Work related to personal information protection that must be carried out by employers based on Decree 13/2023/ND-CP
- Ho Thi Y NhiI
On April 17, 2023, the Vietnamese government issued Decree 13/2023/ND-CP on personal information protection (hereinafter referred to as "Decree 13"), the first of its kind in Vietnam. Decree 13 came into effect on July 1, 2017, and sets out a series of obligations, particularly for foreign companies, with the aim of protecting the personal information that they manage and process. This report focuses on employers' obligations to protect workers' personal information.
Employers collect and store basic personal information and sensitive information of workers from the time they hire them and conclude a labor contract. According to Decree 13, a foreign company, a representative office of a foreign company, or a branch of a foreign company (hereinafter referred to as a "company") is a controller¹ or manager/processor² of workers' personal information. On the other hand, a subsidiary branch or representative office of a Vietnamese company is not considered to be an information controller or a manager/processor, as it does not have the right to determine the purpose and means of processing personal information. Companies, as information controllers or information managers/processors, must fulfill the following obligations.
1. Obligation to create internal regulations regarding personal information protection
According to Decree 13, personal information managers are obligated to implement appropriate measures aimed at protecting personal information, including the creation of internal regulations. This provision applies not only to workers under labor contracts, but also to employees undergoing vocational training, apprenticeships, or probationary periods, temporary workers, and other persons under the management of companies.
The internal regulations regarding personal information protection are required to clearly state the content that needs to be implemented based on Decree 13. Companies should include the following in their internal regulations, depending on their business content and scale:
・Types of workers’ personal information collected and processed by companies and collection/processing methods
・Purpose of processing personal information of workers
・Principles of personal information processing
・Overseas transfer of personal information (if any)
・Period of personal information processing
・Worker rights and obligations
・Corporate rights and obligations
This internal policy shall be established at the company's headquarters and throughout the company for the purposes of personal information protection and inspection and evaluation activities (if any) of the Ministry of Public Security. The information must be stored appropriately so that it can be viewed by staff.
2. Obligation to prepare and maintain an impact assessment report regarding personal information processing and overseas transfer of personal information
a. Impact assessment report for personal information processing
The impact assessment report for personal information processing is prepared in accordance with the form issued by the Ministry of Public Security. Its main content is an assessment of the impact of the company's information processing activities on the rights and interests of information subjects, the economy, society, administrative procedures, and the legal system. Companies are obliged to prepare this impact assessment on the date of processing personal information.
After preparing the personal information processing impact assessment report, the enterprise shall keep it in the office for inspection by the Ministry of Public Security, and one original copy must be sent to the Ministry of Public Security's Cybersecurity and High-tech Crime Prevention Bureau (hereinafter referred to as "A05") within 60 days from the date of processing of the personal information. For companies that processed personal information before the entry into force of this Decree, the deadline for submitting an impact assessment is within 60 days from the effective date of Decree 13 (July 1, 2023), as stipulated in the guidance on Decree 13 by the Ministry of Public Security. Regarding the format for submitting documents to A05, companies can choose to submit in person, by mail or online (as of September 13, 2023, the website for online applications is not yet complete).
b. Impact assessment report regarding overseas transfer of personal information
Foreign companies also need to be careful when transferring Vietnamese nationals' personal information overseas. Overseas transfer of personal information refers to transferring personal information of Vietnamese citizens to a location beyond Vietnam's borders (including transfer to an overseas organization, company or administrative department), or processing personal information of Vietnamese nationals at a location beyond Vietnam's borders.
Companies that transfer personal information overseas are required to prepare an impact assessment report in accordance with the Ministry of Public Security's form. In the same way as the above-mentioned personal information processing impact assessment report, one original copy must also be sent to A05 of the Ministry of Public Security.
3. Agreement with workers regarding personal information processing and notification before information processing
According to Decree 13, companies must obtain consent from workers for all activities in the personal information processing process, such as collection, recording, storage, and editing, except in some special cases. Workers’ consent should be in written form, digital data, email, or other formats so that it can be used as evidence. Therefore, it is preferable for companies to draw up agreements regarding personal information processing and obtain written consent from workers. In addition, companies are also obliged to inform workers (once only) about the purpose for which their personal information will be used before processing it.
4. Obligations for companies that manage and process sensitive information
Sensitive information is information related to an individual's privacy, such as medical history, criminal information, or ethnic origin. Companies usually manage and process sensitive information of workers, and in addition to applying the basic personal information protection measures mentioned above, they are also obliged to designate a department and person in charge of personal information protection. However, this obligation is exempted for small, medium, and micro-sized companies and emerging/start-up companies that have been established within two years. The definition of small, medium, and micro enterprises is as follows.
[Definition of small and medium-sized enterprises]
|Business content|Micro enterprise|Small business|Medium sized company|
|---|---|---|---|
|Agriculture, forestry and fisheries, industry and construction business|Workers: 10 or less; Annual total revenue: 3 billion VND or less|Workers: 100 or less; Annual total revenue: 50 billion VND or less|Workers: 200 or less; Annual total revenue: 2,000 million VND or less|
|Trade and service business|Workers: 10 or less; Annual total revenue: 10 billion VND or less|Workers: 50 or less; Annual total revenue: 100 billion VND or less|Workers: 100 or less; Annual total revenue: 3,000 million VND or less|
Source: Created by the author based on materials
5. Obligations in the event of violation of laws and regulations regarding personal information protection
If a company discovers a violation of personal information protection laws, it must notify the Ministry of Public Security's A05 within 72 hours after the violation occurs, using the form attached to Decree 13. If notification is made after more than 72 hours, the reason for the delay in notification must be included. At the same time, the company shall establish a record of violations and work with A05 to address such violations.
The above are some of the main obligations of companies under Decree 13 on the management and processing of workers' personal information. Companies need to take immediate action to ensure compliance with the law. On the other hand, the provisions of Decree 13 have been in effect for only a short time, and their content remains general. In practical matters, much information remains undisclosed even after confirmation with the legal authorities in charge. We would like to share information on the appropriate interpretation of Decree 13 and how to put it into practice as soon as it is updated.
*This article is translated by Yarakuzen.
1 “Personal information controller” is a legal entity or individual who determines the purpose and means of processing personal information.
2 “Personal information manager/processor” is a business entity or individual who determines the purpose and means of processing personal information and directly processes personal information.