Ho Truong Vy - Lawyer, Ho Chi Minh City Bar Association
We refer to the definition of personal data (PD) processing and understand that it includes collecting, recording, analysing, confirming, storing, editing, publicising, combining, assessing, retrieving, revoking, encrypting, decoding, copying, sharing, transmitting, supplying, transferring, deleting, and destruction of PD or other related actions. Although Decree 13 provides no definition of “recording”, we understand this wording to cover “audio and video recording”. The full name and photographs of an individual are classified under Decree 13 as basic PD.
From a legal perspective, the said recording may be considered an activity of PD processing in the form of “recording”, and valid consent is therefore required. Taking into consideration the specific requirements for the data subject’s consent as stated in Article 11, it is understood that the implied consent “by attending this meeting, you consent to being recorded” is unlikely to be valid consent.
Personnel responsible
Article 28 provides specific requirements for the protection of sensitive PD. Among those requirements are the establishment of a department responsible for protection and the appointment of personnel to oversee this function. Further, it is necessary to communicate information on the department and the appointed individual(s) in charge of PD protection to the specialised agency responsible for overseeing such protection.
When it comes to the appointment of the personnel in charge of PD protection, there may be some questions regarding the interpretation of this requirement. In particular, the question is whether the appointment should be understood in a broad sense, including the appointment of an external person on the basis of a service contract, or in a more restricted sense, referring only to the appointment of an internal employee.
The interpretation of this requirement may vary depending on the specific context and legal framework in place. Here are some thoughts for consideration.
Licensing: Issuing guiding regulations that require the service provider to be licensed or accredited specifically for providing PD protection services.
Expertise and experience: Providing guidance on the qualifications, expertise, and experience that the service provider should possess to effectively carry out PD protection responsibilities.
Legal entities versus individuals: Clarifying whether the service provider should be an individual or a legal entity such as a company in providing PD services.
Compliance with other regulations: Ensuring that the appointment of an external service provider aligns with other regulations like the law on commerce, law on enterprises, and any other relevant laws or industry-specific regulations.
Detailed guidance that addresses the above considerations would provide clear-cut answers, and help organisations and enterprises understand the requirements for external service providers.
Specific requirements
Decree 13 is silent on specific qualifications and expertise for the personnel in charge of PD protection. On the one hand, this offers flexibility for agencies, organisations and enterprises in appointing the personnel in charge based on their specific needs.
On the other hand, the absence of specific requirements may result in potential challenges and unexpected circumstances. Some of those concerns include conflicts of interest and non-compliance with PD protection regulations due to a lack of expertise and qualities on the part of the personnel in charge.
When an employee takes on the dual role of PD protection and other responsibilities within the organisation, it could create a conflict of interest or even impair the execution of duties of the department and employee in charge of PD protection.
Also, without specific requirements for expertise and qualities, there may be a risk of non-compliance with related regulations. In general, the personnel responsible for PD protection may have an in-depth understanding of data protection regulations and best practices, expertise in data protection, technical competence related to data security and IT systems, and communication as well as collaboration skills for working with different stakeholders like cross-functional departments, data subjects and data protection authorities. A lack of expertise and necessary skills may result in inadequate protection of PD, potential data breaches, or non-compliance with legal obligations.
Consequently, it is necessary to incorporate specific and minimum requirements for expertise and qualities of the personnel in charge into the upcoming guidance. The guidance can set a benchmark for organisations and enterprises to demonstrate the competency of the appointed personnel in charge of PD protection in line with local, regional and global standards.
What is more, it is worth considering a proper transitional period for training and educating the personnel qualified for such protection. This transitional period allows organisations and enterprises to provide necessary training, resources, and support to make sure that the appointed personnel are eligible and competent to fulfill their duties.
Regulators, associations, enterprises, and the public have gone the extra mile to issue this decree. While it provides a foundation, the issuance of additional guidance is of the essence to assist in preparation and compliance.