Decree No. 13/2023/ND-CP, issued by the Government on 17 April 2023, regulates personal data protection (“Decree 13”) effective from 01 July 2023. It stipulates that relevant entities when processing personal data/transferring data abroad must compile a Dossier on assessing the impact of personal data processing (“AIPDP Dossier”) and a Dossier on assessing the impact of international transfer of personal data (“AIITPD Dossier”).
In this article, BLawyers Vietnam introduces some notes and our experience in supporting our clients in compiling these types of dossiers.
1. Objects to compile the AIPDP Dossier and AIITPD Dossier
1.1. AIPDP Dossier
According to the provisions of Decree 13, entities engaging in personal data processing must compile and maintain an AIPDP Dossier including:
- Personal data controller means an individual or organization deciding on the purpose or method of processing personal data (the “Controller”);
- Personal data processor means an individual or organization engaged in data processing on behalf of the Controller through a contract or agreement with the Controller (the “Processor”); and
- Personal data controlling and processing entity means an individual or organization engaged in both of the above simultaneously (the “Controlling and Processing Entity”).
1.2. AIITPD Dossier
The party transferring Vietnamese citizens’ data abroad must compile an AIITPD Dossier (the “Transferor”). The party transferring data may be the Controller, the Controlling and Processing Entity, the Processor, or the third party.
2. Notes on procedures to submit an AIPDP Dossier and AIITPD Dossier
2.1. From the time of starting the processing of personal data, the Controller, the Controlling and Processing Entity and the Processor must compile and submit the AIPDP Dossier to the Department of Cyber Security and Hi-tech Crime Prevention under the Ministry of Public Security (the “A05”). Accordingly, the A05 will assess the AIPDP Dossier and request the Controller, the Controlling and Processing Entity and the Processor to complete the AIPDP Dossier if it is not complete as prescribed.
2.2. If transferring Vietnamese citizens’ data abroad, the Transferor must compile the AIITPD Dossier and submit it to the A05. Accordingly, the Transferor will use the A05’s assessment as a basis to complete the AIITPD Dossier.
2.3. The parties must ensure that the AIPDP Dossier and AIITPD Dossier are always available to serve the inspection and assessment of the A05. Updates and supplements of the dossiers when there are changes in the content of the documents are sent to the A05.
2.4. In particular, within 60 days from the date of starting the processing of the personal data, the parties must send an original copy of the AIPDP Dossier and/or AIITPD Dossier to the A05 directly, by online submission at the National Information Portal of Personal Data or by post office.
3. BLawyers Vietnam’s experience in supporting our client in compiling the two sets of dossiers mentioned above
Among BLawyers Vietnam’s clients requesting our legal services related to protecting personal data and processing personal data, one case involved a foreign investor from Singapore (“Parent Company”) that established and owned 100% capital of a company in Ho Chi Minh City, Vietnam (“Subsidiary Company”). The investor wanted BLawyers Vietnam to prepare the AIPDP Dossier and AIITPD Dossier according to Decree 13.
The Parent Company and the Subsidiary Company engages in personal data processing as follows: The Subsidiary Company collects the employee’s data (i) to fulfill the employer’s obligations to state agencies such as tax authorities and social insurance agencies; and (ii) to transfer the personal data to the Parent Company’s internal information system in Singapore for human resource management. The Parent Company processes the personal data of the Subsidiary Company’s employees for human resources management, information posts on the Parent Company’s social media, etc.
Accordingly, BLawyers Vietnam supported the Parent Company and the Subsidiary Company in compiling and completing the following documents to submit to the competent authority, including:
- Personal data protection policy for the Subsidiary Company in Vietnam;
- Personal data processing agreement between the Parent Company and the Subsidiary Company;
- AIPDP Dossier for the Parent Company and the Subsidiary Company; and
- AIITPD Dossier to the Parent Company and the Subsidiary Company.
In summary, from 01 July 2023, relevant parties when processing personal data need to pay attention to fulfilling their obligations in compiling and sending the assessment dossiers to the Ministry of Public Security according to regulations to mitigate related legal risks.
The above is not official advice from BLawyers Vietnam. If you have any questions about the above content, please feel free to contact us via email at firstname.lastname@example.org. We will be happy to hear from you.
Date: 20 October 2023
Writers: Linh Nguyen and Tinh Nguyen