Privacy Statement

1. Introduction

FPT Smart Cloud Company Limited (“FPT Smart Cloud” hereinafter) Personal Data Protection Policy, privacy statement, procedures, guidelines, and templates lay out strict requirements for processing personal data pertaining to customers, business partners, employees or any other individual. It meets the requirements of the European Data Protection Regulation (GDPR), Personal Data Protection Decree No. 13/2023/ND-CP as well as other national Data Protection Regulations and ensures compliance with the principles of national and international data protection laws in force all over the world. The policy, privacy statement, procedures, guidelines, and templates set a globally applicable data protection and security standard for FPT Smart Cloud and regulates the sharing of information between FPT Smart Cloud, subsidiaries, legal entities, and partners. FPT Smart Cloud has established guiding data protection principles – among them transparency, data economy and data security – as FPT Smart Cloud guidelines.

1.1. Purpose

The FPT Smart Cloud’s Personal Data Protection Policy, and privacy statement applies worldwide to FPT Smart Cloud, subsidiaries as well legal entities and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of FPT Smart Cloud as a first-class employer.

The Personal Data Protection Policy provides one of the necessary framework conditions for cross-border data transfer among FPT Smart Cloud, subsidiaries, and legal entities. It ensures the adequate level of data protection prescribed by the European Union General Data Protection Regulation, Protection of Personal Data Decree No. 13/2023/ND-CP or other national Personal Data Protection Regulations and the national laws for cross-border data transmission, including in countries that do not yet have adequate data protection laws.

To standardize the collection, processing, transfer, and use of personal data, and promote the reasonable, lawfully, fairly, and transparent use of personal data to prevent personal data from being stolen, altered, damaged, lost or leaked, FPT Smart Cloud establishes the Personal Data Protection Policy, Privacy Statement, and information security policies.

1.2. Application Scope

All processing of personal data by FPT Smart Cloud is within the scope of this procedure.

Means, all FPT Smart Cloud’s business processes and information systems involved in the collection, processing, use and transfer of personal data and all employees, contractors and 3rd party providers involved in the processing of personal data on behalf of FPT Smart Cloud.

This policy is binding for all departments and functions globally which are involved in personal identifiable information processing. Every FPT Smart Cloud department, legal entity or subsidiary must follow this procedure.

In scope are all data subjects whose personal data is collected, in line with the requirements of the Protection of Personal Data Decree No. 13/2023/ND-CP, GDPR and other national/ international data protection regulation.

1.3. Application of national Laws

The Personal Data Protection Policy, privacy statement, procedures, guidelines, and templates comprise the internationally accepted data privacy principles without replacing the existing national/international laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with the Personal Data Protection Policy and guidelines, or it has stricter requirements than this Policy and guidelines. The content of the Personal Data Protection Policy, procedures and guidelines must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.

Each subsidiary or legal entity of FPT Smart Cloud is responsible for compliance with the Personal Data Protection Policy, this privacy statement, guidelines, and the legal obligations. If there is reason to believe that legal obligations contradict the duties under the Personal Data Protection Policy, privacy statement, procedures or the guidelines, the relevant subsidiary or legal entity must inform the Data Protection Officer. In the event of conflicts between national legislation, the Personal Data Protection Policy, and this privacy statement, FPT Smart Cloud will work with the relevant subsidiary or legal entity of FPT Smart Cloud to find a practical solution that meets the purpose of the Personal Data Protection Policy, guidelines, and this procedure.

1.4. Responsibilities

The Data Protection Officer is responsible for ensuring that the privacy statement is correct and that mechanisms exist such as having the privacy statement on FPT Smart Cloud website to make all data subjects aware of the contents of this notice prior FPT Smart Cloud commencing collection of their data.

The Data Protection Officer is responsible for ensuring that this statement is made available to data subjects prior to FPT Smart Cloud collecting/processing their personal data.

All Employees/ Staff of FPT Smart Cloud who interact with data subjects are responsible for ensuring that this statement is drawn to the data subject’s attention and their consent to the processing of their data is secured.

2. Privacy Statement

FPT Smart Cloud is part of FPT Corporation (FPT – HoSE) – the global leading technology and IT services group headquartered in Vietnam. Qualified with ISO 9001: 2015, ISO 27001:2022, ISO 27027: 2015; ISO 27018: 2019, PCI DSS, FPT Smart Cloud delivers world-class services in Cloud Computing services, Artificial Intelligence (Al) services, AI Infrastructure, AI Platform, AI as a Service, Data as a Service and Consolidation of Financial Statements solution globally from delivery centers across the Japan, Vietnam and the Asia Pacific.

Personal data type

  • Name, email address, designation, company, country and telephone number
  • IP address, demographics, your device operating system, and browser type

Source (FPT Smart Cloud obtained the personal data from if it has not been collected directly from you, the data subject)

FPT Smart Cloud WEB page

2.1. Personal Information we may collect and process

You can assess or visit our website at any time without informing us who you are or providing us any personal information. However, we may collect information at our websites in two ways: (1) directly (for example, when you provide information, such as your name, email address, designation, company, country and telephone number, to sign up for a newsletter or register to comment on a forum website); and (2) indirectly (for example, through our website’s technology, we may collect certain information such as your IP address, demographics, your computers’ operating system, and browser type).

We do not attempt to track your personal information in order to identify you, but gathering these contact information in order to make up the web traffic routing, to diagnose problems with server for administration of our website, to better understand how you interact with our website and services and to re-design and upgrade the website for better use. If you choose not to provide your personal information that is mandatory to process your request, we may not be able to provide the corresponding service.

2.2. Use of collected information

We use personal data to provide you with information you request, process online job applications, and for other purposes which we would describe to you at the point where it is collected or which will be obvious to you. For example:

  • To further fulfil your requirements on products and services
  • To contact you with the aim of developing a business relationship
  • To feedback to your idea and/or to provide you relevant information at your requirements
  • To contact you for marketing purpose such as customer surveys
  • To inform you about our company
  • To obey regulations in applicable laws

2.3. Consent

By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified.

Consent is required for FPT Smart Cloud to process personal data, but it must be explicitly given. Where we ask you for personal data, we will always tell you why and how the information will be used.

Means: FPT Smart Cloud will inform you about the purpose of the processing, contact details of the Data controller or its representative, lawful basis of the processing, personal data was obtained, if not obtained directly from the data subject.

FPT Smart Cloud provides updated information without any undue delay and before continuing with the processing if the purposes for the processing of the personal data are changed or extended. In this case FPT Smart Cloud will ask for a new consent.

You may withdraw consent at any time by email, a written letter or telephone call to our Data Protection Officer.

2.4. Data recipients, transfer, and disclosure of personal information

We do not share your personal information with third parties without seeking your prior permission. We will seek your consent prior to using or sharing personal information for any purpose beyond the requirement for which it was originally collected. However, we may share your personal information within FPT Smart Cloud or with any of its subsidiaries, business partners, service vendors, authorized third-party agents, or contractors located in any part of the world for the purposes of data processing, storage, or to provide a requested service or transaction, after ensuring that such entities are contractually bound by data privacy obligations. When required, we may disclose personal information to external law enforcement bodies or regulatory authorities, in order to comply with legal obligations.

We do not intend for our websites or online services to be used by anyone under the age of 13. If you are a parent or guardian and believe we may have collected information about a child, please contact us as described in this Privacy Statement.

FPT Smart Cloud considers that, as a general rule, a child of 16 and over is mature enough to understand giving of consent, they are giving and should be in a position to give that consent. All Data subjects will be required to verify their identity. Where personal data is sought in respect of a child below the age of 16, a parent or guardian must give the consent on behalf of the child. Any response will be directed to the parent or guardian. FPT Smart Cloud will need to be satisfied as to the identity of the parent or guardian, and that they are acting in the best interests of the child, before excepting the consent in respect of the child. Parent or guardian has the obligation to explain the process and the content to the child and if it is legally required (PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP) to get the consent of a child, it is parent, agent or guardian responsibility.

If parent applying on behalf of a child under 16 years of age, FPT Smart Cloud will require proof of identity and address of parent and that of the child, together with the birth certificate of the child.
If a legal guardian applying on behalf of a child under 16 years of age, FPT Smart Cloud will require proof of guardian identity and address and that of the data subject, together with proof of authority to act as legal guardian and the birth certificate of the child.

If you are an agent acting on someone’s behalf (e.g. a solicitor applying on behalf of a client), FPT Smart Cloud may require proof of agent identity and address and that of the data subject, and proof that the data subject has given consent to act on their behalf.

2.5. Disclosure

FPT Smart Cloud will pass on your personal data to third parties.

Third country (non-EU) / international organisation:

FPT Smart Cloud subsidiaries and legal entities globally

Safeguards in place to protect your personal data:

Processing agreement including Standard Contract Clause

Retrieve a copy of the safeguards in place here:

Data Protection Officer

2.6. Retention period

FPT Smart Cloud will process personal data for one year. Retention period 2 years or based on applicable national laws/regulations.

2.7. Cookies policy

Like many websites, when you access to our websites, we will use “website assessment diary”- a cookie technology to collect additional website usage data. A cookie is a small data file that we transfer to your computer to facilitate your assessment to our websites. We may use information collected from our cookies to identify user behavior and to serve content and offers based on your profile, and for the other purposes described below, to the extent legally permissible in certain jurisdictions. In addition, when you visit our websites, our advertisement partners, whom we have engaged for re-marketing, may introduce cookies. Based on your browsing of our website you may see our advertisements while browsing through our advertisement partner websites and/or their network websites.

Such cookies would allow us to monitor the effectiveness of the advertisements and to make the advertisements more relevant to you. By using our site, you agree that we can place cookies on your device as explained herein. If you want to remove existing cookies from your device, you can do this using your browser options. Most Internet browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit.

2.8. Data Security

FPT Smart Cloud commits to secure your personal information with securities measures in place. The measures will help protecting data from the misuse, loss, leakage and/or alteration of information. Your personal information is access restricted to authorize FPT Smart Cloud’s personnel for the sake of providing service at your requirements and/or for FPT Smart Cloud’s audit, internal audit and for the purpose of law obligation. We strictly require our personnel, in any way, to protect your personal information and have use all measurements, technology and recognized security process for this purpose in compliance with government authorizations’ regulations. Regarding your use of our websites, you should understand that the open nature of the Internet is such that information and personal data may flow over networks connecting you to our systems without security measures and may be accessed and used by people other than those for whom the data is intended.

2.9. Links to other websites

This site contains links to other websites, but they are neither FPT Smart Cloud’s websites nor under control of FPT Smart Cloud. FPT Smart Cloud is not responsible for the privacy practices or the content and transactions of such websites. You are required to read carefully the Privacy part of those linked websites to assure that you have fully understood the way of personal information collection and sharing before providing your own information. You shall take all responsibility of risk that may incur when using those websites.

2.10. Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right to be informed – you have the right to request information what kind of your personal data are collect, use, processed, for what purpose, from which source, lawful basis of processing
  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten/erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
  • Right to judicial review: if FPT Smart Cloud refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in below.
  • Right to claim damages: The data subject has the right to claim damage as prescribed by law when there are violations against regulations on protection of his/her personal data, unless otherwise agreed by parties or unless otherwise prescribed by law.
  • Right to self-protection: The data subject has the right to self-protection according to regulations in the Civil Code, other relevant laws and this Decree, or request competent agencies and organizations to implement civil right protection methods according to regulations in Article 11 of the Civil Code.

All the above requests will be forwarded on should there be a third party involved in the processing of your personal data.

FPT Smart Cloud accepts the following forms of ID when information on your personal data or data subject rights is requested: ID card.

2.11. Complaints

If you wish to make a complaint about how your personal data is being processed by FPT Smart Cloud or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and FPT Smart Cloud’s Data Protection Officer.

2.12. Contact details

Supervisory authority Vietnam contact details:
Contact name: Ministry of Public Security.
Address: 30 Tran Binh Trong Street, Hai Ba Trung, Ha Noi, Vietnam
Telephone: + 84 692343647

Data Protection Officer (DPO):
Contact name: Pham The Minh.
Address: FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Vietnam
Email: MinhPT@fpt.com
Telephone: +84 913571357
Contact details of other countries supervisory authorities you can get form DPO at any time without any undue delay.

2.13. Changes on Privacy Statements

FPT Smart Cloud reserves the rights to change, modify, add or remove in whole or in part this Privacy Statement at its sole discretion, at any time. Therefore, you are responsible for regularly reviewing this statement. Changes of this Privacy Statements will be posted on this website. These changes will also be effective when they are posted. Your continued use of this statement constitutes your agreement to all such terms.

2.14. Contact

If you have any questions about our Privacy Statement or about how to protect your personal information, you can contact the Data Protection Officer of FPT Smart Cloud.
Data Protection Officer: Mr. Pham The Minh, Data Protection Officer.

Address: FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Vietnam.
Email: MinhPT@fpt.com.
Telephone: +84 913571357.

2.15. Document Owner and Approval

The Data Protection Officer (DPO) is the owner of this document and is responsible for ensuring that this statement is reviewed in line with the review requirements of the Personal Data Protection Policy.

This statement was approved by a Board member responsible for Data Protection.

3. Appendix

3.1. Definition

Abbreviations Description
Personal Identifiable Information (PII),
Personal Data		 ‘“Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. The personal data includes general personal data and sensitive personal data.

“Information used for identification of an individual” refers to information that results from an individual’s activities and may identify an individual when it is combined with other stored information and data.
General personal data General personal data includes:

a) Last name, middle name and first name, other names (if any);

b) Date of birth; date of death or going missing;

c) Gender;

d) Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;

dd) Nationality;

e) Personal image;

g) Telephone number, identity card number, personal identification number, passport number, driver’s license number, personal tax identification number, social insurance number, health insurance card number

h) Marital status;

i) Information about the individual’s family relationship (parents, children);

k) Digital account information; personal data that reflects activities and activity history in cyberspace;

l) Information associated with an individual or used to identify an individual other than that specified in Clause 4 of this Article.

 
Sensitive personal data Sensitive personal data refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual’s legal rights and interests, including:

a) Political and religious opinions;

b) Health condition and personal information stated in health record, excluding information on blood group;

c) Information about racial or ethnic origin;

d) Information about genetic data related to an individual’s inherited or acquired genetic characteristics;

dd) Information about physical attributes, unique biological characteristics of individuals;

e) Information about an individual’s sex life or sexual orientation.

g) Data on crimes and criminal activities collected and stored by law enforcement agencies;

h) Information on customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;

i) Personal location identified via location services;

k) Other specific personal data as prescribed by law that requires special protection.
Data Subject or
PII Principals		 Data subject refers to an individual to whom the data relates.
Data Controller Data Controller means the natural or legal person, public authority, agency or anybody which alone or jointly with others, determines the purpose and means of processing of personal data; where the purpose and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor Personal Data Processor refers to an organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller.
Personal Data Controller-cum-Processor Personal Data Controller-cum-Processor refers to an organization or individual that jointly decides purposes and means, and directly processes personal data.
Recipient A natural or legal person, public authority, agency or anybody, to which the personal data are disclosed, whether third party or not.
Third Party Refers to an organization or individual other than the data subject, Personal Data Controller, Personal Data Processor, Personal Data Controller-cum-Processor that is permitted to process personal data.
Personal data protection Personal data protection refers to an act of preventing, detecting and handling violations related to personal data in accordance with the law
Personal data processing Personal data processing refers to one or multiple activities that impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities.
Consent Consent of a data subject refers to an act that the data subject permits the processing of his/her personal data in a clear, voluntary and affirmative manner.
Data masking Data masking is techniques used to protect sensitive data (e.g. personal data).

Where the protection of sensitive data is a concern, we should consider hiding such data by using techniques such as data masking, pseudonymization or anonymization.
DPO Data Protection Officer

3.2. Related Documents

No Code Name of documents
1 EU GDPR EU General Data Protection Regulation
2 Protection of Personal Data Decree No. 13/2023/ND-CP Protection of Personal Data Decree No. 13/2023/ND-CP, passed by the National Assembly on April 17, 2023 and took effect on July 1, 2023.
3 PCI DSS The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

3.3. Data Protection Law, Vietnam, Overview

There is no single data protection law in Vietnam. Regulations on data protection and privacy can be found in various legal instruments. The right of privacy and right of reputation, dignity and honour and fundamental principles of such rights are currently provided for in Constitution 2013 (“Constitution”) and Civil Code 2015 (“Civil Code”) as inviolable and protected by law.
Regarding personal data, the guiding principles on collection, storage, use, process, disclosure or transfer of personal information are specified in the following main laws and documents:

  • Data Law No. 60/2024/QH15, passed by the National Assembly on 30 November 2024 and took effect on July 1, 2025.
  • Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015
  • Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”);
  • Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Network Information Security Law”);
  • Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as amended by Law No.35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“CRPL”);
  • Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning (“IT Law”);
  • Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”);
  • Protection of Personal Data Decree No. 13/2023/ND-CP, passed by the National Assembly on April 17, 2023 and took effect on July 1, 2023.
  • Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification (“Decree 85”);
  • Decree No. 72/2013/ND-CP dated 15 July 2013 of the Government, on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No.150/2018/ND-CP dated 7 November 2018 (“Decree 72”);
  • Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018, on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade and Decree No. 85/2021/ND-CP dated 25 September 2021 (“Decree 52”);
  • Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions (“Decree 15”);
  • Circular No. 03/2017/TT-BTTTT of the Ministry of Information and Communications dated 24 April 2017 on guidelines for Decree 85 (“Circular 03”);
  • Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”);
  • Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”);
  • Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources, as amended by Circular No. 06/2019/TT-
  • BTTTT dated 19 July 2019 (“Circular 25”); and
  • Decision No. 05/2017/QD-TTg of the Prime Minister dated 16 March 2017 on emergency response plans to ensure national cyber-information security (“Decision 05”).

Applicability of the legal documents will depend on the factual context of each case, e.g businesses in the banking and finance, education, healthcare sectors may be subject to specialized data protection regulations, not to mention to regulations on employees’ personal information as provided in Labour Code 2019 (“Labour Code”).