Dear Value Client and Partner,
Kindly be informed that recently, Decree on Personal Data Protection (“Decree 13/2023/ND-CP” or “Decree 13”) was passed by Vietnam’s Ministry of Public Security on 07 June 2023 and shall take effect from 01 July 2023.
Pursuant to this Decree, the companies related to personal data arising from Vietnam is required to implement some following compliance works:
- Notice and get the acceptance from your all of employees if the Company have been implementing to collect, analyse, process, store, share or abroad transfer with any personal data of employees such as: name, DOB, gender, permanent/temporary residence address, contact number, ID/passport, bank account number, salary and bonus, marital status, politics views, religion views, medical record,…
- Build and internally publish the Information security policy of the Company. Upon the Information security policy is completed and applied, the Company assigns a person in charge of such protection tasks.
- Prepare an data processing impact assessment (“DPIA”); and data transfer impact assessments (“DTIAs”) in case of having the abroad transfer;
- Prepare within 60 days from the date of collecting, analysing, storing, sharing or abroad transferring the personal data;
- Submit to the Ministry of Public Security for their review and comments;
- In case of having any changes compared to the submitted DPIA/DTIAs, it is required to submit the updated to the competent authority;
- In case of abroad transfer, the Company is also obligated to report the result to the competent authority upon successful transferring;
- The Company must archive these DPIA and DTIAs ready for inspection activities of competent authority. The inspection is extraordinary, but at least once a year.
- In addition, in case the Company provides support services related to collect, analyse, process, store, share or abroad transfer with the personal data of the employees from other clients, the Company should review the service contracts to amend/supplement terms of contracts (if any) in order to be compliance with Decree 13;
Kindly be noted that micro-enterprises, small enterprises, medium-sized enterprises and start-up enterprises can be entitled to choose to be exempted from regulations on assignation of person in charge of such protection for the first 2 years from the date of establishment.
Currently, the National System of Personal Data Protection as well as the templates for notifications and registrations is being completed by the competent authority, hence, it may intend to officially announce the detail guidelines and practices for enterprises in the near future.
Notwithstanding, as your activities can be related to personal data arising from Vietnam, we would like to recommend that your Company should aware and conduct the above-mentioned necessary works to ensure the compliance with requirements of Decree 13.