The protection of personal data is becoming a more and more urgent legal issue, especially in the current era of digital technology development. Vietnam, besides gradually developing to integrate with the general trend of the times, is also having to solve a difficult problem to protect the right to privacy and the right to access personal data of individuals in general and employees in particular. In order to integrate deeply and effectively, the Government and enterprises must have equal moves between economic benefits and adequate protection of human rights for employees. This article analyzes the legal framework for employees’ privacy and personal data access rights in Vietnam.
An overview of employee’s right to privacy and the right to access personal data.
The right to privacy is mentioned in the Universal Declaration of Human Rights (UDRH) that: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” and affirmed in the International Covenant on Civil and Political Rights (ICCPR).[1] In Vietnam, the right to privacy is reflected in the Constitution and the Civil Code 2015, in particular, private life, personal and family secrets, honour and reputation of all individuals are inviolable and protected by law.[2]
Regarding the right of access by the data subject specified in Article 15 of the General Data Protection Regulation (GDPR) issued by the European Commission effective from 2018, this framework applies to organizations in all member-states and has implications for businesses and individuals across Europe, and beyond,[3] in particular, “the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, access to the personal data and the purposes of the processing, the recipients whom the personal data were disclosed, etc”.
Accordingly, the right to access personal data is an essential part of privacy, demonstrating a significant role in determining the autonomy of each individual and the stable foundation of the community. Within the development of industrial revolution 4.0, commercially exploited personal data has become a special commodity, not only that, many enterprises innovating and increasing the application of technology in the transportation process require the collection of personal data from employees to monitor employee’s work, establish an online platform for internal communication, and minimize their liability in some cases. On the other hand, personal data breaches are becoming more and more large-scale, sophisticated and unpredictable. Therefore, protecting the privacy and personal data of employees is extremely urgent and must go hand in hand with the economic development of each business.
Regulations on the right to privacy and the right to access personal data of employees in Vietnam.
Vietnam still does not have a separate regulation to protect personal data for citizens in general and employees in particular, which is regulated in many specialized legal documents, causing conflicting situations and overlap when applicable.[4] Specifically, the Labor Code 2019 and all the guiding documents do not stipulate the right to privacy and the right to access to personal data of employees as well as sanctions to handle violations.[5] Hence, if there is an act of violation on the right to privacy and the right to access personal data of employees, the competent state agencies will consider it on a case-by-case basis and decide on a legal basis involving the Civil Code, the Law on Cyberinformation security, the Law on Information Technology and other relevant legal documents.
At the beginning of 2021, the Ministry of Public Security submitted to the Government a Draft Decree on personal data protection including 06 chapters, 30 articles regulating the definition and classification of personal data; conditions and procedures for process, protecting and handling violations of personal data; responsibility to protect personal data of agencies, organizations and individuals.[6] In general, the Draft Decree of the Ministry of Public Security has the receptiveness from some points in the GDPR of the European Union.
Accordingly, enterprises must inform employees about the type of data to be processed, the purpose of processing, and the third parties to whom the personal data were disclosed, thus the enterprise must have appropriate notification processes and procedures to ensure the privacy of employees during the working process. As per the internal work linked with a third party such as accounting and tax services, the enterprise, through the service contract, must tighten the terms to ensure that the third party must also comply with the protection of workers’ privacy. Furthermore, the Draft Decree also provides employees with the right to access personal data, specifically the right to agree or disagree with data processing by enterprises; request correction, view, provide copies of data; terminate the processing; delete or close the data that has been collected; etc.
The Draft Decree also requires enterprises in the mentioned process to ensure compliance with security principles and confidentiality principles. Therefore, enterprises should only store the personal data of employees for a certain period and terminate them at the end of labour contracts as well as regularly maintain data security mechanisms to minimize risks in case of information leakage. Regarding sanctions, the Draft stipulates the highest administrative penalty up to 100 million VND or 5% of total revenue, for example, the enterprise does not apply technical measures and establish regulations on the protection of personal data or have repeated violations.
In conclusion, the promulgation of this Draft Decree has partly helped Vietnam to solve the problem of personal data in the current context and and is expected to effectively protect the right to privacy and access information of employees in the promising period of digital economic integration. From the perspective of enterprises, their responsibility for the right to privacy and the right to access employee’s personal data is enhanced and emphasized, so it is necessary to take timely actions such as issuing policies or updating regulations to meet the provisions of the Decree expected to be issued later this year. As for employees, individuals must have a sense of self-protection of personal data, preventing acts of infringing upon their privacy and personal data access rights./.
* Lists of Reference
– Harvard Law School, “Module III – Privacy in the Workplace”, [https://cyber.harvard.edu/privacy/module3.html].
– Hong LM, Dung DT, “The current status of the law on protection of personal information and some recommendations” [http://antoanthongtin.vn/chinh-sach-chien-luoc/thuc-trang-phap-luat- ve-bao-ve-thong-tin-cannhan-va-mot-so-kien-ng-hi-106122].
– Ministry of Public Security, “Draft Decree on Personal Data Protection”, [http://www.bocongan.gov.vn/vanban/Pages/van-ban-moi.aspx?ItemID=519].
– Que diem, “Privacy Rights Under International Conventions and Vietnamese Laws”, [https://quediem.org/2018/12/07/tai-lieu-quyen-rieng-tu-duoi-cong-uoc -quoc-te-valuat-phap-viet-nam/].
– Nguyen Huu Phuoc, “Protecting Personal Data of Employees – Businesses Need to Be Careful” [https://luatsunguyenhuuphuoc.com/bao-ve-du-lieu-ca-nhan-nguoi-lao-dong-doanh -hiep-can-luu-y/].
[1] Que diem, “Privacy Rights Under International Conventions and Vietnamese Laws”, [https://quediem.org/2018/12/07/tai-lieu-quyen-rieng-tu-duoi-cong-uoc -quoc-te-valuat-phap-viet-nam/] (Last accessed on 9th Sep, 2021).
[2] Article 21 of the Constitution and Article 38 of the Civil Code 2015.
[3] Phuoc, NH, “Protecting Personal Data of Employees – Businesses Need to Be Careful” [https://luatsunguyenhuuphuoc.com/bao-ve-du-lieu-ca-nhan-nguoi-lao-dong-doanh -hiep-can-luu-y/] (Last accessed on 9th Sep, 2021).
[4] Hong LM, Dung DT, “The current status of the law on protection of personal information and some recommendations” [http://antoanthongtin.vn/chinh-sach-chien-luoc/thuc-trang-phap-luat- ve-bao-ve-thong-tin-cannhan-va-mot-so-kien-ng-hi-106122] (Last accessed on 9th Sep, 2021).
[5] Phuoc, NH, ibid., 1.
[6] Ministry of Public Security, “Draft Decree on Personal Data Protection”, [http://www.bocongan.gov.vn/vanban/Pages/van-ban-moi.aspx?ItemID=519] (Last accessed on 9th Sep, 2021).