PRODUCTS & SERVICES

COMMITMENT TO PERSONAL DATA PROTECTION

(Pursuant to Decree No. 13/2023/ND-CP of the Government on Personal Data Protection, effective from July 1, 2023)

The Commitment to personal data protection is made by and between CMC Telecom and its  Agents/Customers/Partners (hereinafter collectively referred to as the “Provider”).

CMC Telecom and the Provider voluntarily agree to comply with the personal data protection regulations under the following terms:

Article 1: Definitions

“Contract” means the agreement between the Provider and CMC Telecom and/or the minutes, agreements, or appendices related thereto. This may include contracts for the sale of goods, provision of services, labor contracts, or other types of agreements, etc.

“Personal Data” means the personal data of any data subject that CMC Telecom receives from the Provider, which may include the Provider’s own personal data or the personal data of other data subjects that the Provider has lawfully collected and is permitted to transfer or provide to CMC Telecom for the purpose of performing the work specified in the Contract(s) between CMC Telecom and the Provider.

“Data Protection Laws” means all laws and regulations related to personal data protection or privacy applicable to the processing of personal data in Vietnam, including but not limited to the Law on National Security 2004, the Law on Cybersecurity 2018, and Decree No. 13/2023/NĐ-CP on personal data protection, as well as any amendments, supplements, or replacements thereof.

“CMC Telecom Network” refers to the data centers, cloud computing systems, servers, networking devices, storage software systems, and other systems (if any) of CMC Telecom that are used to perform the scope of work under the signed Contract(s) between CMC Telecom and the Provider.

The terms “personal data,” “data subject,” “Personal data processing,” “personal data controller,” and “personal data controlling and processing party” as used in this Commitment shall have the meanings as defined in Decree No. 13/2023/NĐ-CP on personal data protection.

Article 2: Personal Data Protection

1. The Parties acknowledge and agree as follows: (i) CMC Telecom is the personal data processor as defined under the Data Protection Laws; (ii) The Provider is the data subject or the personal data controller or personal data controlling and processing party in accordance with the Data Protection Laws; and (iii) Each Party shall comply with its respective obligations under the applicable Data Protection Laws concerning the processing of Personal Data.

2. Purpose of Personal Data collection and processing:

CMC Telecom shall collect, store, and process Personal Data as necessary to perform the Contract executed with the Provider and related activities.

The Provider consents to allow CMC Telecom to process its data and share the results of such processing for the following purposes:

  • Sending notifications regarding exchanges of information between the Provider and CMC Telecom;
  • Preventing acts of destruction, hijacking of the Provider’s user accounts, or impersonation of the Provider;
  • Organizing introductions and commercial promotions, conducting market research, opinion surveys, and brokering;
  • Researching and developing new services and providing appropriate products or services to the Provider;
  • Using the Provider’s information for marketing and advertising purposes;
  • Verifying identity and ensuring information security of the Provider;
  • Collecting, storing, and using the Provider’s Personal Data for purposes such as record keeping and compliance with legal and tax obligations. CMC Telecom shall retain this data for the period prescribed by law;
  • Performing other actions as prescribed by applicable law from time to time.

CMC Telecom shall not:(a) Process, store, use, or disclose Personal Data except as necessary to fulfill contractual obligations or as required by law; (b) Sell Personal Data to any third party; (c) Store, use, or disclose Personal Data beyond the scope of the direct business relationship between CMC Telecom and the Provider, except as instructed by the data subject or required by law.

For clarity, the Provider’s instructions on Personal Data processing shall conform to the Contract and comply with all applicable Data Protection Laws. The Provider is responsible for the accuracy, quality, and lawfulness of the Personal Data and the manner in which such data is obtained. If the Provider is not the data subject, the Provider acknowledges and agrees that: (i) The Provider has obtained the explicit consent (as required by the Data Protection Laws) of the data subject for all data collection, sharing, and usage as agreed in the Contract; and (ii) The Provider has informed and obtained explicit consent (as required by the Data Protection Laws) from the data subject regarding the potential processing of Personal Data outside their original country. If the Provider is the personal data controlling and processing party , the Provider guarantees that its instructions and actions with respect to the Personal Data, including the designation of CMC Telecom as a sub-processor, have been duly authorized by the relevant data controller. CMC Telecom shall not be required to follow any instructions from the Provider if such instructions violate the applicable Data Protection Laws.

3. Types of Personal Data Protected: The Personal Data protected under this Commitment includes information in the form of symbol, script, digit, image, sound, or in a similar form in the electronic environments which is affiliated to a specific person or helps identify a specific person. This may include both basic personal data and sensitive personal data, such as: name; address; phone number; date of birth; email address; occupation; health status; income; or any other information that is, at any given time, defined as personal data under applicable law.

4. Methods of Personal Data Protection: CMC Telecom shall collect, analyze, assess, use, store, transfer, process, and provide Personal Data to relevant parties or competent state authorities, and carry out other activities for the purposes stated in Clause 2 of this Article.

5. Parties involved in the protection of Personal Data: The Provider agrees that, for the purposes stated in Clause 2 of this Article, CMC Telecom may disclose Personal Data to its subsidiaries and/or affiliates to the extent necessary, provided that such subsidiaries and/or affiliates commit to fulfilling equivalent obligations in accordance with this Commitment.

6. Duration of Personal Data Protection: The protection of Personal Data shall commence from the time CMC Telecom receives the personal data and the Provider’s consent to the processing of such data. CMC Telecom shall continue processing the Personal Data throughout the duration of the Contract and in accordance with applicable legal requirements.

7. CMC Telecom’s Commitment:

CMC Telecom commits to making every necessary and reasonable effort to ensure the security and protection of the Personal Data in accordance with the information security and personal data protection standards required by Vietnamese law and this Commitment. In the course of processing Personal Data, interruptions, delays, disconnections, or incidents may occur due to causes beyond the reasonable control of CMC Telecom, including but not limited to interruptions resulting from system upgrades, repairs, network transmission failures, or technical issues caused by CMC Telecom’s suppliers/contractors. In such cases, CMC Telecom shall make the utmost effort to promptly notify the Provider of the incident, and the Provider agrees to exempt CMC Telecom from liability for such events.

In the event of a detected breach of personal data protection regulations, CMC Telecom shall notify the Provider as soon as possible after becoming aware of such breach. Furthermore, the personal data controller or the personal data controlling and processing party shall notify the Ministry of Public Security (the Department of Cyber Security and Hi-Tech Crime Prevention and Control) within 72 hours after the violation occurs.

Article 3: Rights and Obligations of Data Subjects

a, Rights of the Data Subject

1. To know information on the processing of their personal data; to consent or refuse consent to the processing of their Personal Data under this Commitment, unless otherwise provided by law.

2. To access forviewing, modifying, or requesting modificationof their Personal Data, unless otherwise provided by law.

3. To withdraw their consent, unless otherwise provided by law.

4. To delete or request deletion of their Personal Data in accordance with Article 4 of this Commitment.

5. To request restriction of processing of their Personal Data, unless otherwise provided by law. The restriction of data processing shall be imposed within 72 hours after it is requested by a data subject, for all personal data for which the data subject requests processing restriction, unless otherwise provided by law.

6. To request to provide the former with their personal data, unless otherwise provided by law.

7. To object to the processing of their personal data by personal data controllers or personal data controlling and processing parties in order to stop or restrict disclosure of personal data or use of personal data for advertising or marketing purposes, unless otherwise provided by law. CMC Telecom shall comply with the data subject’s request within 72 hours after receipt, unless otherwise provided by law.

8. To protect themselves; to file complaints, denunciations, or lawsuits; and to claim compensation for damages in accordance with the law.

b, Obligations of the Data Subject

1. To protect their own Personal Data; and to request relevant organizations and individuals to protect their Personal Data.

2. To respect and protect the Personal Data of others.

3. To provide adequate and accurate Personal Data when permitting the processing of their personal data.

4. To participate in the dissemination and popularizingof personal data protection skills.

5. To comply with the law on personal data protection and participate in preventing and combating violations of regulations on personal data protection.

Article 4: Return and Deletion of Personal Data

1. Depending on the content of the Contract, the Provider may be granted the right to retrieve or delete Personal Data. If there is no request for data deletion from the Provider, the deletion of Personal Data shall occur within thirty (30) days from the date of termination of the Contract, or a shorter period if specified in the Contract. If the Contract does not specify a timeline for data deletion, CMC Telecom shall apply its internal policies in effect at that time. In all cases, the Provider acknowledges that prior to the termination of the Contract, the Provider is responsible for exporting any Personal Data it wishes to retain or deleting all unnecessary Personal Data after the termination of the Contract, provided that such export or deletion complies with legal requirements.

2. Data deletion at the request of the Provider shall not apply in the following cases:

a) Where the law prohibits data deletion;

b) Where the Personal Data is processed by competent state authorities for the purpose of serving the operation of such authorities in accordance with the law;

c) Where the Personal Data has been lawfully disclosed to the public as prescribed by law;

d) Where the Personal Data is processed for legal purposes, scientific research, or statistical purposes in accordance with the law;

đ) In emergencies related to national defense, national security, public order and safety, major disasters, dangerous epidemics; when there is a threat to national defense and security not yet declared as a state of emergency; for the purpose of preventing riots, terrorism, crime, and legal violations;

e) For responding to emergency situations that pose a threat to the life, health, or safety of the data subject or other individuals.

3. The return or deletion of Personal Data, whether upon the Provider’s request or upon partial termination of the Contract, shall be carried out on the condition that it does not adversely affect CMC Telecom’s ability to continue providing the remaining services under the Contract and does not violate applicable regulations on personal data protection or any other relevant legal provisions

Article 5: Declarations of the Provider

1. The Provider voluntarily agrees to and fully understands the provisions set out in each Clause of this Commitment.

2. In the event that the Provider is the personal data controller or the personal datacontrolling and processing party, the Provider hereby guarantees that:

  • The data subject has been clearly informed and has fully consented to all contents related to the notification of personal data processing, which is conducted once prior to the processing activities; and to the contents specified in Article 2 of this Commitment, before consenting to the Provider’s collection of Personal Data, in accordance with this Commitment and the Data Protection Laws;
  • Has compiled a dossier of impact assessment of personal data processing in accordance with the applicable legal regulations related to the processing of Personal Data

3. The Provider undertakes to compensate and indemnify CMC Telecom for any damage or loss arising from the Provider’s failure to perform its obligations in accordance with this Article.

Article 6: General Provisions

This Commitment constitutes an integral and inseparable part of the Contract signed between the Provider and CMC Telecom, to which this Commitment is referenced. In the event that CMC Telecom provides any Personal Data that CMC Telecom has collects/holds to the Provider, the Provider undertakes to ensure a level of protection for such Personal Data no less stringent than the level of protection committed to by CMC Telecom under this document.