Privacy Policy

REGULATIONS ON PERSONAL DATA PROTECTION

 

This regulation on personal data protection (hereinafter referred to as “RPDP”) is published and publicly announced by Navibank Securities Joint Stock Company (“NVS”) on NVS’s website, and is applied according to law of Vietnam. By using products, services, utilities and/or conducting any transactions or relationships with NVS in any way, organizations and individuals need to read, understand and voluntarily accept, comply with this RPDP.

 

Article 1. Objectives and scope of regulation

  1. Regulations on NVS’s activities regarding collection, purpose, type of data, method and location of processing personal data, scope of use of personal data, processing period, data storage period personal data and the measures by which NVS processes and manages personal data while the Data Subject (defined in Article 2 below) uses or interacts with products, services, websites electronic information or services of NVS and/or carry out any transactions or relationships with NVS.
  2. The RPDP have scope of application from the time the Data Subject interacts, communicates, establishes any relationship, transaction and/or accesses and uses NVS’s channels, platforms and applications.
  3. NVS recommends that Data Subjects carefully read this RPDP and regularly check NVS’s website, NVS’s notifications in any way to Data Subjects to update changes to the RPDP. At the same time, NVS also recommends that Data Subjects regularly check their information to update any changes that NVS may make according to the regulations stated in this Regulation. The data subject agrees to apply, coordinate and commit to comply with the RPDP.

 

Article 2. Explanation of words

  1. Data subject” is the individual whose personal data is processed by NVS. The data subject can be an individual customer/partner of NVS or an employee of NVS or any other individual participating/carrying out any transaction or relationship with NVS in any way, now and in the future.
  2. “Personal data” is information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment that is associated with a specific person or helps identify a specific person. Personal Data includes Basic Personal Data and Sensitive Personal Data.
  3. “Basic personal data” is the most basic information of an individual, including:
    1. Surname, middle name, birth name, other names (if any);
    2. Date of birth; date, month, year of death or disappearance;
    3. Sex;
    4. Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
    5. Nationality;
    6. Images of individuals;
    7. Phone number, ID card number, personal identification number, passport number, driver’s license number, license plate number, personal tax code number, social insurance number, health insurance card number;
    8. Marital status;
    9. Information about family relationships (parents, children);
    10. Information about individual digital accounts; Personal data reflecting activities and history of activities in cyberspace;
    11. Other information that pertains to a specific person or helps identify a specific person that is not considered Sensitive Personal Data.
  4. Sensitive personal data” is personal data and information associated with an individual’s privacy rights that, when violated, will directly affect the individual’s legitimate rights and interests, including:
    1. Political views, religious views;
    2. Health status and personal life are recorded in medical records, excluding information about blood type;
    3. Information related to racial origin and ethnic origin;
    4. Information about an individual’s inherited or acquired genetic characteristics;
    5. Information about physical attributes and biological characteristics of individuals;
    6. Information about individual’s sex life and sexual orientation;
    7. Data on crimes and criminal acts are collected and stored by law enforcement agencies;
    8. Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations, including: customer identification information according to the provisions of law, account information, deposit information, deposited asset information, transaction information, information about organizations and individuals that are guarantors at credit institutions, bank branches, and organizations providing payment intermediary services;
    9. Data about the individual’s location determined through location services;
    10. Other personal data is regulated by law as specific and requires necessary security measures.
  5. Personal data processing” means one or more activities affecting personal data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieve, retrieve, encrypt, decrypt, copy, share, transmit, provide, transfer, delete, destroy personal data or other related actions.
  6. Automatic personal data processing” is a form of personal data processing performed by electronic means to evaluate, analyze, and predict the activities of a specific person, such as: habits, interests, trust levels, behavior, location, trends, abilities, and other circumstances.
  7. Customer” is an organization or individual who accesses, learns about, registers, uses products, services, utilities and/or has relationships/transactions during operations, providing products, NVS’s services and utilities.
  8. Company” or “NVS” means Navibank Securities Joint Stock Company, including the company’s headquarters, branches, offices, and transaction offices (if any).
  9. Third party ” is an organization or individual other than NVS and the Data Subject.
  10. Cookie” is a small text file placed on a Data Subject’s computer or mobile device when the Data Subject visits a website or uses an application. Cookies collect information about users and their visits to websites or use of applications, such as their Internet protocol (IP) address, how they arrived at the website (for example, through a search engine or a link from another site) and how they navigate the site or app. NVS uses cookies and other technologies to facilitate the Data Subject’s Internet sessions and the Data Subject’s use of NVS applications, providing the Data Subject with products and/or services according to the Data Subject’s preferred settings, to monitor the use of NVS websites and applications and to compile statistics on activities performed on NVS websites and/or through NVS applications.
  11. Pixel tag” also known as a web beacon, is an invisible tag placed on certain pages of NVS’s website but not on the Data Subject’s computer. Pixel tags are often used in conjunction with cookies and are used to track the behavior of users visiting a website. To clarify, any terms that have not been explained in this RPDP will be understood and applied according to the provisions of relevant internal documents issued by NVS from time to time and/or in contracts, agreements, documents entered into between the Data Subject and NVS or interpreted according to the provisions of Vietnamese law.

 

Article 3. General rules

  1. This RPDP is an inseparable part of the Requirements cum contract for opening an account and registering to use securities trading services, contracts, agreements, applications, registrations… that arise and governs and establishes the relationship between the Data Subject and the NVS.
  2. By providing Personal Data of a third party (including but not limited to: information of dependents, legally related persons, spouses, children and/or parents and/or the Data Subject’s guardian, friend, reference, beneficiary, proxy, partner, emergency contact person or individual, representative, or authorized person data) to NVS, the Data Subject represents, warrants and undertakes that the Data Subject has obtained the lawful consent of that third party for the processing and information that NVS is the processing subject. Processing Personal Data for the purposes stated in the RPDPs.
  3. Depending on the role of NVS in each specific situation are (i) Personal Data Controller; (ii) Personal Data Processor; or (iii) the Data Controller and Processor, NVS will exercise the respective powers, responsibilities and principles for processing Personal Data in accordance with applicable laws.
  4. The Data Subject understands and agrees that the provision of Personal Data of the Data Subject to NVS (including but not limited to information NVS has before, during and after the Data Subject’s consent these RPDPs) is the Data Subject’s full consent allowing NVS to use Personal Data throughout the process of receiving and processing personal data, starting from the time NVS receives the information until there is a request from the Data Subject to terminate data processing.
  5. The RPDPs will prevail in the event of any conflict or inconsistency with the agreements, terms and conditions in the contracts, agreements, documents, and materials governing the relationship between Data Subject with NVS, whether such contracts, agreements, documents, or documents are entered into before, on, or after the date the Data Subject accepts these RPDPs.
  6. All rights and obligations of NVS and Data Subjects in this RPDP will not be replaced, terminated or changed but will be concurrent with the rights and obligations that NVS and Data Subjects currently have in any document and no provision in this RPDP implies the limitation or elimination of any of the rights and obligations of the parties that have been established.

 

Article 4. Personal data processing activities

  1. Type of Personal Data Processed

The types of Data Subjects’ Personal Data processed include:

    • Basic personal data is stated in Clause 2.3, Article 2 of this RPDP; and
    • Sensitive personal data is stated in Clause 2.4, Article 2 of this RPDP.

The types of Personal Data are processed in accordance with the specific relationships and transactions between the Data Subject and NVS according to agreements, contracts, and other relevant documents arising between the parties.

  1. How to process data

Depending on each data processing purpose stated in Clause 4.3 below, NVS may process Data Subject Data in one or several of the following ways:

    • Collect data
      • For NVS to provide products, services, features, facilities to Data Subjects, or process Data Subject requests, or perform other contractual obligations with Data Subjects, or NVS may be required and/or required by law to collect Personal Data of Data Subjects and individuals related to Data Subjects.
      • Collection methods and collection methods: NVS (and personal data processors used by NVS – if any) may directly or indirectly collect Personal Data of Data Subjects when the Subject requested by the Data Subject and/or during the process of NVS providing any product or service to the Data Subject and/or during the process of the Data Subject interacting, communicating, accessing, using channels , NVS’s platform, applications and from one or more of the sources as listed below, including but not limited to: Directly from Data Subjects: NVS collects during contact, work, providing services, meeting the Data Subject face to face and being provided with information by the Data Subject.
      • From NVS’s websites and online transaction systems: NVS may collect Personal Data of Data Subjects when Data Subjects access any website or online transaction system of NVS or use any features or resources available on or through this website or online transaction system.
      • From mobile applications: NVS may collect Personal Data of Data Subjects when Data Subjects download or use NVS mobile applications.
      • From exchanges and communications with Data Subjects: NVS may collect Personal Data of Data Subjects when Data Subjects and NVS contact each other, such as via email, video call, phone call, radio, electronic communications or any other means (including but not limited to surveys and investigations conducted or obtained by NVS).
      • From the Data Subject’s choice to register/link the Data Subject’s account on the NVS application platform with the Data Subject’s social network account and/or on a third party platform with the Data Subject’s account. Data Subject’s securities trading account at NVS. The Data Subject agrees that NVS may access, collect and process the Data Subject’s personal data that the Data Subject has voluntarily provided to these account service providers in accordance with this policy, and NVS will manage and use this personal data of Data Subjects in accordance with this RPDP at all times.
      • From interactions or automatic data collection technologies: NVS may collect Personal Data of Data Subjects and related parties that is automatically logged from the Data Subject’s connection to NVS such as cookies , pixel tags, plug-ins, third-party social networking sequences or any technology with tracking capabilities.
      • From competent state agencies: NVS may receive Personal Data of Data Subjects from management agencies such as the State Securities Commission, Vietnam Securities Depository Center/Vietnam Securities Depository Corporation. Registering and clearing Vietnamese securities, stock exchanges or other competent agencies in Vietnam.
      • Public sources: NVS may receive Personal Data of Data Subjects from public sources such as phone books, advertising information/flyers, information publicly available online, etc.
      • From related persons of NVS, suppliers, service providers, partners, affiliates and third parties related to NVS’s business activities;
      • From third parties having a relationship with the Data Subject;
      • From other sources where the Data Subject consents to the sharing/provision of Personal Data, or where collection is required or permitted by law.
    • Data saving:

Personal data is stored in NVS’s database system or anywhere that NVS or its branches, subsidiaries, affiliates, partners or service providers have facilities, and create a backup copy to a data center in another region. Personal data of Data Subjects is stored by NVS in forms appropriate to its activities. Reasonable measures will be taken to protect the data when stored at NVS.

During the process of accessing NVS’s electronic information pages, websites, applications, and social networks, NVS may also temporarily store information via cookies, clickstreams or similar data storage tools to store data that the server can retrieve.

    • Data Analysis: Analysis of Personal Data is performed in accordance with NVS’s internal processes. NVS always has a strict monitoring mechanism for each data analysis process, which requires testing to meet legal requirements on data security and ensuring information security for information technology systems before conducting analysis. NVS has strict rules that ensure that personal information is anonymized or de-identified at the appropriate stage in the processing process.
    • Data encryption: Collected personal data is encrypted according to appropriate encryption standards when necessary during data storage or transfer, to ensure that the data is protected, authenticated, and complete, intact and cannot be altered once sent.
    • Deleted cannot be recovered

The Data Subject’s personal data will be irreversibly deleted by NVS and/or the party processing data for NVS and/or third parties authorized to process personal data in the following cases:

      • The processing of data is not for the right purpose or has completed the purpose of processing personal data according to this Regulation.
      • The storage of personal data is no longer necessary for the activities of NVS/data processing party for NVS/third parties.
      • NVS/party processing data for NVS/Third Party is dissolved or no longer operating or declares bankruptcy or terminates business operations in accordance with the law.
      • Other processing methods: in addition to the above methods, NVS may process Data Subject’s data in other ways, including: recording, confirming, editing, publishing, combining, access, retrieve, retrieve, decrypt , share, transmit, provide, destroy personal data or other related actions.
  1. Purpose of processing personal data

NVS (and parties authorized to process Personal Data for NVS) may use and process Personal Data for one or more of the following purposes (collectively, “ Purposes ”):

    • Serves to provide NVS products and services to Data Subjects or to perform contractual obligations between NVS and Data Subjects, towards the needs and interests of Data Subjects , specifically:
      • Identify, authenticate identity, confirm transactions of Data Subjects with NVS, assess risks of tampering or suspected tampering of Data Subjects in transactions with NVS, protect Data Subjects from fraudulent or other illegal conduct;
      • Review the legal, financial and other conditions of the Data Subject with respect to any product, service or transaction proposed or provided by NVS;
      • Display on NVS’s trading platform and applications separate and integrated information about the Data Subject’s assets, finances, transactions, contracts, and/or any features or utilities of the Data Subject. Data Subjects can select, query information and remind to exercise the rights and obligations of Data Subjects related to entering into and implementing contracts and transactions of Data Subjects with NVS and partners of NVS (in case there are products, services, utilities provided by NVS’s partners or entrusted, delegated, assigned to agents for NVS to provide, information to Data Subjects);
      • Develop, improve, upgrade NVS’s products, services, features, utilities, and transaction systems through reporting, statistics, synthesis, and data analysis (including financial analysis, behavior analysis, trading trends, preferences and analyzing other factors, …);
      • Provide to service providers/partners of NVS to perform services, features, utilities for Data Subjects and/or NVS;
      • Contact, evaluate and deal with instructions or requests from Data Subjects, including responding to queries or comments, resolving or investigating any complaints, legal claims or disputes or to exchange information, provide documents or other documents related to transactions or use of NVS products, services, features and utilities;
      • Notify Data Subjects of product and service policies, program rules, instructions for using features and utilities, improvements and enhancements to the utility and quality of products and services of NVS, as well as other information about the Data Subject’s relevant rights and obligations that NVS finds necessary to notify;
      • Promote, introduce, information about products, services, promotional programs, research, surveys, news, updates, events, prize contests, customer loyalty programs , reward programs, machine sewing draws, sending of related gifts and prizes, communication activities and any form of related commercial promotion of services, products, features, NVS’s utilities and products, services, and activities of other partners that cooperate with NVS;
      • Inspect, test, install, manage, upgrade, make technical improvements and implement other measures to ensure safety, security and protection of Data Subjects and Data Subjects’ personal data anticipate harmful situations and risks of harm;
      • Other purposes aimed at improving service quality and/or for the needs and interests of Data Subjects.
    • To carry out obligations according to legal regulations and/or requirements of competent State agencies and/or according to rules , agreements, operational requirements, operations, and business administration from time to time of NVS, specifically:
      • Store records and documents related to NVS’s operations according to legal regulations;
      • Prepare and submit or disclose information on financial reports, operational reports, tax reports, labor reports or other related reports; Providing information to serve investigations, inspections and examinations by competent agencies;
      • To monitor, inspect, audit, risk management, compliance management, security and safety, human resource management and other management purposes to meet and comply with NVS’s internal policies and laws;
      • Protect the legitimate interests of NVS, including and not limited to collecting fees, charges and/or to recover any debts, financial obligations, or to serve the resolution of complaints lawsuits and complaints between Data Subjects and NVS and/or other relevant parties;
      • Implement money laundering, crime and terrorist financing prevention, comply with anti-access and anti-corruption regulations according to regulations;
      • To prevent or minimize threats to the lives and health of others and public interests in case of necessity;
      • To serve other purposes related to NVS’s operations, management, administration, investment and business that NVS considers appropriate from time to time, or according to legal regulations promulgated from time to time;
    • NVS will request permission from the Data Subject before using the Data Subject’s Personal Data for purposes other than those stated in this RPDP.
    • NVS only processes the Data Subject’s personal data for the purposes registered and declared by NVS in accordance with this Regulation and according to other documents approved and agreed to by the Data Subject.
  1. Parties involved in data processing

NVS may itself or use third party service providers to process data of data subjects. The list of parties processing data for NVS is published by NVS to data subjects. The data processor for NVS has the following responsibilities:

    • Only processed according to the contents recorded in the agreement with NVS.
    • Must delete and return all personal data of the Data Subject to NVS upon completion of processing personal data as agreed with NVS.
    • The Data Processor’s processing of personal data must be recorded and maintained in a system log. At the same time, there must be technical procedures/documents describing the storage of personal data processing logs.
    • Can demonstrate compliance with personal data protection regulations and have appropriate protective measures in place.
    • The Data Subject’s personal data must be stored for a period consistent with the purpose of data processing.
    • Allow NVS to control and must demonstrate compliance with laws on personal data protection before NVS when requested.
    • Other responsibilities according to this Regulation, agreement with NVS and according to legal regulations.
  1. Processing of personal data in some special cases
    • NVS will be able to record audio, video and process personal data collected from audio and video recording activities via surveillance cameras in areas where cameras are installed (including but not limited to transaction counter area, office, hallway area, exit area,…) in accordance with the requirements to ensure security in the operations of NVS and for Data Subjects according to the provisions of law.
    • For the use and processing of Personal Data of a person declared missing/deceased (in case NVS is known and notified), NVS will have to obtain the consent of the spouse or adult child of that person, in the absence of these people, the consent of the father or mother of the person declared missing or deceased must be obtained, except in the case of processing personal data that does not require the owner’s consent data in accordance with current law.
    • Processing of children’s personal data
      • NVS respects and protects children’s Personal Data in accordance with the principles of protecting the rights and best interests of children.
      • In addition to the Personal Data protection measures prescribed by law, before processing a child’s Personal Data, NVS will verify the child’s age and request the consent of (i) the child children aged 7 years or older and/or (ii) the child’s father, mother or guardian as prescribed by law.
      • NVS will stop processing children’s personal data, irreversibly delete or destroy children’s personal data in the event of:
        • Processing data for purposes other than the purpose or for which the purpose of processing personal data agreed to by the data subject has been completed, unless otherwise prescribed by law;
        • The child’s father, mother or guardian withdraws consent to the processing of the child’s personal data, unless otherwise provided by law;
        • At the request of a competent authority when there is sufficient evidence to prove that the processing of personal data affects the legitimate rights and interests of children, unless otherwise prescribed by law.
  1. Collection, transfer and disclosure of Personal Data
    • NVS has been applying personal data protection measures to prevent unauthorized collection of personal data from its systems and service equipment.
    • NVS will not sell, exchange, rent, or illegally trade personal information of Data Subjects, unless otherwise agreed by the Data Subject. However, to carry out the purposes and processing activities of Personal Data in this RPDP, the Data Subject agrees that NVS may disclose the Personal Data of the Data Subject or the Personal Data of the third parties related to the Data Subject, to one or more of the following:
      • To employees and departments within NVS for the purposes stated in this RPDP and/or contracts, agreements, documents signed between Data Subjects;
      • To the parent company, subsidiaries and any branches, representative offices, agents or affiliated companies of NVS, or any company that is a related person of NVS;
      • Partners, strategic partners of NVS and contractors of these partners, including but not limited to banks, financial institutions, financial institutions and other organizations and individuals participating in activities for the above purposes and/or the process of providing individual or integrated products and services of NVS;
      • Organizations and individuals are affiliated and cooperate with NVS to provide products and services in investment, finance, banking, credit assessment and rating, credit information, intermediary activities, agents, brokers, types of trading floors, trade promotion, advertising, information technology, solutions, utilities, platforms, operations, storage, infrastructure development, systems, equipment equipment, facilities, software, applications, managed services, service or commercial entities that integrate with NVS’s applications, and service providers that perform services on behalf of NVS ( e.g. IT services, logistics, printing services, telecommunications, debt collection, consulting, distribution and marketing);
      • Competent state authorities in Vietnam or any individual, regulatory body or third party to whom NVS is authorized or required to disclose under the laws of any country, or under any any other contract/agreement or commitment between a third party and NVS;
      • Business partners, rewards providers, gift providers, co-branders, loyalty program participants or co-organizers, advertisers, charities or organizations non-profit organization, any related organization for the purpose of operating and implementing NVS’s business activities, the party implementing the system, application or device operation or providing any Data Subjects which products or services the Data Subject chooses or the purposes stated in this RPDP;
      • Any individual or organization involved in exercising or maintaining any rights or obligations under the agreement(s) between the Data Subject and NVS;
      • Certain professionals such as lawyers, notaries, rating agencies or auditors as necessary in specific circumstances (e.g. consulting, litigation, auditing);
      • The party receiving the transfer, receiving the transfer of rights, obligations and assets of NVS; parties in transfer, consolidation or merger transactions in NVS’s operations and/or parties who need to find out information for the purpose of receiving this transfer, receiving transfer, consolidation or merger;
      • Any individual or organization that is a representative, authorized party or has consent from the Data Subject, acting on behalf of and/or on behalf of the Data Subject; or The party involved in the transaction as well as the implementation of the transaction of the Data Subject (payee, beneficiary, designated person related to the account, intermediary organizations providing the platform, collection and payment services, non-cash payment services, depository, clearing and settlement organizations…);
      • Agencies, organizations, and individuals involved in processing Personal Data and/or related to the Purpose of processing personal data and individuals, organizations, and agencies that NVS has a good faith belief that the sharing sharing and providing is reasonable for the Purpose as in Article 4.4 of this RPDP;
      • Other individuals, agencies, and organizations that NVS finds necessary to meet and protect the legitimate rights and interests of the Data Subject and of NVS;
      • Third parties with whom the Data Subject consents or with whom NVS has a legal basis to share the Data Subject’s Personal Data;
    • NVS considers the Personal Data of Data Subjects to be private and confidential, and other than the parties stated in Article 4.6.b above, NVS will not disclose the Personal Data of Data Subjects to any other party.
  2. Transfer of Personal Data abroad
    • In order to carry out the purpose of processing Personal Data in this RPDP, NVS may have to provide/share Personal Data of Data Subjects to relevant third parties of NVS and these third parties can be in Vietnam or any other location outside the territory of Vietnam.
    • When providing/sharing Personal Data abroad, NVS will require the receiving party to ensure that the Data Subject’s Personal Data transferred to them will be confidential and secure. NVS ensures compliance with legal and regulatory obligations regarding the transfer of Personal Data of Data Subjects.
  1. Third-party websites and applications
    • This RPDP applies to both websites, applications and platforms of other parties that provide NVS’s services and utilities, and other websites, applications, and platforms that provide NVS’s products, services and utilities contains advertising information, content, links, integrations, and links to other parties’ websites, applications, and platforms.
    • When accessing these third-party websites, applications, and platforms, Data Subjects should read and understand the terms and conditions on personal data protection, privacy policies, and information security. their or their relevant internal regulations. NVS cannot control the content or links that appear on other parties’ websites, applications, or service platforms and is not responsible for the activities of Data Subjects used by those websites, applications or another platforms, linked to or from any website, application or device as well as the other party’s processing of the Data Subject’s data.
  1. Prohibitions on processing personal data
    • Do not buy or sell personal data in any form, unless otherwise prescribed by law.
    • Do not provide personal data in the following cases:
      • Causing harm to national defense, national security, social order and safety;
      • Providing personal data by Data Subjects may affect the safety, physical or mental health of others;
      • The data subject does not consent to provide, represent or authorize the receipt of personal data.
    • Setting up software systems, technical measures or organizing activities to collect, transfer, buy and sell personal data without the consent of the Data Subject is a violation of the law;
    • Processing personal data contrary to the provisions of law on personal data protection.
    • Processing personal data to create information and data aimed against the State of the Socialist Republic of Vietnam.
    • Processing personal data to create information and data that affects national security, social order and safety, and the legitimate rights and interests of other organizations and individuals.
    • Obstructing personal data protection activities of competent authorities.
    • Taking advantage of personal data protection activities to violate the law.

 

Article 5. Exercise the rights and obligations of Data Subjects in relation to Personal Data

  1. General rules
    • Data subjects have the following rights: (i) Right to know; (ii) Right to consent; (iii) Right of access; (iv) Right to withdraw consent; (v) Right to data deletion; (vi) Right to restrict data processing; (vii) Right to provide data; (viii) Right to object to data processing; (ix) Right to complain, denounce and sue; (x) Right to claim compensation for damages; (xi) Right to self-defense and other related rights as prescribed by law. If Data Subjects have any questions about the RPDPs or any other concerns regarding how NVS manages and protects Data Subjects’ Personal Data and/or have any requests To exercise their rights, Data Subjects can send requests to NVS or manually access, retrieve, update, and edit data through applications (supported from time to time) or communication channels. Receive requests from other Data Subjects provided by NVS from time to time.
    • NVS will, using reasonable efforts, comply with a lawful and valid request from a Data Subject within the legally prescribed time period from receipt of a complete, valid request and the associated processing fee ( if any) from the Data Subject, subject to NVS’s right to invoke any exemptions and/or exceptions under the law. In case it cannot be done, NVS will promptly notify the Data Subject or within the time limit prescribed by law (if any).
    • In the event that the Data Subject withdraws his or her consent, requests data erasure and/or exercises other relevant rights in respect of any or all of the Data Subject’s Personal Data, and Depending on the nature of the Data Subject’s request, NVS may consider and decide not to process the Data Subject’s request or not continue to provide NVS’s products and services to the Data Subject, data entities or termination of other relationships/transactions between the two parties due to (i) legal regulations and/or competent authorities do not allow NVS to perform such activities or (ii) cannot ensure the standards standards/quality of products or services if such data is deleted/restricted or (iii) legal regulations require NVS to collect personal data of Data Subjects when providing products, service or (iv) other cases according to NVS’s assessment, deletion/restriction of data may disrupt the structure and infrastructure of protecting historical data and Data Subject information. In case NVS decides not to provide products or services to Data Subjects, actions performed by Data Subjects in accordance with this regulation will be considered a unilateral termination on the part of the Data Subject. for any relationship between the Data Subject and NVS, and may result in a breach of obligations or commitments under the contract or agreement between the Data Subject and NVS; At that time, NVS reserves the right to reserve NVS’s legal rights and remedies in cases that arise. NVS shall not be liable to Data Subjects for any loss (if any), and NVS’s legal rights shall be expressly reserved to limit, restrict, suspend , cancel, prevent, or prohibit it. Data Subjects should note that due to the specific nature of NVS’s operations, the law requires that NVS must store Data Subject information in certain cases, in which case NVS cannot meet data deletion requests. Data Subject’s data if deletion would result in a violation of the law. The Data Subject’s withdrawal of consent, request for restriction of data processing, data erasure, or objection to processing of Personal Data does not affect the lawfulness of the previous processing of Personal Data with the consent of the Data Subject.
    • For security purposes, it may be necessary for a Data Subject to make his or her request in writing or use another method approved by NVS from time to time to prove and authenticate the Data Subject’s identity. NVS may require the Data Subject to verify identity before processing the Data Subject’s request.
  2. Data subjects are responsible for protecting their personal data and requesting other relevant organizations and individuals to protect their personal data. At the same time, Data Subjects must also respect and protect the Personal Data of others.
  3. Provide complete and accurate personal data to NVS when establishing relationships, entering into contracts and/or throughout the period of using products, services, and transactions with NVS.
  4. Implement and comply with legal regulations on personal data protection and participate in preventing and combating violations of personal data protection regulations.
  5. In case of changes or adjustments to Personal Data, the Data Subject is responsible for accessing NVS’s online transaction system (if the system supports it) to proactively check and update the Data, personally or contact and immediately notify NVS so that NVS can promptly update such changes and adjustments. The data subject will be fully responsible for any delay in updating or delay in notifying NVS to update this Personal Data; At the same time, the delay in updating or delay in notifying NVS to update data from the Data Subject will exempt NVS from all damages and risks arising to the Data Subject and related parties ( if any).

 

Article 6. Personal Data Protection Measures; Unwanted consequences and damages

  1. Measures to protect personal data
    • NVS always values privacy and strives to secure and ensure the safety of Data Subjects’ Personal Data as NVS’s most important asset and NVS always strives to ensure confidentiality, safety, Comply with the law, limit unwanted consequences and damages that may occur. NVS has been applying necessary measures to protect the personal data of Data Subjects (including related subjects of Data Subjects) and is responsible for protecting the Personal Data of Data Subjects. Data is a mandatory requirement that NVS sets for all employees. NVS carries out the responsibility to protect Personal Data in accordance with current laws with appropriate security methods according to legal regulations, market practices and regularly reviews and updates management measures and techniques when processing Data Subject’s Personal Data (if any).
    • Management measures: from time to time, NVS will issue regulations/processes/policies/instructions related to the protection of personal data of Data Subjects, including but not limited to regulations on ensuring information security in NVS’s operations; data center entry and exit management process; virus prevention regulations, etc
    • Technical measures: depending on each period, NVS implements technical measures to check network security for systems and means and equipment serving DLCN processing before being put into operation, periodically doing so. Scanning and evaluating the safety and security of information systems, including management and use of hardware devices, software management, and application of technical standards according to specialized legal regulations.
    • NVS appoints a department with the function of protecting personal data and appoints personnel in charge of protecting personal data according to legal regulations.
  2. Unwanted consequences and damages may occur
    • Data subjects understand that providing and agreeing for NVS to use and process Personal Data will always have potential risks such as the risk of partial Data leakage or inappropriate data processing, promptly, may arise from causes such as: system errors, transmission lines, force majeure events, viruses, network attacks or hardware or software errors, actions and operations of the Subject data or any other third party that affects the provision and processing of the Data Subject’s Personal Data…. Risks may arise such as the Data Subject’s Personal Data being exposed or stolen by another party, leading to this Personal Data being used for undesirable purposes or beyond the control of NVS and the Data Subject, causing both physical and mental damage. NVS will be responsible to the Data Subject for damages caused by NVS’s processing of Personal Data, except in cases not due to NVS’s fault.
  3. NVS and Data Subjects should both recognize that cyberspace (the Internet) is not a secure environment and that there can be no absolute guarantee that Data Subjects’ Personal Data shared using the Internet will always be protected. The Data Subject’s personal data transmitted when the Data Subject uses the Internet is the responsibility of the Data Subject and the Data Subject should only use secure systems to access the website, application or device. In addition to NVS’s efforts to protect Personal Data, Data Subjects are also responsible for securing their access credentials for each website, application, platform and protecting their devices and assets, transaction accounts, security elements, your own account login information and immediately notify NVS if any abuse or illegal use is detected.

 

Article 7. Start and end times of processing of Personal Data

  1. The time for processing personal data will not depend on the time the Data Subject transacts with NVS and/or the Data Subject has terminated/stopped using the products, services or contracts, agreements, transactions and other relationships between NVS and Data Subjects. This RPDP is always in effect from the time the Data Subject’s Personal Data is recorded and received on the NVS system until the Personal Data Processing Purposes in Clause 4.3, Article 4 are completed or cases of termination of personal data processing according to legal regulations.
  2. NVS stores the Data Subject’s Personal Data for the period necessary to fulfill the purposes in accordance with the agreements, contracts, documents, and materials the Data Subject has signed with NVS and/or as appropriate for the purposes stated in this RPDP, except that the Personal Data storage period may be longer if required by a competent state agency or permitted by the Data Subject and according to regulations Current law.

 

Article 8. Effect, Notification and Amendments and Supplements to the RPDP

  1. When using any product, service or accessing any website, application or device of NVS or connected to NVS or conducting any transaction or relationship with NVS in any way. In any form, the Data Subject is deemed to have accepted these RPDPs in their entirety. In case the Data Subject does not accept this RPDP, the Data Subject has the right to make a written decision to NVS to terminate the use of services, products or access to NVS’s websites, applications or devices or terminate the use of websites, applications or devices connected to NVS. In case the Data Subject makes a decision to terminate but still continues to use products or services or access NVS’s websites and applications and/or use devices and applications connected to NVS understands that the Data Subject has changed his/her mind and agrees to be governed by this RPDP.
  2. Regardless of the validity of contracts, agreements, or other documents entered into or established between the Data Subject and NVS, this RPDP is always in effect and applies to the Data Subject until the The data processing purpose is completed and there is an agreement to terminate the processing of the Data Subject’s personal data with NVS and/or when NVS’s internal regulations and relevant legal regulations stipulate the termination of processing manage, delete, and destroy all Personal Data of Data Subjects.
  3. NVS has the right to amend, update or adjust the terms of this RPDP from time to time and ensure the amendments and supplements are consistent with relevant legal regulations. All notices of any amendments, updates or adjustments to this RPDP will be sent by NVS to Data Subjects through one or several of the following methods: publicly available on the website, email, application NVS’s mobile phone, mobile subscriber messages or other methods that NVS deems appropriate.
  4. NVS understands that the Data Subject’s continued use of services, products, and access to NVS’s website/application means that the Data Subject agrees to the revised and updated content of this RPDP.