1. Is personal information personal data?
According to Article 2 (3) of Decree No. 13/2023/ND-CP, basic personal data includes:
– Full name, middle name and birth name, other name (if any);
– Date of birth; day, month, year of death or missing;
– Gender;
– Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
– Nationality;
– Personal pictures;
– Phone number, ID number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
– Marital status;
– Information about family relationships (parents, children);
– Information about the personal digital account; personal data reflecting activities, history of activities on cyberspace;
– Other information related to a specific person or helping to identify a specific person that is not specified in Clause 4 of this Article.
Thus, personal information and personal data are two closely related concepts. Personal information is generally considered part of personal data. Personal information refers to any information relating to a particular person, including name, address, phone number, date of birth, personal picture, and any information that can be used to identify that person. Personal data, as the broader concept, includes personal information as well as any other type of data relating to a particular person. This can include information about online behavior, financial information, health information, geographic data, and more.
2. Personal data impact assessment
According to Article 24 of Decree No. 13/2023/ND-CP, the assessment of the impact of personal data processing is regulated as follows:
“1. The Personal Data Controller and the Personal Data Controller-cum-Processor shall make and store their dossiers on assessment of the impact of personal data processing from the time of starting to process personal data.
A dossier on the assessment of the impact of personal data processing includes:
a) Contact information and details of the Personal Data Controller and the Personal Data Controller-cum-Processor;
b) Name and contact details of the organization or employee assigned to protect the personal data of the Personal Data Controller and the Personal Data Controller-cum-Processor;
c) Processing purposes;
d) Types of personal data to be processed;
dd) Data-receiving organization or individual, including the organization or individual that is located or lives outside the territory of the Socialist Republic of Vietnam;
e) Cases of outbound transfer of personal data;
g) Duration of processing of personal data; estimated duration of deletion or destruction of personal data (if any);
h) Description of measures for protecting personal data;
i) Assessment of the impact of personal data processing; undesirable consequences and damage that may occur, and measures for reducing or removing such consequences and damage.
2. The Personal Data Processor shall make and store the dossier on the assessment of the impact of personal data processing in case the Personal Data Processor executes a contract with the Personal Data Controller. A dossier on the assessment of the impact of personal data processing of the Personal Data Processor includes:
a) Contact information and details of the Personal Data Processor;
b) Name and contact details of the organization or employee assigned to protect the personal data of the Personal Data Processor;
c) Description of processing of personal data and types of personal data to be processed under a contract with the Personal Data Controller;
d) Duration of processing of personal data; estimated duration of deletion or destruction of personal data (if any);
dd) Cases of outbound transfer of personal data;
e) General description of measures for protecting personal data;
g) Undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.
3. The dossier on the assessment of the impact of personal data processing of the Personal Data Controller, the Personal Data Controller-cum-Processor, or the Personal Data Processor specified in Clause 1 and Clause 2 of this Article shall be made in writing that is valid.
4. The dossier on the assessment of the impact of personal data processing shall be always available to serve inspection and assessment by the Ministry of Public Security and the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) shall receive 01 authentic copy according to Form No. 04 in the Appendix of this Decree within 60 days from the date of processing of personal data.
5. The Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) shall make an assessment and request the Personal Data Controller, the Personal Data Controller-cum-Processor, and the Personal Data Processor to complete their dossiers on assessment in case the assessment is not complete and accurate according to regulations.
6. The Personal Data Controller, the Personal Data Controller-cum-Processor, and the Personal Data Processor shall update and amend their dossiers on assessment of the impact of personal data processing when there is any change of contents submitted to the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) according to Form No. 05 in the Appendix of this Decree.”
3. Outbound transfer of personal data
According to Article 25 of Decree No. 13/2023/ND-CP, the outbound transfer of personal data is regulated as follows:
- A Vietnamese citizen’s personal data shall be transferred abroad in case the Sender makes a dossier on the assessment of the impact of the outbound transfer of personal data and carries out the procedures specified in Clauses 3, 4, and 5 of this Article. The senders include the Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor, and the Third Party.
- A dossier on the assessment of the impact of the outbound transfer of personal data includes:
+ Contact information and details of the Sender and the Receiver;
+ Full name and contact details of an organization or individual under the Sender involved in sending and receiving a Vietnamese citizen’s personal data;
+ Description and explanation about objectives of the processing of a Vietnamese Citizen’s personal data after the personal data is transferred abroad;
+ Description and clarification of the type of personal data to be transferred abroad;
+ Description and explanation about the observance of regulations on the protection of personal data in this Decree, detailed measures for protecting personal data;
+ Assessment of the impact of personal data processing; undesirable consequences and damage that may occur, and measures for reducing or removing such consequences and damage.
+ Consent of the data subject according to regulations in Article 11 of this Decree when he/she is informed of the mechanism for feedback and complaint in case of arising problems or requests;
+ Document that shows obligations and responsibilities between the Senders and the Receivers for processing of a Vietnamese Citizen’s personal data.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data Processing And Security. Contact our team of lawyers in Vietnam via email info@apolatlegal.com.