COMMITMENT to
Personal Data Protection
Icetea Software Co., Ltd. (“ITS”) has developed this Personal Data Protection Commitment (“Commitment”) to help our customers better understand the purpose and scope of the information we process, the measures we apply to protect personal data, and your rights regarding these activities.
(Pursuant to Decree No. 13/2023/NĐ-CP of the Government on Personal Data Protection, effective from July 1, 2023)
This Personal Data Protection Commitment is made by and between ITS and ITS’s customers/service providers (hereinafter collectively referred to as the Provider).
ARTICLE 1: DEFINITIONS
“Contract” means the agreement between the Provider and ITS, and/or any related minutes, agreements, or appendices attached to such agreements. This may include but is not limited to contracts for the sale of goods, service agreements, labor contracts, or other types of agreements.
“Personal Data” means the personal data of any data subject that ITS receives from the Provider. This may include the personal data of the Provider itself or the personal data of other data subjects that the Provider has lawfully collected and is authorized to transfer or disclose to ITS for the purpose of performing the work specified in the Contract(s) between ITS and the Provider.
“Data Protection Law” means all laws and regulations relating to the protection of personal data or privacy applicable to the processing of personal data in Vietnam, including but not limited to the 2004 Law on National Security, the 2018 Cybersecurity Law, Decree No. 13/2023/NĐ-CP on Personal Data Protection, and any amendments, supplements, or replacements thereof.
“Products and Services” refer to any products or services provided by ITS and/or in collaboration with ITS’s partners that Customers seek, access, register for, or use.
The terms “personal data,” “data subject,” “processing of personal data,” “data controller,” and “data controller and processor” used in this Commitment shall have the meanings as defined in Decree No. 13/2023/NĐ-CP on Personal Data Protection.
ARTICLE 2: PERSONAL DATA PROTECTION CONTENT
1. The Parties acknowledge and agree as follows: (i) ITS is the personal data processor under the Data Protection Law; (ii) The Provider is the data subject or the data controller or both controller and processor, with respect to the Personal Data under the Data Protection Law; and (iii) Each Party shall comply with its respective obligations under applicable Data Protection Laws relating to the processing of Personal Data.
2. Purpose of data collection and processing:
ITS will collect, store, and process Personal Data as necessary for: executing the Contract signed with the Provider and performing related tasks under that Contract.
The Provider consents to ITS processing the Provider’s data and sharing the processed data for the following purposes:
– Sending notifications regarding communication activities between the Provider and ITS;
– Preventing acts of account theft, impersonation, or malicious attacks against the Provider’s user accounts;
– Organizing trade promotion, market research, public opinion surveys, and brokerage activities;
– Researching and developing new services and offering appropriate products and services to the Provider;
– Using the Provider’s information for marketing services and product advertising purposes;
– Verifying identity and ensuring the confidentiality and security of the Provider’s information;
– Collecting, storing, and using the Provider’s personal data to provide services such as record keeping and fulfilling legal and tax compliance obligations. ITS will retain such data for the period prescribed by law;
– Performing other actions as required by law from time to time.
ITS will not: (a) Process, store, use, or disclose Personal Data except as necessary to fulfill contractual obligations or as required by law; (b) Sell Personal Data to any third party; (c) Retain, use, or disclose such Personal Data outside the direct business relationship between ITS and the Provider, unless it is pursuant to the data subject’s instructions or legal requirements.
For clarity, the Provider’s instructions regarding Personal Data processing must align with the terms of the Contract and comply with all Data Protection Laws. The Provider is responsible for the accuracy, quality, and legality of the Personal Data and the means by which such Personal Data was obtained.
If the Provider is not the data subject, the Provider acknowledges and agrees that: (i) The Provider has obtained the data subject’s explicit consent (as required under the Data Protection Law) for all data collection, sharing, and usage as agreed in the Contract; and (ii) The Provider has informed the data subject and obtained explicit consent (as required under the Data Protection Law) for the possibility that their Personal Data may be processed outside their original country.
If the Provider is both the controller and processor of Personal Data, the Provider warrants that its instructions and actions with respect to the Personal Data — including the designation of ITS as a sub-processor — have been duly authorized by the relevant data controller.
ITS shall not be obligated to comply with or follow any instructions from the Provider that violate the Data Protection Law.
3. Types of Personal Data Protected: The Personal Data protected under this Commitment includes information in the form of symbols, letters, numbers, images, sounds, or similar forms in electronic environments that are associated with or help identify a specific individual. This may include both basic personal data and sensitive personal data, such as: name; address, phone number; date of birth, email address, information about occupation, health status, income, or any other information that, under the law at any given time, is defined as personal data.
4. Methods of Personal Data Protection: ITS shall collect, analyze, assess, use, store, transfer, process, and provide Personal Data to relevant parties or competent state authorities, and carry out other activities for the purposes stated in Clause 2 of this Article.
5. Parties involved in the protection of Personal Data: The Provider agrees that, for the purposes set out in Clause 2 of this Article, ITS may disclose Personal Data to its subsidiaries and/or affiliates to the extent necessary to apply and implement the purposes or any part thereof, subject to the subsidiaries and/or affiliates undertaking to properly perform equivalent obligations as stipulated in this Commitment.
6. Personal Data Protection Period: Personal Data protection shall commence from the time ITS receives the personal information/data as well as the consent of the Provider to the processing of such personal information/data. ITS shall maintain the processing of Personal Data for the duration of the Contract and in accordance with the provisions of law.
7. ITS Commitment: ITS commits to use all necessary and reasonable efforts to secure and protect Personal Data specified in this Commitment in accordance with the requirements and standards on information security and personal data protection under Vietnamese law and as prescribed in this Commitment. During the processing of Personal Data, there may be interruptions, delays, disconnections or any incidents due to causes beyond the reasonable control of ITS, including but not limited to interruptions due to upgrades, repairs, transmission errors, technical interruptions caused by ITS provider/contractors. In such cases, ITS will use its best efforts to promptly notify the Provider of the incident and the Provider agrees to indemnify ITS from liability in such cases.
In case of detecting a violation of the personal data protection regulations, ITS will notify the Provider as soon as possible after noticing a violation of the personal data protection regulations. In addition, the Personal Data Controller, the Personal Data Controller and Processor will notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) no later than 72 hours after the violation occurs.
ARTICLE 3: RIGHTS AND OBLIGATIONS OF DATA SUBJECTS
a. Rights of the data subject
1. To be informed about the processing of Personal Data; to consent or not to consent to the processing of Personal Data in accordance with this Commitment, unless otherwise provided by law.
2. To access, edit or request the editing of Personal Data, unless otherwise provided by law.
3. To withdraw his/her consent, unless otherwise provided by law.
4. To delete or request the deletion of Personal Data in accordance with Article 4 of this Commitment.
5. Request for restriction of processing of Personal Data, unless otherwise provided by law. Restriction of data processing is carried out within 72 hours of the request of the data subject, with all personal data that the data subject requests restriction, unless otherwise provided by law.
6. Personal data subjects are required to provide themselves with their personal data, unless otherwise provided by law.
7. Objection to data processing to prevent or restrict the disclosure of personal data or use for advertising, marketing purposes, unless otherwise provided by law. ITS implements the request of the data subject within 72 hours of receiving the request, unless otherwise provided by law.
8. Self-defense, complaint, denunciation, lawsuit, claim for compensation for damages according to the provisions of law.
b. Obligations of data subjects
1. Protect your personal data yourself; request other relevant organizations and individuals to protect your personal data.
2. Respect and protect the personal data of others.
3. Provide complete and accurate personal data when agreeing to allow the processing of personal data.
4. Participate in the dissemination and popularization of personal data protection skills.
5. Implement the provisions of the law on personal data protection and participate in preventing and combating violations of regulations on personal data protection.
ARTICLE 4: RETURN AND DELETION OF PERSONAL DATA
1. Depending on the content of the Contract, the Provider may be provided with control to retrieve or delete Personal Data. If there is no request for deletion of Data from the Provider, deletion of Personal Data will take place within thirty (30) days after the termination date of the Contract or such shorter period as specifically provided for in the Contract. If there is no provision in the Contract regarding the time for deleting personal data, this time will be applied by ITS according to ITS’s internal regulations from time to time, and in any case, the Provider acknowledges that before the date of termination of the Contract, the Provider is responsible for exporting any Personal Data that it wants to retain or deleting all unnecessary personal data after the date of termination of the Contract, provided that such exporting or deleting must comply with the provisions of law.
2. Data deletion will not be applied upon request of the Provider in the following cases:
a) The law does not allow data deletion;
b) Personal data is processed by a competent state agency for the purpose of serving the activities of the state agency as prescribed by law;
c) Personal data has been made public as prescribed by law;
d) Personal data is processed to serve legal requirements, scientific research, statistics according to the provisions of law;
e) In case of emergency regarding national defense, national security, social order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of the law;
f) Responding to emergency situations that threaten the life, health or safety of data subjects or other individuals.
3. The return or deletion of Personal Data upon request of the Provider or upon partial termination of the Contract shall be made on the condition that it does not adversely affect ITS’s ability to provide the remaining services under the Contract and that such return or deletion does not violate the provisions of law on personal data protection and other relevant laws.
ARTICLE 5: PROVIDER’S STATEMENT
1. The Provider voluntarily agrees and clearly understands the contents specified in each Clause of this Commitment.
2. In case the Provider is the Controller or the Controller and Processor of Personal Data, the Provider ensures that:
– The Data Subject has clearly known and fully agreed to the content of the notification of personal data processing made once before proceeding with the personal data processing activities; and the content specified in Article 2 of this Commitment before agreeing to the Provider to collect personal data, in accordance with the provisions of this Commitment and the Law on Data Protection.
– Has established a profile assessing the impact of the processing of personal data on Personal Data
3. The Provider guarantees and compensates ITS for damages caused by the Provider’s failure to comply with the commitments as stipulated in this Article.
ARTICLE 6: GENERAL PROVISIONS
This Commitment is publicly posted by ITS on the official website so that relevant parties can access and monitor. The Parties confirm that they have carefully read, understood and agreed to the entire content of this Commitment.
ITS has the right to update, amend or supplement this Commitment at any time to comply with current legal regulations without prior approval from the Provider. This Commitment is interpreted and governed by Vietnamese law.
This Commitment is an integral part of the Agreement signed between the Provider and ITS to which this Commitment is referred. In the event that ITS provides personal data that ITS collects/holds to the Provider, the Provider undertakes to comply with a level of personal data protection no lower than the level of protection that ITS has committed to in this document.
Revolutionize Your Tech Journey!
We Code The Future For Your Success!