Within the scope of this Policy, the following terms shall be understood and interpreted as follows:

1. DXS processes personal data in the following circumstances:

a. When Customers/Partners or their lawful representatives contact DXS to request consultation on DXS’s products and services or express interest in DXS’s products and services;

b. When Customers/Partners trial, enter into contracts, register for, or use DXS’s products and services;

c. When Customers/Partners access and/or register accounts on websites/wapsites/applications providing DXS’s products and services;

d. When Customers/Partners consent to provide personal data to DXS via public sources such as DXS’s product and service websites/wapsites/applications; meetings, events, seminars, conferences, social networks, or dialogue and discussion programs organized, sponsored, or attended by DXS; and/or through files (cookies) recorded on DXS’s websites;

e. When Customers/Partners of an organization or enterprise allow such organization or enterprise to share their personal data with DXS;

f. When Customers/Partners are customers of an organization or enterprise in which DXS has made capital contributions or acquired shares, or are customers of an organization or enterprise cooperating with DXS in providing products and services;

g. Upon request by competent state authorities;

h. When DXS carries out activities in accordance with the purposes of personal data processing stipulated in Article 3 of this Policy;

i. Other cases as prescribed by law.

2. Personal data of Customers/Partners processed by DXS (hereinafter referred to as “Personal Data”) include the following information and may vary depending on the type of products or services and the manner in which Customers/Partners interact with DXS:

a. Basic personal data:

– Surname, middle name, given name, and other names (if any);

– Date, month, and year of birth; date, month, and year of death or missing declaration;

– Gender;

– Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, and contact address;

– Nationality;

– Images of the individual;

– Phone number; identity card number; personal identification number; passport number; driver’s license number; vehicle license plate number; personal tax identification number; social insurance number; health insurance card number;

– Marital status;

– Information about family relationships (parents, children);

– Information about an individual’s digital accounts; personal data reflecting activities and activity history in cyberspace;

– Other information associated with a specific individual or enabling the identification of a specific individual not falling under Point b, Clause 2 of this Article.

b. Sensitive personal data:

– Data relating to criminal records and criminal acts collected and stored by law enforcement authorities;

– Information of Customers/Partners of credit institutions, branches of foreign banks, payment intermediary service providers, and other authorized organizations, including: customer identification information as prescribed by law; account information; deposit information; deposited asset information; transaction information; information on organizations or individuals acting as guarantors at credit institutions, bank branches, or payment intermediary service providers;

– Data on an individual’s location determined through positioning services;

– Other personal data deemed sensitive or requiring special protection measures as prescribed by law.

c. DXS shall notify Customers/Partners of which personal data are mandatory and/or optional at the time Customers/Partners contact, communicate with, register, or enter into contracts with DXS. Mandatory personal data are those that DXS is required to collect under applicable laws or those essential for providing part or all of DXS’s products and services to Customers/Partners.

d. If mandatory personal data are not provided as requested by DXS, Customers/Partners may be unable to use certain DXS products and services. In such cases, DXS may refuse to provide products or services to Customers/Partners without incurring any compensation and/or penalties (except in cases attributable to DXS’s fault).

e. At any time, Customers/Partners may voluntarily provide DXS with personal data beyond DXS’s requirements. By providing such data, Customers/Partners consent to DXS processing their personal data for the purposes stated in this Policy or for the purposes stated at the time such data are provided. In addition, when voluntarily providing information beyond DXS’s requirements, Customers/Partners are requested not to provide sensitive personal data as prescribed by law from time to time. DXS shall not process and shall bear no legal liability for any sensitive personal data voluntarily provided by Customers/Partners beyond DXS’s requirements.

Except as otherwise provided in Article 13 of this Policy, DXS shall notify and obtain the consent of the Customer/Partner prior to processing the Customer’s/Partner’s Personal Data. Personal Data collected, updated, or supplemented must be relevant and limited to the scope and purposes necessary for processing as stipulated in this Policy. The Personal Data of the Customer/Partner shall only be processed for one or more of the following purposes (“Purposes”):

• To verify the accuracy and completeness of information provided by the Customer/Partner; to identify or authenticate the Customer’s/Partner’s identity and carry out customer verification procedures; and to process registration for the use of DXS’s products and services.
• To assess application dossiers and eligibility of the Customer/Partner for the use of DXS’s products and services. DXS may apply scoring methods, assign risk thresholds, and review the Customer’s/Partner’s usage history of DXS’s products and services in order to assess and manage credit risks, ensure payment capability, and fulfill payment and other related obligations throughout the provision of DXS’s products and services.
• To manage and evaluate business operations, including designing, improving, and enhancing the quality of DXS’s products and services, as well as conducting marketing and communication activities; to carry out market research, surveys, and data analysis related to DXS’s products and services; and to research and develop new products, services, and delivery models that meet the needs of Customers/Partners.
• To provide customer support services, including contacting Customers/Partners for consultation, information exchange, handling requests or complaints, delivering invoices, statements, reports, or other documents related to DXS’s products and services through various channels (e.g., email, chat), and responding to Customer/Partner inquiries. DXS may also contact Customers/Partners (or parties designated or requested by the Customers/Partners) to notify them of information related to the use of DXS’s products and services.
• To conduct advertising and marketing based on preferences and service usage habits of the Customer/Partner. DXS may use Personal Data to advertise and market DXS’s products and services, promotional programs, research and surveys, news, updates, events, prize-winning contests, reward distribution, and other advertising content related to DXS’s products and services or those of DXS’s cooperating partners.
• Opt-out of marketing communications: Where the Customer/Partner does not wish to receive emails, messages, and/or periodic newsletters for advertising and marketing purposes from DXS, with frequencies determined by DXS’s policies from time to time and in accordance with applicable laws, the Customer/Partner may refuse or unsubscribe following the instructions provided by DXS via channels such as SMS, phone calls, checkboxes on websites/wapsites/applications, or by contacting DXS’s customer service hotline.
• To prepare financial reports, operational reports, or other related reports as required by law.
• To comply with legal obligations in accordance with applicable laws and regulations.
• To prevent fraud or mitigate threats to the life, health of individuals, and public interests. DXS may use the Customer’s/Partner’s Personal Data to prevent and detect fraud or abuse in order to protect the Customer/Partner, DXS, and other relevant parties.
• For internal management purposes.
• DXS does not engage in the buying or selling of Personal Data in any form.

DXS applies one or more operations affecting personal data, including but not limited to: collecting, recording, analyzing, verifying, storing, amending, disclosing, combining, accessing, retrieving, recalling, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other related actions.

1. Commencement of data processing: From the time the purposes stipulated in Article 3 of this Policy arise.
2. Termination of data processing: DXS shall terminate the processing of personal data once the purposes stipulated in Article 3 of this Policy have been fulfilled, unless otherwise required by law, or where Customers/Partners withdraw their consent to the processing of personal data, or where competent state authorities require such termination in writing.

Except for the cases stipulated in Article 13 of this Policy, DXS shall obtain the consent of Customers/Partners when sharing their personal data with the following organizations and individuals for the purposes stipulated in Article 3 of this Policy, specifically:

• DXS.
• Third-party service providers or partners in business cooperation agreements (with or without profit sharing): DXS uses and/or cooperates with other companies and individuals to carry out certain tasks and programs such as advertising and promotional programs for Customers/Partners, market research, analysis and product development, strategic consulting, and fee collection services. Such third-party service providers and/or partners may access, collect, use, and process Customers’/Partners’ personal data within the scope permitted by DXS in order to perform their functions and must comply with applicable laws on personal data protection in their capacity as Data Processors.
• Corporate restructuring: In the course of business development, DXS may sell or acquire businesses or carry out corporate restructuring in accordance with applicable laws and business needs. In such transactions, personal data may be transferred, and the transferee shall continue to comply with the provisions of this Policy.
• Disclosure as required by law: DXS is permitted to disclose personal data as required by law or upon request by competent state authorities.
• Disclosure to telecommunications enterprises: DXS is permitted to disclose personal data to telecommunications enterprises for the purposes of tariff calculation, billing, and preventing Customers’/Partners’ acts of evading contractual obligations.

1. Right to be informed and right to give consent: Under this Policy, DXS informs Customers/Partners of personal data processing activities prior to carrying out such processing. Customers/Partners have the right to agree or disagree with the terms and conditions of this Policy in accordance with the methods instructed by DXS via channels and means such as SMS messages, phone calls, checkboxes on websites/wapsites/applications, or by contacting DXS’s customer service hotline. DXS shall only process personal data upon obtaining the consent of Customers/Partners.
2. Right of access and right to request provision of personal data: Customers/Partners have the right to access DXS’s applications/websites/wapsites and/or contact DXS directly to view and extract the personal data that they have provided to DXS for the purposes stipulated in Article 3 of this Policy. Where Customers/Partners are unable to access or extract such personal data on their own or encounter difficulties in doing so, they may contact DXS for assistance.
3. Right to rectification: Customers/Partners have the right to request the rectification of their personal data, provided that such rectification does not violate applicable laws. Where Customers/Partners are unable to rectify their personal data themselves or encounter difficulties in doing so, they may contact DXS for assistance.
4. Right to object, restrict processing, or withdraw consent:
   1. Customers/Partners have the right to object to, request restriction of, or withdraw their consent to the processing of their personal data. However, such objection, restriction, or withdrawal of consent may result in DXS being unable to provide products and services to Customers/Partners, which may lead to DXS unilaterally terminating the contract without any obligation to compensate Customers/Partners due to changes in the conditions for contract performance (except where such inability is attributable to DXS’s fault). Accordingly, DXS recommends that Customers/Partners carefully consider before objecting to, restricting, or withdrawing consent to the processing of their personal data.
   2. Where Customers/Partners wish to limit the receipt of marketing, advertising, or promotional content from DXS and withdraw any prior consent (if any) and/or object to the continued use of their personal data for the purposes stipulated in Article 3 of this Policy, Customers/Partners shall follow DXS’s instructions provided at the time personal data are collected or contact DXS using the information provided in this Policy. If Customers/Partners do not wish to receive notifications from DXS’s applications, they may adjust notification settings within the application or on their devices.
5. Right to erasure of personal data: Customers/Partners have the right to request DXS to erase their personal data, provided that such request complies with applicable laws. However, the erasure of personal data may result in DXS being unable to provide products and services to Customers/Partners, which may lead to DXS unilaterally terminating the contract without any obligation to compensate Customers/Partners due to changes in the conditions for contract performance (except where such inability is attributable to DXS’s fault). Accordingly, DXS recommends that Customers/Partners carefully consider before requesting the erasure of their personal data.
6. Right to lodge complaints, denunciations, or initiate legal proceedings: Customers/Partners have the right to lodge complaints, denunciations, or initiate legal proceedings in accordance with applicable laws.
7. Customers/Partners have the right to claim compensation from DXS in accordance with applicable laws in the event of violations of personal data protection regulations, provided that all of the following conditions are simultaneously satisfied:
   • DXS commits an act in violation of personal data protection laws;
   • Such violation results in actual damages to Customers/Partners; and
   • Customers/Partners have fully complied with their obligations regarding the protection of their personal data in accordance with applicable laws, this Policy, and other agreements between DXS and Customers/Partners.
8. Right to self-protection: Khách hàng/Đối tác có quyền tự bảo vệ theo quy định của Bộ luật Dân sự, luật khác có liên quan và Nghị định 13/2023/NĐ-CP về bảo vệ Dữ liệu cá nhân (và các bản sửa đổi kèm theo), hoặc yêu cầu cơ quan, tổ chức có thẩm quyền thực hiện các phương thức bảo vệ quyền dân sự theo quy định tại Điều 11 Bộ luật Dân sự.

Customers/Partners are responsible for protecting their personal data as follows:

1. Customers/Partners shall proactively implement measures to protect, manage, and safely use their accounts and personal technological devices (including smartphones, computers, tablets, and laptops), such as logging out after use, setting strong and hard-to-guess passwords, and keeping login credentials and passwords confidential. These measures help prevent unauthorized access to Customers’/Partners’ accounts. DXS shall be exempt from liability for any damages incurred by Customers/Partners in cases where passwords are disclosed, lost, or stolen, leading to unauthorized access to accounts; or where any activities are conducted on Customers’/Partners’ accounts via lost or misplaced devices resulting in unauthorized use of services; or where DXS’s systems are unlawfully compromised by third parties despite DXS having implemented all necessary measures to protect its systems.
2. Upon consenting to all terms and conditions of this Policy, Customers/Partners are responsible for providing complete and accurate personal data as requested by DXS and for promptly notifying DXS upon discovering any violations of personal data protection regulations. Customers/Partners may voluntarily provide personal data beyond DXS’s requirements, provided that they comply with the provisions stipulated in Clause 2, Article 2 of this Policy.
3. Customers/Partners are responsible for respecting the personal data of other data subjects and complying with applicable laws on personal data protection, as well as participating in the prevention and combating of violations of personal data protection regulations.

1. Personal data of Customers/Partners stored by DXS shall be kept confidential. To the extent possible, DXS shall make every effort to implement appropriate measures to protect Customers’/Partners’ personal data.
2. Location of personal data storage: To the extent permitted by law, DXS may store Customers’/Partners’ personal data in Vietnam and overseas, including on cloud computing storage solutions. DXS applies data security standards in compliance with applicable laws and regulations.
3. Duration of personal data storage: DXS shall store Customers’/Partners’ personal data only for a period appropriate to fulfill the purposes stipulated in Article 3 of this Policy. However, where applicable laws provide otherwise regarding the retention period of personal data, DXS shall comply with such legal requirements.

1. Personal data of Customers/Partners is committed to being kept confidential in accordance with applicable laws and DXS’s Personal Data Protection Policy.
2. DXS endeavors to ensure that Customers’/Partners’ personal data is protected against violations of personal data protection regulations and to prevent loss, destruction, or damage caused by incidents through the application of technical measures. DXS maintains its commitment to personal data confidentiality by applying physical, electronic, and managerial measures to protect personal data, including but not limited to:
   1. The official websites of DXS and information systems containing personal data are protected by security measures and technologies such as firewalls, encryption, and intrusion prevention systems. DXS also implements human control measures and establishes inspection, evaluation, and review procedures to prevent violations of personal data protection regulations.
   2. DXS shall take all appropriate measures to ensure that Customers’/Partners’ personal data is processed in accordance with the purposes that have been notified. DXS shall always comply with legal requirements related to the storage of personal data.
3. DXS shall fulfill Customers’/Partners’ requests relating to their personal data, provided that such requests are in compliance with applicable laws.
4. DXS shall perform other obligations in accordance with applicable laws and this Policy.

1. DXS applies various information security measures and technologies to protect Customers’/Partners’ personal data from unauthorized use or unintended disclosure. DXS commits to protecting Customers’/Partners’ personal data to the maximum extent possible. Nevertheless, certain unintended consequences or damages may occur, including:
   1. Hardware or software errors arising during the processing of personal data, which may cause unintended impacts (such as errors, damage, or loss) to Customers’/Partners’ personal data;
   2. Security vulnerabilities beyond DXS’s control, where systems are attacked by hackers, leading to the leakage of Customers’/Partners’ personal data;
   3. Customers/Partners themselves causing the leakage of their personal data due to carelessness or fraud; accessing websites or downloading applications containing malicious software; or voluntarily sharing information with others.
2. DXS recommends that Customers/Partners strictly comply with their obligations to protect personal data as stipulated in Article 8 of this Policy and in accordance with applicable laws.
3. In the event of hardware or software errors occurring during the processing of personal data as stipulated in Point a, Clause 1 of this Article, DXS shall be responsible for compensating Customers/Partners for direct damages in accordance with the relevant contracts, general terms and conditions, and applicable laws. In cases where data storage servers are attacked by hackers resulting in the loss of Customers’/Partners’ personal data, or where Customers/Partners themselves cause the leakage of personal data as stipulated in Points b and c, Clause 1 of this Article, DXS shall be responsible for notifying the competent authorities for timely investigation and handling, and for informing Customers/Partners accordingly.

DXS’s websites/wapsites/applications may include third-party advertisements and links to other websites/wapsites/applications. Third-party advertising partners may collect information about Customers/Partners when they interact with such partners’ content, advertisements, or services. Any access to and use of third-party links or websites are not governed by this Policy but are instead subject to the privacy policies of such third parties. DXS shall not be responsible for the information practices or policies of any third parties.

DXS may process personal data without the consent of the data subject in the following cases:

• In emergency situations where it is necessary to immediately process relevant personal data to protect the life or health of the data subject or others;
• Where personal data is disclosed in accordance with applicable laws;
• Where personal data is processed by competent state authorities in cases of national defense or security emergencies, threats to national security or public order and safety, major disasters, dangerous epidemics; where there is a risk threatening national security or defense but not to the extent of declaring a state of emergency; or for the prevention and combat of riots, terrorism, crime, and legal violations in accordance with the law;
• For the performance of contractual obligations of the data subject with relevant agencies, organizations, or individuals in accordance with applicable laws;
• For the performance of activities of state authorities as prescribed by specialized laws.

In case Customers/Partners have any questions regarding this Policy or wish to exercise their rights relating to personal data, please contact DXS using the following methods and information:

• Contact DXS’s hotline as provided on DXS’s official websites/wapsites/applications from time to time;
• Send official correspondence to the following address: Dat Xanh Services – 2W Ung Van Khiem Street, Ward 25, Binh Thanh District, Ho Chi Minh City;
• Contact DXS directly at its transaction offices nationwide;
• Use other contact methods such as live chat, contact via DXS’s official fanpage, or the customer service email address provided to Customers/Partners from time to time.

Within the scope of this Policy, the following terms shall be understood and interpreted as follows:

1. This Policy sets out specific provisions governing the following matters:
   1. The scope and purposes of personal data processing of the Data Subject;
   2. The parties involved in the processing of personal data;
   3. Rights and obligations related to the Data Subject’s personal data;
   4. The commencement and termination of personal data processing;
   5. Methods of personal data processing;
   6. Potential consequences and unintended damages that may occur; and
   7. Other matters related to the processing of personal data.
2. By submitting an application to DXS and/or by permitting DXS to use his/her personal data and/or the personal data of Related Persons, the Data Subject accepts all terms and conditions set out in this Policy (hereinafter collectively referred to as the “Personal Data Processing Terms and Conditions”).
3. By providing personal data of Related Persons to DXS, the Data Subject represents and warrants to DXS that such Related Persons have been fully informed of this Policy and that the Data Subject has obtained the lawful consent and authorization of the Related Persons for the processing of personal data in accordance with the Personal Data Processing Terms and Conditions under this Policy.
4. The Personal Data Processing Terms and Conditions under this Policy constitute an integral part of the agreements, contracts, terms, and conditions governing the relationship between the Data Subject and DXS. In the event of any discrepancy and/or conflict between the Personal Data Processing Terms and Conditions and any terms and conditions for the same purposes stipulated in agreements and/or contracts between the Data Subject and DXS (if any) entered into before, on, or after the effective date of this Policy, the Personal Data Processing Terms and Conditions shall prevail and automatically replace such terms and conditions of those agreements and/or contracts.

Scope of processing: Depending on each specific case, DXS shall process all or part of the Data Subject’s basic personal data and sensitive personal data, including:

1. Basic personal data
   • Surname, middle name, given name, and other names (if any);
   • Date, month, and year of birth; date, month, and year of death or declaration of missing;
   • Gender;
   • Nationality;
   • Place of birth, permanent residence, temporary residence, hometown, and contact address;
   • Phone number, email address, identity card number, citizen identification number, passport number, driver’s license number, vehicle license plate number, personal tax identification number, social insurance number, health insurance card number, work permit number and information stated in the work permit, visa;
   • Marital status and information on family relationships (parents, spouse, children, etc.);
   • Information relating to Related Persons;
   • Curriculum vitae (CV) or résumé, cover letter, current or previous work experience; educational background, academic transcripts, or other information provided by the Data Subject to DXS for registration, job application, and throughout the recruitment process;
   • Reference information and information obtained from background checks (if any), including information provided by third parties;
   • Personal data reflecting employment history, education and training history, rewards and disciplinary records;
   • Images, videos, and audio recordings of the individual (including but not limited to images in application files, or images and voice recordings captured via online conferencing platforms, or images collected through security surveillance systems at offices/buildings);
   • Information on workplace location and business travel history;
   • Information on personal skills, talents, and hobbies of the Data Subject (if any);
   • Results of any aptitude or personality tests completed and provided by the Data Subject to DXS;
   • Information on employment commencement, rank, and position of the Data Subject;
   • Any other information required by law or voluntarily provided by the Data Subject to DXS during the recruitment process and/or during employment at DXS that does not constitute sensitive personal data;
   • Other information associated with a specific individual or enabling the identification of a specific individual that does not constitute sensitive personal data.
2. Sensitive personal data:
   • Bank account numbers;
   • Political opinions and religious beliefs;
   • Data relating to criminal records and criminal acts in judicial background records;
   • Financial information such as salary, allowances, subsidies, bonuses, and other benefits (as amended or adjusted from time to time);
   • Health status and private life recorded in medical records;
   • Racial origin and ethnic origin;
   • Images and fingerprints;
   • Location data of individuals determined through positioning services;
   • Other personal data deemed sensitive or requiring special protection measures as prescribed by law.

DXS processes the Data Subject’s personal data for the following purposes (hereinafter referred to as the “Processing Purposes”):

• To verify the identity of the Data Subject and the accuracy of the information provided, and to conduct reference checks and background investigations (where necessary).
• To assess and evaluate the eligibility and suitability of Candidates for the positions applied for or similar employment opportunities in the future, or to identify potential conflicts of interest.
• To carry out preparatory steps for entering into probationary contracts, labor contracts, vocational training contracts, internship agreements, and other agreements in accordance with applicable laws; and to enter into and perform obligations under such contracts and agreements.
• To carry out procedures and processes related to the recruitment of the Data Subject, including cases of unsuccessful or successful evaluations, and job offer proposals.
• To fulfill obligations relating to tax, social insurance, labor, trade unions, and occupational health examinations for Employees in accordance with applicable laws; and to provide Employees’ personal data to competent state authorities upon request, including but not limited to labor, insurance, statistics, trade union, state bank, and tax authorities.
• To pay salaries, bonuses, and implement policies, regimes, and employee welfare programs in accordance with internal regulations, collective labor agreements, and other internal policies of DXS, including the management of insurance and other benefits for Employees and their dependents.
• To conduct training courses and programs aimed at enhancing soft skills or other necessary skills and awareness for recruitment processes, talent planning, job-related training, or for the performance of probationary or labor contracts with DXS.
• To arrange business trips, events, activities, training programs, vocational training, or internal labor rotation.
• To evaluate Employees’ competence and suitability for new positions (applicable in promotion cases).
• To manage internal human resources, maintain databases for DXS’s operational needs, and compile and update Employee information; and to conduct internal communications regarding disciplinary measures in order to build an effective and disciplined working culture.
• To conduct risk management and control, internal investigations, and disciplinary actions in the event of violations, and to resolve labor disputes.
• To conduct audits, finalizations, reporting, statistics, surveys, and analysis of human resources, labor, payroll, tax, social insurance, and health insurance data.
• To enter into, perform, and comply with agreements and contracts between DXS and other parties.
• To share Employees’ contact information with customers and/or suppliers and partners relevant to the Employees’ job positions.
• To seek professional advice (including but not limited to legal advice) in relation to any matters of DXS and/or the Data Subject.
• To conduct statistics and classification of officers and employees eligible for preferential loans granted by DXS during the year.
• To provide the Data Subject with information about DXS, as well as DXS’s services and products.
• To provide personal data to units and branches (if any), service providers, or other relevant third parties to carry out personal data processing activities on behalf of or as authorized by DXS, and for the Processing Purposes.
• To assist Employees in obtaining immigration visas or work permits when necessary, and to establish contact in emergency situations.
• To manage and ensure security and safety at the workplace.
• To carry out other activities related to labor relations or for any other purposes required or permitted by laws, regulations, or guidelines issued by competent state authorities.
• For any other purposes permitted by Vietnamese law.

The above purposes may continue to apply for a reasonable period of time even after the Data Subject withdraws an application (in the case of Candidates) or terminates or changes the employment relationship with DXS (in the case of Employees), including during periods in which DXS is entitled to exercise its rights under any contract with the Employee or in accordance with applicable laws.

If DXS processes the Data Subject’s personal data for purposes other than the Processing Purposes stated herein, DXS shall notify the Data Subject of how such personal data will be processed and obtain additional consent prior to such processing in accordance with applicable laws and regulations.

1. In compliance with applicable Vietnamese laws, DXS may share part or all of the Data Subject’s personal data with the following parties:
   1. Business units, branches/transaction offices, subsidiaries, and affiliated companies (if any);
   2. Organizations and individuals acting as Data Processors, including but not limited to:
      1. Providers of goods and services, including but not limited to courier service providers, human resources service providers, work permit and visa service providers;
      2. Recruitment partners, candidate search and job placement partners;
      3. Training and coaching partners;
      4. Healthcare service providers, medical examination providers, hospitals;
      5. Travel and transportation service providers;
      6. Cloud storage and information technology service providers;
      7. Providers of analytical and advisory services;
      8. Professional advisory firms (including but not limited to lawyers, legal advisors, financial consultants, accountants, auditors, and/or other professional advisory service providers);
      9. Notary offices and bailiff offices;
      10. Insurance companies or insurance brokers.
   3. Any third party that the Data Subject permits DXS to share personal data with, including but not limited to the Data Subject’s Related Persons;
   4. Any competent state authorities and/or their affiliated units in accordance with Vietnamese laws.
   5. Business transfers: DXS has the right to share Employees’ personal data with other parties in connection with any merger, acquisition, consolidation, cooperation, restructuring, capital raising, or any other business transactions.
   6. Other third parties that DXS deems necessary for the Processing Purposes or as required by law.
2. Notwithstanding the foregoing, DXS shall treat the Data Subject’s personal data as private and confidential, and except for the parties listed above, DXS shall not disclose personal data to any other party except in the following cases:
   1. With the consent of the Data Subject;
   2. Where DXS is required or permitted to disclose personal data in accordance with applicable laws;
   3. Where DXS is required or permitted to do so pursuant to a decision of a competent state authority;
   4. Where DXS transfers its rights and obligations under agreements between the Data Subject and DXS; and/or
   5. Where DXS is required to fulfill its obligations to any competent state authority.

1. The Data Subject has the following rights with respect to his/her personal data, unless otherwise provided by law:
   1. Right to be informed: The Data Subject has the right to be informed of the processing of his/her personal data.
   2. Right to give consent: The Data Subject has the right to consent or refuse consent to the processing of his/her personal data, except in cases where the law permits the processing of personal data without the Data Subject’s consent.
   3. Right of access: The Data Subject has the right to access, view, edit, or request the correction of his/her personal data.
   4. Right to withdraw consent: The Data Subject has the right to withdraw his/her consent.
   5. Right to erasure: The Data Subject has the right to delete or request the deletion of his/her personal data.
   6. Right to restriction of processing: The Data Subject has the right to request restriction of the processing of his/her personal data.
   7. Right to data provision: The Data Subject has the right to request that his/her personal data be provided to him/her.
   8. Right to object to processing: The Data Subject has the right to object to the processing of his/her personal data in order to prevent or limit the disclosure of personal data or its use for advertising or marketing purposes.
   9. Right to lodge complaints, denunciations, or initiate legal proceedings: The Data Subject has the right to lodge complaints, denunciations, or initiate legal proceedings in accordance with applicable laws.
   10. Right to claim compensation for damages: The Data Subject has the right to claim compensation for damages in the event of violations of regulations on the protection of his/her personal data.
   11. Right to self-protection: The Data Subject has the right to protect himself/herself in accordance with the Civil Code, other relevant laws, and Decree No. 13/2023/ND-CP on Personal Data Protection, and to request competent authorities or organizations to apply measures for the protection of civil rights.
2. When the Data Subject wishes to exercise any of his/her rights with respect to personal data that is being controlled and processed by DXS, the Data Subject shall notify DXS using one of the methods specified in this Policy. Upon receipt of a complete and valid request, DXS shall endeavor to fulfill such request within the time period required by law and, if unable to do so for any reason, shall notify the Data Subject accordingly, except where Vietnamese law does not permit DXS to notify the Data Subject.
3. Where the Data Subject is a Candidate who exercises the right to withdraw consent with respect to his/her personal data or requests the correction, deletion, and/or destruction of personal data, resulting in DXS being unable to continue the interview process, DXS shall deem such request as the Candidate’s decision not to continue applying for the position at DXS.
4. Where the Data Subject is an Employee who exercises the right to withdraw consent with respect to his/her personal data or requests the correction, deletion, and/or destruction of personal data, resulting in DXS being unable to enter into a contract with the Employee, DXS shall deem such request as the Employee’s refusal to enter into an employment contract. Where the exercise of such rights by the Data Subject causes DXS to be unable to perform its obligations toward the Employee under the employment contract or agreement, DXS shall not be liable for any losses incurred by the Employee as a result of exercising such rights.
5. For the avoidance of doubt, when the Data Subject withdraws his/her consent:
   1. Such withdrawal shall only take legal effect with respect to DXS from the time the Data Subject submits the request to DXS and DXS has completed the identification process to verify the Data Subject’s rights, and shall not have retroactive effect on any consent given prior to that time; and
   2. Such withdrawal shall apply only to the specific personal data processing purpose(s) and shall not apply to all processing purposes stipulated in this Policy, unless otherwise specifically stated by the Data Subject.

The Data Subject has the following obligations with respect to his/her personal data:

1. To protect his/her personal data: The Data Subject shall take measures to protect his/her personal data and require other relevant organizations and individuals to protect such data. If personal data is disclosed due to the Data Subject’s carelessness or any fault of the Data Subject, the Data Subject shall bear the risks and damages that may arise.
2. To respect and protect the personal data of others.
3. To provide complete and accurate personal data to DXS when consenting to the processing of personal data.
4. To participate in awareness-raising and training activities on personal data protection organized by DXS or its partners or service providers, and to acknowledge that any non-compliance may result in risks to the Data Subject’s personal data.
5. To promptly notify DXS of any changes to the personal data previously provided by the Data Subject.
6. To provide legally valid documents upon DXS’s request to prove that the Data Subject has obtained the necessary consent and authorization from Related Persons to provide their personal data.
7. To comply with applicable laws on personal data protection and to participate in the prevention and combating of violations of personal data protection regulations.

DXS processes the Data Subject’s personal data from the time DXS receives the Data Subject’s consent to the processing of personal data. The Data Subject’s personal data shall be processed for the period necessary to achieve the Processing Purposes and/or to perform the obligations that DXS has notified to the Data Subject and/or to perform the agreements and/or contracts entered into between DXS and the Data Subject, unless a longer retention period is required or permitted by applicable laws (for example, for inspection, taxation, labor, and audit purposes). Certain categories of personal data may be retained for a longer period than other categories of personal data.

1. Collection of personal data: DXS and/or the Personal Data Processors may collect the Data Subject’s personal data from various lawful sources, including but not limited to:

• Data provided directly by Candidates to DXS during the interview process;
• Data provided directly by Employees to DXS upon entering into contracts with DXS and throughout the course of employment at DXS;
• Data obtained from communications, contacts, and interactions with the Data Subject;
• Data obtained from audio and video recording devices associated with security systems installed at business units/branches/transaction offices and at DXS;
• Data provided by the Data Subject to third parties (being organizations or individuals other than DXS and Personal Data Processors but permitted to process personal data) and consented by the Data Subject for such third parties to provide to DXS. For the purposes of this provision, third parties may include, but are not limited to, service providers in communications, recruitment, market surveys, marketing, fraud prevention, data aggregation, and/or other third parties related to DXS’s activities;
• Data obtained from DXS’s Personal Data Processors (including business partners), affiliated banks, publicly available data sources, data sources of competent state authorities, and other sources;
• Data obtained from any other sources and/or third parties not mentioned above, provided that such sources and/or third parties process personal data in compliance with Vietnamese laws and have obtained the Data Subject’s consent to provide such data to other parties, including DXS.

2. DXS shall use all means permitted by Vietnamese law to collect personal data from the above sources, including but not limited to landline telephones, call centers, mobile phones, email, laptops, surveillance cameras (CCTV), and other electronic transaction systems.

Processing of personal data obtained from audio and video recording in public areas

• DXS may collect and process image data of individuals and information obtained from security systems (such as audio and video recordings at areas equipped with surveillance cameras – CCTV, including but not limited to branches, business units, and head offices, including transaction counters, corridors, entrances/exits, and parking areas) for the purposes of protecting national security, public order and safety, and the lawful rights and interests of organizations and individuals in accordance with applicable laws, without requiring the consent of the Data Subject.
• At DXS, security systems and CCTV operate 24/7 to ensure safety and security for Data Subjects, prevent crime, protect facilities, and support fire prevention and firefighting. DXS commits to processing the Data Subject’s personal data strictly in accordance with this Policy and applicable laws.

3. Processing of children’s personal data

• DXS processes children’s personal data in accordance with the principle of protecting children’s rights and acting in the best interests of the child. Prior to processing children’s personal data, DXS shall take appropriate measures to verify the age of the child.
• DXS may receive personal data of children who are children, relatives, or dependents of Employees and process such personal data for the Processing Purposes stipulated in Article 4 of this Policy. DXS shall only process children’s personal data based on agreements with Employees for such Processing Purposes. Employees are responsible for ensuring that children have been fully informed of the relevant Processing Purposes and that consent has been obtained from children aged seven (7) years or older, as well as consent from parents or legal guardians in accordance with regulations, except for cases stipulated in Article 17 of Decree No. 13/2023/ND-CP dated April 17, 2023, prior to providing such information to DXS.

4. Cross-border transfer of personal data

• DXS may transfer or grant access to the Data Subject’s personal data to overseas partners or service providers for processing in accordance with the Processing Purposes consented to by the Data Subject. In other cases, DXS’s partners or service providers headquartered in Vietnam may use equipment or data processing systems located outside the territory of Vietnam to process personal data on behalf of DXS. Such cases shall also be deemed as cross-border transfers of the Data Subject’s personal data.
• It should be noted that certain countries may have levels or practices of personal data protection that are lower or higher than those of Vietnam. In all cases involving cross-border transfers of personal data, DXS shall endeavor to implement appropriate measures to ensure the protection of the Data Subject’s personal data, including entering into data protection agreements or commitments, selecting partners acting as Personal Data Processors with clearly defined responsibilities, and only cooperating with partners that have appropriate data protection measures in place.

Please note that although DXS always endeavors to ensure that the Data Subject’s personal data is protected to the fullest extent in accordance with applicable laws, DXS cannot completely and absolutely eliminate all risks to personal data during the processing process. The transmission of information via the Internet or DXS’s internal information systems may still involve certain inherent risks arising from force majeure events or incidents and cyber security crimes, such as cyberattacks, cyber terrorism, unauthorized cyber espionage, which may disrupt data processing or result in personal data leakage.

In such cases, DXS shall promptly take necessary actions to prevent, remedy, and minimize potential unintended damages to personal data, and shall coordinate with competent state authorities to handle violations. The Data Subject also agrees that, to the extent that DXS has implemented reasonable measures to prevent such risks, DXS shall not be liable for compensation for any damages caused by the acts of any third party that adversely affect the Employee’s personal data, provided that such damages are not attributable to the fault of DXS.

The websites/wapsites/applications of DXS may contain third-party advertisements and links to other websites/wapsites/applications. Third-party advertising partners may collect information about Customers/Partners when Customers/Partners interact with their content, advertisements, or services. Any access to and use of third-party links or websites are not governed by this Policy but are instead governed by the privacy policies of such third parties. DXS shall not be responsible for the information practices or policies of any third party.

In the event that Customers/Partners have any questions regarding this Policy or wish to exercise their personal data rights, please contact DXS using the following methods and information:

1. Contact the call center using the information published on DXS’s official websites/wapsites/applications from time to time;
2. Send an official letter to the following address: Dat Xanh Services – 2W Ung Van Khiem Street, Ward 25, Binh Thanh District, Ho Chi Minh City;
3. Contact DXS directly at its transaction offices nationwide.