Data storage according to the provisions of the Cybersecurity Law

Many companies operating in Vietnam are concerned about the feasibility and legality of using server or hosting services provided by foreign entities, as well as how to ensure data storage complies with the provisions of the Cybersecurity Law.

1. Businesses operating in Vietnam are allowed to use foreign server/hosting services

With the advancement of information technology, backing up and securing data against cyberattacks of all scales has become crucial. As a result, many businesses choose to use server or hosting services to ensure long-term data safety, save costs, and quickly recover data in undesirable situations.

The Cybersecurity Law 2018, effective from January 1, 2019, does not prohibit businesses from using server or hosting services provided by foreign entities. This aims to support businesses in seeking reputable service providers with high security and reasonable costs, especially when domestic IT infrastructure is still limited.

The Vietnamese government has a responsibility to ensure the safety of the national information system and cybersecurity, especially as cyberattacks become increasingly common and sophisticated, threatening national security and the safety of information systems, business data, and particularly, citizens’ personal data. Thus, certain requirements concerning data storage and data transfer abroad have been established.

2. Data Storage and Data Transfer Abroad

When a company uses foreign hosting services, it is clear that data storage abroad is inevitable. The ultimate purpose of using hosting services is to ensure the safety, backup, and recovery of data in all situations. However, companies need to be aware of the following limitations:

Domestic and foreign companies providing telecommunications services, Internet services, and enhanced services in cyberspace in Vietnam (hereinafter referred to as “Telecommunications Enterprises”) that collect, exploit, analyze, and process data on personal information, user relationship data, and data created by users in Vietnam must store this data in Vietnam for a minimum of 24 months, according to Article 26 of the Cybersecurity Law 2018.

According to this regulation, businesses not providing telecommunications, Internet, or enhanced services are not allowed to store any data, including personal data. For clarity, we categorize data into two types: personal data and other data:

Other Data:

Businesses can store this data anywhere based on their decisions to ensure data safety, as this is the primary goal of seeking server or hosting services. However, data related to the safety of the national information system must be closely monitored and protected.

Personal Data:

In accordance with the regulations of Decree 13/2023/ND-CP on personal data protection, businesses need to be aware of the following:

• Businesses must inform data subjects at least once before processing personal data regarding the purpose, type of personal data, processing methods, information about organizations or individuals related to the data processing purpose, potential consequences or damages, and the duration of data processing;
• Maintain a Data Processing Impact Assessment file when acting as a Data controller or Data controller and processor;
• Telecommunications enterprises, as defined above, must store users’ personal data in Vietnam for a minimum of 24 months, including: personal information, account details, service usage time, credit card information, email addresses, IP addresses for the last login or logout, registered phone numbers associated with the account or data, and user relationships;
• Other businesses must store personal data in Vietnam and, when needing to transfer personal data abroad for storage or other purposes, must carry out the relevant procedures for transferring data abroad, specifically:
  • Preparing and maintaining a Cross-Border Data Transfer Impact Assessment file
  • and submitting one original copy of this file to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) within 60 days of initiating personal data processing.
  • After the data is successfully transferred, a notification must be sent to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention).

Regulations on Data Storage and Transfers:

Thus, when servers are located abroad, businesses can transfer other data abroad for storage. However, for personal data, companies must ensure compliance with the requirements regarding the timing of data transfer abroad (after 24 months for Telecommunications Enterprises) and the procedures outlined in Decree 13/2023/ND-CP.

3. Remarks for Foreign Businesses on Data Storage

Foreign businesses (including FDI companies established in Vietnam and foreign companies established and operating abroad) operating in the following areas must store personal data of service users in Vietnam for a minimum of 24 months, similar to Telecommunications Enterprises:

• Telecommunications services;
• Data storage and sharing on cyberspace;
• Provision of national or international domain names to users in Vietnam;
• E-commerce;
• Online payment;
• Payment intermediaries;
• Cyber-transportation services;
• Social networks and social media;
• Online gaming;
• Provision, management, or operation of other information on cyberspace via messaging, voice calls, video calls, email, or online chatting.

These foreign businesses must establish a branch or representative office in Vietnam when:

1. the services provided by the business are used to commit violations of the law regarding cybersecurity;
2. they have been notified by the Cybersecurity and High-Tech Crime Prevention Department of the Ministry of Public Security and requested to cooperate, prevent, investigate, or handle the situation in writing; but
3. they do not comply, comply insufficiently, or obstruct, hinder, nullify, or render ineffective the cybersecurity protection measures implemented by the specialized forces for cybersecurity.

4. Conclusion

Thus, the requirements regarding the location and duration of personal data storage only apply to businesses operating in telecommunications, internet services, and enhanced services in cyberspace in Vietnam. Regarding the collection, processing, and/or transfer of personal data abroad, Vietnamese law imposes requirements to ensure data safety but does not prohibit the use of hosting services provided by foreign entities or the transfer and storage of data abroad. PLF hopes this article clarifies the concerns of businesses regarding the above issues.

At PLF Law Firm

Vietnam’s Cybersecurity Law presents complex legal challenges for businesses operating in the country. We assist businesses in achieving complete adherence to data retention requirements.

At PLF, we also provide a comprehensive service for “Doing Business“, assisting businesses with a wide range of legal needs, from Company Formation, Licensing to Labor & Employment. 

Contact PLF Law Firm today via email at inquiry@plf.vn or +84913 902 906 or Zalo | Viber | WhatsApp to receive a free 30-Initial Minute Consultation.

Article completion date: October 1st, 2024.

PLF Law Firm