Personal data processing impact assessment

Update day: June 12 , 2024

Personal data processing impact assessment

Enterprises performing personal data processing activities, such as collection, recording, archive, editing, copying, accessing, or encryption,… are required to make a dossier for personal data processing impact assessment (DPIA). The specific content of the DPIA will vary depending on the enterprise’s role in the personal data processing process.

Data Controllers and Data Processors must establish and maintain a dossier of their (DPIA) from when they begin processing personal data.

Data subject consent is applied for all activities in the personal data processing process. Data subject consent is only valid when the data subject voluntarily and knowingly agrees to the following:

  • The types of personal data processed;
  • The purposes for which the personal data are processed;
  •  The organization or individual that is processing the personal data;
  • The rights and obligations of the data subject.

For cases where the enterprise is the Personal Data Controller, Personal Data Controller, and Processor, the Data Processing Impact Assessment (DPIA) dossier should include the following:

  • Information and contact details of the Personal Data Controller, Personal Data Controller and Processor;
  • Full name and contact details of the organization assigned to perform the personal data protection task and the data protection officer of the Personal Data Controller, Personal Data Controller, and Processor;
  • Purpose of personal data processing;
  • Types of personal data processed;
  • Organizations or individuals that receive personal data, including organizations or individuals outside of Vietnam;
  • Cases of personal data transfer abroad;
  • Personal data processing time; expected time to delete or destroy personal data (if any);
  • Description of the personal data protection measures applied;
  •  Assessment of the impact of personal data processing; potential consequences and unwanted damages, risk mitigation or elimination measures, and harm.

For cases where the enterprise is the Data Processor makes and archives a DPIA dossier when entering a contract with the Personal Data Controller, the DPIA dossier of the Data Processor shall include:

  • Information and contact details of the Personal Data Processor;
  • Full name and contact details of the organization assigned to perform the personal data protection task and the Data Protection Officer of the Personal Data Processor;
  • Purpose of personal data processing;
  • Description of the processing activities and the categories of personal data processed under the contract with the Personal Data Controller;
  • Personal data processing time; expected time to delete or destroy personal data (if any);
  • Cases of personal data transfer abroad;
  • General description of the personal data protection measures applied;
  • Potential consequences and unwanted damages, risk mitigation or elimination measures, and harm.

Remark: The Personal Data Processing Impact Assessment dossier is established in writing and has legal value for the Personal Data Controller, Personal Data Controller and Processor, or Personal Data Processor. It should always be available for inspection and assessment by the Ministry of Public Security.

Procedures

Traders, organizations, and individuals can notify the Ministry of Industry and Trade about the establishment of a mobile e-commerce sales app through the e-commerce management portal at http://online.gov.vn/.

Process Detailled description
Step 1  

Prepare a complete set of applications

Step 2  

Submit the dossier: Within 60 days from the date of personal data processing, the enterprise must submit the dossier to the Ministry of Public Security.

Step 3  

Response

The Department of Cyber Security and Crime Prevention using High Technology, Ministry of Public Security will assess and request the completion of the personal data processing impact assessment dossier if it is incomplete or does not meet the regulations.

The requester must update and supplement the Personal Data Processing Impact Assessment Dossier when there are changes in the content submitted to the Ministry of Public Security according to Form No. 05 of Decree No. 13/2023/NĐ-CP.

LIST OF DOCUMENTS

  • Notification of submitting a personal data processing impact assessment dossier according to Form No. 04a of the Appendix issued with Decree No. 13/2023/NĐ-CP (form for organizations)
  • Personal data processing impact assessment dossier (for the personal data controller, data controller, and data processor) or personal data processing impact assessment dossier (for the data processor)
  • Copy of enterprise registration certificate, the decision on the establishment, or ID card/passport of the dossier owner.
  • Copy of the decision or related documents regarding the assignment of the personal data protection department of the dossier owner.
  • Copy of related contracts for personal data processing with relevant parties.
  • Copies of other documents…

COMMITMENT TO SERVICES

On time

All that we do will be planned specifically in terms of time and content. You can control what we do, and the time to completion, and in all cases, we help you maintain the enterprise’s compliance with the deadlines with competent authorities and employees.

Exactly

We commit to the accuracy of the contents of consultation, established documents, and services we provide to customers. We aim to provide you with a safe and effective legal solution for your business operations.

Security

We establish a confidentiality commitment with you, so information about the enterprise, human resources, finance, etc., and other contents related to enterprises and investors will only be disclosed with your consent or in accordance with the laws of Vietnam.

SERVICE PERFORMANCE PROCESS

Assign

CDLAF assigns designated personnel responsible for ensuring information security, ensuring that only assigned individuals have the right to access information and handle client communication.

Collect information and prepare the service contents

Assigned personnel are responsible for collecting clients information, reviewing regulations and preparing service content.

Control the quality

The Board of Lawyers and Counsels reviews the service content prepared by the assigned personnel before it is sent to clients for their review.

Clients’ approval

Clients review and approve the service content prepared by CDLAF.  When requested, meetings are held to explain the prepared content.

Completion

Personnel responsible for service completion directly implement it at the competent authority (if required). They also monitor the progress, report the results, and hand them over to clients.

After-service support

Guide clients to perform necessary tasks related to the delivered results and provide updates on changes in legal regulations.

REASONS FOR CHOOSING CDLAF’S SERVICES

  • We provide you with effective and comprehensive legal solutions, help you save your money, maintain compliance in the enterprise, and simplify all legal issues when doing business in Vietnam;
  • As a law firm established in Vietnam, we have close relationships and knowledge of working methods, and policies of competent authorities, which facilitates you when operating in Vietnam;
  • CDLAF Lawyers have held many important positions in law firms, banks, financial enterprises, foreign enterprises. Therefore, our lawyers provide students with the legal regulations as well as the actual solutions and opinions of competent authorities, see more about human resources.
  • The system of forms about enterprise, labor, tax, etc. available and constantly updated will be provided as soon as customers request.

Contact Us

Are you confused? If you want to discuss your problem more specifically, let us help you, please fill in the information in the table below and send it to us. A free 45-minute consultation email or meeting will be arranged to help you better understand your problem solving problem.

    FAQ QUESTIONS: Personal data processing impact assessment

    How long is the work permit valid?
    In which cases will the Work Permit be revoked?
    What are the conditions for foreign workers to be allowed to work in Vietnam?
    In which cases are foreign investors considered technical workers?
    In which cases can foreign workers come to Vietnam to work as experts?

    Our partners

    Associations

    error: Content is protected !!