Obligations of parties involved in personal data processing under Decree 13/2023/ND-CP
In the information era, personal data has become an increasingly valuable asset, which creates a need to protect it strictly. With the issuance of Decree No. 13/2023/NĐ-CP (“Decree 13”), Vietnam has established a comprehensive legal framework for the obligations and responsibilities of parties involved in processing personal data. This framework aims to ensure safety, security, and transparency at each step of information processing. The Decree not only emphasizes the role of data controllers and processors but also upholds the data subjects’ rights and protections.
This article will analyze in depth the specific obligations that Decree 13/2023/ND-CP has set out, thereby clarifying the requirements that Vietnamese law places on organizations and individuals regarding the processing of personal data.
1. Parties involved in Personal Data Processing
Personal data is considered a core resource, but it is also a privacy issue for the owner. Therefore, clarity regarding the roles and responsibilities of the parties involved in data processing is essential when engaging in any commercial transactions or collaborations. Based on the provisions of Decree 13, we identify the parties involved in the processing of personal data as follows:
Data Controller: The data controller is the organization or individual that determines the purposes and means of processing personal data. They are responsible for setting processing standards and policies, ensuring the data is appropriate for the given context and complies with current legal regulations. The Data Controller is not only legally responsible for how information is collected, used, and protected, but must also ensure transparency throughout the process.
Data Processor: The data processor is an organization or individual that processes personal data on behalf of a data controller. They operate under contracts or agreements and must strictly adhere to the instructions and regulations set by the data controller. The role of a data processor typically involves performing activities such as collecting, storing, analyzing, and protecting data.
Data Controller and Processor: This is an individual or organization that both determines the purposes and means of data processing and directly engages in processing activities. This requires a strict internal management system to ensure data processing complies with information security and privacy standards.
Third parties are organizations and individuals, other than the Data Subject, Data Controller, or Data Processor, authorized to process Personal Data based on the Data Subject’s consent or as part of a legal agreement. Third parties may include service providers, business partners, and other entities authorized to perform specific activities related to Personal Data.
The interactions between these parties need to be regulated strictly and transparently, ensuring that all data processing complies with the law while protecting the rights and privacy of data subjects. Clear delineation of responsibilities between stakeholders is key to building trust and maintaining the security of personal data in any organization.
2. What is a Personal Data Processing Notice?
In Decree 13/2023/ND-CP, Article 13 is an important provision regulating the obligation to give notice of personal data processing. Accordingly, notification to data subjects about the processing of their data is mandatory and must be carried out before such activities take place. This ensures transparency and allows users to clearly understand the purposes and means of processing their personal information.
However, there are special cases where this notification is not necessary as follows:
- When the individual has been fully informed and voluntarily agrees to all aspects of the personal data processing before providing their data. This means that they have been informed in detail about the purpose and manner of processing and have confirmed their consent in accordance with the terms specified in the Decree.
- In cases where personal data is processed by competent state agencies, for the purpose of serving the operational activities of the state agency in accordance with legal regulations.
The obligation to notify belongs to the Data Controller and the Data Processor, which are the entities that have the authority to decide on and directly process personal data. The clarity of these regulations not only protects the rights of data subjects but also strengthens the legitimacy and professionalism of personal data management and processing, builds trust, and ensures legal compliance in all activities related to personal data.
3. What to do when a party notices a violation of personal data protection regulations
Pursuant to regulations, upon detection of any personal data protection violation, Data Controllers and Data Processors must immediately notify the Ministry of Public Security, specifically the Department of Cyber Security and Crime Prevention using Information Technology, no later than 72 hours after the violation is discovered. This not only demonstrates the urgency and importance of handling violations but also emphasizes the significance of close coordination with law enforcement agencies to ensure that the consequences of violations are minimized most effectively.
On the other hand, the Data Processor shall also be responsible for promptly notifying the Data Controller of any breaches of which it becomes aware. This will not only help to reinforce a rapid response system to incidents but also ensure transparency and accountability between the parties involved.
The above regulations demonstrate Vietnam’s commitment to establishing a stable legal framework that encourages collaboration between relevant organizations and individuals and the state, thereby laying a solid foundation for personal data protection in the current digital age. These measures not only significantly enhance data security and safety but also reflect the government’s deep concern for individual privacy, an increasingly crucial factor in modern society.
4. Responsibilities of parties related to personal data
Within the legal framework of personal data protection, the responsibilities of agencies, organizations, and individuals are clearly and strictly defined, ranging from implementing security measures to coordinating with state agencies to ensure the security of personal data in all processing activities.
The Data Controller is responsible for applying technical and organizational measures to ensure the legality of data processing activities. In particular, storing data processing logs not only serves for inspection and monitoring but is also an important tool in detecting and reporting violations. These regulations serve not only to protect data but also to strengthen accountability, requiring the Data Controller to select an appropriate Data Processor and ensure the rights of the data subject, specifically:
- Implement appropriate organizational, technical, and security measures to demonstrate that data processing activities comply with personal data protection laws. Review and update these measures as needed;
- Record and store system logs of personal data processing;
- Notify violations of regulations on personal data protection according to regulations;
- Select a Personal Data Processor with a clear task and only work with Personal Data Processors with appropriate safeguards;
- Ensure Data Subjects’ rights in accordance with Article 9 of Decree No. 13/2023/ND-CP;
- Data Controllers shall be responsible to Data Subjects for any damages caused by the processing of Personal Data;
- Data Controllers shall cooperate with the Ministry of Public Security and other competent authorities in the protection of Personal Data, and provide information to assist in the investigation and handling of violations of the legal provisions on Personal Data protection.
Decree 13 clearly outlines the responsibilities of the Data Processor, as follows:
- Only receive personal data after having a contract or agreement on data processing with the Personal Data Controller;
- Process personal data in accordance with the contract or agreement signed with the Personal Data Controller;
- Fully implement personal data protection measures specified in this Decree and other relevant legal documents;
- Be responsible to the data subject for damages caused by the processing of personal data;
- Delete and return all personal data to the Personal Data Controller after finishing data processing;
- Coordinate with the Ministry of Public Security and competent state agencies in protecting personal data, providing information to serve the investigation and handling of violations of legal regulations on personal data protection.
Responsibilities of the Data Controller and Processor: fully implement the regulations on the responsibilities of the Personal Data Controller and the Personal Data Processor.
Responsibilities of Third Parties: fully comply with all data processing obligations as outlined in this Decree.
Responsibilities of relevant organizations and individuals:
- Have measures to protect your personal data, and be responsible for the accuracy of the personal data you provide.
- Implement regulations on personal data protection in this Decree.
- Promptly notify the Ministry of Public Security of any violations related to personal data protection activities.
- Coordinate with the Ministry of Public Security in handling violations related to personal data protection activities.
As analyzed above, it is evident that the utmost stringency is applied to ensure the safety, security, and legal compliance of all activities involving personal data. By reinforcing the responsibilities of each party, from Data Controllers to Data Processors, the decree not only enhances the protection of data subjects but also contributes to building a vibrant, transparent, and secure environment in the digital age. This certainty and transparency not only ensure legal compliance but also serve as a solid foundation for the sustainable and effective development of every organization and individual in modern society.
Time of writing: 18/07/2024
This article contains general information for reference only. If you would like legal opinions on issues you need clarified, please get in touch with our lawyers at info@cdlaf.vn