iGuide logo

COMMITMENT TO PROTECTING PERSONAL DATA

Posted on Website: https://iguide.ai/ (According to Decree No. 13/2023/ND-CP of the Government on Personal Data Protection, effective from July 1, 2023)

The commitment to personal data protection is made by and between iGuide and iGuide's Agents/Customers/Supply Partners (hereinafter collectively referred to as the Suppliers).

iGuide and the Supplier voluntarily agree to comply with the regulations on personal data protection with the following terms:

Article 1: Definitions

  • "Contract" means the Contract between the Supplier and iGuide and/or the minutes, agreements, appendices related to such Contracts. It can be a contract for the sale of goods, provision of services, labor contract, other contracts, etc.
  • “Personal Data”means Personal Data of any data subject that iGuide obtains from the Provider, which may be the Provider's own personal data, or personal data of other subjects that the Provider has lawfully collected and is permitted to transfer, provide to iGuide for iGuide to perform the tasks set out in the Contract(s) between iGuide and the Provider.
  • “Data Protection Law”means all laws and regulations on personal data protection or privacy applicable to personal data processing activities in Vietnam, including but not limited to the Law on National Security 2004, Law on Cyber Security 2018; Decree No. 13/2023/ND-CP on personal data protection and amendments, supplements and replacements of the above documents.
  • “iGuide System”means iGuide's data centers, cloud computing systems, servers, networking equipment, hosting software systems and other systems (if any) and used to perform the scope of work under the Contract(s) entered into between iGuide and the Supplier.

The terms “personal data”, “data subject”, “personal data processing”, “controller” and “controller and processor” used in this Commitment have the meanings as set out in Decree No. 13/2023/ND-CP on personal data protection.

Article 2: Content of personal data protection

2.1.

The parties acknowledge and agree as follows::

a.

iGuide is a Processor of Personal Data under Data Protection Laws;

b.

The Supplier is a data subject or controller or controller and processor, in respect of Personal Data under Data Protection Laws; and

c.

Each party shall comply with its obligations under applicable Data Protection Laws in relation to the processing of Personal Data.

2.2. Purpose of data collection and processing:

a.

iGuide will collect, store and process Personal Data as necessary to: perform the Contract signed with the Supplier and work related to the Contract.

b.

The Provider agrees to allow iGuide to process the Provider's data and share the results of data processing for the following purposes:

  1. Send notifications about information exchange activities between the Supplier and iGuide;
  2. Prevent activities that destroy or hijack the Provider's user accounts or activities that impersonate the Provider;
  3. Organizing trade introduction and promotion, market research, public opinion polling, brokerage;
  4. Research, develop new services and provide suitable products and services to the Supplier;
  5. iGuide may use the Supplier's information for the purpose of marketing services, introducing advertising products;
  6. Verify the identity and ensure the confidentiality of the Supplier's information;
  7. iGuide collects, stores and uses the Provider's personal data for the purposes of performing services such as record keeping and compliance with legal and tax obligations. iGuide stores such data for the period prescribed by law;
  8. iGuide other actions as prescribed by law from time to time.

iGuide will not:

  1. Process, retain, use, or disclose Personal Data except as necessary to perform the obligations under the Contract, or as required by law;
  2. Sell Personal Data to any third party;
  3. Retain, use or disclose such Personal Data outside of iGuide's direct business relationship with the Provider, unless required by law or pursuant to a request from the data subject.

c.

For clarity, the Provider's instructions regarding the processing of Personal Data will be consistent with the terms of the Contract and in compliance with all applicable Data Protection Laws. The Provider is responsible for the accuracy, quality and legality of the Personal Data and the manner in which the Provider receives the Personal Data.

d.

If the Provider is not the personal data subject, the Provider acknowledges and agrees as follows:

(i)

The Supplier has obtained the explicit consent (as required by the Data Protection Act) of the data subject for all data collection, sharing and use activities as agreed under the Contract; and

(ii)

The Provider has notified and obtained the explicit consent (as required by Data Protection Laws) of the data subject that Personal Data may be processed outside their country of origin. If the Provider is a controller and processor of Personal Data, the Provider warrants that the Provider’s instructions and actions with respect to Personal Data, including the appointment of iGuide as another processor, have been authorized by the relevant controller. iGuide will not be required to comply with or follow the Provider’s instructions if those instructions would be in breach of Data Protection Laws.

2.3.

Types of Personal Data Protected:

Personal data protected under this Commitment is information in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment that are associated with a specific person or help identify a specific person, which can be basic personal data and sensitive personal data including: name; address, telephone number; date of birth, email address, information about occupation, health status, income or any information that is defined as personal data by law at each time.

2.4. How to protect personal data: 

iGuide will collect, analyze, evaluate, use, store, transfer, process, provide Personal Data to relevant parties or competent state agencies and other activities serving the purposes stated in Clause 2 of this Article.

2.5.

Parties involved in the protection of Personal Data: 

The Provider agrees that, for the purposes set out in Clause 2 of this Article, iGuide may disclose Personal Data to its subsidiaries and/or affiliates to the extent necessary to carry out and implement the purposes or any part thereof, subject to the subsidiaries and/or affiliates undertaking to properly perform equivalent obligations as set out in this Commitment.

2.6. Personal data protection period:

The protection of Personal Data shall commence from the moment iGuide receives the personal information/data as well as the consent of the Provider to the processing of such personal information/data. iGuide shall maintain the processing of Personal Data for the duration of the Contract and in accordance with the provisions of law.

2.7. iGuide's Commitment

  1. iGuide commits to, with all necessary and reasonable efforts, secure and protect Personal Data specified in this Commitment in accordance with the requirements and standards on information security and personal data protection under Vietnamese law and as prescribed in this Commitment. During the process of processing Personal Data, there may be interruptions, delays, disconnections or any incidents due to causes beyond iGuide's reasonable control, including but not limited to interruptions due to upgrades, repairs, transmission errors, technical interruptions caused by iGuide's suppliers/contractors. In such cases, iGuide will make every effort to promptly notify the Supplier of the incident and the Supplier agrees to exempt iGuide from liability in such cases.
  2. In case of detecting a violation of personal data protection regulations, iGuide will notify the Provider as soon as possible after noticing a violation of personal data protection regulations. In addition, the Personal Data Controller, the Personal Data Controller and Processor will notify the Ministry of Public Security (Department of Cyber Security and High-Tech Crime Prevention) no later than 72 hours after the violation occurs.

Article 3: Rights and obligations of data subjects

3.1. Rights of data subjects

  1. Be informed about the processing of Personal Data; agree or disagree to the processing of Personal Data in accordance with this Commitment, unless otherwise required by law.
  2. Access to view, correct or request correction of Personal Data, except where otherwise required by law.
  3. Withdraw your consent, unless otherwise provided by law.
  4. Delete or request deletion of Personal Data as prescribed in Article 4 of this Commitment.
  5. Request restriction of processing of Personal Data, unless otherwise provided by law. Restriction of processing is carried out within 72 hours of the request of the data subject, with respect to all personal data that the data subject requests restriction, unless otherwise provided by law.
  6. The personal data subject is required to provide his/her personal data, unless otherwise provided by law.
  7. Object to data processing to prevent or restrict the disclosure of personal data or its use for advertising or marketing purposes, unless otherwise provided by law. iGuide will comply with the data subject's request within 72 hours of receiving the request, unless otherwise provided by law.
  8. Self-defense, complaint, denunciation, lawsuit, claim for compensation for damages according to the provisions of law.

3.2. Obligations of the data subject

  1. Protect your personal data yourself; request other relevant organizations and individuals to protect your personal data.
  2. Respect and protect the personal data of others.
  3. Provide complete and accurate personal data when agreeing to allow the processing of personal data.
  4. Participate in promoting and disseminating personal data protection skills.
  5. Comply with legal regulations on personal data protection and participate in preventing and combating violations of regulations on personal data protection.

Article 4: Return and Deletion of Personal Data

4.1.

Deployment

a.

Depending on the content of the Contract, the Provider may be provided with control to retrieve or delete Personal Data. If there is no request for deletion of Data from the Provider, the deletion of Personal Data will take place within thirty (30) days after the date of termination of the Contract or such shorter period as specifically provided for in the Contract. If there is no provision in the Contract regarding the time for deletion of personal data, this period will be applied by iGuide according to iGuide's internal regulations from time to time, and in any case, the Provider acknowledges that before the date of termination of the Contract, the Provider is responsible for exporting any Personal Data that it wishes to retain or deleting all unnecessary personal data after the date of termination of the Contract provided that such exporting or deletion must comply with the provisions of law.

4.2.

Data deletion will not be applied upon request of the Provider in the following cases:

  1. The law does not allow data deletion.
  2. Personal data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with the provisions of law.
  3. Personal data has been disclosed in accordance with the law.
  4. Personal data is processed to serve legal requirements, scientific research, and statistics in accordance with the provisions of law.
  5. In case of emergency regarding national defense, national security, social order and safety, major disasters, dangerous epidemics; when there is a threat to national security and defense but not to the extent of declaring a state of emergency; preventing and combating riots, terrorism, preventing and combating crimes and violations of the law.
  6. Respond to an emergency situation that threatens the life, health or safety of the data subject or other individual.

4.3.

Return or deletion of Personal Data upon request of the Provider or upon partial termination of the Contract:

Will be done on condition that it does not adversely affect iGuide's ability to provide the remaining services under the Agreement and that such return or deletion does not violate the provisions of the law on personal data protection and other relevant laws.

Article 5: Supplier's Declaration

    • The Supplier voluntarily agrees and clearly understands the contents specified in each Clause of this Commitment.
    • Where the Provider is a Controller or a Controller and Processor of personal data, the Provider shall ensure that:
  • The data subject has clearly understood and fully agreed to the content of the notification of personal data processing carried out once before proceeding with the personal data processing activities; and the content specified in Article 2 of this Commitment before agreeing to the Provider to collect personal data, in accordance with the provisions of this Commitment and the Law on Data Protection.
  • Has established a record of the impact of the processing of personal data on Personal Data
    • The Supplier guarantees and compensates iGuide for damages caused by the Supplier's failure to comply with the commitments as stipulated in this Article.

Article 6: General terms

    • This Commitment is an integral part of the Contract signed between the Supplier and iGuide to which this Commitment is referred.
    • In the event that iGuide provides personal data that iGuide collects/holds to the Provider, the Provider undertakes to comply with a level of personal data protection no lower than the level of protection that iGuide has committed to in this document.