EOR data privacy in Vietnam comes down to one question before any payroll runs: who controls the employee data, and on what written terms. In an EU-to-Vietnam EOR setup your company is usually the data controller and the EOR is the data processor, so a signed data processing agreement must be in place before any employee data moves. Vietnam’s own rules sit under the Personal Data Protection Law (Law No. 91/2025/QH15) and Decree 356/2025/ND-CP, both effective January 1, 2026, while EU obligations follow the GDPR. Map the data terms against the Sunbytes EOR service as you plan the hire.
TL;DR
- The EU client typically acts as the data controller, while the Vietnam EOR serves as the data processor under a signed Data Processing Agreement (DPA).
- Employee data transfers between the EU and Vietnam must comply with both GDPR (Articles 28 and 46) and Vietnam’s PDPL and Decree 356, effective January 1, 2026.
- Before transferring candidate or payroll data, ensure the DPA, transfer mechanism, lawful basis, and access controls are fully approved and documented.
How Vietnam PDPL and Decree 356 affect EOR employee data
EOR data privacy in Vietnam rests first on local law. Vietnam’s Personal Data Protection Law and Decree 356/2025/ND-CP govern any processing of a Vietnamese resident’s personal data, including processing by foreign entities, from January 1, 2026. The framework replaced Decree 13/2023/ND-CP and raised data protection from decree level to statutory law, with an expanded list of sensitive data that now expressly includes bank account details and images of identity documents (Decree 356/2025/ND-CP update).

For an EOR hire, this means the provider must process payroll, contract, and statutory data on a lawful basis, honour data subject rights, keep a record of processing, and notify the authority of a qualifying breach within the statutory deadline. Penalties are material: cross-border transfer breaches can reach up to 5% of the prior year’s revenue or VND 3 billion, about EUR 100,000, whichever is higher (Tilleke & Gibbins). A PDPL review of the EOR setup therefore confirms the lawful basis, the rights process, and the transfer route before data moves. Treat the exact transfer route and breach timeline as items to verify with counsel, not as settled facts.
The EOR data flow: what employee data moves and when
EOR data privacy in Vietnam becomes concrete once you map the data flow. Employee data moves through five stages in an EOR setup, from candidate screening to ongoing employment, and each stage needs its own control rather than one blanket consent. Mapping the flow first is what lets HR, legal, and IT agree on where the risk sits before payroll runs. The table below is the version to walk through with your EOR before any data is shared.
| Stage | Data shared | Who holds it | Control needed |
|---|---|---|---|
| Candidate and offer | Name, CV, contact, ID document | Client and EOR | Minimisation, privacy notice |
| Contract setup | ID, address, bank, dependants, tax code | EOR as processor | Signed DPA, lawful basis |
| Payroll run | Salary, bank details, deductions | EOR and payroll system | Access control, encryption |
| Statutory filing | Social Insurance and PIT identifiers | EOR and authorities | Legal obligation basis |
| Ongoing employment | Leave, performance, benefits | Client and EOR | Retention limits, rights handling |
GDPR Article 28 and Article 46 in an EU-to-Vietnam EOR setup
GDPR still applies when an EU establishment decides why and how employee data is processed, even though the work and the EOR sit in Vietnam. The EOR acting on your documented instructions is a processor, so GDPR Article 28 requires a data processing agreement with defined processor obligations before data is shared. Because Vietnam is not on the EU adequacy list, the transfer itself relies on GDPR Article 46 safeguards, in practice the standard contractual clauses plus a transfer assessment and any supplementary measures. Your company stays the accountable controller, which is why the DPA and the transfer mechanism are reviewed before onboarding, not after. That is the GDPR position for an employer of record in Vietnam in one line: controller accountability does not move to the provider.
Avoid treating a vendor claim of compliance as the transfer mechanism itself. For the wider provider view, the EOR in Vietnam complete guide sets the context, and the transfer decision should still be confirmed with counsel.
Cross-border transfer: how the Vietnam and EU rules stack
A single EU-to-Vietnam HR transfer can trigger two regimes at once, so map both before employee data moves rather than treating one as a substitute for the other. On the Vietnam side, Decree 356 requires a Data Transfer Agreement that covers the points in its Article 7, including the transfer purpose, data categories, retention period, legal basis, the responsibilities of each party, and breach coordination, plus a cross-border transfer impact assessment unless an exemption applies (Decree 356/2025/ND-CP update). Cross-border HR management and employee-data cloud storage are among the cases that may be exempt from the impact assessment, although the transfer agreement and the lawful basis still apply.
On the EU side, the transfer relies on GDPR Article 46 safeguards, in practice standard contractual clauses with a transfer impact assessment and any supplementary technical measures, because Vietnam is not on the adequacy list. A separate cybersecurity localisation rule under Decree 53/2022 can also touch some services, so the safe sequence is to confirm the Vietnam basis, the EU mechanism, and any localisation duty with counsel before onboarding. Treat an EU-to-Vietnam employee data transfer as a two-sided check, not a one-line clause.
What the EOR DPA must say before employee data is shared
An EOR DPA must define roles, data, safeguards, and exit terms in writing before any employee data moves, because a signed contract is the evidence an auditor and a regulator will ask for. The checklist below is the minimum an EOR DPA review for Vietnam should confirm clause by clause. Treat any clause that is verbal only as missing.

| DPA clause | What it must specify |
|---|---|
| Roles | Names the controller (your company) and the processor (the EOR), with documented instructions |
| Data categories | Lists basic and sensitive data processed, including bank, ID, and payroll data |
| Purpose and lawful basis | Limits processing to employment, payroll, and statutory purposes |
| Retention and deletion | States retention periods and deletion or return at contract end |
| Access controls | Role-based access, encryption, and logging for payroll and identity data |
| Sub-processors | Lists sub-processors and requires approval and equivalent terms |
| Cross-border transfer | Names the mechanism: GDPR Article 46 SCCs plus the Vietnam data transfer agreement |
| Breach notification | Sets the notice window and the coordination duties between processor and controller |
| Audit rights | Gives the controller the right to audit or receive evidence on request |
| Return and deletion at exit | Returns or deletes data on termination and confirms it in writing |
Before payroll data moves, review the DPA, access controls, and transfer path. Sunbytes can walk your HR, legal, and IT teams through the EOR data flow before onboarding starts, and if you are still comparing providers, the best Employer of Record services overview shows what strong data terms look like.
Employee consent, notices, and audit trail
Employees should receive a clear privacy notice and the company should keep the evidence that supports each processing activity, because under both the PDPL and the GDPR the burden of proof sits with the controller. The notice should name the controller and the EOR as processor, the purposes, the lawful basis, the cross-border transfer, and the data subject rights to access, correct, object, delete, and withdraw consent. As evidence, retain the signed DPA, the transfer documentation, the record of processing, and any consent records, so a vendor due diligence or a regulator request can be answered quickly. Where you are choosing between providers on these points, how to choose the right EOR service sets out what to verify first.
Handling data subject and breach requests in an EOR setup
EOR data privacy in Vietnam is tested most in two moments: a data subject request and a breach. When an employee exercises a right or a breach occurs, the controller stays accountable and the processor acts on instructions and cooperates, so agree the runbook before either event happens. For data subject rights, an employee can ask to access, correct, object to, or delete their data, or withdraw consent, and the EOR as processor routes the request to your company and helps fulfil it inside the statutory window. For a breach, the EOR should detect and classify the incident, notify your company without undue delay, and support notification to the authority within the statutory deadline, while your company decides on notifying affected employees.
The practical test is whether the EOR can show a documented process for both, not just a clause that says it will cooperate. A provider that can produce a rights-handling workflow and a breach runbook is far easier to defend in an audit (DLA Piper Vietnam).
Security evidence: ISO 27001, access control, payroll data handling
Privacy terms only hold when security controls back them, so an EOR data protection review for Vietnam should ask for evidence, not assurances. Request an ISO 27001 certificate or an equivalent, a role-based access policy that limits who can see payroll and identity data, encryption in transit and at rest, and access logging. Payroll data handling should follow data minimisation, so the EOR holds only what statutory filing and payment require, and each handoff should be checked against the stage it belongs to rather than sending the full employee file every time. Tie each control back to the matching DPA clause, and confirm the operational side against EOR compliance in Vietnam.
Vendor due diligence: the evidence to score before you sign
Turn the DPA and the security claims into a scored checklist, so procurement compares providers on the same evidence rather than on marketing. Each line below should have a document behind it, and a provider that cannot produce one is a pause, not a maybe. This is the data protection check that belongs in the contract stage, not after onboarding.
| Evidence | Why it matters | Pass condition |
|---|---|---|
| Signed DPA with Article 28 clauses | Sets processor obligations in writing | Provided and signed before data moves |
| ISO 27001 certificate or equivalent | Shows a managed security baseline | Current certificate, named scope |
| Sub-processor list and approval | Controls onward data sharing | List supplied, change approval required |
| Access control and encryption policy | Limits who sees payroll and ID data | Role-based access, encryption in transit and at rest |
| Breach runbook and notice window | Proves the provider can react in time | Documented steps and a stated window |
| Transfer mechanism | Covers the cross-border path | SCCs plus a Vietnam data transfer agreement |
How Sunbytes handles EOR data privacy
Sunbytes treats EOR data privacy in Vietnam as an operational control, not a document, with a signed data processing agreement, defined access controls, and an audit trail before onboarding starts. As the processor for EU clients, Sunbytes works to GDPR Article 28 terms, supports the Article 46 transfer mechanism your counsel selects, and operates Vietnam payroll under ISO 27001 controls, with a named owner reachable inside the 4 to 5 hour Netherlands to Vietnam overlap. The Dutch headquarters gives EU buyers a familiar accountability line for a Vietnam data setup.
Review your Vietnam EOR data flow before employee data is shared.
Why Sunbytes?
Founded in the Netherlands in 2011, Sunbytes has delivered more than 300 client projects across 20+ countries. Our delivery hub in Ho Chi Minh City gives us direct knowledge of Vietnam’s labor market, payroll rules, and regulatory environment.
Our three service pillars support EOR data privacy at every stage:
- Payroll and employment operations you can verify: Through Accelerate Workforce Solutions, we deliver payroll on time, onboarding in 2 to 4 weeks, and offboarding within 24 hours, with the SHUI and PIT evidence your contract should require.
- Data handling aligned to your DPA: Through CyberSecurity Solutions, we apply access controls and security practices that support the GDPR Article 28 terms in your agreement, with ISO 27001 certification.
- Technical teams can scale without employment administration becoming the bottleneck: Through Digital Transformation Solutions, we support companies building and expanding Vietnam-based delivery teams while Accelerate Workforce Solutions manages employment, payroll, and compliance obligations.
FAQs
Is the EOR in Vietnam the data controller or the data processor?
In a standard EU-to-Vietnam setup, the EOR is the data processor and your company is the controller, because your company decides why and how employee data is processed. The EOR processes payroll, contract, and statutory data on your documented instructions. Confirm the roles in the DPA, since a provider acting beyond instructions can change its status.
Does GDPR still apply when the EOR and the employee are in Vietnam?
Yes. GDPR follows the EU controller’s processing decisions, so it applies even though the EOR and the work sit in Vietnam. You need a GDPR Article 28 data processing agreement and an Article 46 transfer mechanism, because Vietnam is not on the EU adequacy list. Confirm the mechanism with counsel rather than relying on a vendor compliance claim.
What should an EOR DPA for Vietnam include?
An EOR DPA should define controller and processor roles, the data categories, the purpose and lawful basis, retention and deletion, access controls, sub-processors, the cross-border transfer mechanism, breach notification, audit rights, and return or deletion at exit. Each clause should be written, not verbal. Treat any missing clause as a reason to pause before sharing data.
Can employee data be transferred from the EU to Vietnam?
Yes, with the right safeguards. The EU side relies on GDPR Article 46 standard contractual clauses plus a transfer assessment, and the Vietnam side adds a data transfer agreement under Decree 356, although cross-border HR management may be exempt from the separate transfer impact assessment. Verify the exemption and the mechanism with counsel before data moves.
What evidence should you ask a Vietnam EOR to provide?
Ask for the signed DPA, an ISO 27001 certificate or equivalent, the sub-processor list, the access control policy, the breach notification process, and the transfer documentation. These map directly to PDPL and GDPR obligations and to the controls on EU-to-Vietnam employee data transfers (DLA Piper Vietnam). A provider that can produce them quickly is itself a positive signal.
Let’s start with Sunbytes
Let us know your requirements for the team and we will contact you right away.