Conditions for an enterprise to be granted a Business License include: (i) Meet market access conditions in international treaties to which Vietnam is a member; (ii) Have a financial plan to carry out the activity applying for a Business License; (iii) No overdue tax debt in case it has been established in Vietnam for 1 year or more.

Note that in case the foreign investor does not belong to a country or territory participating in an International Treaty to which Vietnam is a member, the enterprise applying for a license will need to meet additional criteria: (i) Compliance with the provisions of specialized laws; (ii) Consistent with the level of competition of domestic enterprises in the same field of operation; (iii) Ability to create jobs for domestic workers; (iv) Ability and level of contribution to the state budget.

• Explanation of the conditions for granting the corresponding Business License according to regulations;
• Business plan: Describes the content and methods of implementing business activities; presents business plans and market development; labor needs; Evaluates the socio-economic impact and efficiency of the business plan;
• Financial plan: Report on business performance results on the basis of audited financial statements of the most recent year in case established in Vietnam for 01 year or more; explanation of capital, capital sources, and capital mobilization plans; Attached are financial documents;
• The business situation of buying and selling goods and activities directly related to buying and selling goods; The financial situation of the foreign-invested economic organization as of the time of application for a Business License.
• Documents of Tax authority proving no overdue tax debt.
• The copies of Enterprise registration certificate; Investment registration certificate for projects selling and buying goods and activities directly related to buying and selling goods (if any).

Procedure of implementing:

Step 1. Prepare documents

Enterprises need to evaluate the feasibility of applying for a Business License by considering the industry, financial capacity, and policies of the competent authority.

Step 2. Submit and process business license applications

Submit directly or by post to the licensing agency (depending on each case);

In case the conditions are met, the Licensing Agency issues a Business License to carry out business activities. For some special occupations, before licensing, the Department of Industry and Trade will seek opinions from the Ministry of Industry and Trade

Step 3. Receive the result

If the dossier is approved, the enterprise will receive a Business License as a result. When receiving a business license, the business will need to check the information on the license to ensure that the recorded information matches the business’s initial requirements.

• Name of trader, organization, individual;
• Business registration number of the trader or establishment decision number of the organization or personal tax code of the individual;
• Business/activity field;
• Address of the head office of the trader, organization, or permanent residence address of the individual;
• Contact information.

Step 2: Within 03 working days, traders, organizations, and individuals receive results from the Ministry of Industry and Trade via a registered email address regarding one of the following contents:

• If the account registration information is complete, traders, organizations, and individuals will be granted an account to log into the system and proceed to Step 3;
• If account registration is refused or additional information is requested, traders, organizations, and individuals must re-register or supplement information as requested.

Step 3: After being granted an account to log into the system, traders, organizations, and individuals log in, select the Notify Sales e-commerce website function, and declare information according to the form.

Step 4: Within 03 working days, traders, organizations, and individuals receive feedback from the Ministry of Industry and Trade via the registered email address about one of the following contents:

• Confirm complete and valid declared information;
• Indicates that the declared information is incomplete or invalid. At that time, traders, organizations and individuals must return to Step 3 to re-declare or supplement information as required.

Step 5: Confirm notification

Notification confirmation time: 03 working days from the date of receipt of complete and valid notification documents from traders, organizations and individuals.

When confirming the notice, the Ministry of Industry and Trade will send traders, organizations and individuals via registered email address a code to attach to the sales e-commerce website, shown as the approved symbol. When selecting this icon, users are directed to the corresponding notification information section of traders, organizations and individuals at the E-commerce Activities Management Information Portal.

• Website allows participants to open booths to display and introduce goods or services;
• Website allows participants to open accounts to carry out the process of entering into contracts with customers;
• The website has a buying and selling section, which allows participants to post information about buying and selling goods and services;
• Social networks have one of the regulated forms of activity listed above and participants directly or indirectly pay fees for carrying out those activities.

Establishing and operating an e-commerce trading floor will have differences between the forms of operation as well as differences between the website owners, accordingly, the legal procedures to register the operation of the e-commerce trading floor where the owner is a Vietnamese enterprise will be simpler than if the owner is a foreign-invested enterprise.

Step 2: Within 03 working days, traders and organizations receive results from the Ministry of Industry and Trade via a registered email address;

Step 3: After being granted an account to log into the system, traders and organizations log in, select the function Register website providing e-commerce services, declare information according to the form and attach registration documents according to regulations.

Step 4: Within 07 working days, traders and organizations receive feedback from the Ministry of Industry and Trade via a registered email address;

Step 5: After receiving notice confirming the complete and valid dossier, traders and organizations send to the Ministry of Industry and Trade (Department of E-commerce and Information Technology) the complete registration dossier (paper copy) according to regulations.

Step 6: Confirm registration

Registration confirmation time: 05 working days from the date of receiving the complete and valid paper registration dossier. Upon confirmation of registration, the Ministry of Industry and Trade will send traders and organizations via registered email address a code to attach to the website providing e-commerce services, shown as a registration icon. When selecting this icon, users are directed to the corresponding registration information of traders and organizations at the E-commerce Activities Management Portal.

In the case of using a sales app to trade goods and services on the list of conditional goods and services, enterprises must fully comply with legal regulations on the business conditions of those goods and services. They must also publish on the digital app, the date of issue, and place of issue of the certificate of eligibility for business in cases where the law requires a certificate of eligibility for business.

Traders must develop measures to protect consumer rights in e-commerce activities on mobile apps and establish contracts and online payment mechanisms.

Required Documents:

• Enterprise information: The copy of the Enterprise Registration Certificate (Enterprise name, tax code, address of head office, legal representative, phone number, email, etc.)
• App information: App name, Storage location or app download location, Types of goods and services introduced on the app. 

The notification procedure is carried out in the following steps:

Step 1: Register a system login account

Bước 2: Account confirmation

Within 3 working days, Enterprise will receive a result from the Ministry of Industry and Trade via the registered email address with one of the following contents:

• If the account registration information is complete, the enterprise will be granted a system login account and proceed to Step 3;
• If the account registration is rejected or requires additional information, the enterprise must re-register or provide additional information as requested.

Step 3: Declare and scan the notification dossier for the sales app

After being granted a system login account, enterprises, organizations, and individuals log in, select the “Notify e-commerce website for sales” function, and declare information according to the form.

Step 4: The Ministry of Industry and Trade responds to the procedure

Within 3 working days, the enterprise will receive a response from the Ministry of Industry and Trade via the registered email address.

Personnel: For personnel responsible for managing information content: At least one person responsible for managing information content must be a Vietnamese citizen or a foreigner with a temporary residence card issued by a competent authority with a remaining validity of at least 6 months in Vietnam at the time of application; there must be a department responsible for managing information content.

For technical personnel: The technical management department must have at least one person who meets the requirements for managing the website network and information security and safety skills.

Domain names:

Domain names must comply with regulations on the management and use of Internet resources. For international domain names, there must be confirmation of legitimate domain name use.

Technique: The technical equipment system must meet the following requirements: Store the user account information… for at least 02 years; Receive and process warnings of violation information from users; Have a backup plan to ensure safe, continuous operation and recovery in case of incidents, except in cases of force majeure as prescribed by law; At least one server system must be located in Vietnam; Perform registration and store personal information of members; Implement user authentication; Establish a mechanism to warn members when posting content that violates the regulations (filter).

Implement measures to ensure information security, cybersecurity, and information management:

There is an agreement to provide and use appropriate social network services which is posted on the social network’s homepage;

Ensure that users must agree to the agreement to use social network services online to be able to use the services and utilities of the social network;

A coordination mechanism must be in place to remove content that violates prohibited acts within no later than 3 hours of self-detection or upon request from the Ministry of Information and Communications or the licensing authority (in writing, by phone, or by email);

Implement measures to protect the confidentiality of user’s personal information;

Ensure users’ right to decide whether to allow the collection of their personal information or to provide it to other organizations, businesses, or individuals.

• Application for a Social Network Establishment License;
• A valid copy includes a copy issued from the original or a certified copy or a copy collated with the original of one of the following documents: Enterprise Registration Certificate, Investment Registration Certificate, Decision on Establishment (or valid copy of Certificate, other valid equivalent license issued before the effective date of the Investment Law No. 67/2014/QH13 and the Enterprise Law No. 68/2014/QH13), Operation charter (for associations and unions);
• The Decision on Establishment or Operation charter must have functions and tasks suitable for the field of information exchange on social networks;
• Operation plan with signature and seal of the head of the organization or enterprise requesting the license, including the following main contents: Types of services; Scope; Areas of information exchange; Personnel organization plan, technical information management, and financial management to ensure the operation of social networks is appropriate;
• The social network service provision and usage agreement must include at least the following content: Prohibited content for exchange and sharing on social networks; Rights and responsibilities of social network service users; Rights and responsibilities of organizations and enterprises establishing social networks; Handling mechanism for members who violate the social network service provision and usage agreement; Warnings to users about the risks of storing, exchanging, and sharing information on the network; Mechanism for resolving complaints and disputes between social network members with the organization or enterprise that established the social network or with other organizations or individuals; Disclose whether or not personal data of service users is collected and processed in the agreement on the provision and use of social networking services; Personal information protection policy, private information of social network service users.

Process:

Applications for licenses can be submitted directly, by post, or online to the Ministry of Information and Communications (Department of Radio, Television and Electronic Information).

Within 30 days from the date of receipt of a valid application, the Ministry of Information and Communications shall review and issue a license in accordance with Form No. 26 of Appendix I attached to Decree 72/2013/ND-CP. In case of refusal, the Ministry of Information and Communications shall issue a written reply stating the reasons.

The parties registering software copyright include the direct creator of the product and the copyright owner. Authors and copyright owners include Vietnamese organizations and individuals; Foreign organizations and individuals with works published for the first time in Vietnam and not yet published in any other country, or with works also published in Vietnam within thirty days after publication for the first time in another country; and foreign organizations and individuals with works which are protected in Vietnam pursuant to an international treaty on copyright of which the Socialist Republic of Vietnam is a member.

Required documents:

• Software copyright registration declaration;
• Legal information of the software copyright owner (may include Citizen Identity Card, Enterprise Registration Certificate, Establishment Decision, or other relevant documents depending on the case);
• Legal information of the software creator (author);
• Printed copy of the software source code with complete author and copyright owner identification information;
• CDs must contain all software information such as source code, interface, etc.;
• Author’s declaration;
• Consent of co-authors and co-copyright owners (if the work has co-authors and co-copyright owners);
• – Assignment decision if the copyright owner is a legal entity;
• Power of attorney if the applicant for copyright registration is an authorized person;
• Other documents as required in each specific case;

Documents must be in Vietnamese. If in another language, they must be translated into Vietnamese.

Authors and copyright owners can apply directly or authorize other individuals or organizations to submit it to the Copyright Office or its representative offices in Ho Chi Minh City and Da Nang.

• Authors, copyright owners, and related rights owners who are Vietnamese individuals or organizations, foreign individuals permanently residing in Vietnam, or foreign organizations with headquarters, representative offices, or branches in Vietnam can apply directly or through their legal representatives in Vietnam.
• Authors, copyright owners, and related rights owners who are foreign individuals not permanently residing in Vietnam or foreign organizations without headquarters, representative offices, or branches in Vietnam must apply directly through the Level 4 online public service portal or through authorization to copyright and related rights consulting and service organizations in Vietnam.

Step 2: Copyright Office Processes the Application

The Copyright Office will review, classify, and examine the validity of the application within 01 month from the date of receipt of the application.

If the application is not valid, the Copyright Office will notify the organization or individual to amend or supplement the application.

The deadline for correcting the application is 01 month from the date of receipt of the notification.

Step 3: Copyright Office Issues the Certificate

If all the required documents are valid, within 15 working days, the competent authority will be responsible for granting the Certificate of Copyright Registration.

Data Controllers and Data Processors must establish and maintain a dossier of their (DPIA) from when they begin processing personal data.

Data subject consent is applied for all activities in the personal data processing process. Data subject consent is only valid when the data subject voluntarily and knowingly agrees to the following:

• The types of personal data processed;
• The purposes for which the personal data are processed;
• The organization or individual that is processing the personal data;
• The rights and obligations of the data subject..

Remark: The Personal Data Processing Impact Assessment dossier is established in writing and has legal value for the Personal Data Controller, Personal Data Controller and Processor, or Personal Data Processor. It should always be available for inspection and assessment by the Ministry of Public Security.

Notification of submitting a personal data processing impact assessment dossier according to Form No. 04a of the Appendix issued with Decree No. 13/2023/NĐ-CP (form for organizations)

Personal data processing impact assessment dossier (for the personal data controller, data controller, and data processor) or personal data processing impact assessment dossier (for the data processor)

Copy of enterprise registration certificate, the decision on the establishment, or ID card/passport of the dossier owner.

Copy of the decision or related documents regarding the assignment of the personal data protection department of the dossier owner.

Copy of related contracts for personal data processing with relevant parties.

Copies of other documents…

Step 2: Submit the dossier

Within 60 days from the date of personal data processing, the enterprise must submit the dossier to the Ministry of Public Security.

Step 3: Response

The Department of Cyber Security and Crime Prevention using High Technology, Ministry of Public Security will assess and request the completion of the personal data processing impact assessment dossier if it is incomplete or does not meet the regulations.

The requester must update and supplement the Personal Data Processing Impact Assessment Dossier when there are changes in the content submitted to the Ministry of Public Security according to Form No. 05 of Decree No. 13/2023/NĐ-CP.

• Submit 01 original copy of the application to the Department of Cyber Security and Prevention of High-Tech Crimes under the Ministry of Public Security within 60 days from the date of personal data processing;
• Notice to the Department of Cyber Security and High-Tech Crime Prevention under the Ministry of Public Security on the transfer of data and contact details of the responsible organization and individual in writing after the data transfer has been completed.

Data transferors which transfer data abroad include Personal Data Controller, Personal Data Controller and Processor, Personal Data Processor, and Third Party.

In addition to establishing and submitting dossiers to the Ministry of Public Security, enterprises must also store the Personal Data Transfer Abroad Impact Assessment Dossier. Accordingly, the Personal Data Transfer Impact Assessment Dossier must always be available to serve the inspection and evaluation activities of the Ministry of Public Security (according to Clause 3, Article 25 of Decree 13/2023).

Cases of suspension of personal data transfer abroad

The data transferor must stop transferring personal data abroad if any of the following circumstances occur:

Upon discovery that the transferred personal data is being used for activities that violate the interests or national security of the Socialist Republic of Vietnam;

The party transferring data abroad does not: (i) Complete the Personal Data Transfer Impact Assessment Dossier in cases where the dossier is incomplete and does not comply with the requirements of the Ministry of Public Security; (ii) Update and supplement the Personal Data Transfer Impact Assessment Dossier when there are changes to the content of the dossier submitted to the Ministry of Public Security;

An incident of leakage or loss of personal data of Vietnamese citizens occurs.

• Information and contact details of the Data Transferor and the Recipient of personal data of Vietnamese citizens;
• Full name and contact details of the organization or individual responsible for the Data Transferor involved in the transfer and receipt of personal data of Vietnamese citizens;
• Description and explanation of the purpose of the processing activities of personal data of Vietnamese citizens after being transferred abroad;
• Describe and clarify the types of personal data transferred overseas;
• Describe and demonstrate compliance with the personal data protection regulations in this Decree, detailing the personal data protection measures applied;
• Assess the impact of personal data processing; potential consequences, undesirable damages, and measures to minimize or eliminate such risks and harms;
• Consent of the data subject in accordance with Article 11 of Decree 13/2023/NĐ-CP, based on a clear understanding of the feedback and complaint mechanism in case of incidents or arising requests;
• Having a document demonstrating the binding, responsibility between organizations and individuals transferring and receiving personal data of Vietnamese citizens regarding the processing of personal data.

After completing the dossier preparation, the enterprise implements the approval process as follows:

Step 1: The data transferor shall submit one original copy of the dossier to the Department of Cyber Security and Crime Prevention under the Ministry of Public Security within 60 days from the date of personal data processing in accordance with Form No. 06 of the Appendix to Decree No. 13/2023/NĐ-CP.

Step 2: After the data transfer is successful, the data transferor shall notify the Department of Cyber Security and High-Tech Crime Prevention under the Ministry of Public Security in writing about the data transfer and the contact details of the responsible organization or individual.

Step 3: The Ministry of Public Security (Department of Cyber Security and Prevention and Combating High-Tech Crimes) evaluates and requests the Data Transfer Party to complete the Personal Data Transfer Impact Assessment Dossier when the file is incomplete and does not comply with regulations.

General conditions: 

In accordance with the national strategy and plan for cybersecurity development, there will be separate plans for licensing in place at each point in time;

Enterprises with foreign elements, understood as having foreign investment capital, foreign legal representatives, or technical teams, will have certain limitations, this comes from cybersecurity concerns.

Specific conditions:

Personnel: The enterprise must ensure that it has a management and operation team that meets the professional requirements for information security. There must be a technical officer with primary responsibility who has a university degree in a related field or a certificate in information security, information technology, or electronics and telecommunications, with a number of personnel that meets the scale and requirements of the business plan (There must be a minimum of 02 engineers who have graduated from one of the following fields: electronics – telecommunications, information technology, mathematics, information security).

Infrastructure: The enterprise must have an appropriate business plan that includes the following: Purpose of import; scope and target audience; compliance with relevant standards and technical regulations for each type of product; and details of basic technical features of products and services.

A system of equipment and facilities is appropriate for the scale of the service provided and the business plan.

Technical solutions that are in accordance with the standards and technical regulations applicable to cybersecurity products and services.

The application for a Cyber Information Security Product and Service Business License consists of 5 sets (including 1 original set and 4 sets of valid copies), including:

• Application for a Cyber Information Security Product and Service Business License, specifying the types of network information security products and services to be traded;
• A certified copy of the Certificate of Business Registration, Certificate of Investment Registration, or other equivalent documents;
• An explanatory statement of the technical equipment system to ensure compliance with legal regulations;
• A business plan including the scope, targets for providing products and services, standards, and quality of products and services;
• Technical plan in accordance with the applicable standards and technical regulations for cyber information security products and a customer information security plan during the provision of network information security products and services (applicable to service providers);
• Criminal record of the legal representative and relevant management and executive personnel (applicable to service providers);
• Copies of diplomas or certificates of expertise in information security of managing, executive, and technical personnel.

Implementation process:

Step 1: Enterprises applying for a Cyber Information Security Products and Services Business License must submit their application to the Ministry of Information and Communications.

Step 2: Within 40 days from the date of receiving a complete application, the Ministry of Information and Communications shall take the lead in coordinating with relevant ministries and sectors to appraise and grant a Business License for information security products and services, except for the following products and services:

• Civil cryptography services;
• Electronic signature certification services;
• Civil cryptography products.

The time for reviewing initial and supplementary documents, explanations, and granting or issuing a notice of non-issuance of a license shall not exceed 15 working days from the date of receiving a valid application.

Cybersecurity products and services are products and services related to national security. Only qualified enterprises are granted licenses, and the Ministry of Information and Communications, and the Department of Information Security plan to grant licenses in each period.