I - Introduction
Article 50 of the 2024 Notarization Law stipulates that the signing of notarized documents must be photographed and archived. Accordingly, notarial practice organizations (NPOs) will collect image data of: The requester of notarization; The notary public; Witnesses/interpreters.
Under Clause 1 Article 2 of the 2025 Personal Data Protection Law, such images constitute personal data, and the notarial practice organization is, by default, a Personal Data Controller.
As the image collection is a mandatory legal requirement, it may fall under an exception to the consent obligation under Article 9 of the 2025 Personal Data Protection Law. However, for all other obligations, notarial practice organizations must still fully comply with the principles set forth in the Law.
II - Key Personal Data Protection Principles That Must Be Observed and Complied With
-
Ensuring the Scope of Collection, Processing, and Storage Duration
According to the principle that personal data may only be collected and processed for clear, specific, and lawful purposes, and that such data must be accurate, updated, and stored for a duration appropriate to its processing purpose (unless otherwise provided by law):
NPOs must ensure that images/videos are used solely for authenticating and archiving notarization activities and not for marketing, training, or third-party sharing (unless required by law).
The intended purpose must be clearly stated in internal documents and in notifications provided to data subjects.
The retention period must comply with the legal requirements: 30 years for real estate transactions, 10 years for other types.
After the retention period, data must be safely deleted or destroyed using technical measures.
-
Implementing Comprehensive Measures to Protect Personal Data
Personal data must be protected by institutional, technical, and human-centered measures:
NPOs must implement appropriate security and organizational controls, including: Data encryption (image/video); Role-based access restrictions; Regular backups and incident response protocols; Internal data protection policies, regularly reviewed and updated; Staff training programs to raise awareness and skills regarding customer data protection.
-
Personal Data Processing Impact Assessment Obligation: A Legal Responsibility for NPOs
Under Article 21.1 of the 2025 Personal Data Protection Law, as a Personal Data Controller, an NPO must:
Prepare a Personal Data Processing Impact Assessment (PDPIA) dossier
Submit one original copy to the Personal Data Protection Authority within 60 days from the date data processing (e.g., image/video collection) begins.
The PDPIA is only required once for the organization’s lifetime operations but must be updated if there are changes in purpose, process, or data scope.
Examples of updates include: Switching from photography to video; Changing storage infrastructure; Expanding system functions.
Under Clause 4, Article 21, the authority may inspect and request supplements if the PDPIA is incomplete. Failure to prepare or update the PDPIA may be treated as an administrative violation, subject to penalties or suspension of processing operations.
III - DataTrust CE – Your Strategic Partner for Seamless Data Protection Compliance
ALTAS LAW is pleased to introduce DataTrust Compliance Edition (DataTrust CE), a leading software solution developed by our esteemed partner, VNDS.
DataTrust CE is more than just software; it is a strategic solution engineered to streamline and simplify your personal data protection compliance journey, particularly regarding the mandatory Personal Data Protection Impact Assessment (DPIA) dossier. It empowers your organization to accurately complete this essential documentation, ensuring full alignment with regulatory requirements and significantly mitigating legal risks.
.png)
.jpg)
.jpg)
IV - Handling of Violations by Notarial Practice Organizations in Breach of Personal Data Protection Regulations
According to Clause 1, Article 8 of the 2025 Personal Data Protection Law, if an organization or individual violates the provisions of this Law, they may, depending on the nature, severity, and consequences of the violation, be subject to administrative penalties or criminal prosecution. If the violation causes damage, the violator must provide compensation in accordance with civil law (e.g., disclosure of notarization photos resulting in harm to the honor or personal reputation of a client).
For acts of trading personal data: While uncommon in notarial practice, if a notarial office exchanges, shares, or provides notarization photos/videos to a third party in violation of the law, the act may be considered “personal data trading”. Penalty: Up to 10 times the revenue earned from the violation (Article 8.3, 2025 Personal Data Protection Law).
For other violations in the field of personal data protection: Maximum administrative fine: VND 3 billion.
V - Recommendations for Notarial Practice Organizations
Based on the above analysis provided by ALTAS, notarial practice organizations are advised to:
-
Prepare notification materials for clients participating in notarization procedures. This includes preparing a concise notice about photo/video recording and posting it at the document reception area.
-
Develop internal policies and regulations regarding the processing of images/videos: including procedures for storage, access, and deletion.
-
Establish and maintain compliance documentation, such as access logs, deletion logs, and lists of individuals responsible for managing personal data.
-
Provide regular training for notaries and staff regarding legal provisions on personal data protection.
HOW ALTAS CAN ASSIST YOU:
ALTAS LAW is uniquely positioned to assist your business in navigating these complex administrative reforms. We offer a comprehensive suite of legal and business services designed to provide seamless support during this transition period:
-
Personal Data Protection Impact Assessment: Our collaboration with technology partner VNDS allowing us to provide clients with both the necessary legal guidance and access to effective technical tools to ensure comprehensive compliance.
-
Accounting and Tax Services: We also offer accounting and tax services to help your business manage the financial implications of these reforms, including tax planning, reporting, and compliance.
-
Licensing & Regulatory Compliance: We will meticulously review your existing licenses and permits, advise on necessary amendments or renewals, and guide you through the process of obtaining any new approvals. Our team will also ensure your compliance with all relevant regulatory changes.
![[LEGAL UDATE DECEMBER 2024] DECREE NO. 117/2024/ND-CP](thumbs/210x144x1/upload/news/phong-hanh-chinh-nhan-su-8930.webp "[LEGAL UDATE DECEMBER 2024] DECREE NO. 117/2024/ND-CP")
![[LU 12.2024] DECREE 125/2024/ND-CP](thumbs/210x144x1/upload/news/aaron-burden-1zr3wnstnvy-unsplash-7173.jpg "[LU 12.2024] DECREE 125/2024/ND-CP")
![[LEGAL NEWSLETTER OCTOBER, 2024] DECREE NO. 118/2024/NĐ-CP](thumbs/210x144x1/upload/news/pexels-artempodrez-8519083-4571.jpg "[LEGAL NEWSLETTER OCTOBER, 2024] DECREE NO. 118/2024/NĐ-CP")
