Personal information protection policy

 

1. Introduction

ACS Trading Vietnam Co., LTD. was established in 2008, invested by AEON Japan, has been trading in the right of whole sale and retailer distribution for licensed goods; Insurance agency activities; trading promotion services; Computer services and related services; Management consultancy activities; Other non-centralized social assistance activities; Architectural and engineering activities and related technical consultancy, … other goods/ services associated with the licenses.

Where we use “ACS”, “ACS”, “we”, “us” and “our” in this Policy, we are referring to ACS.

In ACS’s trading business, in each specific case, ACS is responsibility and plays the role of the Personal Data Controller, the Personal Data Processor, the Personal Data Controller – cum Personal Data Processor and Third Party. To respect each individual privacy and strive for the protection of the Personal data, ACS would like to introduce our Policy - Personal Information Protection Policy.

Personal Information Protection Policy (“Policy” hereinafter) renders compliance required for controlling and processing and protecting data of customers, business partners (individual), employees or any other individual who arise data exchanging/ transferring to ACS and vice versa (“Data Subject” or “you” hereinafter).

Please read this Policy carefully.

2. Purpose of Policy

  • The Policy meets the requirements of the Vietnamese Personal Data Protection law, provisions and ensures compliance with AFS’s policies, link as below: https://www.aeonfinancial.co.jp/en/activity/governance/privacy/privacy_detail/.
  • This Policy is an integral part of the agreement between ACS and Data Subject. When the Data Subject agrees/signs the agreement, the Data Subject confirms the terms of the Policy and consent to ACS to collect, use, disclose, store, transfer and/or process Personal data in accordance with law.
  • Employee data and Customer data are one of the data subjects which adjusted, applied by this Policy and data protection laws/regulations.
  • Comply, standardize, manage, control and process Personal data legally including but not limited to:  data collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities;
  • Prevent Personal data from being stolen, altered, damaged, lost or leaked.

 

3. Privacy Principles

ACS recognizes the importance of protecting Personal data and applies strict provisions of confidential information to secure Personal data. Privacy Principles as follow:

3.1. The Personal data shall be processed as prescribed by law.

3.2. The Data Subject shall be entitled to receive information related to the processing of his/her Personal data.

3.3. The Personal data shall be processed for the purposes that have been registered and declared by ACS.

3.4. The collected Personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of Personal data shall be prohibited in any form.

3.5. The Personal data shall be updated and added for the processing purposes.

3.6. The Personal data shall be protected and secured throughout the processing. To be specific, the Personal data shall be protected from violations against regulations on protection of Personal data and prevention of loss, destruction or damage caused by incidents and use of technical measures.

3.7. The Personal data shall be stored within a period of time that is appropriate for the processing purposes.

3.8. ACS shall comply with the rules for data processing and prove its compliance;

3.9. Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure accuracy, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.

In some exceptional cases which are provided by laws and regulations, without the consent of Data Subject, ACS is entitled in processing Personal data to protect the life and health of Data Subject or others in an emergency situation.

4. Prohibited Acts

4.1. Processing person data in contravention of regulations of law on protection of Personal data.

4.2. Processing Personal data in order to provide information and data that affect national security, social order and safety, and legitimate rights and interests of other organizations and individuals.

4.3. Taking advantage of protection of Personal data to commit volitions of law.

5. Definition of terms

5.1.Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual, including general Personal data and sensitive Personal data.

5.2.Information used for identification of an individual" refers to information that results from an individual's activities and may identify an individual when it is combined with other stored information and data.

5.3.General Personal data” includes:

a. Last name, middle name and first name, other names (if any);

b. Date of birth; date of death or going missing;

c. Gender;

d. Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;

e. Nationality;

f. Personal image;

g. Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, taxpayer identification number, social security number and health insurance card number;

h. Marital status;

i. Information about the individual’s family relationship (parents, children);

j. Digital account information; Personal data that reflects activities and activity history in cyberspace;

k. Information associated with an individual or used to identify an individual other than that specified in Clause 5.4 of this Article.

5.4.Sensitive Personal data” refers to Personal data in association with individual privacy which, when being infringed, will directly affect an individual's legal rights and interests, including:

a. Political and religious opinions;

b. Health condition and personal information stated in health record, excluding information on blood group;

c. Information about racial or ethnic origin;

d. Information about genetic data related to an individual's inherited or acquired genetic characteristics;

e. Information about an individual’s own biometric or biological characteristics;

f. Information about an individual’s sex life or sexual orientation.

g. Data on crimes and criminal activities collected and stored by law enforcement agencies;

h. Information on customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;

i. Personal location identified via location services;

j. Other specific Personal data as prescribed by law that requires special protection.

Sensitive Personal data we will use it only for specific purposes and in compliance with the requirements of applicable laws

5.5.Personal data protection” refers to an act of preventing, detecting and handling violations related to Personal data in accordance with the law.

5.6.Data Subject” refers to an individual to whom the data relates.

5.7.Personal data processing” refers to one or multiple activities that impact on Personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities.

5.8.Consent” of a Data Subject refers to an act that the Data Subject permits the processing of his/her Personal data in a clear, voluntary and affirmative manner.

5.9.Personal Data Controller” refers to an organization or individual that decides purposes and means of processing Personal data.

5.10.Personal data Processor” refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.

5.11.Personal Data Controller-cum-Processor” refers to an organization or individual that jointly decides purposes and means, and directly processes Personal data.

5.12.Third Party” refers to an organization or individual other than the Data Subject, Personal Data Controller, Personal data Processor, Personal Data Controller-cum-Processor that is permitted to process Personal data.

5.13. Outbound transfer of Personal data” refers to an act of using cyberspace, electronic devices, equipment, or other forms to transfer Personal data of a Vietnamese citizen to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam to process Personal data of a Vietnamese citizen. To be specific:

a. An organization, enterprise or individual transfers Personal data of a Vietnamese citizen to an overseas organization, enterprise or management department in order to process the data for the purposes agreed upon by the Data Subject;

b. The Personal data of a Vietnamese citizen is processed by automatic systems outside the territory of the Socialist Republic of Vietnam of the Personal Data Controller, Personal Data Controller-cum-Processor, Personal data Processor for the purposes agreed upon by the Data Subject.

5.14.Decree 13”: Decree 13/2023/ND-CP dated 17th April 2023, as amended and/or supplemented from time to time, on Personal data protection which is effective from 01st July 2023.

 

6. Purpose of Collection, Processing, Use of Data

ACS’s business operations associated with ACS’s licenses and any purpose for which ACS notify you at the time of obtaining your permission, including (but not limited to) the following:

  • Purposes of growing ACS business;
  • Know-your-customer, due diligence and customer identification, verification;
  • Performance of contract;
  • Contact by telephone, text message and/or fax message, email and/or mail or otherwise; (You acknowledge and agree that our such communication may be by mail, document or notice to you, which may include disclosure of certain Personal data about you to provide such documents as well as on the package/envelope.)
  • Providing customer care services and fulfills customer request;
  • Client and third party (e.g. vendor) relationship management;
  • Storage, Host, Backup (whether for disaster recovery or other purposes) and data processing;
  • Share data with third parties who provide software, collect, store and process data on behalf of ACS and are contractually obligated to keep data confidential subject to appropriate safeguards;
  • Compliance with a legal obligation;
  • Protecting personal safety and the rights, property or safety of others;
  • Responding to any actual threats or claims made against ACS or other requests regarding content that violates regulations of third parties;
  • Activities relating to information security and building security, including use of CCTV recording;
  • Recording and monitoring telephone lines or electronic communications for business and compliance purposes;
  • Preventing or investigating any actual or suspected fraudulent activity, illegal acts, omissions or misconduct arising from your relationship with ACS;
  • Business analysis or development/improvement of products, services, and processes;
  • Compiling statistics and research to meet report requirements and/or maintain internal or regulatory records; Audits;
  • Business restructurings;
  • Other purposes of ACS's business activities as permitted by law.

(collectively referred to as “Purposes”)

When necessary to perform our contract with Data Subject, and for the Purposes outlined above, we may share Personal data about Data Subject with a range of recipient(s), including (but not limited to) the following:

  • Regulators, courts, public authorities
  • AEON Group entities anywhere in the world, to the extent permitted by applicable laws and regulations from time to time;
  • Any contractor, subcontractor, agent, third-party product or service provider, professional consultant, business partner, associated person or service providers of ACS, including (but not limited to) auditors, insurers, lawyers;
  • Any business partner, investor, assignee or transferee in connection with potential or actual corporate restructuring, merge, acquisition or takeover involving ACS, including any transfer or potential transfer of any of ACS’s rights or duties under ACS’s agreement with Data Subject;
  • Any party has legitimate interest to do so (E.g. manage risk, verify identity, enable another company to provide the Data Subject that they have requested);
  • Any party that ACS has been instructed by the Data Subject to share Personal data with.

These recipient(s) could be located outside of the Socialist Republic of Vietnam.

Where we need to transfer or share your Personal data, we will carefully assess the legitimacy, propriety, and necessity of the data sharing. We will comply with, require the recipient to take all the Personal data protection measures required pursuant to relevant laws and regulations.

 

7. Responsibility of ACS

7.1. As the role of Personal Data Controller

7.1.1. Implement organizational and technical measures as well as appropriate safety and security measures to prove that the Personal data is processed in accordance with regulations of the law on protection of Personal data, review and update these measures when necessary.

7.1.2. Record and store log of the processing of Personal data.

7.1.3. Notify violations against regulations on protection of Personal data according to provisions.

7.1.4. ACS as the role of Personal Data Controller is responsible to select an appropriate Personal Data Processor with specific tasks and only work with the Personal data Processor that has appropriate measures for protecting Personal data.

7.1.5. Protect the rights of Data Subjects according to Article 8.1 this Policy.

7.1.6. Be responsible to the Data Subject for damage caused by the processing of Personal data.

7.1.7. Cooperate with the Ministry of Public Security and competent authorities in protecting Personal data and providing information serving investigation and handling of violations against the law on protection of Personal data.

7.2. As the role of Personal Data Processor

7.2.1. Only receive Personal data after having a contract or agreement on the processing of Personal data with the Personal Data Controller.

7.2.2. Processing Personal data under the contract or agreement concluded with the Personal Data Controller.

7.2.3. Fully implement measures for protecting Personal data specified in laws/ regulations and other relevant legal documents.

7.2.4. Be responsible to the Data Subject for damage caused by the processing of Personal data.

7.2.5. Delete or return all Personal data to the Personal Data Controller after completing the processing.

7.2.6. Cooperate with the Ministry of Public Security and competent authorities in protecting Personal data and providing information serving investigation and handling of violations against the law on protection of Personal data.

7.3. As the role of both Personal Data Controller and Processor

Comply with all regulations on responsibilities of both the Personal Data Controller and Processor in 7.1 and 7.2 above.

7.4. As the role of Third Party

Comply with all regulations on responsibilities provided in laws/ regulations and other relevant legal documents.

8. Data Subject ‘s Rights and Obligations.

8.1. Rights of Data Subject

8.1.1. Right to be informed: The Data Subject has the right to be informed of his/her Personal data processing;

8.1.2. Right to give consent: The Data Subject has the right to give consent to the processing of his/her Personal data, other than cases specified in Article 17 of Decree 13;

8.1.3. Right to access Personal data: The Data Subject has the right to access his/her Personal data in order to look at, rectify or request rectification of his/her Personal data;

8.1.4. Right to withdraw consent: The Data Subject has the right to withdraw his/her consent;

8.1.5. Right of rectify Personal data: The Data Subject is entitled to access in order to view and rectify directly or require ACS to rectify her/his Personal data, after ACS is agreed with his/her consent to collect these data;

8.1.6. Rights regarding to deletion, destruction, storage of Personal data: The Data Subject has the right to delete or request deletion of his/her Personal data in following:

a. The Data Subject confirms unnecessary any more for the purposes of collecting his/her consent and he/she accepts any damage that may be caused by the deletion;

b. The Data Subject withdraws consent;

c. The Data Subject objects to the processing of his/her Personal data and ACS do not have appropriate reasons for continuation in the processing;

d. The Personal data is processed for purposes other than those that the Data Subject gives the consent or the processing of Personal data is a violation against regulations of law;

e. The Personal data shall be deleted as prescribed by law.

8.1.7. Right to obtain restriction on processing:

a. The Data Subject has the right to obtain restriction on the processing of his/her Personal data.

b. The restriction on the processing of Personal data shall be implemented within 72 hours after receiving request of the Data Subject, and all Personal data that the Data Subject requests the restriction.

8.1.8. Right to obtain Personal data: The Data Subject has the right to request ACS to provide him/her with his/her Personal data;

8.1.9. Right to object to processing

a. The Data Subject has the right to object to ACS processing his/her Personal data in order to prevent or restrict the disclosure of Personal data or the use of Personal data for advertising and marketing purposes.

b. ACS shall comply with the Data Subject’s request within 72 hours after receiving the request.

8.1.10. Right to file complaints, denunciations and lawsuits: The Data Subject has the right to file complaints, denunciations and lawsuits as prescribed by law;

8.1.11. Right to claim damage: The Data Subject has the right to claim damage as prescribed by law when there are violations against regulations on protection of his/her Personal data, unless otherwise agreement;

8.1.12. Right to self-protection: The Data Subject has the right to self-protection according to regulations in the Civil Code, Decree 13 and other relevant laws, or request competent agencies and organizations to implement civil right protection methods according to regulations in Article 11 of the Civil Code.

 

8.2. Data Subject’s Obligations:

8.2.1. Protect his/her own Personal Data; request relevant organizations and individuals to protect his/her Personal Data;

8.2.2. Respect and protect others’ Personal Data;

8.2.3. Fully and accurately provide his/her Personal Data when he/she consents to the processing;

8.2.4. Participate in dissemination of Personal Data protection skills;

8.2.5. Comply with regulations of law on protection of Personal Data and prevent violations against regulations on protection of Personal Data.

9.Personal Data Processing Activities

9.1. Personal Data Collection and Processing

ACS collects Personal Data from the Data Subject through various sources, including (but not limited to) in the following cases:

  • When the Data Subject applies for products and/or services provided by ACS;
  • When the Data Subject submits any forms, including application or other forms in connection with any ACS products and/or services, online or otherwise;
  • When the Data Subject communicates with ACS, such as through phone calls (which may be recorded), correspondence, faxes, face-to-face meetings, social media platforms, email and other means;
  • When the Data Subject uses ACS’s website or interacts with ACS via the ACS mobile device application(s) (if applicable), including but not limited to cookies generated by the website visited by the user and Internet monitoring software to collect Personal Data;
  • When the Data Subject provides requests or complaint to ACS;
  • When ACS conducts surveys;
  • When ACS receives Personal Data from affiliated companies, third parties and from other sources;
  • When ACS carries out searches for information relating to the Data Subject through any public domain;
  • When the Data Subject submits Personal Data to ACS for any reason.

The above cases are not intended to be comprehensive, but merely outline some of the more common instances when a Data Subject's Personal Data may be collected.

In some cases, the Data Subject may provide Personal Data of other relevant individuals to ACS (e.g. family members or people on the Data Subject’s contact list). If the Data Subject provides ACS with Personal Data of relevant individuals, the Data Subject represent and warrant that he/she has received consents of relevant individuals to process their Personal Data in accordance with this Policy.

9.2. Consent

9.2.1. ACS is mandatory to grant the consent of the Data Subject for all activities in the processing of his/her Personal data.

9.2.2. The consent is only valid when the Data Subject voluntarily consents and clearly knows the following contents:

a. Type of Personal data;

b. Purposes;

c. Organization or individual permitted to process Personal data;

d. Rights and obligations of the Data Subject.

9.2.3. The consent of the Data Subject shall be expressed in a clear and specific manner in writing, by voice, by ticking the consent box, by consent syntax via message, by selecting consent settings or by other forms.

9.2.4. The consent must be bound to the same purpose.  In case of multiple purposes, ACS shall list these purposes so that the Data Subject consents to one or several purposes that have been set out.

9.2.5. The consent of the Data Subject shall be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format.

9.2.6. Silence or non-response is not considered as consent.

9.2.7. The Data Subject may give partial or conditional consent.

9.2.8. In case of the processing of sensitive Personal data, the Data Subject shall receive notification of thereof.

9.2.9. The consent of the Data Subject is valid until the Data Subject has other decisions or the competent authority makes written request.

9.2.10. In case of a dispute, ACS shall prove consent of the Data Subject.

9.2.11. Via the authorization in accordance with regulations of the Civil Code, an organization or individual may act on behalf of the Data Subject to carry out procedures related to the processing of his/her Personal data with ACS in case the Data Subject knows and consents as prescribed in Clause 9.2.3 of this Article.

9.2.12 The Customer agrees and allows ACS to access the Customer's credit information at the Vietnam National Credit Information Center (CIC), and/or any other third party for the purpose of serving the Customer's request and managing the Customer's profile.

9.2.13 The Customer agrees and allows ACS to share and provide the Customer's information, including personal data and information about credit accounts (if any) – which the Customer has provided to ACS during the execution of this Agreement – to the Vietnam National Credit Information Center, and/or any other third party.

9.3. Consent Withdrawal

9.3.1. The withdrawal of consent shall not affect the lawfulness of the processing to which consent was given before it is withdrawn.

9.3.2. The withdrawal of consent shall be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format.

9.3.3. When obtaining request for consent withdrawal from the Data Subject, ACS shall notify the Data Subject of potential consequences and damage if she/he withdraws his/her consent.

9.3.4. After complying with regulations in Clause 9.3.2 of this Article, ACS, Data Processor and Third Party shall stop and request relevant organizations and individuals to stop processing the Personal data of the Data Subject who has withdrawn his/her consent.

9.4. Notification of Personal Data Processing

9.4.1. ACS conducts transparent notifications to Data Subjects through ACS policy announcement on website https://acsvietnam.com.vn, Fanpages, Deferred Purchase Agreement (terms and conditions), Agreements, Company Templates, … and shall be made once before the Personal data is processed.

9.4.2. The following contents of the processing of Personal data shall be notified to the Data Subject:

a. Processing purposes;

b. Type of used Personal data related to the purposes specified in Point a Clause 9.4.2 of this Article;

c. Method of processing Personal data;

d. Information on other organizations and individuals related to the processing purposes specified in Point a Clause 9.4.2 of this Article;

e. Undesirable consequences and damage that may occur;

f. Starting and ending time.

9.4.3.  The notification to the Data Subject shall be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format.

9.4.5.  ACS is not required to comply with regulations specified in Clause 9.4.1 of this Article in the following cases:

a. The Data Subject knows and fully consents to the contents specified in Clauses 9.4.1 and 9.4.2 of this Article before permitting ACS to collect his/her Personal data;

b. The Personal data is processed by the competent state agency with a view to serving operations by such agency as prescribed by law.

9.5. Personal Data Submission

9.5.1.  The Data Subject has the right to request ACS to provide him/her with his/her Personal data. 

9.5.2.  ACS shall be entitled:

a. is permitted to provide Personal data of the Data Subject for other organizations and individuals when obtaining consent from the Data Subject, unless otherwise provided for by law;

b. provides the Data Subject’s Personal data for other organizations and individuals on behalf of the Data Subject if approved and authorized by the Data Subject, unless otherwise provided for by law;

9.5.3. ACS shall provide the Personal data of the Data Subject within 72 hours after receiving his/her request.

9.5.4. ACS shall not provide the Personal data in the following cases:

a. It causes harm to the national security, social order and safety;

b. The provision of Personal data may affect the safety, physical or mental health of other persons;

c. The Data Subject does not consent to provision of his/her Personal data, and does not permit or authorize any Third Party to receive his/her Personal data.

9.5.5.. Methods of requesting for provision of Personal data:

a. The Data Subject shall directly come or authorize another person to come to ACS to request for provision of his/her Personal data. 

b. ACS shall be responsible for instructing the requesting organization or individual to fill in a Personal data request form, or;

c. The request form for provision of Personal data according to forms No. 06/ND 13 and No. 07/ND 13 specified in the Appendix of this Policy shall be sent electronically, by post or by fax to ACS.

9.5.6. The Personal data request form shall be made in Vietnamese language, including the following main contents:

a. Full name; place of residence, address; ID Card number or passport number of the requesting person; fax number, phone number, email address (if any);

b. Requested Personal data, which specifies name of documents,

c. Methods of providing Personal data;

d. Reasons and purposes for provision of Personal data. 

9.5.7.  In case of request for provision of Personal data specified in Clause 9.5.2 of this Article, a written consent of the relevant individual or organization shall be attached.

9.5.8.  Receipt of the request for provision of Personal data

a. ACS shall be responsible for receiving requests for provision of Personal data, and monitoring the process and the list of Personal data provided upon request;

b. ACS shall notify and instruct the requesting organization or individual to come to the competent authority or notify the inability to provide Personal data in case the requested Personal data falls outside of their jurisdiction.

9.5.9.  Settlement of the request for provision of Personal data

When receiving a valid request for provision of Personal data, ACS is responsible for providing Personal data shall notify the deadline, location, methods of providing Personal data; actual costs for printing, copying, photocopying and sending information by post, by fax (if any) and payment method and term; and provide Personal data accordingly.

9.6. Rectification of Personal data

9.6.1.  As the role of the Personal Data Controller, the Personal Data Controller –cum- the Personal Data Processor, after obtaining his/her consent, ACS shall directly rectify Personal data of the Data Subject whenever possibility.  In case it is impossible to rectify Personal data, ACS shall notify the Data Subject after 72 hours from the time of receipt of his/her request.

9.6.2.  As the role of the Personal Data Processor, the Third Party, ACS may rectify the Personal data of the Data Subject after the Personal Data Controller and the Controller and the Personal Data Processor consent in writing and obtain consent from the Data Subject.

9.7. Storage, Deletion and Destruction of Personal data

9.7.1. The Personal data shall not be deleted as the request of the Data Subject in the following cases:

a. The deletion of Personal data is prohibited by law;

b. The Personal data is processed by the competent state agency to serve in their operations as prescribed by law.

c. The Personal data has been disclosed as prescribed by law.

d. The Personal data is processed with a view to serving law, scientific research and statistics as prescribed by law;

e. In the event of a state of emergency on national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; to prevent and combat riots and terrorism, to prevent and combat crimes and law violations according to regulations of law;

f. It is required to respond to emergent cases that threaten the life and health or the safety of the Data Subject or other persons.

9.7.2. In case of full division, partial division, merger, consolidation or dissolution of ACS, the Personal data shall be transferred in accordance with laws.

9.7.3. The deletion of Personal data shall be implemented within 72 hours after receipt of the Data Subject’s request for all Personal data collected by ACS.

9.7.4.  ACS shall store Personal data in forms in conformity with their operations and adopt measures for protecting the Personal data as prescribed by law.

9.7.5.  ACS shall permanently delete Personal data in the following cases:

a. The Personal data is processed for unintended purposes or the processing have accomplished associated with purposes under the consent of the Data Subject;

b. The storage of Personal data is no longer necessary for ACS operations.

c. ACS are dissolved or no longer operate or declare bankruptcy or terminate their business activities in accordance with the law.

9.8. Personal Data Processing Without the Consent of Data Subject

9.8.1.  The Personal data shall be processed to protect the life and health of the Data Subject or others in an emergency situation.  ACS shall be responsible for proving such situation. 

9.8.2.  Disclosure of Personal data in accordance with the law;

9.8.3.  Processing of Personal data by competent regulatory authorities in the event of a state of emergency regarding national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a threat to security and national defense but not to the extent of declaring a state of emergency; to prevent and fight riots and terrorism, crimes and law violations according to the provisions of law;

9.8.4.  The Personal data shall be processed to fulfill obligations under contracts the Data Subjects with relevant agencies, organizations and individuals as prescribed by law;

9.8.5.  The Personal data shall be processed to serve operations by regulatory authorities as prescribed by relevant laws.

9.9. Notification of violations against regulations on protection of Personal data

9.9.1. In case of detection of a violation against regulations on protection of Personal data, ACS shall notify the Ministry of Public Security (Department of Cyber​​security and Hi-tech Crime Prevention) within 72 hours after discovering and detecting such violation according to Form No. 08/ND in the Appendix to this Policy. If the notification is given after 72 hours, the reason for the late notification shall be provided.

9.9.2.  Notification contents:

a. Description of the nature of the violation, including: time, place, violation, organization, individual, types of Personal data and the amount of relevant data;

b. Contact details of the employee (s) assigned to protect the data or organizations or individuals that are responsible for protecting Personal data;

c. Description of consequences and damage that may occur;

d. Description of measures for handling and minimizing the harm caused by the violation.

9.9.3.  If it is impossible to notify all the information specified in Clause 9.9.2 of this Article, the notification may be given every time a piece of information is available.

9.9.4.  ACS shall make a written minute/report of the violation against regulations on protection of Personal data, and cooperate with the Ministry of Public Security (Department of Cyber​​security and Hi-tech Crime Prevention) in handling such violation.

9.10. Assessment of impact of Personal data processing

9.10.1. As the role of The Personal Data Controller, the Personal Data Controller-cum-Processor, ACS shall make and store the Dossiers on impacted assessment of Personal data processing from the time of starting to process Personal data. The Dossier on impacted assessment of Personal data processing includes:

a. Contact information and details of ACS;

b. Name and contact details of the organization or employee assigned to protect Personal data of ACS.

c. Processing purposes;

d. Types of Personal data to be processed;

e. Data-receiving organization or individual, including the organization or individual that is located or lives outside the territory of the Socialist Republic of Vietnam;

f. Cases of outbound transfer of Personal data;

g. Duration of processing of Personal data; estimated duration of deletion or destruction of Personal data (if any);

h. Description of measures for protecting Personal data; 

i. Assessing the impact of Personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.

9.10.2. In case of the role of the Personal Data Processor according to processing agreements with the Personal Data Controller, ACS shall make and store the Dossier on the assessment of impact of Personal data processing. The Dossier on assessment of impact of Personal data processing includes:

a. Contact information and details of ACS;

b. Name and contact details of the organization or employee assigned to protect Personal data of ACS;

c. Description of processing of Personal data and types of Personal data to be processed under a contract with the Personal Data Controller;

d. Duration of processing of Personal data; estimated duration of deletion or destruction of Personal data (if any);

e. Cases of outbound transfer of Personal data;

f. General description of measures for protecting Personal data; 

g. Undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.

9.10.3.  The Dossier on assessment of impact of Personal data processing provided in Clause 9.10.1 and Clause 9.10.2 of this Policy shall be made in valid writing.

9.10.4.  The dossier on assessment of impact of Personal data processing shall be always available in order to serve inspection and assessment by the Ministry of Public Security and sent to the Ministry of Public Security (Department of Cyber​​security and Hi-tech Crime Prevention) 01 authentic copy according to Form No. 09/ND13 in the Appendix of this Policy within 60 days from the date of processing of Personal data.

9.10.5.  In case of incomplete Dossier, and as requirement of Ministry of Public Security, ACS is responsible to complete Dossier correctly and accordingly.

9.10.6.  ACS shall update and amend the Dossiers on assessment of impact of Personal data processing when there is any change of contents submitted to the Ministry of Public Security (Department of Cyber​​security and Hi-tech Crime Prevention) according to Form No. 10/ND13 in the Appendix of this Policy.

9.11. Assessment of impact and Outbound transfer of Personal data

9.11.1. In case ACS transfers Vietnamese citizen’s Personal data abroad, ACS makes a Dossier on assessment of impact of outbound transfer of Personal data and carries out the procedures specified in below Clauses 9.11.3, 9.11.4 and 9.11.5 of this Article.

9.11.2. A dossier on assessment of impact of outbound transfer of Personal data includes:

a. Contact information and details of the ACS (Sender) and the Receiver;

b. Full name and contact details of an organization or individual under the ACS involved in sending and receiving a Vietnamese citizen’s Personal data;

c. Description and explanation about objectives of the processing of a Vietnamese Citizen’s Personal data after the Personal data is transferred abroad;

d. Description and clarification of type of Personal data to be transferred abroad;

e. Description and explanation about the observance of regulations on protection of Personal data, detailed measures for protecting Personal data;

f. Assessment of impact of Personal data processing; undesirable consequences and damage that may occur, measures for reducing or removing such consequences and damage.

g. Agreed consent of the Data Subject according to Clause 9.2 above when he/she is informed of the mechanism for feedback and complaint in case of arising problems or requests;

h. Document that shows obligations and responsibilities between ACS and the Receivers for processing of a Vietnamese Citizen’s Personal data.

9.11.3.  A dossier on assessment of impact of outbound transfer of Personal data shall be always available in order to serve inspection and assessment by the Ministry of Public Security.

9.11.4.  ACS prepares 02 authentic copies of the assessment. One is preserved in ACS to serve for inspection and other one sent to the Ministry of Public Security (Department of Cyber​​security and Hi-tech Crime Prevention) according to Form No. 11/ND13 in the Appendix of this Policy within 60 days from the date of processing of Personal data.

9.11.5.  ACS shall notify the Ministry of Public Security (Department of Cyber​​security and Hi-tech Crime Prevention) of information about the data transfer and contact details of the Department in charge, Person in charge of such transfer in writing after the Personal data is successfully transferred.

9.11.6.  Within 10 days from the date of getting requirement of Ministry of Public Security for Dossier completion, ACS (Sender) shall update and amend the Dossier on assessment of impact of outbound transfer of Personal data when there is any change of contents submitted to the Ministry of Public Security (Department of Cyber​​security and Hi-tech Crime Prevention) according to Form No. 10/ND13 in the Appendix of this Policy.

9.11.7.  According to specific situation, ACS is inspected in the outbound transfer of Personal data by the Ministry of Public Security once a year; or in case of detecting violations against the law on protection of Personal data, leaking or losing Vietnamese citizen's Personal data.

9.11.8.  Depending on specific situation of violation and requirement of Ministry of Public Security, the outbound transfer was mandatory to be stopped:

a. It is detected that the transferred Personal data is used for activities that violate the interests and national security of the Socialist Republic of Vietnam.

b. ACS does not comply with regulations and this Policy;

c. Occurring incidents lead to leaking, lost of Vietnamese citizen's Personal data.

10. Personal Data Management and Protection

10.1. Protection

  • Deploy and apply a combination of compliance policy (promulgating and perfecting legal policies, internal regulations) and safe and appropriate security technology technical solutions in accordance with the law, review and update these measures as necessary.
  • Perform the recording, storage of Personal Data and the processing of Personal Data; notify violations of regulations on protection of Personal Data and coordinate with competent authorities in protecting Personal Data, providing information for investigation and handling of violations in accordance with law.
  • Receive Personal Data after having a contract or agreement on data processing with the Controller of Personal Data and conducts the processing of Personal Data in accordance with the content of the agreement with the Controller of Personal Data in line with ACS's business activities as prescribed.
  • Perform the selection of a Personal Data Processor in the line with the clear mission, appropriate conditions and safeguards.
  • Implement measures and coordinate with competent state agencies in protecting Personal Data, providing information for investigation and handling of violations in accordance with law and take responsibility before Data Subjects about damages caused by the processing of Personal Data.

10.2. Storage and Confidentiality

ACS treats Personal data confidentially and controls to prevent unauthorized access, stealing, undesirable or illegal controlling and processing. ACS’s employees are required identified, authorized accounts for accessing in master dada of ACS consistence with assigned tasks and duties.

ACS conducts storage of Personal Data, applying time of storage and decides forms of data storage associated with laws, regulations.

ACS implements reasonable security measures to protect your Personal Data in accordance with the laws on the protection of the confidentiality of personal information; however absolute security cannot be guaranteed such as in cases of unauthorized disclosure arising from malicious age hacker activity or sophisticated hacking by crimes without our fault.

10.3. Integrity

Personal Data Transfer is controlled to ensure that Personal data could not be read, copied, changed or deleted without authorization during transferring; and rendered according to corresponding agreements with legal entities.

10.4. Incident Response

Incidents or suspected incidents detecting or/ and regarding to Personal data protection must be reported to Department in Charge associated with AFS’s and ACSTV’s report rules.

Departments are responsible to cooperate with Department in Charge for assessing, investigation, gathering evidence of the incidents and Department in Charge will recommend solutions, preventive measures which is reported and approved by ACSTV’s Board of Directors or/and AFS (in case of necessity and/or follow AFS’s rules).

10.5. Management of cooperated parties, vendors, sub-contractors.

Personal data controlled by ACS (ACS’s Personal data) is prohibited to be carried out controlling and processing by cooperated parties, vendors, sub-contractors without prior specific authorization or agreements to ACS with binding strict and clear obligations in the Personal data protection.

11. Management of cooperated parties, vendors, sub-contractors.

In order to comply with relevant laws, regulations and AEON Group Japan’s Policies strictly, ACS has been implementing and applying strict provisions in controlling, processing and managing all kinds of Personal Data of ACS as well as our data processing activities in preventing from Personal Data being stolen or altered, damaged, lost or leaking illegal.

ACS’s employees are required to join in orient and training program about Personal Data protection which its materials have been updating commonly or in case of regulatory change.

All new employees and working employees must attend and complete the first day of Personal Data Protection training of ACS (one of trained sections in ACS training materials). An annually is refreshed by Code of Conduct Training compulsorily.

12. Responsibilities and Disciplinary

Any breaches of Personal data protection laws, regulations of authorities and/or ACS must be sanctioned associated with ACS regulations (disciplinary settlement) or/ and laws (administrative sanction or/and criminal prosecution).

Besides, relevant individuals and ACS’s employees who are lawbreakers, violators could be responsible and indemnify for actual damage, loss caused by infringement.

13. Disclaimer of Confidentiality Obligation

In order to increase the value provided to the Data subject, ACS may select different third-party websites/applications/services to link to ("Third Party Links"). We do not guarantee the security of the Personal Data and/or other information the Data subject provide on Third Party Links. Because even if such third party is affiliated with us, we cannot control these linked websites/applications/services as each has its own separate privacy policies and practices. We therefore accept no practical or legal liability for the content, security practices (or lack thereof) of Third Party Links. However, with the aim of protecting the integrity of our values, we welcome your feedback on these links.

14. Juvenile Subjects and other Persons

For the purposes of this Policy, a minor is a person under the age of 13. Unless otherwise stated, ACS is not intended to collect any Personal Data regarding minors.

In the event that a minor's Personal Data is disclosed to ACS, the Data Subject hereby consents to the processing of the minor's Personal Data and accepts and agrees to be bound by this Policy and is responsible for the actions of that minor.

ACS will not process the Personal Data of a deceased or missing person without the consent prescribed by law. It is your responsibility to promptly notify us of such fact.

15. Department in charge/Person in charge

ACS assigned Legal and Compliance Department was Department in Charge for duty of Personal data processing and protection activities.

In the event that the Data Subject have any queries (or complaints) about the way in which ACS process your Personal Data, you may raise these with Call Center at ACS or Department in Charge, and ACS will try to consider your request as soon as possible. This does not prejudice your right to file the complaint with a government authority that has a data protection authority, or

In the event that the Data Subject has any question in regards to the protection of Personal Data or if the Data Subject wish to exercise any of his/her rights, please get in touch with Call Center at ACS or Department in Charge who will promptly act on your request.

At: ACS Vietnam Trading Co., Ltd – Ho Chi Minh Headquarter

Attention: Data Protection Officer

Email: acs.cs@acsvietnam.com.vn

Address: 246 Cong Quynh St., Pham Ngu Lao Ward, District 1, Ho Chi Minh City.

Phone: 1900 5150

16. Effectiveness and Revision

This Policy is effective as of July 1, 2023, and must be reviewed and evaluated once a year or in case of arising suddenly some regulatory change, to reflect the latest information status and to ensure the compliance of AFS/ACS’s policies and Vietnamese laws, regulations. 

 

WEBSITE OWNER INFORMATION

Information about the website owner (e.g., footer page), including:

  • Name of unit: ACS Vietnam Trading Co., Ltd.
  • Address: 246 Cong Quynh Street, Pham Ngu Lao Ward, District 1, Ho Chi Minh City,
  • Phone: 1900 5150
  • Email: cs@acsvietnam.com.vn
  • Number of business registration certificate: 0305732706
  • Date of issue: May 26, 2008
  • Issued by: HCMC Department of Planning and Investment

 

Gọi ngay
SMS
Liên hệ