Privacy Center



HEINEKEN Vietnam feels very strongly about protecting the personal data that it is entrusted with. We strive to handle personal data with care according to our internal standards and applicable local law, to be transparent on how We use personal data and how individuals can exercise their data privacy rights.

 

CONTENTS:

I. THE 6 HEINEKEN PRIVACY PRINCIPLES

II. NOTICE OF EMPLOYEE PERSONAL DATA PROTECTION TERMS

III. NOTICE OF APPLICANT PERSONAL DATA PROTECTION TERMS

IV. NOTICE OF DISTRIBUTORS PERSONAL DATA PROTECTION TERMS

V. NOTICE OF CUSTOMER PERSONAL DATA PROTECTION TERMS

VI. NOTICE OF EMPLOYEE DATA PROTECTION TERMS WHEN APPLYING THE ACCESS CONTROL PROCESS AT THE COMPANY WORKPLACES

VII. NOTICE OF VISITOR PERSONAL DATA PROTECTION TERMS WHEN ACCESSING WORKPLACES

VIII. NOTICE ON PERSONAL DATA PROTECTION TERMS FOR SURVEILLANCE CAMERA SYSTEM

IX. HEINEKEN VIETNAM DATA SUBJECT RIGHTS POLICY (“DSR Policy”)

X. HEINEKEN VIETNAM PERSONAL DATA BREACH NOTIFICATION POLICY

XI. CONTACT INFORMATION

 

I. THE 6 HEINEKEN PRIVACY PRINCIPLES

Everyone at HEINEKEN Vietnam is responsible for adhering to the 'HEINEKEN 6 Privacy Principles' and making them part of their daily business practices.

Principle 1: Use Limitation

Define clear business purposes before you start collecting personal data. Limit the use of personal data to what is needed to achieve your business purposes.

Principle 2: Data Minimisation

Only use the personal data that is necessary for the business purpose and restrict access to ‘need-to-know’. Delete the personal data when no longer needed. Keep the personal data up to date and correct.

Principle 3: Sensitive Data

Be extra careful when using sensitive data such as health, religion, social security numbers. Ask the Privacy Officer for advice if you wish to use sensitive data.

Principle 4: Transparency & Rights of Individuals

Communicate about what you do with personal data by means of privacy notices and other statements. Facilitate individuals exercising their rights in respect of their personal data.

Principle 5: Security

Have appropriate organisational and technical security measures in place to protect the personal data from unauthorised and unwanted access or use. Staff accessing the data must be bound by confidentiality obligations.

Principle 6: Third Party Access

Ensure required safeguards are in place when allowing third parties to access the personal data. Additional measures may be needed for international data transfers.

 

II. NOTICE OF EMPLOYEE PERSONAL DATA PROTECTION TERMS

Pursuant to current laws on personal data protection (“legal regulations”), HEINEKEN Vietnam Brewery Company Limited issues this Notice of terms & conditions on employee personal data protection (“Notice”).

Effective from July 1, 2023

HEINEKEN Vietnam Brewery Company Limited (hereinafter “We”, “Us”, “HEINEKEN” or “Company”) is committed to protecting the personal information of all employees. “EMPLOYEES” means all of our current or former employees (“You” or “Employee”).

In Part I of this Notice, We will describe how your personal data is collected, managed and used in the SuccessFactors system (MyHR), and other systems (e.g. salary, allowances and bonus management system (HRIS), Telematic Driver, CCTV, health records...).

In Part II, We will explain how We manage the data of unofficial employees, for example: temporary employees, consultants, contractors, interns, etc. (generally referred to as “Outsourced Employees”), when their information is also included in the SuccessFactors system and other systems/processes implemented, applied and adjusted by the Company from time to time (including but not limited to systems such as Telematic Driver, CCTV, health record management, office access efficiency control equipment).

In Part III, We will describe how the personal data of your emergency contact or relative is collected and used for limited purposes and in connection with the performance of the employment contract, while this information is also processed on the SuccessFactors system and other systems (for example, the HRIS compensation management system).

In general, SuccessFactors - MyHR is the general management system of the global HEINEKEN corporation, which helps the corporation operate consistently and manage the large amount of data of all employees across countries. Data managed by subsidiaries or branches (generally referred to as Opco) will be uploaded to this system. Because it is a global system, data processed on this system will be transferred outside of Vietnam. In addition, the Company uses the local system (HRIS) to calculate salaries and bonuses for all employees managed by the Company. Therefore, data related to salaries, bonuses and benefits, including data of relevant dependents according to labour laws, tax laws and other relevant regulations, will be copied to this system. However, this is the local system of HEINEKEN Vietnam Brewery Co., Ltd., so none of the above data will be transferred outside the territory of Vietnam. Finally, for internal management, labour safety, employee health and the working environment of HEINEKEN, the Company will collect the locations of the subjects listed in this Notice through the location service, images monitored by CCTV, employee health status... These data will also be processed by the Company and will not be shared with third parties or outside the territory of Vietnam, except in cases permitted by law.

Over time, these systems may be replaced, supplemented, removed... at the Company's decision. When there are any changes, We will promptly notify you.

This Privacy Notice was issued on 15 January 2019, amended and supplemented on 01 July 2023 and may be updated from time to time, in which case HEINEKEN employees, outsourced employees and their emergency contacts or relatives will be notified.

PART I: EMPLOYEE PERSONAL DATA

For what purposes will We use your personal data?

During your employment with the Company, the Company collects a large amount of personal data and business relationship data, as well as data of your emergency contacts or relatives. SuccessFactors will enable us to perform Human Resources transactions in an efficient and user-friendly manner. To do this, the Company needs to store your personal data (details of which will be listed in this Notice) in SuccessFactors. In addition, a copy of employee information will be transmitted to the compensation management system (HRIS); other systems/processes deployed, applied and adjusted by the Company from time to time (including but not limited to systems such as Telematic Driver, CCTV, health record management, office access efficiency control equipment) will also process some limited information in accordance with legal regulations.

The Company will use this information for the purpose of managing your employment relationship with the Company. This includes aspects such as processing and accessing working history, leave management, payments, tax matters, insurance, wages and benefits, business travel and costs, processing personal data to implement internal operational and management processes (such as work schedules, timekeeping, providing for central data processing for efficiency purposes, internal audit and control, review and monitoring of compliance with internal processes and in the context of dispute resolution), organizational analysis and development, management reporting; merger management, acquisitions and divestments; for facilitating and managing labour information (e.g. number of employees, job positions,...); talent management and career opportunities (including succession planning), performance assessment, training (including video recording and photography in training programs for the purpose of communication, statistics, course monitoring, and other purposes for recording and taking photos in accordance with current legal regulations); protect the interests of HEINEKEN and its employees (e.g. screening and monitoring of employees, occupational health and safety, authentication of employee status and access and identity management, office access control to comply with current legal regulations).

What types of personal data are stored on the system?

The following categories of personal data will be stored on the system:

  1. Personal information: Information related to the individual and contact information such as name, gender, marital status, nationality, employee number, date of birth, address information, phone number, email, qualifications, photo, emergency contact information, bank information, dependent information (name, date of birth, relationship, etc.), ID card information or/and Public Identification Card, information related to Visa/Work Permit and social security numbers, personal images monitored via the Company's CCTV system;
  2. Details of Department/Job title: Company name, department, work location, job title, job grade, contract status & type (full-time/part-time), start date and end date of labour contract;
  3. Salary and benefits: Payments, regularity of payments, salary, payment currency, non-recurring payments, talent management and performance appraisal (PA) information, such as your PA results, development programs, succession planning data, degrees and certificates, online training, PA assessment and development and information to use for adding to employee’s working history, plans;
  4. Data access system and application: Information required to access the Company's systems and applications such as email addresses, employee code, user identification numbers of other systems and applications;
  5. Office access efficiency control equipment: Facial or fingerprint recognition data or information needed to issue an office access card (as agreed by the employee).

Does the system contain sensitive personal data?

Sensitive personal data is processed to eliminate or minimize possible inequalities or to ensure diversity of the Company culture from different ethnic/national groups. In addition, some sensitive data is processed to ensure employee welfare, such as: diversity in diet, banquets, annual leave, etc. in accordance with the customs, practices and culture of different ethnic/national/religious groups as prescribed by law; special treatment for individuals with biological characteristics that require separate remuneration regimes; payment of salaries and bonuses; internal management and supervision; health consulting and assurance; other regimes to avoid discrimination due to differences in cultural, national/ethnic/religious, unique characteristics... according to appropriate practices and relevant applicable legal regulations. Sensitive employee information handled by the Company includes:

- Religion (optional): The Company will only collect employees' religion when they provide it, to ensure the environment, programs, events, regimes and policies are suitable for each faith community;

- Health condition: The Company only collects health information as required by law on employees' health and safety and may use this information for the purpose of advising on employees' health;

- Ethnicity (optional): to meet labour law regulations, eliminate or minimize possible inequalities related to different ethnic groups;

- Individual biological characteristic: due to the request to provide ID image to compare with the information provided by the employee, the Company may collect information on that ID image, including individual biological characteristic of each employee;

- Bank account information: to pay salaries, bonuses and other benefits to employees;

- Data about the individual's location through location services: when the employee/outsourced employee plays the role of driver/transporter/other tasks assigned to use the vehicle according to the labor contract, whose vehicle is equipped with the Company's positioning device; and other employees using vehicles equipped with the Company's positioning devices will have to share their travel itinerary. These data are only processed when the above data subjects have read and agreed to the Company's Telematic Driver application usage statement;

- Biometric data: to manage/control office access effectively, including facial recognition or fingerprint data;

- Other personal data classified by law as special and requiring necessary security measures;

The employee data that We collect and process will be adequate, relevant and limited to specific purposes only. Employee information should be as accurate as possible and should comply with applicable laws on personal data protection.

Who can access your personal data?

Access to your personal data is granted only when it is necessary for the intended purposes and for the related employees to perform their work. Opco/regional/global managers and the Opco & global Human Resources Department (including the support staff for the SuccessFactors (MyHR) system and global Human Resources Capacity Development Managers) involved in system support and the implementation of Opco/global HR processes, such as global mobility and premium benefits services, personal development services, talent management and planning, reporting and succession management, have access to your personal data on the system, but only for the purposes referenced in this Notice. By completing your Career Profile (e.g. career aspirations, working relocation), you express your expectation to be considered for other positions at HEINEKEN, within or outside your Opco. Your Career Profile is visible to your Opco HR and global HR. Additionally, because of the global nature of HEINEKEN's operations, it is accessible to employees of other departments within the Company, such as Legal, IT, Finance and Reporting, and to other department teams in head office, e.g. the Internal Control department. All access is restricted to the specific and necessary information relevant to the role of the department or division. This access may also be provided to the relevant stakeholders in accordance with applicable legal regulations.

For other systems/processes deployed, applied and adjusted by the Company over time (including but not limited to systems such as HRIS compensation management system, Telematic Driver, CCTV, health management records, effective control office access equipment...), only the human resources department at the Opco that you are under can access limited data, appropriate to their role, to perform related work. This data is only accessed and processed within Vietnam’s territory and in compliance with current laws on labor, tax, health and related regulations. However, this access may also be provided to the relevant stakeholders in accordance with applicable legal regulations.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

From time to time, We may need to provide personal data to third parties such as service providers (companies that provide products and services to us such as payroll, benefits and retirement management service providers, IT service providers, travel and tourism services, performance management, training, expense management or credit card companies, medical/health professionals and background investigation companies), professional consultants (such as accountants, controllers or lawyers), public authorities (authorized public authorities such as management agencies, law enforcement, public opinion and judicial agencies), the Trade Union or in the context of corporate transactions (a third party related to any actual or proposed restructuring, merger or acquisition). We will sign agreements with service providers and professional consultants to ensure your right to protect your personal data.

Ensure personal data safety

We consider employees' personal data to be an important asset of the Company, and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate and limit the number of people who can open them, and having a sufficient, quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit the use of devices that are not provided by the Company to create, access, edit or change data; if you use devices not provided by the Company to create, access, edit or change data, you must ensure that support tools (anti-virus, management, etc.) are installed so that the device is properly set up as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures; and the Company recommends that all employees fully participate in information security awareness courses as recommended by the Company.

The Company commits to ensure that personal data security solutions are deployed, implemented and complied with as much as possible. However, because the processing activities for these data types are mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur:

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may face risks related to their private life, which may have impacts and cause other damage;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems, personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice. The Company will only retain personal data that is necessary for its relevant purposes to be used in the system, or for the applicable legally required or recommended time limits. In general, employee personal data is securely deleted or disabled from the system after 10 (ten) years or sooner depending on the system type, counted from the time the relevant employee terminates the employment relationship, or after a statutory period from the time the employee proactively requests data deletion or withdraws consent to data processing, except in cases where the Company must continue to process data to fulfill its obligations in accordance with applicable laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data of the data subject on the system (the data is securely deleted or disabled) according to the time described above.

Rights and obligations of employees

Employees have rights to access their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection.

Employees have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide adequate and accurate personal data when agreeing to personal data processing; and other obligations according to applicable laws and regulations on personal data protection.

PART II: PERSONAL DATA OF OUTSOURCED EMPLOYEES

For what purposes will We use the personal data of outsourced employees?

SuccessFactors and other systems/processes deployed, applied and adjusted by the Company from time to time (including but not limited to systems such as Telematic Driver, CCTV, health record management, office access efficiency control equipment) may contain some personal data of outsourced employees. This personal data will be used for limited purposes such as: internal reporting when it is necessary to synthesize information of internal and external employees, internal communication purposes and in connection with facilitating and providing access to our systems.

What personal data of outsourced employees is stored on the system:

If there is any personal data of outsourced employees stored on the system, it can be the following types of information:

1) Personal information: information related to personal, contact and working information (name, gender, date of birth, phone number, email), license plate, personal image that is monitored through the Company's CCTV system;

2) Details about the department/job title: working department, working location, job title, job grade, date of employment;

3) Data access system and application: information required to get access to the Company's systems and applications such as email addresses, AD accounts, user IDs of other systems and applications;

4) Office access efficiency control equipment: facial or fingerprint recognition data or information to be issued an office access card.

Does the system contain sensitive personal data?

Sensitive personal data is processed to ensure compliance with labor laws and health advising for outsourced employees when necessary. Besides, to ensure the payment of salaries and benefits to outsourced employees, the Company will also collect information about their bank accounts. The use of this information must ensure objectivity, accuracy and compliance with the provisions of law. Sensitive employee information processed by the Company on the system includes:

- Health condition: the Company only collects health information as required by law on employees' health and safety and may use this information for the purpose of advising on employees' health;

- Bank account information: to pay salaries, bonuses and other benefits to employees;

- Data about the individual's location through location services: when the employees/outsourced employees play the role of driver/transporter/other tasks assigned to use the vehicle according to the labor contract, whose vehicle is equipped with the Company's positioning device; and other employees using vehicles equipped with the Company's positioning devices will have to share their travel itinerary. These data are only processed when the above data subjects have read and agreed to the Company's Telematic Driver application usage statement;

- Biometric data: to manage/control office access effectively, including facial recognition or fingerprint data;

- Other personal data classified by law as special and requiring necessary security measures;

The employee data that We collect and process will be adequate, relevant and limited to specific purposes only. Employee information should be as accurate as possible and should comply with current law on personal data protection.

Who can access personal data of outsourced employees on the system?

Access to your personal data is granted only when it is necessary for the intended purposes and for the related employees to perform their work. Only Human Resources Outsourcing managers and Opco & global Human Resources staff involved in system support, implementation and reporting to global HR have access to personal data of outsourced employees on the system, but only for the purposes referenced in this Notice. In addition, because of the global nature of HEINEKEN's operations, it is accessible to employees of other departments within the Company, such as Legal, IT, Finance and Reporting, and to other department teams in head office, e.g. the Internal Control department. All access is restricted to the specific and necessary information relevant to the role of the department or division. This access may also be provided to the stakeholders in accordance with applicable legal regulations.

For other systems/processes deployed, applied and adjusted by the Company over time (including but not limited to systems such as HRIS compensation management system, Telematic Driver, CCTV, health management records, effective control office access equipment...), only the human resources department at the Opco that you are under can access limited data, appropriate to their role, to perform related work. This data is only accessed and processed within Vietnam’s territory and in compliance with current laws on labour, tax, health and related regulations. However, this access may also be provided to the stakeholders in accordance with applicable legal regulations.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

From time to time, We may need to provide personal data to third parties such as service providers, professional consultants (such as accountants, controllers or lawyers), public authorities (authorized public authorities such as management agencies, law enforcement, public opinion and judicial agencies), or in the context of corporate transactions (a third party related to any actual or proposed restructuring, merger or acquisition). We will sign agreements with service providers and professional consultants to ensure your right to protect your personal data.

Ensure personal data safety

We consider employees' personal data to be an important asset of the Company, and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate and limit the number of people who can open them, and having a sufficient, quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit the use of devices that are not provided by the Company to create, access, edit or change data; if you use devices not provided by the Company to create, access, edit or change data, you must ensure that support tools (anti-virus, management, etc.) are installed so that the device is properly set up as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures; and the Company recommends that all employees fully participate in information security awareness courses as recommended by the Company.

The Company commits to ensure that personal data security solutions are deployed, implemented and complied with as much as possible. However, because the processing activities for these data types are mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur:

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may face risks related to their private life, which may have impacts and cause other damage;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems, personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice. The Company will only retain personal data that is necessary for its relevant purposes to be used in the system, or for the applicable legally required or recommended time limits. In general, outsourced employee personal data is securely deleted or disabled from the system after 10 (ten) years or sooner depending on the system type, counted from the time the relevant employee terminates the employment relationship, or after a statutory period from the time the employee proactively requests data deletion or withdraws consent to data processing, except in cases where the Company must continue to process data to fulfill its obligations in accordance with applicable laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data of the data subject on the system (the data is securely deleted or disabled) according to the time described above.

Rights and obligations of outsourced employees

Outsourced employees have rights to access their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection.

Outsourced employees have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide adequate and accurate personal data when agreeing to personal data processing; and other obligations according to applicable laws and regulations on personal data protection.

PART III: INFORMATION OF INDIVIDUALS RELATED TO EMPLOYEES

DATA OF EMERGENCY CONTACTS

For what purposes will We use the personal data of emergency contacts?

To ensure safety at the workplace and to report emergency cases involving employees during working hours or at the workplace, the Company may process information of emergency contacts, which the employees related to these individuals fill in on the MyHR system. Accordingly:

What personal data is processed on the system:

The emergency contact information processed by the Company includes: full name, phone number, relationship with the employees. This information is provided at the employees' choice and is intended to serve their legitimate interests. Therefore, employees will manually fill in this information on the MyHR system based on the consent of the emergency contacts.

By accepting the Company's data privacy notice, We will collect, store and communicate with emergency contacts when employees are in emergency situations within the scope of employment relations. Employees need to ensure the accuracy and integrity of the data they provide. Employees will also bear all responsibilities and risks arising from inaccuracies, dishonesty, failure to obtain consent from data subjects, or any other errors caused by the employees or emergency contacts. The Company will not be responsible for any errors that are not the Company's fault.

Who can access personal data of emergency contact persons on the system?

Access to your personal data is granted only when it is necessary to ensure labour safety in accordance with labour laws. Only individuals in the OpCo Human Resources Department who manage the employees have access to and use emergency contact information for the above purposes. In addition, for emergency purposes and legal or other issues arising, the Human Resources Department at that OpCo can share this information with relevant departments to resolve arising situations in accordance with legal regulations, for example: Legal, IT, Finance and Reporting, and other departments' teams in head office with access, e.g. the Internal Control department. All access is restricted to the specific information necessary for the relevant roles of the department or division. This access may also be provided to the stakeholders in accordance with applicable legal regulations.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

Ensure personal data safety

We consider employee’s personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit using other devices that are not provided by the company to create, access, edit, change data; if you use devices not provided by the company to create, access, edit, and change data, you must ensure the installation of support tools (anti-virus, management, etc.) to ensure the device is properly installed as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures and recommend all employees to fully participate in courses of information security awareness as recommended by the Company.

The Company commits to ensuring that personal data security solutions are deployed, implemented and complied with as far as possible. However, because the processing of these data types is mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm will not occur. Here are some examples of unwanted consequences and harm that may occur:

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may face risks to their private life, which may have impacts and cause other damage;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or other illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems, personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice.  The Company will only retain personal data that is necessary for its relevant purposes to be used in the system or as legally required or recommended limits of applicable time. 

In general, the personal data of an emergency contact person will be deleted from the system after 6 (six) months from the employment relationship termination of the relevant employee, or after a statutory period from the time the emergency contact person proactively requests data deletion or withdraws consent to data processing, except in cases where the Company must continue to process data to fulfill its obligations in accordance with current laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data subject's data on the system (the data is securely deleted or disabled) according to the time described above.

Rights and obligations of emergency contacts

Emergency contacts have rights to access their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection. Emergency contacts have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide complete and accurate personal data when agreeing to process personal data; and other obligations according to current laws on personal data protection.

EMPLOYEE’S DEPENDENTS/SPOUSES DATA

For what purposes will We use your personal data?

To ensure compliance with legal regulations on tax declaration and other regulations related to requests to provide information of dependents, the Company will process information of these subjects through various methods: collecting, retaining and sharing with state agencies. In addition, the Company also processes employee's dependent/spouse information to register for optional insurance, which is considered a benefit for employees and their dependents/spouse. Optional insurance registration can only be done with the consent of the insured person and the employee.

Employees need to ensure the accuracy and integrity of the data they provide. Employees will also bear all responsibilities and risks arising from inaccuracies, dishonesty, or any other errors caused by them. The Company will not be responsible for any errors that are not the Company's fault.

What types of personal data are stored on the system?

The information of the dependents/spouse processed by the Company includes: full name, date of birth, relationship with the employees, information of documents attached according to law regulations. This information will be self-provided by employees.

Who can access personal data of dependents/spouse on the system?

Access to your personal data is granted only when it is necessary for tax declaration purposes and other tasks related to tax, company finances and compliance with legal regulations regarding labour dependents data. Only individuals in the OpCo Human Resources Department who manage the employees can access and use dependents' information for the above purposes. In addition, for the purpose of compliance with tax laws, labour laws and other legal or arising issues, the OpCo Human Resources Department can share this information with relevant departments to resolve arising situations in accordance with legal regulations, for example: Legal, IT, Finance and Reporting, and other departments' teams at head office with access, e.g. the Internal Control Department. Besides, when an employee’s dependents/spouse ask to register for optional insurance, the Company will share their information with the corporate insurance organizations. This access may also be provided to the stakeholders in accordance with applicable legal regulations.

For other systems (e.g. HRIS), only the HR department at the OpCo under which you are managed can access limited data, appropriate to their role, to perform related tasks regarding salaries and bonuses. This data is only accessed and processed within Vietnam territory and in compliance with applicable labour and tax laws, and related laws and regulations. However, this access may also be provided to the relevant stakeholders in accordance with applicable law.

SuccessFactors is an SAP data cloud application and is hosted on servers in Germany and backup servers located in the Netherlands, and therefore, your personal data will be transferred outside of Vietnam. SuccessFactors will access the system when they provide hosting, maintenance and support services, but as your personal data on the system is encrypted, SuccessFactors will not be able to view your personal data. Only in exceptional cases and with HEINEKEN's approval, SuccessFactors has access to your encrypted personal data for technical support and SuccessFactors system management. We also have agreements with SuccessFactors to ensure your personal data’s safety and security.

Ensure personal data safety

We consider employee’s personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit using other devices that are not provided by the company to create, access, edit, change data; if you use devices not provided by the company to create, access, edit, and change data, you must ensure the installation of support tools (anti-virus, management, etc.) to ensure the device is properly installed as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures and recommend all employees to fully participate in courses of information security awareness as recommended by the Company.

The Company commits to ensuring that personal data security solutions are deployed, implemented and complied with as far as possible. However, because the processing of these data types is mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm will not occur. Here are some examples of unwanted consequences and harm that may occur:

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may face risks to their private life, which may have impacts and cause other damage;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or other illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

Data retention and integrity

The Company will take reasonable steps to ensure that when using the Company's systems and other systems (e.g. HRIS), personal data processed is reliable for its intended use and is accurate, adequate and up to date to carry out the purposes described in this Notice. The Company will only retain personal data that is necessary for its relevant purposes to be used in the system or as legally required or within recommended applicable time limits. In general, employee’s dependent/spouse personal data will be deleted or disabled from the system after 10 (ten) years from the employment relationship termination of the relevant employee, or after a statutory period from the time the dependent/spouse proactively requests data deletion or withdraws consent to data processing, except in cases where the Company must continue to process data to fulfill its obligations in accordance with applicable laws.

The time to start processing data is calculated from the time the data subject agrees with this data security notice and provides the data to the Company. The end of data processing is the actual time the Company no longer stores the data subject's data on the system (the data is securely deleted or disabled) according to the time described above.

Rights and obligations of employee’s dependents/spouse

Employee’s dependents/spouse have rights to access their personal data, which include: right to give and to withdraw consent, right to erasure, right to restrict data processing and other rights as prescribed by current laws on personal data protection.

Employee’s dependents/spouse have obligations to: protect their personal data by themselves; respect and protect the personal data of others; provide complete and accurate personal data when agreeing to process personal data; and other obligations according to current laws on personal data protection.

If dependents' information is provided to the Company by their parents, representatives, or guardians, their rights and obligations will be exercised through that parent, representative, or guardian.

 

III. NOTICE OF APPLICANT PERSONAL DATA PROTECTION TERMS

Pursuant to current laws on personal data protection (“legal regulations”), HEINEKEN Vietnam Brewery Company Limited issues Notice of terms & conditions on Applicant personal data protection (“Notice”).

Effective from July 1, 2023

INTRODUCTION

HEINEKEN Vietnam Brewery Company Limited, together with its branches and affiliates (hereinafter referred to as "HEINEKEN" or “Company” or "We" or “Us”) is the Personal Data Controller of Applicant (or “You”).

HEINEKEN, your potential employer, is the controller and processor of your personal data. When Applicant visits the HEINEKEN career website or uses the internal job vacancies site, HEINEKEN collects information (personal data) about the Applicant: via web forms; or the Applicant’s CV or application letter submitted directly or via HEINEKEN's official career websites or from other sources that HEINEKEN may lawfully collect with the Applicant's consent; via interviews and discussions between Applicant and HEINEKEN; or via other official tools to Applicant's personal information with the Applicant's consent. HEINEKEN uses the Applicant's personal data in a lawful and fair manner, which means that HEINEKEN collects and processes personal data in compliance with applicable regulations on personal data protection. Protecting the privacy and personal data of Applicant is of the utmost importance to HEINEKEN and is a significant aspect of the way HEINEKEN creates, organizes and implements its recruiting activities.

This privacy statement is intended to inform Applicant regarding HEINEKEN’s processing of recruitment data and is applicable to HEINEKEN recruitment and selection activities.

This Notice may be updated from time to time, of which you shall be informed. If there are any amendments, additions, or updates to this Notice, Applicant is fully entitled to choose whether to continue allowing Company to retain their personal data or restrict the company's rights in accordance with applicable laws.

PURPOSES

Personal information (Applicant data) submitted by the Applicant to HEINEKEN or collected by HEINEKEN via any source and with the consent of the Applicant will be used by HEINEKEN to support a responsible, effective, and efficient recruitment and selection process. HEINEKEN will collect and process Applicant data from unsolicited applications, via interviews and discussions or via other official tools to Applicant's personal information with the consent from the Applicant. HEINEKEN will process Applicant data for recruitment purposes. These purposes are: assessment of your application, matching Applicant data with HEINEKEN current open positions, and contacting Applicant for future positions that suit the Applicant’s skills and capabilities, evaluating your eligibility to work at HEINEKEN (e.g. legal working age), communicating HEINEKEN recruitment and selection procedures, contacting Applicant to schedule interviews/tests and responding to questions the Applicant may raise, verifying information received via the application and for performing pre-employment screening.

In addition, HEINEKEN will process your personal data for the following purposes:

  • Personalization purposes, such as providing information on relevant vacancies (Job alerts) on the basis of the profile you created of yourself. This includes sending emails notifying you on Job alerts and other relevant HEINEKEN recruitment messages;
  • Information about your visit to and use of our Website/official recruitment system. We collect certain information when you visit our Website, such as your IP address, which web pages you visit, device category, browser, and type of internet browser, clicks and views. The information about your use of our Website and services enables us to build segments, which are groups of website visitors or customers with a number of common characteristics such as age group or region. We will likely add you to one of our segments. Segments are used by us to customize the Website and to change the order of search results, or where We place certain offers so you are more likely to see these. In addition, We may analyse anonymous measurement of response to our vacancies; 

Before being accepted to work at HEINEKEN, you will be required to have a Pre-Employment Health Check-up. The purpose of this is to assess whether your health meets the requirements of the work environment, and to prevent the risk of spreading infectious diseases within Company. To do this, Company will provide instructions and seek your consent before conducting the health examination and consultation. 

APPLICANT DATA

HEINEKEN collects and processes Applicant data (required and optional) which the Applicant provides directly, via creating a profile and by attaching relevant documents (such as resume), on the HEINEKEN recruitment system. We also collect and process Applicant data through recruitment agencies, personal referrals, phone calls, e-mail or reference contacts who have the consent of the Applicant to share information, interviews, discussions with the Applicant and other legal forms with the Applicant's consent. Examples of Applicant data collected and processed by HEINEKEN for the purposes listed in section 2 include but are not limited to:

  • Personal details (e.g. name, contact details, language spoken, legal working age, nationality);
  • Work related information (e.g. details contained in your letter of application and CV, other details on education and development and work history); 
  • Position (e.g. position of interest, title, location, full-time/part-time possible terms of employment);
  • Compensation (e.g. current and required salary and currency);
  • Immigration status (e.g. citizenship and details of residency or work permit).

APPLICANT SENSITIVE PERSONAL DATA

During the recruitment and selection process, We may need to collect certain data viewed as ‘sensitive’ according to laws & regulations because they may reveal intimate characteristics or personal privacy. Any use of sensitive Applicant data shall be used by us only within the strict limits set out by applicable local law.

Sensitive personal data in the recruitment process may include one or all the information listed below:

- Health status & records: to check whether the Applicant's health meets occupational health standards according to relevant laws;

- Data related to ethnic origin: if permitted or required by law, Applicant’s personal information may be used to eliminate or minimize potential inequalities or to ensure diversity in recruitment for Applicant from racial/ethnic minority groups, however, the use of this personal information must ensure objective recruitment decisions and not violate steps in the Company recruitment process;

- Other personal data specified by law are special and require necessary security measures.

The Applicant data that We collect and process will be adequate, relevant and not excessive relative to the specified purposes for which the Applicant data are collected and processed. Applicant data will be as accurate as possible and, as necessary in accordance with applicable laws, kept up to date by Applicant.

REFERENCE CHECK

Reference check is a process applied by HEINEKEN to certain specific recruitment cases according to Company policy. Specifically, if required, Applicant will be requested to provide data of the referees. The referees will be people related to the Applicant's work history (for example: former colleagues, former bosses). Applicant will be sent an access link to forward to the referees so they can fill in their own contact information after reading and accepting HEINEKEN's data privacy terms. Data collected from the referees includes:

- Confirmation of the Applicant's basic data (name, contact information);

- Job-related data: position, title at the old company, work process and effectiveness at the old company, comments on the Applicant's personality;

- Other data related to the Applicant's job that is approved for collection by the Applicant.

When receiving a link to enter information, the referee can only fill in basic information as outlined above after consenting to the data privacy notice. A copy of instructions on how to use myHR for the above purposes will be sent to the referee’s registered email. Referees’ data will include full name, company, relationship with the consulted employee, phone number, email.

By reading and accepting this notice, and forwarding the access link to fill in the referee’s data, Applicant consents to these individuals providing Applicant's personal data to HEINEKEN and allows HEINEKEN to share limited data related to the Applicant's basic information and work history. These discussions and this sharing of data will be controlled responsibly, legally, and effectively, ensuring information security for Applicant. The data provided by the referee will be used for reference and will be carefully and responsibly evaluated and screened by the HEINEKEN recruitment team. This data does not have any value in deciding the Applicant's application result. The referee’s data will be automatically deleted after 6 months from the end of the reference check activity.

COOKIES OR SIMILAR TECHNOLOGIES

Our website uses ‘cookies’, which are small text files stored on your device, to help operate the site and collect information about your online activity. Our website uses cookies for several purposes, including:

  • Storing your Preferences & Settings;
  • Age gate verification;
  • Sign-in and Authentication;
  • Site Analytics;
  • Targeted Advertising.

Through cookies or similar technologies, We may collect the following personal data:

  • IP address;
  • Age gate data (your birthdate);
  • Cookie ID;
  • Browser type;
  • Language settings;
  • The website you came from and the website you visit; and
  • The links you click while using our sites and services.

You can find more information in our cookie policy as published on our website(s).

QUALITY AND LIABILITY

When you provide your personal data to HEINEKEN, you are responsible for the accuracy of your personal data and to make sure that your personal data remains accurate and up to date. HEINEKEN is, except for gross negligence or unlawful intent, not liable for errors, consequences or activities taken as a result of inaccurate or incomplete information that you provided to us.

TRANSFER OF & ACCESS TO YOUR PERSONAL DATA 

To operate as a global business and to promote an Applicant’s career within HEINEKEN, it is in both the job Applicant and HEINEKEN’s interests to enter Applicant data in an international database that may either be limitedly available or available for all HEINEKEN recruiters worldwide. A third party service provider of HEINEKEN may also be located outside your home jurisdiction. Where such international data transfer takes place to a country that has a different data protection regime, HEINEKEN will ensure that the international data transfer will not negatively affect the level of protection of your personal data. Where required, HEINEKEN will inform you of any additional details on the international data transfers.

As part of the application process, Applicant is asked to select any of the following choices:

  1. Only the HEINEKEN recruiters managing the relevant jobs;
  2. Any HEINEKEN recruiter in the country of residence of the Applicant;
  3. Any HEINEKEN recruiter worldwide.

By reading and accepting this recruitment privacy statement, Applicant agrees to allow HEINEKEN to upload Applicant's personal data to the SuccessFactors system - HEINEKEN's data storage service according to the statement below. However, subject to the Applicant's choice above, only those individuals limited to that choice will have access to the Applicant's personal data and be able to process it for the purposes noted in the Notice. HEINEKEN will ensure adequate security measures and valid transfer mechanisms for the transfer to and processing of Applicant data in the HEINEKEN locations in the various countries where HEINEKEN operates.

During the recruitment process, Applicant information will be accessed internally only by those HEINEKEN employees (including employees of HEINEKEN affiliates) who are involved in the recruitment process. Where your information is submitted to, or processed on behalf of, HEINEKEN by a contracted and trusted third party provider, We put in place an agreement with such third party service provider to protect your personal data. The provider will only use Applicant information to process HEINEKEN employment applications and not for its own purposes.

The recruitment website runs on SuccessFactors. SuccessFactors is a SAP cloud application owned by SAP and stored on servers in Germany with back up servers in the Netherlands. SuccessFactors has access to the system when providing hosting, maintenance, and support services. We have agreements in place with SuccessFactors to protect the confidentiality and security of your personal data. 

From time to time, We may need to make personal data available to other unaffiliated third parties, such as recruitment agencies or IT systems suppliers, professional advisors (such as accountants, auditors, or lawyers), public and governmental authorities (entities that regulate or have jurisdiction over us such as regulatory authorities, law enforcement, public bodies and judicial bodies), or in the context of corporate transactions (a third party in connection with any proposed or actual reorganization, merger or sale). We require third parties and professional advisors to use appropriate measures to protect the confidentiality and security of the personal data. Where such international data transfer takes place from an EEA country to a recipient in a country that has a different data protection regime, We will ensure that this international data transfer will not negatively affect the level of protection of your personal data, and is based on appropriate safeguards including EU Model Clauses or Binding Corporate Rules.

RETENTION

HEINEKEN will retain Applicant data during the recruitment and selection process. HEINEKEN will only retain Applicant data in relation to a particular vacancy as long as legally allowed after the recruitment and selection process. If there is a legal obligation to retain personal data longer, HEINEKEN will do so (e.g. equal opportunity requirements in local labour laws).

HEINEKEN may also retain Applicant data in relation to a particular vacancy if you have given your consent to keep the Applicant data, e.g. keeping an Applicant’s resume on file if a suitable position arises. In addition, you may create a profile without actually applying to a particular vacancy. In those cases, HEINEKEN will generally delete your data after 05 (five) years – or shorter when legally required based on local law - of inactivity in our recruitment system (i.e. after not having logged-in to your account/profile). In addition, Applicant can also request that the Company delete data and exercise the right to withdraw the Applicant's consent within a prescribed period from the date of receipt of the request. However, Applicant will still be asked (every 6 months) whether to allow HEINEKEN to store their data in the future. By accepting or declining, HEINEKEN will continue to securely retain or delete Applicant data on the system in accordance with the law.

The time to start processing data is calculated from the time the data subject agrees to this data security notice and provides data to the Company. The end time of data processing is the actual time the Company no longer stores the data subject's data on the system according to the time described above.

After the retention period the Applicant data will be completely deleted from HEINEKEN’s system. Applicant is entitled to request deletion of his or her personal data at any time.

SECURITY

HEINEKEN uses a number of technical, physical and organizational security measures to assure the integrity, confidentiality and availability of Applicant data, taking into account the nature, scope, context, purposes and risks involved. HEINEKEN has implemented security technologies to protect the stored Applicant data from unauthorized access, improper use, alteration, unlawful or accidental destruction and accidental loss.

HEINEKEN continues to enhance its security procedures as new technology becomes available. An Applicant has an important role to play in assisting HEINEKEN in keeping Applicant data secure. Applicant should at all times keep his or her password confidential and use the correct procedure to log in and out of the HEINEKEN recruitment system.

The Company is committed to ensuring that personal data security measures are implemented and complied with. However, because the processing activities of these types of data are mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences, and damages do not occur. Here are some examples of unwanted consequences and damages that may occur:

- Disclosure of personal data: When personal data is disclosed illegally, the data subject may be subject to risks related to possible privacy impacts and other damages;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;

- Data loss: If personal data is lost due to a system crash, the data subject may lose important information and have difficulty recovering the data.

Therefore, We consider your personal data to be very important and We will ensure its confidentiality, security, and compliance with applicable laws on personal data protection. In detail:

- Organizational measures: The Company appoints a dedicated team to protect Applicant data and assigns individuals responsible for data protection, and individuals responsible for data for each process;

- Physical measures: The Company commits to using the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of separation locks and limiting the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also recommends that relevant stakeholders be responsible for their personal data: do not open browsers, emails with unknown senders, applications, etc. which relevant parties suspect to contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures.

The Company will notify the government agencies of a Data Security Breach within the prescribed period after discovering such breach.

RIGHTS AND OBLIGATIONS OF APPLICANT

Applicant has the right to request access to his or her Applicant data that HEINEKEN holds. Applicant also has the right to have his or her data rectified, deleted, or restricted (as appropriate). Applicant can correct or delete their Applicant data themselves by making changes to their profile. Applicant also has the right to have the processing of their data restricted (as appropriate) or object to the use of their personal data by HEINEKEN. Please note that requests that do not meet the requirements set out by applicable law or HEINEKEN guidelines may be requested to be re-issued or ultimately denied and that certain personal data may be exempt from an Applicant’s request pursuant to applicable data protection laws and other laws and regulations.

You also have the right to submit a complaint to the data protection authority in accordance with your local laws and regulations.

You have obligations to: protect your personal data; respect and protect the personal data of others; provide complete and accurate personal data when agreeing to process personal data; and other obligations according to current legal regulations on personal data protection.

The application process may include an automated rejection of your application. Where this is the case, the criteria used to make such automated decision shall be included in the relevant job requirements. You have the right to ask us to look at your application notwithstanding the automated response you have received, or to inform us that you do not agree with the rejection of your application and the reasons why.

 

IV. NOTICE OF DISTRIBUTORS PERSONAL DATA PROTECTION TERMS

The Notice of Personal Data Protection Terms for Distributors (hereinafter referred to as the “Notice”) is effective from July 1, 2023, and applies to product distributors (hereinafter referred to as “Distributors” or “you”) of HEINEKEN Vietnam Brewery & Beverage Company Limited (hereinafter referred to as “HVBB” or “we” or “the Company”). This Notice applies to (i) individuals, and/or (ii) representatives or contact persons of the Distributors, in case the Distributor is a legal entity.

You are receiving this Notice because HVBB is currently processing and will process your personal information (hereinafter referred to as “Personal Data”) as a data controller and/or data processor. Please read this Notice carefully as it outlines the context in which We process your Personal Data and explains your rights and obligations as well as ours regarding such data processing.

We respect your privacy and are committed to keeping your Personal Data secure and managing it in accordance with our legal obligations under applicable personal data protection laws.

1. What personal data We process and how

We may collect and process the following types of your Personal Data:

- General and identifiable information (e.g. full name, gender, date and place of birth, nationality, ID card/passport number, email and/or address, phone number);

- Bank account information;

- Marital status and family relationship information;

- Voice (if recorded through our customer service hotline);

- Image (if captured at annual customer conferences and/or other Company events);

- Location data, GPS data;

- Signature.

If you intend to provide us with personal data of other individuals (e.g., your colleagues), you must share a copy of this Notice with them and obtain their consent.

We may process Personal Data by automated or non-automated means, through electronic or manual methods, or any other means We deem appropriate.

2. Purpose of processing your personal data

We always process your Personal Data for one or more specific purposes and only process data relevant to achieving those purposes. In particular, We process your Personal Data for the following:

- Managing our Distributors across the supply chain;

- Organizing tenders, preparing for or executing existing contracts;

- Organizing annual customer conferences;

- Monitoring activities at our premises, including compliance with applicable policies and health and safety regulations;

- Granting you access to our applications/systems;

- Managing our IT resources, including infrastructure and business continuity;

- Protecting and exercising our legal rights, ensuring compliance and reporting (e.g., complying with internal policies, legal/tax obligations, managing alleged fraud or misconduct, audits, litigation processes);

- Implementing, applying, and adjusting applications/systems/processes for business management, payment processing, and internal policy/regulatory compliance (including but not limited to: customer record management, DIS, GIS, HVN Ordering, Distributor 2.0 (TMS), Call Center, Base, DOT, SEM, VMI, JBP, Mendix and other systems implemented or adjusted by the Company from time to time);

- Collecting financial information from Distributors to analyze and share development strategies with HVN;

- Storing (including local storage and/or cloud-based services) and tracking records;

- Any other purposes as required by law or competent authorities.

3. Duration of personal data processing

Processing begins when you provide your Personal Data to us and continues until the data is deleted or destroyed in accordance with applicable laws and/or our internal policies or decisions from time to time. We will take reasonable steps to delete or anonymize your Personal Data when it is no longer required for the stated purposes or upon expiration of the retention period.

4. How We share your personal data

Your Personal Data may be accessed or transferred to the following third parties on a need-to-know basis to fulfill the purposes outlined above. These may include:

- Our personnel (including departments and affiliated companies within the HEINEKEN group);

- Independent agents (if any);

- Event service providers selected by us for annual customer conferences;

- Financial service providers selected by us (for example: banks), in case you agree to join our credit support projects;

- Our customer service and delivery providers;

- IT system providers, cloud service providers, database providers, and consultants;

- In the event We sell part or all of the assets/shares of a HEINEKEN Group company, your Personal Data may be disclosed to the acquiring party;

- Any national and/or international law enforcement authorities, regulators, or judicial bodies to fulfill our legal obligations or court orders.

These parties may be located in Vietnam, the European Union, other countries in the European Economic Area (EEA), or elsewhere in the world. If We transfer your data to such jurisdictions, We will ensure it is protected by (i) applying the required level of protection under applicable data protection law and (ii) acting in accordance with our policies and standards.

5. Ensure personal data safety

We consider employees’ personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit the use of devices that are not provided by the company to create, access, edit, change data; if you use devices not provided by the company to create, access, edit, and change data, you must ensure the installation of support tools (anti-virus, management, etc.) to ensure the device is properly installed as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures and recommend that all employees fully participate in information security awareness courses as recommended by the Company.

The Company commits to ensuring that personal data security solutions are deployed, implemented and complied with as much as possible. However, because the processing activities for these data types are mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur:

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may face risks related to privacy impacts and other damages;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

6. Your choices and rights

You have the right to give or withdraw your consent to the processing of Personal Data, to access or delete your Personal Data, to request processing restrictions, to data portability, to file complaints, denounce or initiate lawsuits, to seek compensation, and other rights as prescribed under current personal data protection laws. Withdrawal of consent and the exercise of these rights do not affect the legality of the data processed by the Company prior to such withdrawal.

7. Updates

We will periodically review and update this Notice. Any changes will be communicated to you via our usual communication channels (e.g., email).


V. NOTICE OF CUSTOMER PERSONAL DATA PROTECTION TERMS

This Notice of Customer Personal Data Protection Terms (hereinafter referred to as the “Notice”) has been effective since 01 July 2023 and applies to all product sales outlets (hereinafter referred to as “you”) of Heineken Vietnam Brewery Company Limited (hereinafter referred to as “HVN,” “we,” or “the Company”), including its subsidiaries, branches, and representative offices.
This Notice applies to:
(i) individuals, and/or
(ii) authorized representatives or contacts of the sales outlets if the sales outlet is a legal entity.

You are receiving this Notice because HVN is and will be processing your personal data (hereinafter referred to as “Personal Data”) in its capacity as a data controller and/or data processor. Please read this Notice carefully as it outlines the context in which We process your Personal Data and explains both your rights and our obligations regarding such processing.

We respect your privacy and are committed to safeguarding and managing your Personal Data in accordance with our legal obligations under applicable personal data protection regulations.

1. The Personal Data We Process and How We Process It

We may collect various types of your Personal Data, including:

  • Your general and identifying information (e.g., name, gender, date and place of birth, nationality, ID card/citizen ID number, email and/or address, phone number);
  • Your voice (if recorded through our customer service hotlines or call centers);
  • Your images;
  • Location, GPS information.

If you intend to provide us with personal data relating to other individuals, you must provide them with a copy of this Notice and obtain their consent.

Processing activities may be conducted automatically or manually, by electronic means, or by any other methods We deem appropriate.

2. Purposes for Which We Process Your Personal Data

We always process your Personal Data for one or more specific purposes and only process data relevant to achieving those purposes. Specifically, We process your Personal Data to:

  • Manage our customer relationships;
  • Organize tenders, prepare for or perform existing contracts;
  • Organize annual customer conferences;
  • Monitor activities at our facilities, including compliance with applicable policies as well as health and safety regulations;
  • Grant you access to and participation in our applications/processes;
  • Manage our IT resources, including infrastructure administration and business continuity;
  • Protect and enforce our legal rights, ensure compliance, conduct investigations, audits, and reporting (e.g., compliance with our policies, applicable laws and regulations, tax and withholding requirements, managing suspected fraud or misconduct, conducting audits and legal proceedings);
  • Implement, apply, and adjust application systems and processes to support business administration, payment processes under applicable law, and compliance with HEINEKEN internal policies and regulations (including but not limited to systems for: order management, customer records management, payment processes, signage installation, draught beer system installation, advertising & promotion management, loyalty programs, data storage and analytics, branded fridge installation management, customer service hotlines, and other applications deployed or adjusted by HEINEKEN from time to time);
  • Store and track records;
  • Any other purposes permitted by applicable laws.

3. Commencement and Duration of Personal Data Processing

The processing of your Personal Data begins when you provide it to us and continues until such data is deleted or destroyed in accordance with applicable laws and/or our policies and decisions at the relevant time. We will take reasonable steps to delete or anonymize Personal Data when it is no longer necessary for the purposes specified above or upon expiry of any applicable retention period.

4. How We Share Your Personal Data

Your Personal Data may be accessed by or transferred to the following third parties on a need-to-know basis to fulfill the purposes outlined above:

  • Our personnel (including employees, departments, or other HEINEKEN Group companies);
  • Distributors and secondary distributors;
  • Providers of customer event services selected by us from time to time;
  • Other companies We control or co-control, third parties such as our business partners and service providers, or when required by law;
  • IT system providers, cloud service providers, database providers, and our consultants;
  • In the event of a sale of all or part of the assets or shares of a HEINEKEN Group company, your Personal Data may be transferred to the third party acquiring such assets or shares;
  • Any national and/or international law enforcement authority (regulatory, public, or judicial authority) to comply with our legal obligations or court orders.

These parties may be located in Vietnam, the European Union, other European Economic Area (“EEA”) countries, or anywhere else in the world. Where We transfer your Personal Data to entities in other jurisdictions, We will ensure adequate safeguards are in place by (i) applying the required level of protection as set out in applicable data privacy laws and (ii) acting in accordance with our policies and standards.

5. Ensure personal data safety

We consider employees’ personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

- Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;

- Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;

- Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;

- In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit the use of devices that are not provided by the company to create, access, edit, change data; if you use devices not provided by the company to create, access, edit, and change data, you must ensure the installation of support tools (anti-virus, management, etc.) to ensure the device is properly installed as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures and recommend that all employees fully participate in information security awareness courses as recommended by the Company.

The Company commits to ensuring that personal data security solutions are deployed, implemented and complied with as much as possible. However, because the processing activities for these data types are mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur:

- Disclosure of personal information: When personal data is disclosed illegally, the data subject may face risks related to privacy impacts and other damages;

- Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;

- Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

6. Your rights and choices

You have the right to grant or withdraw consent for processing, access and delete Personal Data, request restrictions on processing, obtain a copy of your data, file complaints, make denunciations and initiate legal proceedings, request compensation, and exercise other rights as provided by applicable personal data protection laws.

Withdrawal of consent and exercise of other rights does not affect the lawfulness of any data processing conducted prior to such withdrawal.

7. Updates

We will periodically review and update this Notice. Any changes will be communicated to you via our usual communication channels (e.g., email).

 

VI. NOTICE OF EMPLOYEE DATA PROTECTION TERMS WHEN APPLYING THE ACCESS CONTROL PROCESS AT THE COMPANY WORKPLACES

HEINEKEN Vietnam Brewery Limited Company and its affiliates, branches & representative offices (hereinafter referred as "HVN" or "We" or "Us" or “the Company”) are committed to protecting the privacy of our employees. 

In order to ensure the Health & Safety of our employees and security at any offices and workplaces (hereinafter referred as “Workplaces”) of the Company, HVN needs to install access control and surveillance camera systems at such Workplaces. To implement these controls, We need to collect and process some personal data of HVN’s employees working at all HVN’s working locations and third parties’ employees & contractor’s employees working at all HVN’s working locations (hereinafter referred as “Employee” or “you”). Before We process your personal data, We need you to consent for HVN to process such data for the specific purpose mentioned below and in accordance with applicable laws & regulations on personal data protection.

The access control system offers three options to register for access control: (1) face recognition, (2) fingerprint and (3) card scanning. Employees reserve the right to choose one of the three options to register for access control to HVN Workplaces.

The surveillance camera system (“CCTV system”) is arranged to ensure security and safety at HVN Workplaces. Details of the Notice of personal data protection terms for CCTV system shall be also attached hereto as an integral part of this Notice: 2023_CCTV Privacy notice_EN.docx. You are required to read such Notice carefully and give consent for Us to process your personal data for the surveillance camera system.

We respect your privacy, and We are committed to keeping your Personal Data secure and managing it in accordance with our legal responsibilities under applicable laws and regulations on personal data protection.

In this Notice, We describe how We process and protect your personal data through the use of the Company’s access control equipment. We are the Controller of your personal data.

1. For which purposes do We use your personal data

We use your personal data for the following purposes:

  • To ensure the Health & Safety of employees and to respond to technology application needs in managing access control to HVN offices & working premises effectively.
  • Ensure security when entering and leaving the Company’s offices & working premises, protect the assets of employees and the company.
  • Protect the legitimate interests of HVN and its employees.

2. Which types of personal data do We use

To register to use this control, We need employees to provide the following information: full name, employee code, and department. Additionally, through the access control system, We may also collect and process your activity history, such as the times you enter and exit the workplace areas.

If you sign up for the Face Recognition option, you will be asked to provide facial recognition data. 

If you sign up for the fingerprint option, you will be asked to provide fingerprint data. 

HVN's workplace has a surveillance camera system to ensure security and safety at the workplace. Therefore, your images will also be recorded and stored by the CCTV system for a certain period. Please find further details in the Notice on personal data protection terms for surveillance camera system: 2023_CCTV Privacy notice_EN.docx.

Your information that We collect and process will be complete, relevant and only for the specific purposes set out in section 1 of this Notice. Your information needs to be as accurate as possible and needs to comply with current laws on personal data protection.

The sensitive personal data We may process includes:

  • Individual biological characteristics: identification characteristics on ID card/ID card, fingerprint shape, facial recognition data
  • Other data considered sensitive personal data according to applicable laws & regulations on personal data protection.

3. Methods of processing your personal data 

By reading and selecting the facial recognition or fingerprint method or card scanning, you agree that your information will be collected, stored, and used by any method in accordance with the company’s policies and/or practices from time to time, including without limitation, collection, recording, validation, storage, modification, combination, access, retrieval, encryption, copying, transmission, deletion, cancellation, and other related actions. All of these methods must be consistent with the purposes set out in section 1 of this Notice. 

4. Who has access to your personal data

Only members of the HVN access control group have the right to access your personal data to perform the work under their responsibility and any of the purposes described in this Notice.

In addition, as some workplaces are located inside complex buildings/office buildings/restricted access areas managed by third parties, We will also share your data with those parties. This is to control access to those restricted places. This sharing will include limited data, for control, security purposes and the purposes stated in this Notice. Whenever your data is shared with or processed by a third party service provider contracted with the Company, We sign an agreement with that service provider regarding the security of your data in accordance with applicable laws & regulations on personal data protection.

5. Security 

We consider your personal data as an important asset of the Company and We will ensure confidentiality, safety, legal compliance, and limit possible unwanted consequences and damages that might occur (including but not limited to: data leakage or inappropriate data processing that harms your legitimate rights and interests).

Because We cannot rule out the above unwanted possibilities, We consider your personal data to be very important to the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. Details are as follows:

  • Organizational measures: The company has appointed a dedicated team to protect employee data and assigned individuals responsible for data protection, individuals responsible for data for each process.
  • Physical measures: The Company is committed to using the best physical measures to protect servers and data backup devices, which contain the Company's personal data. These physical measures include adding surveillance camera systems, creating multiple layers of security blocks, limiting the number of people who can access, and a sufficient and qualified staff.
  • Technical measures: The Company is committed to using the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.
  • In addition, the Company also recommends that relevant entities be responsible for their personal data and the Company's general data: limit the use of devices other than approved company devices to create, access, edit, change data; if you use devices not provided by the company to create, access, edit, and change data, you must ensure the device support tools (anti-virus, management, etc.) are properly and safely installed as recommended by the Company's personal data protection department. Do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code. Immediately report to the data protection team when suspecting a data breach or detecting a data security violation. Implement other data security measures and recommend that Company employees fully participate in data security awareness courses as recommended by the Company.

The Company shall notify the competent state authority of the Data Security Breach within a statutory period of time after such breach is discovered.

6. How long do We retain your personal data

We will retain your personal data for as long as required by law or for as long as necessary for any of the purposes listed in this Privacy Statement, or to comply with legal requirements to which We are subject, as long as reasonably necessary for archival purposes or as long as consistent with the applicable statute of limitations. We will take reasonable steps to destroy or de-identify the personal data We hold if it is no longer needed for the purposes set out above or after the expiration of the defined retention term.

Start time for processing your personal data: after you have agreed to this Notice.

End time for processing your provided personal data: when employees resign or contractors' employees complete their jobs at the Company, We will delete the data within 30 days from the time the employee completes the job handover on the last working day, except for surveillance camera data. End time for processing surveillance camera data shall comply with the Notice on personal data protection terms for surveillance camera system (2023_CCTV Privacy notice_EN.docx).

7. Your rights and obligations 

You have rights to your personal data, which include: the right to consent, the right to withdraw consent, the right to delete, the right to restrict data processing and other rights as prescribed by applicable law on personal data protection.

You have an obligation to: protect your personal data; respect and protect the personal data of others; provide complete and accurate personal data when giving consent to process personal data; and other obligations according to current laws on personal data protection.

8. The Notice Validity

This Notice is made in Vietnamese and English versions. In case there is a discrepancy in meaning between the Vietnamese and English versions, the Vietnamese version shall prevail.

This Notice will be effective from July 01st, 2023. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent.

  

VII. NOTICE OF VISITOR PERSONAL DATA PROTECTION TERMS WHEN ACCESSING WORKPLACES

HEINEKEN Vietnam Brewery Limited Company and its affiliates, branch(s) & representative office(s) ("HVN" or "We" or "The Company") are committed to protecting the privacy of our visitors (visitors for business purposes, visitors for tours, and other individuals who come to the Company not in the capacity of employees or outsourced employees of HVN - hereinafter referred as “you”).

Workplaces according to the Notice of Terms & Conditions for Visitor’s Personal Data Privacy When Accessing Workplace (hereinafter referred to as “Notice”) include but are not limited to: Subsidiaries, Branches, Head office, Regional offices, Sales offices, Breweries, Warehouses, and other workplaces with limited access to visitors (hereinafter referred to as “Workplace”).

To ensure Safety and Security at our workplace, you are requested to register with our administrator at the workplace you need to visit before accessing. For this purpose, We need to collect and process some of your data. Before processing, We need you to confirm your consent to use this data. We respect your privacy and commit to keep your Personal Data secured and manage it with our legal responsibility under applicable laws & regulations on personal data protection. 

Additionally, We have installed a surveillance camera system (“CCTV system”) to ensure security and safety at HVN Workplaces. When you agree to access our Workplaces, your images will also be recorded and stored in accordance with applicable laws & regulations on personal data protection. Details of the Notice on personal data protection terms for CCTV system are attached hereto as an integral part of this Notice: 2023_CCTV Privacy notice_EN.docx. You are required to read such Notice carefully and consent to HVN processing your personal data for the surveillance camera system. If you do not agree to HVN processing your images for the surveillance camera system, you may not enter HVN Workplaces having surveillance cameras installed.

In this Notice, We describe how We process and protect your personal data through registration and access to the workplace. We are the controller and processor of your personal data.

We use your personal data for the purposes below:

  • Ensure security when accessing the workplace, protect the assets of yourself, our employees, and Company.
  • Protect the legitimate interests of yourself, our employees, and the company.
  • Register to access the building to comply with the Building Management’s regulation (if any).
  • Other purposes from time to time and in accordance with applicable laws & regulations on personal data protection.

Which types of personal data do We process?

To be able to access the workplace, you are requested to register with the administration department at the workplace. During the registration process, We may collect and process some of the following data:

  • Image of ID card/Citizen identification card.
  • Personal data: full name, date of birth, gender, nationality, permanent residence, date of issuance of Citizen identification card/ID card, place of issuance of Citizen identification card/ID card, Citizen identification card/ID card validity, reason for access, contact person at work, data relating to your health and other data considered personal data according to applicable personal data protection law.
  • HVN's workplace has a CCTV system (surveillance camera system) to ensure security and management at the workplace. Therefore, your images will also be recorded and stored by the surveillance camera system for a certain period of time. Please find further details of the Notice on personal data protection terms for surveillance camera system at the link: 2023_CCTV Privacy notice_EN.docx.

Do We process sensitive personal data?

The Citizen identification card/ID card image contains personal data that is considered sensitive according to the personal data protection law. We will also process such data as part of workplace registration and comply with applicable laws & regulations on personal data protection. The sensitive personal data We process includes:

  • Individual biological characteristics: identification characteristics on Citizen identification card/ID card, fingerprint shape, data relating to your health.
  • Other data considered sensitive personal data according to applicable laws & regulations on personal data protection.

Methods of processing your personal data

By reading and consenting to this Notice, you accept that your data will be collected, stored, and used in any method according to the Company's policies and/or operations as outlined in this Notice which will be adjusted from time to time, including but not limited to: collection, recording, validation, storage, encryption, decryption, copying, deletion, destruction and other related actions. All of these methods are consistent with the purposes stated in section 1 of this Notice.

Who has the access to your personal data

Only members of the administration department at the workplace to which you are registered will have access to your personal data to carry out work within their responsibilities and to carry out any of the purposes described in this Notice. 

In addition, because some workplaces are located inside complex buildings/office buildings/restricted access areas managed by third parties, We will also share your data with those parties. This is to control access to those restricted places. This sharing will include limited data, for control, security purposes and the purposes stated in this Notice. Whenever your data is shared with or processed by a third party service provider contracted with the Company, We sign an agreement with that service provider regarding the security of your data in accordance with applicable laws & regulations on personal data protection.

Security

We consider your personal data as an important asset of the Company and We will ensure confidentiality, safety, legal compliance, and limit possible unwanted consequences and damages that might occur (including but not limited to: data leakage or inappropriate data processing that harms your legitimate rights and interests).

Because We cannot rule out the above unwanted possibilities, We consider your personal data to be very important to the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. Details as follows:

  • Organizational measures: The Company has appointed a dedicated team to protect employee data and assigned individuals responsible for data protection and individuals responsible for data in each process.
  • Physical measures: The Company is committed to using the best physical measures to protect servers and data backup devices, which contain the Company's personal data. These physical measures include adding surveillance camera systems, creating multiple layers of security blocks, limiting the number of people who can access them, and maintaining sufficient and qualified staff.
  • Technical measures: The Company is committed to using the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall…
  • In addition, the Company also recommends that relevant entities be responsible for their personal data and the Company's general data: limit the use of devices other than approved company devices to create, access, edit, or change data; if you use devices not provided by the Company to create, access, edit, or change data, you must ensure that the device support tools (anti-virus, management, etc.) are properly installed and as safe as recommended by the Company's personal data protection department; do not open browsers, emails from unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures. The Company also recommends that Company employees fully participate in data security awareness courses as recommended by the Company.

The Company shall notify the competent state authority of the Data Security Breach within a statutory period of time after such breach is discovered.

How long do We retain your personal data

We will retain your personal data for as long as required by law or for as long as necessary for any of the purposes listed in this Notice, or to comply with legal requirements to which We are subject, as long as reasonably necessary for archival purposes or as long as consistent with the applicable statute of limitations. We will take reasonable steps to destroy or de-identify the personal data We hold if it is no longer needed for the purposes set out above or after the expiration of the defined retention term.

Start time for processing your personal data: after you have agreed to this Notice.

End time for processing your provided personal data: We will delete the data within 30 days from the time you complete your work and leave our workplace, except for surveillance camera data. End time for processing surveillance camera data shall comply with the Notice on personal data protection terms for surveillance camera system (2023_CCTV Privacy notice_EN.docx).

Your rights and obligations

You have rights to your personal data, which include: the right to consent, the right to withdraw consent, the right to data deletion, the right to restrict data processing and other rights as prescribed by applicable laws & regulations on personal data protection.

You have an obligation to: protect your personal data; respect and protect the personal data of others; provide complete and accurate personal data when giving consent to process personal data; and other obligations according to applicable laws & regulations on personal data protection.

The Notice Validity

This Notice is made in Vietnamese and English versions. In case there is a discrepancy in meaning between the Vietnamese and English versions, the Vietnamese version shall prevail.

This Notice will be effective from July 01st, 2023. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent.

 

VIII. NOTICE ON PERSONAL DATA PROTECTION TERMS FOR SURVEILLANCE CAMERA SYSTEM

HEINEKEN Vietnam Brewery Company Limited, its affiliates, branches & representative offices (“HVN” or “We” or “Company” or “Data Controller & Processor”) is responsible for processing your personal data. HVN has issued a “personal data protection policy for surveillance camera systems”. This notice provides information on the purpose and types of data collected from surveillance camera systems (referred to as “data”), how the data is used and secured, clarifying privacy rights at workplace and contact information in case of need.

This notice complies with applicable laws and HVN's internal policy on protection of personal data. This Notice will be announced at the gates and areas before entering the monitored area. All employees, contractors, and contractors’ employees, third parties and visitors (collectively referred to as “you”) who agree to enter the breweries are deemed to have agreed to this notice. New employees need to be informed before starting their work at the breweries.

1. Definition

Employees are not limited to relationships based on employment contracts. “Employee” in this policy refers to all instances of an employment relationship in the broadest sense for HEINEKEN Vietnam, regardless of whether or not the relationship is based on a formal employment contract (including: full-time employees, seasonal employees, third-party employees, etc.).

Contractors and visitors include: government officials, consultants, contractor employees, suppliers, freelancers, volunteers, representatives of external organizations, and other individuals who come to visit and work at the breweries.

Surveillance camera system is the use of a camera system located at specified locations to record visual images of activities in the breweries area to ensure safety, security, and food safety regulations. Visual surveillance does not include audio recording.

2. Legal basis:

We only process your personal data if there is one of the following legal bases:

  • Legitimate interests

Where we have a legitimate business interest. We will always do so only within the limits of the data protection laws applicable to the processing of your personal data.

  • Legal obligation

Where we believe it is necessary to use your information to comply with a legal obligation to which we are subject. For example, if we are required or directed to use camera surveillance in certain premises by applicable law or by a license, franchise, or administrative consent that we require in order to operate our business.

  • Consent

Or with your consent. We will always notify you and request your consent if we need to do so based on data protection laws & regulations applicable to the processing of your data.

3. Types of processed personal data

We process visual data based on which we can identify you based on your appearance or other specific factors when you enter a monitored space. In other words: we process your camera footage if you work at our sites or enter our sites where camera surveillance is active. Normally, we have audio recordings turned off.

4. Purpose:

We use surveillance cameras for the following purposes:

  • Protect breweries’ property from damage, vandalism and other crimes;
  • Support day-to-day management, including ensuring the health of employees, complying with the commitment to protect the safety of employees and stakeholders;
  • Support internal investigations of security & safety and product quality when necessary;
  • Assist law enforcement agencies in the prevention, detection and prosecution of crime;
  • Assist in the effective resolution of disputes arising in the proceedings and discipline;
  • Assist in defense, providing evidence for any civil action, including court proceedings.

5. Scope of application

Object: All HVN employees, contractors’ employees, third parties’ employees, and visitors.

Area: All areas that we are in charge of monitoring the surveillance system, including internal aisles, corridors, offices, production areas, warehouses, yards, canteens, etc. (Except for areas where legitimate privacy is required, such as: toilets, changing rooms).

Monitoring time: 24/7

6. Data handling measures

We strive to minimize the impact of using camera surveillance on your privacy as much as possible. The measures we have taken to achieve this include:

  • Where cameras are located at our locations, we will ensure that signs are displayed at the entrance of the surveillance area to warn you that your images may be captured. Such signs will contain our contact details, the intended use of the surveillance system and who to contact for more information.
  • When using a video surveillance device, the device will be clearly displayed and there will be a message indicating its presence.
  • The monitoring system will not use the audio capture system.
  • The data recorded by the monitoring system are automatically deleted after 180 days for food safety points and 30 days for the remaining areas. This is for disciplinary investigations, complaints and quality investigations. Recorded images can only be viewed by individuals or at designated offices.
  • We will ensure that live camera feeds and recorded images are only viewed by approved personnel with access to that data. This may include certain employees involved in disciplinary investigations or grievance matters. Recorded images will only be viewed in designated secure offices.
  • Employees using the monitoring system have been trained to ensure they understand and comply with the legal requirements regarding data processing.
  • No surveillance cameras shall be placed in areas where there is a legitimate and objective expectation of privacy (e.g. in changing rooms or restrooms).

7. Data storage time:

The data recorded by the monitoring system are automatically deleted after 180 days for areas where surveillance cameras are installed for the purpose of ensuring food safety and 30 days for the remaining areas. This is for disciplinary investigations, complaints and products quality investigations. Recorded images can only be viewed by individuals or at designated offices.

At the end of the use period, all images stored in any format will be deleted permanently and in a secure manner. Any material used to store data such as tapes or discs will be disposed of as confidential waste. Any still images and hard copies will be disposed of as confidential waste.

The start time is the time of first recording in the area with surveillance cameras and the end time is the time of data deletion according to the time limit mentioned above.

8. Individual rights risk assessment 

Before introducing any new surveillance system, including placing a new camera anywhere in the workplace, we will carefully review current data protection laws and implement a data privacy impact assessment where appropriate. Such an assessment is intended to assist us in deciding whether new surveillance cameras are necessary and whether they should be used or whether any limitations should be set on their use. We will look at the nature of the problem we are looking to solve at the time and whether surveillance cameras are likely to be an effective solution, or whether there is a better solution. We will look at the effects of surveillance cameras on individuals and carefully consider the appropriateness of using them for the problem identified.

We will ensure that existing uses of continuous camera surveillance are reviewed regularly, and in the event of any changes, to ensure that their use remains necessary and appropriate, and that any monitoring system is continuing to address the needs that underlie its use. 

9. Data sharing 

Data from surveillance cameras can be shared with and transferred to the following:

  • The HEINEKEN group: We are members of HEINEKEN Global. We may share your information within the HEINEKEN group (www.heinekencompany.com) if it is necessary to achieve the purpose for which we have collected your data. Within HEINEKEN, we can at least share camera material with Proseco BV. Proseco is HEINEKEN's own (internal) global security organization and service provider that provides expert security services and support for HEINEKEN operating companies.
  • The organizations and service providers we are working with: With the large amount of data generated by the monitoring system, we can store it using the cloud system. We will take all reasonable steps to ensure any cloud service provider maintains information security in accordance with standards, regulations set by the applicable laws on data privacy protection.
  • Our professional advisors;
  • Any law enforcement agency, court, regulatory agency, government agency or third party we believe is necessary to comply with a legal obligation or to protect our legal rights and any third parties.

10. Overseas data transfer

Your personal data may be transferred to another country, for example, if your data is being stored in a data center outside your country, if we can remotely access your data from abroad, or if one of our IT providers provides on-site support and maintenance services from outside your country. The countries to which we transfer personal data may have different privacy standards than your country. We will always comply with applicable personal data protection regulatory requirements in your country with respect to data transfers abroad.

If we transfer your personal data to a country that does not provide an adequate level of protection, we will ensure that we put appropriate safeguards in place to protect your personal data or ensure that we are able to transfer your information in compliance with applicable personal data protection regulations.

11. Data security 

We will take appropriate technical, physical, and organizational measures to protect your personal information collected through the surveillance camera system from misuse or accidental or illegal destruction, loss, alteration, disclosure, acquisition or access, in accordance with applicable privacy and data security laws and practices on data privacy protection.

When we contract with any service provider, we require the service providers to use appropriate measures to protect the confidentiality and security of your personal data.

In case of a personal data breach, we have taken and will take internal measures to ensure that such incidents are identified and addressed without undue delay. We make efforts to prevent breaches of your personal data, as these can have an effect on your legal rights and interests, such as discrimination; damage to reputation; financial loss; or loss of confidentiality or any other significant economic or social disadvantage.

12. Your rights and obligations: 

12.1 Rights: 

You have certain rights regarding your personal information. We rely on your consent to process your data; you can withdraw your consent at any time and you can object to some of the ways we use your personal data. You can make inquiries to us using the details below at any time:

  • To access your personal information (i.e. get an overview of your personal data that we process).
  • To have your personal information corrected, updated or deleted or to limit the processing of your personal information.
  • To receive a copy of your personal information in a normal machine-readable format, or to have this information transmitted directly to another organization (if technically possible).
  • Complain to the local privacy authority.

We reserve the right to obscure, pixelate or blur third-party images when disclosing camera surveillance data to you as part of your request to access or receive data.

To efficiently locate the relevant footage and respond to your request as soon as possible, any request for copies of the best recorded images should include:

  • Clear time information;
  • The location where the footage was recorded;
  • Personal information (When necessary).

To ensure that we do not provide information about you to others, we may request your identification before we can process your request.

12.2 Obligations: 

You have all obligations under provisions of the applicable law & regulations on protection of personal data.

13. Effect of the Notice

This notice is made in two languages: Vietnamese and English. In case there is a difference in meanings between the Vietnamese and English versions, the Vietnamese version will prevail.

This Notice will be applied from July 1st, 2023. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent.

 

IX. HEINEKEN VIETNAM DATA SUBJECT RIGHTS POLICY (“DSR Policy”)

1. Introduction

1.1. This Data Subject Rights Policy (“DSR Policy” or “Policy”) specifies how HEINEKEN Vietnam (“HVN”) handles requests of employees and other data subjects exercising their rights under the HEINEKEN Privacy Procedure for Employee Data and HEINEKEN Privacy Procedure for Customers, Suppliers and Business Partners Data (the “Privacy Procedures”) and applicable law, including Decree 13/2023/ND-CP on Personal Data Protection. This DSR Policy includes obligations for HVN to give effect to the rights of data subjects. “Data subjects” are the natural persons whose personal data is the subject of the request, e.g. an HVN employee, former employee, job applicant, consumer, individual supplier or business partner or contact person with a business customer or supplier.
1.2. The DSR Policy covers the following rights of data subjects: the right to be informed, the right to give and to withdraw consent, the right to access/rectify and to delete personal data, the right to obtain restriction on and to object to processing, the right to file complaints, denunciations and lawsuits, to claim damage and to self-protection and/or the right of personal data portability. A more detailed description of these rights of data subjects and the criteria for when to accommodate and to what extent can be found in Schedule 3 to this DSR Policy. 
1.3. “Personal data” refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual (‘data subject’). The personal data includes general personal data and sensitive personal data.

2. Content of the DSR Policy and obligations of HVN

2.1. HVN will be required to ensure overall timely and appropriate response to a request of a data subject to exercise his/her rights under the Privacy Procedures. 
2.2. HVN will ensure that data subjects are adequately informed about where and how to submit requests to exercise any of the rights within the scope of this DSR Policy. Information may be provided by way of a specific option on the website, or through a dedicated e-mail address for the data subject rights requests, or for employees through a dedicated contact point within the local or global HR department. In any event, privacy statements and notices shall include a reference to the relevant contact point for submitting requests.
2.3. This DSR Policy describes which steps to take in case of a request of a data subject to exercise any of his rights and the roles and responsibilities of those involved in handling the request (Schedule 1 includes a flowchart reflecting the steps and roles involved), the criteria for deciding whether it is a valid request and the criteria for verification of identity (Schedule 2) and any exceptions that may apply to or limitations that are relevant when accommodating any such request (Schedule 3).

3. Roles & Responsibilities for HVN

3.1. The “First Point of Contact” is the dedicated HVN contact point which may include a specific email or other address as indicated in the privacy notices, on the HVN website or intranet or otherwise made known to data subjects, to be contacted by the data subjects in order to submit relevant requests. This is (1) email privacyvn@heineken.com, or (2) hotline 19001845, or (3) IT Helpdesk 

3.2. The ‘Privacy Officer’ is the HVN Privacy Officer who will be in charge of the following responsibilities.

3.3. The ‘Local Privacy Team’ is the Personal Data Protection team appointed by HVN MT to ensure compliance with HeiRule Data Privacy, HeiRule Information Security & applicable laws & regulations on personal data protection.

3.4. The ‘contact person’ is the relevant role within HVN which may have been identified to the data subjects (in this case: employees, former employees, retired employees or job applicants) as the contact point for submitting data subject rights requests. 

3.5. The ‘Request Handler’ is the relevant HVN role within the Information Security / D&T of HVN who has access to the IT systems that may contain information that is within the scope of the request of the data subject. 

3.6. The ‘Global Privacy Officer’ will be consulted in case the Privacy Officer has questions about a specific request and shall be the point of contact for escalation and in case of complaints by data subjects about the handling of their requests.

3.7. Roles & responsibilities of the HVN Local Privacy Team in handling data subject rights requests shall depend on how requestors submit their requests:

  • Via email privacyvn@heineken.com: 

Role

Responsibility

Privacy Officer

  • Received requests from data subjects through First Point of Contact together with other members of Local Privacy Team;
  • Ensure follow-up and adequate response;
  • Follow up incoming requests by asking the data subject for further specification of the request and for proof of identity; 
  • Verify the validity of the request and the identity of the data subject as the requestor; 
  • Reject requests for which the identity of the data subject cannot be properly verified or unclear;
  • Contact the Request handler;
  • Oversee that the search for content is handled adequately and advise on which exceptions may be applicable in the data collection process

Local Security Coordinator – Request Handler

  • When being contacted by the Privacy Officer, collect the relevant information in respect of the data subject’s request and provide assistance by identifying data sources that may be relevant to search for further information

Privacy Champion – Functional Contact Person

  • Respond and deliver the feedback timely, accurately, adequately and securely to the data subject regarding the request
  • Provide further assistance to the Privacy Officer and Request Handler as required

  • Via hotline 19001945:

Role

Responsibility

Privacy Officer

  • Ensure follow-up and adequate response;
  • Verify the validity of the request and the identity of the data subject as the requestor (if needed);
  • Reject requests for which the identity of the data subject cannot be properly verified or is unclear;
  • Contact the request handler who shall collect the relevant information in respect of the data subject’s request and provide assistance by identifying data sources that may be relevant to search for further information;
  • Oversee that the search for content is handled adequately and advise on which exceptions may be applicable in the data collection process

Local Security Coordinator – Request Handler

  • When being contacted by the Privacy Officer, collect the relevant information in respect of the data subject’s request and provide assistance by identifying data sources that may be relevant to search for further information

Privacy Champion – Functional Contact Person

  • Receive requests from data subjects through First Point of Contact
  • Follow up incoming requests by asking the data subject for further specification of the request and for proof of identity
  • Contact the Privacy Officer for verification of the validity of the request (if needed) 
  • Respond and deliver the feedback timely, accurately, adequately and securely to the data subject regarding the request
  • Provide further assistance to the Privacy Officer and Request Handler as required for handling the request

  • Via IT helpdesk:

Role

Responsibility

Privacy Officer

  • Verify the validity of the request and the identity of the data subject as the requestor (if needed)
  • Reject requests for which the identity of the data subject cannot be properly verified or is unclear
  • Oversee that the search for content is handled adequately and advise on which exceptions may be applicable in the data collection process;

Local Security Coordinator – Request Handler

  • Receive requests from data subjects through First Point of Contact
  • Ensure follow-up and adequate response
  • Follow up incoming requests by asking the data subject for further specification of the request and for proof of identity
  • Contact the Privacy Officer for verification of the validity of the request (if needed)
  • Respond timely, accurately, adequately and securely to the data subject regarding the request.

Privacy Champion – Functional Contact Person

  • Provide further assistance to the Privacy Officer and Request Handler as required for handling the request

4. Timing 

HVN shall provide a response within 72 hours upon receipt of the request.

4.1. In view of the limited response time of 72 hours, each of the individual steps in this Policy shall be taken without undue delay. Handling the actual request may take time because personal data is divided over several (external) systems and/or throughout different departments within HVN.

4.2. In case of more complex data subject rights requests, HVN may extend the response time of 72 hours with a maximum of one more calendar month, which information must be communicated to the data subjects within the 72 hour period, including an explanation of the reasons for the delay.

4.3. If data subjects refuse to inform HVN of the reason for making their request or refuse to provide any further specification of their request or (where applicable) have not paid the fee for fulfilling the request, HVN shall be required to process the request nonetheless, unless a) the identity of the data subject has not been properly verified or b) it is not clear what the request is for (see Schedule 2) or c) the request is manifestly unfounded or excessive. 

5. Identification of the data subject

5.1. HVN needs to verify the identity of each data subject to ensure that the correct action is performed on the correct personal data. Schedule 2 includes the criteria for verifying the identity of the data subjects submitting the request. The Privacy Officer will perform the verification of the identity of the data subjects submitting a request in accordance with Schedule 2.

5.2. HVN shall not be required to verify the identity of data subjects whose requests are limited to the right to object to the use of their personal data for direct marketing purposes. This is in fact the data subject using the opt-out or unsubscribe for the relevant communication (e.g. newsletter or alerts). For these data subject rights requests no verification of identity shall be needed as the risk of unsubscribing the wrong person is limited. Also, data subjects must be able to execute their right to opt-out / unsubscribe in an easy manner.  

5.3. Where the data subject does not provide the required identification, HVN will refuse the request as further described in the process flow (Schedule 1) and in Schedule 2. 

6. Costs (if any), form of request and response 

6.1. In principle, HVN will give effect to all rights free of charge. HVN will charge a reasonable fee for or refuse to act upon manifestly unfounded or excessive (repetitive) requests of all rights to which this Policy applies. HVN shall inform the data subject of such costs beforehand, in order to give the data subject the option to withdraw her/his request if she/he finds the costs unacceptable.

6.2. HVN will respond in the language in which the data subject has written the relevant request, except where HVN prefers to respond in another language that HVN is confident the data subject will understand and which is generally accepted in the relevant country. HEINEKEN will aim to receive and respond to data subject rights requests in written electronic form, using the templates as provided in this Policy. HEINEKEN will respond to the request via post or fax only when the data subject explicitly indicates that he/she wishes to communicate via post or fax.

6.3. Where the information to be provided to a data subject pursuant to the data subject’s request includes personal data of other data subjects and/or HVN confidential information, HVN will black out such information before disclosing the relevant document to the requesting data subject. 

6.4. In case of requests for access or data portability, where HVN will need to send personal data to the data subject, the data subject shall be given the option to indicate if he/she wishes to receive the personal data via a secure communication method. HVN shall ensure to only use the requested secure communication method, to the extent reasonably (technically) possible. 

6.5. Under specific circumstances, HVN may deny or refuse requests of data subjects as further specified in Schedule 3, including in case of an ‘overriding interest’, where a pressing need for HEINEKEN may exist that outweighs the interest of the data subject.

7. Managing and storing each request 

7.1. The Privacy Officer is responsible for maintaining a repository of each data subject rights request and all communication exchanged per request, including the verification of identity and the response to confirm that the request has been processed, including the name of the data subjects that have submitted the requests. 

7.2. The Privacy Officer ensures that the repository is accurate and up-to-date and that a retention term is specified during which the requests and all communication exchanged shall be retained. 

SCHEDULE 1. WORK FLOW

DATA PRIVACY RIGHTS REQUEST FORM FOR DATA SUBJECT:  

*You need to correctly provide this information in order for the request to be valid and enable HVN to respond within the required timeframe  

  1. Your Information:
  • Full name *
  • Phone number *
  • Email *
  • Function (if the data subject is an HVN employee)
  2. Your role*: You are a: (i) employee, (ii) consumer, (iii) customer, (iv) supplier, (v) business partner, (vi) other (please specify)
  3. Consent: If you provided us the consent to process your personal data in the past:
  • When did you give us consent:
  • How did you give us consent (e.g. via one of our applications/systems, in writing, …):
  • Where did you give us consent (e.g. at our offline events, …):
  • For what personal data*: (e.g. your name, date of birth, ID number, address, …)
  • For what purposes*:
  4. Content: What is your request: ……………………
  5. Identity proof: Attached proof of your identity (e.g. ID card, passport, employee number, …)
  6. Feedback method: How do you want us to get back to you (e.g. email, phone, post):

Example flow of a data subject request via email privacyvn@heineken.com

SCHEDULE 2. VERIFICATION OF IDENTITY AND ASSESSING REQUESTS

This Schedule includes the process and criteria for verification of the identity of the data subject and for assessing if the request is sufficiently specific, and if the request is not manifestly unfounded or excessive.  

  1. Subject: Verification of identity by:
  • copy of passport or other identification document.

Verification: reason to reject:

  • copy is not clear, does not enable reading the name of data subject;
  • the document is no longer valid, has expired.

Action: Rejection

  2. Subject: Optional re-identify check of employees: employees with access to their HVN e-mail address, should send their request via that e-mail address (sufficient proof of identity).

  3. Subject: Verification of identity for job applicants, former employees, consultants, temporary workers and other external individuals that do not have a HVN e-mail address:
  • copy of passport or other identification document.

Verification: reason to reject:

For employees:

  • not repeating their request via their HVN e-mail address or
  • alternatively, via verification methods described under 1.

For all external individuals without HVN e-mail address:

  • copy is not clear, does not enable reading the name of data subject;
  • the document is no longer valid, has expired.

Action: Rejection

  4. Subject: Request is not sufficiently specified

Verification: reason to reject:

  • it is unclear what the data subject is asking for (which type of request) and the data subject has not further specified upon HVN’s request.

Action: Rejection

  5. Subject: Request is manifestly unfounded or excessive

Verification: reason to reject:

  • same data subject has submitted a request recently, without any reasonable indication that relevant changes in the personal data processing relation to the data subject may have taken place;
  • same data subject has submitted several requests in the past one year;
  • the request violates rights of other data subjects.

Action: Forward to Privacy Officer. Privacy Officer to decide on rejection.

SCHEDULE 3. DATA SUBJECT RIGHTS

This DSR Policy covers the following rights of data subjects: the right to be informed, the right to give and to withdraw consent, the right to access and to delete personal data, the right to obtain restriction on and to object to processing, the right to file complaints, denunciations and lawsuits, to claim damage and to self-protection. A more detailed description of these rights of data subjects and the criteria for when to accommodate and to what extent can be found below: 

1. Right to be informed: The data subject has the right to be informed of his/her personal data processing, unless otherwise provided for by law. 

2. Right to give consent: The data subject has the right to give consent to the processing of his/her personal data, other than cases specified in Article 17 of Decree 13/2023/ND-CP on Protection of Personal Data. 

3. Right to access personal data: The data subject has the right to access his/her personal data in order to look at, rectify or request rectification of his/her personal data, unless otherwise provided for by law. 

4. Right to withdraw consent: The data subject has the right to withdraw his/her consent, unless otherwise provided for by law. 

5. Right to delete personal data: The data subject has the right to delete or request deletion of his/her personal data, unless otherwise provided for by law. 

6. Right to obtain restriction on processing: a) The data subject has the right to obtain restriction on the processing of his/her personal data, unless otherwise provided for by law; b) The restriction on the processing of personal data shall be implemented within 72 hours after receiving request of the data subject, and all personal data that the data subject requests the restriction, unless otherwise provided for by law. 

7. Right to obtain personal data: The data subject has the right to request the Personal Data Controller and the Personal Data Controller-cum-Processor to provide him/her with his/her personal data, unless otherwise provided for by law. 

8. Right to object to processing: a) The data subject has the right to object to the Personal Data Controller and the Personal Data Controller-cum-Processor processing his/her personal data in order to prevent or restrict the disclosure of personal data or the use of personal data for advertising and marketing purposes, unless otherwise provided for by law; b) The Personal Data Controller and the Personal Data Controller-cum-Processor shall comply with the data subject’s request within 72 hours after receiving the request, unless otherwise provided for by law. 

9. Right to file complaints, denunciations and lawsuits: The data subject has the right to file complaints, denunciations and lawsuits as prescribed by law. 

10. Right to claim damage: The data subject has the right to claim damage as prescribed by law when there are violations against regulations on protection of his/her personal data, unless otherwise agreed by parties or unless otherwise prescribed by law.

11. Right to self-protection: The data subject has the right to self-protection according to regulations in the Civil Code, other relevant laws and the Decree 13/2023/ND-CP, or request competent agencies and organizations to implement civil right protection methods according to regulations in Article 11 of the Civil Code.

12. Right to data portability: The data subject has the right (at his/her option) to receive a copy of the personal data that he/she has provided in a common machine-readable format.

 

X. HEINEKEN VIETNAM PERSONAL DATA BREACH NOTIFICATION POLICY 

Introduction

Everybody within HEINEKEN Vietnam (“HVN”) has the legal obligation to keep personal data secure. This Personal Data Breach Notification Policy (“Policy”) applies when HVN becomes aware (internally or from a third party) that a security incident that involves personal data has occurred, or is likely to occur.

A personal data breach:

  • may result in physical, material and/or non-material harm to individuals;
  • may expose HVN to significant fines; and
  • where required by law, may need to be reported to the relevant Data Protection Authority and/or individuals affected.

Therefore, if HVN becomes aware that a personal data breach has occurred, or may occur, HVN must immediately take all appropriate technological and organizational measures to remedy the incident and ensure that the personal data is secure. In any event, the Global Privacy Office (GPO) shall be informed of the personal data breach without undue delay. In addition, Decree 13/2023/ND-CP requires that breaches must be reported to the Ministry of Public Security (“Data Protection Authority”). 

It is important that everyone at HVN knows how to recognize a personal data breach (or potential breach) and what steps to take, whilst understanding the importance of acting quickly to allow HVN to take actions and to comply with the Privacy Procedures and any applicable legal obligations.  

What is personal data?

Personal data refers to electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. Personal data may include general personal data and sensitive personal data.

Examples of personal data are:

  • identifiers such as a name, identification number or location data; 
  • online identifiers such as an IP address, device identifier or cookie identifier; and
  • factors specific to the physical, mental, economic, cultural or social identity of an individual.

As part of its everyday business activities, HVN handles personal data of HVN employees, consumers, customers, visitors, business partners and suppliers.

What is a personal data breach?

A personal data breach is a security incident which leads to the unauthorized acquisition, access, use or disclosure of unencrypted personal data that compromises the security or privacy of this information. This policy is relevant to security incidents involving personal data that is stored, transferred, controlled or otherwise handled (in general “processed”) by HVN.

Use or access may include:

  • Destruction of personal data is where the data no longer exists or no longer exists in a form that is of any use to HVN.
  • Loss of personal data is where data may still exist, but HVN has lost control or access to it, or no longer has it in its possession.
  • Alteration is where personal data has been altered, corrupted or is no longer complete.
  • Unauthorized or unlawful processing may include disclosure of personal data (or access by) recipients who are not authorized to receive (or access) the data, or any other treatment of personal data which violates applicable privacy laws.

Examples:

  • HVN’s network is infected by ransomware (malicious software that encrypts the HVN data until a ransom is paid). 
  • A non-encrypted device, e.g. a USB stick, containing personal data is lost or stolen.
  • HVN has sent an email to the wrong mailing list, or HEINEKEN has made a mistake in BCC/CC.
  • A briefcase with papers containing personal data is lost or stolen. 
  • One of HEINEKEN’s online marketplaces suffers a cyber-attack and usernames and purchase history are published online by the attacker. 
  • Personal data is extracted from a secure website managed by HEINEKEN during a cyber-attack.

What are HEINEKEN’s responsibilities?

Where a personal data breach occurs, or is likely to occur, HVN must immediately take all appropriate technological and organizational measures to remedy the incident and ensure the personal data is secure.

If conditions for notification are met, HVN must notify the breach to the relevant Data Protection Authority and/or affected individuals. 

If the personal data breach meets the requirements for such qualification as set out in the Privacy Procedures (a security incident – whereby there has been unauthorized access or other use of personal data – compromising the security or privacy of such information – posing a high risk to the individuals whose data it concerns): the breach must be reported to the HEINEKEN Global Privacy Office (GPO). GPO may also require HVN to inform the individuals concerned. 

HVN must keep a record of all breaches that have occurred in the organisation. This record must include information about the facts relating to the breach, its effects and which actions have been taken to remediate the breach.

What are the consequences of non-compliance?

HVN risks reputational damage for failing to keep personal data secure. HVN will be subject to an enormous fine under the current law for non-compliance.

Colleagues’ responsibilities

Each colleague is responsible for ensuring that they follow the internal process for reporting a breach, or potential breach, set out in this policy as soon as they become aware of it. Each colleague therefore needs to contact the Global Service Desk or local IT Helpdesk immediately in case of a potential personal data breach. 

For a full overview of HVN’s personal data breach process, please see the diagram flow here:

Where to report a personal data breach internally?

When a colleague has an indication (internally or from a third party) that a security incident that involves personal data has occurred, or is likely to occur, the colleague must report the incident immediately.  Incidents must be immediately reported by creating a ticket in ServiceNow, either through the GSD Self Service portal or by calling the GSD team or local IT Helpdesk assigned to HVN.

When a Data Processor is involved, the Data Processor immediately reports the security incident either directly to HVN IT Helpdesk or via the contact person that is mentioned in the data processor agreement (DPA).   

Global Service Desk or HVN IT Helpdesk 

A colleague should report an incident which is likely to include personal data through the GSD Self Service Portal or by calling GSD or HVN IT Helpdesk:

  • In the incident reporting process, the incident reporter is requested to provide particular details, if available, about the potential or actual personal data breach, such as when the incident occurred, which types of personal data might be involved, the individuals that might be involved, et cetera;
  • Once the incident has been raised, an automated email notification is sent to the local Security Incident Handling Team, including the local Privacy Officer(s).  

When more than one HEINEKEN entity is (potentially) affected by the breach, the HEINEKEN Global Service Desk (GSD) will also be assigned to the other relevant Security Incident Handling Team(s), as well as to the other relevant Privacy Officer(s) and the Global Privacy Officer.  

Security Incident Handling Team 

The “Security Incident Handling Team” consists of the HVN Privacy Officer and the HVN Cyber Security Officer (CSO) depending on whether the security breach is identified at local (Vietnam) level or at Global Function level. The Security Incident Handling Team is responsible for handling the IT related matters of the security incident.  

The Security Incident Handling Team: 

Function

Responsibilities

Security (CSO) 

  • Collect additional information about the breach, including the circumstances of the breach and the affected individuals (if any)
  • Take necessary steps to remedy the breach and keep track of the remediation progress until closure
  • Immediately and constantly update and/or consult the Privacy Officer (email/meetings) both when there is a report and when taking remediation
  • Ensure that all documentation regarding the breach has been added to ServiceNow

Legal (PO) 

  • Identify remediation steps and closely follow the remediation progress
  • Report the data breach to the Data Protection Authority within 72 hours (including report about the delay in handling the breach when it is impossible to provide remediation within required timeframe) 

Functional stakeholder  

  • Collaborate and support CSO and PO when needed

When more than one HEINEKEN entity in more than one country is affected by the breach, the Security Incident Handling Team will also immediately notify and work with the other relevant Privacy Officer(s) and the Global Privacy Officer, and work with the other relevant Security Incident Handling Team(s).

When a Data Processor is involved, the Security Incident Handling Team will also work with the Personal Data Breach Team of the Data Processor. 

HVN Privacy Officer

The ‘HVN Privacy Officer’ is responsible for handling the security incident.  When the HVN Privacy Officer is notified that an incident has occurred, the HVN Privacy Officer will need to: 

  • validate if the data involved is indeed considered as personal data and assess if the incident concerns a potential personal data breach that requires further investigation and/or potential notification. If so, alert, connect and work together with the Security Incident Handling Team and other relevant Subject Matter Experts. If not, instruct the CSO to close the ticket in ServiceNow;
  • establish the facts about the personal data breach, as well as the likelihood and severity of the risk to the affected individuals. To do this, the Privacy Officer will work together with the CSO and, where needed, other Subject Matter Experts;
  • assess if the incident qualifies as a personal data breach that requires notification to the Data Protection Authority; 
  • inform the Global Privacy Office of the personal data breach; 
  • ensure to notify the personal data breach as required and within the applicable notification term;
  • in case the individuals must or should be informed, ensure to work together with the HVN Corporate Affairs team on the drafting and communication of the notice;  
  • identify remediation steps in joint collaboration with the CSO and relevant HEINEKEN teams; 
  • document the personal data breach in the register by using the ‘personal data breach register’ template in OneTrust; 
  • ensure to always have a back-up for the Privacy Officer role in case the Privacy Officer is not available. The back-up Privacy Officer must be included in the Security Incident Handling Team group in ServiceNow. 

When more than one HEINEKEN entity in more than one country is affected by the breach, the local Privacy Officer will also work with the other relevant Security Incident Handling Team(s), the other relevant Privacy Officer(s), the Global Privacy Officer and Global or Regional Security Operations and the other relevant Corporate Affairs Team(s) and the Global or Regional Corporate Affairs Team.

When a Data Processor is involved, the local Privacy Officer may choose to also work with the Personal Data Breach Team of the Data Processor. 

HVN Corporate Affairs

Corporate Affairs shall work with the Privacy Officer to draft and send responses to individuals when required. Corporate Affairs shall use the notification templates provided by the Privacy Officer. Corporate Affairs may always reach out to Global Corporate Affairs when additional support is required.

When more than one HEINEKEN entity in more than one country is affected by the breach, the local Corporate Affairs Team will also work with the other relevant local Corporate Affairs Team(s), the Global Corporate Affairs Team, the other relevant Privacy Officer(s) and the Global Privacy Officer.

Global Privacy Officer 

The Global Privacy Office, headed by the Global Privacy Officer, must be informed without undue delay of all personal data breaches that require notification to the Data Protection Authority. The Global Privacy Officer may instruct HVN to inform affected individuals of the personal data breach, where there is no legal obligation to notify individuals under Vietnam law. The instructions of the Global Privacy Officer must be followed by HVN.

The local Privacy Officer consults the Global Privacy Officer when additional support is required and when a (potential) personal data breach appears to involve more than one country. 

When more than one HEINEKEN entity in more than one country is affected by the breach, the Global Privacy Office coordinates and strives to ensure consistency in personal data breach handling amongst the local Privacy Officers and works with Global or Regional Corporate Affairs in case communication with affected individuals is required.

Global / Regional Corporate Affairs

Local Corporate Affairs consults Global or Regional Corporate Affairs when additional support is required for the evaluation of any external and/or internal communication needed regarding the personal data breach.

When more than one HEINEKEN entity is affected by the breach, Global and/or Regional Corporate Affairs coordinates amongst the Local Corporate Affairs teams and works with the Global Privacy Officer for the handling of the external and/or internal communication.

Crisis Management

HEINEKEN has a Crisis Management process in place which applies to this Personal Data Breach Policy as well. If required, the Crisis Management process will be applied by the Security Incident Handling Teams. 

Notifying individuals 

All notifications of personal data breaches to affected individuals must be drafted in joint collaboration by the Corporate Affairs Team and the Privacy Officer.

HVN Corporate Affairs Team will determine how to notify individuals on a case-by-case basis (e.g. who within HEINEKEN the notification should come from, the format and whether it is done by individual or mass communication). 

Where appropriate, the notice should also include specific advice to individuals to protect themselves from possible adverse consequences of the breach, such as resetting passwords in case their log-in credentials have been compromised. 

Notifications to individuals of personal data breaches should be separate from any other communications such as regular updates, newsletters or standard messages. The notification must be clear and transparent.

Registration

The HVN Privacy Officer has overall responsibility in ensuring that all relevant information regarding a personal data breach is registered in OneTrust. When no further investigation is required, the HVN Privacy Officer instructs the CSO to close the ServiceNow Incident ticket. 

All personal data breaches follow the above registration process, including those that were not reported to the relevant Data Protection Authority. 

The information required to complete the register in OneTrust includes:

  • Details of the breach, including:
    - Time
    - Location
    - The cause(s)
    - Description of the incident/Violations:
    - Organizations, individual, types of personal data and the quantity of relevant personal data: 
  • Personnel in charge of protection of personal data:
    - Full name:
    - Title:
    - Phone number:
    - Email:  
  • the effects and consequences of the breach;
  • details of the steps taken to remedy the breach;
  • whether or not a local legal requirement to notify personal data breaches to the Data Protection Authority and/ or individuals exists; 
  • if such local legal requirement exists: the reasoning for a decision not to notify or not within the required time period and evidence to justify any such delay; 
  • where the breach was notified to the relevant Data Protection Authority and / or affected individuals, a copy of the notification(s) and evidence to demonstrate that the notification was provided timely and in a transparent and effective manner.

This information will be held in OneTrust for a period of 3 years following the date on which the personal data breach was registered, unless applicable local law indicates a longer retention period. 

Administrative information

Contact person

Nguyen Lan Huong
HEINEKEN Vietnam Privacy Officer
NguyenLan.Huong@heineken.com

Bui Duc Thao
HEINEKEN Vietnam Data Protection Officer 
BuiDuc.Thao@heineken.com 

Huynh Thien Phu
HEINEKEN Vietnam Security Coordinator
HuynhThien.Phu@heineken.com 

 

XI. CONTACT INFORMATION

If you wish to exercise any of the rights listed above and/or report any privacy violations, or if you have any questions or comments regarding this Notice and our privacy standards, you may contact us at the email address privacyvn@heineken.com or hotline 19001845 or send a letter to us at Floors 18 & 19, Vietcombank Tower, No. 5 Me Linh Square, Sai Gon Ward, Ho Chi Minh City. 
