Personal data protection in recruitment: key takeaways from the regulatory developments in Vietnam
Yonggeun Bae
Bae, Kim & Lee, Hanoi
Ujin Ahn
Bae, Kim & Lee, Seoul
Anh Dung Tran
Bae, Kim & Lee, Hanoi
Collecting a candidate’s personal data (via the receipt and examination of their CV) is generally the beginning of any employment engagement. Employers tend to collect more and more information about the candidate in order to carry out a comprehensive review of such potential employees, before deciding whether they are the right person for the position. However, Vietnam is now perfecting its regulations on personal data protection and, in the coming days, the collection of a candidate’s personal information might have to follow a strict procedure.
Currently, Decree 13/2023/ND-CP (‘Decree 13’), which has been effective from 1 July 2023, is the main legal framework governing all personal data protection activities in Vietnam. Nevertheless, personal data protection requirements applicable to employment, including the recruitment phase, have not been expressly addressed by Decree 13. In this regard, in September 2024, Vietnamese legislators prepared and published a draft version of the Law on Personal Data Protection for public consultation, which contains specific provisions regarding recruitment (the ‘Draft PDP Law’). Therefore, once approved (the law is expected to be passed in May 2025 and effective from January 2026), the Draft PDP Law will be the ultimate legal instrument that regulates, among other things, companies’ personal data protection obligations in regard to recruitment-related activities. Violations of the Draft PDP Law could be subject to the risk of administrative penalties and even criminal liability. In other words, companies should be aware of the provisions of the Draft PDP Law, as well as its implications in the context of the need for companies to overhaul their recruitment processes for compliance purposes.
The applicants’ key rights
When applying for a vacant position, applicants voluntarily provide their personal information to companies that are recruiting. However, this does not mean that such companies can freely hold, process and use such information. Under the Draft PDP Law, the applicants must be notified before their personal data is processed and contents of the notification in such a case should include, inter alia: (1) the type, purpose and method of processing; (2) the identity of any third party that the personal data could be transferred to; and (3) the timing of the processing (including storage) (the ‘Notice for Processing Personal Data’).[1] The Notice for Processing Personal Data, to be delivered to applicants, must be in a form that is printable and potentially reproduced in writing, including in electronic or verifiable format.[2]
In addition, such companies are required to put in place a mechanism so that the applicant can express and withdraw their consent (such mechanism should be capable of being printed or reproduced in writing, which can be in electronic format) and ensure that the applicants are informed of any potential consequences and damage resulting from the withdrawal of their consent (for example, their application may not be reviewed and processed further if the applicant withdraws their consent for processing personal data according to the delivered Notice for Processing Personal Data).[3]
The consent of applicants is only valid if it is provided based on a voluntary basis and such applicants have clear knowledge of: (1) the type of personal data that will be processed; (2) the purposes of the personal data processing; (3) the identity of any third party that their personal data could be transferred to; and (4) the applicant’s related rights and obligations (the ‘Consent Conditions’).
Personal data to be processed during the recruitment process
For recruitment purposes, companies should only collect personal data necessary for the purposes of evaluating a candidate’s appropriateness for the vacancy, including contact information, educational background, work experience and professional qualifications, etc. Companies should not collect sensitive personal data, such as information about the candidate’s sexual orientation or biometric/biological characteristics, since this data is not necessary and relevant to recruitment. Furthermore, the Draft PDP Law expressly restrains companies from inquiring about information related to applicants beyond that indicated in publicly disclosed recruitment information.[4]
Companies can obtain CVs from potential candidates in different ways. Typical scenarios are as follows:
- direct collection: an applicant may send their CV to the email address of the company, upload their CV through the company’s official website or submit a physical CV to the human resources department in person. In this case, the company should ensure that the Consent Conditions are fully satisfied and that the consent of the applicant has been obtained lawfully; and
- collection via third parties: companies may collect applicants’ CVs from third parties, such as recruitment agencies, and online recruitment platforms, such as job-advertising websites/mobile apps. The company should make sure that such third parties collect the personal data of applicants in a compliant manner. In the case where a company engages a recruitment agency to promote recruitment advertisements and to directly collect the CVs of applicants on the company’s behalf, under the Draft PDP Law, the company and the service provider could be considered as the personal data controller and the personal data processor, respectively.[5] Accordingly, they are required to enter into a contract with regard to data collection and data sharing. In this contract, the company should require that the third party: (1) only collect personal data once the contract is legally executed; (2) fully implement measures for protecting personal data as prescribed by the laws in Vietnam; and (3) delete or return all the relevant personal data to the company after the recruitment process has been completed.[6]
In addition, it is very common during the recruitment process that a reference check is conducted to verify the claims made and learn more about a potential candidate. The reference check usually involves communication with the candidate’s direct supervisors or superiors in regard to their previous employment. The focus of such a reference check is likely to be on profession-related information, such as job performance, activities and various job-related competencies. Since the Draft PDP Law generally provides that ‘information associated with an individual or used to identify an individual’ could be regarded as personal data[7], a prudent approach would involve obtaining the applicant’s consent before conducting the reference check.
For certain specialist recruitment, a medical examination is a normal requirement. However, under the Draft PDP Law, personal data related to health information is regarded as sensitive personal data. Accordingly, for compliance purposes, companies and recruitment agencies should obtain further specific consent for the collection and processing of such personal data related to healthcare and should apply specific measures to protect such sensitive personal data as prescribed by the law.[8]
The cross-border transfer of personal data
Under the Draft PDP Law, the parent company, subsidiaries and affiliates of a holding group are independently responsible for adhering to the applicable personal data protection obligations and consent granted for the processing of personal data that is given to a specific company will not amount to consent given to all the other entities in such a group.[9] In the recruitment context, especially for managerial positions in foreign-invested companies, the recruitment process may trigger the need for the transfer of personal data of the applicants from subsidiaries in Vietnam to offshore parent companies for further review and decision-making. Despite the fact that this situation is not expressly addressed in the Draft PDP Law, in such case, the applicant must be given notice of such personal data transfer and provide their consent prior to any transfer of data.
The Draft PDP Law does not expressly require any prior regulatory approval for the cross-border transfer of personal data. Instead, the Draft PDP Law requires companies that are the transferors of personal data overseas to prepare and retain an impact assessment dossier on the cross-border personal data transfer (a ‘Transfer Impact Assessment’), which includes, among other things, a description and explanation of the objectives of the personal data processing involving the data of Vietnamese citizens after being transferred abroad, the consent of the relevant citizens and a written agreement on the data transfer with the overseas recipient. The Transfer Impact Assessment must be available for inspection and assessment by a specialised agency within Vietnam’s Ministry of Public Security. An original version of the Transfer Impact Assessment must be submitted to the specialised agency within 60 days from the date of processing the personal data of the applicants. As a result of its review, the specialised agency may request that the companies conducting the cross-border data transfer update the submitted Transfer Impact Assessment if it is incomplete or not compliant with the regulations. Upon successfully conducting the cross-border transfer of personal data, the specialised agency must be notified of the same.[10]
Storage of applicants’ personal data
According to the current regulations in Decree 13, the storage of applicants’ personal data could become a complicated compliance-related matter. Under the Draft PDP Law, personal data should be stored for a period of time that is appropriate for the purpose of the processing, unless otherwise provided by law.[11] However, the Labor Code 2019 and the Law on Employment 38/2013/QH13, as well as the related guiding instruments, do not include any information on the time limit for a company to store the personal data of unsuccessful applicants once the recruitment process has been completed.
According to the Law on Archives 2011 (01/2011/QH13) and Circular 10/2022/TT-BNV, which are currently effective, companies in Vietnam are required to be able to retrieve documents on recruitment (including electronic documents) for a period from five to 10 years (the ‘Document Archive Period’). Nonetheless, it is unclear as to whether the storage of personal data of unsuccessful applicants collected during the recruitment process would be subject to the Document Archive Period, since the Law on Archives will be replaced as of 1 July 2025. The updated law appears to no longer impose any mandatory requirements on document retrieval in regard to private organisations in general and foreign-invested companies in particular.[12]
As the storage of personal data and the retrieval of recruitment documents might involve overlapping requirements to some extent, Vietnam’s laws in this regard will need to be updated to take this into account. However, to mitigate compliance risks, the company that is recruiting should keep an eye on the progress of the law, as well as proactively address other relevant issues.
[1] Article 13.1 and 2 of the Draft PDP Law.
[2] Article 13.3 of the Draft PDP Law.
[3] Articles 11 and 12 of the Draft PDP Law.
[4] Article 26.1 of the Draft PDP Law.
[5] Articles 2.10 and 2.11 of the Draft PDP Law.
[6] Article 59 of the Draft PDP Law.
[7] Article 2.3 of the Draft PDP Law.
[8] Article 28.1 and 2 of the Draft PDP Law.
[9] Article 3.4 of the Draft PDP Law.
[10] Article 45 of the Draft PDP Law.
[11] Article 3.7 of the Draft PDP Law.
[12] Article 2.1 and Article 3 of Law on Archives 2024, No 33/2024/QH15.