
Notification of changes to the personal data processing impact assessment dossier

In the event of any changes to the contents of the personal data processing impact assessment dossier previously submitted to the Ministry of Public Security, the Personal Data Controller, Personal Data Controller-cum-Processor, or Personal Data Processor must update and supplement such dossier by carrying out the procedure for notification of changes to the personal data processing impact assessment dossier. The following article provides readers with detailed information on this matter in accordance with the current legal regulations.


1. Legal Basis for Personal Data Protection

Decree 13/2023/ND-CP on protection of personal data.

2. What is Personal Data? What is Personal Data Processing?

2.1 What is Personal Data?

Pursuant to the provisions in Clause 1, Article 2 of Decree 13/2023/ND-CP, the definition of personal data is as follows:

“1. Personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. The personal data includes general personal data and sensitive personal data.”

Accordingly, pursuant to Clause 3 and Clause 4, Article 2 of Decree 13/2023/ND-CP, personal data includes:

General personal data:

– Last name, middle name and first name, other names (if any);

– Date of birth; date of death or going missing;

– Gender;

– Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;

– Nationality;

– Personal image;

– Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number;

– Marital status;

– Information about the individual’s family relationship (parents, children);

– Digital account information of the individual; personal data that reflects activities and activity history in cyberspace;

– Other information associated with an individual or used to identify an individual other than that specified in Clause 4, Article 2 of Decree 13/2023/ND-CP.

Sensitive personal data refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual’s legal rights and interests, including:

– Political and religious opinions;

– Health condition and personal information stated in health record, excluding information on blood group;

– Information about racial or ethnic origin;

– Information about genetic data related to an individual’s inherited or acquired genetic characteristics;

– Information about an individual’s own biometric or biological characteristics;

– Information about an individual’s sex life or sexual orientation;

– Data on crimes and criminal activities collected and stored by law enforcement agencies;

– Information on customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;

– Personal location identified via location services.

2.2 What is Personal Data Processing?

Based on the provisions in Clause 7, Article 2 of Decree 13/2023/ND-CP, the concept of Personal Data Processing is defined as follows:

“7. Personal data processing refers to one or multiple activities that impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities.”

Thus, personal data processing is understood as one or multiple activities that impact personal data, such as: collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction, or other relevant activities.

3. Procedure for Notifying Change to Personal Data Processing Impact Assessment Dossier

Pursuant to the provisions in Clause 6, Article 24 of Decree 13/2023/ND-CP, the Personal Data Controller, the Personal Data Controller-cum-Processor, and the Personal Data Processor shall update and amend their Personal Data Processing Impact Assessment Dossier when there is any change in the content of the dossier previously submitted to the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention). The dossier includes:

Dossier for Individuals:

a. Notification of Change to Dossier Content (for individuals) – 01 original copy according to Form No. 05b in the Appendix attached to Decree 13/2023/ND-CP;

b. Personal Data Processing Impact Assessment Dossier (for the Personal Data Controller, Personal Data Controller-cum-Processor) – 01 original copy according to Form D24-DLCN-01;

c. Personal Data Processing Impact Assessment Dossier (for the Personal Data Processor) – 01 original copy according to Form D24-DLCN-02;

d. Personal Data Processing Impact Assessment Dossier (for the Third Party) – 01 original copy according to Form D24-DLCN-03;

e. Other documents and records related to the supplementation of the dossier.

Dossier for Organizations:

a. Notification of Change to Dossier Content (for organizations) – 01 original copy according to Form No. 05a in the Appendix attached to Decree 13/2023/ND-CP;

b. Personal Data Processing Impact Assessment Dossier (for the Personal Data Controller, Personal Data Controller-cum-Processor) – 01 original copy according to Form D24-DLCN-01;

c. Personal Data Processing Impact Assessment Dossier (for the Personal Data Processor) – 01 original copy according to Form D24-DLCN-02;

d. Personal Data Processing Impact Assessment Dossier (for the Third Party) – 01 original copy according to Form D24-DLCN-03;

e. Other documents and records related to the supplementation of the dossier.

See detailed procedure at: Procedure for notification of change to personal data processing impact assessment dossier.

4. Personal Data Protection Measures

Personal data protection measures are stipulated in Clause 2, Article 26 of Decree 13/2023/ND-CP, including:

– Management measure adopted by an organization or individual related to processing of personal data;

– Technical measure adopted by an organization or individual related to processing of personal data;

– Measure adopted by a competent state management authority according to regulations in this Decree and relevant law;

– Investigation and procedure measures adopted by a competent state authority;

– Other measures as prescribed by law.

For any inquiries or consultation needs related to the service of implementing the procedure for the latest Notification of change to personal data processing impact assessment dossier and other relevant legal services, please kindly contact CBI Law Firm for support.
