Internal Privacy Policy
(Applicable to Employees and Contact Persons)
1. Introduction
This Internal Privacy Policy (the “Privacy Policy”) is specifically for Vietnam jurisdiction and describes how we collect and process personal data about you (i) during and after your working relationship with us in case you are our employees, workers and contractors (together, the “Employees”); or (ii) during and after you serve as the contact person and/or representative person for your company or employer (the “Contact Persons”), in accordance with Vietnamese laws on personal data protection, as amended from time to time.
It is important that you read and retain this Privacy Policy, together with any other privacy notice we may provide on specific occasions when we are collecting and processing personal data about you so that you are aware of how and why we are collecting and processing such data and what your rights are under the personal data protection regulations.
The body of this Privacy Policy applies to all current and former Employees and the Contact Persons and the respective annexes are applicable to you depending on whether you are the Employees or Contact Persons. Please refer to Annex 1 if you are one of the Employees and Annex 2 if you are one of the Contact Persons.
This Privacy Policy does not form part of any contract of employment or other contract to provide services. We may update this Privacy Policy at any time but if we do so, we will publish the updated Privacy Policy on our website https://www.cydas.com/vn/privacy/ as soon as reasonably practical.
2. Our role in processing your personal data
CYDAS Inc. is a “controller-processor” and responsible for your Personal Data (as defined below) (collectively referred to as the “Company”, “we”, “us” or “our” in this Privacy Policy). This means that we are responsible for deciding how we process your Personal Data. We are required under personal data protection regulations to notify you of the information contained in this Privacy Policy.
3. The Personal Data we process
We will process the categories of personal data as described under Annex 1 if you are the Employees (“Employees Personal Data”) and under Annex 2 if you are the Contact Persons (“Contact Persons Personal Data”, together with the Employees Personal Data, the “Personal Data”) for the Purposes as defined in the “How we process your Personal Data” section, subject to your consent and in accordance with the personal data protection regulations of Vietnam.
4. Why we process your Personal Data
4.1. Purposes for which we will process your Personal Data
We will only process your Personal Data when the law allows us to. Most commonly, we will collect, record, analyze, confirm, store, edit, publish, combine, access, retrieve, revoke, encrypt, decrypt, copy, share, transmit, supply, transfer, delete, and destroy the Personal Data or conduct other related actions with respect to the Personal Data (collectively or individually referred to as “process” or “processed” or “processing”) in accordance with the laws for the purpose of:
(a)
negotiation, execution, performance and management of the employment contract, probation contract, training contract, and other agreements with the Employees or commercial contracts and transactions with our clients for whom you are acting as the contact persons;
(b)
operation, management of the Company, and implementation of our business and corporation;
(c)
performance of our rights and obligations as allowed or required by laws;
(d)
delivery of relevant advertisements to you if applicable; and
(e)
protection of your interests (or someone else’s interests) in accordance with the laws (together, the “Purposes” and any of them, the “Purpose”).
For a detailed description of each of the Purposes applicable to the Employees and the Contact Persons, please refer to Annex 1 if you are one of the Employees and Annex 2 if you are one of the Contact Persons.
4.2. Change of purpose
We will only process your Personal Data for the Purposes for which we collect it unless we reasonably consider that we need to process it for another reason and that reason is compatible with the original Purposes. If we need to process your Personal Data for an unrelated purpose, we will notify you and explain the legal basis allowing us to do so. Please note that we may process your Personal Data without your consent, in compliance with the above rules, where this is required or permitted by law.
5. How we process your Personal Data
Personal Data will be processed in compliance with the applicable laws using paper, electronic and/or telematic means, using methods related to the Purposes.
5.1. Collection of Personal Data
We collect the Employees Personal Data through the job application and recruitment process by filling in forms or corresponding with you by post, phone, email or otherwise, either directly from you as a candidate or sometimes from an employment agency or background check provider. We may sometimes collect additional information about you, which may include your Personal Data, from third parties including former employers, credit reference agencies, or other background check agencies. We will collect additional Employees Personal Data in the course of job-related activities throughout the period you work for us.
We collect the Contact Persons Personal Data through the contract negotiation, execution and/or performance, or by corresponding with us by post, phone, email or otherwise either directly from the Contact Persons or from our client for whom you are acting as the contact person.
5.2. Disclosure of Personal Data
We may share your Personal Data with the parties entitled to process Personal Data as listed in the “Controller-Processor of Personal Data” section and “Other parties entitled to personal data processing or relating to the Purposes” section for the Purposes. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your Personal Data in line with the applicable laws. We do not allow our third-party service providers to process your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
5.3. Transferring Personal Data outside of Vietnam
For the Purposes, we share your Personal Data within the Cydas group companies (“Cydas Group”) which will involve transferring your Personal Data outside of Vietnam. Many of our external third parties are based outside of Vietnam so their processing of your Personal Data will involve a transfer of data outside of Vietnam. As a result, your Personal Data may be transferred to the following countries outside of Vietnam:
(a)
Japan; and
(b)
Other countries where Amazon Web Service establishes its region and we determine to use.
We have taken appropriate measures to ensure that your Personal Data receives an adequate level of protection and is treated by those third parties in a way that is consistent with and respects the applicable laws.
If you require further information about how your Personal Data is transferred outside of Vietnam or have any claims, you can contact us via the contact information provided in the “Mechanism of Communication and Claim” section. Such queries and claims shall be handled by the Company in accordance with applicable laws.
6. Controller-Processor of Personal Data
Controller-Processor of Personal Data: CYDAS Inc,.
7. Other parties entitled to personal data processing or relating to the Purposes
We would need to collect, disclose, share, transfer, or otherwise engage the following third parties in processing your Personal Data for, or in relation to, or within the scope of the applicable Purposes:
(a)
Internal parties including the Company’s managers, officers, staff, and employees and parent company, subsidiaries, affiliates within Cydas Group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and hosting of data.
(b)
External parties including:
(ⅰ) Service providers (including contractors and designated agents) that provide IT and system administration services, data maintenance services, fraud prevention agencies, labor-related services and other services in relation to the applicable Purposes;
(ⅱ) Professional advisers acting as processors or controllers including lawyers, bankers, accountants, auditors, insurers and relevant experts who provide consultancy, financial, banking, payment intermediary services, legal, insurance, tax and accounting services, or other services in relation to the applicable Purposes;
(ⅲ) Security companies, trust banks, stock exchanges and the like in relation to the applicable Purposes;
(ⅳ) Business partners and clients of the Company;
(ⅴ) Investors and other parties in connection with any merger, acquisition, partnership, restructuring, financing or any other business transaction with the Company;
(ⅵ) Competent authorities based in Vietnam and/or outside of Vietnam; and
(ⅶ) Viewers of our website.
8. Your rights as a data subject
You may exercise, among other rights as provided by law, the following rights in relation to your Personal Data pursuant to the manual, policies and internal rules as we may designate from time to time in accordance with the laws:
(a) Right to know of the data processing
You have the right to know about our processing of your Personal Data unless otherwise provided by law.
(b) Right to consent to data processing
You have the right to give or not to give consent to the processing of your Personal Data, except in certain circumstances provided by law.
(c) Right to access data
You have the right to access your Personal Data in order to look at, rectify or request rectification of your Personal Data, unless otherwise provided by law.
(d) Right to withdraw consent
You have the right to withdraw your consent to the processing of your Personal Data unless otherwise provided by law.
In the event that you withdraw your consent to the processing of the Employees Personal Data, we may not be able to carry out in full the required performance of the contract, work and tasks for you concerning your employment relationship with us if the information to which your consent is withdrawn has a direct impact on the performance of contract/work. Similarly, for the Contact Persons Personal Data, we may not be able to carry out in full the required performance of the contract, work and tasks for you and the client for whom you are acting as a contact person if the Personal Data to which your consent is withdrawn has a direct impact on the performance of contract, work and tasks.
The withdrawal of consent shall not affect the lawfulness of the processing to which consent was given before it is withdrawn.
The withdrawal of consent shall be expressed in a format that can be printed and reproduced in writing, including in electronic or verifiable format. When receiving your request for withdrawal of consent, we shall notify you of potential consequences and damage of such withdrawal of consent.
(e) Right to erasure
Unless otherwise provided by law, you have the right to erase or request for the erasure of your Personal Data. However, this shall not apply if, to the extent permitted by law, such Personal Data is required to be retained or otherwise processed to fulfill our obligations at law.
In certain events of your erasure of Personal Data, we may not be able to carry out in full the required performance of the contract/work for you and/or the client for whom you are acting as a contact person if the Personal Data required to be deleted has a direct impact on the performance of the contract/work.
(f) Right to restrict data processing
You have the right to request restrictions of the processing of your Personal Data unless otherwise provided by law. Your request shall be implemented within 72 hours after receiving the valid request, unless otherwise provided by law.
In certain events of restriction of data processing, we may not be able to carry out in full the required performance of the contract/work for you and/or the client for whom you are acting as a contact person if the Personal Data required to be restricted has a direct impact on the performance of contract/work.
(g) Right to request the provision of data
You have the right to request us to provide you with your Personal Data which is provided to us during the course of the services/works we operate, unless otherwise provided by law.
(h) Right to object to data processing
You have the right to object to our processing of your Personal Data (ⅰ) to prevent or limit the disclosure of your Personal Data or (ⅱ) for advertising and marketing purposes, unless otherwise provided by law. We shall comply with your request within 72 hours after receiving the valid request unless otherwise provided for by law.
(i) Right to complain, denounce and initiate lawsuits and claim damages
In the event that we violate applicable personal data protection regulations, you have the right to file complaints, denunciations and lawsuits as prescribed by law;
(j) Right to claim compensation
You have the right to claim damages in accordance with the procedures and regulations as prescribed by law if there are grounds that our violation affects your legitimate interests; and
(k) Right to self-protection
You have the right to self-protection in accordance with the Civil Code and other relevant laws.
9. Your obligations as a data subject
You have the following obligations in relation to your Personal Data, among other obligations as provided by law:
(a) to protect your own Personal Data; to request relevant organizations and individuals to protect your personal data;
(b) to respect and protect others’ Personal Data;
(c) to fully and accurately provide your Personal Data when you consent to the personal data processing;
(d) to participate in the dissemination of personal data protection skills; and
(e) to comply with regulations on personal data protection and prevent violations against regulations on personal data protection; and
(f) to not take advantage of the protection of personal data to breach laws.
10. Commencement and ending time of the data processing
(a) Personal data processing will commence from the time we obtain your Personal Data in the manner as described in this Privacy Policy in accordance with law.
(b) Personal Data will be retained within the necessary period for the Purposes and/or as stipulated in the applicable laws. In many instances, Personal Data may be held for 10 years (or longer if required by law) after the termination of your employment, engagement or contracts in accordance with our obligations under accounting and other applicable regulations.
When the aforesaid retention period expires, or the Personal Data is no longer necessary for legal purposes or in other cases as required by law, we will take steps to destroy or anonymize the Personal Data and if such measures are impracticable (for example, if such Personal Data has been stored in back-up archives), we will store the Personal Data until deletion becomes practicable and ensure that no new processing takes place thereafter in accordance with our document retention and disposal policy, and applicable laws and regulations.
(c) We will cease the personal data processing at the end of the retention period as described in (b) above or in other cases under the laws.
11. Risks, Consequences and Security
We take appropriate security measures in a way that is consistent with and respects the applicable law on data protection to protect the Personal Data we process and prevent the Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.
However, despite our safeguards and efforts to secure Personal Data, please be aware that no data security measures can guarantee 100% security. There may be an incident that affects the function and security of the Company system and interrupts our ability to maintain our performance of the contract/work concerning the employment relationship with the highest standards. Nonetheless, we strive to protect your Personal Data and will carry out necessary responses in such circumstances in accordance with the law.
12. Mechanism of Communication and Claim
We have appointed a contact person who is responsible for overseeing questions in relation to this Privacy Policy. In case of any questions or claims in relation to this Privacy Policy, including any requests to exercise your legal rights, you may contact us using the details set out below:
Name : Head of Corporate Headquarters
Telephone number : +81-03-6435-3953
E-mail : privacy_info@cydas.com
Contact address : 2-1-33, Shiba, Minato-ku, Tokyo, 105-0014, JAPAN
Such questions or claims shall be handled by us in accordance with applicable laws. We would appreciate the chance to deal with your concerns before you pursue any other statutory measures, so please contact us in the first instance.
This Privacy Policy is effective from 8 November 2023.
Annex 1
For Employees
1. Introduction
1.1 Basic personal data
(a) Names, national ID number, contact information, date of birth, nationality, passport number, driver’s
license, tax ID number, business card, occupation/title, place of work, photographs, and video images
(where applicable);
(b) Gender;
(c) Marital status;
(d) Visa and work permit details in relation to business travel/work relocation;
(e) Payroll records and tax status information;
(f) Salary, annual leave, pension and benefits information;
(g) Education and training history, qualifications and skills;
(h) Location of employment or workplace;
(i) Recruitment information (including information included in a CV or cover letter or as part of the application process);
(j) Employment records (including job titles, work history, working hours, holidays, training records and professional memberships);
(k) Performance information;
(l) Labor disciplinary information;
(m) Desired job and working style;
(n) Personal information obtained through electronic means for security purposes such as security/swipe card records, other than CCTV footage; and
(o) Other personal data that you have provided to us.
1.2 Sensitive personal data
(a) Bank account details;
(b) Health status and private life recorded in medical records (excluding information on blood type) for health check support and insurance policy;
(c) Information related to racial and ethnic background;
(d) Genetic information and biometric data;
(e) Data on crimes and criminal activities for background check;
(f) Personal values, evaluations, career visions, interests and special skills;
(g) Relationships with other employees;
(h) Your physical attributes which may be captured by the security CCTV system (if any); and
(i) Other sensitive information where necessary with your consent or as required by law.
2.How we process the Employees Personal Data
Further to the general description of the Purposes under the “How we process your Personal Data” section above, we describe below non-exhaustively some details of the Purposes in relation to the Employees Personal Data for your ease of reference:
(a) Check your information (including reference and background check with your former employers, credit reference agencies or other background check agencies), assess your qualifications and make a decision
about your recruitment, assignment or appointment or for the termination of the working relationship;
(b) Calculate and make salary payments to you, performing relevant tax and social insurance contributions in
accordance with the laws;
(c) Administer the employment contract we have entered into with you;
(d) Communicate with you;
(e) Conduct performance reviews, manage performance and determine performance requirements;
(f) Make decisions on periodic salary reviews and compensation;
(g) Serve prospective or ongoing grievance or disciplinary hearings;
(h) Provide education, training and development activities and requirements;
(i) Deal with whistleblowing claims, legal disputes and claims otherwise involving you including accidents
at work;
(j) Prevent fraud and other unlawful activity or misconduct;
(k) Maintain sickness and other absence records;
(l) Support your health check and insurance policy;
(m) Comply with health and safety obligations;
(n) Monitor your use of our information and communication systems to ensure compliance with our IT, data security and other policies;
(o) Ensure network and information security, including preventing unauthorised access to our computer and
electronic communications systems and preventing malicious software distribution;
(p) Conduct data analytics studies to review and better understand employee retention and attrition rates;
(q) Deal with your requests in connection with the exercise of your data subject rights;
(r) Providing annual healthcare;
(s) Apply for visa and work permit if required by laws;
(t) Make arrangements (such as hotel/flight booking) for traveling needs;
(u) PR, marketing and IR activities for the Company;
(v) Protect your interests (or someone else’s interests) in accordance with the laws; and
(w) Satisfy our relevant legal and regulatory rights and obligations.
Some of the above Purposes may overlap and there may be several grounds which justify our use of your Employees Personal Data.
Annex 2
For Contact Persons
1. Contact Persons Personal Data we process
1.1 Basic personal data
(a) Names;
(b) Gender;
(c) Contact information such as working or personal phone numbers, email address, etc.;
(d) Title, location of employment or workplace;
(e) Personal information obtained through electronic means for security purposes such as security/swipe card records (if any), other than CCTV footage; and
(f) Other personal data that you have provided to us during the execution and/or contract performance.
1.2 Sensitive personal data
We may collect and process your physical attributes captured by our security CCTV system, and your information about criminal convictions and offenses (if any) in certain cases. We do not collect any other sensitive personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).
2. How we process the Contact Persons Personal Data
Further to the general description of the Purposes under the “How we process your Personal Data” section above, we describe below non-exhaustively some details of the Purposes in relation to the Contact Persons Personal Data for your ease of reference:
(a) Register a new customer and register you as the contact person of such customer;
(b) Process and deliver your order including: (i) manage payments, fees and charges; and (ii) collect and
recover money owed to us;
(c) Manage our relationship with you which will include: (i) notifying you about changes to our terms or privacy policy; and (ii) asking you to leave a review or take a survey;
(d) Administer and protect our business (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
(e) Use data analytics to improve our products/services, marketing, customer relationships and experiences;
(f) Respond to inquiries by our client for whom you are acting as contact person;
(g) Organize events and seminars;
(h) Deliver relevant advertisements to our client for whom you are acting as contact person, by your email and non-periodically upon any appropriate advertisement; and make suggestions and recommendations to our client for whom you are acting as contact person about our goods or services (including events, seminars and other information relating to our goods or services) that may be of interest by your email and non-periodically upon any appropriate advertisement; and
(i) For our relevant legal and regulatory rights and obligations.
Some of the above Purposes may overlap and there may be several grounds which justify our use of your Contact Persons Personal Data.