Enterprises performing personal data processing activities, such as collection, recording, archiving, editing, copying, accessing, or encryption, … are required to prepare a personal data processing impact assessment (DPIA) dossier. The specific content of the DPIA dossier will vary depending on the enterprise’s role in the personal data processing process.
Data Controllers and Data Processors must establish and maintain their DPIA dossier from the time they begin processing personal data.
Data subject consent applies to all activities in the personal data processing process. Data subject consent is only valid when the data subject voluntarily and knowingly agrees to the following:
- The types of personal data processed;
- The purposes for which the personal data are processed;
- The organization or individual that is processing the personal data;
- The rights and obligations of the data subject.
Where the enterprise is the Personal Data Controller or the Personal Data Controller and Processor, the Data Processing Impact Assessment (DPIA) dossier should include the following:
- Information and contact details of the Personal Data Controller or the Personal Data Controller and Processor;
- Full name and contact details of the organization assigned to perform the personal data protection task and the data protection officer of the Personal Data Controller or the Personal Data Controller and Processor;
- Purpose of personal data processing;
- Types of personal data processed;
- Organizations or individuals that receive personal data, including organizations or individuals outside of Vietnam;
- Cases of personal data transfer abroad;
- Personal data processing time; expected time to delete or destroy personal data (if any);
- Description of the personal data protection measures applied;
- Assessment of the impact of personal data processing; potential unwanted consequences and damage, and measures to mitigate or eliminate such risks and harm.
Where the enterprise is the Personal Data Processor, it makes and archives a DPIA dossier when entering into a contract with the Personal Data Controller. The DPIA dossier of the Personal Data Processor shall include:
- Information and contact details of the Personal Data Processor;
- Full name and contact details of the organization assigned to perform the personal data protection task and the Data Protection Officer of the Personal Data Processor;
- Purpose of personal data processing;
- Description of the processing activities and the categories of personal data processed under the contract with the Personal Data Controller;
- Personal data processing time; expected time to delete or destroy personal data (if any);
- Cases of personal data transfer abroad;
- General description of the personal data protection measures applied;
- Potential unwanted consequences and damage, and measures to mitigate or eliminate such risks and harm.
Remark: The Personal Data Processing Impact Assessment dossier is established in writing and has legal value for the Personal Data Controller, Personal Data Controller and Processor, or Personal Data Processor. It should always be available for inspection and assessment by the Ministry of Public Security.
Procedures
Traders, organizations, and individuals can notify the Ministry of Industry and Trade about the establishment of a mobile e-commerce sales app through the e-commerce management portal at http://online.gov.vn/.
| Process | Detailed description |
|---|---|
| Step 1 | Prepare a complete set of applications |
| Step 2 | Submit the dossier: Within 60 days from the date of personal data processing, the enterprise must submit the dossier to the Ministry of Public Security. |
| Step 3 | Response: The Department of Cyber Security and Crime Prevention using High Technology, Ministry of Public Security will assess the personal data processing impact assessment dossier and request its completion if it is incomplete or does not meet the regulations. The requester must update and supplement the Personal Data Processing Impact Assessment Dossier when there are changes in the content submitted to the Ministry of Public Security according to Form No. 05 of Decree No. 13/2023/NĐ-CP. |