REPORT ON PERSONAL DATA PROCESSING, WHAT ARE THE RESPONSIBILITIES OF ENTERPRISES?

Personal data processing is the process of collecting, recording, analyzing, confirming, storing, editing, publishing, copying, sharing, transmitting, providing, transferring, etc. information related to personal, including basic personal data such as name, address, phone number…; or sensitive personal data such as identification numbers, credit card numbers, or health data… The relevant organization must ensure that the personal data that is the subject of processing is protected safely and right way; strictly comply with the law, which includes the responsibility to report on the personal data processing during implementation.

1.         The objects who are responsible for protecting personal data

Objects requiring compliance with regulations on personal data protection include Vietnamese and foreign agencies, organizations and individuals directly participating or related to personal data processing activities in Vietnam. Specifically:

–           Personal Data Controller refers to an organization or individual that decides purposes and means of processing personal data.

–           Personal Data Processor refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.

–           Personal Data Controller-cum-Processor refers to an organization or individual that jointly decides purposes and means, and directly processes personal data.

–           Third Party refers to an organization or individual other than the data subject, Personal Data Controller, Personal Data Processor, and Personal Data Controller-cum-Processor that is permitted to process personal data.

2.         Impact assessment of personal data processing

a.         Implementation of impact assessment of personal data processing:

The Personal Data Controller and the Personal Data Controller and Processor prepare and maintain a Record on impact assessment of personal data processing. Time of implementation: from the moment when personal data processing begins.

The Personal Data Processor shall prepare and maintain a Personal Data Processing Impact Assessment Record in case of performance of a contract with the Personal Data Controller.

b.         Reporting responsibilities:

Records on impact assessment of personal data processing are established in writing and have legal validity according to regulations and must always be available to serve the inspection and assessment activities of the Ministry of Public Security and sent to competent state agencies complying with the prescribed form. Implementation period: within 60 days from the date of personal data processing.

3.         Outbound transfer of personal data

a.         Implementation of outbound transfer of personal data:

A Vietnamese citizen’s personal data shall be transferred abroad in case where the Sender makes a dossier on assessment of impact of outbound transfer of personal data and carries out the procedures specified by laws. The senders include the Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor and the Third Party.

b.         Requirements for dossier of assessment of impact of outbound transfer:

A dossier on assessment of impact of outbound transfer of personal data shall be always available in order to serve inspection and assessment by the Ministry of Public Security.

The Sender shall send dossier of the assessment to the competent state agencies according to the prescribed Form within 60 days from the date of processing of personal data.

c.         Reporting responsibilities:

The data transfer party shall notify the competent state agency in writing about the data transfer and contact details of the organization or individual in charge after the data transfer is successful.

The party implementing outbound transfer needs to update and supplement the Dossier on assessment of impact of outbound transfer when there is a change in the content of the submitted dossier. Time to complete the application is 10 days from the date of request.

d.         Inspection of outbound transfer of personal data:

Based on the specific situation, the Ministry of Public Security decides to inspect on the transfer of personal data abroad:

–           01 time/year; or

–           When detecting violations of legal regulations on personal data protection; or allow incidents of exposure or loss of personal data of Vietnamese citizens to occur.

>> VIOLATIONS OF FOREIGN WORKERS IN VIETNAM, SOME COMMON ACTS https://linconlaw.vn/violations-of-foreign-workers-in-vietnam-some-common-acts/

>> PROCEDURE ON IMPORTED FUNCTIONAL FOODS ANNOUCEMENT https://linconlaw.vn/procedure-on-imported-functional-foods-annoucement/

4.         Notice on violation of regulations on personal data protection

a.         Responsibility to notify:

–           The Personal Data Controller and the Personal Data Controller and Processor notify the competent state agency no later than 72 hours after the violation occurs. If notification is made after 72 hours, the reason for late notification must be included.

–           The Personal Data Processor must notify the Personal Data Controller as quickly as possible after becoming aware of a violation of personal data protection regulations.

–           Notification may be given every time a piece of information is available.

b.         Notification cases:

–           Violations are detected;

–           Personal data is processed for unintended purposes or against theoriginal agreement between the data subject and the Personal Data Controller, the Personal Data Controller-cum-Processor or in contravention of regulations of law;

–           The data subject’s rights are not protected or not properly exercised;

–           Other cases as prescribed by laws.