To further align its policies with international standards and personal data protection best practices, the Vietnamese authorities have recently released a significant Decree covering key elements of data security. The contents of the Decree may apply to a vast number of businesses active in or doing business with Vietnam; we therefore advise international investors to peruse it carefully and take the necessary actions to comply with its requirements.
More than four years after the release of the 2018 Law on Cybersecurity, the guiding Decree of this law, Decree 53, was finally promulgated on 15th of August 2022 and is effective as of 1st of October 2022. In the following article, we seek to delineate specific components of the Decree which relate to investors and enterprises doing business in Vietnam, offering practical insights and interpretations.
Compulsory data to be stored in Vietnam
Broadly, Decree 53 covers topics related to the cybersecurity of the Vietnamese national information systems, and the processes, procedures, and duties of governmental entities. In addition to these, the Decree provides several noteworthy takeaways for enterprises and private entities doing business in Vietnam.
Specifically, domestic and foreign enterprises providing services on telecommunications networks, services on internet and value-added services in Vietnam’s cyberspace which collect, analyse or process private information or data about their users or data created by their users in Vietnam (Regulated Industries), are required to store 3 types of data in Vietnam:
- Data on personal information of the users in Vietnam
- Data created by users in Vietnam: service account name, service usage time, credit card information, email address, registered network address (IP) of last login and logout, registered phone number associated with the account or data
- Data on the relationship/activities of users in Vietnam: friends, groups with which the user connects or interacts
To clarify, the Regulated Industries are defined by laws as below:
|Services on telecommunications networks||
|Service on Internet||
|Value-added services in cyberspace||Value-added telecommunications services, including:
However, the above definitions are still broad and can be understood in different ways without further guidance from the authorities. Thus, enterprises operating in areas related to Regulated Industries should carefully consider whether they are within the scope of Decree 53/2022/ND-CP.
The authorities refer to the types of data mentioned above as Localised Data. The law does not regulate the “form” of data storage; thus, enterprises will decide about the form in which the relevant data will be stored in Vietnam.
Which enterprises are subject to storing Localised Data in Vietnam
Domestic and foreign companies operating within Regulated Industries are both impacted by the localisation of data mentioned in this Decree and are required to store the Localised Data in Vietnam. Specifically, the enterprises affected by this requirement refer to:
- Domestic companies, including locally owned and foreign-owned companies in Vietnam, which operate within the Regulated Industries and which collect, analyse or process private information or data about their users or data created by their users in Vietnam, and
- Certain foreign companies (established in and under the law of a foreign country) which undertake specific activities in Vietnam, or which are notified by the authorities.
The obligation to store data does not apply automatically to all foreign companies in the mentioned industries which undertake business in Vietnam, but arises when ALL 3 conditions below are met:
1) Foreign enterprises undertake activities in Vietnam related to the following 9 fields:
- Telecommunications services
- Storing and sharing data in cyberspace
- Providing national or international domain names to service users in Vietnam
- Service providers of online payments; payment intermediaries
- Transport connectivity services through cyberspace
- Social networks and social media
- Online video games
- Services providing, managing or operating other information in cyberspace in the form of messages, voice calls, video calls, email, online chat, and
2) There is a written decision by the Minister of Public Security on storing data and placing a branch or representative office in Vietnam. Enterprises which receive the written decision from the authorities will have a 12-month timeframe to fulfil these data storage requirements and register their branch/representative office, and
3) These foreign enterprises' services are used to carry out cybersecurity violations, and the enterprises fail to coordinate in, prevent, investigate and handle the violation upon a written request by the Ministry of Public Security. Where the failure is due to a force majeure event, foreign enterprises are required to notify the Vietnamese authorities within 3 working days and prepare a remedial plan within a period of less than 30 days.
When do foreign enterprises need to register a Branch or a Representative Office in Vietnam under Decree 53
Where a foreign entity undertaking business activities in Vietnam does not meet ALL 3 of the above requirements concomitantly, it may not be required to comply with the data storage regulations or open a formal presence in the country.
The obligation to register a Branch or a Representative Office in Vietnam applies to foreign enterprises which meet ALL 3 of the specific conditions for Localised Data storage mentioned above. Foreign enterprises are required to maintain an official presence in Vietnam through a Branch or Representative Office until the services are no longer provided in Vietnam and there are no operations within the country.
The procedures for establishing a Branch or Representative Office are covered in commercial and enterprise laws and other relevant regulations in the Vietnamese regulatory system.
When do the localised data storage obligations commence and what is the term?
- Domestic enterprises (locally or foreign owned) in Vietnam which are subject to the data storage requirements must comply with Decree 53 from its application date of 1st October 2022
- Foreign enterprises will be required to comply with the Decree 53 obligations from the date the enterprise receives the data storage request from the authorities. The Localised Information is required to be stored in Vietnam for a minimum of 24 months from the time the enterprise receives the data storage request from the authorities
Decree 53 covers a broad range of data storage conditions and requirements for public and private entities in Vietnam and entails clear compliance requirements for foreign enterprises without a formal presence in Vietnam which undertake business activities in the country. As these conditions are specific and, in many cases, intertwined with the provisions of the 2018 Law on Cybersecurity, we advise investors to peruse in detail the key points of the Decree and undertake a thorough review process to further understand how these apply to their operational model.
If you need any assistance with these or any other matters relevant for international investors in Vietnam, our experts are ready to work with your company to ensure you understand how the above will apply to your specific situation in Vietnam.
Contact our teams for expert support and further information on Decree 53, cybersecurity or data storage regulations for an enterprise in Vietnam:
Phuong Vo – Head of Incorporation, Licensing and Secretarial Services – firstname.lastname@example.org
Matthew Lourey – Managing Partner – email@example.com