1. INTRODUCTION ABOUT FTI
FPT International Telecom Company Limited is a company incorporated under Vietnamese law, headquartered at Lot L.29B-31B-33B Tan Thuan Street, Tan Thuan Export Processing Zone, Tan Thuan Dong Ward, District 7, Ho Chi Minh City, Vietnam (hereinafter referred to as “FTI”).
2. DEFINITION
- 2.1. “Personal data” means information in the form of symbols, letters, numbers, images, sounds or other similar forms on an digital environment that is associated with a particular person or helps to identify a particular person. Personal data includes basic personal data and sensitive personal data.
- 2.2. “Information that identifies a particular person” is information derived from an individual’s activities, and when such information is combined with other stored data and information, it can identify a particular person.
- 2.3.“Basic Personal Data” includes:
- a. Last name, middle name and first name, other name (if any);
- b. Date of birth;
- c. Gender;
- d. Place of birth, place of birth registration, permanent residence address, temporary residence address, current residence address, hometown, contact address;
- e. Nationality;
- f. Photos of individuals;
- g. Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
- h. Marital status;
- i. Information about family relationships (parents, children);
- j. Information about the individual’s digital account; personal data reflecting activities, history of activities on cyberspace;
- k. Other information relating to a particular person or helping to identify a particular person is not covered by this Article 1.3.
- 2.4. “Sensitive personal data” means personal data associated with an individual’s privacy that, when it is violated, it will directly affect the individual’s legitimate rights and interests, including:
- a. Political views, religious views;
- b. Health status and private life status recorded in the medical record, not including blood type information;
- c. Information related to racial or ethnic origin;
- d. Information about inherited or acquired genetic characteristics of an individual;
- e. Information about the individual’s physical attributes and biological characteristics;
- f. Information about an individual’s sex life and sexual orientation;
- g. Data on crimes and offenses collected and stored by law enforcement agencies;
- h. Customer information of credit institutions, foreign bank branches, payment intermediary service providers and other authorized organizations, including: customer identification information as prescribed by law, information on accounts, information on deposits, information on deposited assets, information on transactions, information on organizations and individuals being the guarantors at credit institutions, bank branches, organizations providing intermediary payment services;
- i. Personal location data identified through location services;
- j. Other personal data required by law is unique and requires necessary security measures.
- 2.5.“Data Subject” means the individual reflected by the personal data.
- 2.6. “Personal data processing” means one or more activities that affect personal data, such as collecting, recording, analyzing, confirming, storing, correcting, disclosing, associating, accessing, exporting, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transfering, deleting, destroying personal data or other related actions.
- 2.7. “Personal data controlling” means determining the purposes and means of processing personal data.
- 2.8. “Data Provider” means the Party that provides the Personal Data of the Data Subject to the Other Party when preparing a transaction, in the process of performing a transaction with the Other Party or interacting with the Other Party. To clarify, the Data Provider may be a Data Subject or a Data Controller and/or Data Processor.
- 2.9. “Data Controller and/or Data Processor” means the Party that controls personal data and/or processes personal data of the Provider.
- 2.10. Data Provider; Data Controller and/or Data Processor are collectively referred to as the “Parties” and individually as the “Party”.
- 2.11. “Transaction channel” means the transaction channels between FTI and the other Party, including but not limited to Contract, website, application, etc. or other transaction channels from time to time provided by FTI.
3. COMMITMENT ON PERSONAL DATA PROTECTION
- 3.1. This Policy explains the purposes and methods that the Data Controller and/or the Data Processor controls and/or processes the personal data that the Data Provider provides when preparing a transaction, during the execution of a transaction with the Data Controller and/or Data Processor, or interact with the Data Controller and/or Data Processor. This Policy also instructs the Data Provider on how to exercise its rights in relation to its personal data.
- 3.2. The Data Controller and/or Data Processor commits to comply with the following principles in the process of controlling and processing personal information of the Data Provider:
- a. Personal data of the Data Provider is controlled and processed in a lawful, fair, transparent and in accordance with applicable laws;
- b. The Personal Data of the Data Provider is collected for a specific, clear, lawful purpose and will not be processed other than the purposes stated in this Policy and in accordance with applicable laws;
- c. The Data Provider’s personal data is stored appropriately and to the extent necessary for processing in accordance with applicable law;
- d. The Data Provider’s personal data is accurate and up-to-date; and the inaccurate data relating to the processing purposes will be promptly deleted or corrected in accordance with applicable laws;
- e. The Data Controller and/or Data Processor applies technical and organizational measures in accordance with applicable laws to ensure the appropriate level of security of personal data, including measures protection from unauthorized or illegal access to personal data and unintended destruction, loss or damage.
- 3.3. The Data Controller and/or Data Processor guarantees and is solely responsible to its partners (service providers, other suppliers, customers, etc.) to also comply with the protection of personal data in accordance with the law.
- 3.4. The Data Controller and/or Processor undertakes to comply with other principles prescribed by law regarding the protection of personal data, especially those relating to the rights of data owners and their obligations in transferring data to foreign countries.
4. PURPOSE OF CONTROLLING AND PROCESSING PERSONAL DATA
- 4.1. The Data Provider agrees to allow the Data Controller and/or Data Processor to process the Data Provider’s Personal Data and share the results of the data processing for the following purposes:
- a. Supporting the Data Provider, updating the Data Provider’s information when purchasing and using products and services provided by the Data Controller and/or Data Processor or partners of the Data Controller and/or Data Processor;
- b. Providing products, services of the Data Controller and/or Data Processor, products, services of the Data Controller and/or Data Processor in cooperation with partners to the Data Provider (including but not limited to in registration, account management/ Resources/ Brandname/ Hotline to use the Service, register and support service warranty, forward information to Service Providers…);
- c. Organizing trade introduction and promotion, market research, opinion polls, brokerage;
- d. Researching and developing new services and provide suitable products and services for the Data Provider;
- e. Trading in marketing services, introducing advertising products;
- f. Measuring, analyzing surface data, assessing and other processing to improve and enhance the quality of services provided by the Data Controller and/or Data Processor to the Provider;
- g. Investigating and resolving the supplier’s inquiries and complaints;
- h. Adjusting, updating, securing and improving the products, services, equipment that the Data Controller and/or Data Processor is providing;
- i. Verifying the identity and ensure the confidentiality of the Data Provider’s information;
- j. Notifying the Data Provider about changes to the policies and promotions of the products and services that the Data Controller and/or Data Processor is providing;
- k. Preventing fraud, identity theft and other illegal activities;
- l. Complying with applicable laws, relevant industry standards and other applicable policies of the Data Controller and/or Data Processor;
- m. The Data Controller and/or Data Processor collects, stores and uses personal data of the Data Provider for the purpose of performing services such as record keeping and compliance with legal and tax obligations. The Data Controller and/or Data Processor stores these data for a period of time or as required by law;
- n. Any other purpose exclusively for the operation of the Data Controller and/or Data Processor and for any other purpose that the Data Controller and/or Data Processor notifies the Data Provider, at the time of collection of personal data by the Data Provider or before the commencement of the relevant processing or as otherwise required or permitted by applicable law.
- o. Other cases for the purpose of performing transactions, contracts, agreements between the Data Controller and/or Data Processor with the Data Provider.
- 4.2. Where it is necessary to process the Personal Data of the Data Provider for other purposes or at the request of the Data Provider, the Data Controller and/or the Data Processor will notify the Data Provider through the Transaction Channels of the Data Controller and/or Data Processor for the Data Provider to express the consent in advance.
5. TYPES OF CONTROLLED AND PROCESSED PERSONAL DATA
The Data Controller and/or Data Processor may collect and process the following types of personal information:
- a. Name, citizen identification number/identity card number/passport number, gender, date of birth, title;
- b. Place of birth, place of birth registration, place of permanent residence, temporary residence, current residence, hometown, contact address;
- c. Gender;
- d. Nationality;
- e. Personal account and contact information: contact information such as phone number, mailing address, email address, fax number; home address, mobile phone number, personal email address;
- f. Communication between the Data Controller and/or Data Processor and the Data Provider;
- g. Call information, messages and call recording data arising during the Data Provider’s use of the voice, message, and switchboard services of the Data Controller and/or Data Processor;
- h. Image, audio and video data arising during the Data Provider’s use of camera services with data storage features of the Data Controller and/or Data Processor;
- i. Images of individuals, including images provided when registering to use the service, images of the Data Provider posted on FTI’s application/website during the use of the service;
- j. Data posted, stored, created by the Data Provider on the system, cloud computing service platform provided by the Data Controller and/or Data Processor;
- k. Information about the individual’s digital account; personal data reflecting activities, history of activities on cyberspace;
- l. The data on telecommunications consumption behavior: call, sms, data, vas;
- m. The data provided by the Data Provider to the Data Controller and/or the Data Processor when registering to use the service and also the data arising during the Customer’s use of the services of the Data Controller and/or the Data Processor.
6. METHODS OF CONTROLLING, PROCESSING PERSONAL DATA
The Data Controller and/or Data Processor controls and/or processes personal data through the service provision/use system, website, mobile application, events, which is organized, informed on the Contract or relevant documents by the Data Controller and/or Data Processor. In addition, the Data Controller and/or Data Processor may receive the Data Provider’s personal data from its affiliates, partners, other service providers of the Data Controller and/or Data Processor, when the Data Provider agrees to provide personal information to the Data Controller and/or Data Processor, or from public administrations and government organizations.
7. PERSONAL DATA STORAGE TIME
The Data Controller and/or Data Processor will store personal data provided by the Data Provider on the Data Controller and/or Data Processor’s internal system in the course of providing services, performing the Contract or until the purpose of control or resolution is fulfilled, or until compliance with statutory obligations allows, and until the disputes are resolved.
8. ORGANIZATIONS RELATED TO CONTROLLING AND PROCESSING PERSONAL DATA
- 8.1. Receiving personal data
- The Data Controller and/or Data Processor may disclose personal data to third parties, such as employees of the Data Controller and/or Data Processor with access to personal data, entities and a member company of the Data Controller and/or Processor, business partner, service or goods supplier, for the purposes set out in Article 4 of this Policy.
- 8.2. Transferringpersonal data to foreign countries
- The Data Controller and/or Data Processor may transfer the Data Provider’s personal data to foreign countries for processing and storage for the purposes set out in Article 4 of this Policy. The transferring personal data to foreign countries by the Data Controller and/or Data Processor must comply with the laws of Vietnam.
9. PROCESSING OF PERSONAL DATA UNDER SPECIAL CASES
The Data Controller and/or Data Processor ensures that the Data Provider’s processing of personal data fully meets the requirements of the law in the following special cases:
- 9.1. Surveillance camera (CCTV) footage, in particular cases, may also be used for the following purposes:
- a. for quality assurance purposes;
- b. for the purposes of public security and occupational safety;
- c. detect and prevent suspicious, inappropriate or unauthorized use of FTI facilities, products, services;
- d. detect and prevent criminal acts; and/or
- e. investigate and verify incidents.
- 9.2. The Data Controller and/or Data Processor always respects and protects children’s personal data. In addition to the personal data protection measures prescribed by law, before processing children’s personal data, the Data Controller and/or Data Processor will verify the children’s age and request consent of:
- a. children and/or
- b. parents or guardians of children as prescribed by law.
- 9.3. In addition to complying with other relevant legal provisions, for the processing of personal data related to the personal data of the person who is declared missing/deceased, the Data Controller and/or Data Processor will have to obtain the consent of one of the relevant persons in accordance with the provisions of applicable law.
10. RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
- 10.1. Rights of Data Subjects regarding their Personal Data
- a. The right to know and to agree
Via this Policy the Data Provider becomes aware of the Data Controller and/or Data Processor’s personal data processing activities. By signing at the end of this Policy, the Data Provider expresses its will to agree with the Data Controller and/or Data Processor’s processing of personal data. - b. The right to access
The Data Provider has the right to request the Data Controller and/or Data Processor to confirm, at any time, that some of the Data Provider’s personal data is processed by the Data Controller and/or Data Processor, as well as request the Data Controller and/or Data Processor to provide some information about the type of data to be processed, the purpose of processing and the recipient or category of recipients of such data. - c. The right to edit
The Data Provider has the right to request the Data Controller and/or Data Processor to correct inaccurate or incomplete information relating to the Data Provider. - d. The right to request data deletion
The Data Provider has the right to request the deletion of its personal data stored by the Data Controller and/or Data Processor in accordance with applicable laws, for example when the Data Provider’s personal data is no longer necessary for the purposes of the original collection, processing or when the Personal data of the Data Provider is unlawfully processed. - e. The right to restrict processing of personal data
The Data Provider has the right to request the Data Controller and/or Data Processor to limit the processing of the Data Provider’s personal data without deleting the relevant data based on the conditions prescribed by applicable law. - f. The right to transfer data
The Data Provider has the right to recover some of its data for its own use or to transfer to another company/enterprise based on the conditions prescribed by applicable law. - g. The right to object
The Data Provider has the right to object at any time to the Data Controller and/or Data Processor’s processing of its personal data for direct marketing purposes. - h. The right to withdraw consent
Where the Data Provider’s processing of personal data is performed based on the Data Provider’s prior consent, the Data Provider has the right to withdraw consent at any time. However, withdrawal of consent will not affect the legality of prior processing of data based on the Data Provider’s consent.
In the event that the Data Provider withdraws its consent, the Data Controller and/or Data Processor may not be able to provide the Data Provider with the required quality and adequate services if the withdrawn information directly affects service delivery or service quality. - i. The right to complain, denounce or initiate lawsuits as prescribed by law.
- j. The right to claim compensation for actual damage in accordance with the law if the Controller and/or Data Processor commits violations of regulations on protection of Personal Data, unless otherwise agreed by the parties. otherwise agreed or otherwise provided by law.
- k. Method of exercising the right: in writing to the Data Controller and/or Data Processor.
- a. The right to know and to agree
- 10.2. Obligations of the Data Provider regarding Personal Data
- a. When the Data Provider is an organization and has provided personal data of individuals related to or under the management of the Data Provider to the Data Controller and/or Data Processor, the Data Provider shall ensure that it obtains the individual’s consent for the provision of their data.
- b. Comply with the provisions of laws, regulations, instructions of FTI related to the processing of Personal Data of the Data Provider.
- c. To be solely responsible for the information, data and consents that they create and provide in the network environment; self-responsible in case personal data is leaked or infringed due to its fault.
- d. Regularly update FTI’s Regulations and Personal Data Protection Policy from time to time, which is notified to the other Party or posted on FTI’s Transaction Channel. Take actions in accordance with the instructions of FTI to express consent or disapproval for the purposes of processing Personal Data as notified by FTI from time to time.
11. UNINTENDED CONSEQUENCES AND DAMAGES
- 11.1. FTI uses a variety of information security technologies to protect Personal Data from unintended retrieval, use or sharing. However, no data can be 100% secured. Therefore, FTI is committed to maximum security of Personal Data.
Some unintended consequences and damages may include, but are not limited to:- a. Hardware and software errors in the data processing process cause data loss of the Data Provider;
- b. The security hole is beyond FTI’s control, the system is attacked by a third party, causing data leakage;
- c. The Data Provider self-discloses personal data due to: carelessness or fraud; visit websites/download apps that contain malware…
- 11.2. FTI recommends that the Data Provider keep confidential information related to the Data Provider’s account login password, OTP code and do not share this login password and OTP code with anyone else.
- 11.3. The Data Provider should preserve the electronic equipment during use. The Data Provider should lock, log out, or log out of the account on the FTI website or App when there is no need to use it anymore. The Data Provider should lock, log out, or log out of the account on the FTI website or App when there is no need to use it anymore.
- 11.4. In the event that it is known that the data storage server is attacked by a third party, leading to the loss of the Data Provider’s Personal Data, FTI will be responsible for notifying the incident to the investigating authorities for timely handling and notify the Data Provider.
12. GENERAL TERMS
- 12.1. This Policy is effective in July 1, 2023. The Data Provider understands and agrees that this Policy may be amended from time to time and communicated to the Data Provider through FTI’s Transaction Channels. Changes and effective time will be updated and announced in the Transaction Channels and other channels of FTI. The Data Provider’s continued use of the service after the notice period of amendments and supplements from time to time means that the Data Provider has accepted such amendments and supplements.
- 12.2. Party has fully understood and agreed that this Policy is also the Notice of Personal Data Processing specified in Article 13 of Decree 13/ND-CP/2023 on Protection of Personal Data and as amended and supplemented from time to time before FTI conducts Personal Data Processing. Accordingly, FTI does not need to take any other measures for the purpose of notifying the Processing of Personal Data to the Provider.
- 12.3. This Policy is construed and governed by the laws of Vietnam.
- 12.4. This Policy represents the entire Policy between the Parties and supersedes any prior interpretation or Policy, written, oral or otherwise in relation to the matters mentioned above.
- 12.5. For the purpose of protecting personal data in accordance with the law, this Policy will also be applied to contracts, agreements, documents, etc. between the Parties that are signed before, during and after the Policy takes effect.
- 12.6. In the event that any provision of this Policy is found by a court of competent jurisdiction to be invalid, that provision shall be automatically void and no longer binding on the Parties, however such judgment shall also be shall not invalidate the remaining provisions of this Policy, and the validity of such provisions shall remain in full force.
- 12.7. This policy is publicly posted by FTI on the website for the mutual understanding of the Parties. The Parties agree to have carefully read and understand their rights and obligations and agree to the entire content of the Policy. In addition, by entering into the Contract(s), agreement or any other document to which this Policy is referenced, the Data Provider undertake to agree or obtain the full consent of Data Subjects on the provision, processing and control of their Personal Data throughout the transaction process, contract performance and ensuring compliance and compliance with regulations on protection of personal data mentioned above in this Policy. This Policy is an integral part of the Contract(s), agreement or any other document to which this Policy is referenced.
This Personal Data Protection Policy was last updated in July 2023.