Guarantee
Verification
Online Service
eBanking for Corporate
Home

PERSONAL DATA PROTECTION

At BPCE IOM – Ho Chi Minh City Branch (“the Bank”, “we”, “our”), we place the protection of your personal data at the heart of our business values. Safeguarding your privacy is not only a legal requirement but also an essential part of our promise to act with integrity, compliance, and respect for customer trust.

In today’s dynamic digital and banking environment, we recognize that your personal data is more than just information – it is your identity and your confidence in us. This Privacy Notice explains, in a clear and transparent manner, how we collect, use, share, store, and secure your personal data, in compliance with the laws of Vietnam, including:

  • Decree No. 13/2023/NĐ-CP on Personal Data Protection, and
  • Law No. 91/2025/QH15 on Personal Data Protection.

Our commitment is twofold:

  1. To ensure your peace of mind by protecting your data with the highest standards of security and governance; and
  2. To deliver safe, seamless, and customer-centric banking services, while ensuring you remain fully informed and in control of your personal data.

This Notice is designed to provide you with the information you need to make informed decisions, and to reaffirm that your trust is the foundation of our relationship.

1. Types of Personal Data We Collect

To provide you with safe, seamless, and personalized banking services, the Bank may need to collect and process certain categories of your personal data. We do so transparently, lawfully, and only for legitimate business and compliance purposes.

Depending on the products, services, or channels you use, the personal data we collect may include:

  • Identification details: full name, gender, date of birth, nationality, identity card or passport number, place of issuance, and other civil status information.
  • Contact information: residential or mailing address, phone number, email address, and other relevant contact details.
  • Financial details: bank account numbers, payment card details, deposits, loans, credit facilities, income sources, investment information, and transaction history.
  • Employment or business details: occupation, employer, job title, position, tax information, and relevant business registration or corporate documents.
  • Sensitive personal data (collected and processed only when strictly necessary and permitted by law): biometric data (such as fingerprints or facial recognition), information on political exposure, health-related information, and criminal record data.
  • Technical and digital identifiers: IP address, cookies, browsing data, and device information collected when you access or interact with our digital banking platforms.

We always handle your data in line with Vietnamese regulations, and we take special care with sensitive data, ensuring that it is collected only where required by law or essential for our banking relationship with you.

2. How We Collect Your Personal Data

We believe that trust begins with transparency. Your personal data is collected only through legitimate channels and for clear, lawful purposes connected to our banking services. Depending on how you interact with us, we may obtain your data from the following sources:

  • Direct interactions: when you visit our premises, open or maintain an account, apply for loans or credit facilities, or communicate with our staff in person, by phone, or in writing.
  • Use of our services: when you engage with Internet Banking, Mobile Banking, websites, or other digital platforms, or when you perform transactions at our counters.
  • Third-party sources: including credit information centers, correspondent banks, payment networks, service providers, and trusted business partners who support us in delivering banking services.
  • Regulatory and public sources: such as government agencies, supervisory authorities, official registers, sanction or watch lists, and other publicly available databases, as required by law or compliance obligations.
  • Technology interactions: through cookies, IP addresses, device information, and online identifiers when you access our digital platforms, as well as from CCTV and security monitoring systems installed at our offices to safeguard customers and employees.

We handle all data collection in line with Vietnamese regulations and with our global standards of data ethics. Wherever possible, we inform you in advance about why your data is collected and how it will be used.

3. Why We Process Your Personal Data

We process your personal data only for legitimate, clearly defined purposes. These purposes are essential to deliver banking services, protect your interests, and comply with legal obligations. Specifically, we may use your data for:

  • Service delivery: to open, maintain, and administer your accounts, deposits, loans, payment services, and other banking products.
  • Regulatory compliance: to meet requirements under laws and regulations, including anti-money laundering (AML), counter-terrorism financing (CTF), sanctions screening, tax reporting, and supervisory obligations.
  • Risk management: to conduct credit and risk assessments, detect and prevent fraud, safeguard transactions, and strengthen operational and cybersecurity controls.
  • Customer support: to respond to your inquiries, handle requests and complaints, resolve disputes, and provide tailored assistance.
  • Marketing and relationship management: to inform you about banking products, services, and special offers that may interest you. We will only contact you for marketing purposes with your consent, where the law requires it.

We always ensure that your data is processed in accordance with the principles of lawfulness, fairness, transparency, and minimization under Vietnamese regulations and our global standards.

4. Legal Grounds for Processing Your Personal Data

At BPCE IOM – Ho Chi Minh City Branch, every processing activity we conduct is based on clear and lawful grounds, ensuring both compliance with Vietnamese law and protection of your rights. Depending on the nature of our relationship and the services provided, we may rely on one or more of the following legal bases:

  • Performance of a contract: to deliver banking services you request, such as account opening, loan agreements, payment transactions, and other contractual obligations.
  • Compliance with legal and regulatory obligations: to fulfill requirements under banking, tax, anti-money laundering, counter-terrorism financing, sanctions, and other applicable laws and regulations.
  • Legitimate interests: to safeguard the Bank’s operations and your interests, including enhancing customer experience, strengthening fraud detection, ensuring cybersecurity, and maintaining service quality – always balanced against your fundamental rights.
  • Your explicit consent: particularly when processing sensitive personal data (such as biometric information) or when contacting you for marketing and promotional activities, as required by law.

We strictly adhere to the principles of lawfulness, fairness, necessity, and transparency as mandated by Decree No. 13/2023/NĐ-CP and Law No. 91/2025/QH15. This ensures that your personal data is always processed on a foundation you can trust.

5. Who We Share Your Personal Data With

Protecting your confidentiality is our highest priority. We only share your personal data with trusted third parties when it is strictly necessary for delivering our services, fulfilling legal requirements, or protecting your interests. Every sharing arrangement is subject to stringent confidentiality agreements, security safeguards, and compliance with Vietnamese law.

Depending on the circumstances, we may share your personal data with:

  • BPCE Group entities: including our head office and affiliates, to ensure seamless banking operations, group-level compliance, consolidated reporting, and enhanced customer services.
  • Vendors and service providers: such as IT solution providers, payment processors, professional advisers, and outsourcing partners who support our daily operations. All vendors are carefully selected and contractually bound to protect your data.
  • Regulatory authorities and public bodies: including the State Bank of Vietnam, tax authorities, courts, or law enforcement agencies, whenever required by applicable laws and regulations.
  • Auditors, lawyers, and consultants: who assist us in meeting compliance obligations, performing audits, or providing professional advice.
  • Business partners: in cases of co-branded or joint services, but only with your prior and informed consent.

We do not sell your personal data under any circumstances. Any sharing is carried out with the sole objective of delivering value to you, protecting the integrity of the banking system, and upholding our obligations under Decree No. 13/2023/NĐ-CP and Law No. 91/2025/QH15.

6. Cross-Border Transfers of Personal Data

As part of being a member of the global BPCE Group, your personal data may be transferred outside of Vietnam to support seamless international banking operations, including IT hosting, payment processing, compliance reporting, and customer support. Typical destinations may include France (head office) or other jurisdictions where BPCE entities and service providers are located.

Whenever we transfer your data abroad, we ensure that it remains subject to the same high standards of confidentiality and protection that apply in Vietnam. To achieve this, we implement a comprehensive set of safeguards, including:

  • Contractual protections: binding agreements with BPCE Group entities and service providers that require strict adherence to data protection standards.
  • Technical measures: such as encryption, secure transmission protocols, and access controls.
  • Organizational controls: including restricted access on a “need-to-know” basis and continuous monitoring of compliance.

Where Vietnamese law requires, we will notify, seek approval from, or register transfers with the Ministry of Public Security, ensuring that all transfers are carried out lawfully, transparently, and in your best interest.

We do not transfer your data abroad for any purpose unrelated to banking services, and we never compromise your privacy for commercial gain.

7. How Long We Retain Your Personal Data

We keep your personal data only for as long as it is necessary to fulfill the purposes outlined in this Privacy Notice, and always in compliance with Vietnamese law. Retention periods are determined based on:

  • Legal requirements: including those under banking, anti-money laundering, tax, and accounting regulations, which typically require us to store certain records for 5 to 10 years.
  • Contractual obligations: to ensure that we can manage ongoing customer relationships and address post-contract requirements.
  • Legitimate business purposes: such as fraud detection, dispute resolution, safeguarding of financial claims, or compliance with audit requests.

When your personal data is no longer needed, we will take steps to ensure it is securely and responsibly handled, including:

  • Permanent deletion: safely erasing data from our systems and backups.
  • Anonymization: removing identifiers so the data can no longer be linked to you.
  • Secure archiving: where retention is legally mandated, ensuring restricted access and proper safeguards.

We do not keep your data longer than necessary. By applying these principles, we aim to balance legal compliance, operational needs, and your privacy rights, while maintaining the trust you place in us.

  1. Your Rights as a Data Subject

At BPCE IOM – Ho Chi Minh City Branch, we believe that respecting your rights is at the heart of protecting your privacy. Under Vietnamese law, and in line with international best practices, you are entitled to exercise the following rights over your personal data:

  • Access: You may request access to your personal data that we hold, and obtain copies in accordance with the law.
  • Correction and updates: You may request that we correct or update any data that is inaccurate, incomplete, or outdated.
  • Deletion: You may request the deletion of your personal data when it is no longer necessary for the purposes stated, when your consent has been withdrawn, or when retention is no longer legally required.
  • Restriction and objection: In certain cases, you may ask us to restrict or object to the processing of your personal data.
  • Withdrawal of consent: Where processing is based on your consent (e.g., marketing or sensitive data), you have the right to withdraw that consent at any time.
  • Data portability: You may request to receive your personal data in a structured, machine-readable format, and to transfer it to another service provider where technically feasible.
  • Complaints: You have the right to file a complaint with us, and if you are not satisfied with our response, to escalate your complaint to the Ministry of Public Security or other competent authorities.

How to exercise your rights

You may submit your requests:

  • By email to our designated Data Protection Officer (DPO).
  • By filing a form on our website.
  • In person at our registered premises.
  • In writing by post.

For your protection, we will verify your identity before processing any request. In line with the law, we will respond within 15 days of receiving your valid request, free of charge unless otherwise permitted by law.

Our commitment is to make your rights practical, accessible, and effective, ensuring that you remain in control of your personal data at all times.

  1. How We Safeguard Your Personal Data

Your trust is our most valuable asset. That is why we apply the highest standards of security to ensure your personal data is protected against unauthorized access, misuse, disclosure, alteration, or loss.

Our security framework combines advanced technology, strict procedures, and continuous vigilance, including:

  • Encryption & secure communications: all sensitive data is transmitted and stored using strong encryption protocols.
  • Access controls: your data is accessible only to authorized employees and service providers on a strict “need-to-know” basis, protected by authentication systems.
  • Monitoring & testing: we conduct regular monitoring, penetration testing, and system upgrades to detect vulnerabilities and strengthen defenses.
  • Employee awareness: all staff receive ongoing training on their data protection responsibilities and compliance with security standards.
  • Incident response: we maintain clear procedures for managing security incidents. In the unlikely event of a personal data breach, we will notify you and the competent authorities in accordance with Vietnamese law.

By combining these measures, we aim not only to comply with regulatory requirements but also to give you the confidence and peace of mind that your information is safe in our care.

  1. Contact and Complaints Handling

We take your privacy seriously and are committed to addressing your concerns with transparency and fairness. To ensure accountability, we have appointed a dedicated Data Protection Officer (DPO) to oversee our compliance with personal data protection laws and to act as your primary point of contact.

If you wish to exercise your rights or raise a concern or complaint about how we handle your personal data, you may contact us through the following channels:

Data Protection Officer (DPO)
BPCE IOM – Ho Chi Minh City Branch
16th Floor, Pearl 5 Tower, 05 Le Quy Don Street, Xuan Hoa Ward, Ho Chi Minh City
Tel: 028 3932 6069
Email: hochiminh.compliance@bpce-vietnam.com

How we handle your requests and complaints

  • We will acknowledge your request or complaint within 5 working days.
  • We aim to provide a comprehensive response within 15 working days, subject to the complexity of the matter and verification of your identity.
  • If you are not satisfied with our resolution, you have the right to escalate your complaint to the Ministry of Public Security or the State Bank of Vietnam.

Our goal is to resolve all matters promptly, fairly, and in line with Vietnamese regulations, while keeping you fully informed throughout the process.

  1. Updates to This Privacy Notice

We are committed to keeping you informed about how we protect your personal data. From time to time, we may revise this Privacy Notice to reflect:

  • Changes in laws and regulations on personal data protection and banking compliance.
  • Updates to our internal policies or processes, aimed at enhancing security and service quality.
  • New products, services, or technologies that may affect how we collect or use personal data.

Whenever an update is made, the latest version of this Privacy Notice will be published on our official website and made available at our branch offices.

Where material changes significantly affect your rights, we will make reasonable efforts to notify you directly through appropriate channels (such as email, online banking messages, or branch notices), in addition to updating this Notice.

By keeping this Notice current, we ensure that you are always aware of how we manage and safeguard your personal data in line with our commitment to integrity, compliance, and customer trust.