Challenges in processing administrative procedures under the Decree on Personal Data Protection

Decree 13/2023 on Personal Data Protection (Decree 13/2023) has generated significant excitement among legal experts in Vietnam. Recently, that excitement has been met with the harsh reality of difficulties even in carrying out basic administrative procedures under Decree 13/2023. Specifically, in July 2023, the Ministry of Public Security (MPS) published requirements regarding the content of impact assessment reports for the processing of personal data and impact assessment reports for the cross-border transfer of personal data.
The level of detail and analysis required to prepare these reports is very stringent. For example, the MPS requires these reports to include the following information and documents:
· Detailed information about the department and the individual responsible for personal data protection, including the establishment decision and regulatory documents defining the authority of the personal data protection department;
· Detailed information about the data processor or relevant data controller;
· Details regarding the types of personal data to be collected and processed;
· Details regarding consent and the method of obtaining such consent;
· The volume of personal data to be processed, including the volume and number of data subjects involved;
· A description of how personal data is protected, including the relevant organizational and technical structures;
· An impact analysis covering both quantitative and qualitative analyses, positive and negative impacts, measures to mitigate negative impacts, an analysis of the current situation, impacts on data subjects’ rights, economic impacts, social impacts, and impacts on administrative and legal procedures; and
· A description of the methods for collecting feedback on the impact analysis and how that feedback will be addressed.
It seems that a person would need special training and education to be able to complete these documents. The MPS also has full authority to require companies to redo their impact assessments.
