, alongside the robust development of information technology, artificial intelligence (AI), and digital platforms, personal data has increasingly become a crucial resource in corporate governance and operations. Consequently, the personal information of employees, which is inextricably linked to their privacy rights and legitimate interests, demands a high level of protection.

In response to the requirements of ensuring human rights and data safety in the current digital environment, Vietnamese law has gradually perfected the legal framework on personal data protection, especially with the Law on Personal Data Protection effective from January 01, 2026. Accordingly, the responsibility to protect personal data in labor relations is no longer merely an internal governance issue but has become a mandatory legal obligation, contributing to building transparent, sustainable labor relations aligned with the demands of the digital economy.

I. What are personal data and personal data processing

1. Personal data

Personal data, as defined by law, is information associated with a specific human being, expressed in digital form or in other forms. In the electronic environment, personal data appears as symbols, writing, numbers, images, sounds, or similar forms.

Accordingly, personal data is classified into 02 categories: basic personal data and sensitive personal data.

• Basic personal data includes last name, first name, date of birth, gender, place of permanent residence, nationality, image, phone number, personal legal document number, personal tax identification number, social insurance number, marital status, information on family relationships, ... and other information that is associated with or helps identify a specific human being.

(Legal basis: Clause 2, Article 2 of the 2025 Law on Personal Data Protection and Article 3 of Decree No. 356/2025/ND-CP - effective from January 01, 2026)

• Sensitive personal data refers to data inherently associated with an individual's privacy rights which, when infringed upon, will directly affect the legitimate rights and interests of that individual, such as political views, religious views, health status according to medical records, information on racial or ethnic origin, data on crimes and criminal offenses, and other data stipulated by law as specific and requiring necessary security measures.

(Legal basis: Clause 3, Article 2 of the 2025 Law on Personal Data Protection and Article 4 of Decree No. 356/2025/ND-CP)

2. Personal data processing

This refers to operations that directly or indirectly impact personal data through activities such as collecting, recording, analyzing, confirming, storing, rectifying, disclosing, combining, accessing, retrieving, revoking, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.

In the relationship between an enterprise and an employee, depending on the enterprise's personal data processing activities and on the perspective of other subjects, an enterprise may play multiple roles: Personal Data Controller; Personal Data Processor; Personal Data Controller-cum-Processor; and Third Party. Each role carries different rights and obligations.

II. What are the enterprise's responsibilities in processing employees' personal data

When an enterprise conducts activities such as storing or analyzing candidates' recruitment profiles, storing employee information to fulfill tax and insurance obligations, and other information to serve employee management tasks, such operations are considered personal data processing. Therefore, it is evident that the enterprise not only plays a decisive role but also bears direct responsibility for the entire personal data processing cycle in accordance with legal regulations.

1. Complying with principles of personal data processing and protection under legal regulations.

The employee here is the data subject and has the right to be informed about activities related to the processing of their personal data. When an enterprise collects, stores, and processes employees' personal data, the processing must be appropriate, relevant to the purpose, limited to the necessary scope, and based on the employee's clear awareness and consent, unless otherwise prescribed by law. Furthermore, the enterprise must bear corresponding responsibilities depending on its role as a Personal Data Controller, Personal Data Processor, Personal Data Controller-cum-Processor, or Third Party.

Legal basis: Article 3, Point a, Clause 1, Article 4, Article 9, and Article 37 of the 2025 Law on Personal Data Protection

2. The enterprise must not commit prohibited acts in personal data protection.

The enterprise has an obligation to strictly comply with legal regulations throughout the processing of employees' personal data. Prohibited acts include using information to infringe upon the legitimate rights and interests of employees, applying unauthorized technological or technical measures to collect or exploit data, and obstructing the supervision and protection activities of competent state agencies. Any form of exploiting data processing to commit other illegal acts is also strictly prohibited. The law particularly emphasizes and severely penalizes serious violations, including using the personal data of others or allowing others to use one's data for illegal purposes, illegally buying and selling data, or misappropriating, intentionally disclosing, or leaking personal information. These regulations form a solid legal barrier, placing the responsibility on enterprises to protect the privacy and data safety of employees.

Legal basis: Article 7 of the 2025 Law on Personal Data Protection

3. Applying personal data protection measures throughout the processing cycle

The enterprise is responsible for synchronously applying appropriate organizational, technical, and managerial measures to ensure the safety and security of employees' personal data from the onset and throughout the processing cycle. The processing of personal data, especially through technological and technical measures in the recruitment, management, and employment of labor, must only be conducted when in accordance with the law, ensuring the legitimate rights and interests of data subjects, and on the basis of the employees' clear awareness of and consent to such measures. The enterprise should also pay attention to deleting or destroying the personal data of employees in the event they no longer work at the enterprise, or retaining the data within the time limit prescribed by law or by agreement.

In addition, the enterprise must not process or use personal data collected through technological or technical measures contrary to legal regulations, and must coordinate with competent state agencies in personal data protection efforts when requested in accordance with regulations.

Legal basis: Article 25 of the 2025 Law on Personal Data Protection

4. The enterprise must bear legal liability arising from personal data processing.

Enterprises that violate regulations on protecting employees' personal data will bear comprehensive legal liability. This liability is classified depending on the nature and severity of the violation, including administrative, civil, and even criminal liability. If the data processing activity causes actual damages, the enterprise is obligated to compensate the employee in strict accordance with the law.

Enterprises should particularly note that the maximum fine for administrative violations in the field of personal data protection can be up to 03 (three) billion VND. This is a very severe penalty, reflecting the State's consistent stance on strengthening personal data protection in the current context of digital transformation. Therefore, enterprises must be extremely cautious during the collection, storage, and processing of personal data, while strictly and fully complying with legal regulations on personal data protection to mitigate legal risks and ensure stable and sustainable production and business operations.

Legal basis: Article 8 of the 2025 Law on Personal Data Protection

In the digital era, processing employees' personal data is no longer a secondary activity or an internal procedure of an enterprise but has become a core component of modern corporate governance. How an enterprise collects, uses, and protects personal data not only reflects its level of legal compliance but also demonstrates its governance culture, social responsibility, and ability to adapt to new legal standards. Investing in a secure, transparent data management system that respects employees will not only help enterprises avoid severe legal sanctions but also build trust, enhance competitiveness, and foster sustainable development in the context of the digital economy and increasingly perfected legal frameworks.

DL PINNACLE LAW FIRM LLC

Contact information
Address: 3rd Floor, 18A/76 Nguyen Thi Minh Khai, Saigon Ward, Ho Chi Minh City
Hotline: 0914491911
Email: info@dlpinnacle.vn
Website: https://www.dlpinnacle.vn