1. Introduction 

 FPT Smart Cloud Company Limited ("FPT FPT Smart Cloud" hereinafter) Personal Data Protection Policy, privacy statement, procedures, guidelines, and templates lay out strict requirements for processing personal data pertaining to customers, business partners, employees or any other individual. It meets the requirements of the European Data Protection Regulation, Personal Data Protection Decree No. 13/2023/ND-CP as well as other national Data Protection Regulations and ensures compliance with the principles of national and international data protection laws in force all over the world. The policy, privacy statement, procedures, guidelines, and templates set a globally applicable data protection and security standard for FPT Smart Cloud and regulates the sharing of information between FPT Smart Cloud, subsidiaries, legal entities, and partners. FPT Smart Cloud há eestablished guiding data protection principles – among them transparency, data economy and data security – as FPT Smart Cloud guidelines.   

1.1. Purpose 

 The FPT Smart Cloud Personal Data Protection Policy, and privacy statement applies worldwide to FPT Smart Cloud, subsidiaries as well legal entities and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of FPT Smart Cloud as a first-class employer. 

The Personal Data Protection Policy provides one of the necessary framework conditions for cross-border data transfer among FPT Smart Cloud, Subsidiaries, and legal entities. It ensures the adequate level of data protection prescribed by the European Union General Data Protection Regulation, Protection of Personal Data Decree No. 13/2023/ND-CP or other national Personal Data Protection Regulations and the national laws for cross-border data transmission, including in countries that do not yet have adequate data protection laws.  

To standardize the collection, processing, transfer, and use of personal data, and promote the reasonable, lawfully, fairly, and transparent use of personal data to prevent personal data from being stolen, altered, damaged, lost or leaked, FPT Smart Cloud establishes the Personal Data Protection Policy, Privacy Statement, and information security policies. 

1.2. Application Scope 

All processing of personal data by FPT Smart Cloud is within the scope of this procedure. 

Means, all FPT Smart Cloud’s business processes and information systems involved in the collection, processing, use and transfer of personal data and all employees, contractors and 3rd party providers involved in the processing of personal data on behalf of FPT Smart Cloud. 

This policy is binding for all departments and functions globally which are involved in personal identifiable information processing. Every FPT Smart Cloud department, legal entity or subsidiary must follow this procedure. 

In scope are all data subjects whose personal data is collected, in line with the requirements of the Protection of Personal Data Decree No. 13/2023/ND-CP, GDPR and other national/ international data protection regulation. 

1.3. Application of national Laws 

The Personal Data Protection Policy, privacy statement, procedures, guidelines, and templates comprise the internationally accepted data privacy principles without replacing the existing national/international laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with the Personal Data Protection Policy and guidelines, or it has stricter requirements than this Policy and guidelines. The content of the Personal Data Protection Policy, procedures and guidelines must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.  

Each subsidiary or legal entity of FPT Smart Cloud is responsible for compliance with the Personal Data Protection Policy, this privacy statement, guidelines, and the legal obligations. If there is reason to believe that legal obligations contradict the duties under the Personal Data Protection Policy, privacy statement, procedures or the guidelines, the relevant subsidiary or legal entity must inform the Data Protection Officer. In the event of conflicts between national legislation, the Personal Data Protection Policy, and this privacy statement, FPT Smart Cloud will work with the relevant subsidiary or legal entity of FPT Smart Cloud to find a practical solution that meets the purpose of the Personal Data Protection Policy, guidelines, and this procedure.  

 1.4. Responsibilities 

The Data Protection Officer is responsible for ensuring that the privacy statement is correct and that mechanisms exist such as having the privacy statement on FPT Smart Cloud website to make all data subjects aware of the contents of this notice prior FPT Smart Cloud commencing collection of their data.  

The Data Protection Officer is responsible for ensuring that this statement is made available to data subjects prior to FPT Smart Cloud collecting/processing their personal data. 

All Employees/ Staff of FPT Smart Cloud who interact with data subjects are responsible for ensuring that this statement is drawn to the data subject’s attention and their consent to the processing of their data is secured. 

2. Privacy Statement 

FPT Smart Cloud is part of FPT Corporation (FPT – HoSE) – the global leading technology and IT services group headquartered in Vietnam with nearly US$2.5 billion in revenue and 54,687 employees. Qualified with ISO 9001: 2015, ISO 27001:2022, ISO 27027: 2015; ISO 27018: 2019, PCI DSS, FPT Smart Cloud delivers world-class services in Cloud Computing services, Artificial Intelligence (Al) services, AI Infrastructure, AI Platform, AI as a Service, Data as a Service and Consolidation of Financial Statements solution globally from delivery centers across the Japan, Vietnam and the Asia Pacific. 

 Personal data type 

Name, email address, designation, company, country and telephone number 

IP address, demographics, your device operating system, and browser type 

Source (FPT Smart Cloud obtained the personal data from if it has not been collected directly from you, the data subject) 

FPT Smart Cloud WEB page 

2.1. Personal Information we may collect and process 

You can assess or visit our website at any time without informing us who you are or providing us any personal information. However, we may collect information at our websites in two ways: (1) directly (for example, when you provide information, such as your name, email address, designation, company, country and telephone number, to sign up for a newsletter or register to comment on a forum website); and (2) indirectly (for example, through our website’s technology, we may collect certain information such as your IP address, demographics, your computers’ operating system, and browser type). 

We do not attempt to track your personal information in order to identify you, but gathering these contact information in order to make up the web traffic routing, to diagnose problems with server for administration of our website, to better understand how you interact with our website and services and to re-design and upgrade the website for better use. If you choose not to provide your personal information that is mandatory to process your request, we may not be able to provide the corresponding service. 

  2.2. Use of collected information 

We use personal data to provide you with information you request, process online job applications, and for other purposes which we would describe to you at the point where it is collected or which will be obvious to you. For example: 

• To further fulfil your requirements on products and services 

• To contact you with the aim of developing a business relationship 

• To feedback to your idea and/or to provide you relevant information at your requirements 

• To contact you for marketing purpose such as customer surveys 

• To inform you about our company 

• To obey regulations in applicable laws 

2.3. Consent 

By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified. 

Consent is required for FPT Smart Cloud to process personal data, but it must be explicitly given. Where we ask you for personal data, we will always tell you why and how the information will be used.  

Means: FPT Smart Cloud will inform you about the purpose of the processing, contact details of the Data controller or its representative, lawful basis of the processing, personal data was obtained, if not obtained directly from the data subject. 

FPT Smart Cloud provides updated information without any undue delay and before continuing with the processing if the purposes for the processing of the personal data are changed or extended. In this case FPT Smart Cloud will ask for a new consent. 

You may withdraw consent at any time by email, a written letter or telephone call to our Data Protection Officer. 

2.4. Data recipients, transfer, and disclosure of personal information 

We do not share your personal information with third parties without seeking your prior permission. We will seek your consent prior to using or sharing personal information for any purpose beyond the requirement for which it was originally collected. However, we may share your personal information within FPT Smart Cloud or with any of its subsidiaries, business partners, service vendors, authorized third-party agents, or contractors located in any part of the world for the purposes of data processing, storage, or to provide a requested service or transaction, after ensuring that such entities are contractually bound by data privacy obligations. When required, we may disclose personal information to external law enforcement bodies or regulatory authorities, in order to comply with legal obligations. 

We do not intend for our websites or online services to be used by anyone under the age of 13. If you are a parent or guardian and believe we may have collected information about a child, please contact us as described in this Privacy Statement. 

FPT Smart Cloud considers that, as a general rule, a child of 16 and over is mature enough to understand giving of consent, they are giving and should be in a position to give that consent. All Data subjects will be required to verify their identity. Where personal data is sought in respect of a child below the age of 16, a parent or guardian must give the consent on behalf of the child. Any response will be directed to the parent or guardian. FPT Smart Cloud will need to be satisfied as to the identity of the parent or guardian, and that they are acting in the best interests of the child, before excepting the consent in respect of the child. Parent or guardian has the obligation to explain the process and the content to the child and if it is legally required (PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP) to get the consent of a child, it is parent, agent or guardian responsibility. 

If parent applying on behalf of a child under 16 years of age, FPT Smart Cloud will require proof of identity and address of parent and that of the child, together with the birth certificate of the child. 
If a legal guardian applying on behalf of a child under 16 years of age, FPT Smart Cloud will require proof of guardian identity and address and that of the data subject, together with proof of authority to act as legal guardian and the birth certificate of the child. 

If you are an agent acting on someone’s behalf (e.g. a solicitor applying on behalf of a client), FPT Smart Cloud may require proof of agent identity and address and that of the data subject, and proof that the data subject has given consent to act on their behalf. 

 2.5. Disclosure 

FPT Smart Cloud will pass on your personal data to third parties. 

Third country (non-EU) / international organisation: 

FPT Smart Cloud subsidiaries and legal entities globally 

Safeguards in place to protect your personal data: 

Processing agreement including Standard Contract Clause 

Retrieve a copy of the safeguards in place here: 

Data Protection Officer  

2.6. Retention period 

FPT Smart Cloud will process personal data for one year. Retention period 2 years or based on applicable national laws/regulations. 

2.7. Cookies policy 

Like many websites, when you access to our websites, we will use “website assessment diary”- a cookie technology to collect additional website usage data. A cookie is a small data file that we transfer to your computer to facilitate your assessment to our websites. We may use information collected from our cookies to identify user behavior and to serve content and offers based on your profile, and for the other purposes described below, to the extent legally permissible in certain jurisdictions. In addition, when you visit our websites, our advertisement partners, whom we have engaged for re-marketing, may introduce cookies. Based on your browsing of our website you may see our advertisements while browsing through our advertisement partner websites and/or their network websites. 

Such cookies would allow us to monitor the effectiveness of the advertisements and to make the advertisements more relevant to you. By using our site, you agree that we can place cookies on your device as explained herein. If you want to remove existing cookies from your device, you can do this using your browser options. Most Internet browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. 

2.8. Data Security 

FPT Smart Cloud commits to secure your personal information with securities measures in place. The measures will help protecting data from the misuse, loss, leakage and/or alteration of information. Your personal information is access restricted to authorize FPT Smart Cloud’s personnel for the sake of providing service at your requirements and/or for FPT Smart Cloud’s audit, internal audit and for the purpose of law obligation. We strictly require our personnel, in any way, to protect your personal information and have use all measurements, technology and recognized security process for this purpose in compliance with government authorizations’ regulations. Regarding your use of our websites, you should understand that the open nature of the Internet is such that information and personal data may flow over networks connecting you to our systems without security measures and may be accessed and used by people other than those for whom the data is intended. 

2.9. Links to other websites 

This site contains links to other websites, but they are neither FPT Smart Cloud’s websites nor under control of FPT Smart Cloud. FPT Smart Cloud is not responsible for the privacy practices or the content and transactions of such websites. You are required to read carefully the Privacy part of those linked websites to assure that you have fully understood the way of personal information collection and sharing before providing your own information. You shall take all responsibility of risk that may incur when using those websites. 

2.10. Your rights as a data subject 

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights: 

• Right to be informed – you have the right to request information what kind of your personal data are collect, use, processed, for what purpose, from which source, lawful basis of processing 

• Right of access – you have the right to request a copy of the information that we hold about you. 

• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete. 

• Right to be forgotten/erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records. 

• Right to restriction of processing – where certain conditions apply to have a right to restrict the processing. 

• Right of portability – you have the right to have the data we hold about you transferred to another organisation. 

• Right to object – you have the right to object to certain types of processing such as direct marketing. 

• Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling. 

• Right to judicial review: if FPT Smart Cloud refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in below. 

• Right to claim damages: The data subject has the right to claim damage as prescribed by law when there are violations against regulations on protection of his/her personal data, unless otherwise agreed by parties or unless otherwise prescribed by law. 

• Right to self-protection: The data subject has the right to self-protection according to regulations in the Civil Code, other relevant laws and this Decree, or request competent agencies and organizations to implement civil right protection methods according to regulations in Article 11 of the Civil Code.  

All the above requests will be forwarded on should there be a third party involved in the processing of your personal data. 

FPT Smart Cloud accepts the following forms of ID when information on your personal data or data subject rights is requested: Passport, driving license, ID card. 

2.11. Complaints 

If you wish to make a complaint about how your personal data is being processed by FPT Smart Cloud or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and FPT Smart Cloud’s Data Protection Officer. 

2.12. Contact details 

Supervisory authority Vietnam contact details:  

Contact name: Ministry of public security. 

Address: 30 Tran Binh Trong, Hai Ba Trung Ward, Ha Noi, Vietnam 

Telephone: + 84 692343647 

Data Protection Officer (DPO):  

Contact name: Pham The Minh. 

Address: FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Vietnam 

Email: [email protected] 

Telephone: +84 913571357 

Contact details of other countries supervisory authorities you can get form DPO at any time without any undue delay. 

2.13. Changes on Privacy Statements 

FPT Smart Cloud reserves the rights to change, modify, add or remove in whole or in part this Privacy Statement at its sole discretion, at any time. Therefore, you are responsible for regularly reviewing this statement. Changes of this Privacy Statements will be posted on this website. These changes will also be effective when they are posted. Your continued use of this statement constitutes your agreement to all such terms. 

2.14. Contact 

If you have any questions about our Privacy Statement or about how to protect your personal information, you can contact the Data Protection Officer of FPT Smart Cloud.  
Data Protection Officer: Mr. Pham The Minh, Data Protection Officer. 

Address: FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Vietnam. 

Email: [email protected]. 

Telephone: +84 913571357. 

2.15. Document Owner and Approval 

The Data Protection Officer (DPO) is the owner of this document and is responsible for ensuring that this statement is reviewed in line with the review requirements of the Personal Data Protection Policy. 

This statement was approved by a Board member responsible for Data Protection.  

3. Appendix 

 3.1. Definition 

Abbreviations 

Description 

PII, Personal Identifiable Information, Personal Data 

Refer to the personal data defined by the EU GDPR (Article 4 (1)), ‘personal data’ means any information relating to an identified  or identifiable natural person (‘data  subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person  

Data Subject 

EU GDPR (Article 4 – 1), 
Data subject refers to any individual person who can be identified, directly or indirectly. 

Data Controller 

EU GDPR (Article 4 – 7), 
Refer to the personal data defined by the EU GDPR (Article 4 (1)), ‘personal data’ means any information relating to an identified  or identifiable natural person (‘data  subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Data Processor 

EU GDPR (Article 4 – 8), 
Data Processor means a natural or legal person, public authority, agency or anybody which processes data on behalf of the controller. 

Recipient 

EU GDPR (Article 4 – 9), 
A natural or legal person, public authority, agency or anybody, to which the personal data are disclosed, whether third party or not. 

Third Party 

EU GDPR (Article 4 – 10), 
A natural or legal person, public authority, agency or anybody other than the data subject, controller, processor and persons who under direct authority of controller or processor, are authorized to process personal data 

DPO 

Data Protection Officer 

DPIA 

Data Protection Impacted Assessment 

EU 

European Union 

3.2. Related Documents 

No 

Code 

Name of documents 

1 

EU GDPR 

EU General Data Protection Regulation 

2 

PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP, VN 

Decree of the Vietnamese Government: PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP  
Nghị Định Quy Định Về Bảo Vệ Dữ Liệu Cá Nhân 07/2023 

3 

PCI DSS 

Payment Card Industry Data Security Standard, 

3.3. Data Protection Law, Vietnam, Overview 

There is no single data protection law in Vietnam. Regulations on data protection and privacy can be found in various legal instruments. The right of privacy and right of reputation, dignity and honour and fundamental principles of such rights are currently provided for in Constitution 2013 (“Constitution”) and Civil Code 2015 (“Civil Code”) as inviolable and protected by law. 
Regarding personal data, the guiding principles on collection, storage, use, process, disclosure or transfer of personal information are specified in the following main laws and documents: 

• Data Law No. 60/2024/QH15, passed by the National Assembly on 30 November 2024. This Law comes into force as of July 1, 2025. 

• Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015 

• Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”); 

• Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Network Information Security Law”); 

• Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as amended by Law No.35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“CRPL”); 

• Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning (“IT Law”); 

• Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”); 

• Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification (“Decree 85”); 

• Decree No. 72/2013/ND-CP dated 15 July 2013 of the Government, on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No.150/2018/ND-CP dated 7 November 2018 (“Decree 72”); 

• Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018, on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade and Decree No. 85/2021/ND-CP dated 25 September 2021 (“Decree 52”); 

• Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions (“Decree 15”); 

• Circular No. 03/2017/TT-BTTTT of the Ministry of Information and Communications dated 24 April 2017 on guidelines for Decree 85 (“Circular 03”); 

• Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”); 

• Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”); 

• Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources, as amended by Circular No. 06/2019/TT-BTTTT dated 19 July 2019 (“Circular 25”); and 

• Decision No. 05/2017/QD-TTg of the Prime Minister dated 16 March 2017 on emergency response plans to ensure national cyber-information security (“Decision 05”). 

Applicability of the legal documents will depend on the factual context of each case, e.g businesses in the banking and finance, education, healthcare sectors may be subject to specialized data protection regulations, not to mention to regulations on employees’ personal information as provided in Labour Code 2019 (“Labour Code”). 

I. General Policies and Regulations

FPT Cloud is owned by FPT Smart Cloud – a leading enterprise providing Artificial Intelligence (AI) & Cloud Computing (Cloud) solutions through a consolidated technology platform, diverse product ecosystem, and global connectivity. The website https://fptcloud.com/ is a property of FPT Smart Cloud with a mission to provide detailed information regarding Cloud-based products and solutions for businesses, helping them to deploy digital transformation solutions, save capital costs, and enhance operational efficiency.

Upon your visit to our website, you have agreed to the terms stated on the website. The website has the right to adjust, modify, add or delete any terms within the Terms & Conditions section at any time, and the changes will apply immediately when updated on the website without prior notice. Please check frequently for our updates.

1. Agreement on Conditions of Use

2. Features of Information Display

All information displayed on the website https://fptcloud.com/ is to clarify FPT Smart Cloud product and service information. Other related information to provide knowledge for customers will clearly cite sources.

II. Conditions of Payment Method

Terms of use | FPT Smart Cloud  

Terms and conditions agreement 

FPT Smart Cloud’s website is available for any user world wide. FPT Smart Cloud creates and maintains this website for information purposes only. By using this web site you shall be deemed to have accepted, and agreed to be bound by these terms and conditions and to comply with all applicable laws and regulations. You agreed not to interrupt or attempt to interrupt the operation of this website in any manner. You may not use this website if you do not accept these terms. 

Limited license 

This website and all content of this website, patents, copyright, trademark and other intellectual property rights are property of FPT Smart Cloud and are protected by world wide intellectual property rights laws. You agreed to comply with all intellectual property rights laws world wide in your use of this website. FPT Smart Cloud grants no express or implied rights under any patents, trademarks, copyrights or trade secret information. You may not modify, copy, transmit, sell or distribute in whole or in part of this website except that FPT Smart Cloud grants you not-exclusive, non-commercial, limited use of this website. You may not use any part or a whole of this website in order to create a part of new website and/or when you use even links on the Internet to create it without FPT Smart Cloud’s prior written consent. Notwithstanding the foregoing, any software and other materials that are made available for downloading, access, or other use from this site with their own license terms, conditions, and notices will be governed by such terms, conditions, and notices. 
 
Violation of any of these agreements will result in automatically termination of any rights granted to you without prior notice. While FPT Smart Cloud prohibits such conduct and content on its website, you understand and agree that FPT Smart Cloud cannot be responsible for the content posted on its website and you nonetheless may be exposed to such materials and that you are solely responsible for any content that you create, transmit or display while using the website and for the consequences of your actions (including any loss or damage which FPT Smart Cloud may suffer) by doing so. 

Blog 

The intent of FPT Smart Cloud’s blogs is to share information with the community. We invite you to submit comments or posts for consideration. However, before you begin using blog service, we need to make clear our respective rights and responsibilities related to this service. By accessing, creating or contributing to any blog hosted at this website, and in consideration for the service we provide to you, you must read and agree to these blog terms of service and the following terms and conditions and policies, including any future amendments. FPT Smart Cloud reserves the rights to remove any comment or user from FPT Smart Cloud blogs when it or that user violates the terms and conditions of use listed below. 

• You shall accept and agree that all content posted to FPT Smart Cloud’s blog service is the sole responsibility of the individual who originally posted the content. You understand also, that all opinions expressed by users of this site are expressed strictly in their individual capacities, and not as representatives of FPT Smart Cloud and any of its affiliates. 

• You shall not violate or threaten to violate intellectual property rights such as trademarks, copyrights of FPT Smart Cloud or any third party. 

• You shall not violate or threaten to violate the legal rights, image copyrights of FPT Smart Cloud or any third party. 

• You shall not defame, abuse, harass or discriminate FPT Smart Cloud or any third party. 

• You shall not create a false identity for the purpose of misleading others or pretend to be another person of any organization or cooperation’s representative in order to use this service. 

• You shall not in any manner post, publish or upload unlawful topic that could result in or lead to crime such as children prostitution, regulated chemical transaction, fraud, bank account transaction. 

• You shall not use obscene, racist, or sexually explicit language. 

• You shall not upload or otherwise make available, files that contain images, photographs, software or other material protected by intellectual property laws, and not as limitation, copyrights or trademarks laws unless you own or control the rights thereto or have received all necessary consent to do the same. 

• You shall not conduct any contests or publish or propagate any forwards. 

• You shall not post or publish a commercial nature designed to promote a service or product. 

• You shall not copy and distribute, upload files that contain virus, code, files or any other similar software or programs that may result in the damage of software or hardware and/or hinder the operation of FPT Smart Cloud or another user’s computer. 

• You shall not distribute promotion information or spam mails in contradiction with FPT Smart Cloud’s regulations. 

• You accepted and agreed that FPT Smart Cloud may, at its sole discretion, modify, monitor, remove or edit any content that you contribute. 

• You shall indemnify and hold harmless FPT Smart Cloud from any claims and loss incurred by FPT Smart Cloud as a result of your violation of these terms of use. 

Links to other websites 

You shall not create links to any part of FPT Smart Cloud’s website or directly to website itself from any other websites unless FPT Smart Cloud grants approval in writing, and, as a further condition to being permitted to link to this website, you agree that FPT Smart Cloud at any time, in its sole discretion, terminate permission to link to this website. 
This site contains links to other websites which have their own terms of use and provisions. We do not control any content or operation on those websites and therefore take no responsibility of those websites’ content and/or any harm or damage to you that may incur during your using of those websites. These links are created in order to facilitate your using only. FPT Smart Cloud does not imply any other third party and/or any product or service and therefore we takes no responsibility of the accuracy or, in other word, any content or safety of any operation of those websites. You accepted and agreed that we do not take any direct or indirect responsibility of any harm or damage or any expense that resulted from your trust and using of those linked websites’ content, product or service. You understand that your use of those links and websites is at your sole risk. 

Text provided in different languages 

FPT Smart Cloud’s website makes available certain posted information under text format not only in English but also in other languages. You shall understand, accept and agree that the information provided on the website is translated either by a person or by computer software with no human review, and therefore FPT Smart Cloud takes no responsibility to assure the accuracy or completeness of the translation no matter what in which way the translation is performed. Additional conditions are provided in Disclaimer of Warranty part below. 

DISCLAIMER OF WARRANTY 

YOU UNDERSTAND THAT YOUR USE OF THIS WEBSITE IS THE SOLE RESPONSIBILITY OF YOUR OWN. WE ARE ALWAYS CAREFUL DURING CONSTRUCTION AND MAINTAINANCE OF THIS WEBSITE. ALL OF THE INFORMATION, INSTRUCTIONS, SOFTWARE, PRODUCTS, PROGRAM, AND SERVICES ARE OFFERED ON A STRICTLY “AS IS” BASIS. THE WEBSITE IS OFFERED AS A FREE PUBLIC RESOURCE, WITHOUT ANY WARRANTIES, EXPRESS OR IMPLIED WHATSOEVER. IN PARTICULARLY, ANY AND ALL WARRANTIES OF FITNESS FOR USE OR MERCHANTABILITY ARE DISCLAIMED TO THE FULLEST EXTENT PERMITTED BY LAW. WITHOUT LIMITATION, FPT SMART CLOUD MAKES NO WARRANTY OR GUARANTEES THAT THIS WEBSITE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE. THE CONTENT ON THE WEBSITE IS FOR THE PURPOSE OF INFORMATION PROVISION ONLY AND SHOULD NOT BE CONSTRUED AS TECHNICAL ADVICE OF ANY MANNER. FPT SMART CLOUD ASSUMES NO RESPONSIBILITY FOR UPDATING THIS WEBSITE TO KEEP YOUR INFORMATION CURRENT OR TO ENSURE THE ACCURACY OR COMPLETENESS OF ANY POSTED INFORMATION. 

LIABILITY LIMITATION 

YOU UNDERSTAND AND AGREE THAT YOU USE THE WEBSITE AT YOUR OWN DISCRETION AND AT YOUR SOLE RISK. YOU UNDERSTAND AND AGREE THAT, IN NO EVENT, FPT CORPORATION, FPT SMART CLOUD AND ALL OF ITS AFFILIATES WILL BE LIABLE TO YOU OR ANY PARTY ON ALL HARMS AND DAMAGES (INCLUDING DIRECT AND INDIRECT DAMAGES, SPECIAL DAMAGES OR CONSEQUENTIAL DAMAGES OF ANY TYPE WHATSOEVER) RELATED TO OR ARISING FROM THE USE OF OUR WEBSITE, EVEN IF FPT SMART CLOUD IS EXPERSSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BY USING OUR WEBSITE, YOU WILL BE SOLELY RESPONSIBLE FOR: 

• ANY LOSS OR INJURY CAUSED, IN WHOLE OR IN PARTY, BY ITS ACTIONS, OMISSIONS, OR NEGLIGENCE, OR FOR CONTIGENCIES BEYOND ITS CONTROL, IN PROCURING, COMPLILING OR DELIVERING OR THE POSTED INFORMATION IN THIS WEBSITE; 

• ANY ERRORS, OMISSONS, OR INACCURACIES IN THE INFORMATION REGARDLESS OF HOW CAUSED, OR DELAYS OR INTERRUPTIOS IN DELIVERY OF THE INFORMATION; OR 

• ANY DOWNLOAD OR OTHERWISE OBTAIN MATERIALS, INFORMATION, PRODUCTS, SOFTWARE, PROGRAMS THAY MAY RESULT, INCLUDING LOSS OF DATA OR DAMAGE TO YOUR COMPUTER SYSTEM YOU SHALL COMMIT TO MAKE COMPESATION TO FPT SMART CLOUD FOR ANY RESPONSIBILITY, HARM, DAMAGE, JURISDICTION, LEGAL PROCEEDING, EXPENSES (INCLUDING LEGAL EXPENSES) RELATED TO OR ARISING DIRECTLY OR INDIRECTLY TO YOUR VIOLATION OR FAILURE TO COMPLY WITH ANY TEMRS AND CONDITIONS ON USING OF THIS WEBSITE. 

Violation & Service Termination 

Should you violate and against any applicable laws, in any manner, these Terms of Use, provisions or Privacy Statement relating to your use of this website, FPT Smart Cloud reserves the rights to postpone or terminate the authorization, rights and license given to you for accessing and using of this website at any point of time at its sole discretion. 

Choice of Laws 

These Terms of Use and provisions stated herewith will be governed by and construed in accordance with the laws of Socialist Republic of Vietnam, without giving effect to its conflict of laws provisions or your actual country, territory of residence. Any claims, legal proceeding or litigation arising in connection with these Terms of Use will be brought solely in Vietnam, and you consent to the jurisdiction of such courts. 

Privacy Policy 

Please be sure to read our Privacy Statement, which is incorporated herein by reference. 

Change of these Terms of Use 

FPT Smart Cloud reserves the rights, at its sole discretion, to modify or terminate this service for any reason, without notice at any time. You are responsible for regularly reviewing these terms. Your continued use of this website constitutes your agreement to all such terms. 

Copyright Notice 

© 2025 FPT Smart Cloud Co.Ltd. All rights reserved. FPT Smart Cloud respects the intellectual property of others, and requires that you do the same. 
This website is provided by FPT Smart Cloud as a service to its customers and may be used for informational purposes only and should not be construed as legal advice. If you need legal advice, contact a lawyer. 

Vulnerability Disclosure | FPT Smart Cloud 

Report a security or privacy vulnerability 

If you believe you have discovered a security or privacy vulnerability in an FPT Smart Cloud product, please report it to us. 
 
I. How to report a security or privacy vulnerability 
 
If you believe you have discovered a security or privacy vulnerability that affects FPT Smart Cloud products, software, services, or web servers, please report it to us. We welcome reports from everyone, including security researchers, developers, and customers. 
 
To report a security or privacy vulnerability, please send an email to [email protected] that includes: 
• The specific product and software version(s) which you believe are affected 
• A description of the behavior you observed as well as the behavior that you expected 
• A numbered list of steps required to reproduce the issue and a video demonstration, if the steps may be hard to follow 
 
Please encrypt sensitive information that you send by email. You’ll receive a reply from FPT Smart Cloud to acknowledge that we received your report, and we’ll contact you if we need more information. 
 
II. How FPT Smart Cloud handles these reports 
 
For the protection of our customers, FPT Smart Cloud doesn’t disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available. 
 
FPT Smart Cloud uses security advisories and our security-announce mailing list to publish information about security fixes in our products and to publicly credit people or organizations that have reported security issues to us. 
 
For more information on CVD, please review the information provided in the following links: 
https://www.iso.org/standard/72311.html 

Security Advisories 

FPT Smart Cloud Security Advisories are a supplement to the FPT Smart Cloud Security bulletins. They address security changes that may not require a security bulletin but that may still affect customers’ overall security. 
 
FPT Smart Cloud Security Advisories are a way for FPT Smart Cloud to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin. Each advisory is accompanied by an FPT Smart Cloud Knowledge Base Article to provide additional information about any changes or updates being delivered with the advisory’s release. 
 
Help protect your computing environment by keeping up to date on FPT Smart Cloud technical security notifications. For more information, see FPT Smart Cloud Technical Security Notifications. 

I. General Policies and Regulations

FPT Cloud is owned by FPT Smart Cloud – a leading enterprise providing Artificial Intelligence (AI) & Cloud Computing (Cloud) solutions through a consolidated technology platform, diverse product ecosystem, and global connectivity. The website https://fptcloud.com/ is a property of FPT Smart Cloud with a mission to provide detailed information regarding Cloud-based products and solutions for businesses, helping them to deploy digital transformation solutions, save capital costs, and enhance operational efficiency.

Upon your visit to our website, you have agreed to the terms stated on the website. The website has the right to adjust, modify, add or delete any terms within the Terms & Conditions section at any time, and the changes will apply immediately when updated on the website without prior notice. Please check frequently for our updates.

1. Agreement on Conditions of Use

2. Features of Information Display

All information displayed on the website https://fptcloud.com/ is to clarify FPT Smart Cloud product and service information. Other related information to provide knowledge for customers will clearly cite sources.

II. Conditions of Payment Method

 1. Introduction 

FPT Smart Cloud Limited Company ("FPT Smart Cloud" hereinafter) Corporate Data Protection Policy lays out strict requirements for processing personal data pertaining to customers, business partners, employees or any other individual. It meets the requirements of the European Data Protection Directive and ensures compliance with the principles of national and international data protection laws in force all over the world. The policy sets a globally applicable data protection and security standard for FPT Smart Cloud and regulates the sharing of information between FPT Smart Cloud, subsidiaries, and legal entities. FPT Smart Cloud have established guiding data protection principles – among them transparency, data economy and data security – as FPT Smart Cloud Personal Data Protection Policy and Information security management guidelines.  

FPT Smart Cloud managers and employees are obligated to adhere to the Corporate Data Protection Policy and observe their local data protection laws. As the Data Protection Officer, it is my duty to ensure that the rules and principles of data protection at FPT Smart Cloud are followed around the world.  

I will be pleased to answer any questions you have about data protection and international personal data transfer. 

Pham The Minh 

Data Protection Officer, [email protected], +84 913571357 

1.1. Purpose 

 This Data Protection Policy applies worldwide to FPT Smart Cloud, Subsidiaries as well as legal entities and is based on globally accepted, basic principles of data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of the FPT Smart Cloud as a first-class employer.  
The Data Protection Policy provides one of the necessary framework conditions for cross-border data transfer among FPT Smart Cloud, subsidiaries, and legal entities. It ensures an adequate level of data protection prescribed by the European Union General Data Protection Regulation, Personal Data Protection Decree No. 13, APPI, PDPA or other national Personal Data Protection Regulations and national laws for cross-border data transmission, including to countries which do not have adequate data protection law, yet.  
In order to standardize the collection, processing, transfer, and use of personal data, and promote the reasonable, lawfully, fairly and transparent use of personal data to prevent personal data from being stolen, altered, damaged, lost or leaked, FPT Smart Cloud establishes the personal data protection management policy and information security policies. 

 1.2. Application Scope 

 All processing of personal data by FPT Smart Cloud is within the scope of this procedure. 

Means, all FPT Smart Cloud’s business processes and information systems involved in the collection, processing, use and transfer of personal data and all employees, contractors and 3rd party providers involved in the processing of personal data on behalf of FPT Smart Cloud. 
This policy is binding for all departments and functions globally which are involved in personal identifiable information processing. Every FPT Smart Cloud department, legal entity or subsidiary must follow this procedure. 
In scope are all data subjects whose personal data is collected, in line with the requirements of the GDPR, Personal Data Protection Decree No. 13 and other national/ international data protection regulation.  

1.3. Application of national Laws 

This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.  
Each subsidiary or legal entity of FPT Smart Cloud is responsible for compliance with this Data Protection Policy and the legal obligations. If there is reason to believe that legal obligations contradict the duties under this Data Protection Policy, the relevant subsidiary or legal entity must inform the Data Protection Officer. In the event of conflicts between national legislation and the Data Protection Policy, FPT Smart Cloud in person the Data Protection Officer will work with the relevant subsidiary or legal entity of FPT Smart Cloud to find a practical solution that meets the purpose of the Data Protection Policy. 

1.4 Prevention of national and international Data Protection Laws Violations 

 The Data Protection Officer DPO reporting to the board member responsible for Data Protection oversees the compliance and regulatory functions FPT Smart Cloud, with the goal to identify, reduce, and monitor all areas of possible regulatory and reputational risk regarding personal data processing. 
The Personal Data Protection Policy and guidelines, procedures, templates is revised and supplemented once a year. The DPO and board member reviews and approves the Handbook promptly in the event of any material change in laws. regulations or business practices. 
DPO provides periodically an online personal data protection education programs on online training platform to keep employees informed about current regulatory developments, updates of policies and procedures, and legal requirements.  
If a violation of the Personal Data Protection policies, guidelines, procedures, templates occurs or a preliminary determination is made that a violation may have occurred, a report must be made to the DPO and Senior Management. 
The Senior Management should impose adequate sanctions on employees violating the policies. Sanctions may include any or all of the following: a letter of censure, a fine, temporary suspension of employment, termination of employment, or any other sanction deemed appropriate by Senior Management. 

2. Policy 

 2.1. Guiding principles 

2.2.1 Rules for protection of personal data 

1. The personal data shall be processed as prescribed by law. 

1. Data subjects are informed about activities related to the processing of their personal data, unless otherwise provided for by law. 

1. The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controller-cum-Processor and the Third Party. 

1. The collected personal data shall be appropriate for the scope and purposes of processing.  The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law. 

1. The personal data shall be updated and added for the processing purposes. 

1. The personal data shall be protected and secured throughout the processing. To be specific, the personal data shall be protected from violations against regulations on protection of personal data and prevention of loss, destruction or damage caused by incidents and use of technical measures. 

1. The personal data shall be stored within a period of time that is appropriate for the processing purposes, unless otherwise provided for by law. 

1. The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the rules for data processing specified in Clauses 1 through 7 of this Article and prove their compliance. 

2.2.2 Ensuring Data Subject’s Rights 

1. Right to be informed 

The data subject has the right to be informed of his/her personal data processing, unless otherwise provided for by law. 

1. Right to give consent 

The data subject has the right to give consent to the processing of his/her personal data, other than cases specified in Article 17 of Decree No 13/2023/NĐ-CP. 

1. Right to access personal data 

The data subject has the right to access his/her personal data in order to look at, rectify or request rectification of his/her personal data, unless otherwise provided for by law. 

1. Right to withdraw consent 

The data subject has the right to withdraw his/her consent, unless otherwise provided for by law. 

1. Right to delete personal data 

The data subject has the right to delete or request deletion of his/her personal data, unless otherwise provided for by law. 

1. Right to obtain restriction on processing 

1. The Data Subject has the right to obtain restriction on the processing of his/her personal data, unless otherwise provided for by law. 

1. The restriction of data processing shall be carried out within 72 hours after the request of the Data Subject, with respect to all personal data requested by the data subject, unless otherwise provided for by law. 

1. Right to obtain personal data 

The Data Subject has the right to request the Personal Data Controller and the Personal Data Controller-cum-Processor to provide him/her with his/her personal data, unless otherwise provided for by law. 

1. Right to object to processing 

1. a) The data subject has the right to object to the Personal Data Controller and the Personal Data Controller-cum-Processor processing his/her personal data in order to prevent or restrict the ddisclosure of personal data or the use of personal data for advertising and marketing purposes, unless otherwise provided for by law.
2. b) The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the data subject’s request within 72 hours after receiving the request, unless otherwise provided for by law.

1. Right to file complaints, denunciations, and lawsuits  

The Data Subject has the right to file complaints, denunciations and lawsuits as prescribed by law. 

1. Right to claim damage 

The Data Subject has the right to claim damage as prescribed by law when there are violations against regulations on protection of his/her personal data, unless otherwise agreed by parties or unless otherwise prescribed by law. 

1. The right to self-protection 

The Data Subject has the right to self-protection according to regulations in the Civil Code, other relevant laws and Decree No 13/2023/NĐ-CP, or request competent agencies and organizations to implement civil right protection methods according to regulations in Article 11 of the Civil Code. 

2.2. Customer and Provider Data (3rd party) 

2.2.1 Data processing for a contractual relationship 

Personal Data of customers and providers (3rd party) can be processed in order to establish, execute and terminate a contract. Prior to a contract – during the contract initiation phase – Personal Data can be processed to prepare bids or purchase orders or to fulfill other requests that relate to contract conclusion. Customers or providers can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by customers or providers must be complied with.  

FPT Smart Cloud does not need the consent of the Data Subject to perform contractual obligations.  

The public, means every customer, provider, data subjects must have access to information about the FPT Smart Cloud's Personal Data Protection principles and activities and must be able to communicate with FPT Smart Cloud’s Data Protection Officer in an easy way:  

Pham The Minh | Data Protection Officer, | FPT SMART CLOUD 

Address: FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Vietnam 
Cell: +84 913571357 | Tel: 1900638399 
URL: https://fptsmartcloud.com/  

2.2.2 Consent to data processing 

Data can be processed following consent by the Data Subject. Before giving consent, the data subject must be informed in accordance with company’s Personal Data Protection Policy. In order to obtain the consent of the data subject, the following contents must be notified to the data subject:  

a) The type of personal data to be processed;

b) Purpose of processing personal data;

c) Organizations and individuals may process personal data;

d) Rights and obligations of the data subject.

The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.  

2.2.3 Data processing pursuant to legal authorization 

The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions.   

2.2.4 Data processing pursuant to legitimate interest 

Personal Data can also be processed if it is necessary for a legitimate interest of FPT Smart Cloud. Legitimate interests are generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal Data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection. 

2.2.5 User data and internet 

If Personal Data is collected, processed and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects.  

If use profiles (tracking) are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement.  

If websites or apps can access Personal Data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access.  

2.3. Employee Data 

2.3.1 Data processing for the employment relationship 

In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent must be given by every candidate before processing their personal data in FPT Smart Cloud systems. Consent is also needed to use the data for further application processes or before sharing the application with other FPT Smart Cloud legal entities.  

In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorized data processing apply. 

If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the data subject.  

There must be a legal authorization to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This includes legal requirements, collective regulations with employee representatives, consent of the employee, or the legitimate interest of the company. 

Employee can also provide information about other people, such as employees’ dependents and families, so that the Company can provide relevant benefits or contract them in case of need. Before employee provide information to the company about other people, employee must inform them of the information they intend to provide to the company and must be responsible for the consent collection from their dependents and families. If employee share their information with the company, they may also need to read this Policy. 

2.3.2 Data processing pursuant to legal authorization 

The processing of personal employee data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.   

2.3.3 Collective agreements on data processing 

If a data processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorized through a collective agreement. Collective agreements are pay scale agreements or agreements between employers and employee representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended data processing activity and must be drawn up within the parameters of national data protection legislation.  

2.3.4 Consent to data processing 

 Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in this case it must be properly documented. In the event of informed, voluntary provision of data by the relevant party, consent can be assumed if national laws do not require express consent. Before giving consent, the data subject must be informed in accordance with this Data Protection Policy. 

2.3.5 Data processing pursuant to legitimate interest 

Personal Data can also be processed if it is necessary for a legitimate interest of FPT Smart Cloud. Legitimate interests are generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal Data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection. 

2.3.6 Telecommunications and Internet 

Telephone equipment, e-mail addresses, intranet, and internet along with internal social networks are provided by the company primarily for work-related assignments. They are company tools and company resources. They can be used within the applicable legal regulations and internal company policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable. 

There will be no general monitoring of telephone and e-mail communications or intranet/ internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the FPT Smart Cloud network that block technically harmful content or that analyze the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of laws or policies of FPT Smart Cloud. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed.  

2.4. Access Request of state/government or federal agency or other regulatory body 

 Requests for Personal Data Access of state/government or federal agency or other regulatory body are handled in the same way and under the same conditions as international data transfer by strictly following the requirements of the national law of the respective country. All access requests are registered in the access request register. All requests are managed by the DPO and are subject to agreement with the FPT Smart Cloud board member responsible for data protection. The DPO is responsible for communication with state/government or federal agency or other regulatory body. The DPO is responsible for the access request register. FPT Smart Cloud will inform the data subject about a request for personal data without any undue delay if it is not in contradiction to the national laws.    

2.5. Policy Review and Evaluation 

 This policy must be reviewed and evaluated twice a year to reflect the latest status of international standards, legal regulations, technologies, and businesses, and to ensure the timeliness of personal data management practices. 

2.6. Announce and Release 

This policy is based on an announcement process that will enable personnel to understand the relevant principles and provisions of the personal data protection management policy so that they can follow it.  
 
This policy must be revised and reviewed by the Data Protection Officer and the responsible FPT Smart Cloud board member. The Data Protection Officer is responsible for implementation and internal audits.   

3. Data Protection Control 

Compliance with the Data Protection Policy and the applicable data protection laws is checked annually with data protection audits and other controls. The performance of these controls is the responsibility of the Data Protection Representatives. The results of the data protection controls must be reported to the Data Protection Officer and the responsible FPT Smart Cloud board member. On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.   

4. Technical and Organizational Measures 

As non-public company processing Personal Data within a scope of an agreement for commissioned data processing, the FPT Smart Cloud must take technical and organizational procedures to ensure the compliance with the European Data Protection Regulation and other international Data Protection laws. On top of such procedure, confidentiality, integrity, availability and resilience of systems and components must be guaranteed by FPT Smart Cloud. 
 
The following groups of measures tackle all aspects of current minimum-security level. They aim at assessing FPT Smart Cloud’s level of data protection when processing personal data on behalf of the Controller. If FPT Smart Cloud connects to the Controller’s systems, FPT Smart Cloud must complete at least the confidentiality part, whereby FPT Smart Cloud will need to have the access and access authorization controls as well as the segregation of duties controls completed (sections b) c) d) below).   
 
Below the technical and organizational measures currently realized within FPT Smart Cloud. A continuous improvement process is implemented: 

4.1. Confidentiality 

a) Access Control / Building Security 

The aim of the Access Control is to prevent unauthorized use of data processing systems which are used for the processing and the use of Personal Data. 

Each employee’s user master data and individual identification code are registered in the contact directory. Admission to the data processing systems is only possible after identification and authentication by using the identification code and the password for the particular system. 

☒ Alarm system 

☒ Protection of building shafts 

☒ Automatic access control system 

☒ Access control by chip card transporter 

☒ Locking system with code lock 

☒ Manual locking system 

☐ Biometric access control 

☒ Video surveillance of entrances 

☐ Light barriers / motion sensors 

☒ Safety locks 

☒ Key transfer regulation (hand-over of keys etc.) 

☒ Identity check by janitor/reception 

☒ Recording visitors 

☒ Commitment of special selected cleaning staff 

☒ Commitment of special selected security 

☒ Commitment to wear authorization card staff 

b) Physical Access Control/ System Protection 

The aim of the Physical Access Control is to prevent unauthorised people from physically accessing such data processing equipment which processes or uses Personal Data. 

Due to their respective security requirements, business premises and facilities are subdivided into different security zones with different access authorizations. They are monitored by security personnel. 

Access to special security areas such as the service centre for remote maintenance or ODC is additionally protected by a separate access area. The constructional and substantive security standards comply with the security requirements for data centers. 

☒ Internal access control 

☒ Isolation control (permission for user rights) 

☒ Strong password specification 

☐ Biometric authentication 

☒ Authentication a username/password 

☒ Assignment of user profiles to IT Systems 

☒ Locking server housing/computers 

☒ Use of VPN technology (remote access) 

☒ Locking external interfaces (USB etc.) 

☒ Encryption of mobile data media 

☒ Intrusion detection system 

☐ Central smartphone administration (e.g., remote deletion) 

☐ Encryption of smartphone content 

☐ Secure passwords for smartphones 

☒ Encryption of data media on laptop computers 

☒ Assignment of individual usernames 

☐ Or else, please specify: 

c) Electronic Access Control/Securing Access Authorization 

Measures regarding Electronic Access Control are to be targeted on the fact that only such data can be accessed for which an access authorization exists, and that Personal Data cannot be read, copied, changed, or deleted in an unauthorized manner during the processing, use and after the saving of such data. 

Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept. 

 ☒ Rights authorization concept 

☒ Rights management by system administrator 

☒ Number of system administrators “reduced to a minimum” 

☒ Recording of deletion 

☒ Logging of system access events, especially entries, changes and deletions of data 

☒ Application of virus protection 

☒ Physical deletion of media prior to reuse 

☒ Application of software firewall 

☒ Secure storage of data carriers 

☒ Password policies (incl. defined password length, password changes) 

☒ Encryption of data carriers 

☒ Use of appropriate shredders resp. specialized service providers 

☒ Application of hardware firewall 

☒ Proper destruction of data carriers 

☐ Or else, please specify: 

☒ Access logs 

d) Separation control/ Measures to safeguard the separation of purposes for which Personal Data have been collected 

The aim of the Separation Control is to ensure that data which have been collected for different purposes can be processed separately. 

Personal Data is used by the Processor for internal purposes only. A transfer to a third party such as a Sub-Contractor is solely made under consideration of contractual arrangements and European Data Protection Regulation. 

Processor’s employees are instructed to collect, process, and use Personal Data only within the framework and for the purposes of their duties (e.g., service provision). At a technical level, multi-client capability, the separation of functions as well as the separation of testing and production systems are used for this purpose. 

☒ Physically separate storing using separate systems or data carrier 

☒ Definition of an authorization concept 

☒ Division between productive and testing systems 

☒ Encryption of data records, processed for the same purpose 

☒ No productive data in testing systems 

☒ Logical client separation (software based) 

☐ Or else, please specify: 

e) Pseudonymizing 

The processing of Personal Data in such a way that the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures. 

 ☒ Pseudonymously (or anonymous) processing of data 

☒ Separation of assignment file and storage in a separate, secure IT system 

4.2. Integrity 

 a) Data Transfer Control/Data Transfer Security 

The aim of the Data Transfer Control is to ensure that Personal Data cannot be read, copied, changed, or deleted without authorization during their transfer and that it can be monitored and determined to which recipients a transfer of Personal Data is intended. 

The transfer of Personal Data by FPT Smart Cloud to a third party (e.g., customers, sub-contractors, service provider) is only made if a corresponding contract exists, and only for a specific purpose. If Personal Data is transferred to companies with their seat outside the EU/EEA or the original country, FPT Smart Cloud provides that an adequate level of data protection exists at the target location or organization in accordance with the European Union’s Data Protection Regulation, e.g., by employing contracts based on the EU model contract clauses. 

 ☒ Establishment of dedicated lines resp. VPN-tunnel 

☒ Email encryption 

☒ Recording of data recipients as well as periods of scheduled transmission resp. agreed deletion periods 

☒ Physical transport: selection of special transport staff and carrier 

☐ Or else, please specify: 

☒ Data transfer in an anonymous or pseudonymous way 

☒ Creation of an overview of regular data request as well as data transfer 

☒ Physical transport: Use of secure transport containers/-packing 

☒ Use of encrypted external devices when transferring data (CD, USB, stick etc.) 

b) Input control 

 The aim of the Input Control is to make sure with the help of appropriate measures that the circumstances of the data entry can be reviewed and monitored retroactively. 

System inputs are recorded in the form of log files. By doing so, it is possible at a later stage to review whether and by whom Personal Data was entered, altered or deleted 

☒ Creation of an overview proving which application entitles to input, modify or remove which data 

☒ Permission settings to entitle to input, modify and delete data in accordance with a right allocation concept 

☒ Continual logging of inputs, modification and deletion of data 

☒ Use of individually assigned usernames to ensure access control or input, modification or deletion of data 

☒ Retention of a filing system to evaluate the origin of data transmitted to automatically processed data 

☒ Activity logs 

☐ Or else, please specify. 

4.3. Availability and Resilience 

a) Availability control and protection to prevent accidental or willful destruction or loss 

The aim of the availability control is to ensure that Personal Data is protected against accidental destruction and loss. 

If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done to prevent accidental deletions or possible intentional damage. 

☒ Server rooms equipped with air conditioning, protective plugs, fire extinguishers 

☒ Back-ups stored separately in a safe place 

☒ Emergency plan 

☒ Business continuity plan 

☒ No server rooms below sanitary facilities 

☒ Regular data file back-ups 

☒ Supervision emergency plan 

☐ Or else, please specify: 

b) Rapid Recovery 

 ☒ Recovery acc, back-up and recovery concept 

☒ Recovery testing 

☒ Supervision emergency plan 

4.4. Procedures to handle regular review, valuation and evaluation 

a) Data Protection Management 

 ☒ The principles relating to processing of personal data (collection, processing or use) are subject to an internal company policy 

☒ The data protection officer has been designated in written form 

☒ Employees are committed to data confidentiality/handling of personal data 

☒ Employees are committed to comply with the regulations regarding the secrecy of telecommunications 

☒ An internal list of processing operations is available.   

☒ The data protection officer is involved in the data protection impact assessment 

☒ The data protection officer is member of the organizational chart 

☒ Employee training courses.   

☒ Implementation of a control system designed to detect unauthorized access to personal data 

☐ Or else, please specify: 

b) Incident Response Management 

 It corresponds to incident management in case of detected or suspected security incidents resp. failure related to IT sectors. 

☒ Processing scheme for incident management 

☒ Team practicing realistic exercises 

☒ Security team designated and trained 

☐ Or else, please specify: 

c) Data protection by implementation of appropriate technical measures and privacy by default settings (as per EU Regulation) 

☒ Adherence to privacy by Design/data protection by appropriate technologies 

☒ Selection of privacy-enhancing technologies for future requirements 

☒ Adherence to privacy by Default/data protection by appropriate settings 

☐ Or else, please specify: 

d) Supervision/Engagement of sub-contractors 

No data processing is to be carried out without prior specific authorization of the Controller, e.g. clear contractual obligation, formalized order management, strict selection of the service provider, obligation for advance verification, follow-up inspection. 

☒ Selection of (sub)contractors subject to professional diligence (in particular with regard to data security) 

☒ Guidelines drawn up for processor documented in writing (e.g. by data processing agreement) 

☒ Processor designated data protection officer (if necessary) 

☒ Effective controller’s supervision rights agreed 

☒ Prior to engagement, verification of security measures recorded by sub-contractor 

☒ Processor’s employees are committed to sign a secrecy/confidentiality agreement 

☒ Ensure erasure or destruction of data after termination of the contract 

☒ Continuous review of processor and his activities 

☐ Or else, please specify: 

 5. Personal Data Protection Training 

Every new employee must join the first day Personal Data Protection training. 

For every employee processing personal data, it is mandatory to join the Personal Data Protection training including a successful exam before starting personal data processing. An annually refresh training is also mandatory. 

6. Data Protection Officer 

The Data Protection Officer, being internally independent of professional orders, works towards the compliance with national and international data protection regulations. He is responsible for the Data Protection Policy and supervises its compliance. The Data Protection Officer is appointed by the FPT Smart Cloud Board. 

Any data subject may approach the Data Protection Officer, at any time to raise concerns, ask questions, request information, or make complaints relating to data protection or data security issues. If requested, concerns and complaints will be handled confidentially. 

Contact details for the Data Protection Officer and staff are as follows: 

FPT Smart Cloud Company, Ltd. 

Data Protection Officer, Pham The Minh 

FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Viet Nam   

Cell: +84 913571357 

E-mail: [email protected]   

7. Responsibilities and Disciplinary 

The executive bodies of FPT Smart Cloud, subsidiaries and legal entities are responsible for data processing in their area of responsibility. Therefore, they are required to ensure that the legal requirements, and those contained in the Data Protection Policy, for data protection are met (e.g., national reporting duties). Board of Managers are responsible for ensuring that organizational, HR and technical measures are in place so that any data processing is carried out in accordance with data protection. Compliance with these requirements is the responsibility of the relevant employees. If external agencies perform data protection controls, the Data Protection Officer must be informed immediately. 

Improper processing of personal data, or other violations of the data protection laws, can be criminally prosecuted in many countries, and result in claims for compensation of damage. Violations for which individual employees are responsible can lead to sanctions under employment law. 

If you do not understand the implications of this policy or how it may apply to you, seek advice from the DPO via the phone or email (Pham The Minh, phone: +84913571357, email: [email protected]). 

8. Supplementary Guidelines and Documents 

Personal Data Protection Policy  

Every FPT Smart Cloud employee can find these Policies, Guidelines, procedures  and templates on the platform QMS.  

9. Exceptions 

Any exception must be reviewed and approved by Data Protection Officer and also approved by the responsible board member of FPT Smart Cloud. 

10. Appendix 

 10.1. Definition 

Abbreviations 

Description 

 PII, Personal Identifiable Information, Personal Data 

Refer to the personal data defined by the EU GDPR (Article 4 (1)), ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  

Data Subject 

EU GDPR (Article 4 – 1), Data subject refers to any individual person who can be identified, directly or indirectly. 

Data Controller 

EU GDPR (Article 4 – 7), Data Controller means the natural or legal person, public authority, agency or anybody which alone or jointly with others, determines the purpose and means of processing of personal data; where the purpose and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. 

Data Processor 

EU GDPR (Article 4 – 8), Data Processor means a natural or legal person, public authority, agency or anybody which processes data on behalf of the controller. 

Recipient 

EU GDPR (Article 4 – 9), A natural or legal person, public authority, agency or anybody, to which the personal data are disclosed, whether third party or not. 

Third Party 

EU GDPR (Article 4 – 10), A natural or legal person, public authority, agency or anybody other than the data subject, controller, processor and persons who under direct authority of controller or processor, are authorized to process personal data 

DPO 

Data Protection Officer 

DPIA 

Data Protection Impacted Assessment 

EU 

European Union 

10.2. Related Documents 

No 

Code 

Name of documents 

1 

EU GDPR 

EU General Data Protection Regulation 

2 

PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP, VN 

Decree of the Vietnamese Government: PERSONAL DATA PROTECTION DECREE NO. 13/2023/ND-CP  
Nghị Định Quy Định Về Bảo Vệ Dữ Liệu Cá Nhân 07/2023 

3 

PCI DSS 

Payment Card Industry Data Security Standard, 

10.3. Data Protection Law, Vietnam, Overview 

There is no single data protection law in Vietnam. Regulations on data protection and privacy can be found in various legal instruments. The right of privacy and right of reputation, dignity and honour and fundamental principles of such rights are currently provided for in Constitution 2013 (“Constitution”) and Civil Code 2015 (“Civil Code”) as inviolable and protected by law. 
Regarding personal data, the guiding principles on collection, storage, use, process, disclosure or transfer of personal information are specified in the following main laws and documents: 

• Data Law No. 60/2024/QH15, passed by the National Assembly on 30 November 2024. This Law comes into force as of July 1, 2025. 

• Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015 

• Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”); 

• Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“Network Information Security Law”); 

• Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as amended by Law No.35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws (“CRPL”); 

• Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning (“IT Law”); 

• Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”); 

• Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification (“Decree 85”); 

• Decree No. 72/2013/ND-CP dated 15 July 2013 of the Government, on management, provision and use of Internet services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree No.150/2018/ND-CP dated 7 November 2018 (“Decree 72”); 

• Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018, on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade and Decree No. 85/2021/ND-CP dated 25 September 2021 (“Decree 52”); 

• Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions (“Decree 15”); 

• Circular No. 03/2017/TT-BTTTT of the Ministry of Information and Communications dated 24 April 2017 on guidelines for Decree 85 (“Circular 03”); 

• Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”); 

• Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”); 

• Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources, as amended by Circular No. 06/2019/TT-BTTTT dated 19 July 2019 (“Circular 25”); and 

• Decision No. 05/2017/QD-TTg of the Prime Minister dated 16 March 2017 on emergency response plans to ensure national cyber-information security (“Decision 05” ). 

Applicability of the legal documents will depend on the factual context of each case, e.g businesses in the banking and finance, education, healthcare sectors may be subject to specialized data protection regulations, not to mention to regulations on employees’ personal information as provided in Labour Code 2019 (“Labour Code”). 

FPT Corporation Data protection Regulation: 

 Vietnamese: Chinh sach bao mat du lieu ca nhan (01-CS/TT/HDCV/FPT v1.0) Chính sách bảo mật dữ liệu cá nhân 

 Vietnamese: Chinh sach bao mat du lieu ca nhan cua can bo nhan vien (02-CS/TT/HDCV/FPT v1.0) Chính sách bảo mật dữ liệu cá nhân của cán bộ nhân viên 

Any risk and violation you want to inform, please report immediately by following:

Data Protection Officer, Pham The Minh 

FPT Tower, 10 Pham Van Bach Street, Cau Giay Ward, Ha Noi, Viet Nam   

Cell: +84 913571357 

E-mail: [email protected]   

個人情報保護方針 

（プライバシーステートメント）について 

制定年月日 2009年2月12日 

最終改正年月日 2025年2月24日 

ＦＰＴジャパンホールディングス株式会社 

代表取締役社長 ド・ヴァン・カック

当社は、ＦＰＴジャパンホールディングス株式会社および子会社（以下総称して「当社グループ」）、取り扱う全ての個人情報の保護について、社会的使命を十分に認識し、本人の権利の保護、個人情報に関する法規制等を遵守します。また、以下に示す方針を具現化するための個人情報保護マネジメントシステムを構築し、最新のＩＴ技術の動向、社会的要請の変化、経営環境の変動等を常に認識しながら、その継続的改善に、全社を挙げて取り組むことをここに宣言します。 

       2. 個人情報保護方針 

• 個人情報は、ソフトウェア開発および情報サービス業務における当社の正当な事業遂行上並びに従業員の雇用、人事管理上必要な範囲に限定して、取得・利用及び提供をし、特定された利用目的の達成に必要な範囲を超えた個人情報の取扱い（目的外利用）を行いません。また、目的外利用を行わないための措置を講じます。 
• 個人情報保護に関する法令、国が定める指針及びその他の規範を遵守致します。 
• 個人情報の漏えい、滅失、毀損などのリスクに対しては、合理的な安全対策を講じて防止すべく事業の実情に合致した経営資源を注入し、個人情報セキュリティ体制を継続的に向上させます。また、個人情報保護上、問題があると判断された場合には速やかに是正措置を講じます。 
• 個人情報取扱いに関する苦情及び相談に対しては、迅速かつ誠実に、適切な対応をさせていただきます。 
• 個人情報保護マネジメントシステムは、国内外に適用される法令、ガイドライン等の当社を取り巻く環境の変化を踏まえ、適時・適切に見直してその改善を継続的に推進します。 

当社が事業で取扱う全ての個人情報に関する取扱いを定めるものです。 

        4. 個人情報の取扱い方針（取得、利用目的、共同利用、第三者提供等） 
         (1) 個人情報の取得 

当社は、以下の方法で個人情報を取得します。 
(ア)お客様や従業員から直接個人情報の提供を受ける場合（名刺、契約等の書面、Webサイト、口頭など）
(イ)お客様が当社へのお問い合わせ、または当社サービスを利用する際に自ら個人情報を登録する場合

(ウ)業務委託先、ビジネスパートナーを含む第三者からお客様の個人情報の提供を受ける場合

(エ)刊行物やインターネット等で公開された個人情報を取得する場合

(オ)公的機関に照会して入手する場合

当社は、以下の目的で個人情報を利用します。 

営業、マーケティング、研究開発等の活動およびお客様との関係維持に関する管理のため例として、以下のような利用が含まれます。

• お客様からのお問い合わせ対応、記録またはその他のカスタマーサポートの提供のため 
• 当社および当社グループが取り扱うサービスやソリューション、イベント等に関する情報のご案内のため（ダイレクトメール、メールマガジン等の方法で）
• 当社および当社グループより依頼したアンケートの回答結果やサービスの利用状況、Webサイト上の行動履歴等を分析し、お客様に適切と判断する情報の提供のため、また得られた傾向・知見等を当社が発信するリリース情報や事例等で公開するため

              (イ) 従業員、及びそのご家族に関する個人情報 

雇用及び人事管理のため

例として、以下のような利用が含まれます

• 入社や退職手続き等の雇用および人事管理のため 
• 勤怠や給与等の労務管理のため
• 社員証の発行やオフィスビルの入館手続き、防犯のため 

              (ウ) 業務委託先、ビジネスパートナー、その他関係会社の従業員に関する個人情報 

委託業務、関連取引の実施およびの関係維持に関する管理のため例として、以下のような利用が含まれます 

• 見積書、契約書等の送付先・事務連絡先を把握するため 
• 委託業務の円滑な遂行のための連絡手段を整備するため
• イベントの企画や共催、また結果の報告等を当社が発信するリリース情報や事例等で公開するため 

              (エ) 弊社、及び弊グループの人材採用活動における応募者に関する個人情報

選考および採否に関する連絡のため例として、以下のような利用が含まれます

• 応募者の適格性を評価するため 
• 応募者に当社および当社グループの雇用機会やイベント等を案内するため
• 当社および当社グループより依頼したアンケートの回答結果やサービスの利用状況、Webサイト上の行動履歴等を分析し応募者に有益と判断する情報の提供のため、また得られた傾向・知見等を当社が発信するリリース情報や採用情報サイト等で公開するため 

当社は、前記「（２）取得した個人情報の利用目的」にて定める個人情報をその利用目的の範囲内において、ベトナムにあるＦＰＴスマートクラウドを中心とする各グループ各社と共同利用する場合があります。この場合の共同利用する個人情報の管理責任は、当社となります。なお、ＦＰＴスマートクラウドにおけるデータ保護ポリシーおよび当該国の個人情報保護に関する制度は以下の通りです。

• 当社は、次に掲げる場合を除き、取得した個人情報を本人の同意を得ることなく、第三者に提供することはありません。また、利用目的を遂行するために外部に委託する場合があります。委託先については、情報保護に関するセキュリティ対策、管理方法を評価の上、必要な安全対策を実施している企業に限定することとし、当社は適切に管理・監督を行ないます。 
• 事前にお客さまに同意をいただいている場合 
• 個人を特定できない統計情報、または匿名加工情報に処理した上でその結果を提供する場合
• 法令に基づく開示を要求された場合 
• 人の生命、身体又は財産の保護のために必要があり、本人の同意を得ることが困難である場合 
• 当社が個人情報の取扱について評価・監督している委託先へ業務を委託する場合 

当社で保有している保有個人データに関して、ご本人様又はその代理人様からの利用目的の通知、開示、内容の訂正、追加又は削除、利用の停止、消去及び第三者への提供の停止および第三者提供記録の開示の請求（以下、「開示等の請求」といいます）につきましては、以下の要領にて対応させていただきます。 

会社名：ＦＰＴジャパンホールディングス株式会社 

代表者：ド・ヴァン・カック

住所：東京都港区三田3丁目5−19 住友不動産東京三田ガーデンタワー33階 

個人情報保護管理者：ファン・ティ・タイン・ホア

役職：取締役 執行役員 兼 最高執行責任者

連絡先：[email protected]

       (3) 保有個人データの取扱いに関する苦情の申し出先 

ＦＰＴジャパンホールディングス株式会社 

個人情報問合せ窓口 

電話番号：03-6634-6868 

【当社の商品・サービスに関する問合せ先ではございません】 

認定個人情報保護団体の名称：一般社団法人日本情報システム・ユーザー協会（JUAS） 

苦情の解決の申出先：認定個人情報保護団体事務局 

住所：認定個人情報保護団体事務局 

電話番号：03-6264-1318 

受付時間 10:00〜16:00（土、日、祝日休み） 

       (5) 保有個人データの開示等の求めに応じる手続き

             (ア)開示等の求めの申し出先 
                  開示等のお求めは、上記個人情報問合せ係にお申し出ください。
             (イ)開示等の求めに関するお手続き 

• • • お申し出受付け後、当社からご利用いただく所定の請求書様式「保有個人データ開示等請求書」を郵送いたします。
    • ご記入いただいた請求書、代理人によるお求めの場合は代理人であることを確認する書類、手数料分の郵便為替（利用目的の通知並びに開示の請求の場合のみ）を上記個人情報問合せ係までご郵送ください。 
    • 上記請求書を受領後、ご本人確認のため、当社に登録していただいている個人情報のうちご本人確認可能な2項目程度（例：電話番号と生年月日等）の情報をお問い合わせさせていただきます。
    • 回答は原則としてご本人に対して書面（封書郵送）にておこないます。

             (ウ) 代理人によるお求めの場合、代理人であることを確認する資料

開示等をお求めになる方が代理人様である場合は、代理人である事を証明する資料及び代理人様ご自身を証明する資料を同封してください。各資料に含まれる本籍地情報は都道府県までとし、それ以降の情報は黒塗り等の処理をしてください。また各資料は個人番号を含まないものをお送りいただくか、全桁を墨塗り等の処理をしてください。 

1回のお求めにつき1,000円

（お送りいただく請求書等に郵便為替を同封していただきます。） 

当社は、お客様へのサービスのためクッキーを使用することがあります。お客様がブラウザの設定でクッキーの送受信を許可している場合、当社はお客様のコンピュータに保存されたクッキーを取得し、収集した行動履歴と個人情報を紐付ける場合があります。

なお、お客様はご使用されているWebブラウザの設定により、Cookieの受け取りを拒否したり、警告を表示することが可能です。

ただし、Cookieの受け取りを拒否された際には、当社および他社がCookieを使用して提供するサービスの一部もしくは全てのサービスがご利用できなくなる場合もありますので、ご了承ください。 

Cookie（クッキー）とは

当社のWebサイトでは、一部のページで「Cookie」という技術を使用しています。CookieはWebサイトを管理するWebサーバーとお客様のWebブラウザとの間で相互にやり取りされる情報のことです。Cookieを使用すると、Webサーバーは特定のコンピュータがWebサイト上のどのページを閲覧したのかなどの情報を記録することが可能となります。

Webビーコンとは

Cookieと一緒に機能し、お客様が当社の特定のページに何回アクセスしたのかを知ることができる技術です。