Corporate Responsibilities for Processing Personal Data and Precautions

Enterprises, in their role as managers, collect, control, supervise, and process employees' personal data in the course of managing and operating the business. This means that the enterprise performs not only the functions of the Personal Data Controller but also those of the Data Processor: it decides the means of data processing and takes the initiative and responsibility in managing personal information. It also means that enterprises are required to comply with the law, ensure transparency, fairness, and safety in the management of employees' personal information, and strictly implement the provisions of Decree 13/2023/ND-CP on personal data processing. The corporate responsibilities in handling personal data and the considerations set out below help businesses understand how to do this correctly.

Corporate responsibilities for employees’ personal data 

Enterprises collect and store employees' personal data in order to conclude labor contracts. The collection and storage are carried out on the enterprise's own system platform, so the enterprise plays the decisive role in the processing of employees' personal data. Therefore, businesses are not limited to deciding on the purposes and means of processing personal data; they also bear direct responsibility for carrying out these activities.

Firstly, comply with the principles of personal data protection: comply with the law; data subjects have the right to know about activities related to the processing of their personal data; personal data collected must be appropriate and limited to the scope and purposes for which it is processed, updated and supplemented in accordance with the purposes of the processing, and stored for a period appropriate to that purpose; and the enterprise is responsible for compliance with the prescribed data processing principles.

Secondly, it is forbidden to perform prohibited acts in personal data protection, such as: processing personal data contrary to the provisions of the law on personal data protection; creating information and data against the State of the Socialist Republic of Vietnam, affecting national security, social order and safety, or the legitimate rights and interests of other organizations and individuals; obstructing the personal data protection activities of competent agencies; and abusing personal data protection activities to violate the law.

Third, enterprises must apply personal data protection measures in accordance with the law from the very beginning and throughout the processing of personal data. They must comply with the provisions of the law on personal data protection and participate in preventing and combating violations of those regulations, coordinate with the Ministry of Public Security and other competent state agencies in personal data protection, and provide information for the investigation and handling of violations of the law on personal data protection.

Fourth, the enterprise simultaneously performs the responsibilities of the Personal Data Controller, the Personal Data Processor, and the combined Personal Data Controller and Processor. As the controller and processor of employees' personal data, the enterprise is responsible for implementing appropriate organizational and technical measures, as well as safety and security measures, to demonstrate that data processing activities have been carried out in accordance with the law on personal data protection, and for reviewing and updating these measures as necessary; recording and storing system logs of personal data processing; notifying violations of regulations on personal data protection; and ensuring the rights of data subjects according to regulations.

Fifth, take legal responsibility, in the form of administrative sanctions or criminal penalties depending on the severity of the violation of personal data protection regulations; delete and return all personal data after the end of data processing; and take responsibility to data subjects for damage caused by processing their personal data, including compensation if any loss occurs.

Enterprises enforce the responsibility to protect employees’ personal data 

In order to fulfill the responsibility to protect employees' personal data in compliance with Decree 13/2023/ND-CP, enterprises need to carry out the following tasks:

Complete the collection and processing of employees' data. Enterprises should review, supplement, and adjust documents, agreements, and contracts in line with customer requirements and employees' information. In some cases, workers may have to provide additional information, such as data on crimes and criminal acts collected and stored by law enforcement agencies or information about genetic traits, which is sensitive personal data according to Clause 4 Article 2 of Decree 13/2023/ND-CP. Additionally, the above contents should be added to the provisions of the probationary contract, the labor contract, and any annex to the labor contract. However, the provision of information must have the consent of the data subject, except in the cases set out in Article 17 of Decree 13/2023/ND-CP. The data subject's consent must be expressed in text or voice, by ticking a consent box, by a message consent syntax, by selecting consent technical settings, or by another action expressing consent. The data subject's consent is valid only when the data subject gives it voluntarily and clearly knows the type of data, the rights of the data subject, and the purpose and organization of the data processing. When a dispute arises, the enterprise is obliged to prove the consent of the employee or recruitment candidate, so the enterprise needs to develop or update the form on which the candidate or employee marks or confirms in writing the permission to use their personal data.

Develop and promulgate internal regulations to protect personal data. Enterprises need to base their internal regulations, appropriate processes, coordination between departments, and appropriate technical measures for protecting personal data on the practical situation of their units, services, and business products. Update the Internal Labor Regulations to prohibit the purchase, sale, and sharing of personal data, as a basis for handling labor discipline and, where applicable, compensation in case of violations. According to Article 4, in case of violation of regulations on personal data protection, depending on the extent, the violating agency, organization, or individual may be disciplined, administratively sanctioned, or otherwise penalized according to regulations.

Establish a dedicated department to protect sensitive personal data. According to Article 28 of Decree 13/2023/ND-CP, enterprises need to appoint a department with sensitive personal data protection functions and a head of personal data protection to perform these tasks at the enterprise and ensure compliance with regulations on personal data protection. This department is in charge of exchanging information with the Specialized Personal Data Protection Authority and informing data subjects about the processing of their sensitive personal data.

Prepare an impact assessment dossier on the processing of personal data. The dossier shall be sent to the Department of Cyber Security and High-tech Crime Prevention and Control. Any enterprise that conducts at least 01 activity in the data processing process must establish, store, notify, and send a dossier of impact assessment of personal data processing as prescribed in Article 24 of this Decree. In addition, foreign-invested enterprises in general, and foreign-invested enterprises operating under a parent-subsidiary model in particular, should pay special attention to the case of transferring personal data of Vietnamese citizens abroad. Accordingly, in addition to the impact assessment dossier on personal data processing, enterprises must also make an impact assessment dossier on the transfer of personal data abroad and send 01 original dossier to the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security, according to form No. 06 in the Appendix of this Decree, within 60 days from the date of processing of the personal data. Impact assessment dossiers on the transfer of personal data abroad must always be available for inspection and evaluation by the Ministry of Public Security. When there is a change or addition, an updated dossier documenting the impact assessment of transferring personal data abroad must be created.

Considerations when implementing personal data protection responsibilities 

Personal data is an important starting resource of the digital transformation process, and organizations and individuals are responsible for strictly complying with the regulations and principles of personal data processing. The following issues should be noted:

Ensure compliance with data protection principles. The processing of personal data should respect data protection principles such as: personal data may only be processed in accordance with the registered purpose; the declaration on personal data processing and collection must be appropriate and limited to the scope and purpose of processing; and personal data must not be bought or sold in any form, unless otherwise provided for by law.

Strictly comply with regulations on the rights and obligations of data subjects. Employee consent is a prerequisite for businesses to comply with these regulations. The employee's consent is valid until otherwise decided or until requested in writing by a competent state agency. The employee has the right to withdraw his or her consent, and the enterprise must then cease processing and request the relevant organizations and individuals to stop processing the data of the data subject who has withdrawn consent. The silence or non-response of the data subject is not considered consent. Therefore, enterprises should sign this consent agreement separately with each employee, in the form prescribed by law, from the moment the employee joins the company.

Notification of violations of regulations on personal data protection. Upon detecting a violation of personal data protection regulations, enterprises must notify the Department of Cyber Security and Hi-tech Crime Prevention and Control of the Ministry of Public Security no later than 72 hours after the violation occurs. If the notification is made after 72 hours, it must be accompanied by the reason for the late notification. It is necessary to work closely with the relevant departments and authorities to ensure that information related to the processing of personal data is available when needed to support investigations and the handling of violations, as stipulated in Article 38 of Decree 13/2023/ND-CP. This not only enhances transparency but also highlights the importance of protecting personal information in an increasingly digital and interconnected environment.

Seek consent from data subjects when disputes arise. When conflicting issues related to personal data arise, enterprises should seek the consent of data subjects through dialogue and negotiation. These are effective mechanisms, suitable for departments or enterprises with a large workforce, for informing individuals and collectives and reaching consensus with them.

This article has set out some notes to help businesses fulfill their responsibilities to protect the personal data of employees.

We will dig deeper in the following articles. Don't forget to follow our website for more useful updates. Please contact us for more detailed instructions.