Personal data processing impact assessment

Pursuant to Clause 9, Article 2 of Decree No. 13/2023/ND-CP on Personal Data Protection, Personal Data Processing Activities are defined as one or more actions affecting personal data, such as collection, recording, analysis, confirmation, storage, modification, publication, combination, access, retrieval, recall, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction, or any other related actions. 

From the commencement of personal data processing, the Data Controller (an entity or individual that determines the purpose and means of personal data processing), the Data Processor (an entity or individual that processes data on behalf of the Data Controller under a contract or agreement), and the Data Controller and Processor (an entity or individual that both determines the purpose and means of processing and directly processes personal data) are required to prepare and maintain a Personal Data Processing Impact Assessment Dossier. This is to facilitate the management, inspection, and evaluation functions of the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security and other competent authorities in managing personal data protection.

Accordingly, the preparation and maintenance of a personal Data Processing Impact Assessment Dossier constitute a common and essential obligation as stipulated under Vietnamese law on personal data protection. This article aims to provide an overview of the dossier components and the procedural steps required for preparing and maintaining the personal data processing impact assessment dossier that organizations and individuals in the roles of Data Controllers, Data Processors, and Data Controllers and Processors are required to comply with. 

1. The Personal Data Processing Impact Assessment Dossier

  • Components of the Personal Data Processing Impact Assessment Dossier:

The Personal Data Processing Impact Assessment Dossier of Data Controllers and Data Controllers and Processors 

In accordance with Clause 1, Article 24 of Decree No. 13/2023/ND-CP, the Personal Data Processing Impact Assessment Dossier of Data Controllers and Data Controllers and Processors shall include:

a) Information and contact details of the Data Controller or the Data Controller and Processor;

b) Name and contact details of the organization assigned to perform personal data protection duties and the personal data protection officer of the Data Controller or Data Controller and Processor;

c) The purpose of personal data processing;

d) Types of personal data being processed;

e) The organizations or individuals receiving personal data, including those located outside the territory of Vietnam;

f) Cases of cross-border data transfers;

g) Data processing duration and the anticipated timeframe for data deletion or destruction (if applicable);

h) Description of the personal data protection measures applied;

i) An assessment of the impact of personal data processing; potential unintended consequences or damages, and measures to mitigate or eliminate such risks.

The Personal Data Processing Impact Assessment Dossier of Data Processors 

As stipulated in Clause 2, Article 24 of Decree No. 13/2023/ND-CP, Data Processors are required to prepare and maintain a Personal Data Processing Impact Assessment Dossier when entering into contracts with Data Controllers. The Personal Data Processing Impact Assessment Dossier for Data Processors must include:

a) Information and contact details of the Data Processor;

b) Name and contact details of the organization assigned to perform data processing duties and the personnel carrying out data processing of the Data Processor;

c) A description of processing activities and types of personal data being processed under contract with the Data Controller;

d) Data processing duration and anticipated timeframe for data deletion or destruction (if applicable);

e) Cases of cross-border data transfers;

f) General description of the personal data protection measures applied;

g) Potential unintended consequences or damages, along with measures to mitigate or eliminate such risks.

  • Format of the Personal Data Processing Impact Assessment Dossier: The components of the Personal Data Processing Impact Assessment Dossier must be documented in writing, with legal validity provided by the Data Controller, Data Controller and Processor, or Data Processor.
  • Timing for Preparing and Submitting the Personal Data Processing Impact Assessment Dossier: The Personal Data Processing Impact Assessment Dossier must be available at all times for inspection and evaluation by the Ministry of Public Security. A primary copy of the dossier should be submitted to the Department of Cybersecurity and High-Tech Crime Prevention within 60 days from the commencement of data processing, in accordance with Form No. 04 as attached in the Annex to this Decree. 

2. Procedural steps for preparing and maintaining the Personal Data Processing Impact Assessment Dossier  

Step 1: The Data Controller, Data Processor, and Data Controller and Processor shall access the National Portal on Personal Data Protection (as announced by the Ministry of Public Security – https://baovedlcn.gov.vn) or download Form No. 04 issued under Decree No. 13/2023/ND-CP. 

Step 2: The Data Controller, Data Processor, and Data Controller and Processor shall provide information as guided on the National Portal on Personal Data Protection (as announced by the Ministry of Public Security) or complete Form No. 04 as issued under Decree No. 13/2023/ND-CP. 

The contents of the personal data processing impact assessment dossier are regulated under Clause 1, Article 24 of Decree No. 13/2023/ND-CP for Data Controllers and Data Controllers and Processors, and under Clause 2, Article 24 of Decree No. 13/2023/ND-CP for Data Processors (Forms D24-DLCN-01, D24-DLCN-02, and D24-DLCN-03). 

Step 3: Submit the completed dossier via the National Portal on Personal Data Protection (as announced by the Ministry of Public Security) or submit the filled-out dossier to the Department of Cybersecurity and High-Tech Crime Prevention, Ministry of Public Security. 

Step 4: The Department of Cybersecurity and High-Tech Crime Prevention will respond with an assessment of the dossier, providing feedback on its compliance or necessary adjustments.  

In conclusion, preparing a personal data processing impact assessment dossier is a legally mandated obligation for Data Controllers, Data Processors, and Data Controllers and Processors to ensure compliance with the Vietnamese regulations on personal data protection. Adhering fully and accurately to the requirements of this dossier not only safeguards the rights of data subjects but also provides a foundation for regulatory authorities to conduct monitoring and inspection, ensuring safety and transparency in data processing activities. 


Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Intellectual Property Rights. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.
