PERSONAL DATA PROCESSING NOTICE
PERSONAL DATA PROCESSING NOTICE
Effective Date: 1st July 2023 Version No: 1.0
If you are reading this Personal Data Processing Notice (the “Notice”) on behalf of a corporate entity/business enterprise or an individual which maintains and/or maintained contractual relationship with the Relia Vietnam JSC (as defined below), this Notice is intended to be addressed to, without limitation, such individual, the individual guarantor, obligor, corporate officers (e.g. authorized representatives/signatories/dealers and contact persons), directors, board members, member of board of director, employees, shareholders, beneficial owners or other personnel and related individuals of the corporate entity/business enterprise and of agents and partners, agents, consultants, contractors of the corporate entity/business enterprise (the “Relevant Individuals”) and “you” shall be construed accordingly to mean the Relevant Individuals. Please assist to make available this Notice to the Relevant Individuals in your corporate entity/business enterprise or such Relevant Individual.
Relia Vietnam JSC (included HoChiMinh Branch) (collectively referred to as “we“, “our“, “us“, the “company” or “RVN“) respect an individual’s privacy and comply with all applicable laws of Vietnam on personal data protection (“Personal Data Protection Regulations”) follow Decree No. 13/2023/NĐ-CP (released 17th April 2023, affected 1st July 2023)
This Notice sets out how we, as data controller and/or processor, will process personal data
Please read this Notice carefully before agreeing or disagreeing with us to process the personal data. By confirming consent, you acknowledge that You have read, understood, and fully agree with the entire contents of this Notice. In case you do not agree or only partially agree with the content of the Notice, you may send a document to RVN’s headquarters stating the parts you disagree with, then RVN will have the right to consider continuing to provide services or refuse to provide services or terminate agreements/contracts, subject to RVN’s policy and laws at that time.
1. Definition and interpretation
– “Personal Data Protection Regulations” means all the applicable data privacy laws and guidance, including Decree 13/2023/ND-CP dated 17 April 2023 on personal data protection (as amended from time to time) (“Decree 13”).
– “Personal data” means any information in the forms of symbols, writing, digits, imagines, sounds or similar forms on an electronic environment associated with a specific person or helping to identify a natural person. Personal data includes basic personal data and sensitive personal data.
– “Sensitive personal data” refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual’s legal rights and interests.
– “Data subject” means an individual to whom the personal data reflects. In this Notice, “you” or “your” also refers to the data subject whose personal data is maintained at us.
– “Personal data processing” is one or more activities that affect personal data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, recover, encrypt, decrypt, copy, share, transmit, provide, transfer, delete, destroy personal data or other related actions.
For purpose of this Notice, any party (including us) mentioned herein might include any directors, officers, board members, member of board of director, employees, shareholders or other personnel and related individuals of such party and of such party’s agents and partners, agents, consultants, contractors.
2. Whose personal data this Notice applies to
The Notice describes our practices when processing personal data of any data subjects in the context of relationships with corporate and individual customers, suppliers, service providers, merchants, partners, agents, financial institutions, tax auditor, competent authorities, governmental agencies, any third party in connection with our business or any products/services or relationship with customer or any other third parties from whom RVN receives or to whom RVN provides any product or service and/or with whom RVN enters into, negotiates or discuss for or in connection with any transaction or services and any of their personnel or authorized persons (collectively “Personal Data Provider(s)”).
In case you provide us with personal data that is not yours, you warrant and are responsible for obtaining the consent of that Data Subject to allow us to process their data pursuant to the purposes of processing stated in this Notice.
3. Personal data we collect and process
Depending on the purposes of personal data processing as described below, your personal data that we need to process may include, but not limited to, the following information, as the case may be
– Contact information such as details of family name, middle name, first name, other names, current and former addresses of permanent resident, temporary residence, current residence, contact address, hometown, phone/telephone number, email address or any other information we use to communicate with Personal Data Provider(s);
– Identity information such as details of contact information (mentioned above), employer, age, date and place of birth, place of birth registration, nationality, gender, photograph, information of identification card/ citizen identification card/ passport, personal identification number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number, marital status, or involves in any adverse news, which may include data about criminal convictions, crimes, criminal acts, family relationship or any other related information. This may extend to historic information about individuals including past employment and qualifications, political view, religious view and other sensitive personal data;
– Transaction information or any information obtained through or for purpose of or in connection with any services and/or products and/or support received or provided or consulted by us from or to Personal Data Provider, such as any information in relation to the accounts of any Personal Data Provider(s) (such as signature, finger print, token, facial image or other biometrics);
– Personal photo, such as photographs or video taken at events, from the information captured or recorded on security systems (including the footage or image on the closed circuit television (CCTV) or any photo from any documents submitted to us or other public or third party’s sources;
– Website or application information that is captured in our web or application logs such as device information, unique identification numbers (such as an IP address or device ID), browser information (e.g. browser type, pages visited, date/time of access), accessed resources, communication data, location data, data created as the result of operation and action of the user on the digital platform. This may also include information captured by any cookies and information captured on users of the website.
– Communications information including communication by email, phone, telephone, fax, post, device, application, platform, system or other electronic communications in the course of communicating with Personal Data Provider and providing services to or receive from the Personal Data Provider and including recordings of phone/telephone calls;
– Account access information where we provide on-line account access, log-inand similar credentials, and information about use of such access, personal data reflecting the activities or history activities of such individual on cyberspace; and
– Relationship information that helps us to understand more about how to conduct business and working with Personal Data Provider, their business requirements, and what types of products and services may be of interest to customers.
4. How we process personal data
We might collect certain personal data in the ordinary course of business and for compliance with the applicable regulations through any communication means, applications, cyberspace, equipment, electronic media or any other forms. We also may collect and receive these orally, in writing or electronically directly from the Personal Data Provider(s) or directly or indirectly through the transactions with or effect by Personal Data Provider(s) or through our checking and verification processes.
We use and process the personal data we collect to the extent necessary and legitimate and for the following purposes:
– Considering and processing applications for products or services, effecting any payments, transactions and fulfilling or completing instructions or requests of or in connection with our customers and/or Personal Data Provider(s);
– Providing products and services to you and/or Personal Data Provider(s);
– Performing our obligations, or exercising our rights, under our contracts or agreements or equivalent documents with Personal Data Provider;
– Sending letters, email or any other communications, by various methods, such as mail, email, telephone, chat, fax and other channels;
– Event management including inviting individuals to events;
– Performing a service level to which we are subject, which may include certain service or regulatory requirements such as the requirement to record certain telephone call;
– Recording and/or monitoring communications (including communication by email, phone, telephone, fax, post, device, application, platform, other electronic communications) between Personal Data Provider(s) and those of entities associated with Personal Data Provider(s) (as the case may be) and us. This will be done to comply with our internal procedures and policies, administration and support, assist with security, crime prevention and anti-fraud, investigate or detect unauthorized or wrong use or abuse of our services, system or other material to the extent permitted by applicable law and for legitimate purposes or other purposes required by law;
5. Who involves the personal data processing and/or has the right to process personal data for aforesaid purpose
We may disclose your personal data which we received to the extent necessary and legitimate for the purpose of disclosure, to the respective receivers as the case may be, including but not limited to, the following:
– To third parties who provide technical services, such as suppliers of software applications and other IT systems, and print services, etc. which we use to process that personal data;
– To third parties providing services to us such as our professional advisers (e.g. auditors and lawyers);
– To competent authorities such as tax authorities, courts, regulators, enforcement agency and other government agencies, security or police authorities or any other authorities and their agent where required or requested by law or where we consider it necessary (to the extent permitted by law); and
– To any person to whom disclosure is allowed or required by local Vietnam law, regulations or any other applicable instrument.
If the recipients are overseas, personal data may be sent to another country including countries with weaker privacy and data protection laws than in Vietnam. We will not otherwise disclose to third parties unless we have your permission or we are under a legal or similar obligation.
6. Where we will hold and how we secure personal data
6.1. We may transfer, maintain, store or process the personal information of data subject covered by this Notice on servers or databases inside or/and outside the Vietnam, in particular to our Hanoi head office, HCMC branches, and Relia group company at Japan. For example, we may be required to send to Relia group company in Japan the names of directors, officers, board members, staff members or shareholders of its corporate customers who are Japanese nationals or non-Japanese nationals (in the latter case, whether residing in Japan or otherwise) for screening checks.
6.2. We place great importance on ensuring the security of personal data entrusted to us. We regularly establish, review, implement and update reasonable and/or appropriate technical, physical and/or organizational security and precautionary measures and/or safeguards for processing of personal data, such as password-protected systems, multi-factor authentication, encrypted information and transmission, regular security scanning, antimalware controls, cyber monitoring, incident response management, upgrading system to check, patching up and security hardening and mitigate any vulnerabilities to cyber-attacks, regular training of employees in confidentiality, data privacy, information security, risk management, including handling personal data in a secure manner, etc.. We are also a highly regulated entity subject not only to Data Protection Regulations, but also laws and regulations on confidentiality in BPO industry which requires us to have strict policies, procedures and technical in place for risk management. Please note, however, that despite of taking reasonable and adequate precautions, safeguards and/or security measures, communication system, platforms (including electronic ones, or those are in cyberspace) are not error free and may involve transmission via servers and/or systems that are not under the our control and email transmissions may not be secure and are subject to risks, therefore, each individual must be cautious on information security when transmitting information through internet or cyberspace.
7. Retention for processing personal data
We might start to process the personal data of data subject covered by this Notice once we receive those and retain for as long as required to perform the purposes for which the data was collected, depending on the legal basis on which that data was obtained and/or whether additional legal/regulatory obligations mandate that we retain the personal data.
In general terms, this will mean that personal data will be kept for the duration of our relationship with or in connection with the data subject and the period required by laws and regulations; and
– As long as it is necessary where we deem necessary and/or in accordance with our internal policies for individuals to be able to bring a claim against us and for us to be able to defend ourselves against any legal claims. This will generally be the length of the relationship plus the length of any statutory limitation period under applicable law.
– As long as reasonably and necessary in connection with our internal operation, policy, management, administration and maintenance requirements (including, but not limited to, technical, systems, security, record-keeping, risk management, audit, monitoring, security and/or surveillance measures and/or limitations.
– In certain circumstances, personal data may need to be retained for a longer period of time, for example, where we are in ongoing correspondence or there is a continuing claim or investigation.
After the retention period, we may destroy, dispose, discard or take any proper action in regard to the personal data in any reasonable, practicable and proper manner as we understand to be permitted by laws. We will not be obliged to return or destroy the said personal data if not reasonably possible or practicable.
8. Data subject’s rights and obligations in relation to the personal data
8.1. An individual may have certain rights in relation to their personal data which RVN processed about such individual, as provided under Data Protection Regulations. Those may include rights to access, correct the data or object to process, delete the data.
8.2. We recognize and uphold the right of the data subjects, however, your request for implementing such rights may be subject to applicable laws and regulations, this Notices, our agreement with you, our policies, procedures, restrictions and/or requirements, which may include but not limited to:
– that the request be in good faith, for reasonable purpose and within a reasonable scope;
– that the request be subject to our verification measures and/or requirements, including, but not limited to identifying you as the data subject;
– that the request be in writing, indicating the specific purpose and scope of the action requested, and, if required by us, accompanied with satisfactory proof that such action requested is warranted;
– that the request and/or proposed date of action requested is subject to our approval as we may have to carry out preliminary actions, including, but not limited to, assessing the feasibility, validity and/or legitimacy of the request, compliance with our requirements, impact on other information (e.g. personal data and confidential information of others), preparing access and/ or isolating the data;
– that the manner, format and/or method of performance of the action requested shall be determined by us as we may have to determine the same in relation to different factors such as our obligations of confidentiality to you and/or other persons (whether under laws, contract or otherwise), security, surveillance measures, safety requirement, legal and/or regulatory obligations and preserving the integrity and confidentiality of the information;
– that you be subject to and observe our security, confidentiality, privacy and/or other policies and procedures;
– that the request be subject to the personal data still being retained by us in a form that be practicability and reasonably acted on;
– that the request will not cause or threaten to cause: (1) us to breach our obligations under the laws and regulations or our obligations to other person or another person’s rights under applicable laws and regulations or otherwise; (2) a security breach or otherwise impact on our security; (3) information held by us to become false, inaccurate, unintelligible or misleading; (4) a failure or error in our system; or (5) a violation of our intellectual property rights, proprietary rights and/or privacy or confidentiality rights;
– Any action that shall be requested by data subject may be denied by us: (1) when the requests are recurring within a short time interval, (2) where granting such request could compromise the privacy of another person or unreasonably expose sensitive, confidential and/or proprietary information, (3) where there are any similar or analogous circumstances or where there are other reasonable circumstances justifying the denial and/or (4) pursuant to any of our agreements or our company policies;
– That we may take measures to redact or prevent the disclosure of trade, industrial and/or other business secrets, confidential and/or proprietary information and/or any other information the disclosure which could endanger or compromise our information systems, and/or any expose to harm the confidentiality, integrity, and/or availability of information (including, but not limited to, personal data) under our control or custody;
8.3. We take reasonable steps to ensure that personal data is accurate, complete and updated, however, you have shared responsibility with regard to the accuracy of your personal data and should timely update with us of any change to the data. While we recognized the right of data subject to access and/or correct any personal data held by us, this may be subject to the requirements set out in this Notice, our agreements with you and/or our policies, procedures, laws and regulations. We also may use our reasonable discretion in allowing the correction requested and/or may require further evidence of new information to avoid any fraud or inaccuracy.
8.4. As we have no control over your request, your request may increase our risk and/or may impact on our business, operation and/or dealings with you and others, you may be required to hold us free and harmless and indemnify us for any claim, losses, expenses or liabilities we may incur in connection with your request.
8.5. Please note that the exercise of your rights (including, but not limited to, withdrawal of your consent to any part or aspect of the processing may put us in a position where we can no longer transact, deal with and/or communication with or in relation to you.
8.6. If you would like to exercise, or discuss, any of these rights, you should submit your request in writing to us to the address indicated herein and provide sufficient information to allow us to understand the scope of the request.
9.Consequences and damaged that might occur while processing the personal data
In the process of data processing, Company always tries to comply with legal regulations, ensure security barriers, apply measures to ensure information system safety as much as possible in order to keep Personal data secure the personal data at the highest level. However, for technical reasons or other reasons beyond the control of RVN, data loss and information leakage may still occur and cause undesirable consequences and damages to data subject and/or us. In this case, RVN will do the best to repair and strengthen the security barrier, minimizing damage to the Board. In addition, within the legal framework, Company will notify the related parties of violations within the statutory time limit. Compensation for damages, if any, in the event of a breach of regulations on the protection of personal data will also be affected by agreement or by law.
10. Changes to this Notice
This Notice may be updated from time to time and the updated version will be posted on website or sent to you. You are advised to visit our website regularly to check for any amendments.
11. How to Contact Us
If you have any questions, request or concerns in regard to this Notice or our data processing practices, you can contact us at the relevant address below:
* Relia Vietnam JSC – Hanoi center
Address: 10th Floor, Detech II Building, 107 Nguyen Phong Sac, Dich Vong Hau Ward, Cau Giay District, Hanoi
* Relia Vietnam JSC – HoChiMinh Center
Address: 5th Floor, Tan Tung Duong Building, 222-226 Hoang Hoa Tham, Ward 12, Tan Binh District, HCMC