PERSONAL DATA PROTECTION POLICY

ARTICLE 1. INTRODUCTION ABOUT FTI

FPT International Telecom Company Limited is a company duly incorporated under Vietnamese law, headquartered at Lot L.29B-31B-33B Tan Thuan Street, Tan Thuan Export Processing Zone, Tan Thuan Dong Ward, District 7, Ho Chi Minh City, Vietnam (hereinafter referred to as “FTI”).

ARTICLE 2. DEFINITION

2.1 “Personal Data” means any information in form of symbols, letters, numbers, images, sounds or other similar forms on the digital environment attached to a particular person or helps identify a particular person. Personal data includes basic personal data and sensitive personal data.

2.2 “Information that helps identify a particular person” is information derived from the activities of a person that, when combined with other data and information, can identify a particular person.

2.3 “Basic Personal Data” includes:

1. Last name, middle name and first name, other names (if any);
2. Date of birth;
3. Gender;
4. Place of birth, place of birth registration, permanent residence address, temporary residence address, current residence address, hometown, contact address;
5. Nationality;
6. Photos of individuals;
7. Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
8. Marital status;
9. Information about family relationships (parents, children);
10. Information about the individual’s digital account; personal data reflecting activities, history of activities on cyberspace;
11. Other information relating to a particular person or helping to identify a particular person is not covered by this Article 1.3.

2.4 “Sensitive personal data” means personal data associated with the privacy of individuals that, when violated, directly affects the legitimate rights and interests of individuals, including:

1. Political and religious views;
2. Health status and private life status recorded in the medical record, not including blood type information;
3. Information related to racial or ethnic origin;
4. Information about inherited or acquired genetic characteristics of an individual;
5. Information about the individual’s physical attributes and biological characteristics;
6. Information about an individual’s sex life and sexual orientation;
7. Data on crimes and offenses collected and stored by law enforcement agencies;
8. Customer information of credit institutions, foreign bank branches, payment intermediary service providers and other authorized organizations, including: customer identification information as prescribed by law, information on accounts, information on deposits, information on deposited assets, information on transactions, information on organizations and individuals being the guarantors at credit institutions, bank branches, organizations providing intermediary payment services;
9. Personal location data identified through location services;
10. Other personal data required by law is unique and requires necessary security measures.

2.5 “Data Subject” means the individual reflected by the personal data.

2.6 “Personal data processing” means one or more activities that affect personal data, such as collecting, recording, analyzing, confirming, storing, correcting, disclosing, associating, accessing, exporting, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data or other related actions.

2.7 “Personal data controlling” means determining the purposes and means of processing personal data.

2.8 “Data Provider” means the Party that provides the Personal Data of the Data Subject to the Other Party when preparing a transaction, in the process of performing a transaction with the Other Party or interacting with the Other Party. To clarify, the Data Provider may be a Data Subject or a Data Controller and/or Data Processor.

2.9 “Data Controller and/or Data Processor” means the Party that controls personal data and/or processes personal data of the Provider.

2.10 “Data Provider; Data Controller and/or Data Processor” are collectively referred to as the “Parties” and individually as the “Party”.

2.11 “Transaction channel” means channels where FTI and the other Party conduct transactions which include, but not limited to, Contract, website, application, etc. or other transaction channels from time to time provided by FTI.

ARTICLE 3. COMMITMENT ON PERSONAL DATA PROTECTION

3.1. This Policy explains the purposes and methods that the Data Controller and/or the Data Processor controls and/or processes the personal data that the Data Provider provides when preparing a transaction, during the execution of a transaction with the Data Controller and/or Data Processor, or interact with the Data Controller and/or Data Processor. This Policy also instructs the Data Provider on how to exercise its rights in relation to its personal data.

3.2. The Data Controller and/or Data Processor commits to comply with the following principles during its control and processing of personal information of the Data Provider:

1. The Personal Data of the Data Provider is controlled and processed in a lawful, fair, transparent and in accordance with applicable laws;
2. The Personal Data of the Data Provider is collected for a specific, clear, and lawful purpose and shall not be processed other than the purposes stated in this Policy and in accordance with applicable laws;
3. The Personal Data of the Data Provider is stored appropriately and to the extent necessary for processing in accordance with applicable law;
4. The Personal Data of the Data Provider is accurate and up-to-date; and the inaccurate data relating to the processing purposes will be promptly deleted or corrected in accordance with applicable laws;
5. The Data Controller and/or Data Processor shall apply technical and organizational measures in accordance with applicable laws to maintain the appropriate level of security of personal data, including protections from unauthorized or illegal access to personal data and unintended destruction, loss or damage.

3.3. The Data Controller and/or Data Processor guarantees and procures its partners (service providers, other suppliers, customers, etc.) to guarantee the compliance with the protection of personal data as required by the law.

3.4. The Data Controller and/or Processor undertakes to comply with other principles prescribed by law regarding the protection of personal data, especially those relating to the rights of data owners and their obligations in transferring data to foreign countries.

ARTICLE 4. PURPOSE OF CONTROLLING AND PROCESSING PERSONAL DATA

4.1. The Data Provider agrees for the Data Controller and/or Data Processor to process the Data Provider’s Personal Data and share the data processing results for the following purposes:

1. To support the Data Provider and update the Data Provider’s information when purchasing and using products and/or services provided by the Data Controller and/or Data Processor or partners of the Data Controller and/or Data Processor;
2. To provide products and/or services of the Data Controller and/or Data Processor, products and/or services of the Data Controller and/or Data Processor in cooperation with the Data Provider (including, but not limited to, in registration, account management/ Resources/ Brand name/ Hotline to use the Service, registration and support under service warranty policies, forwarding information to Service Providers…);
3. To organize trade introduction and promotion, market research, opinion polls, brokerage;
4. To research and develop new services and provide suitable products and services for the Data Provider;
5. To conduct trading in marketing services, introducing advertising products;
6. To measure, analyze surface data, assess and other processes to improve and enhance the quality of services provided by the Data Controller and/or Data Processor to the Provider;
7. To investigate and resolve the supplier’s inquiries and complaints;
8. To adjust, update, secure and improve the products, services, equipment that the Data Controller and/or Data Processor is providing;
9. To verify the identity and ensure the confidentiality of the Data Provider’s information;
10. To notify the Data Provider about changes to the policies and promotions of the products and services that the Data Controller and/or Data Processor is providing;
11. To prevent fraud, identity theft and other illegal activities;
12. To comply with applicable laws, relevant industry standards and other applicable policies of the Data Controller and/or Data Processor;
13. The Data Controller and/or Data Processor collects, stores and uses personal data of the Data Provider for the purpose of performing services such as record keeping and compliance with legal and tax obligations. The Data Controller and/or Data Processor stores these data for a period of time or as required by law;
14. Any other purpose exclusively for the operation of the Data Controller and/or Data Processor and for any other purpose that the Data Controller and/or Data Processor notifies the Data Provider, at the time of collection of personal data by the Data Provider or before the commencement of the relevant processing or as otherwise required or permitted by applicable law.
15. Other cases for the purpose of performing transactions, contracts, agreements between the Data Controller and/or Data Processor with the Data Provider.

4.2. Where it is necessary to process the Personal Data of the Data Provider for other purposes or at the request of the Data Provider, the Data Controller and/or the Data Processor will notify the Data Provider through the Transaction Channels of the Data Controller and/or Data Processor for the Data Provider to express the consent in advance.

4.3. The Parties have been thoroughly informed and fully aware that the processing activities of Personal Data as contemplated hereunder may serve multiple processing purposes. An omission of any purpose(s) (if any) shall not constitute a waiver as long as the meaning of such purpose(s) has been implied within the scope of processing activities listed in this Article 3, which the Parties hereby acknowledge to become a lawful purpose and meet all conditions for consent as required by the laws.

ARTICLE 5. TYPES OF CONTROLLED AND PROCESSED PERSONAL DATA

The Data Controller and/or Data Processor may collect and process the following types of personal information:

1. Name, citizen identification number/identity card number/passport number, gender, date of birth, title;
2. Place of birth, place of birth registration, place of permanent residence, temporary residence, current residence, hometown, contact address;
3. Gender;
4. Nationality;
5. Personal account and contact information: contact information such as phone number, mailing address, email address, fax number; home address, mobile phone number, personal email address;
6. Communication between the Data Controller and/or Data Processor and the Data Provider;
7. Call information, messages and call recording data arising during the Data Provider’s use of the voice, message, and switchboard services of the Data Controller and/or Data Processor;
8. Image, audio and video data arising during the Data Provider’s use of camera services with data storage features of the Data Controller and/or Data Processor;
9. Images of individuals, including images provided when registering to use the service, images of the Data Provider posted on FTI’s application/website during the use of the service;
10. Data posted, stored, created by the Data Provider on the system, cloud computing service platform provided by the Data Controller and/or Data Processor;
11. Information about the individual’s digital account; personal data reflecting activities, history of activities on cyberspace;
12. The data on telecommunications consumption behavior: call, SMS, data, vas;
13. The data provided by the Data Provider to the Data Controller and/or the Data Processor when registering to use the service and also the data arising during the Customer’s use of the services of the Data Controller and/or the Data Processor.

ARTICLE 6. METHODS OF CONTROLLING, PROCESSING PERSONAL DATA

The Data Controller and/or Data Processor controls and/or processes personal data through the service provision/use system, website, mobile application, events, which is organized, informed on the Contract or relevant documents by the Data Controller and/or Data Processor. In addition, the Data Controller and/or Data Processor may receive the Data Provider’s personal data from its affiliates, partners, other service providers of the Data Controller and/or Data Processor, when the Data Provider agrees to provide personal information to the Data Controller and/or Data Processor, or from public administrations and government organizations.

ARTICLE 7. PERSONAL DATA STORAGE TIME

The Data Controller and/or Data Processor will store personal data provided by the Data Provider on the Data Controller and/or Data Processor’s internal system in the course of providing services, performing the Contract or until the purpose of control or resolution is fulfilled, or until compliance with statutory obligations allows, and until the disputes are resolved.

ARTICLE 8. ORGANIZATIONS RELATED TO CONTROLLING AND PROCESSING PERSONAL DATA

8.1. Receiving personal data

The Data Provider agrees that the Data Controller and/or Data Processor may disclose personal data and/or share personal data processing results to other organizations and individuals for the purposes set out in Article 4 of this Policy:

1. FPT Corporation and other member companies under FPT Corporation, telecommunication companies, internet providers, contractors, agents, business partners, or service/goods providers of the Data Controller and/or Processor.
2. Branches, business units and the employees working in such branches, business units, agents of the Data Controller and/or Data Processor.
3. Other organizations and individuals, such as: audits, investigator, attorneys, courts, competent government bodies, etc. under the laws.

8.2. Transferring personal data to foreign countries

The Data Controller and/or Data Processor may transfer the Data Provider’s personal data to foreign countries for processing and storage for the purposes set out in Article 4 of this Policy. The transferring personal data to foreign countries by the Data Controller and/or Data Processor must comply with the laws of Vietnam.

ARTICLE 9. PROCESSING OF PERSONAL DATA UNDER SPECIAL CASES

The Data Controller and/or Data Processor ensures that the Data Provider’s processing of personal data fully meets the requirements of the law in the following special cases:

9.1. Surveillance camera (CCTV) footage, in particular cases, may also be used for the following purposes:

1. for quality assurance purposes;
2. for the purposes of public security and occupational safety;
3. detect and prevent suspicious, inappropriate or unauthorized use of FTI facilities, products, services;
4. detect and prevent criminal acts; and/or
5. investigate and verify incidents.

9.2. The Data Controller and/or Data Processor always respects and protects children’s personal data. In addition to the personal data protection measures prescribed by law, before processing children’s personal data, the Data Controller and/or Data Processor will verify the children’s age and request consent of:

1. children and/or
2. parents or guardians of children as prescribed by law.

9.3. In addition to complying with other relevant legal provisions, for the processing of personal data related to the personal data of the person who is declared missing/deceased, the Data Controller and/or Data Processor will have to obtain the consent of one of the relevant persons in accordance with the provisions of applicable law.

ARTICLE 10. RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS

10.1 Rights of Data Subjects regarding their Personal Data

1. The right to know and to agree

By this Policy, the Data Provider becomes aware of the Data Controller and/or Data Processor’s personal data processing activities. By signing at the end of this Policy, the Data Provider explicitly expresses its consent for the Data Controller and/or Data Processor to process its personal data.

2. The right to access

The Data Provider may request the Data Controller and/or Data Processor to confirm, at any time, its processing of any Data Provider’s personal data, as well as to request the Data Controller and/or Data Processor to inform about the type of data being processed, the purpose of such processing, and the recipient or a list of recipients of such data.

3. The right to edit

The Data Provider has the right to request the Data Controller and/or Data Processor to correct inaccurate or incomplete information relating to the Data Provider.

4. The right to request data deletion

The Data Provider has the right to request the deletion of its personal data stored by the Data Controller and/or Data Processor in accordance with applicable laws, for example when the Data Provider’s personal data is no longer necessary for the purposes of the original collection, processing or when the Personal data of the Data Provider is unlawfully processed.

5. The right to restrict processing of personal data

The Data Provider has the right to request the Data Controller and/or Data Processor to limit the processing of the its Personal Data without deleting the relevant data under the conditions prescribed by applicable laws.

6. The right to transfer data

The Data Provider may at its own discretion recover some of its data for private use or transfer such data to another company under the conditions prescribed by applicable laws.

7. The right to object

The Data Provider may, at any time, object any direct marketing of its Personal Data by the Data Controller and/or Data Processor.

8. The right to withdraw consent

If the processing of Personal Data has been consented to be performed by the Data Provider, the Data Provider may withdraw its consent at any time. However, withdrawal of consent will not affect the legality of prior processing of data based on the Data Provider’s consent.

In the event that the Data Provider withdraws its consent, the Data Controller and/or Data Processor may not be able to provide the Data Provider with the required quality and adequate services if the withdrawn information directly affects service delivery or service quality.

9. The right to complain, denounce or initiate lawsuits as prescribed by law.
10. The right to claim compensation for actual damage in accordance with the law if the Controller and/or Data Processor commits violations of regulations on protection of Personal Data, unless otherwise agreed by the parties. otherwise agreed or otherwise provided by law.
11. Method of exercising the right: in writing to the Data Controller and/or Data Processor.

10.2. Obligations of the Data Provider regarding Personal Data

1. In case the Data Provider is an organization and has provided Personal Data of individuals related to or under control of the Data Provider to the Data Controller and/or Data Processor, the Data Provider shall ensure that it has obtained such individual’s consent for the provision of their data.
2. To comply with the provisions of laws, regulations, instructions of FTI related to the processing of Personal Data of the Data Provider.
3. To be solely responsible for the information, data and consents that they create and provide in the network environment; to take responsible in case personal data is leaked or infringed due to its fault.
4. To regularly update FTI’s Regulations and Personal Data Protection Policy from time to time, which is notified to the other Party or posted on FTI’s Transaction Channel. To follow the instructions of FTI to express consent or disapproval for the processing purposes of Personal Data as notified by FTI from time to time.

ARTICLE 11. UNINTENDED CONSEQUENCES AND DAMAGES

11.1. FTI uses a variety of information security technologies to protect your Personal Data from unauthorized retrieval, use or sharing. However, please note that no data can be 100% secured. Therefore, FTI is committed to protect your Personal Data to our maximum capabilities.

Some unintended consequences and damages may include, but are not limited to:

1. Losses of Data Provider’s data due to hardware and software errors during the data processing;
2. The security vulnerability is beyond FTI’s reasonable control, the system is attacked by a third party resulting in data leakage;
3. The Data Provider is solely responsible for such personal data leakage due to: self-carelessness or fraud; visit websites/download apps that contain malware…

11.2. FTI recommends that the Data Provider keep the Data Provider’s account login password and OTP code confidential and do not share these information with anyone else.

11.3. The Data Provider should protect the electronic equipment during use. The Data Provider should lock, log out of, or exit from your account on our website or Application as soon as you stop using.

11.4. If FTI is aware of any attack on the data storage server resulting in loss of Data Provider’s Personal Data by any third party, FTI shall be responsible for notifying such incident to the competent regulatory authorities for timely handling and investigation and to the Data Provider.

ARTICLE 12. GENERAL TERMS

12.1. This Policy is effective as of 01 July 2023 and shall be updated, amended, supplemented from time to time in accordance with the prevailing laws without any requirement for prior consent or notice. Changes and effective time will be updated and announced in the Transaction Channels and other channels of FTI. The Data Provider’s continued use of the service after the notice period of amendments and supplements from time to time means that the Data Provider has accepted such amendments and supplements.

12.2. Party has fully understood and agreed that this Policy is also the Notice of Personal Data Processing specified in Article 13 of Decree 13/ND-CP/2023 on Protection of Personal Data and as amended and supplemented from time to time before FTI conducts Personal Data Processing. Accordingly, FTI does not need to take any other measures for the purpose of notifying the Processing of Personal Data to the Provider.

12.3. This Policy is construed and governed by the laws of Vietnam.

12.4. This Policy represents the entire Policy between the Parties and supersedes any prior interpretation or Policy, written, oral or otherwise in relation to the matters mentioned above.

12.5. For the purpose of protecting personal data in accordance with the law, this Policy will also be applied to contracts, agreements, documents, etc. between the Parties that are signed before, during and after the Policy takes effect.

12.6. In the event that any provision of this Policy is found by a court of competent jurisdiction to be invalid, that provision shall be automatically void and no longer binding on the Parties, however such judgment shall also be shall not invalidate the remaining provisions of this Policy, and the validity of such provisions shall remain in full force.

12.7. This Policy is publicly posted by FTI on the website for the parties to know. The Parties agree to have carefully read and understand their rights and obligations and agree to the entire content of the Policy. Moreover, by signing any Agreement(s) or any other documents whereby a reference to this Policy is made, the Data Providers undertake to obtain or procure to obtain all necessary consents from the Data Subject on the provision, processing, and control of their Personal Data during the performance and execution of the transaction and guarantee the compliance of all personal data protection regulations as contemplated herein. This Policy is an integral part of the Agreement(s) or any other documents whereby a reference to this Policy is made.

This Personal Data Protection Policy was last updated in July 2024.