Nguyen Huu Phuoc Esq. – Phuoc & Partners Law Company Limited
In the context of the rocketing integration of Vietnam into the economy of the developing countries through free trade agreements signed and taken into effect in the recent time with regard to Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), Free Trade Agreement (FTA) with the European Union, along with the fact that the European Union, has promulgated the General Data Protection Regulation (“GDPR”), taken into effect in May 2018, requesting enterprises of not only members of the European Union but also those from the countries which are outside its border need to comply with regulations on the method of collecting personal information, data storage locations, types of data allowed to share. Moreover, it is the fact that Vietnam has never enacted a specilised law particularly stipulating the protection of both individuals’ personal data in general and employee data in enterprises in particular. To catch up with the world’s trends of protecting the personal data, the Ministry of Public Security has recently drafted and released the Draft Decree on data protection of individuals to consult Ministries, State agencies and people during the period from 09 February 2021 to 09 April 2021. If enacted by the Government, this Draft Decree will both ensure the operation of e-Government has been developed by the Government during the recent time, and also guarantee the legality with regard to the implementation of the protection of personal data in Vietnam.
There are no specilised laws to govern at the moment
In fact, personal data protection is not considered as the new legal subject over the world as well as in Vietnam. Internationally, Article 17 of the International Covenant of United Nations’ General Assembly concerning civil and political rights taken into effect on 23 March 1976, in which Vietnam is a member, stipulated that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence. In most developed countries, this issue is regarded to be immensely important and has its laws to govern as a result.
In Vietnam, as mentioned above, personal data protection is still not governed by specilised laws but by scattered provisions in legal documents at different levels from the Constitution, Laws, Decrees and there is no consistency in identifying violations among these legal documents. Accordingly, the Constitution 2013 stipulates that everyone has the right to inviolate private life, personal secrets and family secrets, and other relevant information protected by the laws. Under the Constitution, the general law that is the Civil Code, which stipulates that “private life, personal secrets, family secrets is inviolability and protected by the laws”. Regarding specific laws, a typical example is Law on Cyber Information Security which stipulates that personal information is data associated with the identification of a particular person. Any organisations or individuals that process the personal information are responsible for ensuring cyber information security for the ones they are processing, and they must formulate and publicize measures to handle and protect the personal information. Personal information-processing organisations and individuals only collect personal information after the personal information subjects agree on the scope and purpose of such collection and use; – shall not provide, share, distribute any personal information collected, accessed, controlled for third parties,…, the personal information subject has the right to request organisations or individuals processing personal information to provide his or her personal information that organisations or individuals have collected and stored. However, the Law on Cyber Information Security currently only provides for the protection of personal information in the cyberspace environment but have not yet expanded to other areas.
Regarding sanctions of violations, any violations that infringe on the personal data can be sanctioned under the forms of forced compensation for damages, fined for administrative violations or will be prosecuted for criminal liability, depending on the nature and severity of the danger and consequences caused by the violations. Concerning administrative liabilities, Decree 98/2020/ND-CP prescribing penalties for administrative violations against regulations on commerce, production and trade in counterfeit and prohibited goods, and protection of consumer rights has stipulated the an administrative fine, ranging from VND40,000,000 to VND60,000,000 for a number of violations committed by organisations as follows: “a) Collecting personal information of consumer without consumers without the prior consent of the information subject; b) Setting up a default mechanism forcing consumers to agree to their personal information being shared, disclosed or used for advertising and other commercial purposes; c) Using consumer personal information in contravention of the purpose and scope announced”. Concerning criminal liability prosecution, the Criminal Code stipulates that “Infringement upon secret information, mail, telephone, telegraph privacy or other means of private information exchange of other” can face up-to-3-year imprisonment as a penalty. The Criminal Code also stipulates that “Illegal provision or use of information on computer networks or telecommunications networks” will face the highest penalty of 7-year imprisonment. Nevertheless, these two types of crimes have not specifically and directly regulated the current violations of law on personal data protection.
In the context of digital transformation and the advent of new forms of technologies which are rapidly taking place recently over the world in general and in Vietnam in particular, it has comprehensively altered the way that Enterprises handle the personal data of the employees. The application of new forms of network infrastructure, using applications on smartphones (Apps) at the workplaces has allowed a large amount of the personal data of the employees to be collected and connected by the enterprises within a reasonable time in extremely low cost of use. Applications (Apps) specialising in systematic data collection and processing can remotely monitor the employees, creating significant challenges to personal data protection and employee privacy. Whereas, unfortunately, in the labour area, the Labour Code 2019 took into effect on 01 January 2021 and its guiding legal instruments do not provide any detailed guidance on the personal data protection of the employees and the sanction to handle violations. Hence, at the moment, to protect the personal data of the employees based on each circumstance as the Civil Code, the Law on Cyber Information Security, the Law on Information and Technology and several other guiding legal documents for each specific area are often quoted by competent State authorities to handle the violations when they are detected and denounced.
The Draft of the new Decree
The Draft Decree will exert a significant impact on the enterprises from its effective date of 01 December 2021. According to this, obligations and responsibilities of the enterprises will be enhanced concerning collecting, using and protecting the personal data of the employees, especially the sensitive ones protected by the laws. The Draft Decree also assists in creating a legal framework for the employees to complain, sue, and sanction any violating enterprise.
In order to unify the approach, identify and protect the personal data as well as sanction violations, the Draft Decree on the protection the personal data has recently been consulted. According to this, the Draft Decree has clarified what constitutes “Personal Data”, classified personal data (i.e. basic personal data (for example permanent address, marital status…) and sensitive personal data (for example sexual status, hereditary,)). In particular, sensitive personal data could only be handled after the employees have registered with the Personal Data Protection Committee. For the first time, the definition such as: “Data subject”. “Personal Data Processor”, “Third Parties”, “Processing Personal Data” has been defined so clearly that they could be effortlessly identifiable.
In the labour area, specifically in the recruitment matter in enterprises, the Draft Decree necessitates some of the specific information regarding processing personal data that shall be provided by enterprises for a candidate before personal data of the candidates is collected and processed including the type of personal data is processed; purpose of the processing; which object is allowed to process, share the personal data; the condition for transferring, sharing the personal data from enterprises to third party (if any). Therefore, before collecting the personal data of the candidates, the enterprises should make public notice on the recruitment website of the enterprises as well as sending a private email to each candidate to guarantee his or her privacy right.
As for the internal assignment related to the personal data of the employees, any enterprise which uses services of third parties, such as providers of recruitment service, payroll, accounting, tax to handle personal data of employees, it is necessary to ensure that in the service contracts between the parties there will be a provision that those third parties must comply with the provisions on personal data protection of the employees in the process of performing assigned works under the service contracts signed with the enterprises.
Besides, the Draft Decree also allows the employees to have quite a few rights related to their personal data: – agree or disagree for the enterprises to handle the personal data: – request the enterprises to modify, review, provide copy version of the personal data, terminate the process of handling the personal data; – restrict the right to access the personal data; – terminate the disclosure or allow the enterprises to access the personal data; and – erase or close the personal data collected. Hence, as the controller of the personal data of employees, the enterprises are obligated to notify the employees regarding which personal data of the employees will be collected by the enterprises, the purpose of the collection, how the personal data will be used, when the personal data use is terminated. This notice may be delivered to the employees by locating the notice in the internal labour regulations or employee handbooks of the enterprises, hanging the notice on the noticeboards located at the workplaces or posting on the internal Intranet of the enterprises.
Subsequently, the Draft Decree also requests that the enterprises shall protect the personal data of the employees in the procedure of processing data (security and confidentiality principles in 8 principles of personal data protection). Accordingly, the personal data shall be protected by the enterprises with appropriate technical measures such as de-identity, encryption, anti-virus or archiving, backing up, extracting and protecting the employees’ processing personal data history. The enterprises must regularly check security measures to ensure they have complied with the obligation to protect the personal data of the employees. The enterprises are also indirectly recommended to store only the personal data of the employees for the time needed to complete the jobs that the enterprises are entitled to collect or as required by law. The enterprises shall adopt the policies to retain the personal data of the employees in order to be able to reasonably account for why the enterprises must retain the personal data of the employees. Additionally, the employees have the right to know about their personal data that the enterprises have collected in their profiles and request the enterprises to modify them if any of them incorrect. What will happen to the personal data of the employees when labour contracts are terminated also needs to be specified in the human resource rules such as the employee handbooks or internal labour regulations of the enterprises, for example.
Furthermore, the enterprises shall organise periodic training sessions for the employees about personal data protection policies for the employees to access the relevant information needed regarding this subject to collaborate and cooperate with the enterprises in terms of protecting their personal data reasonably and ensuring the compliance with the applicable laws.
According to the regulations of personal data protection, the enterprises shall establish a body playing a role of protecting the personal data of the employees such as Division of Information and Technology as well as appoint a personnel to take over personal data such as the personnel of Human Resource Department. Besides, the enterprises shall issue regulations regarding receiving and replying to the requests or complaints of the employees arising relate to the protection of the personal data of the employees, such as the enterprises have to set up procedures and orders to respond to the employees’ requests and complaints within a reasonable time and can be extended further if the complaints are more complicated.
The State’s monitor on personal data protection of employees
To protect the personal data in general and the personal data of the employees in particular, the Personal Data Protection Committee is expected to be soon established, directly under the Government, whose headquarters is located at the Department of Cyber Security and High-Tech Crime Prevention and Control (Ministry of Public Security) with the following functions: enhancing awareness about the personal data protection; providing consulting services, technical support, the management or other special services related to personal data protection; advising the Government on all issues related to the personal data protection…. The Personal Data Protection Committee can have the right to consider the complaints as well as inspect, examine, and sanction the personal data protection in the enterprises but not more than twice/year unless there are grounds to determine violations of regulations on personal data protection. The Enterprises and the employees are bound to promptly report violations of personal data when they know about the violations as well as coordinate with the Personal Data Protection Committee in the process of handling the violations related to the personal data protection activities of the employees.
Concerning sanction of violations, the Draft Decree clearly stipulates about “sensitive data” of the employees and the rate of the administrative fine is very high, up to 100 million VND or 5% of the total profit of the revenue applied to any enterprise that has the repeated violations causing great consequences, and in some cases, criminal prosecution and additional penalties are imposed.
In conclusion, from the enterprise’s perspective, after the Draft Decree is enacted and took into effect, the bottom line is to draft and enact comprehensively and promptly appropriate policies and procedures for personal data protection of the employees, to be conscious of strictly complying with the provisions on personal data protection and sanctions against the violating personnel as well as organise periodic training on the personal data protection of the employees. The enterprises can now also be examined and inspected on the personal data protection of the employees and will be subjected to a number of significant administrative penalties or criminal liabilities, depending on the severity of the violations. From the employees’ perspective, as the subject of the personal data, the employees are now required to take responsibility for protecting their personal data as well as their accuracy.
 Article 23 of the Constitution
 Article 38.1 of the Civil Code
 Article 16 and Article 17 of Law on Cyber Information Security 2015
 Article 4.4.b and Article 65.4 of Decree 98/2020/ND-CP dated 26 August 2020 of the Government
 Article 159 of Criminal Code
 Article 288 of Criminal Code