Privacy Compliance Joint Stock Company (“PC”, “we”, “us” or “our”) publishes this Privacy Notice (“Notice”) to clarify how we collect, use, disclose, and store personal data in our role as a Personal Data Controller and Processor as well as the rights and obligations of our clients and partners (collectively referred to as “you” or “your”) in respect of these activities.
This Notice is integral to the terms and conditions governing the relationship between you and us if referred to in any related agreement. However, regardless of the validity of any agreement or other document entered into or established between you and us, this Notice is always in effect for you until we terminate the processing of your personal data.
Interpretation of terms
- PC stands for Privacy Compliance Joint Stock Company (including legal successors), and its branches, representative offices, and business locations (hereinafter collectively referred to as “PC”, “we”, “us” or “our”).
- Client is understood as an individual client (i) interested in PC’s services and products through direct marketing channels, accessing websites, online sales applications/platforms, communication channels, our social networks, etc.; or (ii) has entered into a service agreement with PC.
- Partner is understood as existing or potential individuals providing services and products for PC.
- Personal Data (“PD”) is information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment associated with a particular natural person or helps to identify a particular natural person. Personal Data includes basic Personal Data and sensitive Personal Data.
- Within the scope of this Notice, “Personal Data Controller”, “Personal Data Processor”, “Personal Data Controller and Processor”, “Data Subject”, “Basic Personal Data”, “Sensitive Personal Data”, “Personal Data Processing”, “Third-party” and other terms will have the meaning set forth in Decree 13/2023/ND-CP of the Government on Personal Data protection and amending, supplementing and replacement documents from time to time (“PDPD”).
Personal Data Processing Purposes
PC will only process your Personal Data for the purposes below (“Purposes”) through the following specific processing activities:
1. Providing services and products
Via the following activities:
- Introduce, offer, market, and provide information about services and products to you or receive introductions and offers of services and products from you;
- Verify your identity and/or legal status;
- Conduct due diligence checks and risk assessment/analysis, such as assessing your documents, financial capacity, etc. if you are our client;
- Process, manage or verify your eligibility for the provision of services or products;
- Enter into, maintain and manage agreement of service and product provision with you;
- Provide or receive services, products and/or services arising or related to agreement with you;
- Contact and correspond with you regarding services and products;
- Make or receive payments for services and products according to agreements with you;
- Carry out necessary internal activities to provide or receive services and products according to agreements with you;
- Change, add, cancel or extend your agreement of service or product provision with us.
2. Safety and Security
Via the following activities:
- Prevent, detect and investigate (if necessary) fraud, scams, violations of law or crimes related to your or our activities;
- Protect our personnel, assets, and legitimate interests and relevant parties (if any);
- Manage compliance with our terms and conditions, notices and regulations;
- Contact to resolve security issues related to you;
- Manage entry and exit to premises and workplaces.
3. Support the provision of services and products
Via the following activities:
- Send or receive, investigate and resolve issues, questions, comments, and feedback related to services and products;
- Manage and improve our feedback system;
- Guide you to perform necessary activities to resolve problems related to services and products;
- Allow our other partners to access, support and manage the provision/use of services and products;
- Exercise our rights to claim against any third person related to you.
4. Enterprises Administration and Operations
Via the following activities:
- Prepare financial reports, synthesize and report business activities or other related reports according to our internal regulations and legal regulations;
- Manage our activities related to the provision/use of services and products according to agreement with you, our notices, internal regulations and the provisions of law;
- To carry out activities of organizing, arranging and restructuring businesses such as selling, dividing, separating all or part of the business, consolidating, merging, transforming businesses or expanding the scale of business activities, new establishments of subsidiaries, branches, representative offices, business locations of PC, etc.
5. Research and Development
Via the following activities:
- Conduct market research, surveys and analyze data related to services and products;
- Analyze and improve existing services and products;
- Test, research, develop, and create new services and products.
6. Legal and Litigation
Via the following activities:
- Comply with information provision requests according to the law or competent state agencies;
- Process your Personal Data based on the legal obligations that PC must perform;
- Initiate, comply, enforce or defend our rights and interests in legal disputes;
- Other purposes as prescribed by Vietnamese law.
7. Other purposes stated in the agreement between you and PC.
Types of Personal Data Processed
We may process your Personal Data including the following types of Basic Personal Data and Sensitive Personal Data:
1. Basic Personal Data
- Family name, middle name, first name as stated in the birth certificate, other names (if any);
- Date of birth; date of death or going missing;
- Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
- Personal images;
- Images and movements recorded by CCTV installed at our premises and other permitted locations;
- Phone number, ID card number, personal identification number, passport number, driver’s license number, license plate number, personal tax code number, social insurance number, health insurance card number;
- Marital status;
- Information about family relationships (parents, children);
- Information about your digital accounts, Personal Data reflecting your activities, history of activities in cyberspace;
- Other information associated with a particular natural person or helps to identify a particular natural person that is not Sensitive Personal Data, which may include (but is not limited to):
- Signatures (including both electronic signatures and digital signatures) and writing;
- E-mail address;
- Contact address; billing address;
- History and content of communications and exchanges between you and us;
- Information about your employment status (if related to the provision of services or products);
- Work experience and professional qualifications;
- Information about degrees, certifications, and licenses related to providing services and products to us;
- Other data relating to the conclusion, performance and termination of the agreement between you and us.
2. Sensitive Personal Data
- Information about client’s accounts at credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations;
- Other Personal Data that are regarded by law as specific and require necessary security measures.
Where and How Personal Data is Processed
1. Location of Personal Data Processing
We may process your Personal Data in Vietnam or in a location outside Vietnam. The overseas transfer of data will be based on your consent and for the Purposes to which you have consented, or pursuant to the laws.
When transferring your Personal Data to another country, we will comply with this Notice and applicable laws and will require the receiving party to process and protect your Personal Data appropriately and adequately in accordance with applicable laws through binding documents.
2. Sources of Personal Data Collection
We may collect your Personal Data from the following sources:
- Directly from you when you (a) communicate, correspond, interact with us or our Personal Data Processors (through face-to-face meetings, mail, telephone, online communications, social networks, surveys and other means); (b) provide us or our Personal Data Processors with documents containing your Personal Data, such as your legal identification documents, certificates, professional qualifications, etc; or (c) through the provision of services and products under the agreement with you;
- From parties related to you (such as your employer, guardian, etc.);
- From competent state agencies, organizations or individuals (e.g. a judgment or decision of the Court) or where the collection is based on a legal basis (for example, collecting from state agencies to fulfill our statutory obligations) or where Personal Data is collected from publicly available sources (e.g. public databases, advertising information, data published on electronic informational sites) (if any);
- Through audio and video recording devices at our premises or other permitted locations.
In cases where we do not collect Personal Data from you, we ensure that we only collect such data lawfully from entities that have the right to share it with us based on your consent or other legal bases.
In case the client or partner is an organization, to the extent that the organization has provided or will provide any Data Subjects’ Personal Data to PC (e.g. directors, shareholders, employees, authorized representatives, agents, etc.), the organization shall ensure that it (i) has informed the subject of our processing of their Personal Data in accordance with this Notice; (ii) has obtained legal consent and has evidence of such consent to provide to PC upon request; or there is another legal basis for us to process Personal Data in accordance with this Notice; and (iii) fully complies with relevant legal regulations on Personal Data protection.
3. Methods of Processing Personal Data
In processing your Personal Data, we may use different methods, including manual processing, mechanical processing or automated processing. The aforementioned means may be used individually or together to process Personal Data.
We may process your Personal Data directly or through Personal Data Processors in accordance with the applicable laws. When processing Personal Data via Personal Data Processors, we will establish binding agreements and select Personal Data Processors with appropriate safeguards.
Organizations and Individuals Authorized to Process Personal Data
In addition to PC, the following organizations and individuals may process your Personal Data for the Purposes stated in this Notice:
- Personal Data Processors we engage to carry out a specific Purpose (if any);
- Partners and suppliers of products and services for PC;
- Clients to whom PC provides products or services that may be related to you;
- Our legal successors when we carry out the sale, total or partial division/separation, consolidation, merger and transformation of the business;
- Entities notified by you as authorized to interact with us on your behalf;
- Entities in connection with the exercise or maintenance of any rights of PC under agreement between you and us;
- The competent state agencies or other units to whom Personal Data must be disclosed in accordance with applicable laws.
Your Personal Data will only be shared with the above relevant parties with your consent or where permitted by law; and will be guaranteed to be treated and protected to a level not lower than that provided in this Notice.
Unwanted Consequences and Damage that could occur
PC applies various necessary and appropriate safeguards to protect your Personal Data from violations, unwanted consequences or damages, including managerial, organizational, technical and legal measures.
However, due to subjective and objective reasons, no data can be guaranteed to be 100% secure. Possible unwanted consequences and damage may include:
- Loss of Personal Data;
- Personal Data is shared illegally;
- Inaccurate data which leads to the provision of inappropriate products or services or the Data Subject’s requests not being met;
- Data Subjects can become victims of phishing attacks, identity theft, etc.
We always do our best to protect your Personal Data and the above incidents are not what we wish for. In case such incidents occur, we will resolve them according to the provisions of the law.
Retention of Personal Data
PC will only retain your Personal Data for the period necessary to fulfill the Purposes for which you have consented in advance unless a longer retention period is required or permitted by law.
The commencement of data processing is when we collect your Personal Data and the end date will depend on your agreement with us and the processing Purposes or applicable law.
When (i) the processing Purposes have been completed or (ii) your Personal Data is no longer necessary for the processing Purposes or (iii) there is a lawful request from you and we have no other lawful basis to retain your Personal Data or (iv) in accordance with the law or requests from competent authorities, we will delete, irrecoverably delete or destroy your Personal Data in a secure manner.
Your Rights, Obligations, and Our Commitments
1. Your Rights regarding Personal Data
Unless otherwise provided by law, as a Data Subject, you have the right to be informed, give consent, withdraw consent to our processing of Personal Data, request provision, access, rectification and deletion of your Personal Data. You also have the right to restrict or object to our processing of Personal Data and other statutory rights such as to file complaints, denunciations, lawsuits, claim damages and self-defense.
We would like to note that:
- Your rights may be restricted by law. We will then rely on applicable laws to perform the processing of Personal Data.
- We will take measures to verify requests from you or your legally authorized person. Unreasonable or illegal requests will be denied. In this case, we will respond to you with the reason for denying the request within a reasonable time, unless a response time period is required by applicable laws.
- Risks and negative effects may arise from your act of not providing Personal Data, or the exercise of your rights, such as withdrawing consent, requesting deletion of Personal Data or restricting, or objecting to our processing of your Personal Data.
2. Your Obligations regarding Personal Data
As a Data Subject, you are obligated to:
- Provide your complete and accurate Personal Data as required by law and PC;
- Ensure our right to lawful processing of other Data Subjects’ Personal Data that you provide to us;
- Timely notify us of changes or errors in the Personal Data provided to us (if any) and signs, incidents, events, situations or violations related to Personal Data;
- Comply with the laws on Personal Data and respect and protect the Personal Data of other Data Subjects;
- Indemnify and hold us harmless from and against all losses, damages, liabilities, claims and the like arising in any forms from the processing of your Personal Data that is related to us.
We would like to note that your failure to comply with the above obligations and other obligations prescribed by laws may affect the legitimate rights and interests of yours, ours and those of relevant parties. In that case, you will be responsible before the law, PC and relevant parties for non-compliance with your obligations.
3. Our Commitments regarding Personal Data
- PC will only process Personal Data based on your consent unless otherwise provided by law.
- Your Personal Data is processed and protected in accordance with PC’s regulations, commitments and the applicable laws.
- When processing your Personal Data, we will comply with the following principles: (i) Lawfulness; (ii) Transparency; (iii) Purposes limitation; (iv) Data minimization; (v) Accuracy; (vi) Storage limitation; (vii) Confidentiality and Integrity; and (viii) Accountability.
Processing of Personal Data in Special Cases
1. Children’s Personal Data
We do not knowingly collect or solicit Personal Data from children (as prescribed by laws from time to time). If we learn that we have collected Personal Information from a child, we will delete that information as quickly as possible. If you believe that a child may have provided us their Personal Information, please contact us.
2. Personal Data of People Declared Missing or Deceased
Unless otherwise provided by laws, the processing of the Personal Data of a person declared missing or deceased requires the consent of that person’s spouse or adult children; in the absence of such persons, the consent of the father or mother of the person declared missing or deceased is required.
If you provide PC with the Personal Data of a person declared missing or deceased, you must ensure that you have obtained the legal consent as above.
Amendments and Updates
We reserve the right to amend, supplement and update this Privacy Notice from time to time.
The latest version will be posted on our website (privacycompliance.vn).
You are advised to regularly update the latest version of this Notice and our regulations and notices sent to you or posted on PC’s website.
Please contact us directly if you wish to exercise your rights set out in this Notice or have any questions about this Notice and our processing of Personal Data.
- Address: 9th floor, TH Tower, 3/98 Vu Trong Phung street, Thanh Xuan district, Hanoi.
- Tel: [..]
- Email: Info@privacycompliance.vn
This Privacy Notice goes into effect seven (07) days after the date of publication (date […]).
You have carefully read and understood this entire Notice and clearly understand and agree that this Notice is a Notice of Processing of Personal Data as prescribed in PDPD. To the extent permitted by law, this Notice, when confirmed by you and/or included in contracts or agreements between you and us, shall also be deemed to constitute a valid consent and a lawful basis for us to process your Personal Data.
Matters not specified in this Notice will be resolved in accordance with the provisions of laws, notices and other documents issued by PC or according to agreements between us and relevant parties. If any provision in this Notice is illegal or inconsistent with the law, the provisions of applicable laws will prevail.
[This Privacy Notice is made in English and Vietnamese with the same legal validity. In case of conflict, Vietnamese shall prevail.]