​

1. Acquisition of personal information

The purpose of this Policy is to govern the processing of personal data by ES CONSULTING VIETNAM CO., LTD. (hereinafter referred to as "ESC") in order to protect personal data by setting out ESC's procedures for the protection of personal data under its control.

2. Definitions

(1) "Personal Data" means any symbol, letter, number, image, sound or electronic information that is associated with or can be used to identify an individual. Personal Data includes General Personal Data and Sensitive Personal Data as specified below.
This Policy does not apply to information created for ESC employees and in ESC's possession in connection with business purposes, including, but not limited to, job title or title, work telephone number, work address, work email address or work fax number, and other similar information.

(1-1) “General personal data” includes the following:
- Last name, middle name, first name and other names (if any)
- Date of birth, death or disappearance
- Gender
- Place of birth, place of birth registration, place of permanent residence, place of temporary residence, place of origin, contact address
- nationality
- Person Image
- Phone number, ID card number, personal identification number, passport number, driver's license number, license plate number, taxpayer ID number, social security number, health insurance card number
- Marital status
- Information about an individual's family relationships (parents, children)
- Digital account information, personal data reflecting your activities and activity history in cyberspace
- Information that is associated with or can be used to identify an individual, other than as specified in this 2.1.1
(1-2) “Sensitive personal data” refers to personal data related to an individual’s privacy, which, if violated, would directly affect an individual’s legal rights and interests. This includes:
- Political and religious beliefs
- Health status and personal information contained in your health record (excluding information about your blood type)
- Information about racial or ethnic origin
- Information about genetic data relating to an individual's inherited or acquired characteristics
- Information about an individual's biometric or biological characteristics
- Information about an individual's sex life or sexual orientation
- Data about crimes and criminal activity collected and stored by law enforcement agencies
- Information on customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions, including customer identification information, accounts, deposits, deposited assets, transactions, organisations and individuals who are guarantors of credit institutions, bank branches and payment service providers as provided by law;
- Personal location information identified through location services
- Certain other personal data requiring special protection as provided for by law.

(2) “Data Protection Officer” or “DPO” means the individual designated by ESC to be responsible for preventing, detecting and addressing breaches and for ensuring that ESC complies with the provisions of Law relating to the protection of personal data.
(3) “Data Subject” means any individual to whom the Data relates, including all ESC’s stakeholders, such as employees, customers, suppliers and other parties related to ESC’s employment, recruitment, business transactions and services.
(4) “Personal data processing” means one or more activities that affect personal data, such as collection, recording, analysis, review, storage, modification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, making available, transferring, erasure, destruction, or other related activities.
(5) “Personal data protection” refers to the act of preventing, detecting, and managing violations related to personal data in accordance with the law.
(6) “Third Party” refers to any organization or individual other than ESC and Data Subjects as defined in this Policy.
For further clarity, any terms not explained in this Article shall be construed and applied in accordance with the laws of Vietnam.

3. Data Subject Consent

(1) Before processing any personal data, the ESC will obtain the data subject’s consent in a prescribed format.
(2) ESC may process personal data without the data subject’s consent in the following cases:
- To protect the life and health of the Data Subject or another person in an emergency situation.
- To disclose your personal data in accordance with the law.
- To fulfil the data subject’s obligations under contracts with the ESC, associated institutions, organisations and individuals as provided for by law.
- Any other case provided for by law.
(3) Data subjects have the right to withdraw their consent to the processing of their personal data.
(4) The withdrawal of consent shall not affect the lawfulness of the processing of personal data for which the data subject has given consent to ESC before the withdrawal. After receiving the data subject's request to withdraw consent, ESC shall inform the data subject of the possible consequences and damages if the data subject withdraws consent.

4. Collection of personal data

(1) Types of personal data collected:
ESC collects the following personal data about its employees primarily in connection with employment or recruitment:
Name, address, phone number, email address, ID number, passport number, fingerprints, FIN (Foreign Identification Number), date and place of birth, nationality, gender, resume, education history, employment history, etc.
In addition to the Personal Data primarily collected above, ESC will collect other Personal Data from time to time, as defined in this Policy, in accordance with ESC’s operations and current legal regulations.
(2) Collection method
ESC collects personal data in the following ways:
(2-1) Direct communication with data subjects
- Documents, agreements, contracts, transactions, software, systems, records and other materials submitted to ESC
- interactions between the Data Subject and the ESC, including face-to-face meetings, oral and/or written communications between the Data Subject and the ESC, conversations by landline and/or mobile phone, email, messaging or any other means of communication;
- Any other means that ESC may collect when you interact with ESC
(2-2) Interactions with personal data providers
(2-2-1) Personal data providers include, but are not limited to, the following:
- An individual who provides Data of another person, including but not limited to Data of a dependent, legal relative, spouse, child, parent, sibling, guardian, blood relative, foster relative, dependent, friend, acquaintance, beneficiary, beneficiary, insured, authorized person, partner, customer, emergency contact or related individual about whom ESC collects information in accordance with ESC's regulations and applicable law.
- Companies or organisations that provide data of others, including but not limited to employees, employee's dependents, legal relatives, spouses, children, parents, siblings, guardians, blood relatives, foster relatives, dependents, friends, acquaintances, beneficiaries, beneficiaries, insureds, authorized persons, partners, customers, emergency contacts or related individuals about whom ESC collects information in accordance with ESC regulations and applicable law for the purposes of transactions or services with such companies and organisations.
- Other third parties who provide ESC with data about others that is necessary for the operation of ESC in accordance with ESC rules and applicable law.

(2-2-2) When providing personal data of data subjects to ESC, the information provider promises, warrants and assumes the following responsibilities to ESC:
- The information provided to ESC is accurate and complete and you will notify ESC of any changes and errors in the personal data provided to ESC.
- The information provider shall fully inform the data subject and obtain the individual's legal consent/authorization or valid permission to:
- Providing personal data to ESC.
- Allow ESC to process your personal data for the purposes described in Section 5 of this Policy.
- The Information Provider agrees that ESC is not responsible for verifying the legality and validity of this consent/approval/authorization and that preservation of supporting documentation is the Information Provider's responsibility.
(2-3) Other data from which information is generated or aggregated with other data already held by the ESC (the subject matter and content of which is accessible without restriction by law and includes widely distributed public data, such as websites, social networks, newspapers, etc.).

5. Purposes and methods of processing personal data

(1) ESC collects, uses and stores employees’ personal data for the following purposes:
- Contacting employees regarding work
- Fulfillment of social insurance and personal income tax obligations
- Providing employee benefits
- Employee payroll calculation and payment (including bonuses, allowances and deductions)
- Job performance evaluation
- Development of occupational safety and health management systems
- Protection of information systems and information assets
- Creating a contact list for all employees and the general public
- Other matters related to employment management or as required by law
- ESC may continue to use collected personal data even after an employee has left the company.
(2) ESC may collect, use, store and process personal data provided by companies, organizations or other third parties for the following purposes and other activities:
- Communicating with company, organisation or third party personnel on matters related to ESC activities.
- Fulfilling ESC's obligations in relation to the transaction or service.
- Any other matters required by law.
(3) ESC may also process personal data for purposes other than those mentioned above and for related matters in accordance with the law.
(4) ESC carries out personal data processing activities, where appropriate, via systems and software, either manually or in combination with automated means.

6. Disclosure of Personal Data and Personal Data Processors

(1) The ESC is fully aware of the data subjects’ right to confidentiality and privacy.
(2) ESC may disclose or process personal data to vendors who provide the following services to ESC:
- Personnel Advice
- Payroll services
- Accounting services
- Banking Services
- Legal Services
- Data processing services
- Health Insurance Services
- Educational Services
- Other services necessary for the operation of the ESC
(3) In addition to the above, ESC also discloses personal data to authorities or individuals required by law (such as the Ministry of Labor, War Invalids and Social Affairs, tax authorities, social insurance authorities, courts, etc.).
In addition, ESC may disclose Personal Data to limited ESC employees whose jobs require them to maintain, edit or otherwise have access to Personal Data.
(4) When transferring personal data to a third party, ESC will take measures to ensure that personal data continues to receive the same level of protection as provided for by Vietnamese law. ESC declares that when transferring personal data externally, it will be fully in accordance with Vietnamese law.
(5) Unless permitted by law, regulation or guideline, ESC will not use or disclose personal data for other purposes without first identifying and documenting those other purposes and obtaining the written consent of the affected data subjects.

7. Retention of Personal Data

ESC will retain data subjects' personal data for as long as necessary for ESC's business operations.
ESC will immediately cease to retain Personal Data once it reasonably believes that it is no longer relevant for the purposes for which it was collected and is no longer required by law or for ESC's business purposes.

8. Accuracy of Personal Data

ESC usually relies on personal data provided by data subjects (or their authorized representatives). To ensure that personal data is up-to-date, complete and accurate, data subjects are responsible for updating us of any changes to their personal data by notifying our Data Protection Officer in writing or by email at the contact details set out in Article 13 of this Policy.

9. Protection of Personal Data

(1) ESC attaches great importance to ensuring security against the risks of unauthorized access, collection, use, disclosure, copying, modification, disposal, and destruction of personal data. ESC implements security measures, such as firewalls, computer protection, and password-protected files, to enhance the security of personal data stored.
(2) Personal data stored in electronic form will be managed as follows:
- All personal data held electronically will be stored and managed in access-controlled folders to which only authorised persons have access.
- If personal data is sent or received by email, such personal data will be deleted immediately once stored in access-controlled folders.
(3) All hard copy Personal Data will be kept in locked personal data files. ESC will regularly review and implement appropriate security measures in the processing and retention of Personal Data.
(4) In some cases, violations or problems may occur during the processing of personal data (loss, destruction, damage due to incidents, use of technology, force majeure, failure of data processing and control systems, violations by third parties, etc., especially in the case of personal data transmitted over the Internet). Even if protection and security measures are applied in depth, ESC cannot ensure the confidentiality of personal data. Therefore, ESC will implement an emergency response of ESC, which will report and inform lawfully involved parties and the competent authorities within 72 hours after the occurrence of any violation or problem. At the same time, ESC will try to minimize and prevent the consequences and damages as far as possible.

10. Data Subject Rights

(1) ESC respects and protects the following rights with the utmost care:
- Right to know
- Right to consent
- The right to access (including the right to request to view, correct or amend your personal data)
- Right to withdraw consent
- Right to delete data
- Right to restrict data processing
- Right to provide data
- Right to object to data processing
- The right to lodge a complaint, lodge a complaint or take legal action
- Right to claim damages
- The right to self-defense
(2) You may at any time request from ESC copies of ESC records containing your Personal Data, or the deletion, correction or other request of your Personal Data, and ESC must comply with these requests in accordance with the conditions and to the extent permitted by laws, regulations and guidelines.
(3) To make any of the above requests, the data subject is responsible for completing a specific personal data provision request form or personal data management request form and submitting it to our Data Protection Officer.
(4) The ESC has the right to refuse the data subject's request if:
- If the data subject does not comply with the ESC's instructions and procedures.
- if ESC is unable to identify the data subject or verify the accuracy and completeness of the personal data and/or the data subject does not provide documents or documentation to verify his/her identity, the accuracy and completeness of the personal data or provides incomplete documents or documentation.
- If ESC believes there are indications of counterfeiting, fraud or a breach of personal data protection.
- The data subject's request is unlawful.

11. Data Subject Obligations

(1) Protect your personal data.
(2) Respect and protect the personal data of others.
(3) You will provide complete and accurate personal data and documentation verifying the personal data in accordance with this Policy.
(4) to notify ESC in a timely manner of all changes, corrections of errors and updates to the personal data provided to ESC, together with documentation verifying the changes or corrections to the personal data.
(5) Comply with the regulations of the Act on the Protection of Personal Data and prevent violations of the regulations on the protection of personal data.
(6) If you discover or suspect that your personal data has been leaked or that there has been a violation of the protection of personal data under this Policy, you will immediately notify ESC.
(7) To actively cooperate with the ESC, competent government authorities or third parties to address any issues that arise affecting the security of personal data.
(8) You are solely responsible for the information, data, and consents you create, and will be liable if any personal information is leaked or compromised due to your negligence.
(9) Other obligations required by law.

12. Duration of processing of personal data

(1) Initiation: ESC will begin processing personal data immediately after receiving consent from the data subject in the manner described in this Policy.
(2) Termination: ESC will cease processing your personal data when (whichever is the later):
- Upon written request of the data subject (except for any refusal permitted under this Policy)
- The cases stipulated in Article 7 of this Policy.
- Requirements of competent authorities or provisions of law

13. Inquiries

ES CONSULTING VIETNAM CO., LTD.
住所：2 Bis-4-6 Le Thanh Ton Street、Ben Nge Ward、District 1、Ho Chi Minh City、
メール:dpo@esnet.com.vn

2024


ES CONSULTING VIETNAM CO., LTD.
General Director
Shin Takata