NEW DECREE REGARDING PERSONAL DATA PROTECTION – WHAT IS THE LEGAL ISSUES THAT THE ENTERPRISES SHOULD PAY ATTENTION TO WHEN PROCESSING EMPLOYEE DATA?
On 17 April 2023, the Government issued Decree No. 13/2023/ND-CP regulating the personal data protection (“Decree 13”). Decree 13 will come into effect from 1 July 2023. Some notable provisions of Decree 13 are as follows:
- Basic personal data includes: surname, middle name and birth name, other names (if any); date, month, year of birth; date, month, year of death or disappearance; gender; place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address; nationality; personal image; phone number, identity card number, personal identification number, passport number, driving license number, license plate number, personal tax identification number, social insurance number, health insurance card number; marital status; information about family relationships (parents, children); information about an individual’s digital account; personal data reflecting activities or history of activities in cyberspace; and other information attached to a specific person or helping to identify a particular person that is not sensitive personal data as defined by law.
The collection, recording, analysis, confirmation, storage, editing, publicity, combination, access, retrieval, withdrawal, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data or other actions related to information collection, storage, sharing and editing personal data of candidates, employees in the recruitment process, human resource management is considered as processing personal data and requires the consent of the data subject.
The data subject’s consent must be clearly expressed in writing, voice, checking into the consent box, syntax for consent via message, selecting consent technical settings or through another action that demonstrates this. The data subject’s consent must be expressed in a format that can be printed, reproduced in writing, including in electronic form or a verifiable format. Besides, the silence or non-response of the data subject is not considered as consent.
The enterprises may consider developing a separate personal data processing agreement or adding personal data processing clauses into the labour contracts or the annex to the labour contracts to enter into with the employees. The consent of the employees as the data subject is valid only if the data subject voluntarily and is aware of the following: the type of personal data processed; the purpose of processing personal data; organisations and individuals entitled to process personal data; and the rights and obligations of data subjects.
- Purchasing and selling personal data is prohibited in all forms and may be resulted in labour disciplinary actions, administrative sanctions, or criminal prosecution under the law.The enterprises should promulgate and update the internal labour regulations or the non-disclosure agreements on prohibiting the purchase, sale and sharing of personal data information as a basis for handling labour discipline and compensation for damages (if any) in case of violations.
- In case of transferring personal data of Vietnamese citizens abroad, the Personal Data Controller, Personal Data Controller and Processor, Personal Data Processor, and Third Party must prepare an Impact Assessment Dossiers on the transfer of personal data abroad.The Impact Assessment Dossiers on the transfer of personal data abroad must always be available for inspection of the Ministry of Public Security.
 Article 2.3 Decree 13/2023/ND-CP
 Article 2.7 and Article 11.1 Decree 13/2023/ND-CP
 Articles 2.8, 11.3 and 11.5 Decree 13/2023/ND-CP
 Article 11.6 Decree 13/2023/ND-CP
 Điều 3.4 và Điều 4 Nghị định 13/2023/NĐ-CP
 Article 3.4 and Article 4 Decree 13/2023/ND-CP
 Điều 25 Nghị định 13/2023/NĐ-CP
 Article 25 Decree 13/2023/ND-CP