
🔷 SERIES: 30 PERSONAL DATA PROTECTION COMPLIANCE SCENARIOS IN EVERYDAY BUSINESS OPERATIONS - #12: TELE-SALES AND PURCHASED DATA: THE RISK DOESN’T START WITH THE CALL


In practice, many businesses still approach potential customers through data lists that are purchased, exchanged, or obtained from external sources. From a commercial perspective, this may be seen as a way to expand the customer base. However, from a compliance standpoint, the risk does not lie only in the content of the call or the method of outreach—it begins with the origin of the data itself.


A list of phone numbers, emails, or contact details may appear “ready to use” for sales activities. But if the business does not know where the data came from, for what purpose it was collected, how it was obtained, and whether it has been lawfully shared, then using such a list may introduce risk from the very first step.


A commonly overlooked point is that by using externally sourced data, businesses may be inheriting the compliance risks of the data provider. The less traceable the data source, the more difficult it becomes for the business to demonstrate that its use is justified and subject to appropriate internal controls.



A practical tip for sales and compliance teams:

If the business is considering using externally sourced data, it should establish an external lead source review checklist in advance, rather than assessing the dataset solely based on its commercial effectiveness.



Mini-checklist:

  • Clearly identify the origin and method of creation of the dataset;

  • Review the original purpose for which the data was collected;

  • Verify whether the data has been shared with third parties in a lawful manner;

  • Limit or avoid use if the data source cannot be verified even at a minimal level;

  • Require internal approval before using purchased data for tele-sales.


In customer outreach activities, the issue is not only “how to call,” but also “where the data comes from and whether it should be used at all.”



Legal reference: 

Law on Personal Data Protection No. 91/2025/QH15 and its implementing regulations, particularly provisions on data processing principles, transparency, third-party data sharing, and the responsibilities of data-processing organizations.



CTA: A practical checklist for reviewing external lead sources is available below:



💌 Next Article: Intra-Group HR data sharing: “Internal” does not mean risk-free





-------------------------------

Article: Prepared by LLVN.

Image: LLVN

-------------------------------


Contact us

Instagram: lawlink.vietnam

Facebook: Lawlink Vietnam

Phone: +84 908107788

Address: Unit 22.02, Aqua 1, Vinhomes Golden River, No. 2 Ton Duc Thang, HCM


 
 
 


© 2025 LAWLINKVN Law LLC | Terms of Use
