Regulations on personal data protection in labor supervision and recruitment according to the draft law on personal data protection

I. Introduction 

On July 17, 2024, the Government issued Decree No. 13/2023/ND-CP on personal data protection (“Decree 13”). After a period of practical implementation, Decree 13 has had positive impacts in implementing policies related to personal data protection. However, this is only a decree document, not a law document, so there is a need for a principled legal document, contributing to complete legal regulations related to personal data protection. Therefore, the Ministry of Public Security is in the process of developing a draft Personal Data Protection Law (“Draft Law”) to overcome the limitations of Decree 13, and at the same time complete and arrange the legal corridor in the field of personal data protection. This article will focus on analyzing some personal data protection regulations in labor supervision and recruitment according to the Draft Personal Data Protection Law.

II. Some outstanding regulations on personal data protection for the supervision of labor and labor recruitment under the Draft Law

Accordingly, Article 26 of the Draft Law proposes regulations on personal data protection in labor supervision and recruitment, including the following noteworthy contents:

1. Information that employees are required to provide

Employers are only required to provide information in the publicly available recruitment list or employee profile. According to Clause 2, Article 16 of the Labor Code  2019, employees are required to provide honest information to the enterprise about their full name, date of birth, gender, place of residence, education level, professional skills, health status confirmation and other issues directly related to the conclusion of the labor contract that the enterprise requires. Leaving open other issues directly related to the conclusion of the labor contract leads to many enterprises requiring employees to provide personal information and data that are somewhat unrelated to the employee’s work. This is considered an extremely important new point to limit the need for employees to provide unnecessary information, and protecting their privacy rights.

2. Regulations on personal data processing and employee consent

The information provided in the employee profile is processed in accordance with the provisions of law and must have the consent of the data subject. As mentioned above, the Labor Code 2019 stipulates that employees are obliged to provide certain information to businesses. However, it seems that it is very difficult for employees to control how businesses process employees’ personal data. With the provisions of the Draft Law, businesses are responsible for processing personal data in accordance with regulations, and must obtain the consent of employees for all personal data processing activities including collection, storage, analysis, transfer to third parties, and transfer of data abroad. This provision enhances the responsibility of businesses in processing personal data, while ensuring that information processing is transparent, as well as resolving problems for businesses when implementing Decree 13. In addition, the Draft Law also contributes to clarifying the application of regulations on personal data protection in the labor sector, an issue that has not been specifically mentioned before and has caused many difficulties in Decree 13.

3. Data processing requirements in case of updates to the global employee database system

When personal data of employees is updated to the global employee database system: (i) The legal entity collecting and processing personal data must prove that the collection and processing of data is legal; and (ii) The data subject is responsible for the legality of the information provided by him/her. This regulation aims to require businesses and employees to coordinate in controlling and processing personal data. In addition, it forces businesses to be responsible for implementing appropriate organizational and technical measures as well as safety and security measures to prove that data processing activities have been carried out in accordance with the provisions of law. At the same time, it forces employees to be responsible for the information they provide, helping to ensure accuracy, transparency as well as improve the effectiveness of the state’s labor management. 

4. Processing of personal data relating to foreign employers

Foreign companies that recruit and process personal data of Vietnamese employees living and working in Vietnam must do the following specific things: (i) Comply with the provisions of the law on personal data protection in accordance with Vietnamese law; (ii) Have a document, agreement, or contract with an investment company in Vietnam on the processing of personal data of employees; and (iii) Provide the investment company in Vietnam with a copy of the data on Vietnamese employees living and working in Vietnam to comply with the provisions of the law when necessary. It can be seen that this provision of the Draft Law is appropriate and urgent in the context of trade liberalization and global economic integration today when a large number of Vietnamese employees are working remotely for foreign companies. This provision requires foreign enterprises to comply with personal data protection regulations under Vietnamese law to protect the rights of Vietnamese workers.

III. Responsibilities of enterprises to comply with personal data protection regulations in labor supervision and recruitment 

To enhance the protection of personal data, businesses have the obligation to implement methods such as: (i) assigning data processing rights to each individual and department at the workplace, especially those who manage the business, (ii) implementing appropriate organizational and technical measures and safety and security measures, assigning tasks to departments with the function of protecting personal data, designating personnel in charge of protecting personal data and exchanging information about the department and individuals in charge of protecting personal data with the Personal Data Protection Agency, and (iii) improving the effectiveness of internal control and compliance control in the business.

Secondly, enterprises also need to implement external protection measures to prevent violations from organizations and individuals outside the enterprise. Enterprises need to coordinate with foreign enterprises (if any) to process personal data of Vietnamese employees in accordance with regulations, disseminate regulations on personal data protection according to Vietnamese law, clarify the rights and obligations of the subjects in the data processing for foreign companies to recruit and process personal data of Vietnamese employees living and working in Vietnam.

Thirdly, the requirement to appoint at least one technology expert and one legal expert can be outsourced from suppliers to allow for flexibility. However, the business must provide evidence that these employees have met the recruitment criteria to properly perform those functions. However, there are exceptions to this requirement that micro, small and medium enterprises and start-ups are exempt from the data protection department requirement for the first two years of operation. All other requirements must be complied with within the same timeframe as larger businesses. However, it is important to note that the Draft Law stipulates that micro, small and medium enterprises and start-ups directly engaged in personal data processing services are not exempt from this.

If a business discovers that personal data of workers have been leaked, they will have a 72-hour period to notify the authorities of the incidents. This is a safeguard introduced under Decree 13 and this quick response time is intended to ensure prompt action is taken against potential data security breaches. Businesses could be fined between VND10 million and VND70 million if they fail to notify within the prescribed period. To further encourage compliance, the Draft Law introduces a reliability rating system based on their level of compliance. Businesses could receive ratings such as “highly reliable” or “reliable” based on their data protection practices.

IV. Notes when implementing personal data protection responsibilities in monitoring and recruitment of employees

A key issue in implementing personal data protection responsibilities in relation to monitoring and recruitment of employees is the potential power imbalance between employees and businesses when obtaining consent to process their data. This power imbalance refers to situations such as the possibility of an employee being dismissed, or of the employer making things difficult if they refuse. Furthermore, the Draft Law stipulates that silence or non-response by the data subject is not considered consent. Therefore, without appropriate information and guidance in the Draft Law, ambiguities may arise in the workplace regarding employee consent. It is therefore important to note that for the purposes of processing personal data under the Draft Law, silence by an employee when the employer has asked for the employee’s consent is not considered consent.

These issues therefore imply that it is necessary to ensure a full understanding of the concepts of coercion, implied and explicit consent by employers and employees. The employee’s consent must be given by an affirmative act that creates a clear, specific indication of consent, such as: in writing, verbal affirmation, by ticking a consent box, through text message, by selecting technical consent settings or by another act that demonstrates this. In the simplest way, enterprises should express the employee’s consent by directly obtaining the employee’s opinion in the employment contract. This would allow businesses, at best, to be proactive in mitigating the power imbalance that exists when obtaining consent to process personal data from employees – especially if it is of a sensitive nature. 

V. Conclusion

As Vietnam moves towards stronger personal data protection frameworks, businesses must recognise the important balance between leveraging technology to achieve operational efficiency and protecting the rights of employees. The Draft Law’s requirements for consent, lawful data processing and establishing data protection roles are steps designed to embed privacy into business culture. However, practical challenges remain, particularly in addressing inherent power imbalances that can undermine employees’ autonomy in providing consent.

To address these complex issues, organizations must prioritize transparency and employee training on personal data protection to foster an environment of trust and compliance. Proactively adapting to these regulatory changes not only protects employees, but also positions businesses favorably in the evolving digital landscape. By fulfilling these responsibilities, companies in Vietnam can enhance their reputation, mitigate risks, and contribute to a robust data protection ecosystem that is ethically sound, aligned with international standards, and is attractive to foreign businesses.

ADK VIETNAM LAWYERS