This Personal Data Protection Policy describes how personal data arising in the course of the operation and business of Vinmec International General Hospital Joint Stock Company (hereinafter referred to as the "Company"), located at No. 458 Minh Khai Street, Vinh Tuy Ward, Hai Ba Trung District, Hanoi City, Vietnam, with its official website at https://vinmec.com, is collected, used and processed.
ARTICLE 1. GENERAL PROVISIONS
1.1. Personal Data: means information in the form of symbols, letters, digits, images, sounds, or similar forms in the electronic environment that are associated with a specific person or help identify a specific person. Personal Data includes Basic Personal Data and Sensitive Personal Data.
1.2. Data Subject: means the individual reflected by the Personal Data, including all individual customers who are using the Company's products and services, the Company's employees, shareholders and/or other individuals who have a legal relationship with the Company.
1.3. Process, Processing or Processed: means one or more activities affecting Personal Data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, recalling, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data or other related actions.
1.4. Personal Data Protection Policy, or Policy: means the entire content of this policy drafted and issued by the Company, including 11 articles in full and complete, to be applied to the Company, its branches and business locations, and its branches’ business locations.
1.5. Whenever the Personal Data of any relevant person of the Data Subject (including but not limited to information of dependents, related persons in accordance with the law, spouse, children and/or parents and/or guardians, friends, beneficiaries, authorized persons, partners, contacts for emergencies or other individuals of the Data Subject) is provided to the Company, the Data Subject and the relevant persons of the Data Subject warrant, guarantee and assume responsibility that the information has been fully provided and has been lawfully agreed/approved by the Data Subject to be processed for the purposes set out in the Policy. The Data Subject and the relevant person of the Data Subject agree that the Company is not responsible for due diligence on the legality and validity of this consent/approval, and that the storage of evidence proving it is the responsibility of the relevant person of the Data Subject and the Data Subject. The Company is exempt from liability and is required to compensate for related damages and expenses when the Data Subject or/and related persons of the Data Subject do not comply with the contents specified herein.
1.6. By registering, using the Company's products and services, entering into contracts and/or allowing the Company to Process Personal Data, the Data Subject accepts in full and without any conditions to the policies mentioned herein and the changes (if any) from time to time.
1.7. The Policy may be updated, modified, supplemented or replaced by the Company from time to time and posted by the Company on the Company's official website. You can visit and check our official website regularly for the latest changes.
1.8. The Company undertakes to comply with the following principles when Processing Personal Data:
a) The Company processes and protects Personal Data in accordance with the provisions of Vietnamese laws; fully complies with contracts, agreements, and other documents established with the Data Subject;
b) The Company collects Personal Data for specific, explicit and lawful purposes, within the scope of the purposes stated in Article 3 of the Policy and in accordance with the provisions of Vietnamese laws;
c) The Company always applies and updates technical measures in accordance with the provisions of Vietnamese laws to ensure the safety of Personal Data, including the protection from unauthorized access and/or destruction, loss or damage to Personal Data;
d) The Company stores Personal Data appropriately and to the extent necessary to process it in accordance with the provisions of Vietnamese laws;
e) The Company is committed to complying with regulations related to the protection of children's data.
ARTICLE 2. PROCESSED PERSONAL DATA
In order for the Company to Process Personal Data for the purposes set out in Article 3 of the Policy, the Company may process the following types of Personal Data:
2.1. Basic Personal Data includes:
a) Original family name, middle name and last name, other names (if any);
b) Date of birth; date of death or disappearance;
c) Gender;
d) Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address;
e) Nationality;
f) Individual image; information obtained from security systems, including image recordings of the Data Subject on the camera systems and surveillance cameras at the Company's business/transaction locations;
g) Telephone number, identity card number, citizen identification number, personal identification number, passport number, driver's license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
h) Occupation and workplace;
i) Marital status;
j) Information about family relationships (parents, children);
k) Information about the individual's digital account; Personal Data reflecting interests and history of activities in cyberspace;
l) Other information that is associated with a specific person or helps to identify a specific person and does not fall within the scope of Sensitive Personal Data as set out in Article 2.2 below.
2.2. Sensitive Personal Data includes the following key data:
a) Political views, religious views;
b) Health status and private life recorded in medical records, excluding information about blood type;
c) Information related to racial origin, ethnic origin;
d) Information about an individual's inherited or acquired genetic trait;
e) Information about physical attributes, unique biological characteristics of individuals;
f) Data on crimes and criminal acts collected and stored by law enforcement agencies;
g) Information about the bank account of the Data Subject;
h) Data about the customer's location determined through the location service;
i) Other Personal Data specified by law as specific and requiring necessary security measures.
ARTICLE 3. PURPOSES OF PERSONAL DATA PROCESSING
Personal Data may be processed for one or more of the following purposes:
3.1. Evaluating the capability to provide products, services and/or enter into contractual commitments with the Data Subject, including but not limited to the purposes as follows:
a) Identifying and verifying information of the Data Subject;
b) Evaluating, reviewing and approving the provision of products and services according to the registration documents, applications, contracts of the Data Subject and/or related persons of the Data Subject;
c) Considering providing or continuing to provide any of the Company's products and services to the Data Subject.
3.2. Fulfilling obligations in contracts, agreements, terms, conditions and other documents between the Company and the Data Subject, customer support, including but not limited to the purposes as follows:
a) Performing obligations under contracts, agreements and providing products and services to Data Subjects;
b) Updating and processing information of Data Subjects;
c) Taking care of and settling complaints and lawsuits of Data Subjects;
d) Using and transferring to partners Personal Data and relevant information to identify and fix problems of products and services; product repair;
e) Contacting and notifying the Data Subject;
f) Implementing promotional programs, exchanging gifts, awarding, delivering gifts;
g) Performing other customer care and support activities.
3.3. Improving the quality of the Company's products and services, including but not limited to:
a) Providing information that the client has requested or that the Company finds useful to the client;
b) Improving technology, interface of websites, social networks, and applications to ensure convenience for customers;
c) Managing customer accounts and loyalty programs;
d) Statistics and data analysis for research, development and improvement of products and services; improving customer experience;
e) Developing and providing new products and services that are personalized according to the actual needs and conditions of customers;
f) Introducing and providing promotions and incentives for products and services of the Company and of the Company in cooperation with partners;
g) Proposing products and services that customers may be interested in through identifying customer interests.
3.4. Serving the Company's business and operation activities including but not limited to the fulfillment of reporting, financial, accounting and tax obligations, auditing, compliance activities and other activities serving the Company's legitimate business in cases that the Company deems necessary.
3.5. Restructuring and transfer of projects/enterprises:
In the course of business, the Company may sell or buy businesses or restructure the business or transfer other projects or services in accordance with the provisions of law. Accordingly, Personal Data and the right to use information in general are among the transferred assets. In all cases, the transfer and processing of data will be carried out by the parties in accordance with the provisions of the law and the Policy.
3.6. Marketing: Building marketing campaigns, promoting products and services, including building campaigns based on customer preferences.
3.7. Prevention, caution, investigation and detection of crimes.
3.8. Protecting social order and safety, protecting the legitimate rights and interests of Data Subjects, the Company and other related parties.
3.9. Compliance with the provisions of law and international treaties to which Vietnam is a signatory, including but not limited to:
a) To provide to competent state agencies in accordance with law;
b) In order to fulfill its obligations in accordance with the provisions of law, international treaties that the Company must comply with (if any).
3.10. Other purposes for which the consent of the Data Subject has been obtained.
ARTICLE 4. HOW PERSONAL DATA IS PROCESSED
4.1. How the data is collected
Personal Data is collected as follows:
a) From the Company's websites and applications: Personal Data is collected when the Data Subject fills in the forms posted on the Company's websites and applications.
b) From the provision of products and services, the performance of obligations under contracts and agreements of the Company: Personal Data is collected when the Data Subject purchases, registers to use, uses any products and services, signs a contract with the Company.
c) From exchanges and communications with the Data Subject: Personal Data is collected through interaction between the Company and the Data Subject (in person, by mail, telephone, online, call center system, electronic communication or any other means) including surveys.
d) From social networks: The Company's social networks and/or social networks cooperated by the Company with partners.
e) From audio and video recording devices: located at stores, business points or places where part or all of the Company's business activities are carried out that the Data Subject meets, appears or interacts with the Company;
f) From interactions or automated data collection technologies: The Company may collect automatically recorded information from the connection:
(i) Cookies, pixel tags, and other similar technologies;
(ii) Any technology capable of tracking personal activity on devices or websites;
(iii) Other data and information provided by a device.
g) Other means
The Company may collect Personal Data through public and official sources of information or through the receipt and sharing of necessary data from the parent company, subsidiaries, affiliates, and partners in the process of cooperating with the Company in accordance with the applicable regulations.
4.2. How the data is stored
Personal Data is stored in Vietnam at the Company's database system or wherever we or our subsidiaries, affiliates, partners or service providers have facilities.
The storage period of personal data is determined based on the purpose of use as stated in the Policy and in accordance with the applicable regulations.
4.3. How the data is transferred/shared
a) The Company will not sell Personal Data to any party. The Company uses the necessary security measures to ensure that the transfer/sharing of Personal Data is secure. Personal Data is shared by the Company with (i) the Company's parent company, subsidiaries, affiliates; (ii) individuals/organizations involved in the Processing of Personal Data as set out in the Policy; or (iii) competent state agencies or other cases in accordance with the applicable regulations.
b) If the recipient of Personal Data is headquartered outside the territory of Vietnam, when providing/transferring Personal Data abroad (including but not limited to the use of cyberspace, equipment, electronic means or other forms to transfer Personal Data outside the territory of Vietnam), the Company will require the receiving party to ensure the safety and security of the Personal Data provided/transferred. The Company is committed to fully complying with the regulations and compliance requirements of Vietnamese law to protect the safety of Personal Data.
4.4. How the data is analyzed
Personal Data is analyzed based on the Company's internal processes, data security principles and information security for information technology systems.
4.5. How the data is encrypted
When necessary, the processed Personal Data is encrypted in accordance with appropriate encryption standards during storage or transfer and processing to ensure that the data is protected at all times.
4.6. How the data is deleted
In accordance with the applicable regulations or upon a valid request from the Data Subject, the Company will delete the stored Personal Data, except for the following cases:
a) The law does not allow data deletion or require mandatory data storage;
b) Personal Data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with law;
c) Personal Data has been disclosed in accordance with the law;
d) Personal Data is processed to serve legal requirements, scientific research and statistics in accordance with law;
e) In case of national defense and security emergencies, social order and safety, major disasters, dangerous epidemics; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; prevention and combat of riots, terrorism, crime and law violations;
f) Responding to an emergency situation that threatens the life, health, or safety of a Data Subject or other individual.
Throughout the Processing of Personal Data, security is the highest priority of the Company. The Company takes appropriate technical measures to prevent unauthorized access to and use of Personal Data. We also regularly collaborate with security experts to update the latest cybersecurity techniques to ensure the safety of Personal Data. Your payment card data issued by financial institutions is protected by the Company on the principle that important payment card data (card number, full name, CVV number) is not recorded on our system. Your payment transaction is made on the system of the relevant bank.
ARTICLE 5. PROCESSING OF CHILDREN'S PERSONAL DATA
5.1. The Company will Process Children's Personal Data in accordance with the principle of protecting the rights and best interests of children and in accordance with the provisions of the law.
5.2. The Company only processes the Personal Data of children and provides products and services to children, if the parent or guardian consents to the use of the Company's products and services, consents to the Company Processing the Personal Data of the child, agrees to the Policy and complies with the requirements of relevant laws. In the event that a child aged 7 years or older uses the Company's products and services, in addition to the requirements set forth herein, the Company will only process the child's Personal Data with the consent of the child. The parent or guardian is responsible for obtaining the consent of the child before providing the child's Personal Data to the Company.
ARTICLE 6. CONSEQUENCES AND UNEXPECTED DAMAGE THAT ARE LIKELY TO OCCUR
6.1. The Company uses many different information security technologies such as firewall systems, access control measures, encryption, etc. to protect and prevent unauthorized access, use or sharing of Personal Data. However, the Company cannot commit to ensuring absolute security of Personal Data in certain cases such as:
a) Hardware and software errors in the process of data processing that cause loss of data of the Data Subject;
b) The security vulnerability is beyond the control of the Company, the system is attacked by hackers, causing data to be exposed and leaked.
6.2. The Company recommends that Data Subjects keep confidential information related to account login passwords, OTP codes and do not share this content with any other person.
6.3. The Data Subject should be well aware that at any time when the Data Subject discloses and makes public his/her Personal Data, such data may be collected and used by others for purposes beyond the control of the Data Subject and the Company.
6.4. The Company recommends that Data Subjects preserve personal devices (phones, tablets, personal computers, etc.) during use. The Data Subject should log out of his or her account when not in use.
6.5. In case the data storage server is attacked, which leads to the loss, disclosure or leakage of Personal Data, the Company will be responsible for notifying the case to the investigating authorities for timely handling and notifying the Data Subject in accordance with the law.
6.6. Cyberspace is not a secure environment, and the Company cannot guarantee that Personal Data shared over cyberspace will always be secure. When transmitting Personal Data over cyberspace, the Data Subject should only use secure systems to access the website, application or device. The Data Subject is responsible for keeping his/her access credentials on each website, application or device securely and confidentially.
ARTICLE 7. START TIME, END TIME OF PROCESSING OF PERSONAL DATA
7.1. Personal Data is processed from the moment the Company lawfully receives the Personal Data and the Company has an appropriate legal basis for processing the data in accordance with the law.
7.2. Personal Data will be processed until the purposes of the data processing have been completed.
7.3. The Company may be required to store Personal Data even if the contract between the parties has been terminated in order to perform its obligations in accordance with the law and/or the requirements of the competent state authorities.
ARTICLE 8. ORGANIZATIONS AND INDIVIDUALS PARTICIPATING IN THE PROCESSING OF PERSONAL DATA
8.1. As the case may be, the Company may be the controller of personal data or the controller and processor of personal data.
8.2. To the extent permitted by law, the Data Subject clearly understands that the Company may share Personal Data for the purposes stated in the Policy with the following organizations and individuals:
a) Parent companies, subsidiaries and associated companies of the Company;
b) Organizations and individuals providing services and/or cooperating with the Company, including but not limited to: agents, auditors, lawyers, business partners, providers of information technology solutions, software, applications, operation, management, troubleshooting and infrastructure development services, etc.;
c) Any individual or organization that is a representative, authorized party of the Data Subject, acting on behalf of the Data Subject.
The sharing of data will be carried out in accordance with the order, manner and current legal regulations. The recipients of Personal Data are obligated to keep Personal Data confidential in accordance with the Policy, the Company's internal regulations, standards for the protection of Personal Data and applicable legal regulations.
8.3. The Company may be required to share Personal Data with competent state authorities in accordance with the law.
ARTICLE 9. RIGHTS OF DATA SUBJECTS
9.1. Right to know about his/her Personal Data Processing activities, unless otherwise provided by law.
9.2. Right to consent or object to consent to the Processing of his/her Personal Data, unless otherwise required by law.
9.3. Right to view, correct or request correction of your Personal Data, unless otherwise required by law.
9.4. Right to withdraw consent.
9.5. Right to erasure of data.
9.6. Right to restrict the processing of your Personal Data in accordance with the law.
9.7. Right to request the provision of his/her Personal Data, unless otherwise provided by law.
9.8. Right to object to data processing.
9.9. Right to complain, denounce and initiate lawsuits.
9.10. Right to claim damages.
9.11. Right to self-protect.
The Data Subject may exercise these rights by making a request to the Company. The request form must be sent to the Company with basic contents such as the requester's information, detailed request content (e.g. type of data to be provided or to be deleted, text name, record (if any)), reason and purpose when making the request, and relevant information depending on the specifics of the request (e.g. whether the requested documents need to be supplied in the form of a file or paper, the address for receiving documents, etc.). All costs (if any) arising from the fulfillment of the requirements stated herein, including but not limited to the cost of printing, photocopying, postage, courier fees for sending the data, will be borne by the requester and must be paid at the latest upon receipt of the data or within a period set by the Company.
The Company will process the requests of the Data Subject in accordance with the provisions of the law and consider the legitimate interests of the Data Subject. However, in the event that the Data Subject withdraws his/her consent, requests the deletion of the data and/or exercises other relevant rights with respect to any or all of the Personal Data in a way that affects the ability to provide/maintain the Company's products and services to the Data Subject or to maintain the contractual relationship, depending on the nature of the Data Subject's request, the Company may consider and decide not to continue to provide the Company's products and services to the Data Subject or terminate the contractual relationship between the Company and the Data Subject. Acts carried out by the Data Subject under this regulation shall be deemed to be a unilateral termination by the Data Subject for any relationship between the Data Subject and the Company and may lead to a breach of obligations or contractual commitments between the Data Subject and the Company, and the Company reserves its legal rights and remedies in such cases. Accordingly, the Company will not be liable to the Data Subject for any losses incurred and the Company's legal rights will be fully reserved. With reasonable efforts, the Company will carry out a lawful and valid request from the Data Subject within a reasonable time in accordance with the applicable regulations.
However, for security purposes, the Company may require the Data Subject to verify his/her identity before processing the Data Subject's request. The Company has the right to refuse to comply with the requests of the Data Subject in certain cases, including but not limited to: (i) the Data Subject does not comply with the order and procedures instructed by the Company in which the content of the request is missing or invalid; (ii) the Data Subject fails to provide or inadequately provides papers and documents for identity verification; (iii) the Company assesses that there are signs of fraud or violation of Personal Data protection; or (iv) the applicable regulations do not allow the implementation of the request of the Data Subject.
ARTICLE 10. OBLIGATIONS OF THE DATA SUBJECT
10.1. Self-protection of personal data; request other relevant organizations and individuals to protect their Personal Data. Promptly notify the Company when detecting any errors, mistakes, leaks of Personal Data or suspicion that Personal Data is being breached.
10.2. Respect and protect the personal data of others.
10.3. Provide complete and accurate Personal Data when agreeing to allow the Processing of Personal Data. If there is any false information, the Data Subject will bear it at its own expense in the event that such information affects or restricts the interests of the Data Subject.
10.4. Comply with the law on personal data protection and participate in the prevention and control of violations of regulations on personal data protection.
10.5. Other responsibilities as prescribed by law.
ARTICLE 11. OTHER REGULATIONS
11.1. The Data Subject confirms that, by accepting the Policy, the Data Subject has consented to the Personal Data being processed by the Company, the organization or individual participating in the Personal Data Processing process as set out in the Policy, and knows the type of data to be processed, the purpose of the data processing, the individual entity to which the Personal Data is processed, and his/her rights and obligations in relation to the Personal Data. The Data Subject has been notified of, knows and has consented to all contents that need to be notified before the Personal Data is processed by the Company, organizations and individuals participating in the Personal Data Processing process. The Data Subject agrees that the Company, organizations and individuals involved in the Processing of Personal Data do not need to notify each other before the Processing of Personal Data.
11.2. If you have any questions about the Company's personal data protection, please contact us and we will try to answer your question as soon as possible. You can also contact us at the address below:
Vinmec International General Hospital Joint Stock Company
Contact address: No. 458 Minh Khai Street, Vinh Tuy Ward, Hai Ba Trung District, Hanoi City, Vietnam
Phone: +84 243 975 0028
Email: info@vinmec.com
11.3. The Personal Data Protection Policy is applicable from 1st July 2023, being the updated version of the Privacy Policy in accordance with the laws on Personal Data protection. Rights and obligations of the Data Subject are guaranteed as per the applicable law from time to time.