Procedures to Protect Personal Data as per Regulations
As the volume of personal information of individuals in the digital space continues to increase, the occurrence of errors and personal data breaches becomes increasingly unavoidable. The consequences of data breaches are often unpredictable. Therefore, safeguarding personal data has become an essential need in the global digital economy. In Vietnam, after the Cybersecurity Law addressed the issue of protecting personal information in cyberspace, Decree 13/2023/ND-CP was issued as a specific legal document to comprehensively and officially protect personal data. With this decree, individuals have more rights in managing personal data within the territory of Vietnam, such as the right to know, to be provided with information about data processing activities, the right to complain, the right to demand compensation for damages, etc. To ensure that personal data is legally protected, individuals, organizations, and enterprises need to perform mandatory administrative procedures related to the purpose of processing personal data according to the provisions of Decree 13/2023/ND-CP.
Types of Personal Data Protected by Law
Protecting personal data involves preventive measures, detection, and handling activities related to personal data breaches as prescribed by law. Personal data refers to information in the form of symbols, writing, numbers, images, sounds, or similar forms in electronic environments associated with a specific individual or assisting in identifying a specific individual. The subject of personal data is the individual reflected in the data. Personal data is divided into two types: basic personal data and sensitive personal data.
According to Article 2, Clause 3, basic personal data includes: last name, middle name, first name, other names if any, date, month, year of birth, year of death or missing, gender, place of birth, place of birth registration, place of residence, temporary residence, current residence, hometown, contact address, nationality, image, phone number, identity card number, personal identification number, passport, driver’s license, vehicle registration number, tax code, social insurance number, health insurance card, etc.
Sensitive data is explained in Clause 4, Article 2 of Decree 13/2023/ND-CP: Sensitive data is data linked to an individual’s privacy rights, the infringement of which directly affects the rights and legitimate interests of that person. For example: political views, religion, health status, personal life, ethnic origin, race, genetic characteristics, sexual orientation, criminal data, location, customer information of credit institutions, etc.
Activities Related to Personal Data
Activities related to personal data include many activities, but primarily the following:
Processing personal data: According to Clause 7, Article 2 of Decree 13/2023/ND-CP, processing personal data is one or more activities affecting personal data, such as: collection, recording, analysis, confirmation, storage, editing, disclosure, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data, or other related actions. Automated processing of personal data is a form of processing personal data carried out electronically to evaluate, analyze, predict the activities of a specific individual, such as: habits, preferences, reliability, behavior, location, trends, capabilities, and other cases. Processing of personal data requires the consent of the data subject, except for certain cases as stipulated by law such as processing personal data for the purpose or request of competent state agencies, in emergency cases, and serving the activities of state agencies as stipulated by law. Depending on the purpose of data processing, data will have appropriate retention periods.
Assessment of the impact of processing personal data: Article 24 stipulates that Data Controllers, Data Processors, and Data Controllers and Processors are required to prepare and keep records of the impact assessment of processing personal data from the time of commencing personal data processing, and these records must always be available to serve the inspection and evaluation activities of the Ministry of Public Security. The impact assessment record of processing personal data must be submitted to the Ministry of Public Security (Cybersecurity and High-tech Crime Prevention Department) within 60 days from the date of processing personal data. Any updates or supplements to the impact assessment records of processing personal data when there are changes to the content of the submitted records must be reported to the Ministry of Public Security.
Transfer of personal data abroad: This is an activity using cyberspace, devices, electronic means, or other forms to transfer personal data of Vietnamese citizens to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process personal data of Vietnamese citizens, including: organizations, enterprises, individuals transferring personal data of Vietnamese citizens to organizations, enterprises, management departments abroad for processing purposes agreed upon by the data subject; processing personal data of Vietnamese citizens by automatic systems outside the territory of the Socialist Republic of Vietnam of the data controller, data controller and processor, or data processor, consistent with the purposes agreed upon by the data subject. According to Article 25 of Decree 13/2023/ND-CP, the party transferring personal data of Vietnamese citizens abroad must prepare records of an impact assessment on processing personal data, records of impact assessment of transferring personal data abroad, and send them to the Ministry of Public Security in accordance with regulations, as well as always being available to serve inspection and evaluation activities of the Ministry of Public Security.
Procedures to Protect Personal Data According to Legal Regulations
In parallel with activities related to personal data are the necessary procedures to establish security for data. There are 5 main procedures related to protecting personal data:
Procedure for notifying violations of regulations on protecting personal data: This is carried out when violations of regulations on protecting personal data are detected. Data Controllers, Data Controllers and Processors must notify the Ministry of Public Security (Cybersecurity and High-tech Crime Prevention Department) no later than 72 hours after the occurrence of the violation. In case of notification after 72 hours, the reason for the late notification must be provided. Procedure:
Step 1: Organizations, individuals access the National Data Protection Portal or download Form 03 issued together with Decree 13/2023/ND-CP when violations of regulations on protecting personal data are detected. In case the National Data Protection Portal is not available, contact the A05 Department directly.
Step 2: Organizations, individuals provide information as instructed on the National Data Protection Portal or declare according to Form 03 issued together with Decree 13/2023/ND-CP.
Step 3: Organizations, individuals send notification information through the National Data Protection Portal or send the completed form to the Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security.
Step 4: The Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security responds with information on the results of the notification of violations of regulations on protecting personal data.
Procedure for preparing and sending records of impact assessment of processing personal data: Data Controllers, Data Controllers and Processors, Data Processors, prepare and keep records of the impact assessment of processing their personal data from the time of commencing personal data processing. Procedure:
Step 1: Organizations, individuals access the National Data Protection Portal or download Form 04 issued together with Decree 13/2023/ND-CP.
Step 2: Organizations, individuals provide information as instructed on the National Data Protection Portal or declare according to Form 04 issued together with Decree 13/2023/ND-CP.
Step 3: Organizations, individuals send notification information through the National Data Protection Portal or send the completed form to the Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security.
Step 4: The Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security responds with information on the results of preparing records of impact assessment of processing personal data.
Procedure for notifying changes in the content of the impact assessment records of processing personal data: This procedure is carried out in case there are updates or supplements to the impact assessment records of processing personal data when there are changes to the content of the records submitted to the Ministry of Public Security. Procedure:
Step 1: Organizations or individuals access the National Data Protection Portal or download Form 05 issued together with Decree 13/2023/ND-CP.
Step 2: Organizations or individuals provide information as instructed on the National Data Protection Portal or declare according to Form 05 issued together with Decree 13/2023/ND-CP.
Step 3: Organizations or individuals send the records through the National Data Protection Portal or send the completed form to the Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security.
Step 4: The Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security responds with information on the results of notifying changes in the content of the impact assessment records of processing personal data.
Procedure for preparing and sending records of impact assessment of transferring personal data abroad: Self-performed process:
Step 1: Organizations or individuals access the National Data Protection Portal or download Form 06 issued together with Decree 13/2023/ND-CP.
Step 2: Organizations or individuals provide information as instructed on the National Data Protection Portal or declare according to Form 06 issued together with Decree 13/2023/ND-CP.
The content of the impact assessment records of transferring personal data abroad is specified in Article 25(2) of Decree No. 13/2023/ND-CP.
Step 3: Organizations or individuals send the records through the National Data Protection Portal or send the completed form to the Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security.
Step 4: The Cybersecurity and High-tech Crime Prevention Department, Ministry of Public Security responds with information on the results of preparing records of impact assessment of transferring personal data abroad.
Procedure for amending the content of the assessment dossier on the transfer of personal data abroad. This procedure must be carried out by the Data Exporter when there are changes, updates, or additions to the assessment dossier on the transfer of personal data abroad. Procedure:
Step 1: The organization or individual accesses the National Portal on Personal Data Protection or downloads Form No. 05 issued together with Decree No. 13/2023/NĐ-CP.
Step 2: The organization or individual provides the information according to the instructions on the National Portal on Personal Data Protection or completes Form No. 05 issued together with Decree No. 13/2023/NĐ-CP.
Step 3: The organization or individual submits the dossier via the National Portal on Personal Data Protection or sends the completed dossier containing information to the Cybersecurity and High-Tech Crime Prevention Department under the Ministry of Public Security.
Step 4: The Cybersecurity and High-Tech Crime Prevention Department under the Ministry of Public Security provides feedback on the results of amending the content of the assessment dossier on the transfer of personal data abroad.
Awareness of the importance of protecting personal data and thorough understanding of legal regulations on procedures and methods for implementing measures to protect personal data are fundamental issues that businesses need to pay attention to.