Since July 1, 2023, the effective date of Decree No. 13/2023/ND-CP, establishing and storing a dossier on assessment of impact of personal data processing has become one of the important obligations of enterprises. According to the Decree, these dossiers must always be available to serve the inspection and assessment activities of the Ministry of Public Security.
However, because this issue is new, many enterprises still do not fully understand the importance of personal data impact assessment and encounter difficulties in carrying out the related procedures. According to the definition in Article 2, Clause 7 of Decree No. 13/2023/ND-CP, personal data processing includes a series of activities such as collection, recording, analysis, verification, storage, modification, disclosure, combination, access, retrieval, erasure, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, and destruction of personal data, or other related actions.
It can therefore be seen that the majority of enterprises nowadays carry out at least one of these activities, the most typical and widespread being the collection, storage and sharing of information (signing employment contracts with employees or contracts with partners, transferring information to third parties such as the tax department, the social insurance department, …). An enterprise can play the role of the Data Controller, Data Controller and Processor, or Data Processor according to Clauses 9, 10, 11 of Article 2 of Decree No. 13/2023/ND-CP. Therefore, any enterprise involved in at least one activity in the data processing process must establish, maintain, and submit a dossier on assessment of impact of personal data processing to the Ministry of Public Security as prescribed in this Decree.
For businesses operating in sectors where personal data is a significant resource that plays an important role in generating profits, such as e-commerce, banking, advertising, cloud computing, data analysis, strategic management consulting, and so on, compliance with these regulations must be implemented promptly and rigorously. According to Article 4 of Decree No. 13/2023/ND-CP, authorities, organizations, and individuals violating the provisions on personal data protection may be disciplined, administratively fined, or criminally prosecuted as prescribed. The Government has also drafted a decree on administrative sanctions in the field of cybersecurity, which governs administrative violations in the field of personal data protection.
Accordingly, for more serious violations such as processing personal data for marketing and advertising activities without the consent of the data subject, buying and selling personal data, or failing to submit a personal data processing impact assessment report to the competent authorities, there is a possibility of being fined up to 5% of the total annual revenue of the preceding fiscal year in Vietnam, along with additional forms of punishment and/or other remedial measures.
SBLAW is aware that the decree on administrative sanctions in this field is expected to be issued by June 2024. Understanding the importance of establishing, storing, and submitting a dossier on assessment of impact of personal data processing and aiming to minimize legal risks in the operation of enterprises, SB Law, as one of the leading law firms in providing legal services related to this field, is pleased to introduce to our customers a package of legal services including:
1. Consultancy on legal issues related to the establishment, storage, and submission of a dossier on assessment of impact of personal data processing
2. Drafting a dossier on assessment of impact of personal data processing
3. Registering a dossier on assessment of impact of personal data processing
Please contact SB Law for specific advice on the above legal service package.