Legal Update | Guidance on Submitting Soft Copies of Personal Data Protection Impact Assessment Dossiers

June 2, 2026

Recently, the Department for Receiving and Returning Administrative Procedure Results on Personal Data Protection issued guidance on the submission of soft copies of the Personal Data Processing Impact Assessment Dossier and/or the Cross-border Personal Data Transfer Impact Assessment Dossier.

Under the guidance, organizations and enterprises are required to submit the dossier in a .ZIP compressed file to the following email address: dulieucanhan@cschd.mps.gov.vn.

To ensure that the receipt, processing, and appraisal of the dossier are conducted effectively, organizations and enterprises should prepare all required dossier components in PDF format, arrange them in the prescribed order, and name the files consistently in accordance with the guidance.

Specifically, the dossier should include the following main groups of documents:

  1. Submission notice for the Impact Assessment Dossier, with the file name structured as TB-ĐGTĐ-xulyDLCN for the Personal Data Processing Impact Assessment Dossier, or 1.TB-ĐGTĐ-chuyenDLCNxbg for the Cross-border Personal Data Transfer Impact Assessment Dossier.
  2. Impact Assessment Dossier, with the file name structured as HSMau10-ĐGTĐ-xulyDLCN for the Personal Data Processing Impact Assessment Dossier, or 2.HSMau9-ĐGTĐ-chuyenDLCNxbg for the Cross-border Personal Data Transfer Impact Assessment Dossier.
  3. Documents relating to the personal data protection department/personnel or DPO. Depending on the specific case, this group of documents may include the decision on establishment, appointment, and assignment of the personal data protection department or personnel, with file names such as QĐ-BP-DPO or 3.QĐ-NS-DPO; service agreements with a personal data protection organization/individual, with file names such as 3.HĐ-TC-DPO or 3.HĐ-CN-DPO; and documents evidencing the DPO’s qualifications, such as a confirmation of work experience, certificates, or training certificates on personal data protection, with file names such as 3.GXN-NS-DPO or 3.GCN-NS-DPO.
  4. Personal data protection policy and related policies, including policies on the retention, deletion, and destruction of personal data and other relevant internal regulations. File names may be structured as CS-BVDLCN, 4.CS-Luutru-xoa-huyDLCN, or 4.CS-….
  5. Consent forms for personal data processing, applicable to employees, customers, or other groups of data subjects, depending on the organization’s or enterprise’s personal data processing activities. File names may be structured as BM-NLD-dongy, 5.BM-KH-dongy, or 5.BM-KH-….
  6. Agreements/contracts on personal data processing or transfer with relevant parties, including contracts, contract appendices, personal data processing agreements, or cross-border personal data transfer agreements. File names may be structured as HĐ-xulyDLCN-[partner name]/template, 6.PLHĐ-xulyDLCN…, or 6.TT-chuyenDLCNxbg….
  7. System diagrams and personal data processing flow diagrams, with file names structured as SĐ-Hethong… or 7.SĐ-luongxuly….
  8. Other supporting appendices, including other agreements with customers or relevant parties regarding personal data processing or cross-border personal data transfer. File names may be structured as PL-….

Based on the above guidance, please note that submitting the soft-copy dossier requires not only preparing the correct Impact Assessment Dossier template, but also ensuring that the supporting documents are complete, consistent, and coherent, including DPO-related documents, internal policies, consent forms, agreements with relevant parties, system diagrams, and personal data processing flow diagrams.

Therefore, before submitting the dossier, organizations and enterprises should carefully review the dossier components, file format, document order, and file naming convention to reduce the risk of being requested to supplement or clarify the dossier during the receipt, processing, and appraisal process.

