Personal Data Protection in Recruitment

Personal Data Protection in Recruitment is receiving special attention, especially in the context of new laws being enacted on this issue. Compliance with data security and transparency responsibilities helps businesses build solid trust with candidates and enhance their position in the volatile labor market. The following article provides information on these responsibilities.


What is personal data?

According to Clause 1, Article 2 of the Law on Personal Data Protection 2025, personal data is digital data or information in other forms that identifies or helps identify a specific human being, including: basic personal data and sensitive personal data. Personal data after de-identification is no longer considered personal data. This classification helps determine the appropriate level of protection.

  1. Basic Personal Data: According to Article 3 of Decree 356/2025/ND-CP, basic personal data includes:
  • Surname, middle name, birth name, other names (if any);
  • Date of birth; date of death or of going missing;
  • Gender;
  • Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
  • Nationality;
  • Personal image;
  • Phone number, personal identification number, passport number, driver’s license number, license plate number;
  • Marital status;
  • Information on family relationships (parents, children, spouse);
  • Information on personal digital accounts.
  2. Sensitive Personal Data: Based on Clause 3, Article 2 of the Law on Personal Data Protection 2025, sensitive personal data is associated with individual privacy; infringement will directly affect the legitimate rights and interests of the subject. According to Article 4 of Decree 356/2025/ND-CP, this includes:
  • Data revealing racial or ethnic origin;
  • Political, religious, or philosophical beliefs;
  • Information on private life, personal secrets, family secrets;
  • Health status;
  • Biometric data, genetic characteristics;
  • Data revealing sexual life or sexual orientation;
  • Criminal data collected/stored by law enforcement agencies;
  • Location determined via positioning services;
  • Login information/passwords for electronic identity accounts; images of ID cards/Citizen ID cards;
  • Financial data (bank accounts, card info, transaction history, credit info, etc.);
  • Data tracking behavior and usage of telecommunications services, social networks, and online media;
  • Other personal data required by law to be kept confidential.


Data subject rights

The personal data subject is the person reflected by the personal data. Based on Clause 1, Article 4 of the Law on Personal Data Protection 2025, data subjects have the following rights:

  • To know about the processing of their personal data;
  • To consent, not consent, or withdraw consent for data processing;
  • To view, edit, or request editing of personal data;
  • To request the provision, deletion, or restriction of processing; to object to processing;
  • To complain, denounce, sue, and request compensation for damages;
  • To request competent agencies or related organizations to implement protection measures.

The responsibility of agencies, organizations, and individuals to protect personal data in labor recruitment

According to Clause 1, Article 25 of the Law on Personal Data Protection 2025, the responsibilities of agencies, organizations, and individuals in recruitment are strictly regulated:

  1. Limitation of Collection: Only request information serving the recruitment purpose in accordance with the law; provided information must only be used for recruitment purposes and other purposes as agreed upon.
  2. Consent and Processing: Information provided must be processed according to the law and must have the consent of the candidate.
  3. Deletion Obligation: Must delete or destroy the information provided by the candidate in case of non-recruitment, unless otherwise agreed with the candidate.


Personal data protection measures

Decree 356/2025/ND-CP details measures to implement the Law on Personal Data Protection 2025:

  • Finance, Banking, Credit Information: Must notify the specialized agency and data subject within 72 hours after detecting a leak or loss of sensitive data (Article 8).
  • Big Data Processing: Must apply encryption and anonymization during transfer; use strong authentication (multi-factor); and perform continuous monitoring to detect abnormal behavior (Article 9).
  • AI and Metaverse: Establish monitoring mechanisms for AI systems regarding algorithm reliability and stability; prevent the abuse of AI/Metaverse for infringing on national security or social order (Article 10).
  • Blockchain: Only use secure encryption/hashing algorithms; do not store personal data directly on the blockchain unless de-identified or hashed (Article 11).
  • Cloud Computing: Data must be encrypted at rest and in transit, accompanied by strict access decentralization (Article 12).

Long Phan Consulting provides consulting services on the responsibility of agencies and organizations to protect personal data in labor recruitment

Long Phan Consulting Company provides consulting services on personal data protection in recruitment, helping clients build a professional, safe candidate profile management process that strictly complies with current laws. We structure our support into the following key areas:

  • Providing advice and support to businesses on matters related to protecting personal data of agencies and organizations during employee recruitment;
  • Providing advice on how employers can mitigate the consequences of violating personal data security regulations;
  • Assisting in drafting and finalizing clauses related to personal data protection in employment contracts;
  • Acting as authorized representative to submit documents and carry out administrative procedures related to labor on behalf of the enterprise.

Frequently Asked Questions about Personal Data Protection in Recruitment

Below, Long Phan Consulting Company provides some frequently asked questions regarding the responsibility of agencies and organizations to protect personal data during the recruitment process. We invite interested clients to refer to this information:

What is the maximum penalty, as a percentage of the preceding year’s revenue, for a personal data breach?

According to Clause 4, Article 8 of the Personal Data Protection Law 2025, the maximum fine for administrative violations by organizations that violate regulations on cross-border personal data transfer is 5% of the organization’s revenue in the preceding year.

If there is no revenue from the immediately preceding year, or if the penalty calculated based on revenue is lower than the maximum penalty stipulated in Clause 5, Article 8 of the Law on Personal Data Protection 2025, then the penalty as stipulated in Clause 5, Article 8 of the Law on Personal Data Protection 2025 shall apply.

Are businesses required to delete employees’ personal data after terminating their contracts?

Clause 2, Article 25 of the 2025 Law on Personal Data Protection stipulates the responsibility of agencies, organizations, and individuals in managing and employing workers to protect personal data. Accordingly, after terminating a contract, the enterprise has the responsibility to:

  • Comply with the provisions of this Law, labor and employment laws, data laws, and other relevant legal provisions;
  • Store employees’ personal data for the period prescribed by law or by agreement;
  • Delete or destroy employees’ personal data upon termination of the contract, except in cases where otherwise stipulated by agreement or law.

How many actions related to personal data are strictly prohibited?

According to Article 7 of the 2025 Law on Personal Data Protection, there are seven prohibited acts related to personal data, including:

  • Processing personal data to oppose the Socialist Republic of Vietnam, affecting national defense, national security, social order and safety, and the legitimate rights and interests of agencies, organizations, and individuals.
  • Hindering the protection of personal data.
  • Exploiting personal data protection activities to commit illegal acts.
  • Processing personal data in violation of the law.
  • Using another person’s personal data, or allowing others to use one’s own personal data to commit acts that violate the law.
  • Buying and selling personal data, except as provided otherwise by law.
  • Appropriating, intentionally disclosing, or causing the loss of personal data.

Is the data protection department liable for compensation in the event of a breach?

According to Article 37 of the 2025 Law on Personal Data Protection, the party controlling personal data must bear responsibility. The data processing unit is responsible to the data subject for damages caused by the processing of personal data. The data processing unit is also responsible to the data controller and the data controller/processor for damages caused by the processing of personal data. The role of the data protection department is to advise and monitor to prevent breaches. However, if individuals within this department intentionally violate regulations or act irresponsibly, resulting in serious consequences, they may be held liable according to the company’s internal regulations and applicable laws.

What is the penalty for fraudulent advertising practices in job recruitment?

According to Clause 3, Article 8 of Decree 12/2022/ND-CP, which regulates violations in recruitment and labor management, if an employer engages in fraudulent advertising to recruit workers for the purpose of exploitation or forced labor, but not to the extent of criminal prosecution, they will be subject to administrative penalties ranging from VND 50,000,000 to VND 75,000,000.

Note: According to Clause 1, Article 6 of Decree 12/2022/ND-CP, the above-mentioned fines are for individuals. The fine for organizations is twice the fine for individuals.

Conclusion

Compliance with data protection regulations is not only a responsibility but also a measure of corporate reputation in the labor market. Long Phan Consulting Company commits to accompanying clients in building a safe, transparent, and professional recruitment system. Please contact our experts via Hotline 1900636389 for in-depth advice.
