Datenschutz und Cybersecurity

Vietnamse Data Localisation Requirements have become effective

At a glance…

The 2018 Cybersecurity Law regulated (in Article 26.3) that domestic and overseas service providers who carry out activities of collecting/exploiting/analysing/processing certain types of data on telecom networks, internet and value-added services in Vietnam’s cyberspace must store such data in Vietnam for a specified period of time. Moreover, such overseas service providers must have branches or representative offices (RO) established in Vietnam.

On 15 August 2022, the Vietnamese Government issued Decree 53/2022/ND-CP detailing a number of articles of the 2018 Cybersecurity Law, and which sets out the requirements for such local data storage and local presence requirements. Decree 53 has become effective on 1 October 2022.

In detail…

Key points of these requirements include:

1. Local data storage requirements for local entities:
Decree 53 requires all local service providers (including foreign invested enterprises established under Vietnamese laws) who carry out activities of collecting/exploiting/analysing/processing certain types of data (as listed below) on telecom networks, internet and value-added services in Vietnam’s cyberspace to store such data in Vietnam. It is understood that this requirement will be mandatory from the effectiveness of Decree 53, i.e. 1 October 2022.

2. Types of data subject to local storage in Vietnam:
There are three types of data subject to local storage in Vietnam, comprising:

  • personal data of service users in Vietnam;
  • data generated by service users in Vietnam, including;
    • account name of service user
    • time of service use
    • credit card information
    • email address
    • network address (IP) of most recent login/log out
    • registered phone number associated with the account or data; and
  • data on the relationships of service users in Vietnam, including: friends and groups with which users connect or interact.

3. Local data storage and local presence requirements for overseas entities:

  • Overseas entities which (i) hold data subject to local storage (as mentioned above) and (ii) do business in Vietnam in the following sectors:
    • telecommunications;
    • storing and sharing data in cyberspace;
    • providing national or international domain names to service users in Vietnam;
    • e-commerce;
    • online payments;
    • payment intermediaries;
    • transport connectivity services through cyberspace;
    • social networks and social media;
    • online video games; and
    • services providing/managing/operating other information in cyberspace in the form of messages, voice calls, video calls, email, online chat.

may be required to store data and to have a presence in Vietnam.

  • It is understood from Article 26.3.(a) of Decree 53 that local data storage and local presence requirements will be triggered upon a request from the Public Security Minister. Such request would be issued on the bases that:
    • the services provided by the overseas entity have been used by the service users to commit acts of violating the Cybersecurity Law; and
    • the Department of Cybersecurity and High-Tech Crime Prevention (an authority under the Ministry of Public Security) has sent a written notice to an entity requesting coordination, prevention, investigation and handling of such violation acts, but the entity fails to (entirely) comply.
  • Based on the above, although the wording in Article 26.3.(a) is not entirely clear, the local data storage and presence requirements only apply to overseas entities if all four of the above conditions are met.
  • Within 12 months from the date the Public Security Minister issues a request, the overseas entities that receive the request will need to establish a presence in Vietnam in the form of branch/RO and store the data in Vietnam. The data storage period is computed from the time of receipt of the request until the time specified in the request, with a minimum period of 24 months.