VISAHO JOINT STOCK COMPANY'S PERSONAL DATA PROTECTION POLICY
1. Purpose
Exercising Personal Data Protection of the National Assembly, effective from January 1, 2026.
Visaho Joint Stock Company (“VISAHO”) always prioritises compliance with the law in general and especially the law on personal data protection (“personal data”) when collecting, recording, analysing, verifying, storing, editing, transferring personal data abroad, etc., concerning personal data (hereinafter referred to as “processing personal data”).
Therefore, VISAHO has developed and announced this Personal Data Protection Policy (“Policy”) to all data subjects (“data subjects”) as specified in Section 2 below.
2. Explanation of terms (Based on Article 2 of the Law on Personal Data Protection 2025)
2.1 “Personal data” means digital data or information in other forms that identifies or helps to identify a particular person, including basic personal data and sensitive personal data. Personal data, after deidentification, is no longer personal data.
2.2 "Basic personal data" means personal data reflecting common and frequently used personal and background information in transactions and social relationships, as categorized by the Government. According to Article 3 of Decree No. 356/2025/ND-CP, basic personal data includes:
1) Surname, middle name, and given name, other names (if any);
2) Date of birth; date of death or disappearance;
3) Gender;
4) Place of birth, place of birth registration, place of permanent residence registration, place of temporary residence registration, current address, hometown, contact address;
5) Nationality;
6) Photograph of the individual;
7) Telephone number, personal identification number, passport number, driver's license number, vehicle license plate number;
8) Marital status;
9) Information about family relationships (parents, children, spouse);
10) Information about the individual's digital account;
11) Other information associated with or helping to identify a specific person that does not fall under the category of sensitive personal data.
2.3 "Sensitive personal data" refers to personal data linked to an individual's privacy, the violation of which would directly affect the legitimate rights and interests of agencies, organizations, and individuals using resources, means, and measures to prevent and combat data breaches. Based on Article 4 of Decree 356/2025/ND-CP, the list of sensitive personal data includes:
1) Data revealing racial and ethnic origins;
2) Political, religious, and belief views;
3) Information about private life, personal secrets, and family secrets;
4) Health status;
5) Biometric data and genetic characteristics;
6) Data revealing an individual's sexual life and sexual orientation;
7) Data on crimes and legal violations collected and stored by law enforcement agencies;
8) An individual's location determined through location services;
9) Username and password for accessing an individual's electronic identification account; images of identity cards, citizen identification cards, and national identity cards;
10) Username and password for accessing bank accounts; bank card information, and transaction history data of bank accounts; Financial and credit information, and information on the activities and transaction history of customers at credit institutions, branches of foreign banks, payment intermediary service providers, securities and insurance companies, and other authorized organizations;
11) Data tracking the behavior and activities of using telecommunications services, social networks, online communication services, and other services in cyberspace;
12) Other personal data that is legally required to be kept confidential or requires strict security measures.
2.4 "Processing personal data" refers to activities that affect personal data, including one or more activities such as: collecting, analysing, aggregating, encoding, decoding, modifying, deleting, destroying, deidentifying, providing, disclosing, transferring personal data, and other activities that affect personal data.
2.5 “Data subject” refers to an individual representing or potentially representing the company (as mentioned in the Letter of Consent regarding the processing of personal data) in the process of accessing, understanding, using, or being involved in the operation and provision of VISAHO's services.
2.6 "The personal data controller" is the agency, organization, or individual that decides the purpose and means of processing personal data.
2.7 "Personal data processor" refers to an agency, organization, or individual that processes personal data at the request of the personal data controller or the personal data controller and processor through a contract.
2.8 "The personal data controller and processor" refers to the agency, organization, or individual that determines the purpose, means, and directly processes personal data.
2.9 "Third parties" are organizations or individuals other than the subject of personal data, including the personal data controller, the personal data controller and processor, and the personal data processor, who participate in the processing of personal data as prescribed by law.
3. Applicable subjects
This Personal Data Protection Policy applies to the following:
1) Working under employment contracts, probationary contracts, training, internships, service contracts, seasonal work, and seconded personnel.
2) Applying for positions at VISAHO through all recruitment channels, including but not limited to applying via the recruitment website, Facebook, LinkedIn, Zalo, referrals, etc.
3) Providing personal data to the Management Board and projects under VISAHO's management in accordance with the management regulations applied at the buildings and projects managed by VISAHO.
4) Conducting transactions and signing contracts and agreements with VISAHO.
Data subjects must carefully read this Policy, including any revised and supplementary versions, before providing personal data to VISAHO. The data subject's consent will be based on the data subject's voluntary consent through written documents, recorded calls, consent via text message, email, or other methods as prescribed by law (Article 6 of Decree 356). This constitutes confirmation that the data subject has read, understood, and fully grasped the content of this Policy and voluntarily agrees to allow VISAHO to process personal data in accordance with the entire content of this Policy, including any revised and supplementary versions of the Policy updated and published on the Website/Application, contact/information channels, and other storage platforms at any given time by VISAHO and in accordance with relevant laws. If the data subject does not agree with any part of this Policy, please do not provide/send personal data to VISAHO.
4. Types of personal data processed
Data subjects must carefully read this Policy, including any revised or amended versions, before providing data to VISAHO. The data subject must:
1) Working under employment contracts, probationary contracts, training, internships, service contracts, seasonal work, and seconded personnel.
2) Applying for positions at VISAHO through all recruitment channels, including but not limited to applying via the recruitment website, Facebook, LinkedIn, Zalo, referrals, etc.
3) Providing personal data to the Management Board and projects under VISAHO's management according to the management regulations applied at the buildings and projects managed by VISAHO.
4) When conducting transactions and signing contracts with VISAHO, depending on the time and purpose of data processing, VISAHO will collect and process personal data, including basic personal data and possibly sensitive personal data.
5. Purpose of processing personal data
5.1 VISAHO may process personal data for one or more of the following purposes:
1) Recruiting, managing, and employing workers in accordance with current labor laws;
2) Identifying, verifying, and checking customer information;
3) Maintaining contact with customers, providing support, and answering customer inquiries related to the management and operation of VISAHO-managed projects;
4) Marketing and promoting the company's image;
5) Promptly and timely notifying customers of information regarding the building or project managed by VISAHO and/or information about activities and events of the building or project managed by VISAHO;
6) Investigating accidents, resolving disputes and complaints, and other activities to comply with obligations under Vietnamese law;
7) Storing, managing, and providing backup for incident recovery or other similar purposes;
8) Detect, prevent, investigate, and handle activities that violate VISAHO's policies and regulations and/or Vietnamese laws;
9) Comply with legal regulations and requirements of competent state agencies, including but not limited to the obligation to disclose information and report as required by law regarding promotions, record keeping, and auditing;
10) Share, transmit, and provide personal data to other third parties (for the purposes mentioned above and other appropriate purposes), including but not limited to: affiliated companies, other companies belonging to the same branch; parent company, partners, agents, suppliers of goods/services, contractors, consultants of VISAHO, etc., or at the request of competent state agencies.
11) For any other purpose required or permitted by any law, regulation, guideline and/or competent State Authority.
12) To serve other purposes related to VISAHO's business operations that VISAHO deems appropriate at any given time.
13) Customer surveys and other reasonable purposes related to those stated above.
5.2 VISAHO will require permission from the data subject before using their personal data for purposes other than those stated in section 5.1 above and will process personal data in accordance with relevant laws on personal data processing.
6. Methods for processing personal data
6.1 Personal Data Collection
For VISAHO to conduct business activities, VISAHO may need to and/or be required to collect personal data, including: (i) Basic personal data and (ii) Sensitive personal data relating to the Data Subject.
6.2 Methods for processing personal data
Depending on the time and purpose mentioned above, VISAHO will perform activities affecting personal data, including one or more of the following: collecting, analyzing, aggregating, encrypting, decrypting, modifying, deleting, destroying, de-identifying, providing, publishing, transferring personal data, and other activities affecting personal data. VISAHO may perform personal data processing activities automatically or non-automatically, using electronic means, manual methods, or any other method that VISAHO deems appropriate.
VISAHO strictly applies protective and security measures during the processing of personal data, including protection against violations of regulations on personal data protection and prevention of loss, destruction, or damage due to incidents, using technical measures. However, please note that VISAHO cannot eliminate the security risks associated with processing personal data.
7. Start time and end time of data processing
VISAHO will begin processing personal data as soon as it receives it until:
- Upon receiving a written request to terminate the processing from a competent State agency; or
- Personal data is deleted or destroyed in accordance with the law and/or regulations and decisions of VISAHO at any given time.
- Upon receiving a request to withdraw consent to the processing of personal data, restrict the processing of personal data, or object to the processing of personal data in accordance with the procedures of the data subject, VISAHO will respond within 2 working days, providing the data subject with full information on the procedure for ceasing the processing of personal data and implementing it within 15 days. Depending on the nature and complexity of the request, if an extension of processing time is needed, it will be extended a maximum of 15 days. VISAHO will inform the data subject of the reason for the extension and will be responsible for proving that the extension is necessary and reasonable. (Clause 2, Article 5, Decree 356)
- Upon receiving a request to delete personal data in accordance with the procedures from the data subject, VISAHO will respond within 2 working days, provide the data subject with complete information about the procedures, and complete the deletion within 20 days. (Clause 4, Article 5, Decree 356).
However, in this case, VISAHO stores the necessary information of members to fulfill the contract signed by the parties; and provides information when requested by state agencies (such as the Tax Authority for document and invoice inspections, other state agencies, etc.). Withdrawing the data subject's consent in this case does not affect the legality of the activities of collecting, storing, and using personal information previously provided by members to VISAHO.
8. Parties involved in the processing of personal data
For the personal data of the Data Subject, VISAHO acts as the Personal Data Controller and/or the Party responsible for controlling and processing personal data in accordance with the current Law on Personal Data Protection.
To fulfill the purposes of processing personal data as stated in Section 5, VISAHO may share and transfer personal data to the following parties, in Vietnam or outside the territory of Vietnam:
1) The personal data processor, and other personal data controller and processor under contract or agreement with VISAHO;
2) Relevant third parties, including but not limited to: parent company, subsidiary, affiliated company, partners, agents, suppliers of goods/services, contractors, and consulting units of VISAHO;
3) Competent state agencies when required by law.
In cases where the aforementioned processing of personal data includes the transfer of personal data abroad, VISAHO will comply with the regulations on transferring personal data abroad as stipulated in the Law on Personal Data Protection and its implementing decree, including the creation and retention of a Data Impact Assessment File for cases falling within the scope of this requirement.
VISAHO requires the Personal Data Processor, other Personal Data Controllers and Processors, and the aforementioned third parties to enter into contracts/agreements for personal data processing and to commit to applying personal data protection measures no less stringent than those required in this Policy and applicable laws on personal data protection.
9. Rights and obligations of data subjects (Article 4 of the Law on Personal Data Protection, effective January 1, 2026)
9.1 The rights of the subject of personal data include:
1) To be informed about the processing of personal data;
2) To agree or disagree, or to request the withdrawal of consent to the processing of personal data;
3) To view, edit, or request the editing of personal data;
4) To request the provision, deletion, or restriction of the processing of personal data; to submit requests for the recourse to the processing of personal data;
5) To file complaints, denunciations, lawsuits, or claims for compensation for damages as prescribed by law;
6) To request competent authorities or agencies, organizations, or individuals involved in the processing of personal data to implement measures and solutions to protect their personal data as prescribed by law.
9.2 Responsibilities of the Data Subject
1) Protect their own personal data;
2) Respect and protect the personal data of others.
3) Provide complete and accurate personal data as required by law, by contract, or when consenting to the processing of your personal data;
4) Comply with laws on personal data protection and participate in preventing and combating activities that violate personal data.
9.3 When exercising their rights and fulfilling their obligations, subjects of personal data must fully comply with the following principles:
1) Comply with the law; fulfill the obligations of the personal data subject under the contract. The exercise of the rights and obligations of the personal data subject must aim to protect the legitimate rights and interests of the personal data subject;
2) Do not hinder or obstruct the exercise of the legal rights and obligations of the personal data controller, the personal data processor, or the personal data handler;
3) Do not infringe upon the legitimate rights and interests of the State, agencies, organizations, or other individuals.
10. Regulations regarding the collection and use of images
In cases where employees, customers, etc. (also known as "Data Subjects") agree and allow VISAHO to collect, store, and use their images in VISAHO's Public Relations and brand promotion activities, VISAHO will have the right to store and use the images of the "Data Subject" for the period necessary to fulfill the Public Relations purposes below, or until the Data Subject withdraws their consent:
1) Advertising for VISAHO's business or using it to promote VISAHO's image to the public
2) Posting on websites, newspapers, social media, or other media
3) Including in VISAHO's magazines, handbooks, or internal publications
4) Introducing VISAHO's products or services
5) Other purposes consistent with the law that do not harm the honour, dignity, or reputation of the "Data Subject".
By agreeing to allow VISAHO to collect, store, and use their images, the "Data Subject" agrees to the following:
1) The data subject agrees to provide and allow VISAHO to use the images free of charge (without copyright fees or image royalties) for the purposes stated above. The data subject has the right to withdraw consent to the use of images at any time; however, the withdrawal of consent will not have retroactive effect on media publications legally released by VISAHO before the request was received.
2) The ‘’data subject’’ agrees that their images may be used in print and/or electronic formats. VISAHO will take appropriate measures to ensure that the ‘’data subject’’'s images are used solely for the intended purposes. However, the “Data Subject” understands that VISAHO cannot eliminate all risks and agrees that VISAHO is not liable for:
(i) how such images are used by websites, social networks, publishers or other third parties without VISAHO’s consent
(ii) the consequences arising therefrom.
The consent of the "Data Subject" is voluntary, not compulsory, and will be expressed by signing to confirm.
VISAHO reserves the right to amend, supplement, or modify the content of this Policy depending on the times, and such amendments will take effect immediately upon being posted on the Website/Application or other official contact/information channels of VISAHO.
11. Storing personal data
Personal data is stored, managed, and secured by the Company in accordance with the Company's regulations. The Company will take reasonable measures to protect personal data in accordance with the Personal Data Protection Policy and legal regulations during the storage process.
The company retains personal data for the period necessary to fulfill the purposes under the agreements, contracts, and written documents signed by both parties and in accordance with this Personal Data Protection Policy, unless a longer retention period for Personal Data is required or permitted by the Data Subject and applicable legal regulations.
12. Other regulations
VISAHO reserves the right to amend, supplement, or adjust the content of this Policy depending on the time, and such amendments will take effect immediately upon the decision and will be posted on the Website/Application or other official contact/information channels of VISAHO.
If the Data Subject does not agree with any part of the modified content, please cease accessing, participating in, submitting personal data to VISAHO and/or exercising the Data Subject's rights as set out in this Policy and under relevant laws.
13. Enforcement Clause
- Applicable forms:
· Request form for exercising data subject rights - HR-BM01
· Letter of consent for processing personal data - HR-BM02
Contact Information for Processing Personal Data:
• For employees working at VISAHO:
o Human Resources Department: 024 3221 6336. The Human Resources Department is designated as the VISAHO representative to process the personal data of employees working at VISAHO.
• Management Boards, projects, and departments under VISAHO are designated as VISAHO representatives to process personal data of customers and partners related to management and professional work.
- This policy takes effect from the date of signing.
- Matters not addressed in this policy will be governed by law.
- This policy is prepared in both Vietnamese and English. In case of any discrepancies between the Vietnamese and English versions, the Vietnamese version shall prevail.
- In the event of dispute, the parties shall prioritise resolving the dispute through negotiation. If negotiation fails, they have the right to request a competent court to resolve the dispute in accordance with the law.
