Update: 07.04.2026
Introduction
In the course of business operations, the recruitment, management and employment of employees is one of the areas that generates and processes a substantial volume of personal data, including a significant amount of sensitive personal data. With the Personal Data Protection Law 2025 (Law No. 91/2025/QH15) officially taking effect from 1 January 2026, a new legal framework has been established, imposing stringent requirements on enterprises with respect to the collection, processing and protection of employees’ personal data. Accordingly, employers’ responsibilities are no longer limited to compliance with traditional labour law obligations, but extend to the obligation to protect personal data rights throughout the entire lifecycle of the employment relationship. Against this background, what specific legal obligations are imposed on enterprises in recruitment, management and employment under the Personal Data Protection Law 2025?
I. New perspectives on personal data protection in employment relationships
The 2025 Law on Personal Data Protection introduces Article 25, which specifically governs the protection of personal data in the recruitment, management and use of employees (“Employees”) across different stages of the employment relationship. In particular:
(i) Article 25.1 provides that during the recruitment process, employers may only request job applicants to provide information that is necessary and relevant to the recruitment purpose. The processing of applicants’ personal data may only be carried out on the basis of their consent. In addition, personal data of unsuccessful applicants must be deleted or destroyed, unless otherwise agreed by the parties.
(ii) Article 25.2 stipulates that during the management and use of Employees, employers must concurrently comply with the 2025 Law on Personal Data Protection, labour and employment laws, and other relevant legal regulations. Employees’ personal data may only be retained for the duration prescribed by law or pursuant to a lawful agreement and, as a general principle, must be deleted or destroyed upon termination of the labour contract.
(iii) Article 25.3 provides that the processing of Employees’ personal data collected through technological or technical measures in labour management must comply with legal regulations, ensure the lawful rights and interests of Employees, and be conducted on the basis that Employees are notified in advance. The processing and use of personal data collected through unlawful measures are strictly prohibited.
Accordingly, Article 25 of the 2025 Law on Personal Data Protection establishes a direct legal basis for determining enterprises’ responsibilities in protecting Employees’ personal data, serving as a foundation for the detailed analysis of compliance obligations and risks in the following sections.
II. Specific responsibilities of enterprises at each stage of the employment relationship
2.1 During the recruitment stage
a. Scope of data collection and data protection obligations in recruitment
Pursuant to Article 25.1 of the 2025 Law on Personal Data Protection, enterprises may only request job applicants to provide information that directly serves the recruitment purpose, in compliance with legal regulations, and may not use such personal data for other purposes unless a lawful agreement has been entered into with the applicant.
In practice, applicants’ personal data may exist in various forms, including digital data (such as electronic CVs, recruitment emails, audio/video recordings of interviews) and physical data (such as paper files and interview records). Regardless of the form, all such information constitutes personal data and must be fully protected by enterprises throughout the recruitment process. Notably, under Article 25.1(c) of the 2025 Law on Personal Data Protection, enterprises are required to delete or destroy the personal data of unsuccessful applicants, unless otherwise agreed with the applicants themselves. Accordingly, the default or indefinite retention of applicants’ dossiers without explicit consent is no longer compliant with legal requirements.
b. Retention periods and obligations to delete or destroy recruitment records
Current laws do not prescribe a uniform retention period applicable to all recruitment records; however, such retention must comply with the principles of “purpose limitation” and “storage limitation” under Article 3 of the 2025 Law on Personal Data Protection. Accordingly, once the recruitment purpose for a specific position has been fulfilled, enterprises must delete or destroy applicants’ dossiers, unless the applicant has lawfully consented to a new processing purpose.
In practice, retention periods for recruitment records may be classified as follows: (i) for unsuccessful applicants with no agreement on continued retention, enterprises should only retain the dossiers for a reasonable period (typically no more than 4–6 months from the end of the recruitment process) for administrative, explanatory or incidental handling purposes; (ii) for potential candidates, enterprises may continue to retain dossiers only with the applicant’s explicit consent, with a recommended retention period of 12 months and a maximum of 16 months; and (iii) for successful applicants, recruitment dossiers become part of personnel files and are retained in accordance with labour, accounting, tax and archival regulations.
In all cases, default, indefinite retention or retention not linked to a specific processing purpose poses a significant risk of violating personal data protection laws.
2.2 During the management and employment of employees
Once the employment relationship is established, the scope of personal data processing by enterprises expands considerably, encompassing data used for human resources management, payroll, insurance, performance evaluation and labour discipline.
At this stage, enterprises must retain personal data only for the necessary period, as prescribed by law or pursuant to a lawful agreement with Employees. Any expansion of the scope of data retention or extension of retention periods beyond legitimate management needs may be deemed inconsistent with personal data protection principles.
In addition, the 2025 Law on Personal Data Protection imposes stringent requirements on the collection and processing of personal data through technological or technical measures, such as electronic timekeeping systems, surveillance cameras or performance monitoring software. Under Article 25.3, enterprises may only implement such measures when Employees are fully informed and clearly aware of their application, and must ensure that such measures do not infringe upon Employees’ lawful rights and interests. The processing of data collected through unlawful technological measures is strictly prohibited.
2.3 Upon termination of the employment relationship
Upon termination of the labour contract, the general principle under the 2025 Law on Personal Data Protection is that enterprises must delete or destroy Employees’ personal data. This requirement aims to prevent the continued retention and use of personal data once the processing purpose tied to the employment relationship no longer exists.
However, enterprises may continue to retain Employees’ personal data in certain circumstances, including: (i) where there is a clear agreement with the Employee to retain data for specific purposes such as post-employment benefits, issuance of employment confirmations or dispute resolution; or (ii) where sector-specific laws mandate retention periods, such as under accounting, tax or labour regulations. Even in such exceptional cases, enterprises must continue to comply with personal data protection principles, including limiting the scope of retained data, ensuring data security, and deleting or destroying data promptly upon expiry of the lawful retention period to mitigate legal risks.
III. Legal risks and compliance recommendations for enterprises
3.1 Legal risks arising from violations of personal data protection obligations
Failure to comply with obligations to protect the personal data of applicants and Employees, particularly the obligation to delete or destroy personal data under Article 25 of the 2025 Law on Personal Data Protection, may expose enterprises to significant legal risks.
Pursuant to Article 8 of the 2025 Law on Personal Data Protection, depending on the nature, severity and consequences of the violation, enterprises may be subject to administrative penalties of up to VND 3 billion. Notably, where violations involve unlawful cross-border transfers of personal data, penalties may reach up to 5% of the enterprise’s revenue in the immediately preceding fiscal year. In serious cases, enterprises and relevant individuals may also face criminal liability or be required to compensate data subjects for damages, including not only material losses but also harm to reputation, dignity and employment opportunities.
Beyond direct legal sanctions, violations of personal data protection obligations may also give rise to labour disputes and reputational damage. Acts such as public disclosure of salary tables, performance evaluations or health records; sharing personnel information with third parties without consent; or exchanging “blacklists” of candidates within HR communities may all be deemed unlawful processing of personal data, even if conducted for internal management or risk prevention purposes.
3.2 Practical compliance recommendations
To mitigate legal risks arising from violations of personal data protection obligations and to ensure full compliance with the 2025 Law on Personal Data Protection, enterprises should adopt a proactive, systematic and lifecycle-based approach to personal data protection throughout the employment relationship, rather than relying on ad hoc responses when incidents arise. Recommended measures include:
(i) Reviewing and adjusting recruitment and HR management processes: Identifying categories of personal data permitted to be collected for each position, industry and processing purpose. Any collection, retention or use of personal data exceeding legitimate needs or lacking adequate notice to applicants and Employees should be eliminated.
(ii) Issuing internal regulations on personal data lifecycle management: Clearly defining circumstances and timelines for deleting or destroying personal data of unsuccessful applicants and Employees upon termination of employment. Where data retention continues, written agreements with data subjects should specify the purpose, scope and duration of processing.
(iii) Establishing data retention and deletion/destruction policies: Determining retention periods for each category of personnel data and recruitment records, and implementing periodic review and deletion/destruction mechanisms. Data deletion/destruction should be conducted securely, in a controlled manner and rendered irrecoverable to prevent data leakage or unauthorized use.
(iv) Enhancing transparency through personal data protection agreements: Developing personal data protection agreements and/or privacy notices for applicants and Employees, clearly specifying data collection purposes, processing scope and retention periods from the recruitment stage, and designing separate consent mechanisms for retaining applicant records for future recruitment opportunities.
(v) Raising internal compliance awareness: Organizing training and guidance for HR personnel, managers and Employees on personal data protection obligations in recruitment and labour management.
In the long term, protecting Employees’ personal data is not merely a legal compliance requirement, but also a measure of corporate governance culture and respect for human rights. Proper implementation and compliance with obligations under the 2025 Law on Personal Data Protection will help enterprises build employee trust, enhance employer branding and minimize legal risks in human resources management.
In the context of the 2025 Law on Personal Data Protection having taken effect, personal data protection in recruitment, management and use of Employees has become a core compliance requirement for all enterprises. Article 25 clearly establishes key obligations, particularly with respect to limits on data collection, transparency in processing, control of retention periods and timely deletion or destruction of data. Accordingly, enterprises should promptly standardize HR processes, establish internal data governance mechanisms and enhance compliance awareness across their organizations.
ADK VIETNAM LAWYERS
