In today’s digital age, personal data has become a valuable asset, and protecting it is a major responsibility for businesses. Decree 13/2023/ND-CP (“Decree 13”) was introduced to regulate personal data processing and set out clear guidelines on businesses’ obligations to safeguard employees’ personal data. 

According to Article 4 of Decree 13/2023/ND-CP, agencies, organisations, and individuals who violate personal data protection regulations may face disciplinary actions, administrative fines, or criminal charges, depending on the severity of the violation. 

Let’s examine the key provisions that businesses need to pay attention to, as well as the benefits Decree 13/2023/ND-CP brings to both employees and businesses. 

1. Employees’ Rights under Decree 13

According to Article 9 of the Decree, employees have several important rights concerning their personal data: 

  • Right to Be Informed about Data Processing Activities: Employees have the right to be informed about how their personal data is being processed by the business and must be notified before any data processing begins. 
  • Right to Consent and Withdraw Consent: Employees have the right to agree or disagree to allow the business to process their personal data and may withdraw any prior consent, except where otherwise provided by law. 
  • Right to Access: Employees have the right to request access to their personal data for viewing, editing, or requesting modifications, except where restricted by law. 
  • Right to Complain, Report, Sue, and Seek Compensation: Employees may complain, report, or take legal action if the business violates personal data protection regulations, and they can seek compensation for any damages incurred. 
  1. Businesses’ Responsibilities

Before processing employees’ personal data, businesses must comply with strict requirements under Articles 11 and 13 of the Decree: 

  • Notification and Obtaining Consent: Businesses must provide a one-time notification and obtain clear consent from employees. Consent is only valid if the employee is fully informed and voluntarily agrees, understanding the type of data, purpose of processing, involved parties, and their rights and obligations. 
  • Silence Is Not Consent: An employee’s silence or non-response cannot be interpreted as consent. This requires businesses to implement transparent and clear notification procedures. 
  1. Regulations on Transferring Personal Data Abroad

When transferring the personal data of Vietnamese employees abroad, in addition to the personal data impact assessment report required under Article 24 of the Decree, businesses must prepare an impact assessment report on the overseas data transfer in accordance with Article 25 of the Decree. This report must be submitted to the Ministry of Public Security within 60 days from the start of data processing. 

  1. Benefits of Decree 13 for Businesses

Decree 13 not only establishes legal obligations but also requires businesses to adjust their data processing procedures and policies transparently and appropriately. 

In turn, Decree 13 brings certain positive impacts for businesses: 

  • Personal Data Protection: Ensures that employees’ data is not processed unlawfully. 
  • Clear Accountability: Enhances the sense of responsibility in both businesses and employees concerning data handling. 
  • Legal Foundation: Provides a basis for handling labour discipline and claiming compensation for personal data breaches. 

Conclusion 

Decree 13/2023/ND-CP is a significant step forward in personal data protection in Vietnam. Businesses should prioritise compliance with the Decree’s provisions to safeguard employees’ rights and avoid legal risks.