On July 1st, 2023, Decree No. 13/2023/ND-CP issued by the Government on April 17th, 2023 on personal data protection officially came into effect (“Decree 13”).
Decree 13 not only regulates a relatively comprehensive personal data system but also fully demonstrates the roles, rights, and obligations of relevant agencies, organizations, and individuals in protecting personal data. In this article, TNTP will present an analysis and assessment of the impact of Decree 13 on personal data protection for the business.
1. Some notable contents in Decree 13 affecting the business
a. Personal data information of the employee at the business
According to Article 21 of the Labor Code 2019, the mandatory information of the labor contract belongs to the basic personal data of the employee pursuant to Clause 3 Article 2 of Decree 13. However, the process of employing and managing the employee may occur the case that the business requires the employee to provide additional information such as political view; religious view, health status and personal life recorded in medical records exceot blood type; information about sexual life, sexual orientation, racial origin, ethnic origin of individual,… and these are sensitive personal data according to Clause 4 Article 2 of Decree 13. Therefore, the business needs to be responsible for protecting that information during the process of managing and employing their labours if they do not want to be legally processed.
b. The activities of collecting and processing of personal data of employees at the business
The activities of collecting, recording, analyzing, verifying, storing, modifying, disclosing, combining, accessing, retrieving, withdrawing, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, and destroying personal data or other related actions related to personal data of candidates and employees in the recruitment and personnel management process are considered as processing personal data and require the consent of the data subject according to Clause 7 and Clause 8 Article 2 of Decree 13.
Personal data can only be processed for the purposes for which the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, and the Third Party registering, declaring the processing of personal data. The collected personal data must be appropriate and within the scope and purpose of processing according to Clause 3 and clause 4 Article 3 of Decree 13.
The consent of the data subject must be clearly and specifically expressed by writting, voice, ticking in the consent box, consent syntax through message, selecting technical consent setting, or through any other action that demonstrates this. The consent of the data subject must be expressed in a format that can be printed, copied in writting, including electronic form or a verifiable form according to Clause 3 and Clause 5 Article 11 of Decree 13.
Furthermore, according to Article 17 of Decree 13, the employee has the right to consent or not consent to the processing of their personal data, except in the following cases:
– Emergency situations requiring immediate processing of relevant personal data to protect the life, and health of the data subject or others;
– Disclosure of personal data according to the provisions of law;
– Processing of data by competent state agencies in emergency situations;
– Fulfilling the obligation under the contract between the data subject and the business as prescribed by law;
– Serving the activities of state agencies as regulated by specialized laws.
2. Responsibilities of the business according to Decree 13
a. Notification of personal data processing
According to the regulations in Article 13 of Decree 13, the processing of personal data (collection, storage,…) must be notified to the data subject before proceeding. The notification must include the contents specified in Clause 2 Article 13. Similar to the consent of the employee, the notification of data processing must be expressed in a format that can be printed, copied in writing, including in electronic form or in a verifiable form.
b. Assessment of the impact of personal data processing and assessment of the impact of transferring data abroad
According to the regulations in Article 24 of Decree 13, from the start of data processing, the business and related parties have the obligation to establish and retain documents of the assessment of the impact of personal data processing and must ensure that they are always available to serve the inspection and assessment activities of the Ministry of Public Security.
According to the regulations in Article 25 of Decree 13, in case of transferring personal data of Vietnamese citizens abroad (for example, when transferring information of Vietnamese personnel to the holding company abroad), the business must establish documents of the assessment of the impact of transferring personal data abroad and carry out procedures as specified in Clause 3, 4, and 5 of Article 25. This is particularly important for business with foreign investment in general and business with foreign investment operating under the cross-ownership model, holding company – subsidiary company in particular.
3. Sanction for violation of personal data protection regulations
According to the provisions in Article 4 of Decree 13, any violations of the business regarding the protection of personal data of the employee, depending on the severity, may be subject to administrative sanctions or in more serious manner, criminal sanctions.
The buying and selling of personal data are prohibited in any form (except where otherwise provided by law) and may be subject to disciplinary action, administrative sanction, or criminal sanction as stipulated in Clause 4 Article 3 and Article 4 of Decree 13.
The above is an article titled “The impact assessment of Decree No. 13/2023/ND-CP on personal data protection for the business”. If you have any issues to discuss, don’t hesitate to get in touch with TNTP for timely support.