Vietnam cybersecurity law: Data localisation requirement for digital service providers

The Vietnamese government has clarified certain articles of the Cybersecurity Law 2018. This includes, for example, which data is subject to the localisation obligation, or in which cases a branch office is to be established. Decree no. 53/2022/ND-CP (the “Decree”) came into force on 1 October 2022.

The Decree was issued in the context of the Vietnamese government’s measures to improve cyber safety and security against the backdrop of increasing cross border e-commerce and digital services. Article 26 of the Decree sets out several notable requirements for both domestic and foreign digital service providers.

Data subject to mandatory localisation requirements in Vietnam

The new Decree specifies three types of data that are subject to localisation requirements:

1. The personal data of service users in Vietnam
2. Data generated by service users in Vietnam (i.e., account name, duration of service use, credit card information, email, IP address, registered telephone number etc.)
3. Data on the relationships of service users in Vietnam (i.e., friends and groups with whom the users connect or interact)

The minimum period for data storage is at least 24 months from the date of receiving the data localisation request.

Digital investors must comply strictly with cybersecurity regulations. We can support you in this.

Nghia Tran, Partner, ECOVIS AFA VIETNAM, Da Nang City, Vietnam

Entities required to perform data storage

Data localisation requirements are compulsory for all Vietnamese service providers (including foreign-invested entities) and foreign enterprises doing business in Vietnam in the following areas:

• Telecommunications services
• Storing and sharing data in cyber services
• Providing national or international domain names to service users in Vietnam
• E-commerce
• Online payment, or payment intermediary services
• Online transportation connectivity services
• Social networks and social media
• Online video games
• Providing, managing, or operating other information services in cyberspace in the form of messages, voice calls, video calls, email, and online chat

Requirement of local presence – setting up a branch office may be necessary

In addition, overseas suppliers providing the above services to the Vietnamese market may be required to establish a branch or representative office in Vietnam in the following cases:

• The services are used to commit acts which violate the law on network security and have received a written notice from the Department of Cybersecurity and High-Tech Crime Prevention within the Ministry of Public Security, but the provider has not (fully) complied
• Providers perform acts of preventing, obstructing, disabling, or invalidating network security protection measures implemented by the competent authorities

In the event of force majeure leading to an entity failing to conduct the required cybersecurity measures, it must not only notify the relevant authorities but also find another solution within 30 days, explain the Ecovis experts.

For further information please contact:

Nghia Tran, Partner, ECOVIS AFA VIETNAM, Da Nang City, Vietnam
Email: Nghia.Tran@ecovis.com.vn