Guide to Storing & Deleting HR Records to PDPL Standards: Optimizing HR & Avoiding Billion-Dong Fines

In the digital era, personal data is likened to the "oil" of an enterprise, bringing tremendous competitive advantage. But at the same time, it is also a "ticking time bomb" if not properly managed and protected. Specifically, the emergence of new legal frameworks on privacy protection has completely changed the operational methods of businesses in Vietnam.

With the Personal Data Protection Law (PDPL) officially passed and taking effect from January 1, 2026 (upgraded from Decree 13/2023/ND-CP), administrative sanctions have been tightened more than ever. At this time, the Human Resources (HR) department – which holds a massive amount of data – is facing immense compliance pressure.

The habit of "indefinitely storing" records of candidates and former employees is no longer a sign of administrative carefulness, but constitutes a legal violation with huge potential financial risks. This in-depth article from ALTAS Law will analyze in detail the HR record storage process under the PDPL, helping businesses both comply with the law and optimize internal operations.

Guide to storing and deleting HR records according to PDPL 2025 standards helps businesses optimize HR.

1. The Big Picture of the Data Protection Legal Framework (PDPL)

Before diving deep into HR operations, we need to clearly understand the legal context that businesses are facing. The transition from a Decree to a Law level marks a turning point in state management thinking regarding the digital space.

1.1. The emergence of the Personal Data Protection Law (PDPL)

The PDPL (Personal Data Protection Law) is the first comprehensive legal document in Vietnam regulating the protection of privacy and personal data in the digital era. The law was passed by the National Assembly on June 26, 2025, and officially takes effect from January 1, 2026, replacing and inheriting regulations from the previous Decree 13/2023/ND-CP.

This upgrade not only standardizes terminology but also adds many stricter monitoring mechanisms, bringing Vietnam closer to international standards such as Europe's GDPR (General Data Protection Regulation). All organizations and individuals (domestic and foreign) involved in processing the data of Vietnamese citizens fall under its governing scope. (According to the Law Library).

1.2. Data classification according to new standards

The Law divides personal data into two core groups, requiring different security measures:

  • Basic personal data: Includes full name, date of birth, gender, nationality, phone number, address, ID card/Citizen ID number, personal tax code, marital status...
  • Sensitive personal data: This is the group that needs "ironclad" protection, including: health status (medical records), biometric characteristics (fingerprints, iris, face), political views, religion, sexual orientation, criminal data, location data, and financial/banking data.

1.3. New power of the "Data Subject"

Citizens (including candidates and employees) are now empowered with strong rights regarding their own data:

  • The right to be informed (what information the company is holding, what it is doing with it).
  • The right to consent or withdraw consent at any time.
  • The right to access and request correction of inaccurate data.
  • The right to request data deletion (The right to be forgotten).
  • The right to object to data processing for advertising/marketing purposes.

2. Why is the Human Resources (HR) Department the "Epicenter" of Compliance?

When applying the PDPL to the corporate environment, the HR department no longer simply performs the tasks of paper management, timekeeping, or payroll. They officially become Personal Data Controllers/Processors.

2.1. The volume and nature of data held by HR

From the time a candidate submits a CV until an employee resigns (and even years later), HR continuously collects, stores, and processes information. They not only keep ID cards/Citizen IDs, but also health check-up certificates (sensitive data), timekeeping fingerprints (biometrics), bank account information (financial data), and information about dependents (spouse/children).

This makes HR the department bearing the highest legal risk in the event of a leak.

2.2. Three core principles HR must comply with

To avoid crossing the line of violation, all HR processes must revolve around 3 principles:

  • Consent: Data may only be collected and processed when the employee has been transparently informed and given written consent.
  • Purpose Limitation: Collect only the information genuinely necessary for the employment relationship. (For example, hiring an accountant does not justify asking for their personal web browsing history or religion.)
  • Storage Limitation: Data must not be stored permanently. Once the purpose is fulfilled (for example, an employee resigns and the retention period under the Accounting Law expires), the data must be safely destroyed.

3. Four Legal Pillars in HR Data Processing

To avoid risks of fines and lawsuits, businesses need to build an HR management system based on the following 4 solid legal pillars.

Pillar 1: Legal Basis for data processing

Many businesses mistakenly believe that the "Labor Contract" is an exemption card, allowing HR to freely collect any information. In reality, the PDPL requires stricter measures:

  • Consent is king: There must be a physical document or electronic form verifying voluntary, specific consent. Employees must know exactly what the company stores, where it's stored, for how long, and who it's transferred to.
  • Exceptions not requiring consent: Businesses are only allowed to process data without asking for permission in rare cases:
    • Fulfilling statutory obligations (such as paying Taxes, Social Insurance, Trade Union dues).
    • Protecting life and health in emergencies (e.g.: providing blood type to a hospital when an employee has a workplace accident).
    • Serving investigation requests from competent state agencies.

Pillar 2: Data Protection Impact Assessment (DPIA/TIA) Dossier

The Data Protection Impact Assessment (DPIA) is a heavy and mandatory legal obligation for all businesses.

  • Establishment and retention: Businesses must prepare a DPIA right from the moment they start processing data.
  • Reporting to authorities: One original copy of the DPIA dossier must be sent to the Department of Cyber Security and High-Tech Crime Prevention (A05) - Ministry of Public Security within 60 days. (Reference source: Ministry of Public Security's Web Portal).
  • Content: The dossier must describe in detail the types of data collected, purposes, storage procedures, and most importantly, technical solutions to prevent hackers and insider data theft.

Pillar 3: Strict Management of "Sensitive Data"

Sensitive data requires a second layer of defense.

  • Separate consent: An employee signing a Labor Contract does not mean they allow the company to take their fingerprints. A separate consent form is needed, clearly emphasizing that the collection of biometric data is strictly for timekeeping.
  • Appointing personnel (DPO): Businesses (especially large-scale ones) are required to appoint a Data Protection Officer (DPO) and report the DPO's contact information to the Ministry of Public Security.

Pillar 4: Cross-border Transfer

If your company is an FDI enterprise or uses cloud-based HR software (SaaS) with servers located overseas (like Workday, SAP, Oracle, Zoho):

  • You must prepare an additional Cross-border Data Transfer Impact Assessment Dossier.
  • The overseas parent company might be the storage entity, but the legal entity in Vietnam still bears the highest legal responsibility if a leak occurs regarding Vietnamese citizens.

4. Penalty Risks and Consequences of PDPL Violations

The new law is not just a paper deterrent. Sanctions are designed to "hit hard on the wallets" of organizations that neglect security.

4.1. Massive administrative fines

  • Violating regulations on trading or leaking data: Fines can reach 10 times the revenue derived from the violation, or a fixed fine of up to 3 billion VND, depending on the nature of the violation.
  • Illegal cross-border data transfer: The fine can reach 5% of the enterprise's total revenue in the previous financial year. (Reference figures from the relevant draft sanction regulations.)

Failures such as not preparing a DPIA dossier or not notifying the authorities of a cyberattack (within 72 hours) also attract fines of hundreds of millions of VND.

4.2. Daily "fatal" mistakes of HR

Many HR professionals violate the PDPL every day without knowing it through habits like:

  • Careless internal sharing: Photographing the payroll lists, phone numbers, and bank accounts of the entire company and sending them into shared Zalo/Skype group chats with no password protection.
  • Using old CVs without permission: Taking a CV a candidate submitted 2 years ago and passing it to another partner for recruitment consideration.
  • Signing loose outsourcing contracts: Hiring a third party to organize team building or provide payroll services and handing them all HR data without a "Data Confidentiality Commitment" clause (NDA & Data Processing Agreement).

5. Solving the Dilemma: To Store or To Delete?

Faced with strict regulations, HR needs a strategy to classify and process each specific group of records.

5.1. Managing records of unsuccessful candidates (Talent Pool)

Many companies have a habit of gathering tens of thousands of CVs into a "candidate data warehouse" for gradual use. However, when a candidate submits a CV for the "Marketing Executive" position, the purpose is strictly limited to that recruitment drive. At the end of the drive, if not hired, the purpose is fulfilled, and that CV must be deleted.

  • The legally compliant way: You want to keep the CV? Redesign the Application Form. Add a tick box (unchecked by default): "I agree to let the Company store my profile for 12 months for the purpose of consideration for suitable positions in the future."
  • In the Rejection Email: Embed the content: "We would like to keep your information for 6 months to connect when an opportunity arises. If you do not agree, we will proceed to delete your profile within 72 hours."

5.2. Records of resigned employees and legal conflict

When an employee resigns and asks to exercise the "Right to be forgotten" (deletion of all their data), what should HR do?

This is the intersection between the PDPL, Labor Law, and Accounting Law.

  • Data THAT MUST NOT BE DELETED (Must be stored): Documents related to tax finalization, social insurance, labor contracts, original payrolls. According to the Accounting Law, these documents usually must be stored for 5 - 10 years for inspection purposes. HR has the right to refuse the employee's deletion request for this data group based on the grounds of "Fulfilling legal obligations".
  • Data THAT MUST BE DELETED: Information that no longer has legal value after resignation, such as: timekeeping fingerprints, personal images stored on internal systems, self-declared resumes, periodic health check results. This group needs to be periodically deleted.

6. A 5-Step Roadmap to Standardize HR Record Storage to PDPL Standards

To support business owners and Chief Human Resources Officers (CHROs) in rapid implementation, ALTAS Law proposes the following practical 5-step roadmap:

3-step roadmap for collecting, storing, and deleting HR data according to Decree 13.

Step 1: Data Mapping & Inventory

You cannot protect what you do not know you have. The HR department must coordinate with IT to review everything:

  • What paper documents are being kept in locked cabinets?
  • What files are stored on personal Google Drive, OneDrive accounts of recruiters?
  • What information are software systems recording?

Create a detailed inventory identifying where data flows from, who accesses it, and where it is stored.

Step 2: Establish a Data Retention Policy

Issue an internal document stipulating the "lifespan" limit of each type of document.

  • Example lifespans:
    • Failed candidate CVs: Store for a maximum of 6 months.
    • Copies of resigned employee IDs: Destroy after 1 year.
    • Original payrolls: Store for 10 years.

Upon expiration, the system or person in charge must proceed with destruction.

Step 3: Standardize Consent Forms

  • Review and update the HR department's entire system of forms.
  • Add a Data Confidentiality Appendix to current Labor Contracts.
  • Develop a clear "Privacy Notice" for employees.
  • Create a separate permission form for biometric data collection.

Step 4: Apply technical measures and safe destruction

  • For paper records: Store them in locked cabinets with clearly assigned access (only C&B or the HR Manager holds the key). When destroying them, use a paper shredder; never throw them intact into the trash.
  • For digital records: Assign access by role; HR training staff, for instance, have no right to view payrolls. Encrypt files containing sensitive data. The system must keep a log recording who downloaded or edited each file. Delete digital data with overwriting software so that it cannot be recovered.

Step 5: Internal Training

No matter how good the technology is, it's useless if people lack awareness. Periodic training for the HR team and middle managers is mandatory. All personnel need to understand that: Leaving a candidate's CV on a desk or sending a payroll list via unencrypted Zalo is a breach of labor discipline and a serious legal violation.

7. ALTAS Corp – Your Legal Partner in the Digital Era

Complying with PDPL 2026 is not just about dealing with fines, but an opportunity for businesses to clean up their systems, optimize operational processes, and build a solid employer brand reputation. An organization that respects its personnel's data will attract the best talents.

Altas Law's legal compliance and personal data protection consulting services.

With profound corporate legal consulting experience, ALTAS Law (under ALTAS Corp) provides a "Legal Compliance & Data Protection" solution package tailor-made for each business:

  • System Audit: Comprehensive review and assessment of the current PDPL compliance level of the HR department and the entire company.
  • Document Drafting: Building a complete set of legally standard procedures, consent forms, Internal Labor Regulations, and NDAs.
  • DPIA Dossier Execution: Representing the business in preparing and submitting the Data Processing Impact Assessment Dossier to the Cyber Security Department (Ministry of Public Security).
  • Solution Consulting: Coordinating with technology partners to set up systems for access control and for automatic, secure data storage and deletion.

Do not wait until a data leak occurs or a penalty notice arrives from authorities to take action. Proactively build a legal barrier to protect the enterprise's greatest asset: Human Data.

HCM City Office: 5th Floor, 37 Ky Con, Nguyen Thai Binh Ward, District 1.

Hanoi Office: 12th Floor, Mipec Tower, 229 Tay Son, Dong Da District.

Bac Ninh Office: 4th Floor, Duong Tuan Building, 09 Le Thai To, Vo Cuong Ward.

Website: altas.vn

Email: contact@altas.vn
