AI in the Workplace: Data Privacy and Legal Risks in Vietnam

AI is quickly becoming a standard feature of workplace operations across Vietnam. From automated hiring systems to productivity monitoring platforms, businesses are embracing AI tools to improve efficiency and reduce costs. But beneath the surface lies a growing compliance risk: these tools often collect, process, and store personal and sensitive employee data, triggering strict obligations under Vietnamese law.

With Decree No. 13/2023/ND-CP of the Government dated April 17, 2023 on Personal Data Protection (Decree 13) now in effect, employers must evaluate whether their AI deployments are fully compliant. This article explores how AI is impacting workplace data privacy and outlines the legal risks and responsibilities that come with it.

What Workplace AI Really Tracks and Why That’s a Legal Issue

Many businesses underestimate how much employee data their AI tools actually process. These systems often collect:

  • Biometric data (e.g., facial recognition for attendance)
  • Behavioral data (e.g., mouse movement, typing patterns, emotional analysis)
  • Location tracking (e.g., GPS data from mobile devices)
  • Performance profiling (e.g., predictive analytics on productivity or engagement)

While these features may offer valuable business insights, they often fall under the definition of sensitive personal data under Vietnamese law, which requires explicit consent and strict security safeguards.

Decree 13: What Vietnam’s Data Protection Law Says About Employee Data

Vietnam’s first comprehensive data protection regulation, Decree 13/2023/ND-CP, came into force on 1 July 2023. It applies to any organization that collects or processes personal data, including in employment settings.

Key requirements include:

  • Valid legal basis: Employers must either obtain clear, informed consent or show contractual/legal necessity.
  • Transparency: Employees must be informed about what data is collected, why, how it will be used, and who it may be shared with.
  • Sensitive data rules: Biometric, health, location, and behavioral data require separate, explicit consent.
  • Employee rights: Employees may access, rectify, delete, and restrict the use of their data.

Failure to comply can result in administrative penalties and reputational damage.

5 Common Ways Workplace AI Violates Vietnamese Privacy Law

Businesses deploying AI in HR, operations, or management should watch for these common violations:

  1. Using third-party tools without reviewing privacy safeguards: Many cloud-based AI tools collect employee data, but vendors may not meet Vietnamese legal standards.
  2. Monitoring employees without valid consent: Installing facial recognition cameras or keystroke monitoring without employees’ clear opt-in violates both labor and data laws.
  3. Bundled or vague consent forms: Consent must be purpose-specific. A single checkbox for all purposes is no longer valid.
  4. Storing sensitive data without adequate encryption or controls: This can expose highly confidential information about individuals’ health, behaviors, or risk profiles.
  5. Lack of transparency on AI decision-making: Employees must understand how algorithmic tools affect evaluations, shift assignments, or discipline.

Are You Liable for AI Systems Built by Vendors?

Yes. Under Decree 13, data controllers (employers) remain legally accountable for the collection and processing of personal data, even when those tasks are outsourced to third-party vendors or AI service providers. This is a critical compliance blind spot for many companies that rely on cloud-based software, recruitment platforms, or monitoring systems developed and operated by external providers.

If your vendor’s AI system handles employee data on your behalf, you must treat that vendor as a data processor and take active steps to ensure compliance:

  • Conduct due diligence on their privacy practices and track record.
  • Sign a Data Processing Agreement (DPA) that clearly allocates responsibilities, processing purposes, and security obligations.
  • Ensure data localization and lawful cross-border data transfers, especially if the vendor stores data outside of Vietnam.
  • Require regular audits or reporting to confirm adherence to Vietnamese data protection requirements.
  • Obtain clear employee consent before enabling any vendor system that accesses, analyzes, or transmits personal data.

Importantly, if a vendor fails to protect data or violates privacy obligations, your company may still be liable before Vietnamese regulators. Relying on contractual disclaimers or vendor assurances is not enough; employers must actively manage these relationships through legal oversight and technical controls.

How to Legally Use AI in Vietnam’s Workplaces

To reduce legal exposure, companies using AI tools that affect employees should:

  • Conduct a Data Protection Impact Assessment (DPIA) for any AI system processing sensitive data
  • Obtain separate, explicit consent for each category of data
  • Train HR, IT, and compliance teams on the regulations of Decree 13
  • Localize employee data where required or use approved cross-border protocols
  • Audit all AI vendors and tools for privacy compliance

Proactive steps now can prevent disputes, investigations, and fines later.

AI is Inevitable but Privacy Violations Are Not

AI-driven workplace tools are here to stay. But if deployed carelessly, they expose businesses to significant legal risks under Vietnam’s tightening data protection regime.

By embedding data governance into your digital transformation strategy and treating employee data as a compliance priority, you can unlock the benefits of AI without sacrificing privacy or legal standing.

Le & Tran is recognized as a leader in Vietnam’s legal landscape, earning praise from top legal publications like Chambers, Legal500, and Benchmark Litigation, as well as being highly recommended by AmCham Vietnam and the US Consulate. Our Data Privacy & Technology Lawyers help businesses evaluate AI compliance risks and ensure operational policies meet Vietnamese legal standards. For expert guidance, contact us at info@letranlaw.com.