
Offshore and GDPR: Is Your Data Really Safe with a Team in Vietnam?

The GDPR doesn't ban offshore development. But without standard contractual clauses, encryption, and IP assignment, you're playing with fire. Here's how to secure a provider in Vietnam.

GDPR, data transfers outside the EU, code ownership: the clauses and technical measures you need to outsource compliantly with an offshore team in Vietnam.

You've found the perfect offshore team in Vietnam. The day rates are competitive, the technical profiles are strong, the first sprint goes smoothly. Then your DPO asks the question that kills the mood: "What about the GDPR?"

It's the most common B2B objection I hear from French CTOs and heads of engineering. It's a fair concern. But in 90% of cases, the GDPR isn't the blocker: it's the lack of contractual and technical structure. The European regulation has never prohibited outsourcing outside the EU. It requires a framework. Let me show you exactly what that framework looks like.

  • ⚖️ GDPR compatible: the regulation allows offshore work as long as a contractual framework (SCCs) is in place.
  • 🔒 Technical measures: encryption, compartmentalised access, and regular audits are mandatory.
  • 📝 IP assigned to the client: code ownership and NDAs must be written into the contract.
  • 🇻🇳 Vietnam stepping up: the country has strengthened its intellectual property protections in 2026.

Does the GDPR really prohibit offshore development?

The short answer: no. The GDPR (General Data Protection Regulation, applicable since 25 May 2018) nowhere says "you cannot outsource outside Europe." What it says is that the data controller remains responsible, even when a third party processes data on their behalf.

According to the CNIL, any European company that uses a processor outside the EU must ensure that the level of data protection is "essentially equivalent" to that guaranteed by European law. The offshore provider isn't exempt from the rules: it applies them within the framework set by the contract.

Why do people confuse offshore with GDPR risk?

The confusion comes from a shortcut. Many B2B decision-makers assume that any data transfer outside the EU is prohibited. That's wrong. The GDPR explicitly provides mechanisms to govern these transfers: European Commission adequacy decisions, standard contractual clauses (SCCs), or binding corporate rules (BCRs).

Vietnam does not benefit from an adequacy decision (unlike Japan or South Korea). That means an additional framework is required, not that it's impossible. According to the guide published by advancia-teleservices.com, the provider is bound by GDPR obligations as soon as the contract includes the appropriate safeguards.

Poorly structured offshore is risky. Well-structured offshore is compliant.

What are the penalties for non-compliance?

The figures are clear: up to €20 million or 4% of global annual turnover, whichever is higher. In 2025, the CNIL issued 87 penalties totalling €55 million. This isn't theoretical: enforcement is increasingly targeting non-EU processors, including in software development.

Data transfers outside the EU: the concrete safeguards

When you outsource development to Vietnam, the question isn't "will data flow?" but "which data, with what protections?" A web or mobile development project can work perfectly well without exposing any personal data to the offshore team.

How do you govern a data transfer outside the EU?

The standard mechanism is the set of standard contractual clauses (SCCs) adopted by the European Commission in June 2021. For an offshore development provider you use the controller-to-processor module (Module Two), embedded in or annexed to the service contract with its text left unmodified. The clauses define the obligations of the processor (the offshore provider) and those of the data controller (your company). Since the Schrems II ruling, signing them is not enough on its own: Clause 14 requires the parties to assess, and document, whether the laws of the destination country (here, Vietnam) prevent the provider from honouring the clauses, so keep a transfer impact assessment on file next to the contract.

According to scalemycrew.com, best practice involves providing a development environment with no real user data, creating test accounts with no access to sensitive information, and restricting access to only what is needed for the engagement.

In practical terms, here are the technical measures to put in place:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Compartmentalised access per environment (dev, staging, production)
  • Access logging with full traceability
  • Regular audits (quarterly at minimum) of the provider's practices
  • Pseudonymisation or anonymisation of test datasets (pseudonymised data is still personal data under the GDPR as long as someone holds the key to re-identify it; only properly anonymised or synthetic data falls outside the regulation)
Security measure | Unstructured offshore | Structured offshore (SCCs + measures) | Trend
--- | --- | --- | ---
Standard contractual clauses | Missing | Embedded in the contract | ↑ mandatory
Data encryption | Partial or absent | TLS 1.3 + AES-256 | ↑ standard
Access compartmentalisation | Single shared environment | Separate dev / staging / prod | ↑ critical
Provider audit | Never | Quarterly at minimum | ↑ Art. 28 audit right
Test data | Real production copy | Anonymised / synthetic | ↑ best practice

SOURCE: CNIL, European Commission (SCCs June 2021) · Updated 06/2026

If your offshore provider can't tick every one of those boxes, the problem isn't the country: it's the provider. To better understand how to structure your offshore software development in Vietnam, start with the contractual framework before talking tech.
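The last technical measure above, pseudonymised or synthetic test data, is the one teams most often get wrong by running a plain hash over the e-mail column and calling the extract "anonymised". The script below is an added example written for this article; it is not GoLive's tooling and does not come from the sources cited above. It assumes a hypothetical users table with the columns shown, a pseudonymisation key that stays with the EU-side data controller, and a rule that the offshore team never receives direct identifiers. Identifiers are replaced with keyed HMAC tokens (stable, so foreign keys still join; unrecoverable without the key), quasi-identifiers such as dates are generalised, free text is dropped, and a gate function checks that nothing from the source extract survives before the dataset ships. The sample rows are constructed and do not describe real people.

```python
"""Pseudonymise a production extract before it is handed to an offshore
development environment.

Added example, not GoLive's tooling. Assumptions: a users table with the
columns below, a secret key that stays with the EU-side data controller,
and a rule that the offshore team never receives direct identifiers.
"""
import hashlib
import hmac
import secrets
from datetime import date

# The key never leaves the controller. Without it the tokens are not reversible
# and a dictionary attack on common e-mail addresses does not work, which is
# the difference between a pseudonym and a plain (unkeyed) hash.
PSEUDO_KEY = secrets.token_bytes(32)

# Constructed sample rows standing in for a production extract; not real people.
PRODUCTION_USERS = [
    {"id": 1, "email": "alice.martin@example.com", "full_name": "Alice Martin",
     "phone": "+33 6 12 34 56 78", "plan": "pro", "country": "FR",
     "signup_date": date(2025, 3, 17), "support_notes": "Called about invoice 4481"},
    {"id": 2, "email": "bruno.nguyen@example.com", "full_name": "Bruno Nguyen",
     "phone": "+33 7 98 76 54 32", "plan": "free", "country": "FR",
     "signup_date": date(2025, 11, 2), "support_notes": "Asked for a GDPR export"},
    {"id": 3, "email": "chloe.dupont@example.org", "full_name": "Chloé Dupont",
     "phone": "+32 470 11 22 33", "plan": "pro", "country": "BE",
     "signup_date": date(2026, 1, 29), "support_notes": ""},
]

DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def pseudonym(value: str, key: bytes = PSEUDO_KEY) -> str:
    """Keyed HMAC-SHA256 token, truncated to 16 hex characters.

    Stable for the same input and key, so foreign keys and joins across
    tables still line up in the dev database; unrecoverable without the key.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_user(row: dict, key: bytes = PSEUDO_KEY) -> dict:
    """One row in, one row out: every direct identifier replaced or dropped."""
    token = pseudonym(row["email"], key)
    return {
        "id": row["id"],                        # surrogate key: keep for FK integrity
        "email": f"user-{token}@test.invalid",  # .invalid TLD can never receive mail
        "full_name": f"User {token[:6]}",
        "phone": None,                          # not needed to build the app: drop it
        "plan": row["plan"],                    # non-identifying business fields stay
        "country": row["country"],
        "signup_date": row["signup_date"].replace(day=1),  # generalise to the month
        "support_notes": "",                    # free text is where identifiers hide
    }


def pseudonymise(rows: list[dict], key: bytes = PSEUDO_KEY) -> list[dict]:
    return [pseudonymise_user(r, key) for r in rows]


def leaked_identifiers(original_rows: list[dict], output_rows: list[dict]) -> set[str]:
    """Gate to run before an extract leaves the EU: return every direct identifier
    (and every name part of 4+ characters) from the source that still appears
    anywhere in the output. An empty set means the extract may ship."""
    haystack = " ".join(str(v) for r in output_rows for v in r.values()).lower()
    needles: set[str] = set()
    for r in original_rows:
        for col in DIRECT_IDENTIFIERS:
            needles.add(str(r[col]).lower())
        needles.update(p.lower() for p in r["full_name"].split() if len(p) >= 4)
    return {n for n in needles if n and n in haystack}


if __name__ == "__main__":
    safe = pseudonymise(PRODUCTION_USERS)
    for row in safe:
        print(row)
    print("leaked:", leaked_identifiers(PRODUCTION_USERS, safe) or "none")
```

Two points of design. The key is generated on the EU side and is never part of the dataset, the repository or the secrets manager the offshore team can read; if you need the same tokens across several extracts, store the key with the controller and pass it in explicitly. And because the key exists, the output is pseudonymised rather than anonymised, so it still counts as personal data under the GDPR: that is acceptable for a restricted dev environment covered by the SCCs, but if you want test data that falls outside the regulation entirely, generate synthetic rows instead of transforming real ones. The output of leaked_identifiers, kept with each extract, is also a convenient artefact to show at the quarterly audit.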

Intellectual property and source code: who owns what?

This is the second major objection. You pay for 18 months of development, and at the end of the contract, who owns the code? Without an explicit clause, the answer might surprise you.

Who owns the code in offshore development?

Under French law, the principle is straightforward: unless there is an express assignment, the author of the code retains their rights. If your contract doesn't mention intellectual property assignment, the offshore provider remains the legal owner of the code they produced for you.

Vietnam strengthened its intellectual property legislation in 2026, further aligning its framework with international standards (Berne Convention, WTO TRIPS agreements). This works in favour of European clients: IP assignment clauses inserted into a contract governed by French law are recognised and enforceable.

Which contractual clauses are essential?

Here are the five clauses I consider non-negotiable in any offshore development contract:

  1. Full IP assignment: all source code, technical documentation, and assets created during the engagement are assigned to the client, with no restriction on territory or duration.

  2. NDA (non-disclosure agreement) signed by each team member individually, not just by the provider company.

  3. Data security clause describing the technical measures (encryption, access controls, logging) and notification obligations in the event of an incident.

  4. Processing rules compliant with the GDPR (purpose limitation, retention period, onward sub-processing prohibited without prior approval).

  5. Reversibility clause guaranteeing the complete return of all code, data, and documentation at the end of the engagement, with certified deletion on the provider's side.

Well-structured offshore IT services companies include these clauses in their standard contracts. Those that refuse to discuss them are sending you a clear warning sign.

What I put in place at GoLive Software

I've been managing a team of senior developers in Vietnam for several years. GDPR and IP aren't FAQ topics for me: they're contractual commitments I make to every client.

How does GoLive secure its clients' data?

At GoLive Software, code and intellectual property are assigned to the client from the moment the contract is signed. Every developer on the team signs an individual NDA. Access is compartmentalised by environment: a developer working on the front end has no access to the production database.

I use private Git repositories with two-factor authentication, secrets managers for API keys, and test environments that run on synthetic data. No real personal data ever touches the Vietnamese team's machines.

This isn't paranoia. It's the minimum standard for working with clients who handle sensitive data (B2B SaaS, fintech, healthtech). And it's precisely this framework that makes offshore development in Vietnam safer than a local freelancer without a structured contract.

"The risk is never the country. It's the absence of a contractual and technical framework."

Vincent Roye, June 2026

How do you verify an offshore provider's reliability?

Before signing, ask your prospective provider these five questions:

  1. Show me your NDA template and IP assignment clauses.
  2. How do you compartmentalise access between dev, staging, and production?
  3. What security certifications or attestations do you hold (ISO 27001 certificate, SOC 2 report), and can I see the scope statement?
  4. How do you handle data deletion at the end of a contract?
  5. Do you accept regular third-party security audits?

A provider that answers these five points clearly is a structured provider. The ones you should avoid in 2026 are those that dodge the question or point you to a generic document.

The real risk isn't Vietnam

After eight years running offshore teams, I hold a firm conviction: the provider's country of operation is a red herring. I've seen Parisian agencies with no NDA, European freelancers committing secrets in plaintext to public GitHub repos, and French IT service companies unable to produce a processing register.

The global IT outsourcing market is projected to reach $591 billion in 2025 according to Statista, with a CAGR of 8.28% through 2029. That growth makes the compliance question even more pressing. Companies that structure their offshore operations today are getting ahead of the curve.

My model is simple: Vietnam + senior developers + AI + a solid contractual framework. The GDPR doesn't hinder that equation. It validates it, provided you play by the rules of SCCs, encryption, and IP assignment.

If you're a CTO or head of engineering and GDPR compliance is your last reason for not outsourcing, ask the right questions to the right provider. The answer will surprise you: a well-structured offshore operation protects your data better than a local provider who has never opened the regulation.

Frequently asked questions

Is offshore development compatible with the GDPR?

Yes. The GDPR does not prohibit data processing outside the EU. It requires a framework: standard contractual clauses (SCCs), technical measures (encryption, compartmentalised access), and documented processing activities. A structured offshore provider can be fully compliant.

How do you govern a data transfer outside the EU?

The primary mechanism is embedding the standard contractual clauses (SCCs) approved by the European Commission into the service contract. These clauses define the processor's obligations and the data controller's rights. They must be backed by concrete technical measures: AES-256 encryption, environment-restricted access, logging, and quarterly audits.

Who owns the source code in an offshore contract?

Without an explicit assignment clause, the provider remains the owner of the code under French law. The contract must include a full intellectual property assignment to the client, with no restriction on duration or territory. At GoLive Software, this assignment is built into the contract from day one.

Which contractual clauses are essential with an offshore provider?

Five clauses are non-negotiable: full IP assignment, an individual NDA for each team member, a data security clause with detailed technical measures, processing rules compliant with the GDPR, and a reversibility clause for the return of all code at the end of the engagement.

How do you verify that a provider in Vietnam complies with the GDPR?

Ask to see the NDA template and IP assignment clauses, check the compartmentalisation of access between environments, enquire about certifications and attestations (ISO 27001, SOC 2) and their scope, require a data deletion protocol at the end of the contract, and plan for third-party security audits. A provider that answers these questions without hesitation is a reliable provider.


Vincent Roye
CEO & Founder, GoLive Software

French engineer based in Vietnam since 2014. He leads a team of senior full-stack developers and has helped startups and SMEs structure their tech teams for over 11 years.