In the current era of strong digitalization, personal data protection has become one of the top topics of concern, especially since Decree 13/2023/ND-CP was issued. For employees, personal information not only determines their position and income level at a certain degree, but also affects their privacy and personal safety. Therefore, with the appearance of Decree 13, many enterprises face pressure from employees when receiving and storing employees’ personal data. What employee information is considered personal data? This question not only concerns managers, and lawyers but also employees themselves to ensure the rights of employees and enterprises in an increasingly technological and connected working environment.

This article will list the basic types of information that fall under the employees’ personal data. Thereby, helping readers understand the rights and obligations related to personal data protection.

1. What is personal data

Personal data, a concept that has become extremely important in the digital age, includes all types of information stored in the form of symbols, text, figures, images, sounds, or similar forms in the electronic environment. The distinguishing feature of personal data is its ability to be associated with a specific individual, allowing that person to recognize or confirm their identity. There are two main categories: basic personal data and sensitive personal data. Basic personal data includes information such as name, address, and phone number, while sensitive personal data includes information about health, finances, race, political opinions, or biometric characteristics, requiring a higher level of security due to their sensitive nature.

2. Classify types of personal data

In today’s world, classifying and understanding personal data is a key factor in protecting individual privacy. Personal data is not just basic information but can also extend to more details, such as sensitive personal data, capable of revealing many important and private aspects of an individual.

Basic personal data is information necessary to determine an individual’s identity, including:

• Full name and other names, if any;
• Date of birth; and information related to death or disappearance events.
• Gender and place of birth;
• Information about permanent residence, temporary residence, and other contact addresses;
• Nationality and marital status;
• Personal identification information such as phone number, ID card, passport, and other financial identifiers;
• Personal images and information about family relationships.

Sensitive personal data commonly involves information that can deeply affect an individual’s legal rights and interests if disclosed such as:

• Political views, religion, and health information do not include blood type;
• Genetic data and specific biological characteristics such as fingerprints and facial recognition;
• Information about personal life that is extremely sensitive such as sex life;
• Criminal behavior data or data collected by law enforcement agencies;
• Detailed client information on financial institutions and banks;
• Personal location across devices and applications.

The way these types of personal data are collected, stored, and processed poses legal and ethical challenges and requires strict security measures to ensure the safety of the data subject. Organizations and individuals when accessing and using this data need to strictly comply with relevant legal regulations to avoid violating privacy rights, leading to serious legal consequences. This is also the reason why we believe the Vietnamese Government is taking steps to complete the legal framework to regulate the reception – processing – storage – destruction of personal data as well as building mechanisms for cases where individuals and organizations use personal data without the permission of the owner.

3. Issues that employers need to pay attention to when processing employees’ personal data

In the context of strong and growing digitalization, the handling of personal data has become an essential aspect of human resource management. However, this requires businesses to strictly comply with legal regulations to ensure workers’ rights and not violate the provisions of Decree 13. Below are the main issues that employers should note:

• Notify employees about the processing of personal data: According to Decree 13/2023/ND-CP, before collecting or processing data, enterprises must notify employees of the purpose, processing methods, parties involved, personal data collected, processing times and potential consequences. Not only is this notification a legal requirement, it also helps build a relationship of trust and transparency with employees.
• Ensure the employee’s consent: The employee’s consent needs to be clearly confirmed through forms such as text, voice, electronic or other clear consent operations. This consent must include detailed information about the type of data processed, the purposes, parties involved and employee rights. It is important that this consent can be withdrawn at any time, and the withdrawal process must be simple and transparent.
• Responsibility to delete or destroy data when necessary: ​​According to regulations, employees have the right to request deletion or destruction of personal data in many cases such as data that is no longer needed, or when consent is withdrawn. Enterprises must ensure that data deletion processes comply with the law and that data is not retained for longer than is necessary or for the agreed purpose.
• Data storage and protection: Data storage must ensure high security, using appropriate technical and organizational measures to protect data from unauthorized access, loss or damage. Businesses need to have clear policies and procedures in place to protect this data, including when processed by third parties.
• Handling violations: Violations of personal data protection regulations can lead to enterprises facing a number of sanctions from competent authorities. To reduce these risks, enterprises must build internal disciplinary forms for individuals and departments responsible for storing the company’s personnel data, and we believe that they should be specified in the company’s internal labor regulations.

Through this article, we can see that determining and understanding what employee information is considered personal data is an essential element in protecting privacy and ensuring information security. information for workers in the modern working environment. Organizations and enterprises need to be fully aware of their responsibilities in collecting, processing, and protecting employees’ personal data and need to take appropriate measures to comply with relevant legal regulations. In this way, it not only builds trust and peace of mind for employees but also contributes to the sustainable and effective development of the business itself. Protecting personal data is not only a legal obligation but also an essential measure to enhance the competitiveness and reputation of businesses in the global labor market.

Time of writing: 18/07/2024

The article contains general information which is of reference value, in case you want to receive legal opinions on issues you need clarification on, please get in touch with our Lawyer  at  info@cdlaf.vn

You can refer for more information:

• New Regulations on Cashless Payment Activities
• Latest updates 2024 on conditions for Foreign investors doing tourism services in Vietnam
• Summary of questions by foreign investors when restaurant business in Vietnam