Decree No. 13/2023/ND-CP, which takes effect on July 01, 2023, sets out a number of things enterprises must do to protect the personal data of their employees.
- 1. Supplement the regulations on collecting and processing employee information
- 2. Supplement/update forms that permit personal data processing
- 3. Update regulations on the prohibition of purchasing or selling personal data
- 4. Appoint individuals and departments for the protection of sensitive personal data
- 5. Personal data processing impact assessment
1. Supplement the regulations on collecting and processing employee information
In accordance with Clause 3, Article 2 of Decree No. 13/2023/ND-CP, the main contents of the labor contract required by Article 21 of the Labor Code 2019, such as full name, date of birth, gender, place of birth, place of birth registration, place of permanent residence, citizenship, and identity card or passport, are the employee's personal data.
In some cases, employees may also provide additional information such as data on crimes and criminal acts collected and stored by law enforcement agencies, or information on inherited or acquired genetic characteristics...; this is sensitive personal data under Clause 4, Article 2 of Decree No. 13/2023/ND-CP.
Enterprises are responsible for notifying all applicants before the recruiter processes their personal data (collection, storage, etc.), in accordance with Article 13 of this Decree.
Accordingly, the notification of personal data processing includes:
- Processing purposes;
- Categories of personal data to be used in relation to the processing purposes;
- Means of processing;
- Information about other organizations or individuals related to the processing purposes;
- Unexpected consequences and damage likely to occur;
- Time for starting and completing the processing of data.
Therefore, the enterprise must add the corresponding provisions to the probationary contract, labor contract, and appendices (scope of personal data protection; purpose and scope of personal data processing; the enterprise's responsibilities in personal data protection...).
2. Supplement/update forms that permit personal data processing
Pursuant to Article 11 of Decree No. 13/2023, enterprises must have the consent of the data subject for all activities in the process of personal data processing (unless otherwise provided in Article 17).
Personal data processing means one or more operations that are performed on personal data, such as collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, retrieval, withdrawal, encryption, decryption, copy, sharing, transmission, provision, transfer, erasure, destruction of personal data or other relevant operations.
The consent of a data subject must be explicitly and specifically expressed in written form, by voice, by ticking the “yes” box, by typing a “yes” syntax in a text message, by selecting “yes” in technical settings, or through another action.
In case of a dispute, the responsibility to prove the data subject’s consent rests with the personal data controller or the personal data controlling and processing party. Enterprises should therefore build or update forms in which employees mark or confirm in writing their consent to the use of their personal data.
Note: The silence or non-response from the data subject is not considered consent.
3. Update regulations on the prohibition of purchasing or selling personal data
In accordance with Clause 4, Article 3 of Decree No. 13/2023/ND-CP, personal data may not be purchased or sold in any form (unless otherwise provided for by law).
Agencies, organizations, and individuals that violate regulations on personal data protection shall, depending on the severity of their violations, be disciplined, administratively sanctioned, or criminally handled under regulations.
Therefore, enterprises must build/update their labor regulations to prohibit the purchase, sale, and sharing of personal data, as the basis for handling labor discipline and compensation for damage (if any) in case of violations.
4. Appoint individuals and departments for the protection of sensitive personal data
One of the measures for the protection of sensitive personal data is prescribed in Article 28 of Decree No. 13/2023:
2. Designate a department with the function of protecting personal data, appoint personnel in charge of personal data protection, and exchange information about the department and the person in charge of personal data protection with the agency in charge of personal data protection. In the case that the controller, controlling and processing entity, processor and the third party shall permanently erase personal data.
Accordingly, enterprises must appoint individuals and departments for the protection of sensitive personal data.
Note:
Micro, small and medium-sized enterprises and startup enterprises may choose to be exempt from the regulations on appointing individuals and departments in charge of personal data protection within the first 2 years from the date of their establishment (Clause 2, Article 43, Decree 13).
5. Personal data processing impact assessment
Pursuant to Article 24 of Decree No. 13/2023, personal data controllers or personal data controlling and processing parties shall compile and keep dossiers of impact assessment of personal data processing from the time personal data processing commences; these dossiers are submitted to the Ministry of Public Security.
At the same time, one original dossier, made according to Form No. 04 in the Appendix to this Decree, must be sent to the Ministry of Public Security within 60 days from the date personal data processing starts.
In addition, foreign-invested enterprises in general, and in particular those operating under a parent company and affiliate model, must pay attention to the case of transferring the personal data of Vietnamese citizens abroad.
Accordingly, the transferor shall send one original dossier, made according to Form No. 06 in the Appendix to this Decree, to the Ministry of Public Security (the Department of Cyber Security and Hi-tech Crime Prevention) within 60 days from the date personal data processing starts.
These are the 5 things enterprises must do for personal data protection in accordance with Decree No. 13/2023/ND-CP.