When entering into contracts with vendors, businesses often spend significant time negotiating service scope, performance standards, and confidentiality obligations. However, when the service relationship comes to an end, a critical question is often overlooked: what happens to the personal data that the vendor has accessed or processed?

If the contract does not clearly define exit mechanisms, businesses may face multiple risks. Data may continue to be stored on the vendor’s systems longer than necessary, access accounts may not be deactivated in a timely manner, copies of data may remain in backup environments, or the business may lack sufficient evidence that the data has been returned, deleted, or that processing has ceased.

Therefore, compliance in vendor relationships is not only about onboarding—it is equally about offboarding. A proper service termination process should, at a minimum, address three key questions: which data must be returned, which must be deleted, and how the business can verify that post-termination data handling has been properly controlled.

A practical tip for contract owners:

Businesses should standardize a vendor offboarding data checklist and integrate it into contract closure or vendor transition processes.

Mini-checklist:

• Identify what types of data the vendor currently holds;

• Review contractual obligations regarding data return, deletion, or confirmation of deletion;

• Disable the vendor’s access to systems and related accounts;

• Request evidence or confirmation that post-termination data handling has been completed;

• Maintain internal records documenting completion of data offboarding steps.

In many cases, the risk does not begin when data is shared with a vendor—but when the contract ends and the data lifecycle is not properly closed.

Legal reference:

 Law on Personal Data Protection No. 91/2025/QH15 and its implementing regulations, particularly provisions on purpose limitation, data retention, responsibilities of parties in data processing, and ensuring personal data security.

CTA:

We have prepared a practical vendor offboarding data checklist. The download link is available below:

https://drive.google.com/file/d/1dBxQbKIF8vAJHZkxcvrCiHE-pBX6zzrL/view?usp=sharing

💌 Next Article: What should employers do to protect personal data when an employee leaves?

-------------------------------

Article: Prepared by LLVN.

Image: LLVN

-------------------------------

𝐂𝐨𝐧𝐭𝐚𝐜𝐭 𝐮𝐬

Website: www.lawlink.com

Instagram: lawlink.vietnam

Facebook: Lawlink Vietnam

Phone: +84 908107788

Address: Unite 22.02, Aqua 1, Vinhomes Golden River, No. 2 Ton Duc Thang, HCM