01. Introduction

Objective

We, ENEOS VIETNAM COMPANY LIMITED incorporated in Vietnam whose registered office is at Suites 701-703 Central Building, No. 31 Hai Ba Trung Street, Cua Nam Ward, Hanoi, Vietnam (“Company”, “we” or “us”, “our”), will process Personal Data (which may be held electronically or otherwise) about our Website Visitors and Users (each, “Data Subject” or “you”), and we recognise the importance of treating such Personal Data in a lawful and appropriate manner, in accordance with the applicable laws of Vietnam and its prevailing personal data protection policy.

The purpose of this Privacy Policy (“Policy”) is to make you aware of how we will collect, use, and process your Personal Data and the measures and processes we have put in place in order to ensure that we comply with Decree No. 13/2023/ND-CP on personal data protection and other relevant applicable laws and regulations (“Data Protection Regulations”).

Definitions used in this Policy can be found in ANNEX 1.

Scope

This Policy applies to the Company.  We act as a Data Controller or Data Processor-Controller for the Personal Data we collect about you.

02. Fair and lawful processing

We may process your Personal Data only upon receipt of your valid consent or in one of the following cases where your consent is not required:

1. In emergency cases where it is necessary to immediately process relevant Personal Data to protect your or others’ lives and health, unless otherwise provided by the Data Protection Regulations;
2. Public disclosure of Personal Data in accordance with the Data Protection Regulations;
3. Fulfilling your contractual obligations with relevant agencies, organisations, and individuals as prescribed by the Data Protection Regulations;
4. Serving the activities of state agencies prescribed by specialised laws; and
5. Other cases as permitted by the Data Protection Regulations.

03. What personal data we collect about you

We may process the following types of Personal Data for the purposes in Section 5 below:

1. Your name, work email address, personal email address, geographic location, telephone number, and other work contact details;
2. Your company name, role, position, and/or job title within your employment.
3. Your area of employment (e.g. marketing, sales, procurement);
4. Details of your preferences for types of marketing events;
5. Details of your visits to our premises and the Website.

It may be mandatory for you to provide us with your Personal Data in the cases listed in Section 2 of this Policy, to enable us to manage and improve our operations or the Website, to bring you a better experience on our Website, to provide services to your employer, to provide you with our responses, or to comply with our legal obligations, for example. In other circumstances, it will be at your discretion whether you provide us with Personal Data or not. However, unless we have another legal basis for processing your Personal Data under the Data Protection Regulations, failure to supply any of the Personal Data we may request may mean that we are unable to provide assistance, responses, services, or products to you or your employer.

We make every effort to maintain the accuracy and completeness of your Personal Data which we store and ensure all of your Personal Data is up to date. However, you can assist us with this considerably by promptly contacting us if there are any changes
to your Personal Data or if you become aware that we have inaccurate Personal Data relating to you (see Sections 10 and 13 below). We shall not be responsible for any losses arising from any inaccurate, inauthentic, deficient, or incomplete Personal Data that you provide to us.

04. How we collect and process your personal data

We usually collect your Personal Data when you visit and use the Website from the information you submit to us via the Website, during the course of your, or your employer’s relationship with us. This will typically be through business cards, the forms and documents used when you sign up for our marketing or market data news lists, are named as an authorised person to trade on behalf of your employer, or sign up for access to any of our products or services either on your own behalf or on behalf of your employer. The collected Personal Data will be input manually or automatically into our information technology system for further processing. This Personal Data, together with that collected electronically, will be Transferred to and then stored electronically and securely on servers operated by us, our group companies, or authorised third-party vendors in Vietnam or other places where our group companies or the authorised third-party vendors are located in accordance with the Data Protection Regulations and the relevant law of the relevant jurisdictions as noted in Section 7 below. Your Personal Data will be processed electronically in such servers for the Purposes (as hereunder defined). In addition, we may store backups of your Personal Data electronically and securely on a server in a location designated by us from time to time and in accordance with the Data Protection Regulations (where applicable). We, our group companies, and any other authorised parties set forth herein will access and process, if necessary, the Personal Data electronically and securely for the Purposes in accordance with this Policy.

05. What we process personal data for

We will Process your Personal Data for the following purposes (“Purposes”):

1. to respond to inquiries that you submit to us via the Website or otherwise communicate with you in relation to your inquiries;
2. to manage and improve the Website;
3. to monitor, audit, and assess compliance with any applicable laws, the Company’s policies, and standards;
4. for promotional and marketing materials and activities, including photos and videos, with the content, methods, forms, and frequency of those activities to be notified to you in advance in an appropriate manner;
5. to carry out money laundering, financial and credit checks, and for fraud and crime prevention and detection purposes;
6. to provide you or your employer with requested products or services;
7. to receive products or services from you or your employer;
8. to identify persons authorised to trade on behalf of our Customers, Suppliers and/or Service Providers;
9. for administrative purposes in relation to the security and access of our systems, premises, platforms, and secured websites and applications;
10. to contact you or your employer, our Customers, Suppliers and/or Service Providers about the services and products we offer or receive;
11. to facilitate the transfer of funds between customers and parties to transactions;
12. to comply with our legal and regulatory obligations and requests anywhere in the world, including reporting to and/or being audited by national and international regulatory bodies;
13. to comply with court orders and exercise and/ or defend our legal rights;
14. for any other legitimate business purpose; and
15. as otherwise permitted or required by the Data Protection Regulations.

We will not further process this Personal Data in a way that does not fit these Purposes. If we do intend to process your Personal Data for other purposes, we will inform you of the new purpose and will ensure that there is a valid legal basis for such processing.

06. Technical measures used on the website

Upon your access to and use of our Website, the Company shall use cookies (the technology for saving and reusing the information about the user who accessed the website) and web beacons (the technology for measuring how many times access was performed to the specific page) for the following reasons:

1. to enable the Website Visitors and Users who use our membership services  to skip inputting their password each time they visit the Website;
2. to statistically process data on Website Visitors and Users’ activity on the Website for the purpose of improving our services; and
3. to provide the Website Visitors and Users with services that are relevant to their interests and to customize services to satisfy each individual Website Visitor and User.

Please note that these technologies cannot be used to ascertain an individual user’s identity. Also, your browser can be set to block cookies or to display a warning message when cookies are received and most services on the Company’s Website can be used without cookies.  However, without cookies the services may be limited, and you may not be able to use some services.

We may also use the IP address of Website Visitors and Users’ computers for the following reasons:

1. to identify the source of and solve any server related problems that arise; and
2. for administration of the Website.

Please note that IP addresses cannot be used to ascertain an individual user’s identity.

To protect Personal Data, Secure Sockets Layer (SSL) is used for online inquiry forms on the Website.

07. International transfers of personal data

The Personal Data we collect from you may be Transferred to (including accessed in or stored in) a country or territory outside Vietnam in accordance with this Policy and the Data Protection Regulations.

08. When we may disclose your personal data

As a rule, we do not share Personal Data with third parties. However, in the circumstances listed hereafter, the Personal Data may be shared with or disclosed to third parties. In these circumstances, we impose on the third parties the same responsibility of appropriately handling the information as we are subject to, and in line with the Data Protection Regulations:

1. If valid consent has been obtained from the Data Subject; or
2. If we have legal grounds as mentioned in Section 2 above.

In the above circumstances, the Company must not sell, rent, or trade your Personal Data in any case. We will only disclose your Personal Data to the following recipients for the Purposes, and for other purposes as required by the Data Protection Regulations in the ways set out in this Policy:

1. to any group company of ENEOS Holdings, Inc., including, without limitation, (i) JX NIPPON OIL & ENERGY VIETNAM COMPANY LIMITED incorporated in Vietnam whose registered office at Land lot CN5.3G, Dinh Vu Industrial Zone, belonging to Dinh Vu - Cat Hai Economic Zone, Dong Hai 2 Ward, Hai An District, Hai Phong City; and (ii) ENEOS Xplora Consulting Service Vietnam Limited incorporated in Vietnam whose registered office at Lim Tower 3, 29A Nguyen Dinh Chieu, Sai Gon Ward, Ho Chi Minh City;
2. to third parties who Process your Personal Data on our behalf (such as our systems providers);
3. to third parties who Process your Personal Data on their own behalf but through providing us or your employer with a service on behalf of us (such as our suppliers);
4. to third parties who Process your Personal Data on their own behalf in order to actually or potentially do business with us, you, or your employer (such as our customers, distributors, suppliers, toll manufacturers, or service providers);
5. to financial institutions or regulatory bodies with whom information is shared for money laundering checks, credit risk reduction, and other fraud and crime prevention purposes;
6. to any third party to whom we assign or novate any of our rights or obligations;
7. to any prospective buyer in the event we sell any part of our business or assets; and
8. to any government, regulatory agency, enforcement or exchange body, or court where we are required to do so by applicable law or regulation or at their request.

09. How we protect your personal data and where we store it

The Company is committed to safeguarding and protecting Personal Data and maintains appropriate security to protect any Personal Data you provide us from improper or accidental disclosure, use, access, loss, modification, or damage. The Company has created and maintains a system designed to properly protect Personal Data. We have also established a compliance program, which is continually implemented and updated, that requires board members and employees to protect Personal Data. In addition, we are careful to ensure that the Personal Data is managed securely when acquiring, using, storing, and cancelling/deleting such Personal Data, and we ensure that the information will not be leaked or wrongly accessed. However, you acknowledge that no data transmission over the internet is completely secure and any transmission may be exposed to cyberattacks causing leakage of or unauthorised access to your Personal Data, and that you transmit such information to the Company at your own risk.

10. Your rights and obligations in relation to the personal data we collect

Below are the key rights and obligations with regard to the processing of the Personal Data we collect pursuant to the Data Protection Regulations:

Your rights

• To be informed of the processing of your Personal Data;
• To consent or not consent to the processing of your Personal Data, unless otherwise provided by applicable law;
• To access, review, amend, or request amendment of your Personal Data, unless otherwise provided by applicable law;
• To withdraw your consent, unless otherwise provided by applicable law;
• To delete, or request the deletion of, your Personal Data, unless otherwise provided by applicable law;
• To request restrictions on the processing of your Personal Data, unless otherwise provided by applicable law;
• To request that we provide you with your Personal Data that we store and process, unless otherwise provided by applicable law;
• To object to the processing of your Personal Data for the purposes of preventing or restricting disclosure of your Personal Data or using your Personal Data for advertising or marketing purposes, unless otherwise provided by applicable law;
• To complain, denounce, or initiate lawsuits;
• To claim for damages; and
• To self-defence.

If you have any inquiry, complaint, or request (including a request for the exercise of any of the above rights), you can make such a request by writing to the address set out below. We will respond to your request within the time prescribed by the Data Protection Regulations.

In any of the situations listed above, in order for us to comply with our security obligations and to prevent unauthorised disclosure of data, we may request that you prove your identity by providing us with a copy of a valid means of identification.

If there is a legitimate reason for us to reject such request as permitted by law, we will inform you and record the rejection together with the reason(s) for the rejection. In this situation, you agree to waive all rights with respect to liability claims against us in connection with our non-performance of any rejected request under the applicable laws and regulations.

Your obligations

• To respect and protect others’ personal data;
• To provide your Personal Data fully and accurately once you consent to the processing of your Personal Data; and
• To comply with, and to prevent and combat violations of the Data Protection Regulation.

11. How long we will hold your personal data for

Unless indicated otherwise or provided by the Data Protection Regulations, we will start processing your Personal Data from the date we receive your consent or have a legal basis for processing and retain your Personal Data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory, or internal guideline and requirements, including the Data Protection Regulations.

12. How we update or change this policy

We may change or update parts of this Policy in order to maintain our compliance with the Data Protection Regulations or following an update to our internal practices. We will do this by updating the Privacy Policy on the Website. Please be aware that you will not necessarily be directly notified of such a change. Therefore, please ensure that you regularly check this Policy on the Website so you are fully aware of any changes or updates.

This Policy was last updated on [01/07/2023].

13. How you can contact us

If you would like to contact us in relation to this Policy or anything else in connection with the Personal Data we collect on you, including, without limitation, where you would like to update your Personal Data, would like a copy of the data we collect on you or would like to raise a complaint or comment, please contact us using the details set out below.

14. How to lodge a complaint to the regulator

If you believe that we have breached the Data Protection Regulations, you are entitled to lodge a complaint with the competent regulator in accordance with applicable law.

Definitions (Annex1)

• Customers, Suppliers and/or Service Providers means corporate customers, suppliers and/or service providers of the Company (together with its employees, agents, directors, officers and shareholders).
• Data Controller means any organisation or individual that determines the purposes and means of Processing of Personal Data.
• Data Processor-Controller means a Data Controller that directly Processes the Personal Data.
• Personal Data means any information in the form of symbols, letters, numbers, images, sounds, or the like in an electronic medium that is associated with an individual or that helps to identify an individual. Personal Data comprises basic personal data and sensitive personal data. For the purposes of this definition, “information that helps to identify an individual” means information formed from an individual’s activities that allows for the identification of an individual when combined with other stored data or information
• Processing means any operation or set of operations that is performed on Personal Data such as collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, Transfer, deletion, destruction, or other relevant activities, and “Process”, “process”, “Processes”, or “Processed” shall be construed accordingly.
• Transfer and its cognates means transferring, or making available, Personal Data to another entity by any means.
• Website means the Company’s website at address https://www.eneos.vn/
• Website Visitors and Users means any individual who visits and uses the Website, including the Customers, Suppliers and/or Service Providers.