PERSONAL DATA PROTECTION POLICY

Issue/Revision: 01

PURPOSE

This policy is issued to:

  • Protect the personal data of customers, employees, partners, and stakeholders;
  • Ensure that the collection, storage, processing, and use of personal data are carried out in accordance with legal regulations;
  • Minimize the risk of leakage, loss, or unauthorized use of personal data;
  • Ensure compliance with regulations on personal data protection and information security.

SCOPE OF APPLICATION

This policy applies to:

  • All employees;
  • Temporary employees and collaborators;
  • Suppliers and partners with access to data;
  • IT systems, applications, and databases owned or managed by the company.

LEGAL BASIS

This policy is based on:

  • Decree 13/2023/ND-CP on the protection of personal data;
  • Cybersecurity Law;
  • Information Technology Law;
  • Relevant current legal regulations;
  • ISO 27001 standards and the company’s internal regulations.

DEFINITIONS

Personal Data

Information in the form of symbols, writing, numbers, images, sounds, or similar forms in an electronic environment associated with or helping to identify a specific person.

Examples:

  • Full name;
  • Citizen Identification Number (CCCD/CMND);
  • Email;
  • Phone number;
  • Address;
  • Location data;
  • Camera images;
  • Bank account information.

Processing of Personal Data

Includes one or more activities such as:

  • Collection;
  • Recording;
  • Storage;
  • Editing;
  • Analysis;
  • Sharing;
  • Deleting or destroying data.

PRINCIPLES OF PERSONAL DATA PROTECTION

The Company is committed to the following principles:

Legal Collection

Personal data will only be collected when:

  • There is a clear purpose;
  • There is the consent of the data subject (if required by law);
  • It is consistent with business operations.

Limitation of Use

Personal data will only be used for the purposes stated.

Strictly Prohibited:

  • Unauthorized use;
  • Unauthorized sharing;
  • Use for personal purposes.

Minimizing Data

Only collect data necessary for processing purposes.

Data Security

The company implements technical and management measures to:

  • Prevent unauthorized access;
  • Prevent data leakage;
  • Prevent unauthorized modification;
  • Ensure data integrity.

Storage Limits

Personal data is only stored for the period necessary according to:

  • Business purposes;
  • Legal regulations;
  • Contracts with customers or partners.

TYPES OF DATA COLLECTED

The company may collect:

Customer Data

  • Full name;
  • Email;
  • Phone number;
  • Address;
  • Transaction information.

Employee Data

  • Personnel records;
  • Contract information;
  • Salary information;
  • Insurance Information.

Partner Data

  • Contact Information;
  • Contract Information;
  • Payment Information.

PURPOSE OF DATA PROCESSING

Personal data is used for the following purposes:

  • Personnel management;
  • Customer management;
  • Service provision;
  • Contract signing;
  • Technical support;
  • Customer care;
  • Legal compliance;
  • Protection of assets and IT systems.

RIGHTS OF DATA ENTITY

Data entity has the right to:

  • Be informed about data processing activities;
  • Agree to or refuse data processing;
  • Request data correction;
  • Request data deletion;
  • Request restrictions on processing;
  • File complaints or claim compensation as prescribed by law.

SHARING DATA WITH THIRD PARTIES

The company does not share personal data with third parties except:

  • With the consent of the data subject;
  • At the request of a competent government agency;
  • To fulfill contractual obligations;
  • As required by law.

All third parties must commit to data confidentiality.

SECURITY MEASURES

The company implements security measures including:

Technical Measures

  • Access control;
  • Strong passwords;
  • Multi-Factor Authentication (MFA);
  • Antivirus/EDR;
  • Firewall;
  • Data encryption;
  • Regular backups;
  • Access monitoring.

Management Measures

  • NDA for employees;
  • Information security training;
  • Regular compliance checks;
  • Physical access control;
  • Risk assessment.

DATA LEAK HANDLING

Upon detecting an incident involving personal data:

  1. Report immediately to the IT/Security department;
  2. Isolate the affected system;
  3. Investigate the cause;
  4. Assess the extent of the impact;
  5. Notify relevant parties if necessary;
  6. Implement corrective measures;
  7. Record the incident.

RESPONSIBILITIES

Board of Directors

  • Approve policies;
  • Ensure resources for implementation.

IT/Information Security Department

  • Implement security measures;
  • Monitor compliance;
  • Handle security incidents.

Department Head

  • Manage data within their area of ​​responsibility;
  • Ensure employee compliance.

Employees

  • Comply with policies;
  • Do not disclose data without authorization;
  • Report security incidents.

TRAINING AND AWARENESS

  • New employees must receive training on personal data protection;
  • Regular training at least once a year;
  • The company may conduct awareness tests or e-Learning.

COMPLIANCE MONITORING AND EVALUATION

The company performs:

  • Regular monitoring;
  • Internal evaluation;
  • Data access review;
  • Annual policy review or review when legal changes occur.

VIOLATION HANDLING

Any violation of this policy may result in:

  • Warning;
  • Internal disciplinary action;
  • Termination of employment;
  • Legal prosecution.

EFFECTIVENESS

This policy takes effect from the date of signing.

Any amendments or additions must be approved by the Board of Directors.

General Director

13 May, 2026

Scroll to Top