Major effects on companies' business activities from the government's regulations on personal data protection

HM&P Law Firm
    Posted on: 13/05/2024

    The Ministry of Public Security is in the final stage of drafting the Draft Decree on regulating administrative measures in the field of cybersecurity (“Draft Decree”) before submitting it to the Government for promulgation. The Draft Decree is proposed to take effect on 01 June 2024.

    The aforementioned legal document includes numerous acts that are considered administrative violations of various laws related to the cybersecurity sector. In particular, the Draft Decree sets out the administrative measures for personal data protection violations provided for in Decree 13/2023/ND-CP ("Decree 13").

    Because the regulations in Decree 13 remain unclear, obstacles arise in their application. The promulgation of a decree establishing administrative measures for violations of data protection regulations will therefore create great pressure on companies to comply with Decree 13 on personal data protection.

    This update presents to our valued clients some notable points of the Draft Decree on Administrative Measures for the Cybersecurity Sector, specifically for violations of data protection matters.

    1. Wide scope of application

    Under the Draft Decree, every act that violates the provisions of Decree 13 carries a corresponding sanction, and measures are to be imposed for the following violations:

    No.  Violations
    1    Violations of data protection principles (Article 3 Decree 13)
    2    Infringing the rights of the personal data subject (Article 9 Decree 13)
    3    Violations of regulations on the consent of the data subject (Article 11 Decree 13)
    4    Violations of regulations on consent withdrawal (Article 12 Decree 13)
    5    Violations of the obligation to send a notice of personal data processing (Article 13 Decree 13)
    6    Violations of regulations on personal data provision (Article 14 Decree 13)
    7    Violations of regulations on personal data adjustment (Article 15 Decree 13)
    8    Violations of regulations on storage, deletion, and disposal of personal data (Article 16 Decree 13)
    9    Violations of regulations on the processing of personal data collected from sound or image recording in public (Article 18 Decree 13)
    10   Violations of regulations on personal data protection in marketing, product presentation, or advertising business (Article 21 Decree 13)
    11   Violations of regulations on collection, transfer, and illegal sale of personal data (Article 22 Decree 13)
    12   Violations of regulations on notification of violations against personal data protection regulations (Article 23 Decree 13)
    13   Violations of impact assessment of personal data processing (Article 24 Decree 13)
    14   Violations of regulations on outbound transfer of personal data (Article 25 Decree 13)
    15   Violations of measures to protect personal data (Article 26 Decree 13)

    2. Some notable violations

    Among the violations of personal data protection regulations, some notable ones concern clearly defined obligations that companies must fulfill under Decree 13/2023/ND-CP, including:

    Firstly, for violations of the regulations on the consent of the data subject

    Companies will be subject to an administrative sanction if personal data is processed without the consent of the data subject, unless otherwise provided by law; or if the data subject's consent is not clearly expressed in writing, by voice, by ticking a box, by message consent syntax, by selecting consent technical settings, or by any other action that demonstrates such consent. The fine for the above violations ranges from VND 20 million to VND 40 million. These violations are easy to commit because enterprises regularly collect personal data from many subjects, such as employees, customers, or business partners. The lack of solutions to legally obtain personal data poses a potential risk of being sanctioned.

    Secondly, regarding the provisions on withdrawal of consent

    According to Article 12 of Decree 13, if a data subject withdraws his/her consent, the data controller, data processor, data controller cum processor or the third party must stop processing the personal data or order the relevant parties to stop processing the personal data. This obligation can be easily violated, especially when companies process a large volume of personal data of employees, customers or business partners and such individuals withdraw their consent by terminating employment relationships or contracts. Continuing to process personal data after withdrawal of consent will result in a fine of VND 50 million to VND 100 million.

    Thirdly, when enterprises engage in marketing, product presentation or advertising business

    The level of administrative penalties is relatively high if the company commits a violation. Specifically, if the illegally collected personal information of customers is used to conduct marketing, product presentation, and advertising business, enterprises may be fined from VND 140 million to VND 200 million. In particular, if the violation is repeated for the second time or more, a fine of up to 5% of the total revenue of the previous fiscal year may be imposed.

    Fourthly, regarding the failure to conduct administrative procedures such as the impact assessment of personal data processing or the outbound transfer of personal data

    Accordingly, enterprises may be fined from VND 140 million to VND 200 million if a company that is the data controller or the data controller cum processor fails to prepare or keep the personal data processing impact assessment dossier from the time of commencing the personal data processing; fails to send the original copy to the Ministry of Public Security (Department of Cyber Security and High-tech Crime Prevention and Control) in accordance with Form 04 attached to the Appendix of Decree 13 within 60 days from the date of commencing the personal data processing; or fails to comply with the request of the Ministry of Public Security (Department of Cyber Security and High-tech Crime Prevention and Control) to correct and complete the personal data processing impact assessment dossier. The same measure will also be imposed for failure to carry out the administrative procedure for the outbound transfer of personal data. In addition, the fine may be increased if the failure to conduct administrative procedures results in the leakage, loss or outbound transfer of personal data. At present, the Ministry of Public Security has developed and put into operation the National Personal Data Protection Portal (https://baovedlcn.gov.vn/), a website for conducting administrative procedures on personal data protection, such as the impact assessment of personal data processing and the outbound transfer of personal data.

    In addition to the violations that we expect to be common, as described above, companies may commit many other personal data protection violations under Decree 13. In order to minimize the risk of being sanctioned with severe measures under the Draft Decree, we believe that companies should focus on reviewing and developing internal rules on the protection of personal data, while at the same time promptly carrying out the necessary administrative procedures with the competent authorities as required by law.