Notification of personal data protection violation

The protection of personal data is an essential requirement in the context of digitalization and the increasing risk of violations against the rights and legitimate interests of data subjects. Personal data protection measures must go beyond preventive actions and include an effective and timely mechanism for detecting and handling violations. To establish a responsive framework and ensure accountability among relevant parties in the event of a breach, Article 23 of Decree No. 13/2023/ND-CP on Personal Data Protection provides detailed provisions regarding the notification of violations. This legal provision not only enhances the effectiveness of legal enforcement but also establishes a robust oversight mechanism, contributing to the safeguarding of individuals’ and organizations’ rights against personal data risks. This article briefly introduces key legal matters regarding the obligation to notify violations, including the identification of responsible entities, the required contents of a notification, and the process of receiving and addressing such notifications. 

1. Entities Responsible for Notification

Pursuant to Article 23 of Decree No. 13/2023/ND-CP, two main groups of entities are obligated to notify violations of personal data protection regulations:

(1) Data Controllers, Data Processors, and Data Controllers cum Processors; 
(2) Other organizations and individuals. 

1.1 Data Controllers, Data Processors, and Data Controllers cum Processors: 

  • A Data Processor must notify the Data Controller as soon as possible upon detecting a violation of personal data protection regulations. Accordingly, the Data Processor is not responsible for directly notifying the competent regulatory authority but is instead required to immediately notify the Data Controller or the Data Controller cum Processor when a violation is identified. This limitation reflects the fundamental role of the Data Processor, which operates solely under contractual terms and instructions from the Data Controller without independent decision-making authority over the processed data;
  • Upon receiving notification from a Data Processor, or upon independently detecting a violation, the Data Controller and Data Controller cum Processor must fulfill the obligation to notify the competent regulatory authority of the violation. In addition to submitting a notification, these entities must:
    • Prepare an official record documenting the occurrence of the personal data protection violation;
    • Cooperate with the Ministry of Public Security (Cybersecurity and High-Tech Crime Prevention Department) to address the violation. 

1.2 Other Organizations and Individuals 

Article 23 of Decree No. 13/2023/ND-CP extends the obligation to report personal data protection violations beyond the organizations directly involved in data processing and control, to include any other organizations and individuals who detect such violations. This provision establishes a multi-stakeholder oversight mechanism, enhancing transparency and strengthening the protection of data subjects’ rights. Accordingly, organizations and individuals are responsible for reporting a personal data protection violation upon discovering any of the following:

  • Acts violating legal provisions on personal data; 
  • Processing of personal data for improper purposes, contrary to the original agreement between the data subject and the Data Controller or Data Controller cum Processor, or in violation of legal regulations; 
  • Failure to ensure or properly implement the rights of data subjects;
  • Other cases as prescribed by law. 

2. Contents of a Violation Notification 

A personal data protection violation notification must include the following: 

  • Description of the nature of the violation, including the time, location, nature of the act, involved organizations or individuals, types of personal data affected, and the scope of the data involved;
  • Contact details of the designated data protection officer or the responsible organization/individual for handling the violation; 
  • Assessment of potential consequences and damages arising from the personal data protection violation; 
  • Description of remedial measures taken to address and mitigate the effects of the violation. 

If it is not feasible to provide a comprehensive notification immediately, the notification may be submitted in phases, ensuring that critical information is reported as soon as it becomes available. 

3. Competent Authority Receiving the Notification 

Notifications of personal data protection violations are received, processed, and addressed by the Cybersecurity and High-Tech Crime Prevention Department of the Ministry of Public Security. If the notification is submitted by a Data Controller or a Data Controller cum Processor, it must be sent to the Cybersecurity and High-Tech Crime Prevention Department within 72 hours of detecting the violation, following the format specified in Form No. 03 in the Annex to Decree No. 13/2023/ND-CP. In cases where notification is submitted after the 72-hour period, the responsible entity must provide a justification for the delay.  

4. Notification Procedure 

According to the guidance published on the Public Service Portal of the Ministry of Public Security, the procedure for reporting a personal data protection violation is as follows: 

  • Step 1: The notifying organization or individual shall access the National Personal Data Protection Information Portal (as announced by the Ministry of Public Security) or download Form No. 03 (Form 3a for organizations, Form 3b for individuals) issued with Decree No. 13/2023/ND-CP upon detecting a violation. 
  • Step 2: The notifying organization or individual shall provide the required information as instructed on the National Personal Data Protection Information Portal or complete Form No. 03 as prescribed.
  • Step 3: The completed notification shall be submitted electronically through the National Personal Data Protection Information Portal (as announced by the Ministry of Public Security) or physically to the Cybersecurity and High-Tech Crime Prevention Department, Ministry of Public Security. 
  • Step 4: The Cybersecurity and High-Tech Crime Prevention Department, Ministry of Public Security, shall acknowledge receipt of the notification and provide feedback regarding its processing. 

5. Processing Timeline 

The Cybersecurity and High-Tech Crime Prevention Department, Ministry of Public Security, shall process the notification within ten (10) business days from the date it acknowledges receipt of the personal data protection violation notification. 

Conclusion 

The notification mechanism for personal data protection violations, as prescribed in Decree No. 13/2023/ND-CP, establishes a clear legal framework to ensure accountability and enhance the effectiveness of personal data protection measures. By identifying specific entities responsible for notification, detailing the required contents of a notification, and defining the reporting and processing procedures, this regulation creates a robust oversight mechanism, mitigating risks and strengthening safeguards for data subjects. However, for this framework to be effectively implemented in practice, close coordination among Data Controllers, regulatory authorities, and other stakeholders is essential to ensure transparency, timely response, and strict compliance with personal data protection regulations.

See more:

1/ New legal framework for data management in Vietnam

2/ Regulations on the protection of employees’ personal data

3/ Shape Personal data protection organization services under the draft law on personal data protection


Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data and contact our team of lawyers in Vietnam via email info@apolatlegal.com.
