Privacy Center

HEINEKEN Vietnam feels very strongly about protecting the personal data that it is entrusted with. We strive to handle personal data with care according to our internal standards and applicable local law, to be transparent on how we use personal data and how individuals can exercise their data privacy rights.

 

THE 6 HEINEKEN PRIVACY PRINCIPLES

Everyone at HEINEKEN Vietnam is responsible for adhering to the 'HEINEKEN 6 Privacy Principles' and making them part of their daily business practices.

Principle 1: Use Limitation

Define clear business purposes before you start collecting personal data. Limit the use of personal data to what is needed to achieve your business purposes.

Principle 2: Data Minimisation

Only use the personal data that is necessary for the business purpose and restrict access to ‘need-to-know’. Delete the personal data when no longer needed. Keep the personal data up to date and correct.

Principle 3: Sensitive Data

Be extra careful when using sensitive data such as health, religion, social security numbers. Ask the Privacy Officer for advice if you wish to use sensitive data.

Principle 4: Transparency & Rights of Individuals

Communicate about what you do with personal data by means of privacy notices and other statements. Facilitate individuals exercising their rights in respect of their personal data.

Principle 5: Security

Have appropriate organisational and technical security measures in place to protect the personal data from unauthorised and unwanted access or use. Staff accessing the data must be bound by confidentiality obligations.

Principle 6: Third Party Access

Ensure required safeguards are in place when allowing third parties to access the personal data. Additional measures may be needed for international data transfers.

 

PRIVACY NOTICES 

The responsible HEINEKEN Vietnam will inform the relevant individuals about the processing of personal data in a transparent manner. Depending on how and where the personal data is collected, information, will be presented via the appropriate means, for instance in the form of a Privacy Notice/Policy. 

HEINEKEN Vietnam Website Privacy Policy 

 

YOUR PRIVACY RIGHTS 

Every individual whose personal data we process has the right to request an overview of their personal data. You also have the right to request data rectification or deletion or to revoke your consent for or object to the processing of your personal data. To make a privacy request, please use the process indicate in the applicable Privacy Policy. 

 

NOTICE ON TERMS OF EMPLOYEE DATA PROTECTION WHEN APPLYING THE ACCESS CONTROL PROCESS AND SURVEILLANCE CAMERA SYSTEM AT THE COMPANY WORKPLACES (HEREINAFTER REFERRED AS “NOTICE”) 

HEINEKEN Vietnam Brewery Limited Company and its affiliates, branches & representative offices (hereinafter referred as "HVN" or "We" or "Us" or “the Company”) are committed to protecting the privacy of our employees. 

In order to ensure the Health & Safety of our employees and security at any offices and workplaces (hereinafter referred as “Workplaces”) of the Company, HVN needs to install access control and Surveillance camera system at such Workplaces. To implement this controls, we need to collect and process some personal data of employees and third parties’ employees & contractor’s employees working at HVN premises (hereinafter referred as “Employee” or “you”). Before we process your personal data, we need you to consent for HVN to process such data for the specific purpose mentioned below and in accordance with applicable laws & regulations on personal data protection.

The access control arranges three options to register access control: (1) Face recognition, (2) fingerprint and (3) card scanning. Employees are reserved the right to choose one of three options to register for access control to HVN Workplaces. 

The surveillance camera system (“CCTV system”) is arranged to ensure security and safety at HVN Workplaces. Details of the Notice on personal data protection terms for CCTV system shall be also attached hereto as an integral part of this Notice. You are required to read such Notice carefully and give consent for Us to process your personal data for the surveillance camera system.

We respect your privacy, and we are committed to keeping your Personal Data secure and managing it in accordance with our legal responsibilities under applicable laws and regulations on personal data protection.

In this Notice, we describe how we process and protect your personal data through the use of the Company’s access control equipment. We are the Controller of your personal data.

1. For which purposes do we use your personal data 

We use your personal data for the following purposes:

• To ensure the Health & Safety of employees and to respond to technology application needs in managing access control to HVN offices & working premises effectively.
• Ensure security when entering and leaving the Company’s offices & working premises, protect the assets of employees and the company.
• Protect the legitimate interests of HVN and its employees.

2. Which types of personal data do we use

To register to use this control, we need employees to provide the following information: full name, employee code, and department. 

If you sign up for the Face Recognition option, you will be asked to provide facial recognition data (collecting recognition through the pupil of the eye).

If you sign up for the fingerprint option, you will be asked to provide fingerprint data (collecting recognition through fingerprint sensor).

HVN's workplace has a surveillance camera system to ensure security and safety at the workplace. Therefore, your images will also be recorded and stored by CCTV system with certain period. Please find further details of the Notice on personal data protection terms for surveillance camera system.

Your information that we collect and process will be completed, relevant and only for the specific purposes set out in section 1 of this Notice. Your information needs to be as accurate as possible and needs to comply with current laws on personal data protection. 

3. Methods of processing your personal data

By reading and selecting the facial recognition or fingerprint method or card scanning, you agree that your information will be collected, stored, and used by any method in accordance with the company’s policies and/or practices from time to time, including without limitation, collection, recording, validation, storage, modification, combination, access, retrieval, encryption, copying, transmission, deletion, cancellation, and other related actions. All of these methods must be consistent with the purposes set out in section 1 of this Notice.

4. Who has access to your personal data

Only members of the HVN access control group have the right to access to your personal data to perform the work under their responsibility and any of the purposes described in this Notice.

5. Undesirable consequences and damage that may occur

We consider your personal data as an important asset of the Company and we will ensure confidentiality, safety, legal compliance, and limit possible unwanted consequences and damages that might occur (including but not limited to: data leakage or inappropriate data processing that harms your legitimate rights and interests).

6. Security

We shall take appropriate commercially reasonable technical, physical, and organizational measures to protect personal data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access.

We do not share the personal data of employees collected for this device to any third party.

We shall notify the Employee of a Data Security Breach within a reasonable period following discovery of such breach, unless a law enforcement official or supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security. In this case, notification shall be delayed as instructed by such authority. We shall respond promptly to inquiries of Employees relating to such Data Security Breaches.

7. How long do we retain your personal data

We will retain your personal data for as long as required by law or for as long as necessary for any of the purposes listed in this Privacy Statement, or to comply with legal requirements to which We are subject, as long as reasonably necessary for archival purposes or as long as consistent with the applicable statute of limitations. We will take reasonable steps to destroy or de-identify the personal data we hold if it is no longer needed for the purposes set out above or after the expiration of the defined retention term.

Time start processing your personal data: after you agreed with this Notice.

Time to end processing your provided personal data: when the employees resign, contractor’s employees completed their jobs at the Company, we will delete the data within 30 days from the time the employee completes the job handover on the last working day excepting surveillance camera data. End time for processing surveillance camera data shall comply with the Notice on personal data protection terms for surveillance camera system (attached hereto).

8. Your rights and obligations

You have rights to your personal data, which include: the right to consent, the right to withdraw consent, the right todeletion, the right to restrict data processing and other rights as prescribed by applicable law on personal data protection.

You have an obligation to: protect your personal data; respect and protect the personal data of others; Provide complete and accurate personal data when giving consent to process personal data; and other obligations according to current laws on personal data protection.

9. Access and correction requests, questions and complaints

Please keep your personal data up to date and inform us of any significant changes.

You have the right to request the provision of aggregate data about your personal data that has been processed by us. You have the right to request your data to be corrected, deleted, or restricted (if necessary), all subject to applicable personal data protection regulations and other relevant policies and guidelines of the Company.

You also have a right, in certain circumstances, to require us to stop processing your personal data or to request to change the method of office access registration. However, we will not be able to process this request if we have a legitimate ground for continuing to process your personal data. When you have provided consent to our use of your personal data, you have the right to withdraw your consent without this effecting the lawfulness of our use of this data before your withdrawal.

In case the staff wants to fulfil the above requests or data breach report, please contact us via hotline 19001845 or privacyvn@heineken.com for further support.

10. The Notice Validity

This Notice is made in Vietnamese and English version. In case where there is a discrepancy in the meaning between Vietnamese and English, Vietnamese shall be the decisive language.

This Notice will be effective from July 01^st, 2023. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent.

------------------------------------------------------------------

Please read the Notice and give us your consent as follows:

• Agreed the Company to process my Fingerprint data for HVN access control.
• Agreed the Company to process my Face ID data for HVN access control.
• Disagreed the Company to process my Fingerprint/Face ID data and selected the alternative option that HVN process the scanning card for HVN access control.

Please read the Notice and give us your consent as follows:

• Agreed the Company to process my images for the surveillance camera system at any Workplaces of HVN
• Disagreed the Company to process my images for the surveillance camera system at any Workplaces of HVN

 

NOTICE ON PERSONAL DATA PROTECTION TERMS FOR SURVEILLANCE CAMERA SYSTEM

HEINEKEN Vietnam Brewery Company Limited, its affiliates, branches & representative offices (“HVN” or “We” or “Company” or “Data Controller & Processor”) is responsible for processing your personal data. HVN has issued a “personal data protection policy for surveillance camera systems”. This notice provides information on the purpose and types of data collected from surveillance camera systems (referred to as “data”), how the data is used and secured, clarifying privacy rights at workplace and contact information in case of need.

This notice complies with applicable laws and HVN's internal policy on protection of personal data. This Notice will be announced at the gates and areas before entering the monitored area. All employees, contractors, and contractors’ employees, third parties and visitors (collectively referred to as “you”) who agree to enter the breweries are deemed to have agreed to this notice. New employees need to be informed before starting their work at the breweries.

1. Definition

Employees are not limited to relationships based on employment contracts. “Employee” in this policy refers to all instances of an employment relationship in the broadest sense for HEINEKEN Vietnam, regardless of whether or not the relationship is based on a formal employment contract (Including: full-time employees, seasonal employees, third-party employees, etc.).

Contractors and visitors include: government officials, consultants, contractor employees, suppliers, freelancers, volunteers, representatives of external organizations, and other individuals come to visit and work at the breweries.

Surveillance camera system is the use of a camera system located at specified locations to record visual images of activities in the breweries area to ensure safety, security, and food safety regulations. Visual surveillance does not include audio recording.

2. Legal basis:

We only process your personal data if there is one of the following legal bases:

• Legitimate interests
  Where we have a legitimate business interest. We will always do so only within the limits of the data protection laws applicable to the processing or your personal data.

• Jury duty
  Where we believe it is necessary to use your information to comply with a legal obligation to which we are subject. For example, if we are required or directed to use camera surveillance in certain premises by applicable law or by license, franchise, administrative consent that we are required in order to operate business action.

• Consensus
  Or with your consent. We will always notify you and request your consent if we need to do so based on data protection laws & regulations applicable to the processing of your data.

3. Types of processed personal data

We process visual data based on which we can identify you based on your appearance or other specific factors when you enter a monitored space. In other words: we process your camera footage if you work at our sites or enter our sites where camera surveillance is active. Normally, we have audio recordings turned off.

4. Purpose:

We use surveillance cameras for the following purposes:

• Protect breweries’ property from damage, vandalism and other crimes;
• Support day-to-day management, including ensuring the health of employees, complying with the commitment to protect the safety of employees and stakeholders;
• Support internal investigations of security & safety and product quality when necessary;
• Assist law enforcement agencies in the prevention, detection and prosecution of crime;
• Assist in the effective resolution of disputes arising in the proceedings and discipline;
• Assist in defense , providing evidence for any civil action, including court proceedings.

5. Scope of application

Object: All HVN employees, contractors’ employees, third parties’ employees, and visitors.

Area: All areas that we are in charge of monitoring the surveillance system, including internal aisles, corridors, offices, production areas, warehouses, yards, canteens, etc. (Except for areas where legitimate privacy is required, such as: toilets, changing rooms).

Monitoring time: 24/7

6. Data handling measures

We strive to minimize the impact of using camera surveillance on your privacy as much as possible. The measures we have taken to achieve this include :

• Where cameras are located at our locations, we will ensure that signs are displayed at the entrance of the surveillance area to warn you that your images may be captured. Such signs will contain our contact details, the intended use of the surveillance system and who to contact for more information.
• When using a video surveillance device, the device will be clearly displayed and there will be a message indicating its presence.
• The monitoring system will not use the audio capture system.
• The data recorded by the monitoring system are automatically deleted after 180 days for food safety points and 30 days for the remaining areas. This is for disciplinary investigations, complaints and quality investigations. Recorded images can only be viewed by individuals or at designated offices.
• We will ensure that live camera feeds and recorded images are only viewed by approved personnel with access to that data. This may include certain employees involved in disciplinary investigations or grievance matters. Recorded images will only be viewed in designated secure offices.
• Employees using the monitoring system have been trained to ensure they understand and comply with the legal requirements regarding data processing.
• No surveillance cameras shall be placed in areas where there is a legitimate and objective expectation of privacy (e.g. in changing rooms or restrooms).

7. Data storage time:

The data recorded by the monitoring system are automatically deleted after 180 days for areas where surveillance cameras are installed for the purpose of ensuring food safety and 30 days for the remaining areas. This is for disciplinary investigations, complaints and products quality investigations. Recorded images can only be viewed by individuals or at designated offices.

At the end of the use period, all images stored in any format will be deleted permanently and in a secure manner. Any material used to store data such as tapes or discs will be disposed of as confidential waste. Any still images and hard copies will be disposed of as confidential waste.

The startg time is the time of first recording in the area with surveillance cameras and the end time is the time of data deletion according to the time limit mentioned above.

8. Individual rights risk assessment 

Before introducing any new surveillance system, including placing a new camera anywhere in the workplace, we will carefully review current data protection laws and implement data privacy impact assessment where appropriate. Such an assessment is intended to assist us in deciding whether new surveillance cameras are necessary and whether they should be used or whether any limitations should be set on their use. We will look at the nature of the problem we are looking to solve at the time and whether surveillance cameras are likely to be an effective solution, or whether there is a better solution. We will look at the effects of surveillance cameras on individuals and to carefully consider the appropriateness of using it to the problem identified.

We will ensure that existing uses of continuous camera surveillance are reviewed regularly, and in the event of any changes, to ensure that their use remains necessary and appropriate, and that any monitoring system is continuing to address the needs that underlie its use. 

9. Data sharing 

Data from surveillance camera can be shared with and transferred to the following: 

• The HEINEKEN group: We are members of HEINEKEN Global. We may share your information within the HEINEKEN group (www.heinekencompany.com ) if it is necessary to achieve the purpose for which we have collected your data. Within HEINEKEN, we can at least share camera material with Proseco BV. Proseco is HEINEKEN's own (internal) global security organization and service provider that provides expert security services and support for HEINEKEN operating companies.
• The organizations and service providers we are working with: With the large amount of data generated by the monitoring system, we can store it using the cloud system. We will take all reasonable steps to ensure any cloud service provider maintains information security in accordance with standards, regulations set by the applicable laws on data privacy protection.
• Our professional advisors;
• Any law enforcement agency, court, regulatory agency, government agency or third party we believe is necessary to comply with a legal obligation or to protect our legal rights and any third parties.

10. Oversea data transfer

Your personal data may be transferred to another country. For example, if your data is being stored in a data center outside your country, if we can remotely access your data from abroad or one of our IT providers provide on-site support and maintenance services from outside your country. The countries to which we transfer personal data may have different privacy standards than your country. We will always comply with applicable personal data protection regulatory requirements in your country with respect to data transfers abroad.

If we transfer your personal data to a country that does not provide an adequate level of protection, we will ensure that we put appropriate safeguards in place to protect your personal data or ensure that we are able to transfer your information in compliance with applicable personal data protection regulations.

11. Data security 

We will take appropriate technical, physical, and organizational measures to protect your personal information collected through the surveillance camera system from misuse or accidental, illegal destruction, lost, alteration, disclosure, acquisition or access, in accordance with applicable privacy and data security laws and practices on data privacy protection. 

When we contract with any service provider, we require the service providers to use appropriate measures to protect the confidentiality and security of your personal data.

12. Undesirable consequences and damage that may occur 

In case of a personal data breach, we have taken and will take internal measures to ensure that such incidents are identified and addressed without undue delay. We take effort to prevent breaches of your personal data, as these can have an effect on your legal rights and interests, such as discrimination; damage to reputation; financial loss; or loss of confidentiality or any other significant economic or social disadvantage. 

13. Your rights and obligations: 

13.1. Rights: 

You have certain rights regarding your personal information. We rely on your consent to process your data, you can withdraw your consent at any time and you can object to some of the ways we use your personal data. You can make inquiries to us using the details below at any time:

• To access your personal information (i.e. get an overview of your personal data that we process).
• To have your personal information corrected, updated, corrected or deleted or to limit the processing of your personal information.
• To receive a copy of your personal information in a normal machine-readable format, or to have this information transmitted directly to another organization (if technically possible).
• Complain to the local privacy authority.

We reserve the right to obscure, pixelate or blur third-party images when disclosing camera surveillance data to you as part of your request to access or receive data.

To efficiently locate the relevant footage and respond to your request as soon as possible, any request for copies of the best recorded images should include:

• Clear time information;
• The location where the footage was recorded;
• Personal information (When necessary).

To ensure that we do not provide information about you to others, we may request your identification before we can process your request.

13.2. Obligations: 

You have all obligations under provisions of the applicable law & regulations on protection of personal data.

14. Contact Info

If you have any questions about how we process personal data or if you would like to exercise your rights regarding the personal data we process, please contact us via our hotline 19001845 or email to privacyvn@heineken.com.

15. Effect of the Notice

This notice is made in two languages: Vietnamese and English. In case there is a difference in meanings between the Vietnamese and English versions, the Vietnamese version will prevail.

This Notice will be applied from July 1st, 2023. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent. 

 

PRIVACY NOTICE FOR SUPPLIERS

This privacy notice applies from 01 July 2023 for HEINEKEN Vietnam Brewery Limited (“HVN/we”)’s suppliers and service providers. Applicable subjects are (i) natural persons, and (ii) the representatives or contact persons of our suppliers and service providers who are legal entities. You are receiving this Privacy Notice because HVN is processing information about you (“Personal Data”) as the controller and/or processor. Please read this Privacy Notice carefully because it sets out in which context we are processing your personal data and explains your rights and our obligations when doing so. 

We respect your privacy and we are committed to secure your Personal Data and manage it under our legal responsibilities under applicable personal data protection regulations (including the Decree 13/2023/ND-CP on Personal Data Protection).

1. What personal data we process and our processing method 

We may collect certain types of your personal data as follows:

• Your general and identification information (i.e. name, date and place of birth, nationality, ID card or passport numbers, email and/or postal address, fixed and/or mobile phone number); 
• Your function (i.e. title, position and name of company); 
• For natural persons acting as suppliers or service providers, financial information (i.e. bank account details);  

This data may either be directly provided by you or provided by our supplier or service provider.

If you intend to provide us with personal data about other individuals, you must provide a copy of this Privacy Notice to the relevant individuals, directly or through your employer. 

The processing of Personal Data may be carried out by us in an automated or non-automated manner, by electronic means or by manual means or in any other manner that we consider appropriate. 

2. Purposes for which we process your Personal data

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In specific, we process your personal data for the following purposes: 

• To manage our suppliers and service providers;
• To organise tender-offers, implement tasks in preparation of or to perform existing contracts;
• To monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place; 
• To grant you access to our training modules allowing you to provide us with certain services; 
• To manage our IT resources, including infrastructure management and business continuity; 
• To defend and exercise our legal rights, and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct of fraud, conducting audits and defending litigation); 
• To archive (including local storage and/or on cloud computing services with servers located outside of Vietnam) and keep record; 
• For Billing and invoicing; 
• Any other purposes imposed by law and authorities

3. Starting and ending time of processing your Personal data

The personal data processing period begins when you provide personal data to us and lasts until the Personal Data is deleted or destroyed in accordance with the provisions of law and/or regulations and our decisions from time to time. We will take reasonable steps to destroy or de-identify the Personal Data we hold if it is no longer required for the purposes set out above or after the expiration of the specified retention period.

4. How we share your personal data

Your personal data can be accessed by or transferred to the following categories of recipients on a need-to-know basis to achieve the above listed purposes. Third parties may be:

• Our personnel (including personnel, departments or other companies of the HEINEKEN group);
• Our independent agents (if any); 
• Our IT systems providers, cloud service providers, database providers and consultants; 
• In case we sell all or some of the assets or shares of a HEINEKEN group company to which Personal Data was transferred to a third party, your Personal data may be provided to this third party; 
• Any national and/or international law enforcement bodies (regulatory authorities, public bodies and judicial bodies) in order to comply with any legal obligation or court order.

These parties may be located in Vietnam, the European Union or other countries in the European Economic Area (“EEA”) or elsewhere in the world. If we transfer your personal data to companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the data privacy laws applicable HVN and (ii) acting in accordance with our policies and standards. 

5. Ensure the security of Personal data

We will take appropriate technical and organizational measures to protect your Personal Data. The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing. 

We also limit access to your Personal Data to those employees, agents, contractors and other third parties on a need-to-know basis to perform the job and these third parties must be responsible for confidentiality.

6. Your options and rights

You have the right to give and withdraw consent to the processing of your Personal data, to access and erase your Personal data, to request restriction of processing of your Personal data, to obtain your Personal data, to file a complaint, denunciations and lawsuits as well as claims for damages, and other rights according to applicable laws on personal data protection.

7. Undesirable consequences and damage that may occur

In case of a personal data breach, we have taken internal measures to ensure that such incidents are identified and addressed without delay. We take effort to prevent breaches of your personal data, as these can have an effect on your legal rights and interests, such as discrimination; damage to reputation; financial loss; or loss of confidentiality or any other significant economic or social disadvantage. 

8. Update

We will review and update this Privacy Notice from time to time. Any changes to this Privacy Notice will be notified to you through a notice via our usual communication channels (i.e. by email).

9. Contact

If you wish to exercise any of the rights listed above, and/or report any privacy breaches, or have any questions or comments about this Notice and our privacy practices, you can contact us at privacyvn@heineken.com or send us a letter to Floor 18 & 19, Vietcombank Building, No. 5 Me Linh Square, Ben Ward Nghe, District 1, City. Ho Chi Minh. Please note that we may require proof of identity.

HEINEKEN VIETNAM DATA SUBJECT RIGHTS POLICY (“DSR Policy”)

1. Introduction

1.1. This Data Subject Rights Policy (“DSR Policy” or “Policy”) specifies how HEINEKEN Vietnam (“HVN”) handle requests of employees and other data subjects exercising their rights under the HEINEKEN Privacy Procedure for Employee Data and HEINEKEN Privacy Procedure for Customers, Suppliers and Business Partners Data (the “Privacy Procedures”) and applicable law, including Decree 13/2023/ND-CP on Personal Data Protection. This DSR Policy includes obligations for HVN to give effect to the rights of data subjects. “Data subjects” are the natural persons whose personal data is subject of the request, e.g. a HVN employee, former employee, job applicant, consumer, individual supplier or business partner or contact person with a business customer or supplier.

1.2. The DSR Policy covers the following rights of data subjects: the right to be informed, the right to give and to withdraw consent, the right to access/rectify and to delete personal data, the right to obtain restriction on and to object to processing, the right to file complaints, denunciations and lawsuits, to claim damage and to self-protection and/or the right of personal data portability. A more detailed description of these rights of data subjects and the criteria for when to accommodate and to what extent can be found in Schedule 3 to this DSR Policy.

1.3. “Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual (‘data subject’). The personal data includes general personal data and sensitive personal data.

2. Content of the DSR Policy and obligations of HVN 

2.1. HVN will be required to ensure overall timely and appropriate response to a request of a data subject to exercise his/her rights under the Privacy Procedures. 

2.2. HVN will ensure that data subjects are adequately informed about where and how to submit requests to exercise any of the rights within the scope of this DSR Policy. Information may be provided by way of a specific option on the website, or through a dedicated e-mail address for the data subject rights requests, or for employees through a dedicated contact point within the local or global HR department. In any event, privacy statements and notices shall include a reference to the relevant contact point for submitting requests.

2.3. This DSR Policy describes which steps to take in case of a request of a data subject to exercise any of his rights and the roles and responsibilities of those involved in handling the request (Schedule 1. includes a flowchart reflecting the steps and roles involved), the criteria for deciding whether it is a valid request and the criteria for verification of identity (Schedule 2) and any exceptions that may apply to or limitations that are relevant when accommodating any such request (Schedule 3).  

3. Roles & Responsibilities for HVN

3.1. The “First Point of Contact” is the dedicated HVN contact point which may include a specific email or other address as indicated in the privacy notices, on the HVN website or intranet or otherwise made known to data subjects, to be contacted by the data subjects in order to submit relevant requests. This is (1) email privacyvn@heineken.com, or (2) hotline 19001845, or (3) IT Helpdesk 

3.2. The ‘Privacy Officer’ is the HVN Privacy Officer who will be in charged of the following responsibility.

3.3. The ‘Local Privacy Team’ is the Personal Data Protection team appointed by HVN MT to ensure compliance with HeiRule Data Privacy, HeiRule Information Security & applicable laws & regulations on personal data protection.

3.4. The ‘contact person’ is the relevant role within HVN which may have been identified to the data subjects (in this case: employees, former employees, retired employees or job applicants) as the contact point for submitting data subject rights requests. 
 
3.5. The ‘Request Handler’ is the relevant HVN role within the Information Security / D&T of HVN who has access to the IT systems that may contain information that is within the scope of the request of the data subject. 
 
3.6. The ‘Global Privacy Officer’ will be consulted in case the Privacy Officer has questions about a specific request and shall be the point of contact for escalation and in case of complaints by data subjects about the handling of their requests.
 
3.7. Roles & responsibilities of HVN Local Privacy Team to handle the data subject right requests shall be depended on how requestors submit their requests.

• Via email privacyvn@heineken.com: 

Role	Responsibility
Privacy Officer	Received requests from data subjects through First Point of Contact together with other members of Local Privacy Team; Ensure follow-up and adequate response; Follow up incoming requests by asking the data subject for further specification of the request and for proof of identity;  Verify the validity of the request and the identity of the data subject as the requestor;  Reject requests for which the identity of the data subject cannot be properly verified or unclear; Contact the Request handler; Oversee that the search for content is handled adequately and advise on which exceptions may be applicable in the data collection process
Local Security Coordinator – Request Handler	When being contacted by the Privacy Officer, collect the relevant information in respect of the data subject’s request and provide assistance by identifying data sources that may be relevant to search for further information
Privacy Champion – Functional Contact Person	Respond and deliver the feedback timely, accurately, adequately and securely to the data subject regarding the request Provide further assistance to the Privacy Officer and Request Handler as required

Via hotline 19001945: 

Role	Responsibility
Privacy Officer	Ensure follow-up and adequate response; Verify the validity of the request and the identity of the data subject as the requestor (if needed); Reject requests for which the identity of the data subject cannot be properly verified or unclear;   Contact the request handler who shall collect the relevant information in respect of the data subject’s request and provide assistance by identifying data sources that may be relevant to search for further information; Oversee that the search for content is handled adequately and advise on which exceptions may be applicable in the data collection process
Local Security Coordinator – Request Handler	When being contacted by the Privacy Officer, collect the relevant information in respect of the data subject’s request and provide assistance by identifying data sources that may be relevant to search for further information
Privacy Champion – Functional Contact Person	Received requests from data subjects through First Point of Contact  Follow up incoming requests by asking the data subject for further specification of the request and for proof of identity Contact the Privacy Officer for verification of the validity of the request (if needed)  Respond and deliver the feedback timely, accurately, adequately and securely to the data subject regarding the request Provide further assistance to the Privacy Officer and Request Handler as required for handling the request

Via IT helpdesk:

Role	Responsibility
Privacy Officer	Verify the validity of the request and the identity of the data subject as the requestor (if needed) Reject requests for which the identity of the data subject cannot be properly verified or unclear   Oversee that the search for content is handled adequately and advise on which exceptions may be applicable in the data collection process;
Local Security Coordinator – Request Handler	Received requests from data subjects through First Point of Contact Ensure follow-up and adequate response Follow up incoming requests by asking the data subject for further specification of the request and for proof of identity Contact the Privacy Officer for verification of the validity of the request (if needed) Respond timely, accurately, adequately and securely to the data subject regarding the request.
Privacy Champion – Functional Contact Person	Provide further assistance to the Privacy Officer and Request Handler as required for handling the request

4. Timing

HVN shall provide a response within 72 hours upon receipt of the request.

4.1. In view of the limited response time of 72 hours, each of the individual steps in this Policy shall be taken without undue delay. Handling the actual request may take time because personal data is divided over several (external) systems and/or throughout different departments within HVN.
 
4.2. In case of more complex data subject rights requests, HVN may extend the response time of 72 hours with a maximum of one more calendar month, which information must be communicated to the data subjects within the 72 hour period, including an explanation of the reasons for the delay.
 
4.3. If data subjects refuse to inform HVN of the reason for making their request or refuse to provide any further specification of their request or (where applicable) have not paid the fee for fulfilling the request, HVN shall be required to process the request nonetheless, unless a) the identity of the data subject has not been properly verified or b) it is not clear what the request is for (see Schedule 2) or c) the request is manifestly unfounded or excessive. 

5. Identification of the data subject

5.1. HVN needs to verify the identity of each data subject to ensure that the correct action is performed on the correct personal data. Schedule 2 includes the criteria for verifying the identity of the data subjects submitting the request. The Privacy Officer will perform the verification of the identity of the data subjects submitting a request in accordance with Schedule 2.
 
5.2. HVN shall not be required to verify the identity of data subjects whose requests are limited to the right to object to the use of their personal data for direct marketing purposes. This is in fact the data subject using the opt-out or unsubscribe for the relevant communication (e.g. newsletter or alerts). For these data subject rights requests no verification of identity shall be needed as the risk of unsubscribing the wrong person is limited. Also, data subjects must be able to execute their right to opt-out / unsubscribe in an easy manner.  
 
5.3. Where the data subject does not provide the required identification, HVN will refuse the request as further described in the process flow (Schedule 1) and in Schedule 2. 

6. Costs (if any), form of request and response 

6.1. In principle, HVN will give effect to all rights free of charge. HVN will charge a reasonable fee for or refuse to act upon manifestly unfounded or excessive (repetitive) requests of all rights to which this Policy applies.  HVN shall inform the data subject of such costs beforehand, in order to give the data subject the option to withdraw her/his request if she/he finds the costs unacceptable.

6.2. HVN will respond in the language in which the data subject has written the relevant request, except where HVN prefers to respond in another language that HVN is confident the data subject will understand and which is generally accepted in the relevant country. HEINEKEN will aim to receive and respond to data subject rights request in written electronic form, using the templates as provided in this Policy. HEINEKEN will respond to the request via post or fax only when the data subject explicitly indicates that he/she wishes to communicate via post or fax. 
 
6.3. Where the information to be provided to a data subject pursuant to the data subject’s request includes personal data of other data subjects and/or HVN confidential information, HVN will black out such information before disclosing the relevant document to the requesting data subject. 
 
6.4. In case of requests for access or data portability, where HVN will need to send personal data to the data subject, the data subject shall be given the option to indicate if he/she wishes to receive the personal data via a secure communication method. HVN shall ensure to only use the requested secure communication method, to the extent reasonably (technically) possible. 

6.5. Under specific circumstances at issue, HVN may deny or refuse requests of data subjects as further specified in Schedule 3, including in case of an ‘overriding interest’, a pressing need for HEINEKEN may exist that outweighs the interest of the data subject. 

7. Managing and storing each request  

7.1. The Privacy Officer is responsible for maintaining a repository of each data subject rights request and all communication exchanged per request, including the verification of identity and the response to confirm that the request has been processed, including the name of the data subjects that have submitted the requests. 

7.2. The Privacy Officer ensures that the repository is accurate and up-to-date and that a retention term is specified during which the requests and all communication exchanged shall be retained. 

 

SCHEDULE 1 WORK FLOW 

DATA PRIVACY RIGHTS REQUEST FORM FOR DATA SUBJECT:  

*You need to correctly provide this information in order for the request to be valid and enable HVN to respond within the required timeframe  

1. Your Information:
   
   • Full name *
   • Phone number *
   • Email *
   • Function (if the data subject is a HVN’s employee) 
2. Your role*: You are a: (i) employee, (ii) consumer, (iii) customer, (iv) supplier, (v) business partner, (vi) other (please specify) 
3. Consent: If you provided us the consent to process your personal data in the past:
   • When did you give us consent: 
   • How did you give us consent (i.e via one of our applications/systems, in writing,…): 
   • Where did you give us consent (i.e at our offline events;…) 
   • For what personal data*: (i.e your name, date of birth, ID number, address,….) 
   • For what purposes*: 
4. Content: What is your request: …………………………………………………………………………………………………………………………………..
5. Identity proof: Attached proof of your identity (i.e. ID card, passport, employee number, ….) 
6. Feedback method: How do you want us to get back to you (i.e email, phone, post): 

Example flow of a data subject request via email privacyvn@heineken.com

SCHEDULE 2 VERIFICATION OF IDENTITY AND ASSESSING REQUESTS

This Schedule includes the process and criteria for verification of the identity of the data subject and for assessing if the request is sufficiently specific, and if the request is not manifestly unfounded or excessive. 

Subject	Verification: reason to reject	Action
Verification of identity by: copy of passport or other identification document.	copy is not clear, does not enable reading the name of data subject; the document is no longer valid, has expired.	Rejection
Optional re-identify check of employees: employees with access to their HVN e-mail address, should send their request via that e-mail address (sufficient proof of identity).      Verification of identity for job applicants, former employees, consultants, temporary workers and other external individuals that do not have a HVN e-mail address: -copy of passport or other identification document.	For employees: not repeating their request via their HVN e-mail address or  alternatively, via verification methods described under 1.       For all external individuals without HVN e-mail address: copy is not clear, does not enable reading the name of data subject; the document is no longer valid, has expired.	Rejection
Request is not sufficiently specified	it is unclear what the data subject is asking for (which type of request) and the data subject has not further specified upon HVN’s request.	Rejection
Request is manifestly unfounded or excessive	same data subject has submitted a request recently, without any reasonable indication that relevant changes in the personal data processing relation to the data subject may have taken place; same data subject has submitted several requests in the past one year; the request violates rights of other data subjects.	Forward to Privacy Officer. Privacy Officer to decide on rejection.

SCHEDULE 3 DATA SUBJECT RIGHTS

This DSR Policy covers the following rights of data subjects: the right to be informed, the right to give and to withdraw consent, the right to access and to delete personal data, the right to obtain restriction on and to object to processing, the right to file complaints, denunciations and lawsuits, to claim damage and to self-protection. A more detailed description of these rights of data subjects and the criteria for when to accommodate and to what extent can be found below: 

1. Right to be informed: The data subject has the right to be informed of his/her personal data processing, unless otherwise provided for by law. 

2. Right to give consent: The data subject has the right to give consent to the processing of his/her personal data, other than cases specified in Article 17 of Decree 13/2023/ND-CP on Protection of Personal Data. 

3. Right to access personal data: The data subject has the right to access his/her personal data in order to look at, rectify or request rectification of his/her personal data, unless otherwise provided for by law. 

4. Right to withdraw consent: The data subject has the right to withdraw his/her consent, unless otherwise provided for by law. 

5. Right to delete personal data: The data subject has the right to delete or request deletion of his/her personal data, unless otherwise provided for by law. 

6. Right to obtain restriction on processing: a) The data subject has the right to obtain restriction on the processing of his/her personal data, unless otherwise provided for by law; b) The restriction on the processing of personal data shall be implemented within 72 hours after receiving request of the data subject, and all personal data that the data subject requests the restriction, unless otherwise provided for by law. 

7. Right to obtain personal data: The data subject has the right to request the Personal Data Controller and the Personal Data Controller-cum-Processor to provide him/her with his/her personal data, unless otherwise provided for by law. 

8. Right to object to processing: a) The data subject has the right to object to the Personal Data Controller and the Personal Data Controller-cum-Processor processing his/her personal data in order to prevent or restrict the disclosure of personal data or the use of personal data for advertising and marketing purposes, unless otherwise provided for by law; b) The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the data subject’s request within 72 hours after receiving the request, unless otherwise provided for by law. 

9. Right to file complaints, denunciations and lawsuits: The data subject has the right to file complaints, denunciations and lawsuits as prescribed by law. 

10. Right to claim damage: The data subject has the right to claim damage as prescribed by law when there are violations against regulations on protection of his/her personal data, unless otherwise agreed by parties or unless otherwise prescribed by law.

11. Right to self-protection: The data subject has the right to self-protection according to regulations in the Civil Code, other relevant laws and the Decree 13/2013/ND-CP, or request competent agencies and organizations to implement civil right protection methods according to regulations in Article 11 of the Civil Code.

12. Right to data portability: The data subject has the right (at his option) to receive a copy of the personal data that it has provided in a common machine-readable format.

 

NOTICE OF EMPLOYEE PERSONAL DATA PROTECTION TERMS 

Pursuant to current laws on personal data protection (“legal regulations”), HEINEKEN Vietnam Brewery Company Limited issues Notice of terms & conditions on employee personal data protection (“Notice”). 

Effective from July 1, 2023

HEINEKEN Vietnam Brewery Company Limited (hereinafter “We”, “Us”, “HEINEKEN” or “Company”) commits to protect the personal information of all employees. “EMPLOYEES” means all current or former employees of us (“You” or “Employee”).

In Part I of this Notice, we will describe how your personal data is collected, managed and used in the SuccessFactors system (MyHR), and other systems (e.g. salary, allowances and bonus management system (HRIS), Telematic Driver, CCTV, health records...).

In Part II, we will explain how to manage the data of unofficial employees, for example: temporary employees, consultants, contractors, interns, etc. (generally called as “Outsourced Employees”), when their information is also included in the SuccessFactors system and other systems/processes implemented, applied and adjusted by the Company from time to time (Including but not limited to systems such as Telematic Driver, CCTV, health record management, office access efficiency control equipment).

In Part III, we will describe how the personal data of your emergency contact or relative is collected and used for limited purposes and in connection with the performance of the employment contract, while this information is also processed on the SuccessFactors system and other systems (For example, compensation management HRIS system).

In general, SuccessFactors - MyHR is the general management system of the global HEINEKEN corporation, to help the corporation can operate consistently and manage a large amount of data of all employees across countries. The data is managed by subsidiaries or branches (generally called as Opco) will be uploaded to this system. Because it is a global system, data processed on this system will be transferred outside of Vietnam. Besides, the Company uses the local system (HRIS) to calculate salaries and bonuses for all employees that managed by the Company. Therefore, data related to salaries, bonuses and benefits, including data of relevant dependents according to labour laws, tax laws and other relevant regulations, will be copied to this system. However, this is the local system of HEINEKEN Vietnam Brewery Co., Ltd., so all of the above data will not be transferred outside the territory of Vietnam. Finally, for internal management, labour safety, employee health and working environment of HEINEKEN, the Company will collect the locations of the subjects listed in this Notice through the location service, images monitored by CCTV, employee health status... These data will also be processed by the Company and will not be shared with third parties or outside the territory of Vietnam, except cases permitted by law.

Over time, these systems may be replaced, supplemented, removed... as the Company's decision. When there are any changes, we will promptly notify you.

This Privacy Notice was issued on 15 January 2019, amended and supplemented on 01 July 2023 and may be updated from time to time, as HEINEKEN employees, outsourced employees and their emergency contact or relatives will be notified.

 

PART I: EMPLOYEE PERSONAL DATA

For what purposes will we use your personal data?

During your employment with the Company, the Company collects a large amount of personal data, business relationship data as well as your emergency contact or relatives. SuccessFactors will enable us to perform Human resources transactions in an efficient and user-friendly manner. To do this, the Company needs to store your personal data (details of which will be listed in this Notice) in SuccessFactors. In addition, a copy of employee information will be transmitted to the compensation management system (HRIS); other systems/processes are deployed, applied and adjusted by the Company from time to time (including but not limited to systems such as Telematic Driver, CCTV, health record management, office access efficiency control equipment) will also process some limited information in accordance with legal regulations.

The Company will use this information for the purpose of managing your employment relationship with the Company. This includes aspects such as processing and accessing working history, leave management, payments, tax matters, insurance, wages and benefits, business travel and costs, processing personal data to implement internal operational and management processes (such as work schedules, timekeeping, providing for central data processing for efficiency purposes, internal audit and control, review and monitoring of compliance with internal processes and in the context of dispute resolution), organizational analysis and development, management reporting; merger management, acquisitions and divestments; for facilitating and managing labour information (e.g. number of employees, job positions,...); talent management and career opportunities (including succession planning), performance assessment, training (including video recording and photography in training programs for the purpose of communication, statistics, course monitoring, and other purposes for recording and taking photos in accordance with current legal regulations); protect the interests of HEINEKEN and its employees (e.g. screening and monitoring of employees, occupational health and safety, authentication of employee status and access and identity management, office access control to comply with current legal regulations).

What types of personal data are stored on the system?

The following categories of personal data will be stored on the system:

1. Personal information: Information related to individual, contact information such as name, gender, marital status, nationality, employee number, date of birth, address information, phone number, email, qualifications, photo, emergency contact information, bank information, dependent information (name, date of birth, relationship, etc.), ID card information or/and Public Identification Card, information related to Visa/Work Permit and social security numbers, personal images are monitored via the Company's CCTV system;
2. Details of Department/Job title: Company name, department, work location, job title, job grade, contract status & type (full-time/part-time), start date and end date of labour contract;
3. Salary and benefits: Payments, regularity of payments, salary, payment currency, non-recurring payments, talent management and performance appraisal (PA) information, such as your PA results, development programs, succession planning data, degrees and certificates, online training, PA assessment and development and information to use for adding to employee’s working history, plans;
4. Data access system and application: Information required to access to the Company's systems and applications such as email addresses, employee code, user identification numbers of other systems and applications;
5. Office access efficiency control equipment: Facial or fingerprint recognition data or information to be issued an office access card (as employee’s agreement).

Does the system contain sensitive personal data?

Sensitive personal data is processed to eliminate or minimize possible inequalities or to ensure diversity of the Company culture from different ethnic/national groups. Besides that, some sensitive data to ensure employee welfare such as: diversity in diet, banquets, annual leaves, etc. in accordance with the customs, practices and culture of different ethnic/national/religious groups as prescribed by law; special treatment for individuals with biological characteristics that require separate remuneration regimes; payment of salaries and bonuses; internal management and supervision; health consulting and assurance; other regimes to avoid discrimination due to the differences of cultural, national/ethnic/religious, unique characteristics... according to appropriate practices and relevant applicable legal regulations. Sensitive employee information handled by the Company includes:

- Religion (optional): The Company will only collect employees' religion when they provide it, to ensure the environment, programs, events, regimes and policies are suitable for each faith community;

- Health condition: The Company only collects health information as required by law on employee’s health safety and may use this information for the purpose of advising employee’s health;

- Ethnicity (optional): to meet labour law regulations, eliminate or minimize possible inequalities related to different ethnic groups;

- Individual biological characteristic: due to the request to provide ID image to compare with the information provided by the employee, the Company may collect information on that ID image, including individual biological characteristic of each employee;

- Bank account information: to pay salaries, bonuses and other benefits to employees;

- Data about the individual's location through location services: when the employee/outsourced employee plays the role of driver/transporter/other tasks assigned to use the vehicle according to the labor contract, whose vehicle is equipped with the Company's positioning device; and other employees using vehicles equipped with the Company's positioning devices will have to share their travel itinerary. These data are only processed when the above data subjects have read and agreed to the Company's Telematic Driver application usage statement;

- Biometric data: to manage/control office access effectively, including facial recognition or fingerprint data;

- Other personal data classified by law as special and requiring necessary security measures;

The employee’s data information that we collect and proceed will be adequate, relevant and limited to specific purposes only. Employee’s information should be as accurate as possible and should comply with applicable laws on personal data protection. 

Who can access your personal data?

Access to your personal data is granted only when it is necessary for the intended purposes and for the related employees to perform their work. Opco/regional/global managers, Opco & global Human Resources Department (including the support staffs for SuccessFactors (MyHR) system and global Human Resources Capacity Development Managers) related to system support, implementation of Opco/global HR processes, such as global mobility and premium benefits services, personal development services, talent management and planning, reporting and succession management, access to your personal data on system, but only for the purposes referenced in this Notice. By completing your Career Profile (e.g. career aspirations, working relocation), you express your expectation to be considered for other positions of HEINEKEN, within or outside your Opco. Your Career Profile is visible to your Opco HR and global HR. Additionally, it is accessible to employees of other departments within the Company because of the global nature of HEINEKEN's operations, such as Legal, IT, Finance and Reporting and other department’s teams in head office can access, e.g. the Internal Control department. All access is restricted to specific and necessary information to the relevant roles of the department or division. This access may also be provided to the  relevant stakeholders in accordance with applicable legal regulations.

For other systems/processes that deployed, applied and adjusted by the Company over the time (including but not limited to systems such as HRIS compensation management system, Telematic Driver, CCTV, health management records, effective control office access equipment...), only the human resources department at Opco that you are under can access limited data, appropriate to their role to perform related work. This data is only accessed and processed within Vietnam’s territory and in compliance with current laws on labor, tax, health and related regulations. However, this access may also be provided to the  relevant stakeholders in accordance with applicable legal regulations.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

From time to time, we may need to provide personal data to third parties such as service providers (companies that provide products and services to us such as payroll, benefits and retirement management services providers, IT service providers, travel and tourism services, performance management, training, expense management or credit card companies, professionals medical/health and background investigations companies), professional consultants (such as accountants, controllers or lawyers), public authorities (authorized public authorities such as management agencies, law enforcement, public opinion and judicial agencies), Trade Union or in the context of corporate transactions (a third party related to any restructuring, merger or acquisition as actual or proposed). We will sign the agreements with service providers and professional consultants to ensure your right to protect your personal data.

Ensure personal data safety

The Company will take appropriate organizational, physical, and technical measures to protect personal data from misuse, change, incidental, or unauthorized destruction, in accordance with current regulations and laws on data privacy & security. 

Unwanted consequences and harm may occur

The Company commits to ensure the solutions of personal data security to be deployed and implemented and complied as much as possible. However, due to the processing activities of these data types are mainly carried out in the cyber environment, so it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur: 

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may get risks related to privacy life that may have impacts and other damages;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to get fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

Therefore, we consider employee’s personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also advise relevant people to be responsible for their personal data and the Company's general data: limit using other devices that are not provided by the company to create, access, edit, change data; If you use devices not provided by the company to create, access, edit, and change data, you must ensure the installation of support tools (anti-virus, management, etc.) to ensure the device is properly installed as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures and recommend all employees to fully participate in courses of information security awareness as recommended by the Company.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems, personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice. The Company will only retain personal data that is necessary for its relevant purposes to be used in the system or as legally required or recommended limits of applicable time. In general, employee personal data is securely deleted or disable from the system after 10 (ten) years or sooner depending on the system type, as from the relevant employee who terminates the employment relationship or after a statutory period from the time employee proactively requests data deletion or withdraws consent to data processing, except the cases that the Company must continue to process data to fulfill its obligations of the Company in accordance with applicable laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data of data subject on the system (the data is securely deleted or disable) according to the time described above.

Rights and obligations of employees

Employees have rights to access their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection.

Employees have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide adequate and accurate personal data when agreeing to personal data processing; and other obligations according to applicable laws and regulations on personal data protection.

Questions and complaints

You have the right to request individual rights of your personal data processed by or on behalf of the Company. You have the right to modify, delete or restrict your data (if appropriate), all subject to applicable personal data protection and other relevant laws, regulations and guidelines of HEINEKEN. In some cases, you also have the right to request the Company to stop processing your personal data base on the reasons relating to your particular situation, but this does not apply when the Company has the lawful right to process. In that case, we will continue to process your personal data. You have the right to receive an overview of the personal data that you have provided to the Company in a common computer format.

To perform your rights or report violations related to data security, please contact HVN's Personal Data Protection Team via email: privacyvn@heineken.com . Besides, we are also developing some features on MyHR system to help you perform the above activities more effectively. We will introduce new features over time and notify you as soon as possible. You also have the right to submit a complain application to the data protection government office as your local laws and regulations.

 

PART II: PERSONAL DATA OF OUTSOURCED EMPLOYEES

For what purposes will we use the personal data of outsourced employees?

SuccessFactors and other systems/processes deployed, applied and adjusted by the Company from time to time (including but not limited to systems such as Telematic Driver, CCTV, health record management, office access efficiency control equipment) may contain some personal data of outsourced employees. This personal data will be used for limited purposes such as: internal reporting when it is necessary to synthesize information of internal and external employees, internal communication purposes and in connection with facilitating and providing access to our systems.

What personal data of outsourced employees is stored on the system:

If there is any personal data of outsourced employees stored on the system, it can be the following types of information:

1. Personal information: information related to personal, contact and working information (name, gender, date of birth, phone number, email), license plate, personal image that is monitored through the Company's CCTV system;
2. Details about the department/job title: working department, working location, job title, job grade, date of employment;
3. Data access system and application: information required to get access to the Company's systems and applications such as email addresses, AD accounts, user IDs of other systems and applications;
4. Office access efficiency control equipment: facial or fingerprint recognition data or information to be issued an office access card.

Does the system contain sensitive personal data?

Sensitive personal data is processed to ensure compliance with labor laws and health advising for outsourced employees when necessary. Besides, to ensure the payment of salaries and benefits to outsourced employees, the Company will also collect information about their bank accounts. The use of this information must ensure objectivity, accuracy and compliance with the provisions of law. Sensitive employee information processed by the Company on the system includes:

- Health condition: the Company only collects health information as required by law on employee’s health safety and may use this information for the purpose of consult employee’s health;

 - Bank account information: to pay salaries, bonuses and other benefits to employees;

- Data about the individual's location through location services: when the employees/outsourced employees play the role of driver/transporter/other tasks assigned to use the vehicle according to the labor contract, whose vehicle is equipped with the Company's positioning device; and other employees using vehicles equipped with the Company's positioning devices will have to share their travel itinerary. These data are only processed when the above data subjects have read and agreed to the Company's Telematic Driver application usage statement;

- Biometric data: to manage/control office access effectively, including facial recognition or fingerprint data;

- Other personal data classified by law as special and requiring necessary security measures;

- The employee’s data information that we collect and proceed will be adequate, relevant and limited to specific purposes only. Employee’s Information should be as accurate as possible and should comply with current law on personal data protection. 

Who can access personal data of outsourced employees on the system?

Access to your personal data is granted only when it is necessary for the intended purposes and for the related employees to perform their work. Only Human Resources Outsourcing managers, Opco & global Human Resources related to system support, implementation and report to global HR have access to personal data of outsourced employees on the system, but only for the purposes referenced in this Notice. In addition, it is accessible to employees of other departments within the Company because of the global nature of HEINEKEN's operations, such as Legal, IT, Finance and Reporting and other department’s teams in head office can access, e.g. the Internal Control department. All access is restricted to specific and necessary information to the relevant roles of the department or division. This access may also be provided to the stakeholders in accordance with applicable legal regulations.

For other systems/processes that deployed, applied and adjusted by the Company over the time (including but not limited to systems such as HRIS compensation management system, Telematic Driver, CCTV, health management records, effective control office access equipment...), only the human resources department at Opco that you are under, can access limited data, appropriate to their role to perform related work. This data is only accessed and processed within Vietnam’s territory and in compliance with current laws on labour, tax, health and related regulations. However, this access may also be provided to the stakeholders in accordance with applicable legal regulations.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

From time to time, we may need to provide personal data to third parties such as service providers, professional consultants (such as accountants, controllers or lawyers), public authorities (authorized public authorities such as management agencies, law enforcement, public opinion and judicial agencies), or in the context of corporate transactions (a third party related to any restructuring, merger or acquisition as actual or proposed). We will sign the agreements with service providers and professional consultants to ensure your right to protect your personal data.

Ensure personal data safety

The Company will take appropriate organizational, physical, and technical measures to protect personal data from misuse, change, incidental, or unauthorized destruction, in accordance with current regulations and laws on data privacy & security.

Unwanted consequences and harm may occur

The Company commits to ensure the solutions of personal data security to be deployed and implemented and complied as much as possible. However, due to the processing activities of these data types are mainly carried out in the cyber environment, so it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur: 

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may get risks related to privacy life that may have impacts and other damages;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to get fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

Therefore, we consider employee’s personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall,etc.;

- In addition, the Company also advise relevant people to be responsible for their personal data and the Company's general data: limit using other devices that are not provided by the company to create, access, edit, change data; If you use devices not provided by the company to create, access, edit, and change data, you must ensure the installation of support tools (anti-virus, management, etc.) to ensure the device is properly installed as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures and recommend all employees to fully participate in courses of information security awareness as recommended by the Company.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems, personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice. The Company will only retain personal data that is necessary for its relevant purposes to be used in the system or as legally required or recommended limits of applicable time. In general, outsourced employee personal data is securely deleted or disable from the system after 10 (ten) years or sooner depending on the system type, as from the relevant employee who terminates the employment relationship or after a statutory period from the time employee proactively requests data deletion or withdraws consent to data processing, except the cases that the Company must continue to process data to fulfill its obligations of the Company in accordance with applicable laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data of data subject on the system (the data is securely deleted or disable) according to the time described above.

Rights and obligations of outsourced employees

Outsourced employees have rights access to their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection.

Outsourced employees have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide adequate and accurate personal data when agreeing to personal data processing; and other obligations according to applicable laws and regulations on personal data protection.

Questions and complaints

Outsourced employees have the right to request individual rights of their personal data processed by or on behalf of the Company. You have the right to modify, delete or restrict your data (if appropriate), all subject to applicable personal data protection and other relevant laws, regulations and guidelines of HEINEKEN. In some cases, you also have the right to request the Company to stop processing your personal data base on the reasons relating to your particular situation, but this does not apply when the Company has the lawful right to process. In that case, we will continue to process your personal data. You have the right to receive an overview of the personal data that you have provided to the Company in a common computer format.

To perform your rights or report violations related to data security, please contact HVN's Personal Data Protection Team via email: privacyvn@heineken.com . Besides, we are also developing some features on MyHR system to help you perform the above activities more effectively. We will introduce new features over time and notify you as soon as possible. You also have the right to submit a complain application to the data protection government office as your local laws and regulations.

 

PART III: INFORMATION OF INDIVIDUALS RELATED TO EMPLOYEES

1. DATA OF EMERGENCY CONTACTS

For what purposes will we use the personal data of emergency contacts?

To ensure the safety at the workplace and report emergency cases of employees during working hours or at the workplace, the Company may process information of emergency contacts, through employees related to these individuals, fill their information on MyHR system. According to that:

What personal data is processed on the system:

The emergency contact information processed by the Company includes: full name, phone number, relationship with the employees. This information is provided by employees' selection and is intended to serve their legitimate interests. Therefore, employees will manually fill in this information on MyHR system based on the consent of the emergency contacts.

By accepting the Company's data privacy notice, we will collect, store and communicate with emergency contacts when employees are in emergency situations within the scope of employment relations. Employees need to ensure the accuracy and integrity of the data they provide. Employee will also bear all responsibilities and risks arising from inaccuracies, dishonesty, failure to obtain consent from data subjects, or any other errors caused by the employees or emergency contacts. The Company will not be responsible for any errors that are not the Company's fault. 

Who can access personal data of emergency contact personon the system?

Access to your personal data is granted only when it is necessary to ensure labour safety in accordance with labour laws. Only individuals in the OpCo Human Resources Department who manage the employees, have access and use emergency contact information for the above purposes. In addition, for emergency purposes and legal or other issues arising, the Human Resources Department at that OpCo can share this information with relevant departments to resolve arising situations as legal regulations, for example: Legal, IT, Finance and Reporting and other department’s teams in head office can access, e.g. the Internal Control department. All access is restricted to specific and necessary information to the relevant roles of the department or division. This access may also be provided to the stakeholders in accordance with applicable legal regulations.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

Ensure personal data safety

The Company will take appropriate organizational, physical, and technical measures to protect personal data from misuse, change, incidental, or unauthorized destruction, in accordance with current regulations and laws on data privacy & security.

Unwanted consequences and harm may occur

The Company commits to ensure the solutions of personal data security to be deployed and implemented and complied as much as possible. However, due to the processing activities of these data types are mainly carried out in the cyber environment, so it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur: 

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may get risks related to privacy life that may have impacts and other damages;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to get fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

Therefore, we consider your personal data to be very important and the Company will ensure confidentiality, security and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also recommends relevant people to be responsible for their personal data: do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems, personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice.  The Company will only retain personal data that is necessary for its relevant purposes to be used in the system or as legally required or recommended limits of applicable time. 

In general, the personal data of an emergency contact person will be deleted from the system after 6  (six) months from the employment relationship termination of the relevant employee, or after a statutory period from the time the emergency contact person proactively requests data deletion or withdraws consent to data processing, except the cases that the Company must continue to process data to fulfill its obligations of the Company in accordance with current laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data of data subject on the system (the data is securely deleted or disable) according to the time described above.

Rights and obligations of emergency contacts

Emergency contacts have rights to access their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection. Emergency contacts have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide complete and accurate personal data when agreeing to process personal data; and other obligations according to current laws on personal data protection.

Questions and complaints

Emergency contacts have the right to request individual rights of their personal data processed by or on behalf of the Company. You have the right to modify, delete or restrict your data (if appropriate), all subject to applicable personal data protection and other relevant laws, regulations and guidelines of HEINEKEN. In some cases, you also have the right to request the Company to stop processing your personal data base on the reasons relating to your particular situation, but this does not apply when the Company has the lawful right to process. In that case, we will continue to process your personal data. You have the right to receive an overview of the personal data that you have provided to the Company in a common computer format.

To perform your rights or report violations related to data security, please contact HVN's Personal Data Protection Team via email: privacyvn@heineken.com. Besides, we are also developing some features on MyHR system to help you perform the above activities more effectively. We will introduce new features over time and notify you as soon as possible. You also have the right to submit a complain application to the data protection government office as your local laws and regulations.

2. EMPLOYEE’S DEPENDENTS/SPOUSES DATA

For what purposes will we use your personal data?

To ensure compliance with legal regulations on tax declaration and other regulations related to requests to provide information of dependents, the Company will process information of these subjects through various method: collect, retain, share with state agencies. In addition, the Company also processes employee's dependent/spouse information to register for optional insurance, which is considered a benefit for employees and their dependents/spouse. Optional insurance registration can only be done with the consent of the insured person and the employee.

Employees need to ensure the accuracy and integrity of the data they provide. Employees will also bear all responsibilities and risks and arising from inaccuracies, dishonesty, or any other errors caused by them. The Company will not be responsible for any errors that are not the Company's fault.

What types of personal data are stored on the system?

The information of the dependents/spouse processed by the Company include: full name, date of birth, relationship with the employees, information of documents attached according to law regulations. This information will be self-provided by employees.

Who can access personal data of dependents/spouse on the system?

Access to your personal data is granted only when it is necessary for tax declaration purposes and other tasks related to tax, company finances and compliance with legal regulations regarding labour dependents data. Only individuals in the OpCo Human Resources Department who manage the employees, can access and use dependents information for the above purposes. In addition, for compliance purpose with tax laws, labour laws and other legal or arising issues, the OPCO Human Resources Department can share this information with relevant departments to resolve arising situations as legal regulations, for example: Legal, IT, Finance and Reporting and other department’s teams at head office with access, e.g. Internal Control Department. Besides, when employee’s dependents/spouse askes to register optional insurance, the Company will share their information with the corporate insurance organizations. This access may also be provided to the stakeholders in accordance with applicable legal regulations.

For other systems (e.g. HRIS), only the HR department at Opco, under which you are managed, can access limited data, appropriate to their role to perform related tasks regarding salaries and bonuses. This data is only accessed and processed within Vietnam territory and in compliance with applicable labour, taxes laws, and related laws and regulations. However, this access may also be provided to the relevant stakeholders in accordance with applicable law.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

Ensure personal data safety

The Company will take appropriate organizational, physical, and technical measures to protect personal data from misuse, change, incidental, or unauthorized destruction, in accordance with current regulations and laws on data privacy & security. 

Unwanted consequences and harm may occur

The Company commits to ensure the solutions of personal data security to be deployed and implemented and complied as much as possible. However, due to the processing activities of these data types are mainly carried out in the cyber environment, so it is impossible to absolutely guarantee about potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur:

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may get risks related to privacy life that may have impacts and other damages;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to get fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

Therefore, we consider your personal data to be very important and the Company will ensure confidentiality, security and compliance with current legal regulations on personal data protection. In particular:- Organizational measures: The Company appoints a dedicated team to protect personal data and assigns who is responsible for data protection and who is responsible for data of each process.

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall,etc.;

- In addition, the Company also recommends relevant people to be responsible for their personal data: do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code ; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems and other systems (e.g. HRIS), personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice. The Company will only retain personal data that is necessary for its relevant purposes to be used in the system or as legally required or recommended limits of applicable time. In general, employee’s dependent/spouse personal data will be deleted or disable from the system after 10 (ten) years from the employment relationship termination of relevant employee, or after a statutory period from the time the dependent/spouse proactively requests data deletion or withdraws consent to data processing, except the cases that the Company must continue to process data to fulfill its obligations of the Company in accordance with applicable laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data of data subject on the system (the data is securely deleted or disable) according to the time described above.

Rights and obligations of employee’s dependents/spouse

Employee’s dependents/spouse have rights to access their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection.

Employee’s dependents/spouse have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide complete and accurate personal data when agreeing to process personal data; and other obligations according to current laws on personal data protection.

If dependents are provided information to the Company by their parents, representatives, or guardians, their rights and obligations will be exercised through that parent, representative, or guardian.

Questions and complaints

Employee’s dependents/spouse have the right to request individual rights of their personal data processed by or on behalf of the Company. You have the right to modify, delete or restrict your data (if it’s appropriate), all subject to applicable personal data protection and other relevant laws, regulations and guidelines of HEINEKEN. In some cases, you also have the right to request the Company to stop processing your personal data base on the reasons relating to your particular situation, but this does not apply when the Company has the lawful right to process. In that case, we will continue to process your personal data. You have the right to receive an overview of the personal data that you have provided to the Company in a common computer format.

To perform your rights or report violations related to data security, please contact HVN's Personal Data Protection Team via email: privacyvn@heineken.com . Besides, we are also developing some features on MyHR system to help you perform the above activities more effectively. We will introduce new features by the time and notify you as soon as possible. You also have the right to submit a complain application to the data protection government office as your local laws and regulations.

 

PERSONAL DATA BREACH NOTIFICATION POLICY HEINEKEN VIETNAM

Introduction

Everybody within HEINEKEN Vietnam (“HVN”) has the legal obligation to keep personal data secure. This Personal Data Breach Notification Policy (“Policy”) applies when HVN becomes aware (internally or from a third party) that a security incident that involves personal data has occurred, or is likely to occur.

A personal data breach:

• may result in physical, material and/or non-material harm to individuals;
• may expose HVN to significant fines; and
• where required by law, may need to be reported to the relevant Data Protection Authority and/or individuals affected.

Therefore, if HVN becomes aware that a personal data breach has occurred, or may occur, HVN must immediately take all appropriate technological and organizational measures to remedy the incident and ensure that the personal data is secure. In any event, the Global Privacy Office (GPO) shall be informed of the personal data breach without undue delay. In addition, Decree 13/2023/ND-CP requires that breaches must be reported to the Ministry of Public Safety (“Data Protection Authority”). 

It is important that everyone at HVN knows how to recognize a personal data breach (or potential breach) and what steps to take, whilst understanding the importance of acting quickly to allow HVN to take actions and to comply with the Privacy Procedures and any applicable legal obligations.  

What is personal data?

Personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. Personal data may include general personal data and sensitive personal data.

Examples of personal data are:

• identifiers such as a name, identification number or location data; 
• online identifiers such as an IP address, device identifier or cookie identifier; and
• factors specific to the physical, mental, economic, cultural or social identity of an individual.

As part of its everyday business activities, HVN handles personal data of HVN employees, consumers, customers, visitors, business partners and suppliers.

 

What is a personal data breach?

A personal data breach is a security incident which leads to the unauthorized acquisition, access, use or disclosure of unencrypted personal data that compromises the security or privacy of this information.  This policy is relevant to security incidents involving personal data that is stored, transferred, controlled or otherwise handled (in general “processed”) by HVN. 

Use or access may include:

• Destruction of personal data is where the data no longer exist or no longer exists in a form that is of any use to HVN.
• Loss of personal data is where data may still exist, but HVN has lost control or access to it, or no longer has it in its possession.
• Alteration is where personal data has been altered, corrupted or is no longer complete.
• Unauthorized or unlawful processing may include disclosure of personal data (or access by) recipients who are not authorized to receive (or access) the data, or any other treatment of personal data which violates applicable privacy laws.

Examples:

• HVN’s network is infected by ransomware (malicious software that encrypts the HVN data until a ransom is paid). 
• A non-encrypted device, e.g. a USB stick, containing personal data is lost or stolen.
• HVN has sent an email to the wrong mailing list, or HEINEKEN has made a mistake in BCC/CC
• A briefcase with papers containing personal data is lost or stolen. 
• One of HEINEKEN’s online marketplaces suffers a cyber-attack and usernames and purchase history are published online by the attacker. 
• Personal data is extracted from a secure website managed by HEINEKEN during a cyber- attack. 

 

What are HEINEKEN’s responsibilities?

Where a personal data breach occurs, or is likely to occur, HVN must immediately take all appropriate technological and organizational measures to remedy the incident and ensure the personal data is secure.

If conditions for notification are met, HVN must notify the breach to the relevant Data Protection Authority and/or affected individuals. 

If the personal data breach meets the requirements for such qualification as set out in the Privacy Procedures (a security incident – whereby there has been unauthorized access or other use of personal data – compromising the security or privacy of such information – posing a high risk to the individuals whose data it concerns): the breach must be reported to the HEINEKEN Global Privacy Office (GPO). GPO may also require HVN to inform the individuals concerned. 

HVN must keep a record of all breaches that have occurred in the organisation. This record must include information about the facts relating to the breach, its effects and which actions have been taken to remediate the breach.

 

What are the consequences of non-compliance?

HVN risks reputational damage for failing to keep personal data secure. HVN will be subjected to enormous fine according to the current law for non-compliance.   

 

Colleagues’ responsibilities

Each colleague is responsible for ensuring that they follow the internal process for reporting a breach, or potential breach, set out in this policy as soon as they become aware of it. Each colleague therefore needs to contact the Global Service Desk or local IT Helpdesk immediately in case of a potential personal data breach. 

For a full overview of HVN’s personal data breach process, please see the diagram flow here:

 

Where to report a personal data breach internally?

When a colleague has an indication (internally or from a third party) that a security incident that involves personal data has occurred, or is likely to occur, the colleague must report the incident immediately.  Incidents must be immediately reported by creating a ticket in ServiceNow, either through the GSD Self Service portal or by calling the GSD team or local IT Helpdesk assigned to HVN.

When a Data Processor is involved, the Data Processor immediately reports the security incident either directly to HVN IT Helpdesk or via the contact person that is mentioned in the data processor agreement (DPA).   

 

Global Service Desk or HVN IT Helpdesk 

A colleague should report an incident which is likely to include personal data through the GSD Self Service Portal or by calling GSD or HVN IT Helpdesk:

• In the incident reporting process, the incident reporter is requested to provide particular details, if available, about the potential or actual personal data breach, such as when the incident occurred, which types of personal data might be involved, the individuals that might be involved, et cetera;
• Once the incident has been raised, an automated email notification is sent to the local Security Incident Handling Team, including the local Privacy Officer(s).  

When more than one HEINEKEN entity is (potentially) affected by the breach, the HEINEKEN Global Service Desk (GSD) will also be assigned to the other relevant Security Incident Handling Team(s), as well as to the other relevant Privacy Officer(s) and the Global Privacy Officer.  

 

Security Incident Handling Team 

The “Security Incident Handling Team” consists of the HVN Privacy Officer and the HVN Cyber Security Officer (CSO) depending on whether the security breach is identified at local (Vietnam) level or at Global Function level. The Security Incident Handling Team is responsible for handling the IT related matters of the security incident.  

The Security Incident Handling Team: 

Function	Responsibilities
Security (CSO)	Collects additional information about the breach, including the circumstances of the breach and the affected individuals (if any)  Take necessary steps to remedy the breach, keep track of remedy closing progress Immediately and constantly updates and/or consults the Privacy Officer (email/meetings) both when there is a report and when taking remediation  Ensure that all documentation regarding the breach has been added to Service Now
Legal (PO)	Identify remediation steps and closely follow with the remedy progress  Report the data breach to the Data Protection Authority within 72 hours (including report about the delay in handling the breach when it is impossible to provide remediation within required timeframe)
Functional stakeholder	Collaborate and support CSO and PO when needed

When more than one HEINEKEN entity in more than one country is affected by the breach, the Security Incident Handling Team will also immediately notify and work with the other relevant Privacy Officer(s) and the Global Privacy Officer, and work with the other relevant Security Incident Handling Team(s).

When a Data Processor is involved, the Security Incident Handling Team will also work with the Personal Data Breach Team of the Data Processor. 

 

HVN Privacy Officer

The ‘HVN Privacy Officer’ is responsible for handling the security incident.  When the HVN Privacy Officer is notified that an incident has occurred, the HVN Privacy Officer will need to: 

• validate if the data involved is indeed considered as personal data and assess if the incident concerns a potential personal data breach that requires further investigation and/or potential notification. If so, alert, connect and work together with the Security Incident Handling Team and other relevant Subject Matter Experts. If not, instruct the CSO to close the ticket in ServiceNow;
• establish the facts about the personal data breach, as well as the likelihood and severity of the risk to the affected individuals affected. To do this, the Privacy Officer will work together with the CSO and, where needed, other Subject Matter Experts;
• assess if the incident qualifies as a personal data breach that requires notification to the Data Protection Authority; 
• inform the Global Privacy Office of the personal data breach; 
• ensure to notify the personal data breach as required and within the applicable notification term;
• in case the individuals must or should be informed, ensure to work together with the HVN Corporate Affairs team on the drafting and communication of the notice;  
• identify remediation steps in joint collaboration with the CSO and relevant HEINEKEN teams; 
• document the personal data breach in the register by using the ‘personal data breach register’ template in OneTrust; 
• ensure to always have a back-up for the Privacy Officer role in case the Privacy Officer is not available. The back-up Privacy Officer must be included in the Security Incident Handling Team group in ServiceNow. 

When more than one HEINEKEN entity in more than one country is affected by the breach, the local Privacy Officer will also work with the other relevant Security Incident Handling Team(s), the other relevant Privacy Officer(s), the Global Privacy Officer and Global or Regional Security Operations and the other relevant Corporate Affairs Team(s) and the Global or Regional Corporate Affairs Team.

When a Data Processor is involved, the local Privacy Officer may choose to also work with the Personal Data Breach Team of the Data Processor. 

 

HVN Corporate Affairs

Corporate Affairs shall work with the Privacy Officer to draft and send responses to individuals when required. Corporate Affairs shall use the notification templates provide by the Privacy Officer. Corporate Affairs may always reach out to Global Corporate Affairs when additional support is required.   

When more than one HEINEKEN entity in more than one country is affected by the breach, the local Corporate Affairs Team will also work with the other relevant local Corporate Affairs Team(s), the Global Corporate Affairs Team, the other relevant Privacy Officer(s) and the Global Privacy Officer.

 

Global Privacy Officer 

The Global Privacy Office, headed by the Global Privacy Officer, must be informed without undue delay of all personal data breaches that require notification to the Data Protection Authority. The Global Privacy Officer may instruct HVN to inform affected individuals of the personal data breach, where there is no legal obligation to notify individuals under Vietnam law. The instructions of the Global Privacy Officer must be followed by HVN.

The local Privacy Officer consults the Global Privacy Officer when additional support is required and when a (potential) personal data breach appears to involve more than one country. 

When more than one HEINEKEN entity in more than one country is affected by the breach, the Global Privacy Office coordinates and strives to ensure consistency in personal data breach handling amongst the local Privacy Officers and works with Global or Regional Corporate Affairs in case communication with affected individuals is required.

 

Global / Regional Corporate Affairs

Local Corporate Affairs consults Global or Regional Corporate Affairs when additional support is required for the evaluation of any external and/or internal communication is needed regarding the personal data breach. 

When more than one HEINEKEN entity is affected by the breach, Global and or Regional Corporate Affairs coordinates amongst the Local Corporate Affairs teams and works with the Global Privacy Officer for the handling of the external and/or internal communication. 

 

Crisis Management

HEINEKEN has a Crisis Management process in place which applies to this Personal Data Breach Policy as well. If required, the Crisis Management process will be applied by the Security Incident Handling Teams. 

 

Notifying individuals 

All notifications of personal data breaches to affected individuals must be drafted in joint collaboration by the Corporate Affairs Team and the Privacy Officer.

HVN Corporate Affairs Team will determine how to notify individuals on a case-by-case basis (e.g. who within HEINEKEN the notification should come from, the format and whether it is done by individual or mass communication). 

Where appropriate, the notice should also include specific advice to individuals to protect themselves from possible adverse consequences of the breach, such as resetting passwords in case their log-in credentials have been compromised. 

Notifications to individuals of personal data breaches should be separate from any other communications such as regular updates, newsletters or standard messages. The notification must be clear and transparent.

 

Registration

The HVN Privacy Officer has overall responsibility in ensuring that all relevant information regarding a personal data breach is registered in OneTrust. When no further investigation is required, the HVN Privacy Officer instructs the CSO to close the ServiceNow Incident ticket. 

All personal data breaches follow the above registration process, including those that were not reported to the relevant Data Protection Authority. 

The information required to complete in the register in OneTrust includes: 

• Details of the breach, including:
  - Time
  - Location
  - The cause(s)
  - Description of the incident/Violations:
  - Organizations, individual, types of personal data and the quantity of relevant personal data: 
• Personnel in charge of protections of personal data:
  - Full name:
  - Title:
  - Phone number:
  - Email:  
• the effects and consequences of the breach;
• details of the steps taken to remedy the breach;
• whether or not a local legal requirement to notify personal data breaches to the Data Protection Authority and/ or individuals exists; 
• if such local legal requirement exists: the reasoning for a decision not to notify or not within the required time period and evidence to justify any such delay; 
• where the breach was notified to the relevant Data Protection Authority and / or affected individuals, a copy of the notification(s) and evidence to demonstrate that the notification was provided timely and in a transparent and effective manner.

This information will be held in OneTrust for a period of 3 years following the date on which the personal data breach was registered, unless applicable local law indicates a longer retention period. 

 

Administrative information

Contact person	Nguyen Lan Huong HEINEKEN Vietnam Privacy Officer NguyenLan.Huong@heineken.com
	Bui Duc Thao HEINEKEN Vietnam Data Protection Officer  BuiDuc.Thao@heineken.com
	Nguyen Duc Phat HEINEKEN Vietnam Security Coordinator nguyenduc.phat@heineken.com