Privacy Policy of VPBank NEO

PART P – GENERAL TRANSACTION TERMS AND CONDITIONS ON THE PROTECTION OF CUSTOMERS’ PERSONAL DATA 

(Attached to the General Transaction Terms and Conditions on the Provision and Use of Non-Credit Services applicable to Individual Customers at VPBank)

Article 1. VPBank’s Commitment to the Protection of Personal Information 

1. The Terms and Conditions in this Part P apply to individual customers of VPBank and any individual whose Personal Data is processed by VPBank (hereinafter collectively referred to as the “Customer”). 

2. The Terms and Conditions in this Part P explain the following VPBank policies relating to the protection of the Customer’s Personal Data: 

a. The types of Personal Data collected by VPBank and how VPBank collects such Personal Data; 

b. How VPBank processes Personal Data, including but not limited to activities such as recording, establishing, structuring, storing, adjusting or modifying, retrieving, consulting, using, disclosing, aligning or combining, restricting, erasing, or destroying Personal Data; 

c. The recipients of Personal Data disclosed by VPBank; 

d. This Personal Data Protection Policy also guides Data Subjects on how to exercise their rights related to their Personal Data. 

3. VPBank commits to complying with the following principles in the processing of Personal Data: 

a. The Personal Data of the Customer and any individual whose Personal Data is processed by VPBank is processed lawfully, fairly, transparently, and in compliance with applicable laws; 

b. The Customer’s Personal Data is collected for specific, clear, lawful purposes and will not be processed beyond the purposes stated in this Policy and in accordance with applicable laws; 

c. The Customer’s Personal Data is stored appropriately and only to the extent necessary for processing purposes in accordance with applicable laws; 

d. The Customer’s Personal Data is accurate and kept up to date, and inaccurate data relevant to processing purposes will be promptly erased or rectified in accordance with applicable laws; 

e. VPBank applies appropriate technical and organizational measures in accordance with applicable laws to ensure an appropriate level of security for Personal Data, including protection against unauthorized or unlawful access and against accidental destruction, loss, or damage; 

f. VPBank also requires its partners and related parties to comply with appropriate Personal Data protection requirements in contracts and documents entered into with VPBank; 

g. In cases where the law permits the processing of Personal Data without the Data Subject’s consent, VPBank is entitled to proactively carry out such processing in accordance with the law; 

h. In addition to the above principles, VPBank commits to complying with other principles prescribed by law on Personal Data protection, particularly those relating to Data Subject rights and obligations concerning cross-border data transfers;

i. VPBank ensures that Personal Data protection is fully implemented in accordance with the General Transaction Terms and Conditions set out in this Part P and the documents and agreements entered into with the Customer. 

Article 2. Types of Personal Data Collected by VPBank and Methods of Collection 

1. Types of Personal Data Collected 

In order to process Customer requests, provide products and services, and comply with applicable laws, VPBank may collect and process the following basic Personal Data and sensitive Personal Data of the Customer: 

a. Surname, middle name, and given name at birth; other names (if any); 

b. Date, month, and year of birth; date, month, and year of death or missing status; 

c. Gender; 

d. Place of birth; place of birth registration; permanent residence; temporary residence; current residence; hometown; contact address; 

e. Nationality; 

f. Personal images; 

g. Phone number; identity card number; personal identification number; passport number; driver’s license number; vehicle license plate number; personal tax identification number; social insurance number; health insurance card number; 

h. Marital status; 

i. Information on family relationships (parents, children); 

j. Information on digital accounts of individuals; Personal Data reflecting activities and activity history in cyberspace; 

k. Other information associated with or capable of identifying a specific individual; 

l. Information automatically collected when the Customer uses VPBank’s website, mobile applications, and other communication channels, such as IP address, cookies, device identifiers, etc.; 

m. Political opinions; religious beliefs; 

n. Health status and private life recorded in medical records, excluding blood group information; 

o. Information related to racial or ethnic origin; 

p. Information on inherited or acquired genetic characteristics of an individual; 

q. Information on physical attributes and unique biological characteristics of an individual; 

r. Information on sexual life or sexual orientation of an individual; 

s. Data on criminal records and criminal acts collected and stored by law enforcement authorities; 

t. Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other licensed organizations, including: customer identification information as prescribed by law; account information; deposit information; entrusted assets; transaction information; information on organizations or individuals acting as guarantors at credit institutions, bank branches, or payment intermediary service providers; 

u. Location data of individuals determined via positioning services; 

v. Other Personal Data related to the provision of our products and services and in accordance with applicable laws. 

2. Methods of Collection and Processing of Personal Data 

a. VPBank, in its capacity as a Personal Data Controller and Processor, and the Personal Data Processors engaged by VPBank—through VPBank employees, representatives, units, and individuals having lawful relationships with VPBank—may collect such data from Customers when they request, register for, inquire about, or use VPBank products and services, or during VPBank’s provision of any products and services, from various sources including but not limited to:

i. Through the relationship between the Customer and VPBank, such as information provided in application forms or transaction documents, when the Customer uses products or services, participates in surveys, promotions, competitions, or during financial assessments; 

ii. Through verbal or written communications between the Customer and VPBank and/or its authorized agents; 

iii. From suppliers, service providers, partners, merchants, and third parties, including but not limited to survey consultants, social media, marketing, credit references, fraud prevention, data aggregation, infrastructure and facility support providers, and other third parties related to VPBank’s business operations; 

iv. From third parties having relationships with the Customer, such as employers, co-account holders, guarantors, security providers, co-partners, co-managers, or co-shareholders;

v. From credit reporting agencies, credit reference providers, government authorities, or information collected from publicly available sources, guidelines, or registries; 

vi. From the State Bank of Vietnam or other competent authorities in Vietnam or abroad; 

vii. From analysis of the Customer’s use and management of accounts/facilities at the Bank, transactions conducted by the Customer, and payments made to/from the Customer’s accounts/facilities; 

viii. Through files created by websites accessed by the Customer (cookies) or similar monitoring tools; and/or 

ix. From third-party sources to which the Customer has consented or which are required or permitted by law.

b. The Customer’s Personal Data may be collected at VPBank’s business network, by VPBank units and individuals, and via communication systems including but not limited to websites, telephones, landline and mobile calls, emails, messages, chat rooms, and other communication channels. 

c. For clarification, Customer information may be collected from data provided by the Customer, from VPBank’s requests to the Customer (or the Customer’s representative), collected directly by VPBank, or obtained from information providers (including publicly available information), created or aggregated together with other information VPBank possesses. 

d. VPBank only carries out Personal Data collection activities within the scope permitted by law to serve lawful purposes or purposes required by law. Such purposes include but are not limited to: (a) record-keeping; (b) compliance with applicable laws and regulations; (c) compliance with internal regulations and policies; (d) facilitating the management, support, and development of lawful products and services; (e) security, crime prevention, and anti-fraud purposes; and (f) investigation or detection of unauthorized, unlawful, or abusive use of VPBank’s services, systems, or documents.

e. Depending on the purposes of processing, VPBank and its engaged Data Processors may apply appropriate processing methods, including but not limited to automated and non-automated processing methods and other methods ensuring data protection requirements.

Article 3. Processing of Personal Data 

1. Purposes of Processing 

VPBank and its Data Processors may process Personal Data for one or more of the following purposes. Personal Data processing is understood as one or more operations performed on Personal Data, such as collection, recording, analysis, verification, storage, modification, disclosure, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, erasure, destruction, or other related actions: 

a. To identify, verify, and maintain accurate Customer identification information (KYC); to conduct AML, credit, and other required checks; 

b. To assess, evaluate, appraise, and approve the provision of products and services based on Customer applications and/or related persons; 

c. To verify, build, and assess the Customer’s reliability in using products and services; 

d. To perform contractual obligations and provide products and services; 

e. To consider the provision or continued provision of any VPBank products or services; 

f. To provide customer care and resolve complaints and disputes; 

g. To contact Customers; conduct direct or indirect marketing; implement promotional programs; reward redemption, gift delivery, and prize awarding; 

h. To better understand Customers’ investment needs and current and future financial conditions; 

i. For data entry and verification of completeness and accuracy of data provided or entered into systems; 

j. To improve, enhance, personalize, and customize products and services, including VPBank’s online services, and to develop new products and services; 

k. To fulfill reporting, financial, accounting, and tax obligations; 

l. To conduct audit, risk management, and compliance activities; 

m. To provide information to credit rating agencies, credit information service providers, auditors, or competent authorities as required by law; 

n. To serve internal operational purposes of the Bank and its affiliates, including credit and risk management, system planning and development, product development, insurance, auditing, and administration; 

o. To protect or enforce VPBank’s lawful rights, including fee collection and debt recovery; 

p. To comply with agreements and contracts between VPBank and other parties; 

q. To provide information to VPBank’s suppliers and service providers; 

r. To generate data, reports, and statistics for VPBank or related third parties or at the request of the State Bank of Vietnam or competent authorities; 

s. To conduct market research, surveys, and data analysis related to VPBank products and services; 

t. To assess risk, analyze trends, perform statistical and planning analysis, including credit, risk, and AML scoring systems and maintenance of credit history data; 

u. To carry out transactions such as transfer, disposition, merger, or acquisition relating to VPBank’s operations; 

v. To detect, prevent, and investigate crimes, attacks, or violations including fraud, money laundering, terrorist financing, bribery, corruption, or tax evasion; 

w. To fulfill corporate social responsibility; 

x. To comply with legal obligations, international treaties, commitments, and competent authority requirements; 

y. To ensure VPBank’s legitimate business purposes or to enforce or protect lawful rights of VPBank and its affiliates; 

z. To carry out other activities related to the provision, operation, management, development, and enhancement of VPBank services; 

aa. To provide card services or handle suspected fraud, impersonation, or legal violations; 

bb. To provide payment services and handle suspected fraud, impersonation, or legal violations. 

2. VPBank will obtain the Customer’s consent before using Personal Data for purposes other than those agreed upon in documents referencing Personal Data protection and the General Transaction Terms and Conditions in this Part P. 

3. Organizations and individuals authorized to process Personal Data and other related organizations and individuals: In order to provide products and services to the Customer, manage and operate such products and services, and serve the purposes as declared above, VPBank may disclose the Customer’s Personal Data or the Personal Data of parties related to the Customer to the following Data Processors: 

a) Competent authorities that request the provision of information in accordance with applicable laws; 

b) Entities providing credit information services, credit rating and evaluation services, auditing services; rating organizations; insurance companies or insurance brokers; or providers of credit‑related services; 

c) Any member of VPBank; subsidiaries, affiliated companies, companies within the same group, and ecosystem entities of VPBank as determined by VPBank; 

d) Any court, arbitration body, or competent authority, whether governmental or non‑governmental, that has jurisdiction over or requires the enforcement of obligations by VPBank; 

e) Any contractors, agents, service providers, consultants, or affiliates of VPBank (including their employees, directors, and officers); organizations acting as vendors, suppliers, partners, or agents, including but not limited to companies providing business support services to VPBank such as administrative services, postal services, telemarketing, direct sales, human resources provision, data processing, information technology and computer services, legal services, debt collection, customer search and verification, custody services, market research, data modeling, record storage, data entry, SMS and email delivery, valuation, consultancy services, and other business process support services; 

f) Any person acting on behalf of the Customer (payment recipients, beneficiaries, persons designated in relation to the Account, intermediary banks, confirming banks, and agent banks, etc.); 

g) Business partners and related partners cooperating with VPBank in developing or providing, or related to the development or provision of, VPBank’s products and services; or related to the provision or development of such partners’ products and services to Customers; 

h) Any individual, competent authority, regulatory authority, or third party that VPBank is permitted or required to disclose information to under the laws of any country or under any contract or other commitment between such third party and VPBank; 

i) Other related parties that VPBank deems necessary to satisfy or protect the lawful rights and interests of the Customer; 

j) The Customer’s advisors, including accountants, auditors, lawyers, and financial advisors; 

k) Any person notified, authorized, or permitted by the Customer to provide information for transaction purposes on behalf of the Customer; 

l) The police or any public official conducting investigations related to any violations, including suspected violations; 

m) Disclosure of data made with the Customer’s consent; or 

n) Disclosure of information consented to by the Customer when the Customer uses other products or services of the Bank. 

4. In addition to VPBank, member companies and organizations of VPBank, subsidiaries of VPBank, and VPBank’s strategic partners may contact the Customer regarding products and services that VPBank believes may be of interest to the Customer or may offer incentives or financial benefits to the Customer. 

5. Cross‑border transfer of Personal Data: In order to carry out the purposes of Personal Data processing as agreed with the Customer under the General Transaction Terms and Conditions set out in this Part P and other documents and agreements entered into with the Customer, VPBank may share or transfer the Customer’s Personal Data to VPBank’s related third parties, which may be located in Vietnam or in any other jurisdiction. When transferring Personal Data abroad, VPBank shall require the receiving party to ensure the security of the transferred data. VPBank commits to fully complying with Vietnamese legal regulations and compliance requirements to ensure the safety and protection of the Customer’s Personal Data. 

6. Duration of Personal Data processing: Depending on each specific activity, Personal Data may be processed by VPBank after it is provided or collected and shall terminate upon completion of processing in accordance with the applicable purposes, or until the Customer requests the deletion of the Personal Data provided. 

7. Possible unintended consequences or damages: The processing of Personal Data may involve risks of data leakage or improper data processing. VPBank always regards the Customer’s Personal Data as a valuable asset requiring confidentiality and therefore places great importance on ensuring the security of the Customer’s Personal Data. VPBank commits to applying appropriate protective measures and to regularly reviewing and updating the managerial and technical measures for processing the Customer’s Personal Data. 

Article 4. Data Processing Notification 

The Customer confirms that, by accepting the General Transaction Terms and Conditions set out in this Part P, the Customer has been informed by VPBank, has acknowledged, and has agreed to all contents required to be notified prior to VPBank’s processing of data, as detailed in Article 3 of the General Transaction Terms and Conditions set out in this Part P. Accordingly, VPBank is not required to repeat such notifications prior to processing the Customer’s Personal Data. 

Article 5. Customer Rights and Obligations 

1. Right to be informed and Right to consent: VPBank respects the Customer’s right to be informed and right to consent with respect to data processing activities. Documents and communications relating to data protection, together with the General Transaction Terms and Conditions set out in this Part P, are provided by VPBank and fully communicated to the Customer so that the Customer may clearly express consent and confirm authorization for VPBank to process the data. 

2. Right of access, provision, and rectification of Data:  

a) Except where otherwise provided by law, the Customer has the right to request VPBank to confirm the Customer’s Personal Data and/or to request rectification of the Customer’s Personal Data held by VPBank; 

b) For security purposes, the provision, access, and rectification of the Customer’s Data may be required to be carried out in appropriate forms, processes, and procedures. The Customer is requested to fully comply with the procedures and requirements as notified by VPBank in order to receive support; 

c) Using reasonable efforts, VPBank shall comply with the Customer’s request to provide or rectify Personal Data within seventy‑two (72) hours from receipt of a complete, valid request and any related processing fees (if any) from the Customer; 

d) VPBank reserves the right to refuse access in certain cases, for example where VPBank is unable to verify the Customer’s identity, where the requested Data is of a commercial or confidential nature, or where VPBank determines that there is a violation or indication of violation of Personal Data protection regulations; 

e) VPBank reserves the right to allow the Customer to rectify Personal Data as requested or to require the Customer to provide additional documents or evidence to verify the accuracy of the new data. 

3. Right to withdraw consent, right to erasure of data, right to restriction of data processing, and right to object to data processing: 

a) The Customer may withdraw his/her consent to any or all data processing activities agreed with VPBank; may request the erasure of data, restriction of data processing, and/or object to data processing; 

b) The Customer’s requests must be made in the prescribed written request form and in accordance with the processes and procedures stipulated by VPBank. Such requests shall be received at VPBank’s business locations or through other methods as stipulated by VPBank from time to time; 

c) When the Customer withdraws consent for any or all purposes, requests the erasure of Personal Data, requests restriction of data processing, or objects to data processing, depending on the Customer’s request, the implementation of such requests may result in VPBank’s provision of products and services being limited, restricted, suspended, terminated, obstructed, or prohibited, on a case‑by‑case basis. For the avoidance of doubt, VPBank may be unable to provide the Customer with products and services in a complete manner or with the usual quality, or may, at its discretion, decide to discontinue or not continue providing certain products or services. VPBank shall not be liable to the Customer for any losses arising therefrom, and VPBank’s lawful rights shall be expressly reserved with respect to such limitation, restriction, suspension, termination, obstruction, or prohibition; 

d) In cases where the Personal Data provided by the Customer constitutes a prerequisite for the provision of products or services, any request by the Customer to withdraw consent, erase data, or restrict data processing may be deemed by VPBank as the Customer’s decision to terminate any contractual relationship between the Customer and VPBank; 

e) The Customer’s requests under this Clause 3 shall not affect the lawfulness of VPBank’s prior data processing activities. 

4. Right to lodge complaints and provide feedback in the event of incidents or arising requests: 

a) The Customer may provide feedback, comments, or lodge complaints with VPBank regarding any violation or suspected violation of data protection that the Customer becomes aware of. The Customer’s feedback, comments, or complaints should be submitted to VPBank via the communication and information‑exchange methods agreed with the Customer as set out in Article 4 and Article 5, Part A – General Terms and Conditions; 

b) The Customer has the right to lodge a complaint with the competent authorities in the event that VPBank violates applicable laws relating to data protection. 

5. VPBank fully respects all other rights of the Customer relating to the protection of Personal Data in accordance with applicable laws. 

6. Obligations of the Customer: The Customer is required to fully comply with data confidentiality obligations as prescribed by law. In this regard, the Customer acknowledges that VPBank relies on the Customer’s Personal Data to provide products and services to the Customer and the Customer’s related parties. Accordingly, the Customer must ensure that, at all times, the information and data provided to VPBank are true, accurate, and complete. The Customer must promptly update VPBank on any changes to the data previously provided. 

7. Customer’s Undertakings 

Where the Customer provides information of any individual to VPBank, the Customer must ensure that: 

a) The Customer has been authorized by the Data Subject to represent the Data Subject (through a power of attorney in accordance with applicable laws from time to time) in: 

  • Providing the Data Subject’s information to VPBank; and 

  • Permitting VPBank to process the data in accordance with the General Transaction Terms and Conditions set out in this Part P. 

b) The Data Subject has been fully informed of and has agreed that: 

  • Personal Data is processed by VPBank in accordance with the General Transaction Terms and Conditions set out in this Part P and applicable laws; 

  • The Data Subject has been informed of activities relating to the processing of his/her Personal Data by VPBank; 

  • Personal Data is processed strictly for the purposes stated in the General Transaction Terms and Conditions set out in this Part P; 

  • Personal Data is updated and supplemented in accordance with the processing purposes; 

  • Personal Data is subject to protective and security measures during processing, including protection against violations of Personal Data protection regulations and prevention of loss, destruction, or damage caused by incidents through the application of technical measures; 

  • Personal Data is stored at VPBank in accordance with the provisions of the General Transaction Terms and Conditions set out in this Part P. 

The Customer is responsible for retaining evidence proving the Data Subject’s consent to the matters stated in this Article and for providing such evidence at VPBank’s request. The Customer must compensate VPBank for any material damages incurred by VPBank arising from the Customer’s performance of the provisions set out in this Section 7. 

8. Limitations on the exercise of Data Subject rights 

a) The Customer agrees that the implementation of requests made by the Data Subject is subject to VPBank’s capabilities and systems. 

b) During the use of products and services, the Customer may only change his/her decision (including restriction of data processing, change of decision, withdrawal of consent, objection to data processing, request for data erasure, etc.) when all of the following conditions are satisfied: 

  • The Customer has terminated the use of the products and services by submitting a written request for termination to VPBank; and 

  • All obligations arising from the contracts/documents entered into by the Customer with VPBank have been fully settled; and 

  • The change of decision/withdrawal of consent/objection to data processing/request for data erasure does not affect the lawfulness of the data processing that was consented to prior to the withdrawal of consent and does not fall within cases prohibited by law. 

Article 6. Storage and Security of Personal Data 

1. The Customer’s Personal Data stored by VPBank shall be kept confidential. VPBank shall apply reasonable measures to protect the Customer’s Personal Data. To the extent permitted by law, VPBank may store the Customer’s Personal Data in Vietnam or abroad, including through cloud‑based storage solutions. VPBank applies global data security standards in accordance with applicable laws. 

2. VPBank retains the Customer’s Personal Data for the period necessary to fulfill the purposes agreed with the Customer under the General Transaction Terms and Conditions set out in this Part P and other documents entered into with the Customer, unless a longer retention period is required or permitted under applicable laws. 

Article 7. Personal Data of Children 

VPBank processes children’s Personal Data in accordance with the principle of protecting children’s best interests and in compliance with applicable laws.
