PRIVACY POLICY


Chapter 1. Purpose and scope of application

Article 1. Purpose

This regulation stipulates that an Information Management System should be established for the purpose of appropriately managing various types of information assets.

Article 2. Scope - Subjects of application

  1. This regulation applies to all employees and all business activities of the Company.
  2. The subjects of application of this regulation are the assets specified in Article 3.6.

Chapter 2. Definition of terms used

Article 3. Definition of terms

The key terms used in this regulation are defined as follows.

1. Decree

Decree No. 13/2023/ND-CP on personal data protection.

2. Personal Data (or Personal Information)

Personal data is information in the form of symbols, letters, numbers, images, sounds, etc. that is associated with a specific person or helps to identify a specific person, including basic personal data and sensitive personal data.

Basic personal data includes:

a. Full name, middle name, birth name and other names (if any)

b. Date of birth; date of death or disappearance 

c. Gender

d. Place of birth, place of birth registration, permanent residence, temporary residence, current residence, contact address

e. Nationality

f. Personal image 

g. Phone number, ID card number, personal identification number, passport number, driver's license number, license plate number, personal tax code number, social insurance number, health insurance card number

h. Marital status 

i. Information about family relationships (parents, children)

j. Information about individual digital accounts; personal data reflecting activities and history of activities in cyberspace

k. Other information that is associated with or helps to identify a specific person

3. Sensitive personal data

Personal data related to an individual's privacy that, when violated, will directly affect the individual's legitimate rights and interests, including:

a. Political views, religious views 

b. Health status and personal information recorded in the medical record, excluding information regarding blood type

c. Information relating to racial or ethnic origin

d. Information about an individual's inherited or acquired genetic characteristics

e. Information on individual physical attributes and biological characteristics

f. Information about the individual's sexual life and sexual orientation

g. Data on crimes and criminal acts collected and stored by law enforcement agencies

h. Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including: customer identification information as prescribed by law, account information, deposit information, transaction information, and information about organizations and individuals who are guarantors at credit institutions, bank branches, and payment intermediary service providers

i. Data on the location of individuals determined through location services

j. Other personal data that is specified by law as specific and requires necessary security measures

4. Data Subject

Data Subject is the individual about whom the Personal Data is reflected.

5. Processing of personal data

Processing of personal data is one or more activities affecting Personal Data, such as: collecting, recording, analyzing, validating, storing, editing, publishing, combining, accessing, retrieving, withdrawing, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting or destroying Personal Data, or other related actions.

6. Assets

A general term for things that are valuable to the Company such as information assets (including Personal Data used for the Company's business purposes, regardless of form), software assets, physical assets, services.

7. Information security

Information security is the application of security management measures to maintain the availability, integrity and confidentiality of Assets.

8. Information Protection

Activities to prevent, detect, stop and handle violations related to Personal Data according to the Decree.

9. Information management system

An information management system is a management system including policies, systems, plans, implementation, testing and review aimed at ensuring Information Protection based on the usefulness of Assets used for business purposes.

10. Staff

All employees of the Company, regardless of whether they sign a fixed-term or indefinite-term labor contract, hereinafter referred to as "All employees".

11. Data Subjects Required to Provide

The Company has the right to respond to all requests for disclosure, withdrawal of consent, correction, addition or deletion of content, restriction of processing, suspension, etc. from the Data Subject.

Chapter 3. Information management system

Article 4. Establishment of Information Management System

In order to properly manage and protect Assets for business purposes, the Company needs to decide, invest necessary management resources, establish an Information Management System and continuously update and improve the Information Management System. 

Article 5. Basic policies

The Company has established the following policy as a basic policy relating to the Information Management System and has widely disseminated it to All Employees.

[Personal Information Protection Policy]

Article 6. Organizational structure and responsibilities

The responsibilities and authorities of each position in the organizational structure related to the Information Management System are specified as follows:

1. Business representative (General Director)

In order to properly manage and protect the Assets used for business purposes, the General Director decides, invests the necessary management resources, establishes and continuously improves the Information Management System. In addition, the General Director assigns and approves the necessary management positions in the organizational structure, actively maintains the Information Management System in the Company.

2. Head of administrative management

Based on the basic policy stipulated in Article 5, the Director of the administrative management block has the responsibility and authority to deploy and operate the Information Management System, and at the same time report the operating status of the Information Management System to the General Director as a basis for review and improvement.

3. Head of Internal Control Department

Based on the basic policy stipulated in Article 5, the Head of Internal Control Department builds and develops the operating mechanism of the Information Management System and the mechanism for all employees to have a deeper understanding of information security.

Article 7. Compliance with laws and regulations

  1. The Company must regularly monitor and grasp the situation of promulgation, amendment and repeal of regulations related to the Information Management System, and if necessary, amend the basic policies, regulations and internal documents of the Company accordingly.
  2. Propose to amend valid contracts and agreements signed with entrusted partners in accordance with the situation of promulgation, amendment and repeal of legal regulations. 

Article 8. Compliance with contract content

Except in cases of special reasons such as conflicts with legal regulations, the Company must comply with the content of the contract agreed with business partners on information security or Information Protection. 

Chapter 4. Risk Management

Article 9. Identification of Personal Data, Analysis, Risk Assessment

1. For Assets that are Personal Data, the Company implements the following policies:

① Identify Personal Data used for business purposes, and record the results in the Information Asset Ledger.

② For the Personal Data identified in point ①, take necessary measures to prevent misuse.

③ For Personal Data identified in point ①, prepare and maintain Personal Data Processing Impact Assessment Records, including the Company's records; submit the records to the Department of Cyber Security and High-Tech Crime Prevention and Control under the Ministry of Public Security (A05); update the records when there are changes and resubmit them to A05.

Article 10. Asset management measures

In order to ensure Information Security for Assets, the Company implements the following Information Security management measures and reviews them when necessary.

  1. Implement access control measures to prevent external intrusion, unauthorized entry into unauthorized areas, information leakage, etc.
  2. Implement appropriate controls to prevent leakage, loss, falsification, etc. of confidential information.
  3. Implement appropriate management measures for data folders and files when accessing confidential information and information devices, to prevent leakage of confidential information, accidental damage, or careless destruction.
  4. Cooperate with the technical department to take appropriate measures against computer viruses, to prevent damage caused by them and to minimize any damage that does occur.
  5. Take appropriate measures to prevent information leakage when sending or carrying confidential information and Personal Data outside the Company.

Chapter 5. Compliance provisions relating to the processing of Personal Information

Article 11. Determination of purpose of use

  1. When collecting Personal Information, it is necessary to determine the purpose of use, and to carry out actions within the scope necessary to achieve that purpose.
  2. When determining the purpose of use, it is necessary to consider clarifying in detail the scope of the processing and provision of data within the permitted scope, in order to be able to predict the possible effects on the Data Subject caused by the processing and provision of the collected information.

Article 12. Valid collection

The collection of Personal Information must be based on lawful and valid means.

Article 13. Consent to collect Personal Data

When collecting Personal Information, the Data Subject must be notified and must give explicit consent in writing or in a reproducible form, including a pre-determined electronic form or a verifiable format, except as provided for in clauses 15.1.1 to 15.1.4. In addition, when processing Sensitive Personal Data, the Data Subject must be informed that the data to be processed is Sensitive Personal Data.

a. Data type

b. Name of the individual or legal entity processing Personal Data including the Company

c. Name, title, department, contact address of the person in charge of managing the protection of Personal Information (or the manager designated by the Company)

d. Purpose of processing 

e. Rights and obligations of Data Subjects

Article 14. Prior notice in case of processing of Personal Data

When processing Personal Data, after obtaining consent as prescribed in Article 13, the Company must notify the Data Subject of the following contents in a format that can be printed or copied in writing, including electronic form or a verifiable format.

a. Purpose of data processing 

b. How data is processed 

c. Data processing start and end time

d. Type of data processed

e. Name of the legal entity (company) processing 

f. Damages and risks that may arise

Article 15. Remedial measures

1. When processing Personal Information, regardless of whether the Data Subject has given consent or not, information that is likely to encourage or lead to illegal or inappropriate behavior must be removed. Information processing shall only be carried out to the extent necessary to achieve the identified processing purposes. 

In the event that the processing of Personal Information exceeds the scope of the identified necessary processing purposes, the Data Subject must be notified and the Data Subject's consent must be obtained in accordance with Articles 13 and 14, except in the cases a. to d. below.

a. In necessary cases for the purpose of protecting human health and life according to the provisions of the Decree

b. In case of performing the obligations of the Data Subject under the contract between the Data Subject and relevant agencies, organizations and individuals as prescribed by the Decree.

c. In case of serving the activities of state agencies according to the provisions of specialized laws.

d. Other cases as prescribed by the Decree

2. When processing Personal Data, the Company must record and store system logs.

Article 16. Measures relating to provision

In the event of providing Personal Data to a third party, the consent of the Data Subject must be obtained and the Data Subject must be notified in advance as provided for in Articles 13 and 14, unless the Data Subject has explicitly agreed to this content in advance.

Article 17. Transfer of Personal Data abroad

In case of transferring Personal Data of Vietnamese citizens to a third party abroad, the Company must prepare and store assessment records according to the form prescribed in the Decree and submit them to A05. In addition, in case of changes in the content of the records, the Company must amend and resubmit them to A05.

Article 18. Processing of Personal Data of persons declared missing or dead

When processing Personal Data of a person declared missing or dead, the consent of that person's spouse or minor child must be obtained. In the event that the person has no spouse or minor child, the consent of the parent of the person declared missing or dead must be obtained.

Article 19. Processing of Children's Personal Data

  1. The processing of children's Personal Data must be carried out in accordance with the principles of protection of children's rights and in the best interests of the child.
  2. In case of processing Personal Data of children aged 7 years and above, the consent of the child is required. In case of processing Personal Information of children under 7 years of age, the consent of the child's father, mother or guardian is required.
  3. The deletion of children's Personal Data must be carried out in accordance with the provisions of the Decree.

Chapter 6. Provision, correction, termination of processing of Personal Data

Article 20. Rights in relation to Personal Data

  1. In case of a request to provide, withdraw consent, correct, supplement or delete content, restrict processing, suspend processing by a Data Subject according to the procedures of the Decree related to the Data Subject requested to provide, the Company must promptly comply with such requests in accordance with the provisions of the Decree.
  2. The Company must ensure the rights of Data Subjects as prescribed in Article 9 of the Decree.

Chapter 7. Appropriate Management

Article 21. Ensuring accuracy

The Company shall ensure the accuracy and currency of Personal Data to the extent necessary to achieve the purposes of processing and shall delete Personal Data without undue delay when such processing is no longer necessary.

Chapter 8. Recruitment, Training and Management of Employees

Article 22. Training and staff management

The Company must appropriately train and manage Employees in the necessary content to ensure information protection when Employees handle information assets.

Article 23. Recruitment and confidentiality agreement

During the recruitment process, the Company must conduct a comprehensive review and require employees to sign a confidentiality commitment that clearly states their obligation to keep information confidential when they start working at the Company, and even after the termination of the employment contract, the obligation to keep information confidential is extended for a certain period of time.

Chapter 9. Trust Partner Management

Article 24. Management of trust partners

In order to properly manage trust partners in relation to information assets, the Company must conduct a careful examination when deciding on a trust partner and must sign a contract related to information confidentiality with the trust partner when entrusting the processing of Personal Data.

Chapter 10. Emergency Response

Article 25. Response to emergency situations

1. In the event of an information security incident or failure or leakage or loss of Personal Information (including violations of the Decree) that significantly affects business operations, the Company will consider the anticipated economic disadvantages and reputational damage and take countermeasures to minimize the impact on the Data Subject.

2. In case of emergency, the following measures must be taken as decided by the General Director or the Head of Internal Control Department.

a. Notice to Data Subjects

b. Report to relevant agencies on the actual situation, causes of occurrence, and response policies. 

In addition, reports to A05 must comply with the content and methods prescribed in the Decree.

Contact information

If you have any questions, complaints or feedback related to our Basic Regulations on Information Management or the implementation of these Regulations, please contact us by phone at 024 7300 8663 or by email at ksnb@bell24vietnam.vn
