LEGAL NEWS: OBLIGATION TO DO ASSESSMENT OF IMPACT OF PERSONAL DATA PROCESSING UNDER REGULATIONS OF DECREE NO. 13/2023/ND-CP

On 17/4/2023, the Government issued Decree No 13/2023/NĐ-CP regarding protection of personal data. Accordingly, from 01/7/2023, both Personal Data Controller and Personal Data Controller-cum-Processor have to make and store their dossiers on assessment of impact of personal data processing from the time of starting to process personal data and send to The Ministry of Public Security to support the assessment.

In accordance with this Decree “Personal data processing refers to one or multiple activities that impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities”. Of which, Personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences in electronic environment associated with an individual or used to identify an individual, such as: full name; date of birth; gender; personal image; phone number; ID Card number,….

Currently, personal data processing is conducted popularly in many fields, including: medical, insurance, commerce, … and human management of businesses. As you can see, most enterprises perform at least one of personal data processing activities in human management, such as collection, storage, transmission of personal data of their staff, … In addition, some foreign-owned companies often transmit personal data overseas to the Investors. Thus, under Clause 11, Article 2 Decree 13/2023/NĐ-CP, business is normally referred to as Personal Data Controller-cum-Processor.

According to Article 24 of this Decree, the enterprises (the Personal Data Controller-cum-Processor) are obligated to make and store their dossier on assessment of impact of personal data processing from the time of starting to process personal data; at the same time, within 60 days from the date of processing personal data, enterprises have to send the dossier to the Ministry of Public Security (Department of Cyber​​ Security and Hi-tech Crime Prevention). If business transfer personal data overseas, they are obligated to make and store their dossier on assessment of impact of outbound transfer of personal data and send the dossier to the Ministry of Public Security (Department of Cyber​​Security and Hi-tech Crime Prevention) within 60 days from the date of processing personal date.

In conclusion, from 01/7/2023, most enterprises are responsible for making and storing the dossier on assessment of impact of personal data processing; Additionally, some businesses that transfer personal data overseas have to make and store the dossier on assessment of impact of outbound transfer of personal data.

To support the Clients and business to make and store the above-mentioned kinds of dossiers, AMI kindly to send you two Forms as below:

The dossier on assessment of impact of personal data processing

The dossier on assessment of impact of outbound transfer of personal data

Best Regards./.