Personal data protection has become a crucial legal concern in the context of the rapid development of electronic transactions. The draft Personal Data Protection Law has specified regulations regarding personal data protection in various circumstances. However, the protection of employees’ personal data remains inadequately defined. This article aims to provide readers with a clearer understanding of personal data protection for employees within a corporation.
1. Basic issues regarding the protection of employees’ personal data
Personal data refers to information in the form of symbols, text, numbers, images, sounds, or other similar formats within an electronic environment, which is associated with a specific individual or helps identify a specific individual.
- Employee: Recognized as a “data subject,” meaning an individual whose personal data is reflected in the information collected. This includes both Vietnamese and foreign individuals.
- Employer: Identified as the “Controller and Processor of Personal Data,” referring to an organization or individual that determines the purpose and means of processing and directly processes personal data.
Pursuant to Clause 7, Article 2 of Decree No. 13/2023/ND-CP: “Processing of personal data involves one or more activities affecting personal data, including collection, recording, analysis, confirmation, storage, modification, disclosure, combination, access, retrieval, recall, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction, or other related actions.”
Employees are entitled to fundamental rights as stipulated in Article 9 of Decree No. 13/2023/ND-CP, including the following: the right to be informed; the right to consent; the right to access; the right to withdraw consent; the right to erase data; the right to restrict data processing; the right to data provision; the right to object to data processing; the right to file complaints, denounce violations, and initiate lawsuits; the right to request compensation for damages; the right to protection.
2. Issues Related to the Collection and Storage of Employees’ Personal Data
Collection of Employees’ Personal Data
Prior to signing a labor contract, employees are obligated to provide accurate information to the employer, including their full name, date of birth, gender, place of residence, educational qualifications, vocational skills, health status certification, and other details directly related to the execution of the labor contract as required by the employer. Such information falls within the scope of basic personal data as defined in Clause 3, Article 2 of Decree No. 13/2023/ND-CP.
The provision of basic personal data during the contract negotiation phase is voluntary and consented to by the employee based on the employer’s request. However, labor laws do not entitle employees to know the purposes or types of data being processed. Pursuant to Decree No. 13/2023/ND-CP, employees can only consent if they are clearly informed of the details stipulated in Clause 2, Article 11 of the Decree. Moreover, employers are obligated to notify employees about personal data processing activities. Therefore, prior to entering into a labor contract, the employer should notify the employee of the following and obtain their consent:
- The types of personal data being processed;
- The purpose of processing personal data;
- The organizations or individuals involved in processing personal data;
- The rights and obligations of the data subject;
- The methods of processing;
- Potential unintended consequences or damages;
- The start and end times of data processing.
Thus, before signing the labor contract, the employer should issue a detailed notification addressing personal data protection and obtain the employee’s written consent. Alternatively, a commitment document containing the above elements should be agreed upon by both parties.
3. Regarding personal data protection in employers’ surveillance activities
In labor relations, the protection of personal data in the context of employment differs significantly from other legal relationships. The protection of a data subject’s personal data often involves other parties. For instance, in the case of camera surveillance, if a single employee does not consent to the collection of images via surveillance cameras, the employer may be unable to proceed.
Furthermore, employers currently manage business operations and human resources using email systems with proprietary domains, which typically include: (i) individual email accounts for each employee, (ii) departmental email accounts, and (iii) corporate-wide email accounts. For individual accounts, each employee is provided with a unique password and uses the account independently for work purposes. However, not all email content pertains strictly to work-related activities, as employees may use the accounts for personal purposes. Monitoring the personal communications within these accounts by the employer is inconsistent with legal provisions, particularly Article 38 of the 2015 Civil Code, which states: “Correspondence, telephone communications, telegrams, electronic databases, and other forms of personal information exchange are guaranteed safety and confidentiality. The opening, monitoring, or seizure of correspondence, telephone communications, telegrams, electronic databases, and other forms of personal information exchange may only be conducted in cases stipulated by law”. Current legal instruments lack explicit provisions permitting employers to monitor employees’ personal communications within the scope of work.
Under the 2019 Labor Code, employees are subject to the management, supervision, and direction of the employer. This provision can be interpreted to mean that within the workplace and during working hours, employees are under the employer’s oversight, including matters such as personal images or private messages within email accounts provided by the employer. However, Decree No. 13/2023/ND-CP stipulates that employees, as individuals, have the right to personal data protection and must be informed of and consent to any data collection activities.
Consequently, employers are obligated to notify employees about surveillance activities to ensure compliance with current personal data protection regulations. Additionally, employers may include personal data protection provisions in collective bargaining agreements to formalize the terms of workplace surveillance.
4. Legal Consequences for Employers in Violating Personal Data Protection Obligations
4.1 Compensation for Damages
Employees have the right to claim compensation from employers for violations related to the processing of personal data. Such claims for damages fall within the scope of the 2015 Civil Code, the 2019 Labor Code, and Decree No. 13/2023/ND-CP. The basis for employer liability includes breaches occurring within the scope of the labor contract, personal data protection agreements, and actions outside the scope of the labor contract.
4.2 Administrative Penalties
Pursuant to Articles 84 and 85 of Decree No. 15/2020/ND-CP, employers may face administrative penalties for violations involving the processing of personal data:
a. Violations of regulations on the collection and use of personal information:
“1. A fine ranging from VND 10,000,000 to VND 20,000,000 shall be imposed for any of the following violations:
a) Collecting personal information without the data subject’s consent regarding the scope and purpose of the collection and use of such information;
b) Providing personal information to a third party after the data subject has requested the cessation of such provision.
2. A fine ranging from VND 40,000,000 to VND 60,000,000 shall be imposed for any of the following violations:
a) Using personal information for purposes other than those agreed upon at the time of collection, or without the data subject’s consent;
b) Providing, sharing, or disseminating personal information collected, accessed, or controlled to third parties without the consent of the data subject;
c) Illegally collecting, using, disseminating, or trading personal information belonging to others.”
b. Violations of regulations on the updating, modification, and cancellation of personal information:
“1. A fine ranging from VND 10,000,000 to VND 20,000,000 shall be imposed for:
a) Failing to notify the data subject after deleting stored personal information;
b) Failing to implement appropriate measures to protect personal information due to technical issues.
2. A fine ranging from VND 20,000,000 to VND 30,000,000 shall be imposed for any of the following violations:
a) Failing to update, modify, or delete stored personal information as requested by the data subject, or failing to provide the data subject with access to self-update, modify, or delete their personal information;
b) Failing to delete stored personal information after the purpose of use has been fulfilled or the retention period has expired.
3. A fine ranging from VND 30,000,000 to VND 50,000,000 shall be imposed for:
a) Failing to implement prescribed management or technical measures to protect personal information.”
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email at info@apolatlegal.com.