1. Protecting personal data in labor recruitment and management
Article 25 of the Law on Personal Data Protection 2025 clearly states specific requirements and responsibilities for relevant agencies, organizations and individuals, as follows:
- Responsibilities in labor recruitment:
Agencies, organizations and individuals are only required to provide information for recruitment purposes, in accordance with the provisions of law. This information is only used for recruitment purposes and other purposes as agreed by law.
The information provided must be processed in accordance with the provisions of law and must have the consent of the candidate.
In case of no recruitment, the information of the candidate must be deleted or canceled, unless otherwise agreed with the candidate.
- Responsibilities in managing and using workers:
Agencies, organizations and individuals must comply with the provisions of the Law on Data Protection, laws on labor, employment and other relevant legal provisions.
The personal data of employees must be stored within the prescribed time limit by law or by agreement.
When terminating the contract, the personal data of the employee must be deleted or canceled, unless agreed or otherwise regulated by law.
- Processing personal data using technology in labor management:
Only technological and technical measures in accordance with legal regulations can be applied, ensuring the rights and interests of personal data subjects, and workers must be aware of these measures.
personal data collected from technological and technical measures that are not in accordance with the law must not be processed or used.
2. Handling violations of the law on personal data protection from January 1, 2026
According to Article 8 of the Law on Personal Data Protection 2025, handling violations of the law on personal data protection includes:
(1) Organizations and individuals who violate the provisions of the Law on Personal Data Protection 2025 and other legal provisions related to personal data protection may be subject to administrative sanctions or criminal prosecution; if they cause damage, they must be compensated according to the provisions of law.
(2) The handling of administrative violations in the field of personal data protection shall be implemented in accordance with the provisions of Clauses 3, 4, 5, 6 and 7, Article 8 of the Law on Personal Data Protection 2025 and the law on handling administrative violations.
(3) The maximum penalty for administrative violations for the act of buying and selling personal data is 10 times the revenue from the violation; in case there is no revenue from the violation or the fine is calculated according to the revenue from the violation, lower than the maximum fine prescribed in Clause 5, Article 8 of the Law on Personal Data Protection 2025, the fine will be applied according to the provisions of Clause (5).
(4) The maximum penalty for administrative sanctions for organizations that violate the regulation on translating cross-border personal data is 5% of the organization's revenue of the previous year; in case there is no revenue of the previous year or the penalty calculated according to revenue is lower than the maximum penalty as prescribed in Clause (5)), the fine as prescribed in Clause 5, Article 8 of the Law on Personal Data Protection 2025.
(5) The maximum fine for administrative sanctions for other violations in the field of personal data protection is 3 billion VND.
(6) The maximum fine prescribed in Clauses (3) and (4) shall be applied to an organization; an individual committing the same violation shall be subject to a maximum fine of one-half of two of the fine for an organization.
(7) The Government shall prescribe a method for calculating revenue from the implementation of violations of the law on personal data protection.
