Notice on personal data processing

1.1 “Personal Data” refers to digital data or information in other forms that identify or help identify a specific individual, including basic personal data and sensitive personal data. Personal data, once anonymized, shall no longer be considered personal data. Personal data is specifically defined in Section 2, Part I of this Personal Data Processing Notice (the ‘PDPN’).  

1.2 “Products and Services” refers to (i) products and services provided by VIB; and (ii) products and services provided by VIB’s partners and distributed through VIB.

1.3 This PDPN sets forth and governs the processing of personal data relating to “Personal Data Subjects”, including:

• Individual customers who register for and/or are currently using the Products and Services (hereinafter referred to as ‘Customers’);
• Related persons of the Customer as required by law to be collected (“Related Parties”); 
• Other individuals as determined by VIB from time to time, including but not limited to: guarantors who are individuals; dependents; spouse; children; parents; siblings; grandparents; aunts/uncles; friends; beneficiaries; referees; colleagues; lawful heirs; estate administrators/users; legal representatives; guardians; individuals residing/living at the customer’s residence; emergency contacts; users of the Customer’s VIB Online Banking application; and/or other individuals in accordance with applicable laws (collectively referred to as “Third Parties” in this document)
• By providing the Personal Data of a Data Subject to VIB, the Customer represents and warrants that: (i) The Customer has obtained the full and valid consent of such Data Subject for the processing of their Personal Data under the terms and conditions set forth in this PDPN; and (ii) The Customer shall be fully responsible for the lawfulness, accuracy and validity of the Personal Data provided to VIB. 

1.4 Within the scope of personal data processing under this PDPN, VIB shall act as a data controller and/or data processor in accordance with applicable laws.  

1.5 “Personal Data Processing” means one or more activities performed on personal data, including but not limited to: collecting, analyzing, aggregating, encrypting, decrypting, modifying, deleting, destroying, anonymizing, providing, disclosing, transferring, and other relevant activities.

2.1 Group 1 Personal Data: Full name (including middle name and given name), aliases (if any); date of birth; date of death or date of missing status; gender; place of birth, place of birth registration, permanent residence, temporary residence, current place, hometown, contact address; nationality; personal images; phone number, personal identification number, passport number, driver’s license number, vehicle plate number; marital status; family relationship information (spouse, parents, children); personal account number information; and other information associated with or used to identify data subject that is not classified as Group 2 Personal Data below.

2.2 Group 2 Personal Data:  Data revealing racial or ethnic origin; political opinions, religious or spiritual beliefs; information relating to private life, personal secrets, and family secrets; health status; biometric data and genetic characteristics; data revealing an individual’s sexual life or sexual orientation; data relating to criminal convictions and offences, and information on breaches of the law, as collected or held by competent law enforcement authorities; the individual’s location identified via positioning services; login names and passwords used to access the individual’s electronic identification accounts; images of the identity card, citizen identification card, or personal identification card; login names and passwords used to access bank accounts; bank card information and data on banking transaction history; financial and credit information as well as information on financial, securities, and insurance activities or transaction history of the Personal Data Subject held by credit institutions, foreign bank branches, payment intermediary service providers, securities institutions, insurance institutions, or other authorized organizations; behavioral tracking data and activity data generated from the use of telecommunications services, social networks, online media services, and other services in cyberspace; and other personal data required by law to be kept confidential or subject to stringent security measures.

2.3 Group 3 Personal Data: Data generated or extracted from, or related to, technical systems (including devices, applications, software, operating systems, browsers, IP addresses, and other technical systems), including but not limited to: language settings; date and time of access to digital platforms; application usage statistics; configuration settings; and access timestamps; usernames; passwords; login credentials; usage data; and other related data or information. Data generated or extracted relating to advertisement preferences, cookie data, clickstream data; web browsing history; responses to direct marketing; and opt-out preferences for direct marketing; and other related data or information.

3.1 Processing requests from Customers when requested to provide products and services, and for purposes arising from VIB’s proactive proposals, advertising, marketing, introduction, or offering of products or services to the Customer:

• Identify/recognize, verify the Personal Data Subject's identity and background information, including identity and personal background;
• Update personal information of the Personal Data Subject;
• Check and compare with relevant data sources;
• Enter, check, and control the completeness and accuracy of the data entered into the system;
• Evaluate and assess the financial status of the Customer/Personal Data Subject;
• Measure, build, and evaluate the creditworthiness of the Customer/Personal Data Subject;
• Credit scoring, credit ranking, assessment of credit information, and evaluation of the creditworthiness of the Customer/Personal Data Subject;
• Check, assess, evaluate, and approve credit conditions of the Customer/Personal Data Subject;
• Serve the purposes of anti-money laundering, counter-terrorism financing, compliance with embargoes, or provide to competent authorities as regulated from time to time;
• Comply with FATCA (Foreign Account Tax Compliance Act) under the agreement between the IRS and the Government of Vietnam;
• On behalf of the Customer/Personal Data Subject, to verify and reconcile the Customer’s/Personal Data Subject’s information and account information (excluding passwords) held by tax authorities and by product or service providers that VIB deems necessary, for the purpose of assessing, evaluating and authenticating the Customer’s/Personal Data Subject’s information so that VIB may provide products or services at the Customer’s request or where VIB proactively offers or introduces such products or services to the Customer;
• Authenticate the Customer/User on VIB Online Banking application to enable access to digital/electronic accounts and personalize their experience on VIB Online Banking application with respect to the products and services offered through the application;
• Automatically register the Customer/Personal Data Subject on digital applications so that the Customer/Personal Data Subject and/or VIB can manage their transaction information at VIB;
• Activate/open, manage, maintain, close/lock the services and utilities of the products used by the Customer.
• Provide/send account statements, balance confirmations, invoices, correspondence, letters or other notifications (including but not limited to: updates on changes, including any amendments, supplements, extensions, suspensions, and replacements of products/services and utilities provided by or through VIB) to the Customer/Personal Data Subject or other related parties;
• Implement advertising, marketing, introduction and offering programs for products and services to the Customers, and to administer promotions, incentives and VIB’s customer care support.
• Respond to the Customer inquiries and complaints and resolve disputes.
• Serve the purposes of contract execution, disbursement/use for credit facilities.
• Serve the processing of Customer/Personal Data Subject requests related to product/service applications.
   

3.2 Use and analysis for the development, provision, and enhancement of product and service quality, including:

• Generating data, reports, statistics, and feedback for VIB and/or for related parties specified in Section 4 of this Personal Data Processing Notice; 
• Conducting market research, surveys, and data analysis related to products, services, and utilities provided by VIB and/or in cooperation with other parties;
• Risk assessment, trend analysis, statistical processing, planning, including credit and risk data analysis to establish and maintain credit scoring systems, checking credit history to assess/appraise and maintain the credit history data of Customer/the Data Subject;
• Collecting and recording your evaluations and feedback through surveys to improve service quality.
   

3.3 Fulfilling the requirements necessary for VIB to exercise its rights and perform its obligations in complying with applicable laws and VIB’s regulations, including:

• Managing and recording calls and/or recordings and communications conducted through electronic channels with the Customer/Personal Data Subject and other relevant parties;
• Managing benefits or entitlements related to VIB’s relationship with the Customer/Personal Data Subject or arising from the Customer’s/Personal Data Subject’s participation in events, campaigns, advertising, marketing, promotional, preferential or support programs organized by VIB or jointly organized by VIB with other organizations or individuals;
• Managing VIB’s infrastructure and business operations;
• Protecting or enforcing VIB’s rights, including but not limited to: collecting fees and charges; recovering debts; handling collateral (including but not limited to working with competent authorities and with organizations and/or individuals deemed necessary by VIB for debt recovery and/or collateral handling, and publicly announcing such matters on VIB’s website for the purposes of debt recovery and/or collateral handling);
• Meeting or complying with VIB’s internal policies;
• Meeting or complying with procedures, legal instruments, rules, regulations, guidelines, official letters, directives or requirements issued by any court or competent authority (domestic or international) (including but not limited to the disclosure of information to competent authorities or for any other purposes required or permitted under any laws, regulations or guidelines of competent authorities);
• Conducting transactions for the purchase, sale, assignment or transfer of VIB’s business and/or assets;
• Conducting transactions for the purchase, sale, assignment or transfer of rights, benefits or obligations under the Customer’s contract(s)/agreement(s) with VIB (including but not limited to debt sale transactions);
• For audit purposes;
• For information and data storage and retrieval purposes;
• Performing and complying with agreements or contracts entered into between VIB and other parties
• Providing information to service providers of VIB.
   

3.4 Carrying out other activities related to the development, improvement, provision, operation, processing, and management by VIB of banking products and services.

3.5 Generating credit information products through specialized software systems of the Vietnam Credit Information Joint Stock Company (PCB), for the purpose of enabling VIB to exercise its rights and perform its obligations in accordance with applicable laws and VIB’s regulations, and for other purposes as deemed necessary by VIB from time to time arising from and/or in connection with VIB’s Products and Services and/or the Customer.

• VIB’s officers, employees, collaborators, branches and units within VIB’s system, and VIB’s subsidiaries and affiliated companies;
• Companies and/or organizations acting as vendors, suppliers, partners, agents or consultants of VIB, including but not limited to: 
  • Service providers assisting VIB in verifying the Customer/Personal Data Subject, operating products, operating websites, applications or devices, providing the Customer with products or services selected by the Customer, or managing activities on behalf of VIB, including but not limited to marketing services, newsletter distribution, market surveys and training services;
  • Partners and affiliated parties cooperating with VIB in jointly providing products and services to the Customer;
  • Companies providing administrative, postal, telecommunications, data processing, information technology, payment, credit reference, custody, data entry, verification, record management, technology support, information security, data center, consulting and/or other services related to or supporting VIB’s operations;
  • Companies providing payment services and services related to payment transactions conducted via websites or applications;
  • Companies providing debt collection services and credit risk restriction and control services.
  • Audit firms; law firms;  
  • Valuation, appraisal, and pricing consulting companies;
  • Rating organizations. 
• Competent authorities and individuals involved in debt recovery;
• Personal Data Subjects whom VIB deems necessary to contact for the purpose of recovering the Customer’s debts;
• Parties involved in or prospective parties to transactions relating to the purchase, sale, assignment or transfer of VIB’s business and/or assets; 
• Parties involved in or prospective parties to transactions relating to the purchase, sale, assignment or transfer of rights, benefits or obligations under the Customer’s contract(s)/agreement(s) with VIB;
• Insurance companies, insurance brokers or companies providing direct or indirect credit protection measures;
• The National Credit Information Center of Vietnam (CIC); 
• Vietnam Credit Information Joint Stock Company (PCB), Enterprise Registration Certificate No. 0102547296, first issued on 27 November 2007.
• The credit information provided to PCB comprises the Personal Data specified in Section 2, Part I of this PDPN of the Personal Data Subject at VIB. The provision of credit information to PCB shall ensure compliance with the Government’s regulations on the provision of credit information services and other relevant laws.
• In the event that PCB has its Certificate of Eligibility for provision of credit information services revoked, VIB shall cease providing the Personal Data Subject’s credit information to PCB, and the Customer agrees that the Personal Data Subject’s credit information at PCB shall be handled in accordance with the Government’s regulations on the provision of credit information services. VIB shall notify the Customer of the handling of the Personal Data Subject’s credit information within a maximum period of ten (10) working days from the date VIB receives notification from PCB regarding the plan for handling such credit information.
• Any individual, competent authority, regulatory authority, organization or other person to whom VIB is permitted or required to disclose information in accordance with the laws of any country, or pursuant to any contract or other commitment between such organization, individual and VIB;
• Any organization or individual involved in the enforcement or preservation of any of VIB’s rights under the agreements between the Customer and VIB;
• Any organization or individual intending to settle any outstanding amounts owed by the Customer to VIB; 
• Organizations providing personal data processing service;
• Personal data processors; 
• Organizations or individuals other than the Personal Data Subject, VIB, and the personal data processor that participate in the processing of Personal Data in accordance with applicable laws;
• Other organizations or individuals as required by law;
• Any party whom VIB deems necessary for the purposes of personal data processing as set out in Article 3. 

5.1 Sources of Personal Data:

• Directly from the Customer:
  • Information declared and provided by the Customer in writing, including but not limited to: application for credit facilities, loan utilization plan, and other documents related to the implementation of the credit facility.
  • Through the relationship established between VIB and the Customer when the Customer registers for and/or uses any Products and Services via any transaction channels of VIB and/or VIB’s authorized agents.
  • From VIB’s websites: VIB may collect Personal Data when the Customer/Personal Data Subject accesses any of VIB’s websites or uses any features or resources available on or through such websites. 
  • From VIB’s mobile banking application for mobile devices: VIB may collect Personal Data when the Customer/Personal Data Subject downloads or uses VIB’s mobile banking application on a mobile device. 
  • From communications and interactions between VIB and the Customer: VIB may collect the Personal Data of the Personal Data Subject during communications and interactions between VIB and the Customer (whether in person, by mail, by telephone, online, via electronic communications, or through any other means), including participation in surveys, promotional programs, or competitions organized by VIB in which the Customer takes part.
  • Through the Customer’s cashless transactions conducted at VIB’s affiliated agents and/or merchant acceptance points.
  • From interactions or automated data collection technologies: VIB may collect information including IP address, referring URL, operating system, web browser, and any other information automatically recorded from a connection through:
    • Cookies, flash cookies, pixel tags, web beacons, or other tracking technologies
    • Cookies, plug-ins, or social media connectors of other organizations or individuals;
    • Any technologies capable of tracking personal activities across devices or websites;
    • Location information or other metadata provided by a device;
    • Other means: VIB may collect Personal Data when the Customer/Personal Data Subject interacts with VIB through any other means.
• From other organizations or individuals: 
  • From vendors, service providers, partners, affiliates, and other organizations and individuals related to VIB’s business operations;
  • From the Personal Data Subject and parties related to the Customer/Personal Data Subject, including but not limited to: the Customer’s legal representative, authorized representative, guarantor, employer, security provider, individuals residing/living at the Personal Data Subject’s permanent residence/temporary residence/current address, and other organizations and individuals in accordance with applicable laws.
• From state authorities, competent authorities in Vietnam, and other sources as permitted by applicable laws.
   

5.2 Methods of Collection: 

• VIB may collect the Personal Data of the Personal Data Subject through the following methods: recording or documenting instructions or information provided verbally in person, by telephone, via email, message, or through any other electronic means; extracting instructions or information directly entered by the Customer/Personal Data Subject into VIB’s systems or electronic devices; video recording; and other methods of collection implemented by VIB from time to time.

• The Customer has the following rights: to be informed of Personal Data Processing activities; to give or withhold consent; to request withdrawal of consent to the processing of Personal Data; to access, review, or request the correction of Personal Data; to request the provision, deletion, or restriction of the processing of Personal Data; to object to the processing of Personal Data; to lodge complaints, denunciations, initiate lawsuits, and claim damages in accordance with applicable laws; and to request competent authorities or relevant organizations and individuals involved in Personal Data Processing to implement measures and solutions to protect his/her Personal Data in accordance with applicable laws.
• The Customer has the following obligations: to protect his/her own Personal Data; to respect and protect the Personal Data of Related Parties and Third Parties; to provide complete and accurate Personal Data in accordance with applicable laws, contractual agreements, or when consenting to VIB’s processing of his/her Personal Data; to comply with laws on personal data protection and participate in the prevention and combat of violations relating to Personal Data; to obtain consent from Related Parties and Third Parties regarding the processing of their Personal Data in accordance with this PDPN and provide such consent upon request by VIB and/or Related Parties and/or Third Parties and/or competent state authorities; to comply with regulations on personal data protection and fulfill other obligations as prescribed by applicable laws.
• The Customer is responsible for regularly reviewing the PDPN published on VIB’s official website in order to update any amendments and to notify Related Parties and Third Parties accordingly.

• VIB shall commence the processing of the Personal Data of the Personal Data Subject from the time such Personal Data is collected and shall continue such processing for the period necessary to fulfill the purposes set out in this PDPN and to perform the agreements or contracts entered into with the Customer, unless a longer period is required or permitted under applicable laws.
• The processing shall terminate when VIB no longer retains any Personal Data of the Personal Data Subject in accordance with VIB’s regulations and applicable laws. 
• Personal Data shall be retained by VIB and subject to appropriate security measures for protection. To the extent permitted by applicable laws, VIB may retain Personal Data in Vietnam or overseas, including through cloud-based storage solutions. 

• Where the Customer (pursuant to a written authorization from the Personal Data Subject) wishes to access the Personal Data of the Personal Data Subject being processed by VIB, or where the Customer believes that the Personal Data held by VIB is inaccurate, incomplete, misleading, or not up to date, the Customer may submit a written request for access, correction, or update through VIB’s branches/transaction offices or through other channel(s) as may be established and notified by VIB to the Customer from time to time.
• VIB shall, using reasonable efforts, comply with requests for access to or correction of the Personal Data of the Personal Data Subject upon receipt of a complete and valid request and payment of the relevant processing fee (if any) from the Customer. 
• Please note that VIB may, at its discretion, permit the requested correction and/or require additional documentary evidence relating to the new Personal Data in order to prevent fraud and inaccuracies.
• VIB undertakes to process the Personal Data of the Personal Data Subject based on the Customer’s consent in accordance with this PDPN, unless otherwise provided by applicable laws. In the course of processing Personal Data, VIB shall use its best efforts to ensure appropriate security safeguards and to implement optimal information security measures; however, the processing of Personal Data may involve risks of data leakage or improper processing. Accordingly, to the extent practicable, VIB shall regularly review and update its managerial and technical measures in the processing of the Personal Data of the Personal Data Subject.
• In the event that the Customer becomes aware of any violation relating to the processing of the Personal Data of the Personal Data Subject, the Customer has the right to submit a written request to VIB for assistance, within VIB’s reasonable capacity, in order to prevent or limit the disclosure of the Personal Data of the Personal Data Subject, unless otherwise provided by applicable laws. 
• For the purpose of ensuring the lawful rights and obligations of the Customer and the authority and responsibilities of VIB, the exercise of the rights and obligations set out in this Article shall be carried out by VIB upon sufficient verification of the identity of the Customer/the Customer’s lawful representative, the validity and legality of relevant documents, and subject to compliance with applicable laws on personal data protection and other relevant regulations.
• The Customer has the right to withdraw his/her consent to any or all of the matters set out in this PDPN through VIB’s branches/transaction offices or through other channel(s) as may be established and notified by VIB to the Customer from time to time. The withdrawal of consent must be made in writing, including in electronic form or other verifiable format. In the event that the Customer withdraws consent to the processing of Personal Data in accordance with this PDPN, VIB shall be entitled to cease providing Products and Services to the Customer. Such withdrawal shall be deemed a unilateral termination by the Customer of any contract entered into with VIB, a unilateral termination of any commitment or obligation established by VIB in favor of the Customer, and shall constitute a breach of contractual obligations/commitments between the Customer and VIB. VIB expressly reserves all its lawful rights and remedies in such circumstances. VIB shall not be liable for any costs, damages, or losses arising to the Customer and/or the relevant Personal Data Subject as a result of such termination.
• Notwithstanding the foregoing, the Customer agrees and acknowledges that any withdrawal of consent to the processing of Personal Data under this PDPN shall not affect any prior processing of Personal Data conducted on the basis of the Customer’s consent before such withdrawal.
• The deletion or destruction of Personal Data shall be carried out by VIB in accordance with applicable laws and VIB’s regulations from time to time.
• This Personal Data Processing Notice is provided in both Vietnamese and English. In the event of any discrepancy or inconsistency between the Vietnamese version and the English version, the Vietnamese version shall prevail.

In the event that the Customer has any questions relating to the terms and conditions set out in this PDPN, please contact VIB’s 24/7 Call Center via email at: dvkh247@vib.com.vn.