Personal Data Protection Policy

PERSONAL DATA PROTECTION POLICY OF VISAHO JOINT STOCK COMPANY

 

1. Purpose

Implement the contents on personal data protection specified in Decree No. 13/2023/ND-CP dated April 17, 2023 of the Government on Personal Data Protection effective 1 July 2023.

Visaho Joint Stock Company (“VISAHO”) always attaches great importance to compliance with the law in general and the law on the protection of personal data (“personal data”) in particular when collecting, recording, analysis, validation, storage, editing and sending personal data abroad etc. for personal data (hereinafter collectively referred to as “processing of personal data”).

Therefore, VISAHO develops and communicates this Personal Data Protection Policy (“Policy”) to all data subjects (“data subjects”) specified in section 2 below.

2. Interpretation of terms

2.1   “Personal data” is information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment that is associated with a specific person or helps identify a person specifically. Personal data includes basic personal data and sensitive personal data.

2.2   “Basic personal data” includes the following information:

1) Full name, middle name and birth name, other name (if any);

2) Date of birth; day, month, year dead or missing;

3) Sexual;

4) Place of birth, birth registration, permanent residence, temporary residence, current residence, hometown, contact address;

5) Nationality;

6) Personal image;

7) Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;

8) Marital status;

9) Information about family relationships (parents, children);

10) Information about the individual’s digital account; Personal data reflects activities, history of activities in cyberspace;

11) Other information relating to a specific person or helping to identify a specific person is not included in sensitive personal data.

2.3   “Sensitive personal data” is personal data associated with an individual’s privacy that, when violated, will directly affect the legitimate rights and interests of the individual includes:

1) Political views, religious views;

2) Health status and private life are recorded in the medical record, not including blood type information;

3) Information related to racial or ethnic origin;

4) Information about inherited or acquired genetic characteristics of an individual;

5) Information about the individual’s physical attributes and biological characteristics;

6) Information about an individual’s sex life and sexual orientation;

7) Data on crimes and offenses are collected and stored by law enforcement agencies;

8) Customer information of credit institutions, foreign bank branches, payment intermediary service providers and other authorized organizations includes: customer identification information as prescribed by law, information account information, deposit information, information about deposited assets, transaction information, information about organizations and individuals being the guarantor at credit institutions, bank branches, payment intermediary services;

9) Personal location data identified through location services;

10) Other personal data required by law is unique and requires necessary security measures.

2.4   “Processing of personal data” is one or many activities on personal data, including the collection, recording, analysis, confirmation, storage, modification, disclosure, combination, access, retrieval, collection recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions.

2.5   “Data subjects” is an individual who represents or may represent the Company (as mentioned in the Letter of Consent for Processing Personal Data) in the process of accessing, studying, using or involved in the operating process and services provision of VISAHO.

3. Subjects of application

The Policy apply to the following subjects:

1) Work under labor contracts, probationary contracts, training, internship, service, seasonal contracts... and dispatched personnel.

2) Apply for job positions at VISAHO through all recruitment channels including but not limited to applying through recruitment websites, facebook, linkedin, zalo websites, via candidate referrals policy etc.

3) Provide personal data to the Management Board and projects under VISAHO according to operational management regulations applied at the buildings and projects managed by VISAHO.

4)     Carry out transactions and sign contracts and agreements with VISAHO.

Data subjects should carefully read this Policy, including revised and supplemented versions of the Policy, before providing personal data to VISAHO. That Data subjects who

1) Work under labor contracts, probationary contracts, training, internship, service, seasonal contracts... and dispatched personnel.

2) Apply for job positions at VISAHO through all recruitment channels including but not limited to applying through recruitment websites, facebook, linkedin, zalo websites, via candidate referrals policy etc.

3) Provide personal data to the Management Board and projects under VISAHO according to operational management regulations applied at the buildings and projects managed by VISAHO.

4)     Carry out transactions and sign contracts and agreements with VISAHO.

is a confirmation of having read, understood, and fully understood the contents of this Policy and voluntarily and agreeing to allow VISAHO to process personal data in accordance with the entire content of this Policy, including all Amendments and supplements to the Policy which are updated and published on VISAHO's Website/Application, contact/information channels and other hosting platforms time to time and in accordance with relevant laws. If the data subjects do not agree with any part of this Policy, please do not provide/submit personal data to VISAHO.

4. Types of processed personal data

Data subjects should carefully read this Policy, including all Amendments and supplements to the Policy, before providing data to VISAHO. Regard for Data subjects who

1) Work under labor contracts, probationary contracts, training, internship, service, seasonal contracts... and dispatched personnel.

2) Apply for job positions at VISAHO through all recruitment channels including but not limited to applying through recruitment websites, facebook, linkedin, zalo websites, via candidate referrals policy etc.

3) Provide personal data to the Management Board and projects under VISAHO according to operational management regulations applied at the buildings and projects managed by VISAHO.

4)     Carry out transactions and sign contracts and agreements with VISAHO.

depending on the time and purpose of data processing, VISAHO will collect and process personal data including basic personal data and possibly sensitive personal data.

5. Purposes of processing personal data

5.1   VISAHO may process personal data for one or more of the following purposes:

1) Recruitment, labor management, employment... according to current labor laws;

2) Identify, authenticate and check customer information;

3)     Maintain contact with customers, provide customer support and answer customer questions related to operational management at VISAHO managed projects;

4)     Marketing activities and promoting the Company's image;

5)     Quickly and promptly notify customers of information about the building, VISAHO project managing operations and/or information about activities, event programs of the buildings under VISAHO’s management.

6)     Accident investigation, dispute resolution, complaints and other activities to comply with obligations under Viet Nam’s law;

7)     Storage, management, backup for incident recovery or other similar purposes;

8)     Detect, prevent, investigate and handle activities that violate VISAHO policies and regulations and/or violate Viet Nam’s laws;

9)     Comply with the provisions of law and requirements of competent state agencies including but not limited to the obligation to disclose information and report according to legal regulations on promotions, record keeping, audit;

10) Sharing, transmitting, giving personal data to other third parties (for the implementation of the above purposes and other relevant purposes), including but not limited to: affiliated companies, other companies belonging to the same branch; the mother companies, VISAHO partners, agents, goods/service suppliers, contractors, consultants, etc. or at the request of competent state units and agencies.

11) For any other purpose required or permitted by any law, regulation, guideline and/or competent State Authority.

12) To serve other purposes related to VISAHO's business activities that VISAHO deems appropriate time to time; and

13) To implement customer survey and other reasonable purposes related to those mentioned above.

5.2   VISAHO will request consent the data subject before using the data subject's personal data for other purposes which are not stated in section 5.1 above and will treat the data subject’s personal data in line with the relevant local law on processing personal data.

6. Processing of personal data

6.1   Collection of personal data

In order for VISAHO to be able to carry out its business activities, VISAHO may need and/or be required to collect personal data, including: (i) Basic personal data and (ii) Sensitive personal data cause related to the Data subjects.

6.2   Processing of personal data

time to time and depending on each of the above purposes, VISAHO will perform one or more activities processing personal data, such as: the collection, recording, analysis, confirmation, storage, modification, disclosure, combination, access, retrieval, collection recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data or other related actions.

Personal data processing activities may be carried out by VISAHO in an automated or non-automated manner, by electronic means or manual means or in any other manner that VISAHO considers appropriate.

VISAHO thoroughly applies protection and security measures during the processing of personal data, including protection against violations of regulations on personal data protection and prevention of loss, destruction or damage due to incidents, using technical measures. Please note, however, that VISAHO cannot completely eliminate security risks related to the processing of personal data.

7. Start time and end time of data processing

VISAHO will begin processing personal data immediately upon receipt of personal data until:

- Receive a written termination request a competent State agency; or

- Personal data is deleted and destroyed according to the provisions of law and/or regulations and decisions time to time by VISAHO.

- The data subject has a written request to withdraw his or her consent in accordance with the law. However, in this case, VISAHO is allowed to store the necessary information of members to carry out the contract that the parties have signed; Provide information when requested by State agencies (such as Tax Authorities checking documents, invoices, other state agencies...). Withdrawing the data subject's consent in this case does not affect the legality of the activities of collecting, storing, and using personal information previously provided by the member to VISAHO.

8. Organizations processing personal data and other organizations and individuals related to purposes of processing personal data

VISAHO and other third parties may be located in Vietnam or any other locations outside the territory, including but not limited to: affiliated companies, other companies belonging to the same branch; the mother companies, VISAHO partners, agents, goods/service suppliers, contractors, consultants, etc. will carry out the processing of personal data in relation to the purposes for which the personal data is processed.

VISAHO will take all measures to require these third parties to commit to implementing personal data protection requirements at least as required by this Policy and as required by law.

9. Rights and obligations of data subjects

9.1   Rights of data subjects

1)     Right to know: Data subjects have the right to know about their personal data processing, unless otherwise provided by law.

2) Right to consent: Data subjects are free to consent or object to processing their personal data, unless otherwise provided by law.

3) Right to withdraw consent: Data subjects have the right to revoke consent, unless otherwise provided by law.

4) Right to access: Data subjects have the right to access, view, and request correction of their personal data, unless otherwise provided by law.

5) Right to data: Data subjects have the right to request the deletion of his/her personal data, unless otherwise provided by law.

6) Right to restrict data processing: Data subjects can request to limit the processing of their personal data, unless otherwise provided by law;

The restriction must be carried out within 72 hours after the data subject's request, with all personal data that the data subject requests to restrict, unless otherwise provided by law.

7) Right to provide data: Data subjects can request a data controller to provide them with their personal data being processed, unless otherwise provided by law.

8) Right to object to data processing: Data subjects can prevent or limit the disclosure of personal data or the use of personal data for advertising and marketing purposes, unless otherwise provided by law.

The request must be fulfilled within 72 hours after receiving the request.

9) Right to complain, denounce and initiate lawsuits: Data subjects have the right to complain, denounce or initiate a lawsuit in accordance with the law.

10) Right to claim damages: Data subjects have the right to claim damages in accordance with the law when there is a violation of his/her personal data protection regulations unless otherwise agreed by the parties or otherwise provided for by law.

11) Right to self-defense: In accordance with the provisions of the Civil Code, other applicable laws, and this Decree, data subjects have the right to protect themselves, or they may request that competent agencies and organizations implement civil rights protection measures in accordance with the provisions of the Civil Code, other applicable laws.

9.2   Obligations of Data subjects

1) Protect your personal data; request other relevant organizations and individuals to protect their personal data.

2) Respect and protect other people's personal data.

3) Provide complete and accurate personal data when agreeing to process personal data.

4) Participate in propagating and disseminating personal data protection skills.

5) Implement legal regulations on personal data protection and participate in preventing and combating violations of personal data protection regulations.

10.  Regulations on image collection and use

In cases where employees, customers... (also known as "Data subjects") agree to allow VISAHO to collect, store and use their images in public communication and trademark branding activities, VISAHO will have the right to store and use the image of the "Data subjects" without time limit for the following purposes:

1) Advertising VISAHO's business or use it to introduce VISAHO's image to the public

2) Posting images on websites, newspapers, social networks or other media

3) Posting images in magazines, handbooks or internal publications of VISAHO

4) Using images to introduce VISAHO products or services

5) Other purposes in accordance with the law without harming the honor, dignity and reputation of "Data subjects".

That "Data subjects" agreeing to allow VISAHO to collect, store and use his or her images means:

1) "Data subjects" will not complain, or demand any costs regarding VISAHO's use of their images at the time of collection or in the future and will not withdraw consent in any cases.

2) “Data subjects” agrees that his/her images may be used in print and/or electronic formats, VISAHO will apply appropriate measures to ensure that the “Subject's” images data” will be used solely for its intended purposes. However, “Data subjects” understands that VISAHO cannot completely eliminate the risks and “Data subjects” agrees that VISAHO is not responsible for:

(i) the forms in which those images are used by websites, social networks, publishers or other third parties without VISAHO's consent

(ii) the consequences arising therefrom.

The consent of "Data subjects" is voluntary, completely optional and consent will be expressed by signing confirmation.

VISAHO, at any time, has the right to amend, supplement or adjust the content of this Policy and such amendments will take effect immediately at the time of posting on the Website/Application or contact channels/ Other official information of VISAHO.

11.  Storage of personal data

Personal data is stored, managed and secured by the Company according to the Company's regulations. The Company will take reasonable measures to protect personal data in accordance with the personal data protection Policy and legal regulations during storage.

The Company stores personal data for a period necessary to fulfill purposes of agreements, contracts, documents signed by both parties and according to this personal data protection Policy, unless the longer storage time is required or permitted by data subjects and applicable legal regulations.

12.  Other regulations

VISAHO, at any time, has the right to amend, supplement or adjust the content of this Policy and such amendments will take effect immediately at the time of decision and posted on the Website/Application or other documents. Other official contact/information channels of VISAHO.

If Data subjects do not agree with any part of the revised content, please terminate your access, participation, submission of personal data to VISAHO and/or implement data subject's rights as prescribed in this Policy and according to relevant laws.

13.  Implementation provisions

- Applicable forms:

·       Data Subject Rights Request Form - HR-BM01

·       Consent letter for processing personal data - HR-BM02

- Contact information for processing personal data:

·       For employees working at VISAHO:

o   HR Department: 024 3221 6336. HR Department is designated as VISAHO's representative department to process personal data of employees working at VISAHO.

·       Building management boards, projects, and functional departments under VISAHO are designated as VISAHO representative departments to process personal data of customers and partners related to operational management and professional works.

- This policy takes effect from the date of signing.

- Contents not mentioned in this Policy will be implemented in accordance with the law.

- This policy is prepared in Vietnamese and English. In case there is any difference between the Vietnamese and English versions, the Vietnamese version will prevail.

- In case of a dispute (if any), the parties prioritize resolving the dispute through negotiation. In case the negotiation fails, they have the right to request a competent Court to resolve it according to the provisions of law. /.