Personal Data Protection

BPCE IOM Ho Chi Minh City Branch (collectively referred to as “BPCE,” “we,” “us,” or “our”) understands the importance of safeguarding your privacy and are committed to protecting your personal data in accordance with the laws of Vietnam, including Decree No. 13/2023/ND-CP dated 17 April 2023 on personal data protection (as amended or superseded from time to time).
This Personal Data Protection Notice (hereafter refer to as “Privacy Notice”) aims to provide you with a clear understanding of our data collection and processing practices. It covers the following key aspects:
• Types and Scope of Personal Data Processed;
We delineate the categories of personal data we gather.
• Personal Data Processing;
Our data processing processes are clearly elucidated to illustrate how we leverage your personal data to deliver exceptional products and services while safeguarding your privacy rights.
• Specific Parties in Relation to Data Processing;
We elucidate the circumstances under which we may share your personal data with designated parties, abiding by prescribed purposes and legal requirements.
• Your Rights and Obligations;
We emphasize your rights concerning the personal data we collect from you, allowing you to make informed decisions and exercise your rights in compliance with data protection laws. We illuminate the array of options at your disposal, including how to access and update your personal data, ensuring you remain in control of your information.
• Retention of Personal Data
We outline the duration for which we retain your personal data, the commencement, and conclusion of the data retention period.
This Privacy Notice strives to facilitate your comprehension of how we generally collect, utilize, disclose, and/or process the personal data you entrust to us. It is purposefully designed to aid you in making informed decisions before divulging any of your personal data.
For the sake of clarity, we wish to clarify that BPCE assumes no responsibility for the processing of any personal data that you might directly provide to third parties.

I. TYPES AND SCOPE OF PERSONAL DATA PROCESSED

1. Types of Personal Data Processed
In the course of our operations and with the aim of delivering exceptional personalized products and services, we may collect, use, disclose, or otherwise process your personal data in accordance with the laws and regulations (“process”). Personal data refers to any information that identifies or allows for the identification of you as an individual, including
a) Identification Data: Your family name, middle name, first name as stated in the birth certificate, and any other names if applicable.
b) Date of Birth: Your date of birth, date of death (if applicable), or date of disappearance (if applicable).
c) Gender: Your gender.
d) Contact Information: Your place of birth, place of birth registration, place of permanent residence, place of temporary residence, place of current residence, hometown, and contact address.
e) Nationality: Your nationality.
f) Visual Data: Personal photos and images captured on security systems, including Closed Circuit Television (CCTV) recordings.
g) Identification Numbers: Phone numbers, people’s identity card numbers, personal identification numbers, passport numbers, driver’s license numbers, license plate numbers, personal tax identification numbers, social insurance numbers, and health insurance card numbers.
h) Marital Status: Information about your marital status.
i) Family Relationship Information: Information on family relationships, such as parents and children.
j) Digital Account Information: Information about your personal digital accounts and activities in cyberspace.
k) Transaction Data: Data created as a result of transaction process, information on accounts, customer behaviors, actions, or interests demonstrated across digital platforms.
l) Interaction Data: Data created from your interactions with us, our internet websites, our apps, our social media pages, connection and tracking data such as cookies, connection to online services, IP address, meeting, call, chat, email, interview, phone conversation, Wi-Fi connection at our office.
m) Political and Religious Views: Information relating to your political and religious views.
n) Racial and Ethnic Origin: Information relating to your racial and ethnic origin.
o) Distinctive Physical Attributes and Biological Characteristics: Information on distinctive physical attributes and biological characteristics.
p) Criminal Data: Data about crimes and criminal acts obtained and kept by law enforcement agencies.
q) Financial Data: Transaction information and information contained in any of your account(s) with us, as well as information on deposits and assets.
r) Other Relevant Data: Any other data that is relevant to the provision of our products and services.
2. Scope of Personal Data Processed
We collect your personal data as our client or shareholder, director, representative, or personnel of our clients, prospective clients, contractors, or suppliers. This data is collected when you contact us, visit our office, use our website or apps, participate in surveys or events, or utilize our products and services.
Additionally, we may collect personal data about other individuals from you (“third-party personal data”), particularly when they have no direct relationship with us but are associated with you, our clients, prospective clients, suppliers, or contractors. This includes personal data related to the following individuals:
a) Successors and Right Holders;
b) Co-Borrowers / Guarantors;
c) Legal Representatives (power of attorney);
d) Beneficiaries of Your Payment Transactions;
e) Beneficiaries of Your Insurance Contracts or Policies and Trusts;
f) Landlords;
g) Ultimate Beneficial Owners;
h) Debtors or Creditors (e.g. in case of bankruptcy);
i) Agents, Personnel, Employees, or Staff;
j) Third-Party Service Providers’ Personnel, Employees, or Staff;
k) Company Shareholders;
l) Company’s Directors;
m) Relevant Parties in Transactions with Our Corporate Clients;
n) Senior Managing Officials;
o) Professional Advisors, such as auditors or consultants.
In instances where you provide us with third-party personal data, as exemplified above, we kindly request that you inform the individuals who are providing the data that we will process their personal data. We recommend you to direct them to review our current Personal Data Protection Notice to gain a clear understanding of how their personal data will be processed and protected. Transparency and compliance with data protection regulations are of utmost importance to us, and we appreciate your cooperation in ensuring that all individuals involved are well-informed.

II. PERSONAL DATA PROCESSING

1. Data Collection Sources
We collect your personal data from various sources, including but not limited to:
a) Information provided by you: Data provided by you when applying for our products or services, during customer surveys, competitions, promotions, and financial reviews.
b) Verbal and Written Communications: Data obtained from your verbal and written communications with us or our authorized agents.
c) Third-Party Sources: Data obtained from suppliers, service providers, partners, and other third parties connected to our business, including social media, credit reference, and fraud prevention agencies.
d) Related Entities: Data obtained from third parties related to you, such as employers, joint account holders, guarantors, and co-shareholders.
e) Publicly Available Sources: Data collected from credit reporting agencies, governmental sources, and directories.
f) Regulatory Authorities: data obtained from State Bank of Vietnam or other competent authorities.
g) CCTV Recordings: Data obtained through CCTV footage at our premises.
h) Account Usage and Transactions: Data analyzed from your account usage and transactions.
2. Purposes of Processing
We and the data processor(s) we engage may process your personal data for one or more of the following purposes:
a) Identity Verification and Screening: To verify your identity, conduct background checks, and authenticate your information.
b) Application Processing: To assess and process your applications or requests for our products and services, including third-party products.
c) Credit Assessments: To verify your financial standing through credit reference checks and evaluate your creditworthiness.
d) Account Management: To manage and maintain your accounts and facilities with us.
e) Personalized Services: To personalize your experience with our products and services, including access to digital/electronic accounts, and to monitor your access and membership with related third parties.
f) Fraud Detection and Prevention: To detect and deter suspicious, inappropriate, or unauthorized use of our facilities, products, services, and premises, and to investigate criminal behavior and incidents.
g) Compliance and Risk Management: To undertake and comply with contractual arrangements, audit, compliance, and risk management purposes, including data processing for statistical, credit, risk, and anti-money laundering analyses.
h) Marketing and Promotion: To offer and conduct marketing and promotional activities related to products, services, offers, or events provided by BPCE and BPCE’s business partners, which we believe may be of interest to you.
i) Responding to Inquiries and Disputes: To respond to your inquiries, complaints, and disputes and to generally resolve issues.
j) Data Reports and Statistics: To produce data, reports, statistics, responses for ourselves, related third parties, or requests from regulatory authorities.
k) Market Research and Analysis: To conduct market research, surveys, and data analysis relevant to our products and services.
l) Other Activities: To undertake other activities in connection with our provision, operation, processing, and administration of products and services, or as deemed appropriate by us from time to time.
3. Consent
Before utilizing your personal data for any purposes beyond those explicitly stated in this Privacy Notice and the privacy terms outlined in your agreements with BPCE, we will seek your consent. It is essential to highlight that you have the right to revoke your consent at any time.

III. SPECIFIC PARTIES IN RELATION TO DATA PROCESSING

1. Parties to Whom We Disclose
To provide you with our products and services and for the purposes outlined in this Privacy Notice, we may disclose your personal data or personal data of third parties related to you to the following parties:
a) BPCE Group Companies: Entities within BPCE Group.
b) Vendors and Service Providers: Companies and organizations that act as our vendors, suppliers, partners, agents, and professional advisers in connection with our business operations.
c) Your Advisers: Any of your advisers, such as accountants, auditors, lawyers, or financial advisers, where authorized by you.
d) Authorized Parties: Any person authorized by you to give instructions or to use the account(s)/facility(ies) or products or services on your behalf, including your joint account holders.
e) Assignees and Third Parties: Any actual or proposed assignee or third party in the event of restructuring, sale of debts, acquisition or sale of any company or assets by us.
f) Law Enforcement and Regulatory Authorities: The police or any public officer conducting investigations related to offenses or suspected offenses, courts, tribunals, and authorities with jurisdiction over BPCE.
g) Credit Reporting Agencies: Credit reporting agencies and credit reference agencies.
h) Financial Institutions: Credit institutions, foreign bank agencies and branches, financial institutions, merchants, and other associations in relation to products and services provided by us.
i) Disclosures Required or Permitted by Law: Any person, authorities, or third parties to whom we are permitted or required to disclose under the laws of any country or under any contractual or other commitment between third parties and BPCE.
j) Debt Settlers: Any person intending to settle outstanding moneys under any of your account(s) with us.
k) Rights Enforcement: Any person in connection with the enforcement or preservation of our rights under your agreement(s) with us or otherwise.
2. Marketing Communications
Individual entities within BPCE Group, our merchants, and strategic partners may contact you about products, services, and offers that we believe may be of interest to you or benefit you financially.
3. Non-Disclosure
Apart from the parties stated above, we will treat your personal data as private and confidential, and we will not disclose your data to any other party except:
a) With Your Consent: Where we obtain your explicit consent for specific disclosures.
b) Legal Requirements: When we are required or authorized by law to disclose your personal data.

IV. PERSONAL DATA SECURITY

1. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data and prevent unauthorized access, disclosure, or misuse. These measures include encryption, access controls, firewalls, secure communication channels, and other security technologies. We regularly review and update our security measures to ensure their effectiveness.
2. Employee Training
Our employees are trained to handle personal data securely and with utmost respect. Failure to comply with data protection policies may result in disciplinary action.

V. YOUR RIGHTS AND OBLIGATIONS

In accordance with applicable law or regulations and where applicable, you may have the following rights:
1. Access, Be Provided, and Modification
You have the right to access, be provided, and modify your personal data held by us. To exercise any of these rights, you can contact us through our office, or any other channel made available by BPCE.
2. Withdrawal of Consent
You may withdraw your consent for specific uses of your personal data at any time by using the prescribed form available at our premises. Please note that withdrawing consent may limit our ability to continue providing products or services to you.
3. Specific Withdrawal
Your withdrawal of consent under this Notice will not affect any consent you may have provided to BPCE regarding the use of your Vietnam telephone number(s), emails, and other personal data for receiving marketing or promotional information. You may withdraw your consent to receive such marketing communications at any time.
4. Data Erasure
In certain circumstances, you may request the deletion of your personal data, to the extent permitted by law. However, please note that this right does not apply universally to all your personal data. Each deletion request will be evaluated diligently, taking into account the requirements of applicable laws concerning the processing of your personal data.
5. Data Restriction or Objection
You have the right to request the restriction of or to object to processing your personal data, in accordance with applicable law. Upon receiving your request, we will implement the restriction within 72 hours, applicable to all personal data requested to be restricted, to the extent permitted by law.
6. Data Completeness
To ensure the provision of products and services, you must ensure that the information provided to us is accurate, complete, and up to date. You should promptly inform us of any changes to the information provided.
7. Consent Withdrawal Consequences
If you withhold or withdraw your consent for BPCE to collect, use, and disclose your personal data in accordance with this Notice, our ability to provide services may be limited, restricted, suspended, cancelled, prevented, or prohibited, and we shall not be liable for any losses incurred as a result.

VI. RETENTION OF PERSONAL DATA

We may record and monitor communications (e.g., phone calls, emails, chats) between you and our staff for legitimate purposes and as allowed by law. These recordings are used for record-keeping, compliance, administration, support, security, and anti-fraud purposes.
We will keep your personal data for the longer of: (i) the period required by law; or (ii) the necessary period to meet operational obligations, including account maintenance and client relationship management. Personal data related to a client is typically retained for the contractual relationship’s duration plus a specified period afterward, as required by law.

VII. REVISIONS TO THE PRIVACY NOTICE

This Privacy Notice may be revised from time to time. Notice of any such revision will be given on our website and/or by other suitable means of communication.
For written requests to exercise your rights concerning your personal data, kindly direct them to the following address:

BPCE IOM – Ho Chi Minh City Branch
16th Floor, Pearl 5 Tower,
05 Le Quy Don Street, Vo Thi Sau Ward,
District 3, Ho Chi Minh City.

Your data protection rights are of utmost importance to us, and we will promptly address any requests you make in accordance with applicable data protection laws.