DATA PROTECTION POLICY

Version: 01

 

OVERVIEW

Your Personal Data is important to us, and we want to make sure you understand how we will process your Personal Data and protect it.

As a Personal Data Controller and/or Personal Data Controller-cum-Processor (as defined in Decree No. 13/2023/ND-CP dated April 17, 2023, effective from July 1, 2023, hereinafter referred to as “Decree 13”), this Data Protection Policy (“Policy”) will describe how we process the Personal Data that you provide to us or that we collect from you.

Within the scope of this Policy, the following terms shall have the following meanings

"Central Retail Vietnam Group" or "we" refers to all companies established in Vietnam to invest, operate, manage, exploit, operate supermarkets and/or shopping malls and/or retail stores under the brands "GO!"/ "Big C", "Nguyễn Kim", "SuperSports", "Tops Market", "Come Home", "Robins", "Lan Chi" and our other brands at any given time.

"You" refers to any individual or organization that interacts with us in certain contexts to carry out Data Processing, such as: customers, suppliers, business partners, contractors, agents, applicants, employees, etc.

"Data Processing" means one or more operations performed on Personal Data, such as: collecting, recording, analyzing, verifying, storing, editing, disclosing, combining, accessing, retrieving, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying Personal Data or other related actions.

"Personal Data" is information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment associated with a specific person or helps to identify a specific person. Personal Data includes basic personal data and sensitive personal data.

Our website (“website”), application, and other platforms may contain links to other websites/applications/platforms of third parties that are not owned or controlled by us. We are not responsible for the operation of these websites, applications, and/or platforms or the processing of your Personal Data by them, so we recommend that you carefully read the Policy and other security-related terms of these third parties.

 

  1. PERSONAL DATA WE COLLECT

We collect Personal Data from a variety of sources, which may include:

  • Personal Data You Provide to Us

    We collect data about how you use our services and products, such as the types of products/services you view or are interested in, or how often you use the services. We also collect Personal Data that you provide to us when you sign up for our marketing newsletter, complete a survey, or create an account to purchase our products/services. When doing so, we may ask you to provide Personal Data, such as your name, gender, date of birth, address, email address, phone number, or credit card details. Please note that the credit card details are sensitive personal data in accordance with Decree 13.

  • Personal Data We Collect Automatically

    We also receive and store certain types of Personal Data each time you interact with us online. For example, we use cookies and other technologies to collect Personal Data when your web browser visits our websites or our advertising templates and other content provided by or on our behalf on other websites. Your Personal Data is also collected when you search, make a purchase, post a message, participate in an event program, or respond to a survey or communicate with our customer service teams. Examples of the types of Personal Data we collect include; IP address, device identifier, location data, computer and connection information such as browser type and version, time zone settings, browser plug-in type and version, operating system, and purchase history – which at times we aggregate with similar information from other consumers. Please note that the location data is sensitive personal data in accordance with Decree 13.

  • Personal data collected from other legitimate sources.

    We collect personal data from other sources, including trusted partnerships with third parties and when we operate our branded accounts on third-party platforms. For example, when you use the "Like" feature on Facebook or the +1 feature on Google+. In addition, we receive information about you and other visitors' interactions with our ads to measure the effectiveness of our ads and whether they are relevant and successful. We also collect information about you and your activities from a third party when we provide products or services together.

The types of Personal Data that we collect depend on the contexts as mentioned above, which may include but are not limited to the following information:

    1. Identification and Personal Information

      For example: Personal image, name, date of birth, passport number, identity card number, citizen identification card number, personal identification number, driver’s license number, license plate number, personal tax code, social insurance number, health insurance card number, image, voice, fingerprint, signature, nationality, and other general personal data as prescribed in Decree 13. Please note that the fingerprint is sensitive personal data in accordance with Decree 13.

    2. Contact information

      For example: billing address, delivery address, email address, phone number, work address, permanent address, temporary address …

    3. Information about personal relationships

      For example: marital status, family relationships (parents, spouses, children), labour relationships …

    4. Member information

      For example: membership card number, personal information of members, reward points, date and month of joining/ registering as a member …

    5. Financial information

      For example, bank account/debit card/credit card number, account holder name, type of payment card or account used … Please note that this information is sensitive personal data in accordance with Decree 13.

    6. Transaction information

      For example: detailed information about the payments from you (payment time, payment amount, refund details, refund amount) and the place of purchase, order number, appointment date for service, warranty details, transaction status and/or any information arising from the use of products/services provided by us …

    7. Information from computer/mobile device

      For example, any information about the computer system or other technology device that you use to access one of our websites or applications or other platforms, such as the IP address used to connect your computer or device to the Internet, operating system, type and version of web browser. If you access our website or application by a mobile device such as a smartphone, the information collected, if permitted, will also include your device’s unique ID, advertising ID, and similar mobile device data.

    8. Behavioral information

      For example:

      Information about your purchasing behavior: We collect information about the products/services that you have purchased from us. This information helps us understand your preferences and provide you with more suitable product/service suggestions.

      Information about your online search behavior: We collect information about the keywords that you have searched on the search engines, as well as the websites that you have visited. This information helps us understand your preferences and provide you with more relevant ads.

      Information about how you interact with our products/ services: We collect information about how you use, such as the websites you have visited, the products/services you have viewed and the actions you have taken to interact. This information helps us understand how to improve our products/services.

    9. Profile information

      For example, your username and password, details of your profile and purchase history of our products/services (including product/service prices, purchase time and quantity).

    10. Marketing and communication information

      For example, feedback on your level of interest when receiving surveys about promotional programs, media events from us …

    11. Other information being sensitive data

      For example, health and personal status recorded in medical records (except blood type), information on racial, ethnic, religious views, biometric data, genetic data, information on crimes, criminal behavior, customer data of credit organizations, intermediary payment services, personal location data identified through location services … and/or other sensitive information as prescribed by law.

 

  1. PROVIDING PERSONAL DATA OF THIRD PARTIES BY YOU

When you provide us with Personal Data of individual(s) other than yourself, you warrant and represent to us and hereby confirm that:

  • Before disclosing such Personal Data to us, you have obtained the valid consent of the individuals whose Personal Data is being disclosed to us, to Process the Data under this Policy; and
  • Any Personal Data of the individuals that you disclose is accurate and complete; and
  • You are acting on behalf of such individuals in a lawful manner and you have the lawful authorization of such individuals to provide their Personal Data to us and for us to collect, use, disclose and process such Personal Data for the Purposes set forth in this Policy; and
  • This Policy has been known to and agreed to in its entirety by such individuals.

In the event that you do not meet any of the representations and warranties set forth above, please do not provide the Personal Data of such individual to us.

 

  1. PURPOSE OF DATA PROCESSING

 Within the scope of your consent and/or within the scope of the law requiring or permitting, we may use your Personal Data for one or more of the following purposes (“Purposes”):

    1. Providing products and services

      We may Process your Personal Data for the purpose of operating to provide products/services to you, which may include but not limited to: signing contracts and managing our contractual relationship with you; to support and perform other activities related to the products/services that you request; to perform services and financial transactions related to payments, including transaction verification, confirmation and cancellation; to process orders, delivery, collection - refund and exchange; to provide updated information and delivery of products, as well as perform internal warehouse activities, including picking, packing and labeling packages; to verify warranty period; to provide after-sales services, including maintenance, repair, transportation.

    2. Cooperation with third parties

      We may Process your Personal Data for or in connection with the purposes of third parties (including our agents, suppliers, contractors, partners, and any other individuals/organizations that have a business relationship or provide services to us or you) performing functions on our behalf to participate in, perform, and process your transactions. This may include allowing those third parties to introduce or provide products/services to you, authenticate you or connect to your account, or conduct other activities, including marketing, research, analysis, and product development, customer service, etc.

    3. Marketing and communications

      With your consent, we may Process your Personal Data to carry out the purpose of sending you promotional information, product/service updates, announcements of new product/service launches, sales programs, promotional programs, advertising, notifications, news, and any marketing and communications activities about our products/services. The specific details of the above programs, including content, methods, forms, and frequency of product/goods/service introductions, will be announced specifically at each program.

                  We may market and communicate with you through various channels, if appropriate, including on our website/application and/or chat applications (e.g., SMS, Whatsapp, Telegram, LINE, Viber, WeChat, Zalo, etc.), calls, and e-mail.

    4. Registration and authentication

      We may Process your Personal Data to carry out the purpose of registering, verifying, or authenticating your identity when we provide products/services to you and/or to serve other purposes in accordance with the law and this Policy.

    5. Relationship management

      We may Process your Personal Data to serve the purpose of contacting, communicating, managing personnel, managing customer files, processing information queries, requests, feedback, and complaints at your request related to the products/services that we provide to you.

    6. Data analysis

      We may Process your Personal Data to carry out the purpose of recommending products/services that you may be interested in, identifying your preferences, and personalizing your experience; to learn more about you, the products and services you receive, as well as other products and services you may want to receive; to measure your level of engagement, conduct data analysis, create data profiles, market research, surveys, behavioral evaluation, statistics and segmentation, trends, and consumer models.

    7. Improving products/services

      We may Process your Personal Data for the purpose of remedying and diagnosing problems, errors, damages, defects of products/services as well as providing customer care and support services; To evaluate, improve and develop products/services based on your satisfaction and consumption behavior; to measure the effectiveness of marketing, communication campaigns as well as business models.

    8. To perform functions on online pages (website), mobile applications and social media platforms

      We may Process your Personal Data for the purpose of managing, operating, monitoring, supervising and managing websites and online platforms, ensuring that websites operate properly, efficiently and safely; to facilitate your experience on our websites and online platforms.

    9. Information technology management

      We may Process your Personal Data for the purpose of managing operations, improving, developing information technology systems which may include ensuring information security and data protection, ensuring availability, integrity and security of the system, ensuring system performance meets user needs.

    10. Protecting common interests

      We may process your Data for the purpose of protecting the security, integrity, and safety of our data, our business operations; to exercise our rights or protect our legitimate interests where necessary. For example, to resolve disputes, claims, detect, prevent, and address illegal activities; to ensure compliance with our terms and conditions under the Contract and/or any third-party agreement

    11. Risk management, fraud detection

      We may Process your Personal Data for the purpose of verifying your identity and conducting compliance checks of employees and parties related to us according to our internal regulations and/or legal regulations, for example: to comply with anti-money laundering and anti-corruption regulations, detect and prevent fraud, detect and prevent violations of internal rules, regulations …

    12. Security

      At retail stores, supermarkets, shopping centers, transaction offices, offices, warehouses, parking lots, workplaces and other places where we conduct part or all of our business operations (hereinafter referred to as “Places of Operation”), we may use CCTV monitoring system (surveillance camera). Our CCTV monitoring system may be placed at some locations at the Places of Operation to record, capture in real time for the purpose of contributing to the protection of order, safety and protection of your rights, our legitimate interests at the Places of Operation; as well as serving for the prevention, detection and investigation of violations at the Places of Operation when we see signs of violation or when requested by competent state agencies.

      By continuing to use products/services, operating at our Places of Operation, you agree, allow us to collect data through CCTV system and Process Data according to the purpose mentioned above.

    13. Labor Relations Management

      We may process your Data for the purpose of fulfilling the rights and obligations of Employers and Employees as prescribed by current law; to manage labor relations, including but not limited to: evaluating and processing job applications, verifying candidates, managing employee records, reporting labor usage on the territory (salary survey, bonus, etc.), participating in insurance programs (social insurance, health insurance, etc.), periodic medical examinations, etc.

    14. Compliance with legal regulations

      We may process your Personal Data for the purpose of complying with legal regulations and other requirements from competent government authorities in Vietnam as well as other countries where we are legally conducting business.

 

  1. PERSONAL DATA SHARING

We may disclose or transfer your Personal Data to the following third parties for the purposes of this Policy. The third parties as mentioned below may locate/domicile in Vietnam or other areas outside Vietnam.

    1. Companies in the corporation

      We are part of the Central Group data ecosystem, which includes many different companies. Companies in the ecosystem share some relevant information and Personal Data to perform one or more of the purposes mentioned in the Policy, as well as to serve the operation and management of the entire system in accordance with the general direction. This means that we may need to disclose, share or transfer your Personal Data to other companies in the ecosystem for the purposes mentioned.

      We will only disclose or transfer your Personal Data to companies in the ecosystem that we have reason to believe will protect your privacy and security. We will also have security measures in place to prevent your Personal Data from being misused.

    2. Service providers

      We may share your Personal Data with partners and service providers, including but not limited to: technical infrastructure, internet, software, websites, and IT service providers; Warehousing and logistics service providers; Event and media organization service providers; Telecommunications service providers; Insurance service provider; Financial service providers, Transportation service providers; Other goods/service providers.

    3. Business partners

      We may share your Personal Data with commercial partners in several sectors, including but not limited to retail, real estate, finance and banking, investment, insurance, telecommunications, marketing, e-commerce, logistics, and IT.

    4. Websites and social media platforms

      We may optionally provide you with the ability to log in to our websites and platforms without entering information into a form. When you use the social media login system, you agree to allow us to access and store publicly available data on your social media accounts (such as Facebook, Google, Instagram, etc.) and any other data that you have authorized during the use of that social media login system. In addition, we may connect your email address with social media to verify whether you are a user of the relevant social media and to display relevant, personalized advertisements on your social media account when necessary.

    5. Third parties as required by competent government authorities and/or as required by law

      We are committed to protecting your Personal Data and will only disclose or share it when required by a competent government authority and/or as required by law. In such cases, we will cooperate with competent government authorities or other third parties to comply with the law, protect our rights and yours, and prevent fraud, security, or information security issues.

    6. Advisors

      The advisory team may include lawyers, engineers, accountants, investment consultants, appraisal firms, and/or any other professional advisor that we deem necessary to support the operation of our business.

    7. Transferee of rights and/or obligations

      We may transfer your Personal Data to relevant third parties in the event that we conduct or participate in any form of restructuring, merger, acquisition, joint venture, assignment, transfer, or divestment of all or part of our capital, shares, assets, or business operations.

 

  1. DATA OUTBOUND TRANSFER

Your Personal Data may be transferred by us from Vietnam (“Country of Residence”) to another location, city, country outside the territory of Vietnam (“Alternative Country”). When we transfer your Personal Data from the Country of Residence to the Alternative Country, we will comply with the legal obligations and regulations related to your Personal Data, including having a legal basis to transfer Personal Data and applying appropriate protection measures to ensure the full level of protection of Personal Data.

The legal basis for our transfer of the Personal Data specified in this clause will be your consent to the Policy and the legal protection measures.

 

  1. DATA RETENTION AND PROCESSING PERIOD

We only retain and process your Personal Data for as long as we need it for the Purposes set out in this Policy for you or to comply with our legal obligations. Your Personal Data shall be processed as from our receipt of your Personal Data.

We will cease retaining your Personal Data by securely destroying it in accordance with applicable law and this Policy as soon as (i) there is reasonable grounds to believe that retention is no longer necessary for the purposes for which the Personal Data was collected and is no longer necessary for any legal or business purpose and/or (ii) the retention period for the information has expired under applicable law and/or (iii) you request that the Personal Data be destroyed or you object, restrict, withdraw your consent on the Data Processing.

Notwithstanding the foregoing, we may retain certain of your Personal Data to exercise our rights or to comply with the requirements of this Policy or applicable law.

 

  1. YOUR RIGHTS AND OBLIGATIONS

 

    1. Right to be informed

      You have the right to know clearly, transparently, and fully how we process your Personal Data, including information on what rights and obligations you have over your Personal Data when it is processed by us, unless otherwise provided by laws.

    2. Right to consent and withdraw consent

      You have the right to consent to allow us to process your Personal Data under this Policy (specifically, we rely on consent as the legal basis for processing your Personal Data).

      You have the right to withdraw your consent, unless otherwise provided by laws, at any time by notifying us of such withdrawal (although if you withdraw your consent, this does not mean that the processing of your Personal Data that has already been undertaken with your consent up to that point is unlawful).

    3. Right to access and rectification

      You have the right to access, to rectify, or to request us to rectify any Personal Data about you that we are processing, unless otherwise provided by laws.

      We are not responsible for any issues arising in the event that the Personal Data provided by you is (i) fraudulent/inaccurate (in part or in whole) or (ii) misleading or (iii) incomplete/insufficient or (iv) you do not update us on any changes to your Personal Data as informed to us and/or other cases as regulated by law.

      For the sake of your own privacy and information security, we may request you to verify your identity before responding to your request for access and rectification.

    4. Right to delete personal data

      You have the right to request that we erase all or part of your Personal Data, unless otherwise provided by laws. Please note that this is not an absolute right in all cases, as we may have legal grounds to retain your personal information for the purpose of complying with applicable laws and/or requests from competent government authorities.

    5. Right to obtain restriction on processing

      You have the right to request that we restrict our processing of your Personal Data, unless otherwise provided by laws. This right means that the scope of our processing of your Personal Data will be limited, so we may store the information but may not use or process it further.

    6. Right to obtain personal data

      You can request us to provide a copy of your Personal Data that we have.

    7. Right to object to processing

      You have the right to object to the Processing of your Personal Data to prevent or restrict the disclosure of personal data or the use of personal data for advertising and marketing purposes unless otherwise provided for by law.

    8. Right to file complaints, denunciations and lawsuits

      You have the right to contact the competent authority for data protection to file a complaint, denunciation and lawsuit in accordance with the laws.

    9. Right to claim damage

      You have the right to claim compensation for damages in accordance with the law if there is evidence that we have violated our Personal Data protection regulations, unless otherwise agreed by the parties or provided by laws.

    10. Right to self-protection

      You have the right to self-protection under the provisions of the Civil Code and current laws, or to request competent agencies and organizations to implement methods of protecting your civil rights in accordance with the provisions of the Civil Code.

      We always try to process your requests quickly, fairly, and transparently. However, we reserve the right to refuse requests that are unfounded, duplicate, or violate our legitimate rights and interests or those of any third party or are out of our competence/scope of data processing. We will inform you of the reason for the refusal and how to remedy it if possible.

      You can exercise these rights by sending us an email at “Contact Us” and attaching relevant documents (when we request and/or the law allows). If a request is made by someone other than you but this person cannot provide evidence that the request has been made on your behalf and subject to your valid consent, we will not be able to comply with the request.

      To protect your privacy and security, we may ask you to verify your identity before we can fulfill any requests made under Article 7 of this Policy.

    11. Your obligations
      • To provide complete and accurate Personal Data when agreeing to allow our Data Processing;
      • To respect and protect the Personal Data of others;
      • To implement other requirements or obligations of data subject in accordance with the laws.
    12. Note on consequences and unexpected damages that are likely to occur

      If you exercise one or more of your rights as stipulated in Articles 7.2, 7.4, 7.5, and 7.7 of the Policy, then we (i) may not be able to perform the necessary actions to achieve the processing purposes described in the Policy for you; and/or (ii) may not be able to perform, sign the contract that we have or are trying to sign with you; and/or (iii) may not be able to provide you with our products/services.

      Your exercise of your rights and the unintended consequences as stated in section 7.12 will be considered as your termination of any relationship you have with us, and/or a violation of obligations, commitments under the contract. To clarify, we explicitly reserve our legal rights and remedies in such cases and will not be liable to you for any losses, damages, complaints, or lawsuits arising from your exercise of the aforementioned rights.

 

  1. DATA PROTECTION

We are committed to protecting the privacy and security of your personal data. We have implemented a number of technical and organizational measures to protect and secure your Personal Data, including:

      • Implementing information security policies and procedures and technical measures to protect Personal Data and comply with legal requirements;
      • Implementing cybersecurity inspection for systems and devices and equipment serving the processing of personal data before processing, irreversibly deleting or destroying devices containing personal data.
      • Training and requiring our employees who have access to your Personal Data to comply with our data security and privacy standards;
      • Requiring our service providers, or other third parties with whom we collaborate and to whom we disclose your Personal Data, to implement similar data security, privacy, and security standards when they Process your Data.

 

  1. CHILDREN'S PRIVACY

In Vietnam, a child is defined as a person under the age of 16. This definition may change from time to time depending on the laws in effect.

We have, are currently, and will always continue to implement additional, appropriate protective measures to help ensure the safety of children's personal data, based on the principle of protecting their rights and best interests.

Before processing the personal data of a child, we must have the consent of the child if the child is at least 7 years old, and the consent of the child's parent, legal guardian, or guardian, as required by law.

We will take the necessary measures, as required by law, to verify the age of the child before processing their personal data. You need to understand that if you provide us with personal data about a child, you must prove that you are the child's parent, legal guardian, or have the consent and authorization of the child's parent, legal guardian, before providing the information.

We will stop processing, and may delete, or destroy the personal data of a child in cases where it is necessary to protect the legal rights and interests of the child in accordance with the law and our business practices, such as (i) when the child or the child's parent, legal guardian withdraws their consent to allow the processing of the child's personal data; or (ii) at the request of a competent authority.

If the personal data of a child is disclosed to us by you in violation of the above regulations and we are not and/or cannot know or verify at the time of disclosure, you hereby agree to the processing of the child's personal data and accept and agree to be bound by this Policy and assume all liability for any issues arising in relation to that child's personal data. We will not be liable for any unauthorized use of any products/services (provided by us) by you or any related persons when violating the regulations of this Policy.

 

  1. COOKIE

A cookie is a small text file that is placed on your hard drive by a website's server. Cookies are not used to run programs or deliver viruses to your computer. Cookies are assigned to your computer and can only be read by a web server in the domain that issued the cookie to you.

We use cookies to help personalize and maximize your online experience when visiting our website/app without having to re-enter your existing information.

You can accept or decline cookies. Most browsers automatically accept cookies, but you can change your settings to refuse all cookies if you prefer. However, if you choose to refuse cookies, this may hinder and negatively impact some services and features that depend on cookies on the website/app.

 

  1. UPDATE DATA PROTECTION POLICY

We may review, modify, or automatically update this Policy on our other applications/websites/platforms at our discretion from time to time to ensure that updates are appropriate for our business operations and comply with changes in legal regulations. If these changes are significant, we will provide a more visible notice (by a general notice published on other applications/websites/platforms or to the email address provided by you).

You agree that you are responsible for reviewing this Policy regularly to obtain the latest information about how we process your data and therefore, your continued use of our applications/websites/platforms or use of the products/services we provide after any modifications to this Policy will constitute your acceptance of this Policy and all of its modifications (if any) and the processing of your Personal Data following this Policy and all of its modifications (if any).

The translation if for information purposes only, and is not a substitute for the official policy. In case of any discrepancy between the Vietnamese and English version, the Vietnamese version shall prevail.

 

  1. CONTACT US

If you have any questions, complaints, or feedback about how we process your data or if you want to exercise any rights as mentioned in the Policy, please contact us at the following contact information:

Personal Data Protection Department
Mailing address: 163 Phan Dang Luu, Ward 01, Phu Nhuan District, Ho Chi Minh City, Vietnam.
Email address: CRV.dpo@vn.centralretail.com

 

 

CONSENT

Please read this Policy carefully. By checking the statement “I AGREE WITH THE DATA PROTECTION POLICY” or similar statements displayed on our website/other platforms or signing the confirmation form provided by us in each specific case, you confirm that you have read, understood the entire content of this Policy and agree, allow us to Process your Data in accordance with the provisions of this Policy.

If you do not agree to any content of this Policy, please do not continue to access our website/other platform or provide/send Personal Data to us. You have the right to send your feedback, complaints, and inquiries to the “CONTACT US” section for further clarification.