Privacy policy

1. PURPOSE OF POLICY
		This personal data protection policy (“Policy”) issued by Fujitsu Vietnam Ltd (“We” or “FVL”) defines requirements to ensure compliance with Decree No. 13/2023/ND-CP of the Government dated 17 April 2023 on Personal Data Protection (“PDPD”).
2. SCOPE OF APPLICATION
2.1. This Policy applies to all employees, interns, trainees, contractors, representatives, and other personnel of FVL who receive and Process Personal Data for and on behalf of FVL, have access to Personal Data collected or Processed by FVL, or who provide Personal Data to FVL. 2.2. This Policy shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law and other binding agreements.
3. DEFINITIONS
3.1.		“Authority” means Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam.
3.2.		“Data Controller” means an individual or organization who (either alone or jointly with other persons) determines the purposes for which and the manner in which any Personal Data is or is to be Processed.
3.3.		“Data Processor” means an organization or individual that Process Personal Data on behalf of the Data Controller, pursuant to an agreement with the Data Controller.
3.4.		“Data Subject” means the person whose information is reflected by Personal Data.
3.5.		“Data User” in relation to Personal Data, means a person (including business units or FVL’s assigned employee) covered by the scope of this Policy who, either alone or jointly or in common with other persons, assign to control the collection or Processing of Personal Data.
3.6.		“DPC” means the Data Protection Committee of FVL, as being appointed by FVL from time to time in accordance with Section 4.1 of this Policy.
3.7.		“FVL” means Fujitsu Vietnam Ltd. Under this Personal Data Protection Policy, FVL shall be the Data Controller, cum Data Processor as the case may be.
3.8.		“Personal Data” means any information under forms of symbols, letters, numbers, images, sounds, or in other equivalent formats on an electronic medium which is associated with a particular person or information used to identify a particular person. Personal data includes Basic Personal Data and Sensitive Personal Data. Information used for identification of a particular person refers to information derived from an individual's activities that, when combined with other data and stored information, can identify a particular person. Basic Personal Data includes: - Family name, middle name and first name as stated in a birth certificate, other name (if any); - Date of birth; - Gender; - Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, native place, contact address; - Nationality; - Image of the individual; - Telephone numbers, people’s identity card number, personal identification number, passport number, driver’s license numbers, numbers in vehicles’ number plates, personal tax identification number, social insurance number, health insurance card number; - Marital status; - Information about family relationships (parents, children); and - Information about digital account of the individual; personal data on activities, history of activities in cyberspace. Sensitive Personal Data is Personal Data associated with an individual’s privacy that, when violated, will directly affect the individual’s legitimate rights and interest, which includes: - Health status and private information recorded in the health record; - Information relating to racial origin, ethnic origin; - Information about the inherited or acquired genetic characteristics of the individual; - Information about physical characteristics, unique biological characteristics of the individual; - Data on crimes and offences are collected and stored by law enforcement authorities; - information on bank accounts; - Location data of the individual identified through location services; and - Other data that is specified by the law to require necessary security measures.
3.9.		“Process” (or other grammatical forms of such word such as “Processed” or “Processing”) in relation to Personal Data means the carrying out of any operation or set of operations, whether by manual or automated means, that affect personal data, including but not limited to: collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, retrieval, withdrawal, encryption, decryption, copy, sharing, transmission, provision, transfer, erasure, destruction of Personal Data or other related activities.
3.10.		“Violation” means violation against regulations on protection of personal data as described in Section 8.1 of this Policy.
4. DATA PROTECTION COMMITEE
4.1. Appointment
	FVL shall appoint a Data Protection Committee (“DPC”) through an internal decision. The DPC shall comprise of the Head of Departments of FVL. The DPC shall act independently, in a neutral and impartial manner to ensure FVL’s full compliance with PDPD and this Policy. FVL shall appoint one (1) member of the DPC as the Head of DPC who shall be (i) the contact point for any queries and/or request related to this Policy and (ii) the representative in liaising with the Authority and other relevant state agencies regarding any matter related to the processing of Personal Data of FVL. The governance structure and the roles and responsibilities of the DPC shall be decided by FVL from time to time.
4.2. Duties
		The DPC shall monitor the application of this Policy. The DPC shall, on request or on their initiatives, advise Data Subjects on their rights and Data Controller, Data Processor, Data User on their responsibilities. The DPC is responsible for responding to inquiries, requests, and complains of the Data Subjects on the processing of Personal Data of FVL. Other duties as set forth in this Policy or as required by applicable laws.
4.3. Cooperation with the DPC
		All subjects as governed by this Policy shall cooperate with the DPC by assisting the DPC and make available any information necessary for the DPC to carry out their duties.
5. DATA PROTECTION PRINCIPLES
5.1.		FVL shall process and protect Personal Data in accordance with the Vietnamese laws, this Policy and the consent form, as the case may be, collected from the Data Subject and any other documents entered into with the Data Subject.
5.2.		FVL shall collect Personal Data appropriately and limited to the declared data processing purposes; the purpose for data processing shall be clear, specific, lawful and in accordance with this Policy, the consent form and applicable Vietnamese laws.
5.3.		FVL shall update and supplement Personal Data in conformity with its Processing purposes, in compliance with requests from the Data Subjects and the applicable Vietnamese laws.
5.4.		FVL shall always apply and keep up-to-date organizational and technical measures in accordance with the provisions of Vietnamese law to ensure the data security of Personal Data, including measures to protect against Violations, including but not limited to unauthorized access, unauthorized or unlawful access and/or destruction, loss, damage to Personal Data.
5.5.		FVL shall store Personal Data appropriately and to the extent necessary for the declared Processing purposes in accordance with Vietnamese laws.
6. FVL’S RESPONSIBILITIES
6.1. Consent
		FVL shall not process Personal Data without the consent of the Data Subject, unless otherwise being exempted by the applicable laws. The consent of the Data Subject shall be declared in writing, in the standard form (please refer to Section 6.2) The exceptional cases whereby consent from the Data Subject is not required, as stipulated by PDPD, shall comprise the followings: - The Processing of Personal Data to protect the life and health of the Data Subject or others in an emergency situation; - The disclosure of Personal Data in accordance with the applicable laws; - The Processing of Personal Data to fulfill obligations under contracts between the Data Subject with FVL as prescribed by law; and - The Processing of Personal Data to serve operations by regulatory authorities as prescribed by relevant laws. Consent can be withdrawn by the Data Subject in written request.
6.2. Notification
		FVL shall inform the Data Subject of the purposes for which Personal Data will be collected, used, or disclosed in order to obtain their consent. The notification and consent form shall contain the following information: - Purpose(s) of Processing the Personal Data; (Note that FVL may supplement or amend the purposes of Processing Personal Data. On such occasion, FVL will notify and obtain consent from the Data Subject on the revision) - Type of Personal Data which will be used in relation to the purpose(s); and - Method of Personal Data Processing; - Information on other organizations and individuals permitted to Process Personal Data; - Contact address of the DPC or Head of Department in charge for any queries on the Processing of Personal Data; - Rights and obligations of the Data Subject; - Possible undesirable consequences and damage; and - Time of commencement and completion of Processing.
6.3. Access and Correction
		Subject to any limitation or requirement imposed by PDPD and the completion of Consent Form by the Data Subject, the Data Subject is entitled to obtain the information about his/her Personal Data which is in the possession of or under the control of FVL via personal data request form as provided via Exhibit A of this Policy, unless otherwise provided by law. FVL shall grant the Data Subject the right to access, if appropriate, and correct his Personal Data that is in the possession of or under the control of FVL. Subject to any limitation or requirement imposed by PDPD and the Data Subject completing the written request, FVL shall comply with requests on provision and modification of Personal Data.
6.4. Accuracy
		The Data Subject is personally responsible for the sufficiency and accuracy of his/her Personal Data. FVL is responsible to update the Personal Data subject to the requests of the Data Subject in compliance with Section 6.3, in the event that the Data Subject requests for correction/supplementation of Personal Data due to inaccuracy and/or insufficiency.
6.5. Protection
		FVL shall make reasonable security arrangements to protect Personal Data in its possession or under its control right from the beginning of, and during its course of Personal Data processing, in order to prevent (i) unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored. FVL shall appoint the DPC to manage the protection of Basic Personal Data and Sensitive Personal Data as specified in Section 4. The contact information of the DPC shall be provided to the Authority for cooperation in protection of Personal Data. FVL and other Data Processor duly authorized for Processing of Personal Data shall inspect the cyber security of systems, means and equipment serving personal data processing before processing personal data. From time to time, FVL shall review and update its security arrangement to ensure that the security measures in place are adequate for the protection of Personal Data.
6.6. Storage, Retention and Erasure of Personal Data
		FVL may only retain Personal Data for as long as it is necessary to fulfill the purposes for which they are collected, or as required or permitted by the application laws. FVL shall destroy documents containing Personal Data, or remove the means by which the Personal Data can be associated with the Data Subject, as soon as it is reasonable to assume that: - the purpose for which that Personal Data was collected is no longer being served by its retention; and - retention is no longer necessary for FVL’s legal or business purposes. Unless otherwise specified by the Vietnamese laws, FVL must comply with the request of the Data Subject for erasure of Personal Data, if: - the Data Subject finds that such personal data are no longer necessary for the consented purpose of data processing, and accepts damage that is likely to occur upon request for data deletion; - the Data Subject withdraws the consent; - the Data Subject objects to Personal Data Processing by FVL and any party authorized by FVL under contractual agreement, and consent of the Data Subject for Processing the concerned Personal Data has no plausible reason for continued Personal Data Processing; - The Personal Data are Processed in contravention of the consented purpose, or the Personal Data Processing violates law; and - The Personal Data are subject to deletion in accordance with Vietnamese laws. Unless otherwise specified by the Vietnamese laws, the erasure of Personal Data shall be carried out by FVL within 72 consecutive hours from the receipt of the request for Personal Data erasure from the Data Subject along with the documents to sufficiently identify the Data Subject. Before the permanent erasure of both Basic Personal Data and Sensitive Personal Data or destruction of Personal Data-containing devices, FVL shall inspect its cyber security of system, means and equipment serving personal data processing.
6.7. Transfer
		FVL may transfer or disclose Personal Data to third party or affiliate company of FVL and/or places where the IT system is used to store such Personal Data for the performance of any of the purposes for which FVL had duly notified and obtained consent from the Data Subject. FVL cannot transfer Personal Data outside of Vietnam without (i) the consent from the Data Subject; (ii) a legitimate legal basis for such transfer, and (iii) contractual obligations on the recipient of Personal Data to protect the Personal Data at a standard that is comparable to the protection under the laws of Vietnam. FVL shall be responsible to submit the dossier of assessment of impact of the transfer of Personal Data outside of Vietnam to the Authority in accordance with PDPD.
6.8. Notification of personal data protection violation
		FVL shall assess whether a Violation is notifiable and notify the Authority and/or the affected individuals where it is assessed to be notifiable. Please refer to Section 8 below for further details.
6.9. Accountability
		FVL shall implement the necessary policies and procedures in order to meet its obligations under the prevailing laws and make such policies and procedures publicly available.
6.10. Exceptional for business contact information
		The obligations described in this Section 6 do not apply to business contact information. FVL is not required to obtain consent before collecting, using and disclosing business contact information. Business contact information refers to the employee code or contractor code created by FVL, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the Data Subject, not provided by the Data Subject solely for his personal purposes (i.e., such information must be provided in a work-related context). In most circumstances, information provided on a business card/email’s signature would be considered business contact information. If in doubt as to whether the personal data you hold would be considered business contact information, please contact our DPC.
7. RESPONSIBILITY OF ALL DATA USERS
7.1.		Every Data User is key in enabling FVL to comply with its PDPD obligations. Each Data User must be diligent and must exercise caution while dealing with or handling the Personal Data, in the course of his duties and responsibilities at FVL. This Section sets out further guidance as to how the Data Users should handle Personal Data to ensure that the PDPD obligations are complied with. The guidance provided in this Policy is not exhaustive. If in doubt, the Data User should consult their immediate supervisors and/or the DPC.
7.2.		Obtaining Consent It is reasonable to expect that Data Subject will only give their consent after having been notified of the purpose(s) of why FVL wants to collect, use or disclose their Personal Data. Hence FVL must abide by the rules and guidelines for obtaining consent from Data Subject as specified in Section 6.1 and 6.2 and be aware of exceptions/circumstances where consent is not required.
7.3.		Handling withdrawal of consent If a Data Subject wishes to withdraw consent, he/she should be allowed to do so with reasonable notice to FVL (e.g., 3 working days to respond to the request and 10 working days to affect the withdrawal of consent). Data User should, however, inform the concerned Data Subject of the likely consequences of their withdrawal of consent, e.g., without their personal contact information you may not be able to inform them of future events or launches of new products and services from FVL. After learning about these consequences, the Data Subject may change their minds about the withdrawal of consent.
7.4.		Protection of Personal Data Data User is required to strictly adhere to FVL’s responsibilities as described in Section 6 and take the necessary security precautions to protect the Personal Data in the possession or under control (including the physical storage media that contain such personal data) to prevent unauthorised access, use, disclosure, or similar risks. This includes putting in place relevant technical, administrative and physical controls to protect the Personal Data in Data User’s care such as the following: Secure handling of the Personal Data (electronic or physical) at the collection, use and disclosure points; Taking reasonable and appropriate measures to maintain the confidentiality and integrity of Personal Data, and only share data with authorised persons on a ‘need to know’ basis; Ensuring Personal Data is transferred electronically or manually in a secure manner; Ensuring proper access controls to storage systems as well as security measures incorporated into any equipment such as multi-function copiers and scanners; Ensuring storage media (e.g., portable hard disk, SD card, thumb drive) containing Personal Data is either password-protected or encrypted; and Ensuring there are procedures in place to manage security incidents.
7.5.		Retention of Personal Data As a requirement, all Personal Data that no longer have any business or legal use will be destroyed or disposed of in a secure manner. Data User is not allowed to retain Personal Data in Data User’s possession or under their control when it is no longer needed for any business or legal purposes in FVL. Some personal data may be retained for research or statistical purposes if the means by which the personal data is associated with unique individuals can be removed, e.g. by anonymizing the data (i.e. removing unique identifiers such as ID number, mobile phone number, full name and address, that can identify a particular individual).
7.6.		Transfer of Personal Data If a Data User needs to transfer personal data to another country outside Vietnam, they must ensure that the standard of data protection in the recipient country is comparable to that of Vietnam’s PDPD. If this is not so, a Data User must enter into a contractual agreement (or data transfer agreement) with the receiving party to accord similar levels of data protection as those in Vietnam.
7.7.		Handling of Violation The members of DPC will follow the Violation response procedure under Section 8 of this Policy on the appropriate course of action. If there is a need to escalate the reporting to higher level management in FVL, the Head of DPC will follow the data breach reporting and escalation protocol.
8. MANAGING PERSONAL DATA PROTECTION VIOLATION AND INCIDENT RESPONSE
8.1.		A Personal Data Protection Violation (“Violation”) refers to incidents whereas the regulations on personal data protection under PDPD and/or other relevant Vietnamese regulations on personal data protection are infringed, and the rights and obligations of the Data Controller, Data Processor, Data Subject, and other Third Party related to the Data Processing is breached or unfulfilled. A Violation may occur due to malicious activities (e.g., hacking, thefts and scams); human error (e.g., loss of employee computers or confidential documents or improper disposal of personal data) and/or computer system error (e.g., program errors or bugs which may be exploited). If not managed properly, this could lead to financial losses and cause customers to lose trust in FVL. Incidents of Violation includes (but not limited to) incident exposing Personal Data to the risks of unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. It also includes circumstances where there has been a loss of any storage medium or device on which Personal Data is stored, thereby exposing the Personal Data to the risks as described above.
8.2.		Once FVL has credible grounds to believe that an incident has occurred, it is required to take reasonable and expeditious steps to assess whether the incident is a Violation that shall be notified to the Authority under PDPD.
8.3.		It is therefore critical that any incident (whether suspected or confirmed as a Violation) is reported to FVL immediately because FVL may be legally or contractually obligated to report the alleged Violation to the Authority, the individuals whose Personal Data is affected, or to FVL’s customers within the prescribed timeframes under PDPD or contracts with customers.
8.4.		Any Data User including employee who becomes aware of a Violation or suspects that a Violation may have occurred must immediately notify his/her immediate supervisor, the corresponding Head of Department and the Head of DPC. Risks and impact of the Violation will be assessed and managed by the corresponding Head of Department and DPC accordingly.
9. TRAINING AND AUDIT
9.1. Data User, Data Subject or Data Processor is required to attend and participate in trainings related to data privacy organized by FVL from time to time. 9.2. Data User, Data Processor under this Policy shall follow the audit protocol in relation to Personal Data which will be adopted by the FVL.
10. NON-COMPLIANCE OF THIS POLICY
		Any non-compliance with this Policy is taken very seriously by FVL and will lead to appropriate disciplinary action being taken in accordance with the Vietnamese Labour Code and FVL’s internal policies, including but not limited to: reprimand, deferment of wage increase, demotion and/or termination of labour contract.
11. DISPUTE RESOLUTION PROCESS
11.1. Employees
		Employees with inquiries or complaints about the Processing of their Personal Data should first discuss the matter with their immediate supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate supervisor, or if the supervisor and the employee are unable to reach a satisfactory resolution of the issues raised, the employee should bring the issue to the attention of the corresponding Head of Department or DPC in writing.
		If the issue cannot be resolved through consultation with the employee’s supervisor or the corresponding Head of Department and DPC, it shall be handled first through non-judicial procedures established by applicable employment agreements, union agreements, or statutory provisions, as may be applicable to a particular person.
11.2. Non-employees
		Non-employees with inquiries or complaints about the Processing of their Personal Data should bring the matter to the attention of the Head of DPC in writing.
11.3. Appeals
		If the issue is not resolved through consultation with the employee’s supervisor or the Head of Department and DPC, or through other mechanisms under existing employment agreements, union agreements, or statutory procedures, then the individual may, at their option, seek redress through a complaint to the Authority.
12. CONTACT INFORMATION
		If you have any questions about this Policy, please contact: Tran Thi Thanh Ha Data Protection Committee Fujitsu Vietnam Ltd Room 01-03, 17^th floor, Keangnam Landmark 72, Cau Giay New Urban Area, Me Tri Ward, Nam Tu Liem District, Hanoi, Vietnam Email: [email protected]
13. REVIEW OF THIS POLICY
		This Policy shall be revised from time to time. Pursuant to the reviews, if amendments to this Policy are considered necessary, FVL will modify this Policy and, where necessary, provide notice of such modifications.

1. PURPOSE OF POLICY

2. SCOPE OF APPLICATION

2.1. This Policy applies to all employees, interns, trainees, contractors, representatives, and other personnel of FVL who receive and Process Personal Data for and on behalf of FVL, have access to Personal Data collected or Processed by FVL, or who provide Personal Data to FVL.

2.2. This Policy shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law and other binding agreements.

3. DEFINITIONS

3.1.

3.2.

3.3.

3.4.

3.5.

3.6.

3.7.

3.8.

3.9.

3.10.

4. DATA PROTECTION COMMITEE

4.1. Appointment

4.2. Duties

4.3. Cooperation with the DPC

5. DATA PROTECTION PRINCIPLES

5.1.

5.2.

5.3.

5.4.

5.5.

6. FVL’S RESPONSIBILITIES

6.1. Consent

6.2. Notification

6.3. Access and Correction

6.4. Accuracy

6.5. Protection

6.6. Storage, Retention and Erasure of Personal Data

6.7. Transfer

6.8. Notification of personal data protection violation

6.9. Accountability

6.10. Exceptional for business contact information

7. RESPONSIBILITY OF ALL DATA USERS

7.1.

7.2.

7.3.

7.4.

7.5.

7.6.

7.7.

8. MANAGING PERSONAL DATA PROTECTION VIOLATION AND INCIDENT RESPONSE

8.1.

8.2.

8.3.

8.4.

9. TRAINING AND AUDIT

9.1. Data User, Data Subject or Data Processor is required to attend and participate in trainings related to data privacy organized by FVL from time to time.

9.2. Data User, Data Processor under this Policy shall follow the audit protocol in relation to Personal Data which will be adopted by the FVL.

10. NON-COMPLIANCE OF THIS POLICY

11. DISPUTE RESOLUTION PROCESS

11.1. Employees

11.2. Non-employees

11.3. Appeals

12. CONTACT INFORMATION

13. REVIEW OF THIS POLICY