Data Protection Policy
A globally applicable data protection and security standard for VINEXT Software Technology Company, regulating the processing of personal data.
1. Introduction
The Corporate Data Protection Policy of VINEXT Software Technology Company ("VINEXT" hereinafter) lays out strict requirements for processing personal data pertaining to customers, business partners, employees or any other individual. It meets the requirements of the European Data Protection Directive and ensures compliance with the principles of national and international data protection laws in force all over the world.
The policy sets a globally applicable data protection and security standard for VINEXT and regulates the sharing of information between VINEXT, subsidiaries, and legal entities. VINEXT has established guiding data protection principles – among them transparency, data economy and data security – as the VINEXT Personal Data Protection Handbook and ISM guidelines.
"VINEXT managers and employees are obligated to adhere to the Corporate Data Protection Policy and observe their local data protection laws. As the Global Data Protection Officer, it is my duty to ensure that the rules and principles of data protection at VINEXT are followed around the world. I will be pleased to answer any questions you have about data protection and international personal data transfer."
Michael Hering
Global Data Protection Officer | support@vinext.vn | 037.401.8578
1.1. Purpose
This Data Protection Policy applies worldwide to VINEXT, subsidiaries as well as legal entities and is based on globally accepted, basic principles of data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of VINEXT as a first-class employer.
The Data Protection Policy provides one of the necessary framework conditions for cross-border data transfer among VINEXT, subsidiaries, and legal entities. It ensures an adequate level of data protection prescribed by the European Union General Data Protection Regulation, PDPD13, Draft PDPL91 VN, APPI, PDPA or other national Personal Data Protection Regulations and national laws for cross-border data transmission, including to countries which do not yet have adequate data protection laws.
1.2. Application Scope
See Policy_PIMS Scope_v1.5.
1.3. Application of national Laws
This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy.
1.4. Prevention of national and international Data Protection Laws Violations
The Global Data Protection Officer (GDPO), reporting to the board member responsible for Data Protection (CFO), oversees the compliance and regulatory functions of VINEXT, with the goal of identifying, reducing, and monitoring all areas of possible regulatory and reputational risk regarding personal data processing.
The Personal Data Protection Handbook is revised and supplemented twice a year. New employees are informed about the Handbook and QMS. The GDPO periodically provides online personal data protection education programs on VINEXT’s online training platform to keep employees informed about current regulatory developments.
2. Policy
2.1. Guiding principles
- Principle 1: Lawfulness, fairness and transparency.
- Principle 2: Purpose limitation.
- Principle 3: Data minimization.
- Principle 4: Providing clear information to data subjects.
- Principle 5: Ensuring special safeguards if collecting from children.
- Principle 6: Accuracy.
- Principle 7: Maintaining a documented inventory.
- Principle 8: Storage limitation.
- Principle 9: Respecting data subject rights (Right to claim damage, Right to self-protection).
- Principle 10: Integrity and confidentiality.
- Principle 11 & 12: Appropriate safeguards for international transfer (Standard Contractual Clauses).
- Principle 13 & 14: PIMS Implementation & Strong governance via GDPO.
- Principle 15: Maintain records of processing.
2.2. Customer and Provider Data (3rd party)
2.2.1 Data processing for a contractual relationship
Personal data of customers and providers can be processed in order to establish, execute and terminate a contract. The public must have access to information about VINEXT's Personal Data Protection principles and must be able to communicate with the GDPO.
2.2.2 Consent to data processing
Data can be processed following consent by the data subject. The declaration of consent must be obtained in writing or electronically. The consent must be given freely, specific to the purpose and unambiguous.
2.2.3 Data processing pursuant to legal authorization & 2.2.4 Legitimate interest
Processing is permitted if national legislation requests or allows this. Personal data can also be processed if it is necessary for a legitimate interest of VINEXT (e.g., collection of outstanding receivables, avoiding breaches of contract).
2.3. Employee Data
In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily.
Telecommunications and Internet: Telephone equipment, e-mail, intranet, and internet are provided primarily for work-related assignments. There will be no general monitoring of telephone and e-mail communications. Evaluations can be conducted only in a concrete, justified case of suspected violations.
2.4. Access Request of state/government or regulatory body
Requests are handled by strictly following the requirements of the national law. All access requests are registered and managed by the GDPO, subject to agreement with the CFO/COO.
3. Data Protection Control
Compliance with the Data Protection Policy and the applicable laws is checked annually with data protection audits and other controls. The performance of these controls is the responsibility of the Data Protection Representatives. The results must be reported to the GDPO and the CFO/COO.
4. Technical and Organizational Measures
As a company processing Personal Data, VINEXT must implement technical and organizational procedures to ensure compliance with the European Data Protection Regulation and other international laws. Confidentiality, integrity, availability and resilience must be guaranteed.
4.1. Confidentiality
a) Access Control / Building Security
b) Physical Access Control / System Protection
c) Electronic Access Control
4.2. Integrity
Data Transfer Control: Establishment of dedicated lines/VPN, Email encryption, Physical transport selection, Data transfer in anonymous/pseudonymous way, Use of encrypted external devices.
Input Control: Permission settings, continual logging of inputs/modification/deletion, activity logs.
4.3. Availability and Resilience
Server rooms equipped with air conditioning, fire extinguishers. Back-ups stored separately in a safe place. Emergency plan, Business continuity plan, Regular data file back-ups, Recovery testing.
5. Personal Data Protection Training
Every new employee must attend the first-day Personal Data Protection training. Every employee processing personal data must complete the training on the VINEXT Training Platform, including a successful exam, before starting personal data processing. Annual refresher training is also mandatory.
Extended training is mandatory for every PM, DM, SDM and team lead involved.
6. Global Data Protection Officer
The Global Data Protection Officer works towards compliance with national and international data protection regulations. Any data subject may approach the GDPO at any time to raise concerns or make complaints.
Contact Details:
Name: Cao Thanh Duc, Global Data Protection Officer
Company: VINEXT Software Technology Company
Address: Hoa Binh Village, Tuyen Phu Commune, Quang Tri Province, Vietnam
Phone: 037.401.8578
Email: support@vinext.vn
7. Responsibilities and Disciplinary
The executive bodies of VINEXT, subsidiaries and legal entities are responsible for data processing in their area of responsibility. Managing directors and CEOs are responsible for ensuring that organizational, HR and technical measures are in place.
Improper processing of personal data, or other violations of the data protection laws, can be criminally prosecuted in many countries, and result in claims for compensation of damage. Violations for which individual employees are responsible can lead to sanctions under employment law.
8. Supplementary Guidelines and Documents
Every VINEXT employee can find the full suite of Policies, Guidelines, Procedures, and Templates on the platform QMS. This includes:
- Policy_Personal Data Protection Training
- Policy_Privacy Statement
- Guideline_Personal Data Retention
- Guideline_Risk Management DPIA
- Template_Data Subject Access Request
- Procedure_Personal Data Breach Notification
9. Exceptions
Any exception must be reviewed and approved by the Global Data Protection Officer and also approved by the responsible board member of VINEXT (CFO/COO) / Managing Director / CEO of a Subsidiary Company/Legal Entity.
10. Appendix
10.1. Definitions
- PII / Personal Data: Any information relating to an identified or identifiable natural person.
- Data Subject: Any individual person who can be identified, directly or indirectly.
- Data Controller: The natural or legal person which determines the purpose and means of processing.
- Data Processor: Processes data on behalf of the controller.
- DPO/GDPO: Data Protection Officer / Global Data Protection Officer.
- DPIA: Data Protection Impact Assessment.
10.3. Data Protection Law, Vietnam, Overview
There is no single data protection law in Vietnam. Regulations on data protection and privacy can be found in various legal instruments. The most important Vietnamese legal documents regulating data protection are the Cybersecurity Law and Network Information Security Law.
On July 1, 2025, Law 91/2025/QH15, the Personal Data Protection Law (PDPL), was published to the national database on legal documents, coming into force on 01.01.2026. On July 1, 2025, Law No. 60/2024/QH15, the Data Law, entered into effect.