Vietnam cybersecurity law: Data localisation requirement for digital service providers
3. November 2022
The Vietnamese government has clarified certain articles of the Cybersecurity Law 2018. This includes, for example, which data is subject to the localisation obligation, or in which cases a branch office is to be established. Decree no. 53/2022/ND-CP (the “Decree”) came into force on 1 October 2022.
The Decree was issued in the context of the Vietnamese government’s measures to improve cyber safety and security against the backdrop of increasing cross-border e-commerce and digital services. Article 26 of the Decree sets out several notable requirements for both domestic and foreign digital service providers.
Data subject to mandatory localisation requirements in Vietnam
The new Decree specifies three types of data that are subject to localisation requirements:
The personal data of service users in Vietnam
Data generated by service users in Vietnam (i.e., account name, duration of service use, credit card information, email, IP address, registered telephone number etc.)
Data on the relationships of service users in Vietnam (i.e., friends and groups with whom the users connect or interact)
Data must be stored for at least 24 months from the date of receiving the data localisation request.
Digital investors must comply strictly with cybersecurity regulations. We can support you in this. Nghia Tran, Partner, ECOVIS AFA VIETNAM, Da Nang City, Vietnam
Entities required to perform data storage
Data localisation requirements are compulsory for all Vietnamese service providers (including foreign-invested entities) and foreign enterprises doing business in Vietnam in the following areas:
Storing and sharing data in cyber services
Providing national or international domain names to service users in Vietnam
Online payment, or payment intermediary services
Online transportation connectivity services
Social networks and social media
Online video games
Providing, managing, or operating other information services in cyberspace in the form of messages, voice calls, video calls, email, and online chat
Requirement of local presence – setting up a branch office may be necessary
In addition, overseas suppliers providing the above services to the Vietnamese market may be required to establish a branch or representative office in Vietnam in the following cases:
The services are used to commit acts which violate the law on network security, and the provider has received a written notice from the Department of Cybersecurity and High-Tech Crime Prevention within the Ministry of Public Security but has not (fully) complied
Providers perform acts of preventing, obstructing, disabling, or invalidating network security protection measures implemented by the competent authorities
In the event of force majeure leading to an entity failing to conduct the required cybersecurity measures, it must not only notify the relevant authorities but also find another solution within 30 days, explain the Ecovis experts.