PERSONAL DATA PROTECTION AND PROCESSING POLICY​

(Issued together with Decision No. 08-26/QĐ-VUS, signed and promulgated by the Chief Executive Officer on April 3, 2026.)

This Policy takes effect on April 3, 2026, and supersedes all previously published versions.

VUS – The English Center, the owner and operator of language centers and short-term training institutions under the VUS – The English Center brand, with its registered headquarters at 189 Nguyen Thi Minh Khai Street, Ben Thanh Ward, Ho Chi Minh City, Vietnam (hereinafter referred to as “VUS“), recognizes the importance of the Personal Data entrusted to us by Data Subjects/Customers.

VUS is committed to managing, protecting, and processing such Personal Data responsibly and in accordance with applicable laws. This Personal Data Protection and Processing Policy outlines VUS’s commitment to complying with legal requirements when collecting and processing the Personal Data of Data Subjects/Customers.

Please read this Policy carefully before providing your Personal Data to VUS to ensure that you understand how VUS collects, uses, stores, and otherwise processes your Personal Data.

Table of Contents

Article 1. General Provisions

1.1. This Policy is established to comply with the requirements of the Law on Personal Data Protection, the Law on Protection of Consumer Rights, and other applicable laws and regulations.

1.2. This Policy applies to:

(a) All VUS employees working at VUS departments, divisions, campuses, business locations, language centers, and short-term training institutions operated by VUS.

(b) Collaborators, candidates, existing and prospective customers, and any other individuals whose Personal Data is collected and processed by VUS.

(c) Personal Data processing activities conducted through communication channels, social media platforms, closed-circuit television (CCTV), service operations, human resources management, legal reporting, and other activities related to the provision and use of VUS services by Data Subjects/Customers.

(d) Other individuals or entities as specified in this Policy.

Article 2. Definitions

The following terms used in this Policy shall have the meanings set forth below:

2.1. Personal Data

Personal Data means digital data or information in any other form that identifies or can be used to identify a specific individual, as further specified in Section 5.1 of this Policy.

2.2. VUS Products and Services

VUS Products and Services (collectively referred to as the “Products and Services“) include the products, services, and utilities provided by VUS and/or those provided by third parties in collaboration with VUS.

2.3. Data Subject

A Data Subject means an individual to whom Personal Data relates, including but not limited to:

  • individuals registering to inquire about or use the Products and Services;
  • users of VUS digital platforms (including the OVI application);
  • employees;
  • collaborators;
  • prospective candidates;
  • shareholders; and
  • any other individuals who establish or may establish a relationship with VUS through the use or provision of Products and Services, employment, or any other legal relationship.
 
2.4. Personal Data Provider

A Personal Data Provider (“Provider“) means any individual or organization acting on behalf of, or with the consent of, a Data Subject to provide that individual’s Personal Data to VUS.

2.5. Customer

A Customer includes existing and prospective individual or corporate customers of VUS.

2.6. Personal Data Processing

Personal Data Processing means any operation or set of operations performed on Personal Data, including but not limited to the collection, analysis, aggregation, encryption, decryption, modification, deletion, destruction, anonymization, provision, disclosure, transfer, or any other activity involving Personal Data.

2.7. Cross-Border Transfer of Personal Data

A Cross-Border Transfer of Personal Data means the transfer or processing of the Personal Data of Vietnamese citizens outside the territory of Vietnam through cyberspace, electronic devices, electronic means, or any other method, including but not limited to:

(a) Transferring the Personal Data of Vietnamese citizens to overseas organizations, enterprises, or management entities for processing in accordance with the purposes consented to by the Data Subject.

(b) Processing the Personal Data of Vietnamese citizens through automated systems located outside the territory of Vietnam in accordance with the purposes consented to by the Data Subject.

2.8. Personal Data Controller

A Personal Data Controller means any agency, organization, or individual that determines the purposes and means of processing Personal Data. 

2.9. Personal Data Processor

A Personal Data Processor means any agency, organization, or individual that processes Personal Data on behalf of a Personal Data Controller or a Personal Data Controller and Processor under a contractual agreement.

2.10. Personal Data Controller and Processor

A Personal Data Controller and Processor means any agency, organization, or individual that determines the purposes and means of processing Personal Data and directly carries out such processing.

2.11. Third Party

A Third Party means any agency, organization, or individual other than the Data Subject, the Personal Data Controller, the Personal Data Controller and Processor, or the Personal Data Processor that participates in the processing of Personal Data in accordance with applicable laws.

2.12. Personal Data Protection and Processing Policy

This Personal Data Protection and Processing Policy (the “Policy“) constitutes the agreement between VUS and the Data Subject/Customer regarding the protection and processing of Personal Data. It explains:

(a) The categories of Personal Data processed by VUS and the methods by which such data is collected.

(b) The purposes and methods of processing Personal Data.

(c) The organizations and individuals involved in the processing of Personal Data.

(d) How Data Subjects may exercise their rights and fulfill their obligations relating to their Personal Data.

(e) The potential consequences and risks that may arise from the processing of Personal Data.

(f) The commencement and duration of Personal Data processing.

(g) Other matters set out in this Policy.

Article 3. Effectiveness

3.1. By registering to inquire about, registering to use, or using the Products and Services, entering into contracts, and/or providing Personal Data to VUS on any platform and/or in any form, the Data Subject/Customer authorizes VUS to process their Personal Data. The Data Subject/Customer confirms that they have read, understood, and accepted all contents set out in this Policy and any amendments or updates thereto from time to time.

3.2. This Policy forms an integral part of, and shall be read and interpreted consistently with, all contracts, agreements, terms, conditions, and other documents established between the Data Subject/Customer and VUS. In the event of any conflict or inconsistency between this Policy and any contracts, agreements, terms, or conditions governing the relationship between the Data Subject/Customer and VUS, whether entered into before, on, or after the date on which the Data Subject/Customer accepts this Policy, this Policy shall prevail.

3.3. All rights and obligations of the Parties under this Policy shall not replace, terminate, or modify, but shall be cumulative to, the rights and obligations that VUS and the Data Subject/Customer may have under any other agreed documents.

3.4. This Policy may be updated, amended, supplemented, or replaced by VUS from time to time. Before any such amendment takes effect, VUS shall notify the Data Subject/Customer at least one (01) business day in advance through one of the following methods: sending a message to the Data Subject’s/Customer’s mobile phone number; sending a letter or email directly to their address; publishing the notice on the website at https://vus.edu.vn or on VUS applications; posting the notice at VUS campuses or business locations; or using any other method in accordance with applicable laws. If the Data Subject/Customer does not agree with the amended or supplemented contents, they may contact VUS for further clarification.

Article 4. Principles for Personal Data Processing

VUS is committed to complying with the following principles when processing Personal Data:

4.1. VUS processes and protects Personal Data in accordance with Vietnamese laws, this Policy, and any contracts, agreements, terms, conditions, and other documents established with the Data Subject/Customer. Depending on the specific context, VUS may act as a Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, or Third Party, and shall exercise the corresponding rights and fulfill the corresponding obligations in accordance with applicable laws.

4.2. VUS collects Personal Data for specific, clear, and lawful purposes, within the scope of the purposes stated in this Policy, any contracts, agreements, terms, conditions, and other documents established with the Data Subject/Customer, and in accordance with Vietnamese laws.

4.3. Personal Data shall be updated and supplemented as appropriate for the purposes of processing.

4.4. VUS applies and updates appropriate technical measures in accordance with Vietnamese laws to ensure the safety and confidentiality of Personal Data, including measures to protect Personal Data against unauthorized or unlawful access and/or to prevent the destruction, loss, or damage of Personal Data.

4.5. VUS retains Personal Data for a period appropriate to the purposes of processing.

4.6. VUS is committed to complying with regulations relating to the protection of children’s data, always acting in the best interests of children and ensuring compliance with applicable data protection laws from time to time.

4.7. VUS may record audio, capture images, and process Personal Data collected from closed-circuit television cameras (CCTV) installed in designated areas, including lobby areas, corridors, entrances/exits, and other areas of VUS campuses, business locations, language centers, or short-term training institutions. Such processing is conducted for the purposes of maintaining security, order, and social safety at VUS; protecting the lawful rights and interests of Data Subjects/Customers; and preventing, detecting, identifying, and investigating violations in accordance with applicable laws.

Article 5. Categories of Personal Data Processed and Methods of Collection

In order for VUS to process Personal Data for the purposes set out in Article 6 of this Policy, and to comply with other applicable laws and regulations governing VUS’s operations, VUS may need to collect and process the categories of Personal Data listed below from Data Subjects. These categories of Personal Data may vary from time to time, depending on the relevant circumstances and the relationship between the Data Subject/Customer and VUS.

5.1. Categories of Personal Data Processed

(a) Full name, including family name, middle name, given name, and any other names, if applicable.

(b) Date of birth.

(c) Gender.

(d) Place of birth, place of birth registration, permanent address, temporary residence address, current residential address, hometown, and contact address.

(e) Nationality.

(f) Personal images and information obtained from security systems, including audio recordings and video recordings of the Data Subject captured by surveillance cameras or CCTV systems at VUS campuses and business locations.

(g) Phone number, personal identification number, citizen identification number, passport number, driver’s license number, vehicle license plate number, social insurance number, health insurance card number, and other related information, such as tax information and insurance information.

(h) Occupation, workplace, and other detailed employment-related information.

(i) Marital status.

(j) Information about family relationships, including parents, spouse, children, and other family members.

(k) Information about an individual’s digital accounts and Personal Data reflecting their activities and activity history in cyberspace.

(l) Information associated with a specific individual or information that can be used to identify a specific individual.

(m) Information automatically collected when the Data Subject uses VUS websites, mobile applications, and other communication channels, such as IP address, device ID, device type, operating system, browser type, date and time of connection, cookies, and other technical information.

(n) Information/data generated from the operation of online accounts, data on how the Data Subject manages and uses online accounts, and the Data Subject’s behaviors, actions, or preferences as reflected on digital platforms.

(o) Handwriting and signatures, including electronic signatures.

(p) Biometric data.

(q) Information about education, qualifications, degrees, diplomas, and certificates.

(s) Political opinions and religious beliefs.

(t) Information relating to racial or ethnic origin.

(u) Information about health status and private life recorded in medical records, including blood type.

(v) Information about inherited or acquired genetic characteristics of an individual.

(w) Information about the physical attributes and unique biological characteristics of an individual.

(x) Data relating to crimes and criminal acts collected and stored by law enforcement agencies.

(y) Customer information at VUS, including customer identification information as required by law; account information, including individual accounts or accounts jointly owned with any other party; duration of the relationship with VUS; Products and Services regularly used; information about organizations or individuals acting as guarantors at VUS; and information about individuals or organizations related to customers at VUS, including but not limited to information about individuals who control or influence the operation of a customer’s account, founders, legal representatives, members of the executive board, chief accountants, and other relevant persons of the customer.

(z) Other information that is related to, affects, arises from, or is connected with the establishment, provision, and assessment of VUS’s Products and Services, employment relationships, or other legal relationships with VUS, in accordance with applicable laws.

5.2. Methods of Collection

VUS, in its capacity as a Personal Data Controller or through VUS’s Personal Data Processor, may collect the categories of Personal Data specified in Section 5.1 of this Policy from the following sources:

5.2.1. Through Interactions with the Data Subject

(a) From documents, agreements, contracts, records, transaction documents, and/or transaction supporting materials submitted to VUS.

(b) From interactions when the Data Subject accesses, enters information, selects options, or registers through browsers, the OVI application or other applications, websites, fanpages, social media platforms, and other digital platforms of VUS or its Personal Data Processor. This includes files automatically generated by the browser or application accessed by the Data Subject/Customer, or by similar monitoring devices/tools.

(c) From audio and video files stored by audio recording systems, video recording systems, surveillance cameras, and CCTV systems at VUS campuses, business locations, short-term training institutions, call centers, and telephone systems of VUS or its Personal Data Processor.

(d) From the Data Subject’s interactions with individuals or entities authorized by VUS, including in-person interactions at VUS transaction locations; verbal and/or written communications between the Data Subject and VUS; conversations via landline and/or mobile phone; emails; messages; or other means of communication.

(e) From analyses of how the Data Subject uses and manages the Products and Services.

(f) From any other means through which VUS may collect Personal Data when the Data Subject interacts with VUS or VUS’s Personal Data Processor.

Where VUS or VUS’s Personal Data Processor interacts directly with the Data Subject, VUS is responsible for obtaining the Data Subject’s consent for the processing of Personal Data in accordance with this Policy. Depending on the agreement between VUS and its Personal Data Processor, the collection of the Data Subject’s consent may be carried out by VUS or by VUS’s Personal Data Processor.

5.2.2. Through Personal Data Providers

(a) Personal Data Providers include, but are not limited to, the following parties:

(i) Individual Customers who provide information about another person who is a Data Subject, including but not limited to information about dependents, related persons as prescribed by law, spouse, children, parents, siblings, guardians, persons related by blood, adoption or support obligations, friends, acquaintances, authorized persons, partners, customers, emergency contacts, or other relevant individuals of the Customer whose information VUS is required to collect in order to fulfill requests and provide Products and Services to the Customer in accordance with VUS regulations and applicable laws.

(ii) Corporate Customers who provide information about other persons, including but not limited to information about persons related to the organization; legal representatives of the organization conducting transactions for Products and Services at VUS, such as legal representatives, authorized representatives, accountants, managers, owners, employees, individuals or groups of individuals who are customers of the organization, beneficial owners, and other individuals whose information VUS is required to collect in order to fulfill requests and provide Products and Services to the Customer in accordance with VUS regulations and applicable laws.

(iii) VUS service providers, partners, and consultants, including but not limited to organizations and individuals conducting surveys, social media communications, marketing, fraud prevention, data aggregation, infrastructure support, system support, technological services and facilities, information services, VUS’s agent banks and payment intermediaries, transaction processing parties, parties supporting identification and verification of identification information, brokers, and other third parties related to VUS’s business operations.

(iv) Third parties that have a relationship with the Data Subject, including but not limited to employers, co-owners of accounts, credit providers, parties registering and providing information on security measures, co-partners, co-managers, and service providers of the Data Subject who provide Personal Data to VUS.

(v) Any providers of reports, credit references, credit information, credit scoring services, and parties permitted to provide information services in accordance with applicable laws.

(vi) The Ministry of Education and Training, Departments of Education and Training, or other competent authorities in Vietnam or overseas.

(vii) Any third party to whom the Data Subject has given consent to collect and transfer information to VUS.

(b) When providing another person’s Personal Data to VUS, the Provider represents, warrants, and is responsible to VUS that:

(i) The information provided to VUS is accurate and complete, and the Provider shall notify VUS of any changes or errors relating to the Personal Data provided to VUS.

(ii) The Provider has informed the individual who is the Data Subject and ensured that such individual clearly understands and has given lawful consent/approval or valid authorization, including through the establishment of personal data protection policies and terms, for the provision of their Personal Data to VUS and for VUS to process such Personal Data for the purposes stated in this Policy. The Provider agrees that VUS is not responsible for verifying the legality or validity of such consent, approval, or authorization, and that the retention of supporting evidence shall be the responsibility of the Provider. The Provider must provide such evidence upon VUS’s request. VUS shall be released from liability and may request compensation for any damages and related costs if the Provider fails to properly fulfill the commitments set out in this Section.

(iii) With respect to children’s Personal Data, the Provider must provide documents proving that they are the child’s parent or lawful guardian, or that they have obtained the consent of the child’s parent or lawful guardian before providing such data to VUS. For children over seven (07) years of age, the Provider must also provide the child’s consent to the processing of their Personal Data in accordance with this Policy.

5.2.3. From Other Information Sources

Other information sources include publicly available and widely accessible sources of data, such as websites, social media platforms, online newspapers, printed newspapers, and other similar sources where access to the subjects and content is not restricted, in accordance with applicable laws. Such information may be generated or combined with other information obtained by VUS

Article 6. Purposes of Personal Data Processing

Personal Data may be processed by VUS, its Personal Data Processor, or a Third Party for one or more of the following purposes:

6.1. To assess, provide, and improve the quality of Products and Services, including but not limited to:

(a) Identifying, verifying, and maintaining accurate identification information of the Data Subject/Customer, and authenticating the Data Subject/Customer.

(b) Assessing, determining, and verifying the legal profile, credit profile, assets, and eligibility of the Data Subject/Customer for any Products and Services proposed or provided by VUS.

(c) Considering and approving the provision or continued provision of any Products and Services based on registration forms, proposals, requests, and other documents submitted by the Data Subject/Customer.

(d) Appraising, developing, and assessing the level of reliability in the Data Subject’s/Customer’s use of Products and Services.

(e) Assessing the Data Subject’s/Customer’s needs for Products and Services, their current and future financial status, and conducting research, planning, analysis, and data statistics for the purposes of personalization, customization, development, enhancement, or improvement of the quality of Products and Services, including online services, as well as developing new Products and Services, advertising strategies, or other strategies of VUS.

(f) Carrying out other activities related to VUS’s operations and management concerning Data Subjects/Customers in general, and other purposes that VUS considers appropriate from time to time.

6.2. To fulfill requests from Data Subjects/Customers and perform obligations under contracts, agreements, terms, conditions, and other documents between VUS and the Data Subject/Customer, including but not limited to:

(a) Providing information and consultation on the contents of Products and Services as requested by the Data Subject/Customer.

(b) Performing obligations under contracts, agreements, and other documents with the Data Subject/Customer relating to the provision of Products and Services to the Data Subject/Customer, including providing information to VUS service providers, such as legal advisors, financial advisors, auditors, and other relevant parties, in order to fulfill such obligations.

(c) Monitoring, reminding, and assessing the Data Subject’s/Customer’s fulfillment of their obligations to VUS.

(d) Implementing terms relating to care policies; managing benefits or entitlements related to VUS’s relationship with the Data Subject/Customer or arising from the Data Subject’s/Customer’s participation in events, advertising/marketing campaigns, or similar programs.

(e) Handling and investigating complaints and lawsuits involving the Data Subject/Customer.

(f) Monitoring and providing timely support to the Data Subject/Customer in emergency situations.

(g) Contacting the Data Subject/Customer to exchange information and learning-related content; provide updates on changes to Products and Services; and deliver invoices, statements, reports, general transaction terms and conditions, or other relevant documents.

6.3. For marketing and promotional purposes, including but not limited to:

(a) Directly or indirectly marketing to the Data Subject/Customer Products and Services that may be of interest to them or may provide them with offers or benefits.

(b) Sending information to the Data Subject/Customer regarding promotional programs, gift redemption, prize awarding, gift delivery, benefits, and collecting the Data Subject’s/Customer’s feedback through surveys and other forms of trade promotion in accordance with applicable laws.

6.4. To operate VUS’s internal activities, business operations, and internal risk management, including but not limited to:

(a) Ensuring VUS’s lawful business purposes in circumstances where VUS considers it necessary, including exchanging information with VUS partners and service providers.

(b) Entering data and verifying the completeness, accuracy, and legality of the Personal Data collected by VUS.

(c) Complying with agreements and contracts between VUS and other third parties.

(d) Performing reporting, financial, accounting, and tax obligations.

(e) Conducting activities for audit, risk management, compliance, and record-keeping purposes.

(f) Serving the requirements of VUS’s internal operations or those of VUS business units and campuses, including establishing, maintaining, and managing VUS infrastructure, auditing, and operations.

(g) Developing and managing human resources.

(h) Verifying applicant eligibility; assessing application profiles, documents, and records for the purposes of due diligence, evaluating applicant qualifications, registering applicant profiles, and supporting the recruitment process.

(i) Entering into and managing employment contracts and agreements with applicants and employees.

(k) Conducting training, testing, and evaluation of work quality and compliance with obligations under contracts, agreements, and commitments between employees and VUS.

6.5. To comply with applicable laws and international treaties to which Vietnam is a member, including but not limited to:

(a) Complying with obligations to provide information to competent state authorities in accordance with applicable laws.

(b) Performing obligations under applicable laws, regulations, rules, and international treaties with which VUS is required to comply, including but not limited to the disclosure of information and reporting to regulatory authorities, tax authorities, and other competent bodies.

(c) Completing data, reports, and statistics upon request from the Ministry of Education and Training, Departments of Education and Training, or other competent authorities in accordance with applicable laws.

(d) Complying with all applicable laws and legal instruments, including but not limited to legislative documents, laws, decrees, decisions, official letters, and/or requests from any competent authority.

6.6. To protect the lawful rights and interests of VUS and the community, including but not limited to:

(a) Protecting or enforcing VUS’s lawful rights and interests, including the right to collect fees, recover and handle debts owed to VUS by the Data Subject/Customer and other relevant parties, and other rights.

(b) Fulfilling VUS’s responsibilities to the community and society.

6.7. To carry out merger and acquisition activities

(a) Carrying out merger and acquisition transactions at VUS.

(b) For the avoidance of doubt, by accepting this Policy, the Data Subject/Customer agrees that VUS may process their Personal Data, including Personal Data updated in the future, for all of the purposes stated above. VUS shall obtain the Data Subject’s/Customer’s consent before using their Personal Data for any purpose other than those stated in this Policy and in any contracts, agreements, terms, conditions, or other documents established with the Data Subject/Customer.

Article 7. Personal Data Processors, Third Parties, and Other Relevant Organizations and Individuals

For the purpose of carrying out the purposes and Personal Data processing activities set out in Article 6 of this Policy, VUS may provide or transfer Personal Data to the following Personal Data Processors, Third Parties, and other relevant organizations and individuals:

7.1. VUS employees and member units

Any employees, campuses, or business locations of VUS; subsidiaries, joint venture companies, and affiliated companies as determined by VUS from time to time.

7.2. Third parties supporting the verification of Data Subject information

(a) Entities licensed or authorized to provide credit information services and other information service providers.

(b) The Ministry of Education and Training; Departments of Education and Training; or any agency or organization established by the Ministry of Education and Training or Departments of Education and Training.

7.3. Competent authorities

(a) Competent authorities requesting the provision of information in accordance with applicable laws.

(b) Any court, arbitration body, mediator, proceeding authority, enforcement authority, and/or any competent authority that requires VUS to perform its responsibilities.

(c) The police or any competent authority conducting investigations relating to any violations, including suspected violations.

(d) Any individual, competent authority, regulatory authority, or third party to whom VUS is permitted or required to disclose information, or pursuant to any contract or other commitment between such third party and VUS.

7.4. Service providers to VUS and parties cooperating with VUS in service provision

The provision of data shall comply with the principle that the data recipient may only process Personal Data necessary for the purposes of performing the functions and tasks assigned or engaged by VUS, in accordance with this Policy, the contracts, agreements, and other documents established with the Data Subject/Customer, applicable laws, and/or the regulations, rules, or international treaties with which VUS is required to comply.

(a) Any contractor, agent, seller, service provider, consultant, or cooperating party of VUS, including their employees and management personnel, including but not limited to:

(i) Companies providing support services for VUS’s business operations, such as organizations providing administrative services, correspondence services, telemarketing, direct sales, call center services, business services, travel services, visa services, human resources management, data processing, information technology, computer services, payment network services, market research, data modeling, reward redemption, records storage and management, data entry, social media services, telecommunications, messaging or email services, network connectivity, telephone services, infrastructure and technology support, workforce management, information security, software and license maintenance, data centers, conferences and seminars, training, consulting services, including study-abroad consulting, and other activities supporting VUS’s business operations.

(ii) Organizations involved in processing transactions for the Data Subject/Customer, whether such organizations are established and operating in Vietnam or overseas.

(iii) Business partners and relevant partners cooperating with VUS to develop, provide, or participate in the development or provision of Products and Services to the Data Subject/Customer and/or to support VUS’s business operations.

(b) Contractors, agents, sellers, service providers, consultants, or cooperating parties of the organizations specified in Section 7.4(a).

7.5. Third parties representing the Data Subject

(a) Any person authorized or permitted by the Data Subject to provide information for transaction purposes on behalf of the Data Subject.

(b) Other organizations and individuals permitted to receive data pursuant to the Data Subject’s consent/authorization or applicable laws.

(c) Other third parties, including:

(i) Other relevant parties that VUS considers necessary to satisfy, protect, or safeguard the lawful rights and interests of the Data Subject/Customer.

(ii) Parties involved in transactions for the purchase or sale of VUS’s debts or assets, or assets of a guarantor/security provider.

(iii) Any individual who intends to pay any outstanding amount in any account of the Data Subject/Customer at VUS.

(iv) Parents, spouse, children, or heirs of the Data Subject in the event that the Data Subject has passed away or has been declared missing.

(v) Personal Data Processors approved by the Data Subject when using the Products and Services.

(vi) Other Personal Data Processors or Third Parties.

(d) The provision of Personal Data to such parties shall comply with the principle that the recipient of Personal Data may only process Personal Data necessary for the purposes of performing the functions and tasks assigned or engaged by VUS, in accordance with this Policy, the contracts, agreements, and other documents established with the Data Subject/Customer, applicable laws, and/or the regulations, rules, or international treaties with which VUS is required to comply.

Article 8. Methods of Personal Data Processing

Depending on the purposes of Personal Data processing, VUS, VUS’s Personal Data Processor, or a Third Party may apply appropriate processing methods, including but not limited to automated, manual, or other methods of Personal Data processing in accordance with applicable laws and VUS’s regulations from time to time.

Article 9. Potential Unintended Consequences and Damages

9.1. When VUS Processes Personal Data

The processing of Personal Data always carries potential risks of data leakage or inappropriate data processing. VUS recognizes the importance of, and its responsibility for, protecting Personal Data. VUS is committed to applying appropriate protective measures in accordance with applicable laws and to regularly reviewing and updating optimal technical measures to ensure the security of Personal Data processing, make its best efforts to prevent risks, and limit any unintended consequences or damages that may arise, thereby protecting the lawful rights and interests of both the Data Subject and VUS.

9.2. When VUS Processes Requests Relating to Data Subject Rights

9.2.1. The Data Subject’s withdrawal of consent, request for data deletion, restriction of processing, objection to Personal Data processing, and/or exercise of other related rights in respect of any or all Personal Data may affect VUS’s ability to provide or maintain Products and Services for the Data Subject/Customer. Depending on the nature of the Data Subject’s request, VUS may consider and decide to refuse or discontinue the provision of Products and Services to the Data Subject/Customer.

Actions taken by the Data Subject under this provision shall be deemed a unilateral termination by the Data Subject/Customer of any relationship between the Data Subject/Customer and VUS, and may result in a breach of obligations or commitments under contracts, agreements, or other documents between the Data Subject/Customer and VUS. Accordingly, the Data Subject/Customer shall be responsible for any losses arising therefrom, and VUS’s lawful rights shall be expressly reserved with respect to the limitation, restriction, suspension, cancellation, or prevention of any request relating to such Personal Data.

9.2.2. Requests for data deletion, withdrawal of consent, restriction of processing, or objection to data processing shall not affect the lawfulness of any Personal Data processing activities previously carried out by VUS.

9.2.3. With respect to requests to access or modify Personal Data, the Data Subject understands and agrees that, in certain cases, technical reasons, system or infrastructure limitations of VUS, requirements to verify Personal Data before modification in accordance with applicable laws, or other reasons may affect and limit the scope of Personal Data that the Data Subject may access, view, and modify, as well as the methods by which such access, viewing, and modification may be carried out.

Article 10. Cross-Border Transfer of Personal Data

For the purpose of carrying out Personal Data processing activities, VUS may need to provide or transfer Personal Data to relevant third parties of VUS, and such third parties may be located in Vietnam or outside the territory of Vietnam.

When conducting a Cross-Border Transfer of Personal Data, VUS shall require the receiving third party to ensure the safety and confidentiality of the Personal Data provided or transferred. VUS is committed to fully complying with Vietnamese laws to safeguard Personal Data when conducting Cross-Border Transfers of Personal Data.

Article 11. Marketing and Advertising

11.1. The Data Subject/Customer understands that, by accepting this Policy, VUS, VUS member units, VUS’s strategic investors/shareholders, VUS marketing partners, VUS service providers, and/or third parties cooperating with VUS may contact the Data Subject/Customer by email, message, or other means to provide information about Products and Services that may be of interest to the Data Subject/Customer or may offer benefits or incentives to the Data Subject/Customer.

11.2. The Data Subject/Customer may receive notifications, view advertisements, or see other content on any website, personal email account, or any device that may be linked to websites or services of VUS partners or other third parties cooperating with VUS. VUS is not responsible for controlling such content or links, nor is VUS responsible for the practices used by the websites or services of such partners or third parties.

11.3. If the Data Subject/Customer wishes to unsubscribe from receiving notifications, advertisements, or other content, the Data Subject/Customer may contact VUS using the contact information provided in Article 18 of this Policy.

Article 12. Notice of Personal Data Processing

The Data Subject confirms that, by accepting this Policy, they have been notified by VUS of the processing of Personal Data before such processing takes place, including but not limited to notices regarding the processing of sensitive Personal Data, possible consequences and damages that may arise from withdrawal of consent, and notice that the Data Subject is being audio-recorded or video-recorded. The Data Subject confirms that they have understood and agreed to all contents set out in this Policy.

The Data Subject/Customer agrees that VUS is not required to provide a repeated notice before processing Personal Data or before processing the Data Subject’s request to withdraw consent at VUS.

Article 13. Rights and Obligations of Data Subjects

13.1. Rights of Data Subjects

(a) The Data Subject may request VUS to provide detailed information regarding the provisions of this Policy or request the correction of their Personal Data in accordance with VUS’s instructions.

(b) VUS shall respect and make efforts to protect the rights of the Data Subject, including:

(i) The right to be informed of Personal Data processing activities.

(ii) The right to give or refuse consent, and to request the withdrawal of consent for the processing of Personal Data.

(iii) The right to access, correct, or request the correction of Personal Data.

(iv) The right to request the provision, deletion, or restriction of processing of Personal Data, and to submit a request objecting to the processing of Personal Data.

(v) The right to file complaints, denunciations, lawsuits, and claims for damages in accordance with applicable laws.

(vi) The right to request competent authorities or agencies, organizations, and individuals involved in Personal Data processing to implement measures and solutions to protect their Personal Data in accordance with applicable laws.

(c) When exercising their rights, the Data Subject understands and agrees that:

VUS maintains measures to protect against unauthorized or unlawful access to Personal Data and/or the destruction, loss, or damage of Personal Data, while taking into account the legitimate interests of the Data Subject and VUS’s capabilities and systems from time to time. Using reasonable efforts, VUS shall process lawful and valid requests from the Data Subject within its capabilities and within a timeframe in accordance with applicable laws.

(i) Requests from the Data Subject must be made in accordance with the processes, procedures, and applicable fees prescribed by VUS, and may be received at VUS’s headquarters, campuses, business locations, or through other methods prescribed by VUS from time to time.

(ii) For security purposes, the Data Subject may be required to submit their request in writing or use another method to prove and authenticate their identity. VUS may require the Data Subject to verify and authenticate their identity before processing the Data Subject’s request.

(iii) VUS has the right to refuse a request from the Data Subject in certain cases, including where:

  1. the Data Subject fails to follow the procedures and processes instructed by VUS;
  2. VUS is unable to identify the Data Subject or verify the accuracy and completeness of the Personal Data, and/or the Data Subject fails to provide or provides insufficient documents and materials to verify their identity or the accuracy and completeness of the Personal Data;
  3. VUS determines that there are signs of impersonation, fraud, or violations relating to Personal Data protection;
  4. there is a dispute, including any suspected dispute, between the Provider and the Data Subject;
  5. the Data Subject/Customer does not accept the consequences or damages arising under Article 9.2 of this Policy; or
  6. applicable laws do not permit the fulfillment of the Data Subject’s request.
13.2. Obligations of Data Subjects

The Data Subject has the following obligations:

(a) To protect their own Personal Data.

(b) To respect and protect the Personal Data of others.

(c) To provide complete and accurate Personal Data and documents required to verify such Personal Data in accordance with this Policy.

(d) To promptly notify VUS of any corrections, updates, changes, or errors relating to the Personal Data provided to VUS, together with supporting documents evidencing such correction or change of Personal Data.

(e) To participate in the communication and dissemination of Personal Data protection skills.

(f) To comply with applicable laws on Personal Data protection and participate in the prevention and combat of violations of Personal Data protection regulations.

(g) To immediately notify VUS if the Data Subject discovers or suspects that their Personal Data has been disclosed, which may lead to risks during their use of Products and Services at VUS, or if the Data Subject becomes aware of any violation of Personal Data protection under this Policy.

(h) To regularly check VUS’s official website to stay updated on and comply with any changes, if any, relating to this Policy.

(i) To fulfill other obligations as prescribed by applicable laws.

13.3. Process and Procedures for Exercising Data Subject Rights

(a) Steps to request VUS to process Data Subject rights

Step Action
1
The Data Subject/Customer completes all required information and signs the Request Form using the prescribed template
2

The Data Subject/Customer submits the Request Form and any accompanying documents to the Personal Data Protection Officer of Vietnam USA Society English Centers Joint Stock Company through one of the following methods:

  • Submit a copy of the Request Form by email to: legalsupport@vus-etsc.edu.vn
  • Send by post to: Personal Data Protection Officer - Legal Department, Vietnam USA Society English Centers Joint Stock Company, 189 Nguyen Thi Minh Khai Street, Ben Thanh Ward, Ho Chi Minh City, Vietnam.
3

VUS receives the Request Form and accompanying documents from the Data Subject/Customer. VUS shall only review and process the request from the time it receives a valid and properly submitted Request Form that complies with applicable laws on Personal Data protection.

4

Within the period prescribed by law:

  • VUS shall respond to the Data Subject/Customer regarding the validity of the request and the next procedures required to process the Request Form.
  • Depending on the nature and complexity of the request, the processing period may be extended, and VUS shall clearly state the reason for such extension.

(b) Processing timeline upon receipt of a valid and properly submitted Request Form from the requester

Data Subject Right Acknowledgement of Request (Business Days) Processing by VUS Processing by Third Party Extension

1. Withdrawal of consent for Personal Data processing

2
15
20
15
2. Restriction of Personal Data processing
2
15
20
15
3. Objection to Personal Data processing
2
15
20
15
4. Request to access, correct, or have Personal Data corrected
2
10
15
10
5. Request for provision of Personal Data
2
10
15
10
6. Request for deletion of Personal Data
2
20
30
20
7. Request to implement measures and solutions to protect Personal Data
2
15
Not applicable
15
8. Complaints, denunciations, lawsuits, claims for damages, and other requests in accordance with applicable laws
2
Subject to the relevant applicable laws on a case-by-case basis
Subject to the relevant applicable laws on a case-by-case basis
Subject to the relevant applicable laws on a case-by-case basis

Items (1), (2), and (3) shall not be carried out if the processing of Personal Data falls under cases where the Data Subject’s consent is not required under the Law on Personal Data Protection, the Law on Protection of Consumer Rights, and other relevant applicable laws.

Note: The processing timeline, process, procedures, and forms may be changed by VUS to comply with relevant applicable laws.

Article 14. Processing of Personal Data Without the Data Subject's Consent

In accordance with applicable laws, the Data Subject understands that VUS is permitted to process Personal Data without the Data Subject’s consent, and VUS may continue to process Personal Data even if the Data Subject requests to withdraw consent, objects to processing, or restricts processing in the following cases:

14.1. In emergency situations where it is necessary to immediately process relevant Personal Data to protect the life or health of the Data Subject or another person.

14.2. Where Personal Data is disclosed in accordance with the law.

14.3. Where Personal Data is processed by a competent state authority in cases of emergency relating to national defense, national security, social order and safety, major disasters, or dangerous epidemics; where there is a risk threatening national security or national defense but not yet to the extent of declaring a state of emergency; or for the prevention and combat of riots, terrorism, crimes, and violations of the law in accordance with applicable laws.

14.4. Where the processing is necessary to perform contractual obligations of the Data Subject/Customer with VUS, or with relevant agencies, organizations, or individuals in accordance with applicable laws.

14.5. Where the processing serves the operations of state authorities as prescribed by specialized laws.

Article 15. Processing of Children's Personal Data

15.1. The processing of children’s Personal Data shall always be carried out based on the principle of ensuring the best interests of the child in decisions relating to children. The child’s legal representative, including the child’s parent or lawful guardian, shall exercise the rights of the Data Subject/Customer on behalf of the child, except where applicable laws permit the processing of Personal Data without the consent of the Data Subject/Customer.

15.2. In certain cases prescribed by law, such as the publication or disclosure of children’s Personal Data, VUS shall require the consent of both the child and the child’s legal representative, including the child’s parent or lawful guardian, when processing the Personal Data of children aged seven (07) years or older.

The individual acting as the child’s legal representative is responsible for verifying the child’s age and ensuring that consent has been obtained from the child aged seven (07) years or older for VUS to process the child’s Personal Data before providing such data to VUS. Upon request, the child’s legal representative must provide VUS with a copy of the child’s consent.

15.3. If VUS receives a request to cease processing children’s Personal Data in certain cases prescribed by law, such as a notice of withdrawal of consent for the processing of children’s Personal Data or a request from a competent authority, VUS shall process such request in accordance with this Policy and relevant applicable laws.

Article 16. Retention of Personal Data

16.1. Personal Data shall be retained by VUS in accordance with applicable laws.

16.2. Personal Data shall be retained for the period necessary to fulfill the purposes agreed with the Data Subject under this Policy, and under any contracts, agreements, or other documents established with the Data Subject, unless a longer retention period is permitted or required by applicable laws from time to time.

16.3. Upon receiving a request from the Data Subject to withdraw consent, object to processing, or restrict processing, VUS may continue to retain and shall not delete Personal Data in the following cases:

(a) Where applicable laws do not permit the deletion of data, such as requirements on statutory retention periods, retention for VUS to continue processing Personal Data in the cases specified in Article 14 of this Policy, or regulations on the safety and security of information systems in operations.

(b) Where Personal Data is processed by a competent state authority for the purpose of serving the operations of state authorities in accordance with applicable laws.

(c) Where Personal Data has been disclosed in accordance with applicable laws.

(d) Where Personal Data is processed for legal requirements, scientific research, or statistical purposes in accordance with applicable laws.

(e) In cases of emergency relating to national defense, national security, social order and safety, major disasters, or dangerous epidemics; where there is a risk threatening national security or national defense but not yet to the extent of declaring a state of emergency; or for the prevention and combat of riots, terrorism, crimes, and violations of the law.

(f) To respond to emergency situations that threaten the life, health, or safety of the Data Subject or another individual.

Article 17. Duration of Personal Data Processing

17.1. Commencement

VUS shall begin processing Personal Data upon receiving the Personal Data with the consent of the Data Subject, or with the Provider’s commitment that the Data Subject has given consent to the processing of Personal Data in accordance with this Policy.

17.2. Termination

VUS shall cease processing Personal Data upon the occurrence of the latest of the following events, as applicable:

(a) Upon written request from the Data Subject.

(b) When the legal agreements between the Data Subject/Customer and VUS expire or are terminated, or when the Parties have fulfilled all obligations relating to such agreements.

(c) When any dispute or complaint has been resolved by agreement, or by a legally effective judgment or decision of a competent state authority.

(d) When the processing purpose consented to by the Data Subject has been completed.

(e) When the statutory retention obligations have been fulfilled.

(f) As otherwise prescribed by applicable laws.

Article 18. Contact Information

If the Data Subject/Customer has any requests or questions relating to this Policy, or wishes to exercise any Data Subject rights, please contact VUS using the following information:

VUS – THE ENGLISH CENTER

Address: 189 Nguyen Thi Minh Khai Street, Ben Thanh Ward, Ho Chi Minh City, Vietnam
Telephone: (028) 7102 9999
Email: legalsupport@vus-etsc.edu.vn