When a company transfers personal data of Vietnamese citizens (such as employee data) overseas, the service provider must create a Personal Data Transfer Impact Assessment Dossier. The transfer of data overseas is considered compliant if the following conditions are met:
- Submit 01 original copy of the application to the Department of Cyber Security and Prevention of High-Tech Crimes under the Ministry of Public Security within 60 days from the date of personal data processing;
- Notice to the Department of Cyber Security and High-Tech Crime Prevention under the Ministry of Public Security on the transfer of data and contact details of the responsible organization and individual in writing after the data transfer has been completed.
Data transferors which transfer data abroad include Personal Data Controller, Personal Data Controller and Processor, Personal Data Processor, and Third Party.
*Notes: In addition to establishing and submitting dossiers to the Ministry of Public Security, enterprises must also store the Personal Data Transfer Abroad Impact Assessment Dossier. Accordingly, the Personal Data Transfer Impact Assessment Dossier must always be available to serve the inspection and evaluation activities of the Ministry of Public Security (according to Clause 3, Article 25 of Decree 13/2023).
Cases of suspension of personal data transfer abroad
The data transferor must stop transferring personal data abroad if any of the following circumstances occur:
- Upon discovery that the transferred personal data is being used for activities that violate the interests or national security of the Socialist Republic of Vietnam;
- The party transferring data abroad does not: (i) Complete the Personal Data Transfer Impact Assessment Dossier in cases where the dossier is incomplete and does not comply with the requirements of the Ministry of Public Security; (ii) Update and supplement the Personal Data Transfer Impact Assessment Dossier when there are changes to the content of the dossier submitted to the Ministry of Public Security;
- An incident of leakage or loss of personal data of Vietnamese citizens occurs.
Procedures
| Process | Detailled description |
| Step 1 |
The data transferor shall submit one original copy of the dossier to the Department of Cyber Security and Crime Prevention under the Ministry of Public Security within 60 days from the date of personal data processing in accordance with Form No. 06 of the Appendix to Decree No. 13/2023/NĐ-CP. |
| Step 2 |
After the data transfer is successful, the data transferor shall notify the Department of Cyber Security and High-Tech Crime Prevention under the Ministry of Public Security in writing about the data transfer and the contact details of the responsible organization or individual. |
| Step 3 |
The Ministry of Public Security (Department of Cyber Security and Prevention and Combating High-Tech Crimes) evaluates and requests the Data Transfer Party to complete the Personal Data Transfer Impact Assessment Dossier when the file is incomplete and does not comply with regulations. |
