I. DEFINITIONS
1.1. "Personal data" means information in the form of symbols, scripts, numbers, images, sounds or the like in the electronic environment that is associated with a specific person or helps identify a specific person. Personal data includes basic personal data and sensitive personal data.
1.2. "Information that helps identify a specific person" means information formed from an individual's activities that, when combined with other data and stored information, can identify a specific person.
1.3. "Basic Personal Data" includes:
a. Full name, middle and birth name, other names (if any);
b. Date, month, year of birth;
c. Gender;
d. Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
e. Nationality;
f. Images of individuals;
g. Phone number, identity card number, personal identification number, passport number, driver's license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
h. Marital status;
i. Information about family relationships (parents, children);
j. Information about the individual's digital account; personal data reflecting activities and history of activities in cyberspace;
k. Other information attached to a specific person or helping to identify a specific person does not fall under this Article 1.3.
1.4. "Sensitive personal data" means personal data associated with the privacy of individuals that, when infringed, will directly affect the legitimate rights and interests of individuals, including:
a. Political views, religious views;
b. Health and personal status are recorded in the medical record, which does not include information about blood type;
c. Information related to racial and ethnic origin;
d. Information about inherited or acquired genetic traits of individuals;
e. Information about physical properties, individual biological characteristics;
f. Information about the sex life, sexual orientation of the individual;
g. Data on crimes and offenses collected and stored by law enforcement agencies;
h. Customer information of credit institutions, foreign bank branches, intermediary payment service providers, other permitted organizations, including: customer identification information in accordance with the provisions of law, account information, deposit information, information about deposited assets, etc information on transactions, information about organizations and individuals acting as guarantors at credit institutions, bank branches, intermediary payment service providers;
i. Location data of individuals identified through location services;
j. Other personal data regulated by law are specific and require necessary security measures.
1.5. "Data subject" means the individual reflected by personal data.
1.6. "Personal data processing" means one or more activities affecting personal data, such as collection, recording, analysis, confirmation, storage, correction, publicity, combination, access, retrieval, withdrawal, encryption, decryption, copying, sharing, transmission, provision, transfer, etc deletion, destruction of personal data or other related actions.
1.7. "Control over personal data" means deciding the purposes and means of processing personal data.
1.8. "Provider" means the Party that provides the data subject's personal data to the other Party when preparing a transaction, in the course of conducting a transaction with the other Party or interacting with the other Party. For clarification, the Provider may be the Data Subject or the Data Controller and/or Processor.
1.9. "Data Controller and/or Processor" means the Provider's personal data controller and/or personal data processor.
1.10. Suppliers; Data Controllers and/or Processors are collectively referred to as the "Parties" and individually as the "Parties".
1.11. "Transaction channels" means the transaction channels between UP FILE and the other Party, including but not limited to the Contract, website, application ... or other trading channels depending on the period provided by UP FILE.
ARTICLE 3. COMMITMENT TO PERSONAL DATA PROTECTION
3.1. This Policy explains the purposes and methods for which the Controller and/or Data Processor controls and/or processes the personal data that the Provider provides when preparing a transaction, in the course of conducting a transaction with a Controller and/or Processing or interacting with the Controller and/or Data Processing. It also instructs the Provider on how to exercise its rights in relation to personal data.
3.2. The Data Controller and/or Processor commits to comply with the following principles in the process of controlling and processing personal information of the Provider:
a. Personal data of the Provider is controlled and processed in a lawful, fair, transparent manner and in accordance with applicable laws;
b. Personal data of the Provider is collected for specific, explicit and legitimate purposes and will not be processed other than the purposes stated in this Policy and in accordance with applicable laws;
c. Personal data of the Supplier is stored appropriately and to the extent necessary for the purpose of processing in accordance with applicable laws;
d. The personal data of the Supplier is accurate and updated and inaccurate data related to the purpose of processing will be deleted or corrected promptly in accordance with applicable laws;
e. Data Controller and/or Processor shall take technical and organizational measures in accordance with applicable laws to ensure an appropriate level of security of personal data, including safeguards against unauthorised or unlawful access to personal data and destruction, loss, unintended damage.
3.3. The Data Controller and/or Processor ensures and is solely responsible to its partners (service providers, other suppliers, customers, etc.) also comply with the protection of personal data in accordance with the law.
3.4. The Data Controller and/or Processor undertakes to comply with other principles provided for by law on personal data protection, in particular those relating to the rights of data owners and obligations regarding data transfer abroad.
ARTICLE 4. PURPOSE OF CONTROLLING AND PROCESSING PERSONAL DATA
4.1. The Provider agrees to allow the Data Controller and/or Processor to process the Supplier's Personal Data and share the results of data processing for the following purposes:
a. Assist the Supplier in updating the Provider's information when purchasing or using products and/or services provided by the Data Controller and/or its partners and/or Data Processors;
b. Provide Controller's products and services and/or Data Processing, Controller products and services and/or Data Processing in cooperation with partners to the Provider (including but not limited to registration, Account management/ Resources/ Brandname/ Hotline using the Service, register and support service warranty, forward information to Service Providers...);
c. Organizing trade introduction and promotion, market research, public opinion polling and brokerage;
d. Research and develop new services and provide suitable products and services to the Supplier;
e. Trading in marketing services, introducing advertising products;
f. Measurement, internal data analysis, evaluation and other processing to improve and enhance the quality of services provided by the Data Controller and/or Processor to the Provider;
g. Investigate and settle inquiries and complaints of the Supplier;
h. Adjust, update, secure and improve the products, services, equipment that Data Controller and/or Processor are providing;
i. Verify the identity and ensure the confidentiality of information of the Provider;
j. Notify the Supplier of changes to policies, promotions of products and/or services offered by Data Controller and/or Processor;
k. Prevent and prevent fraud, identity theft, and other illegal activities;
l. Comply with applicable law, relevant industry standards and other applicable Data Controller and/or Processing policies;
m. Data Controller and/or Processor collects, stores and uses the Provider's personal data for the purposes of performing services such as record keeping and complying with legal and tax obligations. Data Controller and/or Processor stores such data for a period of time or as required by law;
n. Any other purpose specific to the operation of the Controller and/or Data Processing and under any other purpose notified to the Provider by the Controller and/or Data Processor, at the time of collection of the Provider's personal data or prior to the commencement of the relevant processing or otherwise required, or as permitted by applicable law.
o. Other cases for the purpose of performing transactions, contracts, agreements between the Controller and/or Data Processing with the Provider.
4.2. Where it is necessary to process the Supplier's Personal Data for other purposes or at the request of the Supplier, the Data Controller and/or Processor shall notify the Supplier through the Controller's transaction channels and/or Data Processing so that the Supplier expresses its consent prior to doing so.
ARTICLE 5. TYPE OF PERSONAL DATA CONTROLLED, PROCESSED
Data Controller and/or Processor may collect and process the following categories of personal information:
a. Name, citizen identification number/identity card/passport, gender, date of birth, position;
b. Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
c. Gender;
d. Nationality;
e. Contact information and personal accounts: contact information such as telephone number, mailing address, email address, fax number; home address, mobile phone number, personal email address;
f. Communications between Data Controller and/or Processor and Provider;
g. Call information, messages and call recording data arising during the Provider's use of the Controller's voice, messaging, switchboard services and/or Data Processing;
h. Image, audio and video data arising during the Provider's use of camera services featuring data storage and/or data processing;
i. Photos of individuals, including images provided when registering to use the service, images of the Provider posted on UP FILE's application/website during the use of the service;
j. Data posted, stored, created by the Provider on the system or cloud service platform provided by the Data Controller and/or Processor;
k. Information about the individual's digital account; personal data reflecting activities and history of activities in cyberspace;
l. Telecommunications consumer behavior data: call, sms, data, vas;
m. The data provided by the Provider to the Controller and/or the Data Processor when registering to use the service and also the data generated during the Customer's use of the Controller's services and/or Data Processing.
ARTICLE 6. HOW TO CONTROL AND PROCESS PERSONAL DATA
The Controller and/or Data Processor controls and/or processes personal data through service provision/use systems, websites, mobile applications, events organized and/or Data Processing by the Controller, contractual information or documents, relevant documentation. In addition, the Data Controller and/or Processor may receive the Provider's personal data from its affiliates, partners, other service providers and/or Data Processing when the Provider consents to the provision of personal information to the Controller and/or Data Processing or from an administrative authority public and governmental institutions.
ARTICLE 7. RETENTION PERIOD OF PERSONAL DATA
The Data Controller and/or Processor shall store the personal data provided by the Provider on the Controller's internal systems and/or Data Processing during the provision of services, performance of a contract or until the fulfillment of the purpose of control, processing or until compliance with statutory obligations allows and disputes are resolved.
ARTICLE 8. ORGANIZATIONS INVOLVED IN THE PROCESSING OF PERSONAL DATA
8.1. Recipients of personal data
The Data Controller and/or Processor may disclose personal data to third parties, such as employees of the Controller and/or Data Processor authorized to access personal data, entities and member companies within the Controller and/or Data Processor, business partners, service providers or goods, for the purposes set out in Article 4 of this Policy.
8.2. Overseas transfers of personal data
Data Controller and/or Processor may transfer the Provider's personal data to a foreign country for processing and storage for the purposes set out in Article 4 of this Policy. Overseas transfers by Controllers and/or Data Processors are subject to Vietnamese laws.
ARTICLE 9. PROCESSING OF PERSONAL DATA IN SOME SPECIAL CASES
The Data Controller and/or Processor ensures that the Provider's personal data processing fully meets the requirements of the law in the following special cases:
9.1. CCTV footage, in specific cases, may also be used for the following purposes:
a. for quality assurance purposes;
b. for public security and occupational safety purposes;
c. detect and prevent suspicious, inappropriate or unauthorized use of UP FILE's facilities, products, services and/or facilities;
d. detection and prevention of criminal conduct; and/or
e. Conduct investigations and verify incidents.
9.2. Data Controller and/or Processor respects and protects children's personal data at all times. In addition to the personal data protection measures provided for by law, prior to processing children's personal data, the Data Controller and/or Processor will verify the age of the child and ask for the consent of:
a. children and/or
b. parents or guardians of children as prescribed by law.
9.3. In addition to complying with other relevant laws, for the processing of personal data related to personal data of the person declared missing/deceased, the Data Controller and/or Processor will have to obtain the consent of one of the relevant persons in accordance with applicable laws.
ARTICLE 10. RIGHTS AND OBLIGATIONS OF DATA SUBJECTS WITH RESPECT TO PERSONAL DATA
10.1. Data Subjects' Rights with their Personal Data
a. Right to know and right to consent
Through this Policy, the Supplier is made aware of the Supplier's processing of personal data. By signing at the end of this Policy, the Supplier expresses its will to consent to the processing of the Supplier's personal data.
b. Access rights
The Provider has the right to request the Controller and/or Data Processor to confirm, at any time, that certain of the Provider's personal data is processed by the Data Controller and/or Processor, as well as to request the Controller and/or Data Processor to provide certain information about the type of data processed, the purpose of processing and the recipients or categories of recipients of such data.
c. Right to Rectification
The Supplier has the right to request the Data Controller and/or Processor to correct inaccurate or incomplete information relating to the Supplier.
d. Right to request deletion
The Supplier reserves the right to request deletion of its personal data stored by the Data Controller and/or Processor in cases under applicable laws, e.g. where the Supplier's personal data is no longer necessary for the purpose for which it was collected, initial processing or where the Provider's personal data is processed unlawfully.
e. Right to restriction of processing of personal data
The Supplier has the right to request the Data Controller and/or Processor to limit the processing of the Supplier's personal data without deleting the relevant data based on the conditions prescribed by applicable laws.
f. Right to data portability
The Supplier reserves the right to restore some of its data for its own use or for transfer to another company/enterprise based on the conditions prescribed by applicable laws.
g. Right to object
The Provider reserves the right to object at any time to the processing of its personal data by the Controller and/or Data Processor for direct marketing purposes.
h. Right to withdraw consent
Where the processing of the Supplier's personal data is based on the prior consent of the Supplier, the Supplier reserves the right to withdraw the consent at any time by sending a written request to the Data Processor, unless otherwise provided for by law. However, the withdrawal of consent will not affect the lawfulness of the previous processing of data based on the Provider's consent. In the event that consent is withdrawn by the Provider, the Data Controller and/or Processor may not be able to provide the Provider with the required full and quality services if the withdrawn consent directly affects the provision of services or the quality of services.
i. Right to complain, denounce or initiate lawsuits in accordance with law.
j. The right to claim compensation for actual damages in accordance with the law if the Data Controller and/or Processor commits a breach of the provisions on Personal Data protection, unless otherwise agreed by the parties or otherwise provided for by law.
k. Method of exercising the right: in writing to the Data Controller and/or Processor.
10.2. Suppliers' obligations with respect to their Personal Data
a. Where the Supplier is an organization and has provided personal data of persons related to or under the management of the Supplier to the Data Controller and/or Processor, the Supplier shall ensure that such individual's consent is obtained for the provision of their data.
b. Comply with the provisions of laws, regulations and instructions of UP FILE related to the processing of Personal Data of the Provider.
c. Take responsibility for the information, data and consent they create and provide in the network environment; Be solely responsible in case personal data is leaked or infringed due to his/her fault.
d. Regularly update the Regulations, Personal Data Protection Policy of UP FILE from time to time notified to the other Party or posted on UP FILE's transaction channel. Take actions in accordance with UP FILE's instructions to expressly express your consent or non-consent to the purposes of processing Personal Data as notified by UP FILE from time to time.
ARTICLE 11. AS A RESULT, UNWANTED DAMAGE IS LIKELY TO OCCUR
11.1. UP FILE uses a variety of information security technologies to protect Personal Data from unintended retrieval, use or sharing. However, no amount of data can be 100% secure. Therefore, UP FILE is committed to the maximum security of Personal Data. Some of the possible unexpected consequences and damages include but are not limited to:
a. Hardware and software errors in the data processing process cause data loss of the Provider;
b. The security vulnerability is beyond the control of UP FILE, the system is attacked by a third party causing data leakage;
c. The Supplier self-discloses personal data due to: carelessness or fraud; accessing websites/downloading applications containing malware...
11.2. UP FILE recommends that the Provider keep confidential information related to the Provider's account login password, OTP code and not share this login password and OTP code with any other person.
11.3. The supplier should preserve electronic equipment during use. The Provider should lock, log out, or exit the account on UP FILE's website or Application when there is no need to use it anymore.
11.4. In case of learning that the data storage server is attacked by a third party resulting in the loss of the Provider's Personal Data, UP FILE will be responsible for notifying the incident to the investigating authorities for timely handling and notify the Provider.
ARTICLE 12. GENERAL
12.1. This Policy is effective from 01/07/2023. The Supplier understands and agrees that this Policy may be amended from time to time and notified to the Supplier through UP FILE's transaction channels. The changes and effective date will be updated and announced in Trading Channels and other channels of UP FILE. The Provider's continued use of the service after the notice period for amendments and supplements from time to time means that the Supplier has accepted such amendments and supplements.
12.2. Each Party is aware of and agrees to this Policy which is also the Notice of Personal Data Processing stipulated in Article 13 of Decree 13/ND-CP/2023 on Personal Data Protection and amended and supplemented from time to time before UP FILE proceeds to Process Personal Data. Accordingly, UP FILE does not need to take any other measures for the purpose of notifying the Provider of the Processing of Personal Data.
12.3. This Policy is construed and governed in accordance with the laws of Vietnam.
12.4. This Policy represents the entire Policy between the Parties and supersedes any prior written or written interpretations or Policies relating to the matters referred to above.
12.5. For the purpose of protecting personal data in accordance with the law, this Policy will also apply to contracts, agreements, documents... between the Parties which are signed before, during and after the entry into force of this Policy.
12.6. In the event that any provision of this Policy is ruled invalid by a court of competent jurisdiction, such provision shall be automatically void and cease to be binding on the Parties, however such ruling shall not invalidate the remaining provisions of this Policy, and the validity of such terms shall remain in full.
12.7. This Policy is publicly posted by UP FILE on the website for mutual knowledge. The Parties agree to have carefully read, understand their rights and obligations and agree to the full content of the Policy.
This Personal Data Protection Policy was last updated in July 2023.
