November 8, 2023
The introduction of Decree No. 13/2023/ND-CP on Protection of Personal Data (“the Decree”) has substantially altered the responsibilities of enterprises and organizations with regard to personal data protection, including the obligation to assess the impact of personal data processing.
Here are some important points on the data protection impact assessment (DPIA) that every company needs to consider for implementation from July 1, 2023.
“Personal data” (PD) refers to information associated with an individual or information that can be used to identify an individual, such as names, gender, personal identification number, political opinions, personal location and so on.
“Personal data processing” refers to one or multiple activities that have an impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, tracing, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities.
DPIA is a process of identifying possible risks arising from the processing of personal data, assessing the impact of such activities as well as the consequences and estimated damage should the risks materialize, and at the same time providing appropriate measures to protect PD and to avoid, reduce or eliminate the identified risks.
Yes. DPIA is a compulsory obligation imposed by the Decree on the PD Controller[1] and the PD Controller-cum-Processor[2] (hereinafter referred to as the Controller), as well as on the PD Processor[3] when executing a contract with the Controller.
With regard to the scope of PD and PD processing activities specified in the Decree, it can be affirmed that most enterprises and organizations in Vietnam would have to carry out DPIA.
From the moment PD processing begins, enterprises, organizations and individuals must draft and store their dossiers on assessment of impact of personal data processing throughout the processing. The Decree does not set a time limit for storing the dossier; however, given the requirement that “the dossier on assessment of impact of personal data processing shall be always available in order to serve the inspection and assessment by the Ministry of Public Security”, it is conceivable that DPIA dossiers must be stored indefinitely.
The assessment must be presented in the form of a dossier according to Form No. 04 in the Appendix of the Decree.
The DPIA dossier must be established in writing and must be legally valid in order to ensure the validity of the assessment process. A legally valid document could be understood as one issued by the legal representative of the enterprise or organization.
For the Controller, the required contents include:
(i) Contact information and details of the Controller and the employee assigned to protect PD;
(ii) Processing purposes;
(iii) Types of personal data to be processed;
(iv) Data-receiving organization or individual;
(v) Cases of overseas transfer of personal data;
(vi) Duration of processing of personal data; estimated time of deletion or destruction of personal data (if any);
(vii) Description of measures for protecting personal data;
(viii) Assessment of the impact of personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.
For the PD Processor, the contents of the DPIA dossier are comparable to the Controller's dossier described above, except for the information about the data recipient and the processing purposes (which are decided by the Controller); in addition, a description of the processing of personal data under the contract with the Controller is required.
Yes. Enterprises shall send 01 authentic copy of the DPIA dossier to the Ministry of Public Security (the Department of Cyber security and Hi-tech Crime Prevention) within 60 days from the date on which PD processing begins. The state agency shall assess the submitted dossier and, where the dossier is not complete and accurate according to regulations, the enterprise will be requested to supplement and/or complete it.
When there is any change to the contents submitted, the enterprises shall report the amended contents to the Ministry of Public Security (Department of Cyber security and Hi-tech Crime Prevention) according to Form No. 05 in the Appendix of the Decree.
The Decree stipulates that agencies, organizations and individuals that violate regulations on the protection of personal data may, depending on the severity of the violation, be disciplined, face administrative penalties or face criminal prosecution. Although there are currently no specific penalties for breaches of the DPIA regulations, with reference to previous drafts the expected sanctions could be severe, with a direct and significant impact on the business results of the enterprise.
Therefore, preparing and compiling the DPIA dossier is an urgent task that most enterprises need to complete before July 1, 2023 in order to avoid possible legal risks.
If you need further support, please contact us for further assistance!
PrivacyCompliance provides solutions to ensure personal data compliance, assess the impact of personal data processing (DPIA), build impact assessment records, cross-border transfer of personal data.
[1] “Personal Data Controller” refers to an organization or individual that decides the purposes and means of processing personal data.
[2] “Personal Data Controller-cum-Processor” refers to an organization or individual that jointly decides the purposes and means, and directly processes personal data.
[3] “Personal Data Processor” refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.