Data Localisation & Strategies for Ensuring National Cybersecurity in Vietnam


On 15 August 2022, the Vietnamese Government adopted Decree No. 53/2022/ND-CP (“Decree 53“) detailing certain articles of Law No. 24/2018/QH14 on Cybersecurity (“Law on Cybersecurity“) after more than three years of drafting and consideration. Decree 53 will become fully effective on 1 October 2022. Decree 53, which contains long-awaited regulations, will allow Vietnamese authorities to enforce, among others, the requirements on data localisation and commercial presence under the current Law on Cybersecurity, that may have a major impact on operations of both onshore and offshore enterprises in the near future.

Data that must be stored in Vietnam

  • Data on personal information of service users in Vietnam; 
  • Data generated by service users in Vietnam, including account name, duration of service usage, credit card information, email address, network (IP) address of the latest log-in and log-out, registered phone number associated with the account or data; and 
  • Data on the relationships of service users in Vietnam, including friends and groups with which users connect or interact. 

The retention period is set at a minimum of 24 months from the time an enterprise receives a storage request from the Vietnamese government until such request expires.

Entities that store data in Vietnam

Domestic enterprises. It seems that domestic enterprises in various industries may generally be required to store the above data in Vietnam. Domestic enterprises are those established under Vietnamese laws and have head offices in Vietnam (including foreign-invested enterprises).

Offshore enterprises. Such requirement may only be triggered to an offshore enterprise in case: 

  • It is doing business in Vietnam in 10 sectors as stipulated by Decree 53*; and 
  • It has not taken proper measures to deal with breaches of the Vietnamese laws on cybersecurity as requested by the competent authority. 

Moreover, an offshore enterprise may be required to set up and maintain a branch or representative office until it ceases to conduct business in Vietnam or provide the regulated services in Vietnam. 

An offshore enterprise would have 12 months from the date the competent authority issues a written requirement to fulfil data storage in Vietnam and establish a branch or representative office in Vietnam. In the event of a force majeure, this term can be extended for an extra 30-working-day period with prior consent from the authority.

Security measures implemented by Vietnamese authorities

Decree 53 provides for various measures that the Vietnamese authorities may implement to deal with illegal activities in cyberspace in Vietnam, such as inspecting and assessing illegal activities, requesting disclosure of data, requesting removal of information, and suspending or terminating information system operations or withdrawing domain names.

In summary, in the internet-focused world today, data is widely considered one of the most valuable resources. In the last decade, it seems that data localisation has become a major policy concern in various nations, including Vietnam. The issuance of this new Decree 53 may help to protect information of citizens and residents in Vietnam and give local governments and regulators the jurisdiction to call for the data when required.

About the Author

Vi Dang
RHTLaw Vietnam
+84 28 3820 6448

Vi Dang is a Partner at RHTLaw Vietnam. Her areas of expertise include capital market, IPO, corporate and commercial transactions in M&A and corporate compliance/governance in relation to a wide range of industries from manufacturing, commercial services to healthcare and trading.

* Including (i) telecom services; (ii) services of data storage and sharing in cyberspace (cloud storage); (iii) supply of national or international domain names to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; (x) services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.

Thank you! Your subscription has been confirmed. You'll hear from us soon.