CUSTOMER PERSONAL DATA PROTECTION POLICY

Policy Statement:
VinaCapital Group Ltd (hereinafter referred to as (“VinaCapital” or the “Company”) respects the privacy and protects the personal data of customers and related parties in accordance with Vietnamese law as well as the strict requirements the Company has implemented.

VinaCapital’s Customer Personal Data Protection Policy (the “Policy”) applies to individuals and entities that VinaCapital interacts with, including external investors; potential customers; existing customers; investors who are organizations and their personnel, as well as employees of VinaCapital; suppliers, customers accessing VinaCapital’s website, as well as customers who have been using the products and services of VinaCapital (hereinafter referred to as the “Customer”).

This Policy is effective from 01 July 2023 until further notice.

1. Definitions and Abbreviations

The defined terms are capitalized and the definition of the term is shown in the table below:

2. Introduction

VinaCapital respects the privacy and protects the Personal Data of the Customer and related people in accordance with Vietnamese law as well as the strict requirements it has implemented.

VinaCapital will only collect, use, store, and process the Customer’s Personal Data in accordance with the law (including Decree No. 13/2023/ND-CP dated 17 April 2023 on Personal Data protection and documents amending, supplementing and replacing this Decree from time to time), this Policy, contracts, and other agreements/commitments (if any) between the Customer and VinaCapital.

3. Subject of Application

The Policy includes the content of the Customer Personal Data processed by VinaCapital, the purpose of processing Personal Data, how Personal Data is processed, who Personal Data is shared with, Personal Data storage policy, the Customer’s rights and obligations with respect to Personal Data and other related content.

By accepting during the registration process or using VinaCapital’s products and services, and/or allowing VinaCapital to process the Customer’s Personal Data, the Customer voluntarily agrees to all of the content mentioned in this Policy.

In case a Customer provides Personal Data of a third party (such as information of dependents, spouses, children, parents, siblings, beneficiaries, authorized persons, custodian, partner, emergency contact or other related person) to VinaCapital, the Customer guarantees and ensures that the Customer has obtained the consent and authorization of such third party as required by law applicable to the processing of Personal Data (including but not limited to collection, use and disclosure) and must inform VinaCapital as the subject of such processing Personal Data for the purposes set forth herein.

4. Types of processed Personal Data

To serve for the signing, business activities, investment, reporting, contract to settle the interests of the Customer, individual investors, employees, and perform the obligations of VinaCapital to the Customer, competent State Authorities, etc., VinaCapital (including VinaCapital’s related party processing data, or third parties, depending on the purpose) will need to process the Customer’s Personal Data (collect, record, analyze, confirm, store, modify, use, make public, combine, access, retrieve, withdraw, encrypt, decrypt, copy, share, transmit, provide, transfer, deletion, destruction of personal data or other related actions). Processed Personal Data may include Basic Personal Data and/or Sensitive Personal Data.

4.1. BASIC PERSONAL DATA

a) Full name, middle name and given name, other name (if any);

b) Date of birth; day, month, year of death or declared missing;

c) Gender;

d) Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;

e) Nationality;

f) Image of the individual;

g) Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, medical insurance number;

h) Marital status;

i) Information on family relationships (parents, children);

j) Information about the individual digital’s accounts; Personal Data reflecting online activity , including historical activity;

k) Other information relating to a particular person or helping to identify a particular person that is not covered by paragraph 4.2 below.

4.2. SENSITIVE PERSONAL DATA

Sensitive Personal Data is Personal Data associated with an individual’s privacy that, when violated, will directly affect an individual’s legitimate rights and interests, including:

a) Political and religious opinions;

b) Health conditions and personal information stated in health records, excluding information on blood group;

c) Information about racial or ethnic origin;

d) Information about genetic data related to an individual’s inherited or acquired genetic characteristics;

e) Information about an individual’s own biometric or biological characteristics;

f) Information about an individual’s sex life or sexual orientation;

g) Data on crimes and criminal activities collected and stored by law enforcement agencies;

h) Customer information from credit institutions, foreign bank branches, payment service providers and other licensed institutions, including the Customer’s identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;

i) Personal location identified via location services;

j) Other specific Personal Data as prescribed by law that requires special protection;
Depending on the role of VinaCapital in each specific situation:
(i) The controller of Personal Data; or/and
(ii) The party processes Personal Data; or /and
(iii) The Controller and party processing of Personal Data.

VinaCapital will exercise its respective powers and responsibilities in accordance with applicable laws.

5. Purpose of Processing Personal Data

VinaCapital may process the Customer’s Personal Data for the following listed purposes (“Purposes”), case by case, including but not limited to:

• Comply with legal obligations before opening an account/establishing a relationship with a client, including performing “ Customer Recognition”, implementing Anti-Money Laundering procedures and other required processes as required by law and our internal policies and procedures;
• Provide financial services to the Customer, including services of fund management, investment advisory and portfolio management; investment trust;
• Execution of trading orders and investment instructions as well as necessary work to provide services to the Customer;
• Provide Customer care services;
• Provide information and reports on funds/services managed/provided by VinaCapital;
• Communicate with the Customer (for example, by email, phone, text, social media, mail or face-to-face contact) and ensuring that these forms of communication comply with applicable laws;
• Maintain and update the Customer’s contact information;
• Introduce products and services provided by VinaCapital;
• Perform rights and obligations under the contract signed between VinaCapital and the Customer;
• Business activities within VinaCapital;
• Operate and manage the Company’s website; provide information to the Customer; display advertisements and other information to the Customer; communicate and interact with the Customer through the Company’s websites;
• Manage the Company’s communication system; operate the security system and check computer safety;
• Ensure security at the Company’s premises (including records of the Customer’s arrival at the Company’s premises and CCTV recordings) and electronic security (including log-in records and access details when the Customer accesses the Company’s electronic systems);
• Detect, investigate and prevent violations of the Policy and criminal offenses in accordance with current laws;
• Establish, exercise and defend the Company’s legal rights and conduct legal proceedings;
• Comply with applicable laws, regulations and other requirements; and
• Other purposes as prescribed by the current laws;

6. Personal Data processing timeline

6.1. STARING TIME TO PERSONAL DATA PROCESSING

VinaCapital will start processing the Customer’s Personal Data from the time of receipt of Personal Data until further notice.

6.2. ENDING TIME OF PERSONAL DATA PROCESSING

VinaCapital will stop or suspend the processing of the Customer’s Personal Data in the following cases (whichever comes first):

• – At the Company’s written request in accordance with this Policy and relevant regulations/ agreements/ contracts;
• – The service contract is terminated and the parties have fulfilled their relevant rights and obligations;
• – End of the dispute, complaint by agreement/judgment/decision with legal effect;
• – Subject to the provisions of current laws;

However, VinaCapital may continue to store Personal Data to meet its legal obligations and VinaCapital is responsible for keeping Personal Data confidential in accordance with the law.

7. Sharing and Transferring of Personal Data

In order to carry out the purposes and the processing of Personal Data in accordance with this Policy, VinaCapital may share and transfer the Customer’s Personal Data or Personal Data of third parties related to the Customer to the following parties:

a) Employees and contractors of VinaCapital;

b) Companies and/or organizations within VinaCapital Group;

c) Parties providing insurance products for VinaCapital including, but not limited to, individuals and organizations providing insurance consulting services to VinaCapital;

d) VinaCapital’s auditors, consultants and lawyers;

e) Medical examination and treatment services to VinaCapital;

f) Competent state authorities (including the US Internal Revenue Service and FATCA reporting requirements);

g) Vietnam Securities Business Association, Securities Depository Center, Custodian Bank, Depository Bank;

h) Any person, authority or regulatory bodies or third parties that VinaCapital is authorized or required to disclose under the laws of any country, or under any other contract or undertaking between the third party and VinaCapital;

i) Any individual involved in exercising or maintaining any rights or obligations under the Customer’s agreement(s) with VinaCapital;

j) Service providers for VinaCapital that data sharing is necessary for VinaCapital to be able to perform its obligations to the Customer;

k) Individuals/organizations authorized by VinaCapital;

l) Outsourcing service provider(s) for VinaCapital;

m) Third parties responsible for data processing for Personal Data under contracts and agreements with VinaCapital, including research, survey and rating agencies;

n) Credit institutions, payment intermediary service providers;

o) Parties with the Customer’s consent or with whom VinaCapital has a legal basis to share the Customer’s Personal Data; Apart from the above cases, VinaCapital will not disclose the Customer’s Personal Data to any other party unless:

(i) With the Customer’s consent; or
(ii) VinaCapital is required or permitted to disclose in accordance with the law; or
(iii) VinaCapital transfers rights and obligations under the agreement(s) between the Customer and VinaCapital.

In the event of an overseas transfer of Personal Data, VinaCapital will use all reasonable efforts to require the receiving party to ensure that the Personal Data transferred to them will be treated with an appropriate level of security and safety. VinaCapital ensures compliance with legal and regulatory obligations related to the transfer of Personal Data abroad.

8. Personal Data Protection

VinaCapital regularly reviews, evaluates and updates the management of and technical measures when processing and storing the Customer’s Personal Data. VinaCapital’s employees are trained to handle Personal Data securely and with the utmost care.

In case of detection of a violation against regulations on protection of Personal Data, VinaCapital will proceed to notify the competent authorities and related parties of the violation within the time limit prescribed by law and apply reasonable measures to settle and minimize any damage of such violation within VinaCapital’s ability.

9. Customer’s Rights and Obligations to Personal Data

9.1. As a data owner, the Customer’s has the following rights:

(i) Right to be informed;

(ii) Right to give consent;

(iii) Right to access;

(iv) Right to withdraw consent;

(v) Right to delete Personal Data;

(vi) Right to obtain restriction on processing;

(vii) Right to obtain Personal Data;

(viii) Right to refuse data processing;

(ix) Right to file complaints, denunciations and lawsuits;

(x) Right to claim damage;

(xi) Right to self-protection;

(xii) and other related rights as prescribed by law.

9.2. The Customer may exercise rights by contacting VinaCapital via the contact details provided in Section 13 of this Policy.

VinaCapital will fulfill a legal and valid request from the Customer in accordance with the provisions of current law from the date of receipt of a valid request.

9.3. In the event that the Customer withdraws consent to the processing of Personal Data, request data deletion and/or exercise other relevant rights with respect to any or all of the Customer’s Personal Data, and depending on the nature of the Customer’s request, VinaCapital may review and decide not to continue providing the product(s) and/or service(s). The acts performed by the Customer in accordance with this Policy may be considered as a request to terminate the contract of using services and products between the Customer and VinaCapital. VinaCapital will not be liable to the Customer for any loss incurred.

9.4. VinaCapital relies on the Customer’s Personal Data to provide product(s) and/or service(s), therefore, the Customer needs to ensure that at all times, the information provided by the Customer to VinaCapital is true, accurate and complete. The Customer needs to promptly notify VinaCapital of any changes to the information provided.

9.5. The Customer has obligations in the protection of the Customer’s and other individua’s Personal Data as listed below:

• Self-protect the Customer’s Personal Data; request other relevant organizations and individuals to protect their Personal Data.
• Respect and protect the Personal Data of the others.
• Provide complete and accurate Personal Data when agreeing to allow the processing of Personal Data.
• Participate in circulation and dissemination of Personal Data protection workshops and/or conferences.
• Comply with the provisions of the law on the protection of Personal Data and participate in the prevention and combat of violations of regulations on the protection of Personal Data.
• Other obligations set forth in applicable laws and regulations.

10. Storage of Personal Data

The Customer’s Personal data stored by VinaCapital will be kept confidential.

VinaCapital will take appropriate measures to protect the Customer’s Personal Data.

VinaCapital processes and stores the Customer’s Personal Data for as long as necessary to fulfill the Purposes under this Policy, unless a longer retention period of Personal Data is required or permitted by applicable laws.

11. Other related matters

The Customer fails to provide Personal Data upon request or not consent to allow VinaCapital to process Personal Data that it considers necessary and/or required to meet legal requirements may cause VinaCapital to not be able to fulfill the Purposes set forth in this Policy and/or comply with VinaCapital’s legal obligations, therefore, VinaCapital may NOT be able to:

• Provide the service that the Customer requests or carry out the Customer’s instruction/request;
• Maintain the provision of VinaCapital’s services to the Customer;
• Perform rights and obligations under the contract between VinaCapital and the Customer;
• Verify the Customer’s identity (including for the purpose of keeping Customer’s information secure);
• Provide necessary information related to the Customer’s investment in time of VinaCapital provides services to the Customer;
• Personalize the Customer’s experience with VinaCapital’s services; or
• Inform the Customer about products and services that may be relevant to the Customer’s interests or needs;
• And new products, new utilities in the future.

In the event that the Customer restricts or does not agree to allow VinaCapital to process Personal Data / withdraw the Customer’s consent to the processing of Personal Data / object to the processing of Personal Data and/or exercise other rights that would result in VinaCapital not processing Personal Data, the Customer understands and acknowledges that VinaCapital may not/cannot continue to provide the product(s) and/or services to the Customer, and VinaCapital reserves the right to terminate the provision of the relevant product(s) and/or service(s) without compensation and the Customer is obliged to perform all obligations and services owed by the Customer to VinaCapital at the time VinaCapital ceases to provide such product(s) and/or service(s).

However, VinaCapital may still retain and process the Customer’s Personal Data in accordance with the requirements of applicable laws and regulations or of any competent authority.

12. Amendments and Supplements

This Policy must be reviewed at least once a year or whenever there are any material changes or events that may materially affect this Policy.

Notice of amendments and supplements will be posted on VinaCapital’s website and/or other channels that VinaCapital considers appropriate.

13. Contact Information

In case the Customer has any questions regarding this Policy or VinaCapital’s processing of Personal Data, the Customer may contact VinaCapital using the following information:

Hotline: 1900 636 553
Email: irwm@vinacapital.com

14. Version Control