Cross-border data transfer – for a seamless flow of data

November 7, 2023

Decree 13/2023/ND-CP on the Protection of Personal Data (“Decree”) has finally been issued with many completely new regulations designed to protect personal data and control the “flow” of personal data, as well as set obligations that every business must comply with. In particular, an issue that businesses are especially concerned about is the regulation on controlling the transfer of personal data across borders. Here is an overview of the regulations that businesses are required to comply with from July 1, 2023:

What is personal data, personal data processing?

Personal data is information that is tied to a particular person or helps to identify a particular person. Some examples of personal data include full name, date of birth, nationality, phone number, photo, place of residence, etc. Personal data includes basic and sensitive data. Processing of personal data is defined as one or more activities affecting personal data which may include: collection, recording, analysis, confirmation, storage, correction, disclosure, association, access, retrieval, encryption, decryption, copy, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions.

What is cross-border data transfer?

The Decree stipulates that the transfer of personal data abroad is the use of cyberspace, equipment, electronic means, or other forms of transferring personal data of Vietnamese citizens (not applicable to personal data of foreigners) to a location outside the territory of Vietnam, or the use of a location outside the territory of Vietnam to process personal data of Vietnamese citizens, including:

1. Organizations, enterprises, and individuals transferring personal data of Vietnamese citizens to overseas organizations, enterprises and management departments for processing in accordance with the purposes agreed upon by the data subject;

(Example: Company A in Vietnam collects data about the user’s name, phone number, email and address, and sends this information via the internet to Company B in a foreign country, where Company B processes the data and sends back statistics for Company A to use.)

2. Processing personal data of Vietnamese citizens by automatic systems of the Data Controller, the Data Controller-cum-Processor, or the Data Processor that are located outside the territory of the Socialist Republic of Vietnam, in accordance with the purposes agreed to by the data subject.

(Example: Company A, which is not based in Vietnam, operates a website that collects data of Vietnamese citizens directly through the website and processes the data on a server located abroad.)

Is there any procedure for transferring personal data abroad?

Yes.

All individuals and organizations, when transferring personal data abroad, must carry out the following procedures:

  1. Prepare a cross-border personal data transfer impact assessment dossier (Data Transfer Dossier) and submit it to the Department of Cybersecurity and High-Tech Crime Prevention (A05);
  2. Carry out the transfer of personal data abroad;
  3. Supplement the Data Transfer Dossier at the request of A05 if the dossier is incomplete;
  4. After transferring the data, send a written notice to A05 about the data transfer and contact details of the organization or individual in charge;
  5. Update and supplement the Data Transfer Dossier when there is a change in the contents of the dossier sent to A05.

What does the Data Transfer Dossier include?

The Data Transfer Dossier includes the following contents:

  1. Information and contact details of the Party transferring the data and the Party receiving personal data of Vietnamese citizens;
  2. Full name and contact details of the organization or individual in charge in the Party transferring the data related to the transfer and receipt of personal data of Vietnamese citizens;
  3. A description and explanation of the purposes of processing Vietnamese citizens’ personal data after it is transferred abroad;
  4. A description and clarification of the types of personal data being transferred abroad;
  5. A description clearly showing compliance with the personal data protection regulations in this Decree, detailing the personal data protection measures applied;
  6. An assessment of the impact of the processing of personal data, potential consequences, unwanted damage, and measures to reduce or eliminate such risk or harm;
  7. The consent of the data subject as prescribed in Article 11 of this Decree, given on the basis that the data subject clearly knows the feedback and complaint mechanism available when problems or requests arise;
  8. A document showing the binding responsibilities between the organizations and individuals transferring and receiving personal data of Vietnamese citizens with respect to the processing of that personal data.

Do state agencies conduct checks on the implementation of regulations on data transfer abroad?

Yes.

Based on the specific situation, the Ministry of Public Security will decide to check the transfer of personal data abroad once a year. However, extraordinary inspections can be performed in case of detecting violations of the provisions of the law on the protection of personal data, or the disclosure or loss of Vietnamese citizens’ personal data.

What are the risks of not complying with regulations on cross-border data transfer?

The first risk of not complying with the above regulations on cross-border data transfer is that the party transferring data abroad will have to stop the transfer, disrupting business operations.

The Decree also stipulates that, depending on the level of violation, enterprises can be sanctioned at different levels, from administrative to criminal. It is expected that the Vietnamese Government will soon issue detailed regulations on specific sanctions for each violation. Based on the previous drafts, administrative sanctions can be very strict and greatly affect the finances of the business.[1]

PrivacyCompliance provides solutions for personal data compliance, including assessing the impacts of personal data processing, drafting impact assessment dossiers, and preparing cross-border data transfer dossiers.

PrivacyCompliance

#Decree13 #personaldata #crossborder #dossier #privacy #impactassessment

[1] According to previous drafts, the highest fine can be up to 5% of the annual revenue of the violating enterprise/organization.
