ISSUE OF OCTOBER 2022 – DATA STORAGE AND ESTABLISHMENT OF BRANCHES OR REPRESENTATIVE OFFICES IN VIETNAM OF DOMESTIC AND FOREIGN ENTERPRISES

Dear Valued Clients,

On August 15^th 2022, The Government issued Decree 53/2022/ND-CP (“Decree 53”), effective from October 1^st 2022, detailing several provisions of the Cybersecurity Law in which the storage of data and establishment of branches or representative offices in Vietnam of domestic and foreign enterprises are also prescribed.

In this Legal Update, we would like to summarize and clarify provision on storage of data and establishment of branches or representative offices in Vietnam of domestic and foreign enterprises in accordance with Decree 53.

1.        Data subject to storage in Vietnam

Article 26 of Decree 53 requires following types of data to be storaged in Vietnam:

(i)       Data on the personal information of service users in Vietnam;

(ii)      Data created by service users in Vietnam: Account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone numbers in association with the accounts or data;

(iii)     Data on the relationships of service users in Vietnam: friends and groups whom users have connected or interacted with.

 2.        Subjects obligated to store data in Vietnam

(i)       Enterprises established or registered for establishment under Vietnamese law and having their head office in Vietnam (domestic enterprises) must store the types of data mentioned in Section 1 of this Legal Update in Vietnam[1].

(ii)      Enterprises established or registered for establishment under foreign law (foreign enterprises) conducting business in Vietnam in the following sectors must store the types of data mentioned in Section 1 of this Legal Update in Vietnam in case the service provided by such enterprises is used to commit violations[2] against the laws on cybersecurity[3]:

• Telecommunications services;
• Storing and sharing of data in the cyberspace;
• Providing national or international domain names for service users in Vietnam;
• E-commerce; online payment;
• Payment intermediary;
• Services of connection and transportation in the cyberspace;
• Social media and social communication;
• Online games;
• Services of providing, managing, or operating other information in the cyberspace in forms of messages, calls, video calls, emails, and online chatting.

In case of inability to comply with the laws on cybersecurity due to force majeure, foreign enterprises shall notify the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security within 03 working days to verify the authenticity of such force majeure and shall have 30 working days to adopt remedial methods[4].

3.        Notes for enterprises on other requirements of data storage

Apart from the above requirements for storing data in Vietnam, domestic and foreign enterprises should take note of the following general criteria:

If enterprises inadequately collect, utilize, analyze, and handle data in accordance with the Section 1 of this Legal Update, they shall cooperate with the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam to confirm and proceed to store the types of data that are currently being collected, utilized, analyzed, and handled.

If enterprises proceed to additionally collect, utilize, analyze, and handle data in accordance with the Section 1 of this Legal Update, they shall cooperate with the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam to supplement such data in the list of data subject to storage in Vietnam[5].

4.        Forms of storing data in Vietnam

Decree 53 does not provide any specific requirements but instead allow enterprises, domestic or foreign ones, to decide their form of data storage in Vietnam[6].

5.        Order and procedures of requesting data storage and the establishment of branches or representative offices of foreign enterprises in Vietnam

Decree 53 has clarified the above order and procedures as follows[7]:

• The Minister of Public Security of Vietnam shall issue decisions on the request for data storage and the establishment of branches or representative offices in Vietnam;
• The Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam shall provide notifications and guidelines, monitor, supervise, and urge enterprises to implement requests for data storage and the establishment of branches or representative offices in Vietnam while notifying relevant agencies to implement state management functions within their authority;
• Within 12 months from the issued date of the decisions of the Minister of Public Security of Vietnam, enterprises conducting business in the above-mentioned fields shall complete the data storage and the establishment of branches or representative offices in Vietnam.

Order and procedures for the establishment of branches or representative offices in Vietnam shall comply with the regulations of the laws on business, commerce, enterprises, and other relevant regulations[8].

6.        The period for data storage and the establishment of branches or representative offices of foreign enterprises in Vietnam

The period for data storage shall begin when the enterprises receive the request for data storage until the end of such request. The mandatory storage period is 24 months.

The period for the establishment of branches or representative offices in Vietnam shall start when the enterprises receive the request for the establishment of branches or representative offices in Vietnam until the enterprises terminate their operation in Vietnam or the regulated service is no longer available in Vietnam.

7.        Sanctions

Enterprises that fail to comply with the provisions of Decree 53 on storage and establishment of branches or representative offices in Vietnam shall be handled in accordance with the laws depending on the nature and level of the violation[9]. However, currently, the sanctioning regulations related to this matter have not yet taken effect, but have only been specified in the Draft Decree on sanctioning of administrative violations in the field of cyber security. Specifically, Article 37.2 and Article 5 of this Draft Decree stipulate a fine ranging from VND 160,000,000 to VND 200,000,000 for one of the following acts: Failure to store data, establishing a branch or representative office in Vietnam according to the Clause 3, Article 26 of the Law on Cybersecurity.

As usual, we hope you find this Legal Update helpful and look forward to working with you in the upcoming time.

Kind regards,

ENT Law LLC

The full version of this Legal Update can be found here.

—————————————————–

[1] Article 2.11, Article 26.2 of Decree 53.

[2] Violations are those which have been notified and requested by the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security for cooperation, prevention, investigation, and handling in writing but fail to comply or incompletely comply with such documents or prevent, obstruct, disable, or nullify the effect of cybersecurity protection measures performed by cybersecurity protection forces.

[3] Article 2.12, Article 26.3 of Decree 53.

[4] Article 26.3(b) of Decree 53.

[5] Article 26.4 of Decree 53.

[6] Article 26.5 of Decree 53.

[7] Article 26.6 of Decree 53.

[8] Article 26.7 of Decree 53.

[9] Article 26.8 of Decree 53.