Privacy Statement

    1. Introduction 

     FPT Smart Cloud Company Limited (“FPT FPT Smart Cloud” hereinafter) Personal Data Protection Policy, privacy statement, procedures, guidelines, and templates lay out strict requirements for processing personal data pertaining to customers, business partners, employees or any other individual. It meets the requirements of the European Data Protection Regulation, Personal Data Protection Decree No. 13/2023/ND-CP as well as other national Data Protection Regulations and ensures compliance with the principles of national and international data protection laws in force all over the world. The policy, privacy statement, procedures, guidelines, and templates set a globally applicable data protection and security standard for FPT Smart Cloud and regulates the sharing of information between FPT Smart Cloud, subsidiaries, legal entities, and partners. FPT Smart Cloud há eestablished guiding data protection principles – among them transparency, data economy and data security – as FPT Smart Cloud guidelines.   

    1.1. Purpose 

     The FPT Smart Cloud Personal Data Protection Policy, and privacy statement applies worldwide to FPT Smart Cloud, subsidiaries as well legal entities and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of FPT Smart Cloud as a first-class employer. 

    The Personal Data Protection Policy provides one of the necessary framework conditions for cross-border data transfer among FPT Smart Cloud, Subsidiaries, and legal entities. It ensures the adequate level of data protection prescribed by the European Union General Data Protection Regulation, Protection of Personal Data Decree No. 13/2023/ND-CP or other national Personal Data Protection Regulations and the national laws for cross-border data transmission, including in countries that do not yet have adequate data protection laws.  

    To standardize the collection, processing, transfer, and use of personal data, and promote the reasonable, lawfully, fairly, and transparent use of personal data to prevent personal data from being stolen, altered, damaged, lost or leaked, FPT Smart Cloud establishes the Personal Data Protection Policy, Privacy Statement, and information security policies. 

    1.2. Application Scope 

    All processing of personal data by FPT Smart Cloud is within the scope of this procedure. 

    Means, all FPT Smart Cloud’s business processes and information systems involved in the collection, processing, use and transfer of personal data and all employees, contractors and 3rd party providers involved in the processing of personal data on behalf of FPT Smart Cloud. 

    This policy is binding for all departments and functions globally which are involved in personal identifiable information processing. Every FPT Smart Cloud department, legal entity or subsidiary must follow this procedure. 

    In scope are all data subjects whose personal data is collected, in line with the requirements of the Protection of Personal Data Decree No. 13/2023/ND-CP, GDPR and other national/ international data protection regulation. 

    1.3. Application of national Laws 

    The Personal Data Protection Policy, privacy statement, procedures, guidelines, and templates comprise the internationally accepted data privacy principles without replacing the existing national/international laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with the Personal Data Protection Policy and guidelines, or it has stricter requirements than this Policy and guidelines. The content of the Personal Data Protection Policy, procedures and guidelines must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.  

    Each subsidiary or legal entity of FPT Smart Cloud is responsible for compliance with the Personal Data Protection Policy, this privacy statement, guidelines, and the legal obligations. If there is reason to believe that legal obligations contradict the duties under the Personal Data Protection Policy, privacy statement, procedures or the guidelines, the relevant subsidiary or legal entity must inform the Data Protection Officer. In the event of conflicts between national legislation, the Personal Data Protection Policy, and this privacy statement, FPT Smart Cloud will work with the relevant subsidiary or legal entity of FPT Smart Cloud to find a practical solution that meets the purpose of the Personal Data Protection Policy, guidelines, and this procedure.  

     1.4. Responsibilities 

    The Data Protection Officer is responsible for ensuring that the privacy statement is correct and that mechanisms exist such as having the privacy statement on FPT Smart Cloud website to make all data subjects aware of the contents of this notice prior FPT Smart Cloud commencing collection of their data.  

    The Data Protection Officer is responsible for ensuring that this statement is made available to data subjects prior to FPT Smart Cloud collecting/processing their personal data. 

    All Employees/ Staff of FPT Smart Cloud who interact with data subjects are responsible for ensuring that this statement is drawn to the data subject’s attention and their consent to the processing of their data is secured. 

    2. Privacy Statement 

    FPT Smart Cloud is part of FPT Corporation (FPT – HoSE) – the global leading technology and IT services group headquartered in Vietnam with nearly US$2.5 billion in revenue and 54,687 employees. Qualified with ISO 9001: 2015, ISO 27001:2022, ISO 27027: 2015; ISO 27018: 2019, PCI DSS, FPT Smart Cloud delivers world-class services in Cloud Computing services, Artificial Intelligence (Al) services, AI Infrastructure, AI Platform, AI as a Service, Data as a Service and Consolidation of Financial Statements solution globally from delivery centers across the Japan, Vietnam and the Asia Pacific. 

    Personal data type 

    Name, email address, designation, company, country and telephone number 

    IP address, demographics, your device operating system, and browser type 

     

    Source (FPT Smart Cloud obtained the personal data from if it has not been collected directly from you, the data subject) 

    FPT Smart Cloud WEB page 

    2.1. Personal Information we may collect and process 

    You can assess or visit our website at any time without informing us who you are or providing us any personal information. However, we may collect information at our websites in two ways: (1) directly (for example, when you provide information, such as your name, email address, designation, company, country and telephone number, to sign up for a newsletter or register to comment on a forum website); and (2) indirectly (for example, through our website’s technology, we may collect certain information such as your IP address, demographics, your computers’ operating system, and browser type). 

    We do not attempt to track your personal information in order to identify you, but gathering these contact information in order to make up the web traffic routing, to diagnose problems with server for administration of our website, to better understand how you interact with our website and services and to re-design and upgrade the website for better use. If you choose not to provide your personal information that is mandatory to process your request, we may not be able to provide the corresponding service. 

      2.2. Use of collected information 

    We use personal data to provide you with information you request, process online job applications, and for other purposes which we would describe to you at the point where it is collected or which will be obvious to you. For example: 

    • To further fulfil your requirements on products and services 
    • To contact you with the aim of developing a business relationship 
    • To feedback to your idea and/or to provide you relevant information at your requirements 
    • To contact you for marketing purpose such as customer surveys 
    • To inform you about our company 
    • To obey regulations in applicable laws 

    2.3. Consent 

    By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified. 

    Consent is required for FPT Smart Cloud to process personal data, but it must be explicitly given. Where we ask you for personal data, we will always tell you why and how the information will be used.  

    Means: FPT Smart Cloud will inform you about the purpose of the processing, contact details of the Data controller or its representative, lawful basis of the processing, personal data was obtained, if not obtained directly from the data subject. 

    FPT Smart Cloud provides updated information without any undue delay and before continuing with the processing if the purposes for the processing of the personal data are changed or extended. In this case FPT Smart Cloud will ask for a new consent. 

    You may withdraw consent at any time by email, a written letter or telephone call to our Data Protection Officer. 

    2.4. Data recipients, transfer, and disclosure of personal information 

    We do not share your personal information with third parties without seeking your prior permission. We will seek your consent prior to using or sharing personal information for any purpose beyond the requirement for which it was originally collected. However, we may share your personal information within FPT Smart Cloud or with any of its subsidiaries, business partners, service vendors, authorized third-party agents, or contractors located in any part of the world for the purposes of data processing, storage, or to provide a requested service or transaction, after ensuring that such entities are contractually bound by data privacy obligations. When required, we may disclose personal information to external law enforcement bodies or regulatory authorities, in order to comply with legal obligations. 

    We do not intend for our websites or online services to be used by anyone under the age of 13. If you are a parent or guardian and believe we may have collected information about a child, please contact us as described in this Privacy Statement. 

    FPT Smart Cloud considers that, as a general rule, a child of 16 and over is mature enough to understand giving of consent, they are giving and should be in a position to give that consent. All Data subjects will be required to verify their identity. Where personal data is sought in respect of a child below the age of 16, a parent or guardian must give the consent on behalf of the child. Any response will be directed to the parent or guardian. FPT Smart Cloud will need to be satisfied as to the identity of the parent or guardian, and that they are acting in the best interests of the child, before excepting the consent in respect of the child. Parent or guardian has the obligation to explain the process and the content to the child and if it is legally required (PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP) to get the consent of a child, it is parent, agent or guardian responsibility. 

    If parent applying on behalf of a child under 16 years of age, FPT Smart Cloud will require proof of identity and address of parent and that of the child, together with the birth certificate of the child.
    If a legal guardian applying on behalf of a child under 16 years of age, FPT Smart Cloud will require proof of guardian identity and address and that of the data subject, together with proof of authority to act as legal guardian and the birth certificate of the child. 

    If you are an agent acting on someone’s behalf (e.g. a solicitor applying on behalf of a client), FPT Smart Cloud may require proof of agent identity and address and that of the data subject, and proof that the data subject has given consent to act on their behalf. 

     2.5. Disclosure 

    FPT Smart Cloud will pass on your personal data to third parties. 

    Third country (non-EU) / international organisation: 

    FPT Smart Cloud subsidiaries and legal entities globally 

    Safeguards in place to protect your personal data: 

    Processing agreement including Standard Contract Clause 

    Retrieve a copy of the safeguards in place here: 

    Data Protection Officer  

    2.6. Retention period 

    FPT Smart Cloud will process personal data for one year. Retention period 2 years or based on applicable national laws/regulations. 

    2.7. Cookies policy 

    Like many websites, when you access to our websites, we will use “website assessment diary”- a cookie technology to collect additional website usage data. A cookie is a small data file that we transfer to your computer to facilitate your assessment to our websites. We may use information collected from our cookies to identify user behavior and to serve content and offers based on your profile, and for the other purposes described below, to the extent legally permissible in certain jurisdictions. In addition, when you visit our websites, our advertisement partners, whom we have engaged for re-marketing, may introduce cookies. Based on your browsing of our website you may see our advertisements while browsing through our advertisement partner websites and/or their network websites. 

    Such cookies would allow us to monitor the effectiveness of the advertisements and to make the advertisements more relevant to you. By using our site, you agree that we can place cookies on your device as explained herein. If you want to remove existing cookies from your device, you can do this using your browser options. Most Internet browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. 

    2.8. Data Security 

    FPT Smart Cloud commits to secure your personal information with securities measures in place. The measures will help protecting data from the misuse, loss, leakage and/or alteration of information. Your personal information is access restricted to authorize FPT Smart Cloud’s personnel for the sake of providing service at your requirements and/or for FPT Smart Cloud’s audit, internal audit and for the purpose of law obligation. We strictly require our personnel, in any way, to protect your personal information and have use all measurements, technology and recognized security process for this purpose in compliance with government authorizations’ regulations. Regarding your use of our websites, you should understand that the open nature of the Internet is such that information and personal data may flow over networks connecting you to our systems without security measures and may be accessed and used by people other than those for whom the data is intended. 

    2.9. Links to other websites 

    This site contains links to other websites, but they are neither FPT Smart Cloud’s websites nor under control of FPT Smart Cloud. FPT Smart Cloud is not responsible for the privacy practices or the content and transactions of such websites. You are required to read carefully the Privacy part of those linked websites to assure that you have fully understood the way of personal information collection and sharing before providing your own information. You shall take all responsibility of risk that may incur when using those websites. 

    2.10. Your rights as a data subject 

    At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights: 

    • Right to be informed – you have the right to request information what kind of your personal data are collect, use, processed, for what purpose, from which source, lawful basis of processing 
    • Right of access – you have the right to request a copy of the information that we hold about you. 
    • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete. 
    • Right to be forgotten/erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records. 
    • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing. 
    • Right of portability – you have the right to have the data we hold about you transferred to another organisation. 
    • Right to object – you have the right to object to certain types of processing such as direct marketing. 
    • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling. 
    • Right to judicial review: if FPT Smart Cloud refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in below. 
    • Right to claim damages: The data subject has the right to claim damage as prescribed by law when there are violations against regulations on protection of his/her personal data, unless otherwise agreed by parties or unless otherwise prescribed by law. 
    • Right to self-protection: The data subject has the right to self-protection according to regulations in the Civil Code, other relevant laws and this Decree, or request competent agencies and organizations to implement civil right protection methods according to regulations in Article 11 of the Civil Code.  

    All the above requests will be forwarded on should there be a third party involved in the processing of your personal data. 

    FPT Smart Cloud accepts the following forms of ID when information on your personal data or data subject rights is requested: Passport, driving license, ID card. 

    2.11. Complaints 

    If you wish to make a complaint about how your personal data is being processed by FPT Smart Cloud or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and FPT Smart Cloud’s Data Protection Officer. 

    2.12. Contact details 

    Supervisory authority Vietnam contact details:  

    Contact name: Ministry of public security. 

    Address: 30 Tran Binh Trong, Hai Ba Trung Ward, Ha Noi, Vietnam 

    Telephone: + 84 692343647 

     

    Data Protection Officer (DPO):  

    Contact name: Pham The Minh. 

    Address: FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Vietnam 

    Email: MinhPT@fpt.com 

    Telephone: +84 913571357 

    Contact details of other countries supervisory authorities you can get form DPO at any time without any undue delay. 

    2.13. Changes on Privacy Statements 

    FPT Smart Cloud reserves the rights to change, modify, add or remove in whole or in part this Privacy Statement at its sole discretion, at any time. Therefore, you are responsible for regularly reviewing this statement. Changes of this Privacy Statements will be posted on this website. These changes will also be effective when they are posted. Your continued use of this statement constitutes your agreement to all such terms. 

    2.14. Contact 

    If you have any questions about our Privacy Statement or about how to protect your personal information, you can contact the Data Protection Officer of FPT Smart Cloud. 
    Data Protection Officer: Mr. Pham The Minh, Data Protection Officer. 

    Address: FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Vietnam. 

    Email: MinhPT@fpt.com. 

    Telephone: +84 913571357. 

    2.15. Document Owner and Approval 

    The Data Protection Officer (DPO) is the owner of this document and is responsible for ensuring that this statement is reviewed in line with the review requirements of the Personal Data Protection Policy. 

    This statement was approved by a Board member responsible for Data Protection.  

    3. Appendix 

     3.1. Definition 

     

    Abbreviations 

    Description 

     

    PII, Personal Identifiable Information, Personal Data 

    Refer to the personal data defined by the EU GDPR (Article 4 (1)), ‘personal data’ means any information relating to an identified  or identifiable natural person (‘data  subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person  

     

    Data Subject 

    EU GDPR (Article 4 – 1),
    Data subject refers to any individual person who can be identified, directly or indirectly. 

     

    Data Controller 

    EU GDPR (Article 4 – 7),
    Refer to the personal data defined by the EU GDPR (Article 4 (1)), ‘personal data’ means any information relating to an identified  or identifiable natural person (‘data  subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

     

    Data Processor 

    EU GDPR (Article 4 – 8),
    Data Processor means a natural or legal person, public authority, agency or anybody which processes data on behalf of the controller. 

     

    Recipient 

    EU GDPR (Article 4 – 9),
    A natural or legal person, public authority, agency or anybody, to which the personal data are disclosed, whether third party or not. 

     

    Third Party 

    EU GDPR (Article 4 – 10),
    A natural or legal person, public authority, agency or anybody other than the data subject, controller, processor and persons who under direct authority of controller or processor, are authorized to process personal data 

     

    DPO 

    Data Protection Officer 

     

    DPIA 

    Data Protection Impacted Assessment 

     

    EU 

    European Union 

       

    3.2. Related Documents 

    No 

    Code 

    Name of documents 

    1 

    EU GDPR 

    EU General Data Protection Regulation 

    2 

    PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP, VN 

    Decree of the Vietnamese Government: PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP 
    Nghị Định Quy Định Về Bảo Vệ Dữ Liệu Cá Nhân 07/2023 

    3 

    PCI DSS 

    Payment Card Industry Data Security Standard, 

    3.3. Data Protection Law, Vietnam, Overview 

    There is no single data protection law in Vietnam. Regulations on data protection and privacy can be found in various legal instruments. The right of privacy and right of reputation, dignity and honour and fundamental principles of such rights are currently provided for in Constitution 2013 (“Constitution”) and Civil Code 2015 (“Civil Code”) as inviolable and protected by law.
    Regarding personal data, the guiding principles on collection, storage, use, process, disclosure or transfer of personal information are specified in the following main laws and documents: 

    • Data Law No. 60/2024/QH15, passed by the National Assembly on 30 November 2024. This Law comes into force as of July 1, 2025. 
    • Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015 
    • Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”); 
    • Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Network Information Security Law”); 
    • Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as amended by Law No.35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“CRPL”); 
    • Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning (“IT Law”); 
    • Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”); 
    • Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification (“Decree 85”); 
    • Decree No. 72/2013/ND-CP dated 15 July 2013 of the Government, on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No.150/2018/ND-CP dated 7 November 2018 (“Decree 72”); 
    • Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018, on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade and Decree No. 85/2021/ND-CP dated 25 September 2021 (“Decree 52”); 
    • Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions (“Decree 15”); 
    • Circular No. 03/2017/TT-BTTTT of the Ministry of Information and Communications dated 24 April 2017 on guidelines for Decree 85 (“Circular 03”); 
    • Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”); 
    • Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”); 
    • Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources, as amended by Circular No. 06/2019/TT-BTTTT dated 19 July 2019 (“Circular 25”); and 
    • Decision No. 05/2017/QD-TTg of the Prime Minister dated 16 March 2017 on emergency response plans to ensure national cyber-information security (“Decision 05”). 

    Applicability of the legal documents will depend on the factual context of each case, e.g businesses in the banking and finance, education, healthcare sectors may be subject to specialized data protection regulations, not to mention to regulations on employees’ personal information as provided in Labour Code 2019 (“Labour Code”). 

    Subscribe now!

    Sign up to receive more information about products and services offered by FPT Smart Cloud!
    Register now