DATA PROTECTION POLICY

1. Introduction

DIGINET Corporation (“DIGINET” hereinafter) Corporate Data Protection Policy lays out strict requirements for processing personal data pertaining to customers, business partners, employees or any other individual. It strives to comply as much as possible the requirements of the European Data Protection Directive and ensures compliance with the principles of national and international data protection laws in force all over the world. The policy sets a globally applicable data protection and security standard for DIGINET and regulates the sharing of information between DIGINET, subsidiaries, and legal entities. DIGINET are establishing guiding data protection principles governing transparency, data economy and data security and will publish in due course.

DIGINET managers and employees are obligated to adhere to the Corporate Data Protection Policy and observe their local data protection laws. As the Data Protection Officer, it is my duty to ensure that the rules and principles of data protection at DIGINET are followed around the world.

I will be pleased to answer any questions you have about data protection and international personal data transfer.

Le Thanh Tri
Data Protection Officer, thanhtri.le@diginet.com.vn, +84 903600097

 

1.1    Purpose

This Data Protection Policy applies to HCM headquarters and provincial offices and legal entities, basic principles of data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of the DIGINET as a first-class employer.

The Data Protection Policy provides one of the necessary framework conditions for cross-border data transfer among DIGINET offices and entities. It ensures an adequate level of data protection prescribed by the European Union General Data Protection Regulation, APPI, PDPA or other national Personal Data Protection Regulations and national laws for cross-border data transmission, including to countries which do not have adequate data protection law, yet.

In order to standardize the collection, processing, transfer, and use of personal data, and promote the reasonable, lawfully, fairly and transparent use of personal data to prevent personal data from being stolen, altered, damaged, lost or leaked, DIGINET establishes the personal data protection management policy and information security policies.

 

1.2     Application Scope

All processing of personal data by DIGINET is within the scope of this procedure. Means, all DIGINET’s business processes and information systems involved in the collection, processing, use and transfer of personal data and all employees, contractors and 3rd party providers involved in the processing of personal data on behalf of DIGINET. This policy is binding for all departments and functions which are involved in personal identifiable information processing. Every D DIGINET department, legal entity or office must follow this procedure. In scope are all data subjects whose personal data is collected, in line with the requirements of the GDPR and other national/international data protection regulation.

 

1.3    Application of national Laws

This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.

Each office or legal entity of DIGINET is responsible for compliance with this Data Protection Policy and the legal obligations. If there is reason to believe that legal obligations contradict the duties under this Data Protection Policy, the relevant subsidiary or legal entity must inform the Data Protection Officer. In the event of conflicts between national legislation and the Data Protection Policy, DIGINET in person the Data Protection Officer will work with the relevant subsidiary or legal entity of DIGINET to find a practical solution that meets the purpose of the Data Protection Policy.

 

2. Policy

2.1     Guiding principles

Principle 1:  Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Collection, processing, transfer, and use of personal data in an illegal way or non-administrative business operations are strictly prohibited.

Principle 2: Processing of personal data only where this is strictly necessary for legal and regulatory purposes, or for legitimate organizational purposes.

Collection only for specified, explicit and legitimated purpose and not further processed in a manner that is incompatible with those purpose.

Principle 3: Processing only of the minimum of personal information required for these purposes. Adequate, relevant, and limited to what is necessary in relation to the purpose for which they are processed.

DIGINET will only collect, process, transfer, and use the personal data provided by parties within the scope of laws, regulations, and business requirements, and will take appropriate and reasonable measures to handle and use the personal data within the necessary and reasonable scope.

Principle 4: Only processing relevant and adequate personal information. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased, or rectified without delay.

Principle 5: Maintaining a documented inventory of the categories of personal information processed by DIGINET.

Principle 6: Retaining personal information only for as long as is necessary for legal or regulatory reasons or for legitimate organizational purposes and ensuring timely and appropriate disposal,  taking into account storage limitation.

Principle 7: Respecting data subject right in relation to their personal information.

Principle 8: Processing in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by using appropriate technical or organizational measures.

Principle 9: Developing and implementing a PIMS to enable the PIMS policy to be implemented.

Principle 10: Identification of people/employees with specific responsibility and accountability for the PIMS. Implementation of a strong governance including a Data Protection Officer.

Principle 11: Maintain records of processing of personal information.

DIGINET employees breach these principals are fined based on the labor contract regulations.

 

2.2       Customer and Provider Data (Third-Party Data)
2.2.1        Data processing for a contractual relationship

Personal data of customers and providers (third-party) can be processed in order to establish, execute and terminate a contract. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare bids or purchase orders or to fulfill other requests that relate to contract conclusion. Customers or providers can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by customers or providers must be complied with.

2.2.2       Consent to data processing

Data can be processed following consent by the data subject. Before giving consent, the data subject must be informed in accordance with this Data Protection Policy. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.

2.2.3       Data processing pursuant to legal authorization

The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions.

2.2.4       Data processing pursuant to legitimate interest

Personal data can also be processed if it is necessary for a legitimate interest of DIGINET. Legitimate interests are generally of a legal (e.g., collection of outstanding receivables) or commercial nature (e.g., avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.

2.2.5       User data and internet

If personal data is collected, processed, and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects.

If use profiles are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement.

If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access.

 

2.3       Employee Data
2.3.1       Data processing for the employment relationship

In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is also needed to use the data for further application processes or before sharing the application with other DIGINET legal entities.

In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorized data processing apply.

If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the data subject.

There must be a legal authorization to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This includes legal requirements, collective regulations with employee representatives, consent of the employee, or the legitimate interest of the company.

2.3.2       Data processing pursuant to legal authorization

The processing of personal employee data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.

2.3.3       Collective agreements on data processing

If a data processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorized through a collective agreement. Collective agreements are pay scale agreements or agreements between employers and employee representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended data processing activity and must be drawn up within the parameters of national data protection legislation.

2.3.4       Consent to data processing

Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in this case it must be properly documented. In the event of informed, voluntary provision of data by the relevant party, consent can be assumed if national laws do not require express consent. Before giving consent, the data subject must be informed in accordance with this Data Protection Policy.

2.3.5       Data processing pursuant to legitimate interest

Personal data can also be processed if it is necessary to enforce a legitimate interest of DIGINET. Legitimate interests are generally of a legal (e.g., filing, enforcing or defending against legal claims) or financial (e.g., valuation of companies) nature.

Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the employee merit protection. Before data is processed, it must be determined whether there are interests that merit protection.

Control measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the company in performing the control measure (e.g., compliance with legal provisions and internal company rules) must be weighed against any interests meriting protection that the employee affected by the measure may have in its exclusion and cannot be performed unless appropriate. The legitimate interest of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken. Moreover, any additional requirements under national law (e.g., rights of co-determination for the employee representatives and information rights of the data subjects) must be taken into account.

 2.3.6      Telecommunications and Internet

Telephone equipment, e-mail addresses, intranet, and internet along with internal social networks are provided by the company primarily for work-related assignments. They are company tools and company resources. They can be used within the applicable legal regulations and internal company policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.

There will be no general monitoring of telephone and e-mail communications or intranet/ internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the DIGINET network that block technically harmful content or that analyze the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of laws or policies of DIGINET. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed.

 

2.4       Policy Review and Evaluation

This policy must be reviewed and evaluated twice a year to reflect the latest status of international standards, legal regulations, technologies, and businesses, and to ensure the timeliness of personal data management practices.

 

 2.5      Announce and Release

This policy is based on an announcement process that will enable personnel to understand the relevant principles and provisions of the personal data protection management policy so that they can follow it.

This policy must be revised and reviewed by the Personal Data Protection Working Group, approved by the Data Protection Officer and the responsible DIGINET board member (CTO). The Data Protection Officer is responsible for implementation and internal audits.

 

3. Data Protection Control

Compliance with the Data Protection Policy and the applicable data protection laws is checked annually with data protection audits and other controls. The performance of these controls is the responsibility of the Data Protection Representatives. The results of the data protection controls must be reported to the Data Protection Officer and the responsible DIGINET board member (CTO). On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.

 

4. Personal Data Protection Training

Every new employee must join the first day Personal Data Protection training.

For every employee processing personal data, it is mandatory to join the Personal Data Protection training (DIGINET Training Program) including a successful exam before starting personal data processing. An annually refresh training is also mandatory.

For every project personnel involved in processing of personal data, it is mandatory to join the extended Personal Data Protection training (DIGINET Training Program) including a successful exam before starting personal data processing. An annually refresh training is also mandatory.

DIGINET headquarter will provide a download version of all training material to each DIGINET legal entity and office.

 

5. Data Protection Officer

The Data Protection Officer, being internally independent of professional orders, works towards the compliance with national and international data protection regulations. He is responsible for the Data Protection Policy and supervises its compliance. The Data Protection Officer is appointed by the DIGINET Board.

The data protection representatives shall promptly inform the Data Protection Officer of any data protection risks.

Any data subject may approach the Data Protection Officer, or the relevant data protection representative, at any time to raise concerns, ask questions, request information, or make complaints relating to data protection or data security issues. If requested, concerns and complaints will be handled confidentially.

If the data protection representative in question cannot resolve a complaint or remedy a breach of the Policy for data protection, the Data Protection Officer must be consulted immediately. Decisions made by the Data Protection Officer to remedy data protection breaches must be upheld by the management of the company in question. Inquiries by supervisory authorities must always be reported to the Data Protection Officer.

 

6. Responsibilities and Disciplinary

The executive bodies of DIGINET, offices and legal entities are responsible for data processing in their area of responsibility. Therefore, they are required to ensure that the legal requirements, and those contained in the Data Protection Policy, for data protection are met. DIGINET executives, managers of a legal entity are responsible for ensuring that organizational, HR and technical measures are in place so that any data processing is carried out in accordance with data protection. Compliance with these requirements is the responsibility of the relevant employees. If external agencies perform data protection controls, the Data Protection Officer must be informed immediately.

The relevant executives and managers of a legal entity must inform the Data Protection Officer as to the name of their data protection representative. The data protection representatives are the contact persons on site for data protection. They must perform checks and must familiarize the employees with the content of the data protection policies. The relevant management is required to assist the Data Protection Officer and the data protection representatives with their efforts. Executives and managers of legal entities must inform the data protection representatives in good time about new processing of personal data. For data processing plans that may pose risks to the individual rights of the data subjects, the Data Protection Officer must be informed before processing begins. This applies in particular to extremely sensitive personal data. The managers must ensure that their employees are sufficiently trained in data protection.

Improper processing of personal data, or other violations of the data protection laws, can be criminally prosecuted in many countries, and result in claims for compensation of damage. Violations for which individual employees are responsible can lead to sanctions under employment law.

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Data Protection Officer via the phone or email (Le Thanh Tri, thanhtri.le@diginet.com.vn, +84 903600097).

 

7. Appendixes

7.1       Definition

 

Abbreviation Description
PII, Personal Identifiable Information,
Personal Data
Refer to the personal data defined by the EU GDPR (Article 4 (1)),
‘personal data’ means any information relating to an identified  or identifiable natural person (‘data  subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject EU GDPR (Article 4 – 1),
Data subject refers to any individual person who can be identified, directly or indirectly.
Data Controller EU GDPR (Article 4 – 7),
Data Controller means the natural or legal person, public authority, agency or anybody which alone or jointly with others, determines the purpose and means of processing of personal data; where the purpose and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor EU GDPR (Article 4 – 8),
Data Processor means a natural or legal person, public authority, agency or anybody which processes data on behalf of the controller.
Recipient EU GDPR (Article 4 – 9),
A natural or legal person, public authority, agency or anybody, to which the personal data are disclosed, whether third party or not.
Third Party EU GDPR (Article 4 – 10),
A natural or legal person, public authority, agency or anybody other than the data subject, controller, processor and persons who under direct authority of controller or processor, are authorized to process personal data
DPO/GDPO Data Protection Officer/Data Protection Officer
DPIA Data Protection Impacted Assessment
PIMS Personal Information Management System
EU European Union

 

7.2 Related Documents

 

No Code Name of documents
1 EU GDPR EU General Data Protection Regulation
2 95/46/EC EU Data Protection Directive 95/46/EC
3 Privacy shield EU-U.S. and Swiss-U.S. Privacy Shield Frameworks designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
4 APPI Act on the Protection of Personal Information, Japan.
It came into force on 30 May 2017.
5 PDPA Personal Data Protection Act 2012, Singapore
6 PDPO Personal Data (Privacy) Ordinance, Hongkong, 2012
7 PIPA South Korea’s substantial Personal Information Protection Act (PIPA) was enacted on Sept. 30, 2011
8 PIPEDA Personal Information Protection and Electronic Documents Act, Canada 2018
9 Privacy Act, APPs, CDR Privacy act Australia including Australian Privacy Principles, Consumer Data Right
10 HITRUST Health Information Trust Alliance (CSF, Common Security Framework)
11 HIPAA Health Insurance Portability and Accountability Act of 1996 (HIPAA), US
12 PCI DSS Payment Card Industry Data Security Standard, May 2018
13 CCPA California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
14 PDPL, UAR Decree-Law No. 45 of 2021
15 BS10012: 2017 British Standard Personal Information Management System
16 Vietnam Regulations Vietnamese laws on Privacy:

– Article 21 of the 2013 Constitution

– Article 38 of the Civil Code 2015

– Article 125 of the Penal Code

– Clause 2 of Article 19 of the Labor Code

Decree of the Vietnamese Government
on private data protection