Share

Cart

Your shopping cart doesn't have any products yet!!

Go for a walk

We are a localized enterprise service platform in Vietnam.

share

Spotlight on the Law on Cybersecurity in Vietnam and Decree 53

  • Sep 07, 2022
  • Compliance Insights

In order to further align its policies with the international community standards and personal data protection best practices, the Vietnamese authorities have recently released a significant Decree covering key elements on data security. The contents of the Decree may apply to a vast number of businesses active in or doing business with Vietnam, thus we advise international investors to peruse it carefully and take necessary actions to comply with its requirements.

After more than four years from the release of the 2018 Law on Cybersecurity, the guiding Decree of this law, Decree 53 was finally promulgated on 15th of August 2022, and is dated effective as of 1st of October 2022. In the following article, we seek to delineate specific components of the Decree which relate to investors and enterprises doing business in Vietnam, offering practical insights and interpretations.

Compulsory data to be stored in Vietnam

In its broad narrative, Decree 53 covers topics related to the cybersecurity of the Vietnamese national information systems, processes, procedures, and duties of the governmental entities. In addition to these, the Decree provides several noteworthy takeaways dedicated to enterprises/private entities doing business in Vietnam.

Specifically, domestic and foreign enterprises providing services on telecommunications networks, services on internet and value-added services in Vietnam’s cyberspace which collectanalyse or process private information or data about their users or data created by their users in Vietnam (Regulated Industries), are required to store 3 types of data in Vietnam:

  • Data on personal information of the users in Vietnam
  • Data created by users in Vietnam: service account name, service usage time, credit card information, email address, registered network address (IP) last login, logout, registered phone number associated with the account or data
  • Data on the relationship/activities of users in Vietnam: friends, groups with which the user connects or interacts

To clarify, the Regulated Industries are defined by laws as below:

Services on telecommunications networks
  • “Telecommunications services”: the service of sending, transmitting, receiving or processing of information between two users or within a group of users of telecommunications services, including basic service and value-added service, and
  • “Services that apply in telecommunications”: the service using telecommunications transmission lines or networks to provide application services in the domains of information technology, radio or television broadcasting, commerce, finance, banking, culture, information, health care, education and other domains.
Service on Internet
  • “Internet services” is a form of telecommunications services, including Internet access service (the services that allow Internet users to access the Internet) and Internet connection services (the service that allows Internet service providers and telecommunications service providers to connect with each other to share Internet load), and
  • “Services that provide content via the Internet”
Value-added services in cyberspaceValue-added telecommunications services, including:

  • Electronic mail services
  • Voice Mail Service
  • Added value fax services
  • Internet access service
  • Added value telecommunication services as prescribed by the Ministry of Information and Communications

However, the above definitions are still broad and can be understood in different ways without further guidance from the authorities. Thus, enterprises operating in areas related to Regulated Industries should carefully consider whether they are within the scope of Decree 53/2022/ND-CP.

The authorities refer to the types of data mentioned above as Localised Data. The law does not regulate the “form” of data storage; thus, enterprises will decide about the form in which the relevant data will be stored in Vietnam.

Which enterprises are subject to storing Localised Data in Vietnam

Domestic and foreign companies operating within Regulated Industries are both impacted by the localisation of data mentioned in this Decree and are required to store the Localised Data in Vietnam. Specifically, the enterprises affected by this requirement refer to:

  • Domestic companies – include locally owned and foreign owned companies in Vietnam, which operate within the regulated industries, and which collect, analyze or process private information or data about their users or data created by their users in Vietnam, and
  • Certain foreign companies (established in and by the law of a foreign country) which undertake specific activities in Vietnam, or which are notified by the authorities.

The obligation to store data is not automatic to all foreign companies in the mentioned industries which undertake business in Vietnam, but arises when ALL 3 conditions below are met:

1) Foreign enterprises undertake activities in Vietnam related to the following 9 fields:

  • Telecommunications services
  • Storing and sharing data in cyberspace
  • Providing national or international domain names to service users in Vietnam
  • E-commerce
  • Service providers of online payments; payment intermediaries
  • Transport connectivity services through cyberspace
  • Social networks and social media
  • Online video games
  • Services providing, managing or operating other information in cyberspace in the form of messages, voice calls, video calls, email, online chat, and

2) There is a written decision by The Minister of Public Security on storing data and placing a branch or representative office in Vietnam. The enterprises which receive the written decision from the authorities will have a 12-month timeframe to fulfill these data storage requirements and register their branch/representative office, and

3) These foreign enterprises’ services are used to carry out violations with regard to cybersecurity, and fail to coordinate, prevent, investigate and handle that violation upon a written request by the Ministry of Public Security. Under failure of conduct due to force majeure events, foreign enterprises are required to notify the Vietnamese authorities within 3 working days and prepare a remedial plan in less than 30 days period.

When do foreign enterprises need to register a Branch or a Representative Office in Vietnam under Decree 53

Where a foreign entity undertaking business activities in Vietnam does not meet ALL 3 of the above requirements concomitantly, they may not be required to comply with the data storage regulations or open a formal presence in country.

The obligation to register a Branch or a Representative Office in Vietnam applies to foreign enterprises which meet ALL the 3 specific conditions of Localised Data storage mentioned above. Foreign enterprises are required to maintain the official presence in Vietnam through a Branch or Representative office until the services are no longer provided in Vietnam and there are no operations within the country.

The procedures for establishing a Branch or Representative Office are covered in commercial and enterprise laws and other relevant regulations in the Vietnamese regulatory system.

When do the localised data storage obligations commence and what is the term?

  • Domestic enterprises (locally or foreign owned) in Vietnam which are required to comply with the data storage requirements are required to comply with the Decree 53 from the application date on 1st October 2022
  • Foreign enterprises will be required to comply with the Decree 53 obligations from the date the enterprise receives the data storage request from the authorities. The Localised Information is required to be stored in Vietnam a minimum of 24 months from the time the enterprise receives the data storage request from the authorities

Closing

Decree 53 covers a broad range of data storage conditions and requirements for public and private entities in Vietnam and entails clear compliance requirements for foreign enterprises without a formal presence in Vietnam which undertake business activities in country. As these conditions are specific and, in many cases, intertwined with the provisions of the 2018 Law on Cybersecurity, we advise investors to peruse in details the key points of the Decree and undertake a thorough review process to further understand how these apply to their operational model.

If you need any assistance with these or any other matters relevant for international investors in Vietnam, our experts are ready to work with your company to ensure you understand how the above will apply to your specific situation in Vietnam.

 

We use cookie to improve your online experience. By continuing to browse this website, you agree to our use of cookie.

Cookies

Please read our Terms and Conditions and this Policy before accessing or using our Services. If you cannot agree with this Policy or the Terms and Conditions, please do not access or use our Services. If you are located in a jurisdiction outside the European Economic Area, by using our Services, you accept the Terms and Conditions and accept our privacy practices described in this Policy.
We may modify this Policy at any time, without prior notice, and changes may apply to any Personal Information we already hold about you, as well as any new Personal Information collected after the Policy is modified. If we make changes, we will notify you by revising the date at the top of this Policy. We will provide you with advanced notice if we make any material changes to how we collect, use or disclose your Personal Information that impact your rights under this Policy. If you are located in a jurisdiction other than the European Economic Area, the United Kingdom or Switzerland (collectively “European Countries”), your continued access or use of our Services after receiving the notice of changes, constitutes your acknowledgement that you accept the updated Policy. In addition, we may provide you with real time disclosures or additional information about the Personal Information handling practices of specific parts of our Services. Such notices may supplement this Policy or provide you with additional choices about how we process your Personal Information.


Cookies

Cookies are small text files stored on your device when you access most Websites on the internet or open certain emails. Among other things, Cookies allow a Website to recognize your device and remember if you've been to the Website before. Examples of information collected by Cookies include your browser type and the address of the Website from which you arrived at our Website as well as IP address and clickstream behavior (that is the pages you view and the links you click).We use the term cookie to refer to Cookies and technologies that perform a similar function to Cookies (e.g., tags, pixels, web beacons, etc.). Cookies can be read by the originating Website on each subsequent visit and by any other Website that recognizes the cookie. The Website uses Cookies in order to make the Website easier to use, to support a better user experience, including the provision of information and functionality to you, as well as to provide us with information about how the Website is used so that we can make sure it is as up to date, relevant, and error free as we can. Cookies on the Website We use Cookies to personalize your experience when you visit the Site, uniquely identify your computer for security purposes, and enable us and our third-party service providers to serve ads on our behalf across the internet.

We classify Cookies in the following categories:
 ●  Strictly Necessary Cookies
 ●  Performance Cookies
 ●  Functional Cookies
 ●  Targeting Cookies


Cookie List
A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Functional Cookies
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

How To Turn Off Cookies
You can choose to restrict or block Cookies through your browser settings at any time. Please note that certain Cookies may be set as soon as you visit the Website, but you can remove them using your browser settings. However, please be aware that restricting or blocking Cookies set on the Website may impact the functionality or performance of the Website or prevent you from using certain services provided through the Website. It will also affect our ability to update the Website to cater for user preferences and improve performance. Cookies within Mobile Applications

We only use Strictly Necessary Cookies on our mobile applications. These Cookies are critical to the functionality of our applications, so if you block or delete these Cookies you may not be able to use the application. These Cookies are not shared with any other application on your mobile device. We never use the Cookies from the mobile application to store personal information about you.

If you have questions or concerns regarding any information in this Privacy Policy, please contact us by email at . You can also contact us via our customer service at our Site.