WORKSHOP ON ADDRESSING CHALLENGES WHEN COMPLYING WITH DECREE 13/2023/ND-CP

Decree 13/2023/ND-CP (“Decree 13”) on personal data protection has been in effect for over a year. However, foreign invested enterprises in Vietnam are still facing massive difficulties in preparing and submitting the impact assessment report for data processing or cross-border data transfer. Understanding the challenges frequently encountered, Asia Legal collaborated with the Human Resources of Thang Long Industrial Zone (“GA-HR/TLIP”) to host a workshop addressing compliance issues related to Decree 13/2023/ND-CP.

From the perspectives of Lawyer Vinh Luu and Lawyer Phong Tran, the workshop emphasized the importance of defining the scope, limitations, and purposes of personal data processing before undertaking any related activities. The principles that need to be followed according to Decree 13 were also organized into an easily accessible order, linked to all aspects of personal data processing of enterprises, from collecting, classifying, storing, to extracting, providing, deleting, and disposing of personal data. Additionally, the workshop provided an overview of the draft Decree on administrative penalties for violations in personal data protection, identified the potential risks and helped the foreign invested enterprises in establishing a compliance roadmap prior to the enactment of the Law on Personal data protection.

Recently in May 2024, the Ministry of Justice has published the draft Decree on administrative penalties in cybersecurity, which provided preliminary guidance on the acts of “Violations of personal data protection principles”. Some violations directly related to the business activities include: processing personal data exceeding the declared scope and purpose; failing to notify data owner; failing to prove that customer data was collected from business activities, etc. with administrative fines ranging from 10 to 100 million VND and up to 3-5% of the total revenue from the previous fiscal year in Vietnam.

Personal data is a valuable asset for every enterprise. The more customers and partners an enterprise have, the larger the volume of personal data it processes, and thus, the responsibility to protect such personal data must also be escalated. However, the main challenge that foreign invested enterprises often encounter is not clearly understanding for what reason personal data needs to be processed, and how the results of processing personal data impact daily business activities. This challenge is made even more complicated by the fact that dealing with personal data is a daily routine of Vietnamese, and sharing, rumoring, judging about information attached to a specific individual is deeply ingrained in Vietnamese culture and customs.

When it comes to preparing and submitting impact assessment reports related to personal data processing, foreign invested enterprises often choose to maximize the scope and purpose of personal data processing, which leads to difficulties in demonstrating the appropriateness of their information systems, technology infrastructures, databases, and the reasonableness of applying protection and security measures. Conversely, if the enterprises narrow the scope and purpose of personal data processing, they will need to make procedural updates to the Ministry of Public Security each time new types of personal data shall be processed, protection and security measures changed, or internal terms and conditions for data processing are altered.

Only by defining the scope and purposes of personal data processing from the beginning can help enterprises assess their passive ability to control and effectively exploit personal data or consider engaging third-party services for data processing, they can also determine the need for specialized technology means and equipment to collect personal data, analyze the potential risks, develop financial plans, estimate costs and expenses in order to set up a roadmap to comply with Decree 13.

The principles shared at the workshop, along with practical experiences and cases study, served as a reference for foreign invested enterprises in Thang Long Industrial Park when developing their own compliance roadmap for Decree 13 as well as preparing for the upcoming Law on Personal Data Protection. The success of the workshop has further strengthened the relationship between GA-HR/TLIP and Asia Legal, providing a solid motivation for Asia Legal to continue assisting and providing legal solutions to foreign invested enterprises in Thang Long Industrial Park.

You May Also Like