Privacy Center



HEINEKEN Vietnam feels very strongly about protecting the personal data that it is entrusted with. We strive to handle personal data with care according to our internal standards and applicable local law, to be transparent on how We use personal data and how individuals can exercise their data privacy rights.

CONTENTS:

I. THE 6 HEINEKEN PRIVACY PRINCIPLES

II. NOTICE OF APPLICANT PERSONAL DATA PROTECTION TERMS

III. NOTICE OF DISTRIBUTORS PERSONAL DATA PROTECTION TERMS

IV. NOTICE OF CUSTOMER PERSONAL DATA PROTECTION TERMS

V. NOTICE OF EMPLOYEE DATA PROTECTION TERMS WHEN APPLYING THE ACCESS CONTROL PROCESS AT THE COMPANY WORKPLACES

VI. NOTICE OF VISITOR PERSONAL DATA PROTECTION TERMS WHEN ACCESSING WORKPLACES

VII. NOTICE ON PERSONAL DATA PROTECTION TERMS FOR SURVEILLANCE CAMERA SYSTEM

VIII. HEINEKEN VIETNAM DATA SUBJECT RIGHTS POLICY (“DSR Policy”)

IX. HEINEKEN VIETNAM PERSONAL DATA BREACH NOTIFICATION POLICY

X. CONTACT INFORMATION

 

I. THE 6 HEINEKEN PRIVACY PRINCIPLES

Everyone at HEINEKEN Vietnam is responsible for adhering to the 'HEINEKEN 6 Privacy Principles' and making them part of their daily business practices.

Principle 1: Use Limitation

Define clear business purposes before you start collecting personal data. Limit the use of personal data to what is needed to achieve your business purposes.

Principle 2: Data Minimization

Only use the personal data that is necessary for the business purpose and restrict access to ‘need-to-know’. Delete the personal data when no longer needed. Keep the personal data up to date and correct.

Principle 3: Sensitive Data

Be extra careful when using sensitive data such as health, religion, social security numbers. Ask the Privacy Officer for advice if you wish to use sensitive data.

Principle 4: Transparency & Rights of Individuals

Communicate about what you do with personal data by means of privacy notices and other statements. Facilitate individuals exercising their rights in respect of their personal data.

Principle 5: Security

Have appropriate organisational and technical security measures in place to protect the personal data from unauthorised and unwanted access or use. Staff accessing the data must be bound by confidentiality obligations.

Principle 6: Third Party Access

Ensure required safeguards are in place when allowing third parties to access the personal data. Additional measures may be needed for international data transfers.

 

II. NOTICE OF APPLICANT PERSONAL DATA PROTECTION TERMS

Pursuant to current laws on personal data protection (“legal regulations”), HEINEKEN Vietnam Brewery Company Limited issues Notice of terms & conditions on Applicant personal data protection (“Notice”).

Effective from Jan 1, 2026

1. INTRODUCTION

HEINEKEN Vietnam Brewery Company Limited, together with its branches and affiliates (hereinafter referred to as "HEINEKEN" or “Company” or "We" or “Us”) is the Personal Data Controller of Applicant (or “You”).

HEINEKEN, your potential employer, is the controller and processor of your personal data. When Applicant visits the HEINEKEN career website or uses the internal job vacancies site, HEINEKEN collects information (personal data) about the Applicant: via web forms; or the Applicant’s CV or application letter submitted directly or via HEINEKEN's official career websites or from other sources that HEINEKEN may lawfully collect with the Applicant's consent; via interviews and discussions between Applicant and HEINEKEN; or via other official tools to Applicant's personal information with the Applicant's consent. HEINEKEN uses the Applicant's personal data in a lawful and fair manner, which means that HEINEKEN collects and processes personal data in compliance with applicable regulations on personal data protection. Protecting the privacy and personal data of Applicant is of the utmost importance to HEINEKEN and is a significant aspect of the way HEINEKEN creates, organizes and implements its recruiting activities.

This privacy statement is intended to inform Applicant regarding HEINEKEN’s processing of recruitment data and is applicable to HEINEKEN recruitment and selection activities.

This Notice may be updated from time to time, of which you shall be informed. If there are any amendments, additions, or updates to this Notice, Applicant is fully entitled to choose whether to continue allowing Company to retain their personal data or restrict the company's rights in accordance with applicable laws.

2. PURPOSES

Personal information (Applicant data) submitted by the Applicant to HEINEKEN or collected by HEINEKEN via any source and with the consent of the Applicant will be used by HEINEKEN to support a responsible, effective, and efficient recruitment and selection process. HEINEKEN will collect and process Applicant data from unsolicited applications, via interviews and discussions or via other official tools to Applicant's personal information with the consent from the Applicant. HEINEKEN will process Applicant data for recruitment purposes. These purposes are: assessment of your application, matching Applicant data with HEINEKEN current open positions, and contacting Applicant for future positions that suit the Applicant’s skills and capabilities, evaluating your eligibility to work at HEINEKEN (e.g. legal working age), communicating HEINEKEN recruitment and selection procedures, contacting Applicant to schedule interviews/tests and responding to questions the Applicant may raise, verifying information received via the application and for performing pre-employment screening.

In addition, HEINEKEN will process your personal data for the following purposes:

  • Personalization purposes, such as providing information on relevant vacancies (Job alerts) on the basis of the profile you created of yourself. This includes sending emails notifying you on Job alerts and other relevant HEINEKEN recruitment messages;
  • Information about your visit to and use of our Website/official recruitment system. We collect certain information when you visit our Website, such as your IP address, which web pages you visit, device category, browser, and type of internet browser, clicks and views. The information about your use of our Website and services enables us to build segments, which are groups of website visitors or customers with a number of common characteristics such as age group or region. We will likely add you to one of our segments. Segments are used by us to customize the Website and to change the order of search results, or where We place certain offers so you are more likely to see these. In addition, We may analyse anonymous measurement of response to our vacancies;

Before being accepted to work at HEINEKEN, you will be required to have a Pre-Employment Health Check-up. The purpose of this is to assess whether your health meets the requirements of the work environment, and to prevent the risk of spreading infectious diseases within Company. To do this, Company will provide instructions and seek your consent before conducting the health examination and consultation. 

3. APPLICANT DATA

HEINEKEN collects and processes Applicant data (required and optional) which the Applicant provides directly, via creating a profile and by attaching relevant documents (such as resume), on the HEINEKEN recruitment system. We also collect and process Applicant data through recruitment agencies, personal referrals, phone calls, e-mail or reference contacts who have the consent of the Applicant to share information, interviews, discussions with the Applicant and other legal forms with the Applicant's consent. Examples of Applicant data collected and processed by HEINEKEN for the purposes listed in section 2 include but are not limited to:

  • Personal details (e.g. name, contact details, language spoken, legal working age, nationality);
  • Work related information (e.g. details contained in your letter of application and CV, other details on education and development and work history);
  • Position (e.g. position of interest, title, location, full-time/part-time possible terms of employment);
  • Compensation (e.g. current and required salary and currency);
  • Immigration status (e.g. citizenship and details of residency or work permit).

4. APPLICANT SENSITIVE PERSONAL DATA

During the recruitment and selection process, We may need to collect certain data viewed as ‘sensitive’ according to laws & regulations because they may reveal intimate characteristics or personal privacy. Any use of sensitive Applicant data shall be used by us only within the strict limits set out by applicable local law.

Sensitive personal data in the recruitment process may include one or all the information listed below:

  • Health status & records: to check whether the Applicant's health meets occupational health standards according to relevant laws;
  • Data related to ethnic origin: if permitted or required by law, Applicant’s personal information may be used to eliminate or minimize potential inequalities or to ensure diversity in recruitment for Applicant from racial/ethnic minority groups, however, the use of this personal information must ensure objective recruitment decisions and not violate steps in the Company recruitment process;
  • Other personal data specified by law are special and require necessary security measures.

The Applicant data that We collect and process will be adequate, relevant and not excessive relative to the specified purposes for which the Applicant data are collected and processed. Applicant data will be as accurate as possible and, as necessary in accordance with applicable laws, kept up to date by Applicant.

5. REFERENCE CHECK

Reference check is a process applied by HEINEKEN to certain specific recruitment cases according to Company policy. Specifically, if required, Applicant will be requested to provide data of the referees. The referees will be people related to the Applicant's work history (for example: former colleagues, former bosses). Applicant will be sent an access link to forward to the referees so they can fill in their own contact information after reading and accepting HEINEKEN's data privacy terms. Data collected from the referees includes:

  • Confirmation of the Applicant's basic data (name, contact information);
  • Job-related data: position, title at the old company, work process and effectiveness at the old company, comments on the Applicant's personality;
  • Other data related to the Applicant's job that is approved for collection by the Applicant.

When receiving a link to enter information, the referee can only fill in basic information as outlined above after consenting to the data privacy notice. A copy of instructions on how to use myHR for the above purposes will be sent to the referee’s registered email. Referees’ data will include full name, company, relationship with the consulted employee, phone number, and email.

By reading and accepting this notice, and forwarding the access link to fill in the referee’s data, Applicant consents to these individuals providing Applicant's personal data to HEINEKEN and allows HEINEKEN to share limited data related to the Applicant's basic information and work history. These discussions and sharing will be controlled responsibly, legally, and effectively, ensuring information security for Applicant. The data provided by the referee will be used for reference and will be carefully and responsibly evaluated and screened by the HEINEKEN recruitment team. This data does not have any value in deciding the Applicant application result. The referee’s data will be automatically deleted after 6 months from the end of the reference check activity.

6. COOKIES OR SIMILAR TECHNOLOGIES

Our website uses ‘cookies’, which are small text files stored on your device, to help operate the site and collect information about your online activity. Our website uses cookies for several purposes, including:

  • Storing your Preferences & Settings;
  • Age gate verification;
  • Sign-in and Authentication;
  • Site Analytics;
  • Targeted Advertising.

Through cookies or similar technologies, We may collect the following personal data:

  • IP address;
  • Age gate data (your birthdate);
  • Cookie ID;
  • Browser type;
  • Language settings;
  • The website you came from and the website you visit; and
  • The links you click while using our sites and services.

You can find more information in our cookie policy as published on our website(s).

7. QUALITY AND LIABILITY

When you provide your personal data to HEINEKEN, you are responsible for the accuracy of your personal data and to make sure that your personal data remains accurate and up to date. HEINEKEN is, except for gross negligence or unlawful intent, not liable for errors, consequences or activities taken as a result of inaccurate or incomplete information that you provided to us.

8. TRANSFER OF ACCESS TO YOUR PERSONAL DATA

To operate as a global business and to promote an Applicant’s career within HEINEKEN, it is in both the job Applicant and HEINEKEN’s interests to enter Applicant data in an international database that may either be limitedly available or available for all HEINEKEN recruiters worldwide. A third party service provider of HEINEKEN may also be located outside your home jurisdiction. Where such international data transfer takes place to a country that has a different data protection regime, HEINEKEN will ensure that the international data transfer will not negatively affect the level of protection of your personal data. Where required, HEINEKEN will inform you of any additional details on the international data transfers.

As part of the application process, Applicant is asked to select any of the following choices:

  1. Only the HEINEKEN recruiters managing the relevant jobs;
  2. Any HEINEKEN recruiter in the country of residence of the Applicant;
  3. Any HEINEKEN recruiter worldwide.

By reading and accepting this recruitment privacy statement, Applicant agrees to allow HEINEKEN to upload Applicant's personal data to the SuccessFactors system - HEINEKEN's data storage service according to the statement below. However, subject to the Applicant's choice above, only those individuals limited to that choice will have access to the Applicant's personal data and to have it processed for the purposes noted in the Notice. HEINEKEN will ensure adequate security measures and valid transfer mechanisms for the transfer to and processing of Applicant data in the HEINEKEN locations in the various countries where HEINEKEN operates.

During the recruitment process, Applicant information will be accessed internally only by those HEINEKEN employees (including employees of HEINEKEN affiliates) who are involved in the recruitment process. Where your information is submitted to, or processed on behalf of, HEINEKEN by a contracted and trusted third party provider, We put in place an agreement with such third party service provider to protect your personal data. The provider will only use Applicant information to process HEINEKEN employment applications and not for its own purposes.

The recruitment website runs on SuccessFactors. SuccessFactors is a SAP cloud application owned by SAP and stored on servers in Germany with back up servers in the Netherlands. SuccessFactors has access to the system when providing hosting, maintenance, and support services. We have agreements in place with SuccessFactors to protect the confidentiality and security of your personal data.

From time to time, We may need to make personal data available to other unaffiliated third parties, such as recruitment agencies or IT systems suppliers, professional advisors (such as accountants, auditors, or lawyers), public and governmental authorities (entities that regulate or have jurisdiction over us such as regulatory authorities, law enforcement, public bodies and judicial bodies), or in the context of corporate transactions (a third party in connection with any proposed or actual reorganization, merger or sale). We require third parties and professional advisors to use appropriate measures to protect the confidentiality and security of the personal data. Where such international data transfer takes place from an EEA country to a recipient in a country that has a different data protection regime, We will ensure that this international data transfer will not negatively affect the level of protection of your personal data, and is based on appropriate safeguards including EU Model Clauses or Binding Corporate Rules.

9. RETENTION

HEINEKEN will retain Applicant data during the recruitment and selection process. HEINEKEN will only retain Applicant data in relation to a particular vacancy as long as legally allowed after the recruitment and selection process. If there is a legal obligation to retain personal data longer, HEINEKEN will do so (e.g. equal opportunity requirements in local labour laws).

HEINEKEN may also retain Applicant data in relation to a particular vacancy if you have given your consent to keep the Applicant data, e.g. keeping an Applicant’s resume on file if a suitable position arises. In addition, you may create a profile without actually applying to a particular vacancy. In those cases, HEINEKEN will generally delete your data after 05 (five) years – or shorter when legally required based on local law - of inactivity in our recruitment system (i.e. after not having logged-in to your account/profile). In addition, Applicant can also request that the Company delete data and exercise the right to withdraw the Applicant's consent within a prescribed period from the date of receipt of the request. However, Applicant will still be asked (every 6 months) whether to allow HEINEKEN to store their data in the future. By accepting or declining, HEINEKEN will continue to securely retain or delete Applicant data on the system in accordance with the law.

The time to start processing data is calculated from the time the data subject agrees to this data security notice and provides data to the Company. The end time of data processing is the actual time the Company no longer stores the data subject's data on the system according to the time described above.

After the retention period the Applicant data will be completely deleted from HEINEKEN’s system. Applicant is entitled to request deletion of his or her personal data at any time.

10. SECURITY

HEINEKEN uses a number of technical, physical and organizational security measures to assure the integrity, confidentiality and availability of Applicant data, taking into account the nature, scope, context, purposes and risks involved. HEINEKEN has implemented security technologies to protect the stored Applicant data from unauthorized access, improper use, alteration, unlawful or accidental destruction and accidental loss.

HEINEKEN continues to enhance its security procedures as new technology becomes available. An Applicant has an important role to play in assisting HEINEKEN in keeping Applicant data secure. Applicant should at all times keep his or her password confidential and use the correct procedure to log in and out of the HEINEKEN recruitment system.

The Company is committed to ensuring that personal data security measures are implemented and complied with. However, because the processing activities of these types of data are mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences, and damages do not occur. Here are some examples of unwanted consequences and damages that may occur:

  • Disclosure of personal data: When personal data is disclosed illegally, the data subject may be subject to risks related to possible privacy impacts and other damages;
  • Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;
  • Data loss: If personal data is lost due to a system crash, the data subject may lose important information and have difficulty recovering the data.

Therefore, We consider your personal data to be very important and We will ensure its confidentiality, security, and compliance with applicable laws on personal data protection. In detail:

  • Organizational measures: The Company appoints a dedicated team to protect Applicant data and assigns individuals responsible for data protection, and individuals responsible for data for each process;
  • Physical measures: The Company commits to using the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of separation locks and limiting the number of people who can open, and a sufficient and quality security team;
  • Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;
  • In addition, the Company also recommends that relevant stakeholders be responsible for their personal data: do not open browsers, emails with unknown senders, applications, etc. which relevant parties suspect to contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures.

The Company will notify the government agencies of a Data Security Breach within the prescribed period after discovering such breach.

11. RIGHTS AND OBLIGATIONS OF APPLICANT

Applicant has the right to request access to his or her Applicant data that HEINEKEN holds. Applicant also has the right to have his or her data rectified, deleted, or restricted (as appropriate). Applicant can correct or delete their Applicant data themselves by making changes to their profile. Applicant also has the right to have the processing of their data restricted (as appropriate) or object to the use of their personal data by HEINEKEN. Please note that requests that do not meet the requirements set out by applicable law or HEINEKEN guidelines may be requested to be re-issued or ultimately denied and that certain personal data may be exempt from an Applicant’s request pursuant to applicable data protection laws and other laws and regulations.

You also have the right to submit a complaint to the data protection authority in accordance with your local laws and regulations.

You have obligations to: protect your personal data; respect and protect the personal data of others; provide complete and accurate personal data when agreeing to process personal data; and other obligations according to current legal regulations on personal data protection.

The application process may include an automated rejection of your application. Where this is the case, the criteria used to make such automated decision shall be included in the relevant job requirements. You have the right to ask us to look at your application notwithstanding the automated response you have received, or to inform us that you do not agree with the rejection of your application and the reasons why. 

III. NOTICE OF DISTRIBUTORS PERSONAL DATA PROTECTION TERMS

The Notice of Personal Data Protection Terms for Distributors (hereinafter referred to as the “Notice”) is effective from Jan 1, 2026, and applies to product distributors (hereinafter referred to as “Distributors” or “you”) of HEINEKEN Vietnam Brewery & Beverage Company Limited (hereinafter referred to as “HVBB” or “we” or “the Company”). This Notice applies to (i) individuals, and/or (ii) representatives or contact persons of the Distributors, in case the Distributor is a legal entity.

You are receiving this Notice because HVBB is currently processing and will process your personal information (hereinafter referred to as “Personal Data”) as a data controller and/or data processor. Please read this Notice carefully as it outlines the context in which We process your Personal Data and explains your rights and obligations as well as ours regarding such data processing.

We respect your privacy and are committed to keeping your Personal Data secure and managing it in accordance with our legal obligations under applicable personal data protection laws.

1. What personal data We process and how

We may collect and process the following types of your Personal Data:

  • General and identifiable information (e.g. full name, gender, date and place of birth, nationality, ID card/passport number, email and/or address, phone number);
  • Bank account information;
  • Marital status and family relationship information;
  • Voice (if recorded through our customer service hotline);
  • Image (if captured at annual customer conferences and/or other Company events);
  • Location data, GPS data;
  • Signature.

If you intend to provide us with personal data of other individuals (e.g., your colleagues), you must share a copy of this Notice with them and obtain their consent.

We may process Personal Data by automated or non-automated means, through electronic or manual methods, or any other means We deem appropriate.

2. Purpose of processing your personal data

We always process your Personal Data for one or more specific purposes and only process data relevant to achieving those purposes. In particular, We process your Personal Data for the following:

  • Managing our Distributors across the supply chain;
  • Organizing tenders, preparing for or executing existing contracts;
  • Organizing annual customer conferences;
  • Monitoring activities at our premises, including compliance with applicable policies and health and safety regulations;
  • Granting you access to our applications/systems;
  • Managing our IT resources, including infrastructure and business continuity;
  • Protecting and exercising our legal rights, ensuring compliance and reporting (e.g., complying with internal policies, legal/tax obligations, managing alleged fraud or misconduct, audits, litigation processes);
  • Implementing, applying, and adjusting applications/systems/processes for business management, payment processing, and internal policy/regulatory compliance (including but not limited to: customer record management, DIS, GIS, HVN Ordering, Distributor 2.0 (TMS), Call Center, Base, DOT, SEM, VMI, JBP, Mendix and other systems implemented or adjusted by the Company from time to time);
  • Collecting financial information from Distributors to analyze and share development strategies with HVN;
  • Storing (including local storage and/or cloud-based services) and tracking records;
  • Any other purposes as required by law or competent authorities.

3. Duration of personal data processing

Processing begins when you provide your Personal Data to us and continues until the data is deleted or destroyed in accordance with applicable laws and/or our internal policies or decisions from time to time. We will take reasonable steps to delete or anonymize your Personal Data when it is no longer required for the stated purposes or upon expiration of the retention period.

4. How We share your personal data

Your Personal Data may be accessed or transferred to the following third parties on a need-to-know basis to fulfill the purposes outlined above. These may include:

  • Our personnel (including departments and affiliated companies within the HEINEKEN group);
  • Independent agents (if any);
  • Event service providers selected by us for annual customer conferences;
  • Financial service providers selected by us (for example: banks), in case you agree to join our credit support projects;
  • Our customer service and delivery providers;
  • IT system providers, cloud service providers, database providers, and consultants;
  • In the event We sell part or all of the assets/shares of a HEINEKEN Group company, your Personal Data may be disclosed to the acquiring party;
  • Any national and/or international law enforcement authorities, regulators, or judicial bodies to fulfill our legal obligations or court orders.

These parties may be located in Vietnam, the European Union, other countries in the European Economic Area (EEA), or elsewhere in the world. If We transfer your data to such jurisdictions, We will ensure it is protected by (i) applying the required level of protection under applicable data protection law and (ii) acting in accordance with our policies and standards.

5. Ensure personal data safety

We consider employee’s personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

  • Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;
  • Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate & limit the number of people who can open, and a sufficient and quality security team;
  • Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;
  • In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit the use of devices not provided by the company to create, access, edit, or change data; if you use devices not provided by the company to create, access, edit, and change data, you must ensure the installation of support tools (anti-virus, management, etc.) to ensure the device is properly installed as recommended by the Company's personal data protection department; do not open browsers, emails with unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures; and all employees are recommended to fully participate in information security awareness courses as recommended by the Company.

The Company commits to ensuring that personal data security solutions are deployed, implemented and complied with as much as possible. However, because the processing activities for these data types are mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm do not occur. Here are some examples of unwanted consequences and harm that may occur:

  • Disclosure of personal information: When personal data is disclosed illegally, the data subject may face risks related to possible privacy impacts and other damages;
  • Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;
  • Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

6. Your choices and rights

You have the right to give or withdraw your consent to the processing of Personal Data, to access or delete your Personal Data, to request processing restrictions, to data portability, to file complaints, denounce or initiate lawsuits, to seek compensation, and other rights as prescribed under current personal data protection laws. Withdrawal of consent and the exercise of these rights do not affect the legality of the data processed by the Company prior to such withdrawal.

7. Updates

We will periodically review and update this Notice. Any changes will be communicated to you via our usual communication channels (e.g., email).

 

IV. NOTICE OF CUSTOMER PERSONAL DATA PROTECTION TERMS

This Notice of Customer Personal Data Protection Terms (hereinafter referred to as the “Notice”) has been effective since 01 Jan 2026 and applies to all product sales outlets (hereinafter referred to as “you”) of Heineken Vietnam Brewery Company Limited (hereinafter referred to as “HVN,” “we,” or “the Company”), including its subsidiaries, branches, and representative offices.
This Notice applies to:
(i) individuals, and/or
(ii) authorized representatives or contacts of the sales outlets if the sales outlet is a legal entity.

You are receiving this Notice because HVN is and will be processing your personal data (hereinafter referred to as “Personal Data”) in its capacity as a data controller and/or data processor. Please read this Notice carefully as it outlines the context in which We process your Personal Data and explains both your rights and our obligations regarding such processing.

We respect your privacy and are committed to safeguarding and managing your Personal Data in accordance with our legal obligations under applicable personal data protection regulations.

1. The Personal Data We Process and How We Process It

We may collect various types of your Personal Data, including:

  • Your general and identifying information (e.g., name, gender, date and place of birth, nationality, ID card/citizen ID number, email and/or address, phone number);
  • Your voice (if recorded through our customer service hotlines or call centers);
  • Your images;
  • Location, GPS information.

If you intend to provide us with personal data relating to other individuals, you must provide them with a copy of this Notice and obtain their consent.

Processing activities may be conducted automatically or manually, by electronic means, or by any other methods We deem appropriate.

2. Purposes for Which We Process Your Personal Data

We always process your Personal Data for one or more specific purposes and only process data relevant to achieving those purposes. Specifically, We process your Personal Data to:

  • Manage our customer relationships;
  • Organize tenders, prepare for or perform existing contracts;
  • Organize annual customer conferences;
  • Monitor activities at our facilities, including compliance with applicable policies as well as health and safety regulations;
  • Grant you access to and participation in our applications/processes;
  • Manage our IT resources, including infrastructure administration and business continuity;
  • Protect and enforce our legal rights, ensure compliance, conduct investigations, audits, and reporting (e.g., compliance with our policies, applicable laws and regulations, tax and withholding requirements, managing suspected fraud or misconduct, conducting audits and legal proceedings);
  • Implement, apply, and adjust application systems and processes to support business administration, payment processes under applicable law, and compliance with HEINEKEN internal policies and regulations (including but not limited to systems for: order management, customer records management, payment processes, signage installation, draught beer system installation, advertising & promotion management, loyalty programs, data storage and analytics, branded fridge installation management, customer service hotlines, and other applications deployed or adjusted by HEINEKEN from time to time);
  • Store and track records;
  • Any other purposes permitted by applicable laws.

3. Commencement and Duration of Personal Data Processing

The processing of your Personal Data begins when you provide it to us and continues until such data is deleted or destroyed in accordance with applicable laws and/or our policies and decisions at the relevant time. We will take reasonable steps to delete or anonymize Personal Data when it is no longer necessary for the purposes specified above or upon expiry of any applicable retention period.

4. How We Share Your Personal Data

Your Personal Data may be accessed by or transferred to the following third parties on a need-to-know basis to fulfill the purposes outlined above:

  • Our personnel (including employees, departments, or other HEINEKEN Group companies);
  • Distributors and secondary distributors;
  • Providers of customer event services selected by us from time to time;
  • Other companies We control or co-control, third parties such as our business partners and service providers, or when required by law;
  • IT system providers, cloud service providers, database providers, and our consultants;
  • In the event of a sale of all or part of the assets or shares of a HEINEKEN Group company, your Personal Data may be transferred to the third party acquiring such assets or shares;
  • Any national and/or international law enforcement authority (regulatory, public, or judicial authority) to comply with our legal obligations or court orders.

These parties may be located in Vietnam, the European Union, other European Economic Area (“EEA”) countries, or anywhere else in the world. Where We transfer your Personal Data to entities in other jurisdictions, We will ensure adequate safeguards are in place by (i) applying the required level of protection as set out in applicable data privacy laws and (ii) acting in accordance with our policies and standards.

5. Ensure personal data safety

We consider employee’s personal data to be an important asset of the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. In particular:

  • Organizational measures: The Company appoints a dedicated team to protect employee data and assigns who is responsible for data protection and who is responsible for data of each process;
  • Physical measures: The Company commits to use the best physical measures to protect servers and data backup machines, which contain the Company's personal data. These physical measures include: adding surveillance camera systems, creating multiple layers of locks to separate areas and limit the number of people who can open them, and maintaining a sufficient and qualified security team;
  • Technical measures: The Company commits to use the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.;
  • In addition, the Company also advises relevant people to be responsible for their personal data and the Company's general data: limit the use of devices that are not provided by the company to create, access, edit, or change data; if you use devices not provided by the company to create, access, edit, and change data, you must ensure that support tools (anti-virus, management, etc.) are properly installed on the device as recommended by the Company's personal data protection department; do not open browsers, emails from unknown senders, applications, etc. that relevant parties suspect contain malicious code; immediately report to the data protection team when suspecting a data breach or detecting a data security violation; implement other data security measures; all employees are also recommended to fully participate in information security awareness courses as recommended by the Company.

The Company commits to ensuring that personal data security solutions are deployed, implemented and complied with as far as possible. However, because the processing of these data types is mainly carried out in the cyber environment, it is impossible to absolutely guarantee that potential risks, unwanted consequences and harm will not occur. Here are some examples of unwanted consequences and harm that may occur:

  • Disclosure of personal information: When personal data is disclosed illegally, the data subject may face privacy-related risks that may cause impacts and other damages;
  • Stolen personal data: When personal data is stolen, criminals can use the stolen data to commit fraud or illegal activities;
  • Data loss: If personal data is lost due to a system problem, the data subject may lose important information and have difficulty recovering the data.

The Company will notify the authorized government office of a Data Security Breach within the prescribed time period after discovering such breach.

6. Your rights and choices

You have the right to grant or withdraw consent for processing, access and delete Personal Data, request restrictions on processing, obtain a copy of your data, file complaints, make denunciations and initiate legal proceedings, request compensation, and exercise other rights as provided by applicable personal data protection laws.

Withdrawal of consent and exercise of other rights does not affect the lawfulness of any data processing conducted prior to such withdrawal.

7. Updates

We will periodically review and update this Notice. Any changes will be communicated to you via our usual communication channels (e.g., email).

 

V. NOTICE OF EMPLOYEE DATA PROTECTION TERMS WHEN APPLYING THE ACCESS CONTROL PROCESS AT THE COMPANY WORKPLACES

HEINEKEN Vietnam Brewery Limited Company and its affiliates, branches & representative offices (hereinafter referred to as "HVN" or "We" or "Us" or “the Company”) are committed to protecting the privacy of our employees.

In order to ensure the Health & Safety of our employees and security at any offices and workplaces (hereinafter referred to as “Workplaces”) of the Company, HVN needs to install access control and surveillance camera systems at such Workplaces. To implement these controls, We need to collect and process some personal data of HVN’s employees working at all HVN’s working locations and third parties’ employees & contractors’ employees working at all HVN’s working locations (hereinafter referred to as “Employee” or “you”). Before We process your personal data, We need your consent for HVN to process such data for the specific purpose mentioned below and in accordance with applicable laws & regulations on personal data protection.

The access control system offers three registration options: (1) face recognition, (2) fingerprint and (3) card scanning. Employees reserve the right to choose one of the three options to register for access control to HVN Workplaces.

The surveillance camera system (“CCTV system”) is arranged to ensure security and safety at HVN Workplaces. Details of the Notice of personal data protection terms for the CCTV system are also attached hereto as an integral part of this Notice: 2023_CCTV Privacy notice_EN.docx. You are required to read such Notice carefully and give consent for Us to process your personal data for the surveillance camera system.

We respect your privacy, and We are committed to keeping your Personal Data secure and managing it in accordance with our legal responsibilities under applicable laws and regulations on personal data protection.

In this Notice, We describe how We process and protect your personal data through the use of the Company’s access control equipment. We are the Controller of your personal data.

1. For which purposes do We use your personal data

We use your personal data for the following purposes:

  • To ensure the Health & Safety of employees and to respond to technology application needs in managing access control to HVN offices & working premises effectively.
  • Ensure security when entering and leaving the Company’s offices & working premises, protect the assets of employees and the company.
  • Protect the legitimate interests of HVN and its employees.

2. Which types of personal data do We use

To register to use this control, We need employees to provide the following information: full name, employee code, and department. Additionally, through the access control system, We may also collect and process your activity history, such as the times you enter and exit the workplace areas.

If you sign up for the Face Recognition option, you will be asked to provide facial recognition data. 

If you sign up for the fingerprint option, you will be asked to provide fingerprint data. 

HVN's workplace has a surveillance camera system to ensure security and safety at the workplace. Therefore, your images will also be recorded and stored by the CCTV system for a certain period. Please find further details in the Notice on personal data protection terms for surveillance camera system: 2023_CCTV Privacy notice_EN.docx.

The information that We collect and process will be complete, relevant and used only for the specific purposes set out in section 1 of this Notice. Your information needs to be as accurate as possible and needs to comply with current laws on personal data protection.

The sensitive personal data We may process includes:

  • Individual biological characteristics: identification characteristics on ID card/ID card, fingerprint shape, facial recognition data
  • Other data considered sensitive personal data according to applicable laws & regulations on personal data protection.

3. Methods of processing your personal data 

By reading and selecting the facial recognition or fingerprint method or card scanning, you agree that your information will be collected, stored, and used by any method in accordance with the company’s policies and/or practices from time to time, including without limitation, collection, recording, validation, storage, modification, combination, access, retrieval, encryption, copying, transmission, deletion, cancellation, and other related actions. All of these methods must be consistent with the purposes set out in section 1 of this Notice. 

4. Who has access to your personal data

Only members of the HVN access control group have the right to access your personal data to perform the work under their responsibility and any of the purposes described in this Notice.

In addition, where workplaces are located inside complex buildings/office buildings/restricted access areas managed by third parties, We will also share your data with those parties. This is to control access to those restricted places. This sharing will include limited data, for control and security purposes and the purposes stated in this Notice. Whenever your data is shared with or processed by a third party service provider contracted with the Company, We sign an agreement with that service provider regarding the security of your data in accordance with applicable laws & regulations on personal data protection.

5. Security 

We consider your personal data as an important asset of the Company and We will ensure confidentiality, safety, legal compliance, and limit possible unwanted consequences and damages that might occur (including but not limited to: data leakage or inappropriate data processing that harms your legitimate rights and interests).

Because We cannot rule out the above unwanted possibilities, We consider your personal data to be very important to the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. Details are as follows:

  • Organizational measures: The company has appointed a dedicated team to protect employee data and assigned individuals responsible for data protection and individuals responsible for the data of each process.
  • Physical measures: The Company is committed to using the best physical measures to protect servers and data backup devices, which contain the Company's personal data. These physical measures include adding surveillance camera systems, creating multiple security layers to block access and limit the number of people who can access them, and maintaining sufficient and qualified staff.
  • Technical measures: The Company is committed to using the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.
  • In addition, the Company also recommends that relevant entities be responsible for their personal data and the Company's general data: limit the use of devices other than approved company devices to create, access, edit, or change data. If you use devices not provided by the company to create, access, edit, and change data, you must ensure that the device's support tools (anti-virus, management, etc.) are properly and safely installed as recommended by the Company's personal data protection department. Do not open browsers, emails from unknown senders, applications, etc. that relevant parties suspect contain malicious code. Immediately report to the data protection team when suspecting a data breach or detecting a data security violation. Implement other data security measures; Company employees are also recommended to fully participate in data security awareness courses as recommended by the Company.

The Company shall notify the competent state authority of the Data Security Breach within a statutory period of time after such breach is discovered.

6. How long do We retain your personal data

We will retain your personal data for as long as required by law or for as long as necessary for any of the purposes listed in this Privacy Statement, or to comply with legal requirements to which We are subject, as long as reasonably necessary for archival purposes or as long as consistent with the applicable statute of limitations. We will take reasonable steps to destroy or de-identify the personal data We hold if it is no longer needed for the purposes set out above or after the expiration of the defined retention term.

Start of processing of your personal data: after you have agreed to this Notice.

End of processing of the personal data you provided: when employees resign or contractors’ employees complete their jobs at the Company, We will delete the data within 30 days from the time the employee completes the job handover on the last working day, except for surveillance camera data. The end time for processing surveillance camera data shall comply with the Notice on personal data protection terms for surveillance camera system (2023_CCTV Privacy notice_EN.docx).

7. Your rights and obligations 

You have rights to your personal data, which include: the right to consent, the right to withdraw consent, the right to delete, the right to restrict data processing and other rights as prescribed by applicable law on personal data protection.

You have an obligation to: protect your personal data; respect and protect the personal data of others; provide complete and accurate personal data when giving consent to process personal data; and fulfil other obligations according to current laws on personal data protection.

8. The Notice Validity

This Notice is made in Vietnamese and English versions. Where there is a discrepancy in meaning between the Vietnamese and English versions, the Vietnamese version shall prevail.

This Notice will be effective from Jan 01st, 2026. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent.

 

VI. NOTICE OF VISITOR PERSONAL DATA PROTECTION TERMS WHEN ACCESSING WORKPLACES

HEINEKEN Vietnam Brewery Limited Company and its affiliates, branch(es) & representative office(s) ("HVN" or "We" or "The Company") are committed to protecting the privacy of our visitors (visitors for business purposes, visitors for tours, and other individuals who come to the Company not in the capacity of employees or outsourced employees of HVN - hereinafter referred to as “you”).

Workplaces under the Notice of Terms & Conditions for Visitor’s Personal Data Privacy When Accessing Workplace (hereinafter referred to as “Notice”) include but are not limited to: Subsidiaries, Branches, Head office, Regional offices, Sales offices, Breweries, Warehouses, and other workplaces with limited access to visitors (hereinafter referred to as “Workplace”).

To ensure Safety and Security at our workplace, you are requested to register with our administrator at the workplace you need to visit before accessing it. For this purpose, We need to collect and process some of your data. Before processing, We need you to confirm your consent to the use of this data. We respect your privacy and commit to keeping your Personal Data secure and managing it in accordance with our legal responsibilities under applicable laws & regulations on personal data protection.

Additionally, We have installed a surveillance camera system (“CCTV system”) to ensure security and safety at HVN Workplaces. When you agree to access our Workplaces, your images will also be recorded and stored in accordance with applicable laws & regulations on personal data protection. Details of the Notice on personal data protection terms for the CCTV system are also attached hereto as an integral part of this Notice: 2023_CCTV Privacy notice_EN.docx. You are required to read such Notice carefully and consent to HVN processing your personal data for the surveillance camera system. If you do not agree to HVN processing your images for the surveillance camera system, you may not enter HVN Workplaces that have surveillance cameras installed.

In this Notice, We describe how We process and protect your personal data through registration and access to the workplace. We are the controller and processor of your personal data.

1. We use your personal data for the following purposes:

  • Ensure security when accessing the workplace, protect the assets of yourself, our employees, and Company.
  • Protect the legitimate interests of yourself, our employees, and the company.
  • Register to access the building to comply with the Building Management’s regulation (if any).
  • Other purposes from time to time and in accordance with applicable laws & regulations on personal data protection.

2. Which types of personal data do We process?

To be able to access the workplace, you are requested to register with the administration department at the workplace. During the registration process, We may collect and process some of the following data:

  • Image of ID card/Citizen identification card.
  • Personal data: full name, date of birth, gender, nationality, permanent residence, date of issuance of Citizen identification card/ID card, place of issuance of Citizen identification card/ID card, Citizen identification card/ID card validity, reason for access, contact person at work, data relating to your health and other data considered personal data according to applicable personal data protection law.
  • HVN's workplace has a CCTV system (surveillance camera system) to ensure security and management at the workplace. Therefore, your images will also be recorded and stored by the surveillance camera system for a certain period of time. Please find further details in the Notice on personal data protection terms for surveillance camera system at the link: 2023_CCTV Privacy notice_EN.docx.

3. Do We process sensitive personal data?

The Citizen identification card /ID card image contains personal data that is considered sensitive according to the personal data protection law. We will also process such data as part of workplace registration and comply with applicable laws & regulations on personal data protection. The sensitive personal data We process includes:

  • Individual biological characteristics: identification characteristics on ID card/ID card, fingerprint shape, data relating to your health. 
  • Other data considered sensitive personal data according to applicable laws & regulations on personal data protection.

4. Methods of processing your personal data

By reading and consenting to this Notice, you accept that your data will be collected, stored, and used in any method according to the Company's policies and/or operations as outlined in this Notice which will be adjusted from time to time, including but not limited to: collection, recording, validation, storage, encryption, decryption, copying, deletion, destruction and other related actions. All of these methods are consistent with the purposes stated in section 1 of this Notice.

5. Who has access to your personal data

Only members of the administration department at the workplace to which you are registered will have access to your personal data to carry out work within their responsibilities and to carry out any of the purposes described in this Notice. 

In addition, where workplaces are located inside complex buildings/office buildings/restricted access areas managed by third parties, We will also share your data with those parties. This is to control access to those restricted places. This sharing will include limited data, for control and security purposes and the purposes stated in this Notice. Whenever your data is shared with or processed by a third party service provider contracted with the Company, We sign an agreement with that service provider regarding the security of your data in accordance with applicable laws & regulations on personal data protection.

6. Security

We consider your personal data as an important asset of the Company and We will ensure confidentiality, safety, legal compliance, and limit possible unwanted consequences and damages that might occur (including but not limited to: data leakage or inappropriate data processing that harms your legitimate rights and interests).

Because We cannot rule out the above unwanted possibilities, We consider your personal data to be very important to the Company and the Company will ensure confidentiality, safety and compliance with current legal regulations on personal data protection. Details are as follows:

  • Organizational measures: The company has appointed a dedicated team to protect employee data and assigned individuals responsible for data protection and individuals responsible for the data of each process.
  • Physical measures: The Company is committed to using the best physical measures to protect servers and data backup devices, which contain the Company's personal data. These physical measures include adding surveillance camera systems, creating multiple security layers to block access and limit the number of people who can access them, and maintaining sufficient and qualified staff.
  • Technical measures: The Company is committed to using the best technical measures to protect the Company's personal data. These technical measures include: data filtering, data blocking, data change checking, encryption before sending over HTTPS, data transmission via TLS, encryption with AES protocol before saving, SSL protocol, automatic backup, digital certificate (SSL), Username/Password Administration, Access Management Authorization Administration and Firewall, etc.
  • In addition, the Company also recommends that relevant entities be responsible for their personal data and the Company's general data: limit the use of devices other than approved company devices to create, access, edit, or change data. If you use devices not provided by the company to create, access, edit, and change data, you must ensure that the device's support tools (anti-virus, management, etc.) are properly and safely installed as recommended by the Company's personal data protection department. Do not open browsers, emails from unknown senders, applications, etc. that relevant parties suspect contain malicious code. Immediately report to the data protection team when suspecting a data breach or detecting a data security violation. Implement other data security measures; Company employees are also recommended to fully participate in data security awareness courses as recommended by the Company.

The Company shall notify the competent state authority of the Data Security Breach within a statutory period of time after such breach is discovered.

7. How long do We retain your personal data

We will retain your personal data for as long as required by law or for as long as necessary for any of the purposes listed in this Notice, or to comply with legal requirements to which We are subject, as long as reasonably necessary for archival purposes or as long as consistent with the applicable statute of limitations. We will take reasonable steps to destroy or de-identify the personal data We hold if it is no longer needed for the purposes set out above or after the expiration of the defined retention term.

Start of processing of your personal data: after you have agreed to this Notice.

End of processing of the personal data you provided: We will delete the data within 30 days from the time you complete your work and leave our workplace, except for surveillance camera data. The end time for processing surveillance camera data shall comply with the Notice on personal data protection terms for surveillance camera system (2023_CCTV Privacy notice_EN.docx).

8. Your rights and obligations

You have rights to your personal data, which include: the right to consent, the right to withdraw consent, the right to data deletion, the right to restrict data processing and other rights as prescribed by applicable laws & regulations on personal data protection.

You have an obligation to: protect your personal data; respect and protect the personal data of others; provide complete and accurate personal data when giving consent to process personal data; and other obligations according to applicable laws & regulations on personal data protection.

9. The Notice Validity

This Notice is made in Vietnamese and English versions. Where there is a discrepancy in meaning between the Vietnamese and English versions, the Vietnamese version shall prevail.

This Notice will be effective from Jan 01st, 2026. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent.

 

VII. NOTICE ON PERSONAL DATA PROTECTION TERMS FOR SURVEILLANCE CAMERA SYSTEM

HEINEKEN Vietnam Brewery Company Limited, its affiliates, branches & representative offices (“HVN” or “We” or “Company” or “Data Controller & Processor”) are responsible for processing your personal data. HVN has issued a “personal data protection policy for surveillance camera systems”. This notice provides information on the purpose and types of data collected from surveillance camera systems (referred to as “data”), how the data is used and secured, your privacy rights at the workplace, and contact information in case of need.

This notice complies with applicable laws and HVN's internal policy on protection of personal data. This Notice will be announced at the gates and areas before entering the monitored area. All employees, contractors, and contractors’ employees, third parties and visitors (collectively referred to as “you”) who agree to enter the breweries are deemed to have agreed to this notice. New employees need to be informed before starting their work at the breweries.

1. Definition

Employees are not limited to relationships based on employment contracts. “Employee” in this policy refers to all instances of an employment relationship in the broadest sense for HEINEKEN Vietnam, regardless of whether or not the relationship is based on a formal employment contract (Including: full-time employees, seasonal employees, third-party employees, etc.).

Contractors and visitors include: government officials, consultants, contractor employees, suppliers, freelancers, volunteers, representatives of external organizations, and other individuals who come to visit and work at the breweries.

Surveillance camera system is the use of a camera system located at specified locations to record visual images of activities in the breweries area to ensure safety, security, and food safety regulations. Visual surveillance does not include audio recording.

2. Legal basis:

We only process your personal data if there is one of the following legal bases:

  • Legitimate interests
    Where we have a legitimate business interest. We will always do so only within the limits of the data protection laws applicable to the processing of your personal data.
  • Legal obligation
    Where we believe it is necessary to use your information to comply with a legal obligation to which we are subject. For example, if we are required or directed to use camera surveillance in certain premises by applicable law or by a license, franchise or administrative consent that we require in order to operate our business.
  • Consent
    Where we have your consent. We will always notify you and request your consent if we need to do so based on data protection laws & regulations applicable to the processing of your data.

3. Types of processed personal data

We process visual data based on which we can identify you based on your appearance or other specific factors when you enter a monitored space. In other words: we process your camera footage if you work at our sites or enter our sites where camera surveillance is active. Normally, we have audio recordings turned off.

4. Purpose:

We use surveillance cameras for the following purposes:

  • Protect breweries’ property from damage, vandalism and other crimes;
  • Support day-to-day management, including ensuring the health of employees, complying with the commitment to protect the safety of employees and stakeholders;
  • Support internal investigations of security & safety and product quality when necessary;
  • Assist law enforcement agencies in the prevention, detection and prosecution of crime;
  • Assist in the effective resolution of disputes arising in the proceedings and discipline;
  • Assist in defense, providing evidence for any civil action, including court proceedings.

5. Scope of application

Object: All HVN employees, contractors’ employees, third parties’ employees, and visitors.

Area: All areas where we are in charge of monitoring through the surveillance system, including internal aisles, corridors, offices, production areas, warehouses, yards, canteens, etc. (except for areas where legitimate privacy is required, such as toilets and changing rooms).

Monitoring time: 24/7

6. Data handling measures

We strive to minimize the impact of using camera surveillance on your privacy as much as possible. The measures we have taken to achieve this include:

  • Where cameras are located at our locations, we will ensure that signs are displayed at the entrance of the surveillance area to warn you that your images may be captured. Such signs will contain our contact details, the intended use of the surveillance system and who to contact for more information.
  • When using a video surveillance device, the device will be clearly displayed and there will be a message indicating its presence.
  • The monitoring system will not use the audio capture system.
  • The data recorded by the monitoring system are automatically deleted after 180 days for food safety points and 30 days for the remaining areas. This is for disciplinary investigations, complaints and quality investigations. Recorded images can only be viewed by individuals or at designated offices.
  • We will ensure that live camera feeds and recorded images are only viewed by approved personnel with access to that data. This may include certain employees involved in disciplinary investigations or grievance matters. Recorded images will only be viewed in designated secure offices.
  • Employees using the monitoring system have been trained to ensure they understand and comply with the legal requirements regarding data processing.
  • No surveillance cameras shall be placed in areas where there is a legitimate and objective expectation of privacy (e.g. in changing rooms or restrooms).

7. Data storage time:

The data recorded by the monitoring system are automatically deleted after 180 days for areas where surveillance cameras are installed for the purpose of ensuring food safety and 30 days for the remaining areas. This is for disciplinary investigations, complaints and products quality investigations. Recorded images can only be viewed by individuals or at designated offices.

At the end of the use period, all images stored in any format will be deleted permanently and in a secure manner. Any material used to store data such as tapes or discs will be disposed of as confidential waste. Any still images and hard copies will be disposed of as confidential waste.

The start time is the time of first recording in the area with surveillance cameras and the end time is the time of data deletion according to the time limit mentioned above.

8. Individual rights risk assessment 

Before introducing any new surveillance system, including placing a new camera anywhere in the workplace, we will carefully review current data protection laws and carry out a data privacy impact assessment where appropriate. Such an assessment is intended to assist us in deciding whether new surveillance cameras are necessary and whether they should be used or whether any limitations should be set on their use. We will look at the nature of the problem we are looking to solve at the time and whether surveillance cameras are likely to be an effective solution, or whether there is a better solution. We will look at the effects of surveillance cameras on individuals and carefully consider whether using them is appropriate to the problem identified.

We will ensure that existing uses of continuous camera surveillance are reviewed regularly, and in the event of any changes, to ensure that their use remains necessary and appropriate, and that any monitoring system is continuing to address the needs that underlie its use. 

9. Data sharing 

Data from surveillance cameras can be shared with and transferred to the following:

  • The HEINEKEN group: We are members of HEINEKEN Global. We may share your information within the HEINEKEN group (www.heinekencompany.com) if it is necessary to achieve the purpose for which we have collected your data. Within HEINEKEN, we can at least share camera material with Proseco BV. Proseco is HEINEKEN's own (internal) global security organization and service provider that provides expert security services and support for HEINEKEN operating companies.
  • The organizations and service providers we are working with: With the large amount of data generated by the monitoring system, we can store it using the cloud system. We will take all reasonable steps to ensure any cloud service provider maintains information security in accordance with standards, regulations set by the applicable laws on data privacy protection.
  • Our professional advisors;
  • Any law enforcement agency, court, regulatory agency, government agency or third party we believe is necessary to comply with a legal obligation or to protect our legal rights and any third parties.

10. Overseas data transfer

Your personal data may be transferred to another country. For example, this may happen if your data is stored in a data center outside your country, if we can remotely access your data from abroad, or if one of our IT providers provides on-site support and maintenance services from outside your country. The countries to which we transfer personal data may have different privacy standards than your country. We will always comply with applicable personal data protection regulatory requirements in your country with respect to data transfers abroad.

If we transfer your personal data to a country that does not provide an adequate level of protection, we will ensure that we put appropriate safeguards in place to protect your personal data or ensure that we are able to transfer your information in compliance with applicable personal data protection regulations.

11. Data security 

We will take appropriate technical, physical, and organizational measures to protect your personal information collected through the surveillance camera system from misuse or accidental or illegal destruction, loss, alteration, disclosure, acquisition or access, in accordance with applicable privacy and data security laws and practices on data privacy protection.

When we contract with any service provider, we require the service providers to use appropriate measures to protect the confidentiality and security of your personal data.

In case of a personal data breach, we have taken and will take internal measures to ensure that such incidents are identified and addressed without undue delay. We make every effort to prevent breaches of your personal data, as these can have an effect on your legal rights and interests, such as discrimination; damage to reputation; financial loss; or loss of confidentiality or any other significant economic or social disadvantage.

12. Your rights and obligations: 

12.1 Rights: 

You have certain rights regarding your personal information. We rely on your consent to process your data; you can withdraw your consent at any time, and you can object to some of the ways we use your personal data. You can make inquiries to us using the details below at any time:

  • To access your personal information (i.e. get an overview of your personal data that we process).
  • To have your personal information corrected, updated or deleted, or to limit the processing of your personal information.
  • To receive a copy of your personal information in a normal machine-readable format, or to have this information transmitted directly to another organization (if technically possible).
  • Complain to the local privacy authority.

We reserve the right to obscure, pixelate or blur third-party images when disclosing camera surveillance data to you as part of your request to access or receive data.

To help us locate the relevant footage efficiently and respond to your request as soon as possible, any request for copies of recorded images should include:

  • Clear time information;
  • The location where the footage was recorded;
  • Personal information (when necessary).

To ensure that we do not provide information about you to others, we may request your identification before we can process your request.

12.2 Obligations: 

You have all obligations under provisions of the applicable law & regulations on protection of personal data.

13. Effect of the Notice

This notice is made in two languages: Vietnamese and English. In case there is a difference in meanings between the Vietnamese and English versions, the Vietnamese version will prevail.

This Notice will be applied from Jan 1st, 2026. The Notice may be adjusted depending on the operating situation and the update of the Notice will be sent to you to read and confirm your consent.

 

VIII. HEINEKEN VIETNAM DATA SUBJECT RIGHTS POLICY (“DSR Policy”)

1. Introduction

This Data Subject Rights Policy (“DSR Policy” or “Policy”) sets out how Heineken Vietnam Brewery Limited Company and its branches, representative offices, and affiliates (hereinafter referred to as “HEINEKEN Vietnam”, “HEINEKEN”, “HVN”, “Company”, or “We”) receive and process requests from data subjects to exercise their rights under HVN’s Employee Data Protection Policy and the Customer, Supplier, and Business Partner Data Protection Policy (together referred to as the “Data Protection Policies”) and applicable laws on personal data protection. This DSR Policy outlines the obligations of HVN in facilitating the exercise of data subjects' rights.

“Data Subject” is an individual to whom the personal data relates. Within the scope of HVN’s operations, this includes, for example: HVN employees, former employees, job applicants, consumers, individual suppliers or business partners, or contact persons of business customers or suppliers.

DSR Policy is issued by HEINEKEN Vietnam to provide guidance for Data Subjects to exercise their rights regarding their personal data in accordance with HEINEKEN Group’s internal policies and applicable laws on personal data protection.

“Personal Data” refers to digital data or information in other forms that identifies or helps identify a specific individual (the Data Subject), comprising basic personal data and sensitive personal data. Personal data that has been de-identified shall no longer be considered personal data.

Details regarding the rights and obligations of the Data Subject and the corresponding responsibilities of HVN in data processing are specified in Appendix 3 attached to this Policy.

2. Content of the DSR Policy and obligations of HVN

HVN shall be required to ensure a timely and appropriate overall response to requests from Data Subjects to exercise their rights under the Data Protection Policy.

HVN shall ensure that Data Subjects are fully informed of the location and method for submitting requests to exercise any rights within the scope of this DSR Policy. Such information may be provided through a specific portal on the website, via a dedicated email address for Data Subject rights requests, or for employees, through a dedicated contact point within the local or global HR department. In all instances, personal data protection statements and notices must include a reference to the relevant contact point for request submissions.

This DSR Policy outlines the steps to be taken in the event a Data Subject requests to exercise any of their rights, as well as the roles and responsibilities associated with request processing (Appendix 1, including a flowchart reflecting the relevant steps and roles). It also specifies the criteria for determining request validity, the criteria for identity verification (Appendix 2), and any applicable exceptions or relevant limitations when fulfilling such requests (Appendix 3). 

3. Roles & Responsibilities for HVN

Contact Person: holding a relevant role within HVN who is known to the Data Subjects (who, in this context, may include: employees, former employees, retired employees, or job applicants) and serves as the point of contact for submitting Data Subject rights requests.

First point of contact: refers to HVN’s dedicated contact point, which may include a specific email or other addresses specified in the personal data protection notice, on HVN’s website or intranet, or as made known to Data Subjects. This serves as the channel for Data Subjects to submit relevant requests. These contact points consist of (1) the Data Subject rights request link, (2) the email address privacyvn@heineken.com, or (3) hotline 19001845.

Request Processor: refers to personnel from the Information Security/D&T Department or other relevant departments at HVN, who are granted access to IT systems to perform technical operations on personal data strictly within the scope of requests received from the Personal Data Protection Officer.

Information Security Officer: refers to the individual responsible for overseeing and ensuring that security measures meet technical security standards and maintain data integrity throughout all data processing activities.

Personal Data Protection Officer (“PO” or “Privacy Officer”): refers to the individual who shall bear the responsibilities set out below.

Global Privacy Office (Global Privacy Officer): shall be consulted in the event the PO has inquiries regarding a specific request and shall serve as the next-level point of contact for Data Subject requests, as well as for instances where a Data Subject has a complaint regarding the handling of their request.

Local Personal Data Protection Team: is appointed by the HVN Management Team (MT) to ensure compliance with the HeiRule on Data Protection, the HeiRule on Information Security, and applicable laws on personal data protection. (*)

(*) The roles and responsibilities of the HVN Local Personal Data Protection Team in processing Data Subject rights requests shall depend on the method by which the requester submits their request.

4. Response and Processing Timeframes 

HVN shall respond to and process Data Subject rights requests within the statutory timeframe from the receipt of the request to exercise such rights from the Data Subject.

If the Data Subject refuses to inform HVN of the grounds for their request, refuses to provide any further details regarding their request, or (if applicable) has not paid the processing fee, HVN shall nonetheless proceed with the processing of the request, unless: (a) the identity of the Data Subject has not been accurately verified; (b) the purpose of the request remains unclear (refer to Appendix 2); or (c) the request is manifestly unfounded or excessive.

5. Identification of the data subject

HVN shall verify the identity of each Data Subject to ensure that the correct action is performed on the right personal data. Appendix 2 sets out the criteria for verifying the identity of the requesting Data Subject. PO shall perform the identity verification of the requesting Data Subject in accordance with Appendix 2.

HVN shall not be required to verify the identity of the Data Subject in cases where they request to exercise the right to object to direct marketing purposes. In practice, this occurs when a Data Subject utilizes the opt-out or unsubscribe option regarding relevant communications (e.g., newsletters or alerts). Identity verification is not necessary for such requests, as the risk of unsubscribing the wrong individual is relatively low. Furthermore, Data Subjects must be provided with an easily accessible option to exercise their right to opt-out or unsubscribe.

In the event that the Data Subject fails to provide the necessary identification information, HVN shall refuse the request as further described in the procedure (Appendix 1) and in accordance with Appendix 2. 

6. Fees (if any), request and response formats 

In principle, HVN shall facilitate the exercise of all rights free of charge. However, for requests that incur actual costs associated with the provision or transfer of data (e.g., postal delivery fees for data records), the Data Subject shall be responsible for paying such incurred fees.

HVN is committed to establishing a transparent notification mechanism for cost estimates prior to fulfilling the request. Accordingly, the Data Subject shall have the option to:

  • Proceed with the request and confirm payment of the fees.
  • Adjust the method of receiving data to optimize the associated costs.
  • Withdraw the request if the incurred costs are found to be inconsistent with their needs. 

HVN shall respond in the language in which the Data Subject submitted the relevant request, except in cases where HVN chooses to respond in another language that it believes the Data Subject will understand and which is commonly accepted in Vietnam or the relevant country. HEINEKEN shall endeavor to receive and respond to data rights requests in electronic format, utilizing the templates provided in this Policy. HEINEKEN will only respond to requests via post or fax when the Data Subject has explicitly indicated a preference for communication via post or fax. 

In the event that the information provided to the Data Subject includes the personal data of other Data Subjects and/or HVN’s confidential information, HVN shall redact such information prior to disclosing the relevant documents to the requesting Data Subject.

In the event of a request for the right of access or data portability, where HVN is required to provide personal data to the Data Subject, the Data Subject shall be given the option to indicate whether they wish to receive such personal data via a secure communication method. HVN shall ensure that only the requested secure communication method is used, to the extent technically feasible.

In the specific cases mentioned, HVN may reject or refuse a Data Subject’s request as detailed in Appendix 3, including in instances of an 'overriding interest', where a compelling need for HVN exists that outweighs the interests of the Data Subject.

7. Managing and retention of individual requests 

PO shall be responsible for maintaining a repository for each Data Subject rights request and all communications exchanged in relation to the request, including identity verification and the response confirming that the request has been processed, as well as the name of the requesting Data Subject.

PO shall ensure that the repository is accurate and up-to-date, and that the retention period is appropriate for the purpose and the duration for which the requests and all exchanged information are to be retained. 

SCHEDULE 1. WORK FLOW

DATA PRIVACY RIGHTS REQUEST FORM FOR DATA SUBJECT:  

*You need to correctly provide this information in order for the request to be valid and enable HVN to respond within the required timeframe  

  1. Your Information:
    • Full name *
    • Phone number *
    • Email *
    • Function (if the data subject is an HVN employee)
  2. Your role*: You are a: (i) employee, (ii) consumer, (iii) customer, (iv) supplier, (v) business partner, (vi) other (please specify)
  3. Consent: If you provided us with consent to process your personal data in the past:
    • When did you give us consent:
    • How did you give us consent (e.g. via one of our applications/systems, in writing, …):
    • Where did you give us consent (e.g. at our offline events, …):
    • For what personal data*: (e.g. your name, date of birth, ID number, address, …)
    • For what purposes*:
  4. Content: What is your request:
  5. Identity proof: Attached proof of your identity (e.g. ID card, passport, employee number, …)
  6. Feedback method: How do you want us to get back to you (e.g. email, phone, post):

Example flow of a data subject request via email privacyvn@heineken.com

  

SCHEDULE 2. VERIFICATION OF IDENTITY AND ASSESSING REQUESTS

This Schedule includes the process and criteria for verification of the identity of the data subject and for assessing if the request is sufficiently specific, and if the request is not manifestly unfounded or excessive. 

Phase: Verification of identity

Verification (reason to reject):

  • Unverifiable phone number (failure to receive OTP, unable to establish contact, etc.);
  • Unclear or illegible copies (Data Subject information is unreadable);
  • Invalid or expired documents.

Action: Reject request and provide reasons

Phase: Procedural check

Verification (reason to reject):

  • Requirement to specify: What type of data? What timeframe? etc.
  • Vague description (e.g., insufficient detail and/or failure to provide evidence or valid reasons for certain statutory requests).

Action: Reject request and provide reasons

Phase: Legal Assessment

Verification (reason to reject):

  • Verify if the data is subject to legal exemptions (tax, accounting, etc.) that require mandatory retention by the company.

Action: Refer to PO for final rejection

Phase: Final Assessment

Verification (reason to reject):

  • Are there repetitive requests within a short period?
  • Is the request intended to obstruct or hinder the Company's operations?

Action: Refer to PO for final rejection

SCHEDULE 3. DATA SUBJECT RIGHTS AND OBLIGATIONS

This DSR Policy includes the following Data Subject rights and obligations:

1. Obligations of Data Subject:

Take full responsibility for the completeness, lawfulness, accuracy, and timely and full updating of any and all personal data provided to the Company in any form or format. The Company is entitled to assume that the personal data provided by the Data Subject is lawful, true, accurate, up-to-date, and complete in all respects, and is not required to verify such data, unless verification is a legal obligation of the Company under the law. The Company shall not be liable for any direct and/or indirect loss or damage caused to any party resulting from the provision of inaccurate personal data by the Data Subject in any form.

Be responsible for obtaining full and lawful consent from the Data Subjects and ensuring that all personal data provided to the Company including but not limited to the data of dependents and relatives (such as biological or adopted children, spouses, biological or adoptive parents, parents-in-law, and siblings) or any other individuals is collected, processed, and provided to the Company lawfully and in compliance with current personal data protection laws. The Data Subject commits that providing this data does not violate the rights or legitimate interests of any individual. The Data Subject agrees to indemnify and hold the Company harmless from any claims, disputes, demands, losses, damages, legal obligations, administrative penalties, or compensation liabilities (if any) arising from or related to personal data provided by the Data Subject that was not lawfully collected, lacks valid consent, is inaccurate, incomplete, or violates personal data protection regulations.

Respect and safeguard their own personal data and that of others.

Comply with personal data protection laws and participate in the prevention of personal data infringements as prescribed by data protection regulations.

Fulfill other obligations of Data Subjects as prescribed by law.

2. Rights of Data Subject: 

Right to be informed: To be informed of their personal data processing activities, unless otherwise provided by law.

Right to consent: To give or withhold consent for the processing of personal data, except where personal data processing does not require consent as prescribed by law.

Right to access, view, edit, or request rectification of personal data: To have the right to request access, viewing, and editing of their personal data, and to request the Company to rectify such data in the event of changes, updates, and/or if the personal data being processed by the Company is inaccurate, unless otherwise provided by law. In cases where the provision of personal data may prejudice national defense, national security, social order, or safety, or to protect the life, health, or property of other individuals, HVN reserves the right to refuse the request and will clearly state the reasons.

Right to withdraw consent: To have the right to withdraw consent for the collection and processing of personal data hereunder, unless otherwise provided by law. To withdraw consent, the Data Subject shall submit a request to HVN, stating the reasons and the specific scope of the withdrawal. The withdrawal of consent shall not apply to personal data processing activities carried out prior to the time of the withdrawal request.

Right to request erasure, destruction, or de-identification of personal data: To have the right to request the erasure, destruction, or de-identification of their personal data, unless otherwise provided by law. If a request for erasure or destruction falls within cases where data processing is permitted without consent and/or violates the principles of exercising the rights and obligations of Data Subjects under personal data protection laws, HVN reserves the right to refuse the request and will clearly state the reasons.

Right to restriction of processing: To have the right to restrict personal data processing. HVN will continue to store the Data Subject's personal data but will temporarily halt other processing actions, unless otherwise provided by law. When a Data Subject wishes to restrict the processing of their personal data, they must submit a notice to HVN, stating the reasons and the specific scope of the restriction. The restriction of processing shall not apply to personal data processing activities carried out prior to the time the Data Subject requests such restriction.

Right to object to personal data processing: To have the right to object to the processing of their personal data, unless otherwise provided by law.

Right to claim damages: To have the right to claim damages in accordance with the law when there is clear evidence of the Company’s violation of personal data protection regulations, unless otherwise agreed by the parties or provided by law.

Right to complain, denounce, or initiate legal proceedings: To have the right to lodge complaints, denunciations, or initiate legal proceedings in accordance with the law.

Right to request the implementation of data protection measures: To have the right to request competent authorities or agencies, organizations, and individuals involved in personal data processing to implement measures and solutions to protect their personal data in accordance with the law.

Other rights of Data Subject as prescribed by law.

 

IX. HEINEKEN VIETNAM PERSONAL DATA BREACH NOTIFICATION POLICY 

1. Introduction

Every individual within HEINEKEN Vietnam (“HVN”) bears an obligation to protect personal data. This Personal Data Breach Notification Policy (“Policy”) applies in the event that HVN becomes aware (either internally or from a third party) that a security incident relating to personal data has occurred or is likely to occur.

A personal data breach:

May result in physical, material, and/or non-material damage to individuals;

May subject HVN to significant fines;

Shall, where required by law, be reported to the relevant Data Protection Authority and/or the affected individuals.

Therefore, if HVN discovers that a personal data breach, or potential breach, has occurred, HVN must immediately implement all necessary technical and organizational measures to remediate the incident and ensure the security of personal data. In all cases, the Global Privacy Office (GPO) shall be notified of a personal data breach promptly. Additionally, breaches are required to be reported to the Ministry of Public Security (“Data Protection Authority”).

It is essential that every individual at HVN knows how to identify a personal data breach (or potential breach) and the steps to be taken, while understanding the importance of acting swiftly to allow HVN to take action and comply with Security Procedures and any applicable legal obligations.

2. What is personal data?

Personal data is digital data or information in other forms that identifies or helps identify a specific person. Personal data includes basic personal data and sensitive personal data.

Basic personal data includes:

  • Surname, middle name, and given name at birth; other names (if any);
  • Date, month, and year of birth; date, month, and year of death or going missing;
  • Gender;
  • Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current residence, hometown, contact address;
  • Nationality;
  • Personal images;
  • Phone number, identity card number, personal identification number (Citizen ID), passport number, driver's license number, vehicle license plate number, personal tax identification number, social insurance number, and health insurance card number;
  • Marital status;
  • Information on family relationships (parents, children, spouse);
  • Information on an individual's digital accounts; personal data reflecting activities and activity history in cyberspace;
  • Other information associated with a specific person or that helps identify a specific person not belonging to the sensitive personal data group.

Sensitive personal data is personal data associated with an individual's privacy which, when infringed, will directly affect the legal rights and interests of that person, including:

  • Political views, religious views;
  • Health status and private life recorded in medical records (excluding blood group information);
  • Information relating to racial origin, ethnic origin;
  • Information on inherited or acquired genetic characteristics of an individual;
  • Information on physical attributes and unique biological characteristics of an individual (biometric data);
  • Information on an individual's sex life and sexual orientation;
  • Data on crimes and criminal acts collected and stored by law enforcement agencies;
  • Customer information of credit institutions, foreign bank branches, and payment intermediary service providers (including identification information, accounts, balances, deposits, deposited assets, transactions, etc.);
  • Location data of an individual determined through location services;
  • Other personal data prescribed by law as specific and requiring the application of strict security measures.

In its daily business operations, HVN processes personal data of employees, consumers, customers, visitors, business partners, and suppliers of HVN.

3. What is a personal data breach?

A personal data breach is a security incident resulting in the unauthorized collection, access, use, or disclosure of unencrypted personal data that compromises the confidentiality or privacy of such information. This Policy pertains to security incidents involving personal data that is stored, transferred, controlled, or otherwise processed (collectively referred to as "processed") by HVN.

The use or access may include:

  • Destruction of personal data: occurs when the data no longer exists or no longer exists in a form of information that is useful to HVN.
  • Loss of personal data: occurs when the data may still exist, but HVN has lost control over, access to, or possession of such data.
  • Alteration: occurs when personal data has been changed, becomes inaccurate, or is no longer complete.
  • Unauthorized or unlawful processing: may include the disclosure of personal data to (or permitting access by) recipients not authorized to receive (or access) the data, or any other form of processing of personal data that violates applicable privacy laws.

Examples:

  • HVN's network is infected with ransomware (a type of malware that encrypts HVN's data until a ransom is paid).
  • An unencrypted device, such as a USB drive containing personal data, is lost or stolen.
  • HVN sent an email to the wrong mailing list, or HEINEKEN made an error during the BCC/CC process.
  • A briefcase containing documents with personal data is lost or stolen.
  • One of HEINEKEN’s online marketplaces is subject to a cyberattack, and usernames and purchase histories are published online by an attacker.
  • Personal data is leaked from a secure website managed by HEINEKEN during a cyberattack. 

4. What are HEINEKEN’s responsibilities?

In the event that a personal data breach has occurred, or may potentially have occurred, HVN must immediately implement all necessary technical and organizational measures to remediate the incident and ensure the security of personal data.

If the notification criteria are met, HVN shall notify the relevant Data Protection Authority and/or the affected individuals of the breach.

If a personal data breach meets the requirements set forth in the Security Procedure (security incident – occurred due to unauthorized access or other intended use of personal data – affecting the confidentiality or privacy of such information – posing a high risk to the data subjects concerned): the breach must be reported to the GPO. The GPO may also require HVN to notify the relevant individuals.

HVN shall maintain records of all breaches occurring within the organization. Such records must include information regarding the facts surrounding the breach, its effects, and the remedial actions taken to address the breach.

5. What are the consequences of non-compliance?

HVN faces the risk of reputational damage due to the failure to secure personal data and will be subject to substantial fines in the event of non-compliance with applicable laws.

6. Employee responsibilities

Every employee is responsible for ensuring compliance with the internal procedures for reporting a breach, or a potential breach, as set forth in this Policy immediately upon becoming aware of it. Consequently, every colleague must contact the Global Service Desk (GSD) or the IT Helpdesk at HVN without delay in the event of a potential personal data breach.

For a comprehensive overview of HVN’s personal data breach process, please refer to the process flowchart here:

7. Where to report a personal data breach internally?

When an employee notices signs (internally or from a third party) of a security incident relating to personal data that has occurred, or may potentially have occurred, the employee must report the incident immediately.

Incidents must be reported immediately by creating a ticket in ServiceNow, either through the GSD Self Service portal, by calling the GSD team, or by assigning it to HVN’s IT Helpdesk.

Where a Data Processor is involved, the Data Processor shall immediately report the security incident directly to HVN’s IT Helpdesk or through the contact person specified in the Data Processing Agreement (DPA).

Important Note: Any sensitive data breach must be reported to the Ministry of Public Security no later than 72 hours after discovery. For breaches involving location and biometric data, the organization is required to notify the Data Subject of both the nature of the incident and the damage mitigation measures.

8. Global Service Desk or HVN IT Helpdesk 

Colleagues must report incidents potentially involving personal data through GSD Self Service, or by calling the GSD team or HVN IT Helpdesk.

During the incident reporting process, the reporter is required to provide specific details, if available, regarding the potential or actual personal data breach, such as when the incident occurred, the types of personal data potentially involved, the individuals who may be affected, etc.

Once the incident has been raised, an automated email notification will be sent to the Data Breach Incident Response Team at HVN, including the HVN Privacy Officer (PO).

When more than one HEINEKEN entity is (potentially) affected by a breach, the HEINEKEN Global Service Desk (GSD) will also assign the incident to the relevant Security Incident Handling Team, as well as the POs and the GPO.  

9. Security Incident Handling Team 

The “Security Incident Handling Team” consists of the HVN Privacy Officer and the HVN Cyber Security Officer (CSO) depending on whether the security breach is identified at local (Vietnam) level or at Global Function level. The Security Incident Handling Team is responsible for handling the IT related matters of the security incident. 

The functions within the Security Incident Handling Team and their responsibilities:

Security (CSO):

  • Collects additional information about the breach, including the circumstances of the breach and the affected individuals (if any)
  • Takes the necessary steps to remedy the breach and keeps track of the progress in closing the remedy
  • Immediately and constantly updates and/or consults the Privacy Officer (email/meetings), both when there is a report and when taking remediation steps
  • Ensures that all documentation regarding the breach has been added to ServiceNow

Legal (PO):

  • Identifies remediation steps and closely follows the remedy progress
  • Reports the data breach to the Data Protection Authority within the regulated timeframe (including a report on the delay in handling the breach when it is impossible to provide remediation within the required timeframe)

Functional stakeholder:

  • Collaborates with and supports the CSO and PO when needed

When more than one HEINEKEN entity in more than one country is affected by the breach, the Security Incident Handling Team will also immediately notify and work with the other relevant Privacy Officer(s) and the Global Privacy Officer, and work with the other relevant Security Incident Handling Team(s).

When a Data Processor is involved, the Security Incident Handling Team will also work with the Personal Data Breach Team of the Data Processor. 

10. HVN Privacy Officer

The 'HVN Privacy Officer' is responsible for handling the security incident.  When the HVN Privacy Officer is notified that an incident has occurred, the HVN Privacy Officer will need to: 

  • validate if the data involved is indeed considered as personal data and assess if the incident concerns a potential personal data breach that requires further investigation and/or potential notification. If so, alert, connect and work together with the Security Incident Handling Team and other relevant Subject Matter Experts. If not, instruct the CSO to close the ticket in ServiceNow;
  • establish the facts about the personal data breach, as well as the likelihood and severity of the risk to the affected individuals. To do this, the Privacy Officer will work together with the CSO and, where needed, other Subject Matter Experts;
  • assess if the incident qualifies as a personal data breach that requires notification to the Data Protection Authority; 
  • inform the Global Privacy Office of the personal data breach; 
  • ensure that the personal data breach is notified as required and within the applicable notification term;
  • in case the individuals must or should be informed, work together with the HVN Corporate Affairs team on the drafting and communication of the notice;
  • identify remediation steps in joint collaboration with the CSO and relevant HEINEKEN teams; 
  • document the personal data breach in the register by using the ‘personal data breach register’ template in OneTrust; 
  • ensure that there is always a back-up for the Privacy Officer role in case the Privacy Officer is not available. The back-up Privacy Officer must be included in the Security Incident Handling Team group in ServiceNow.

When more than one HEINEKEN entity in more than one country is affected by the breach, the local Privacy Officer will also work with the other relevant Security Incident Handling Team(s), the other relevant Privacy Officer(s), the Global Privacy Officer and Global or Regional Security Operations and the other relevant Corporate Affairs Team(s) and the Global or Regional Corporate Affairs Team.

When a Data Processor is involved, the local Privacy Officer may choose to also work with the Personal Data Breach Team of the Data Processor. 

11. HVN Corporate Affairs

Corporate Affairs shall work with the Privacy Officer to draft and send responses to individuals when required. Corporate Affairs shall use the notification templates provided by the Privacy Officer. Corporate Affairs may always reach out to Global Corporate Affairs when additional support is required.

When more than one HEINEKEN entity in more than one country is affected by the breach, the local Corporate Affairs Team will also work with the other relevant local Corporate Affairs Team(s), the Global Corporate Affairs Team, the other relevant Privacy Officer(s) and the Global Privacy Officer.

12. Global Privacy Officer 

The Global Privacy Office, headed by the Global Privacy Officer, must be informed without undue delay of all personal data breaches that require notification to the Data Protection Authority. The Global Privacy Officer may instruct HVN to inform affected individuals of the personal data breach, where there is no legal obligation to notify individuals under Vietnam law. The instructions of the Global Privacy Officer must be followed by HVN.

The local Privacy Officer consults the Global Privacy Officer when additional support is required and when a (potential) personal data breach appears to involve more than one country. 

When more than one HEINEKEN entity in more than one country is affected by the breach, the Global Privacy Office coordinates and strives to ensure consistency in personal data breach handling amongst the local Privacy Officers and works with Global or Regional Corporate Affairs in case communication with affected individuals is required.

13. Global / Regional Corporate Affairs

Local Corporate Affairs consults Global or Regional Corporate Affairs when additional support is required for the evaluation of any external and/or internal communication needed regarding the personal data breach.

When more than one HEINEKEN entity is affected by the breach, Global and/or Regional Corporate Affairs coordinates amongst the Local Corporate Affairs teams and works with the Global Privacy Officer for the handling of the external and/or internal communication.

14. Crisis Management

HEINEKEN has a Crisis Management process in place which applies to this Personal Data Breach Policy as well. If required, the Crisis Management process will be applied by the Security Incident Handling Teams. 

15. Notifying individuals 

All notifications of personal data breaches to affected individuals must be drafted in joint collaboration by the Corporate Affairs Team and the Privacy Officer.

HVN Corporate Affairs Team will determine how to notify individuals on a case-by-case basis (e.g. who within HEINEKEN the notification should come from, the format and whether it is done by individual or mass communication). 

Where appropriate, the notice should also include specific advice to individuals to protect themselves from possible adverse consequences of the breach, such as resetting passwords in case their log-in credentials have been compromised. 

Notifications to individuals of personal data breaches should be separate from any other communications such as regular updates, newsletters or standard messages. The notification must be clear and transparent.

16. Registration

The HVN Privacy Officer has overall responsibility in ensuring that all relevant information regarding a personal data breach is registered in OneTrust. When no further investigation is required, the HVN Privacy Officer instructs the CSO to close the ServiceNow Incident ticket. 

All personal data breaches follow the above registration process, including those that were not reported to the relevant Data Protection Authority. 

The information required to complete the register in OneTrust includes:

  • Details of the breach, including:
    - Time
    - Location
    - The cause(s)
    - Description of the incident/violations
    - Organizations, individuals, types of personal data and the quantity of relevant personal data
  • Personnel in charge of protection of personal data:
    - Full name
    - Title
    - Phone number
    - Email
  • The effects and consequences of the breach;
  • Details of the steps taken to remedy the breach;
  • Whether or not a local legal requirement to notify personal data breaches to the Data Protection Authority and/or individuals exists;
  • If such local legal requirement exists: the reasoning for a decision not to notify, or not to notify within the required time period, and evidence to justify any such delay;
  • Where the breach was notified to the relevant Data Protection Authority and/or affected individuals, a copy of the notification(s) and evidence to demonstrate that the notification was provided timely and in a transparent and effective manner.

This information will be held in OneTrust for a period of 3 years following the date on which the personal data breach was registered, unless applicable local law indicates a longer retention period. 

17. Administrative information

Contact person

Nguyen Lan Huong
HEINEKEN Vietnam Privacy Officer
NguyenLan.Huong@heineken.com

Bui Duc Thao
HEINEKEN Vietnam Data Protection Officer 
BuiDuc.Thao@heineken.com 

Nguyen Duc Phat
HEINEKEN Vietnam Security Coordinator
nguyenduc.phat3@heineken.com

 

X. CONTACT INFORMATION

If you wish to exercise any of the rights listed above and/or report any privacy violations, or if you have any questions or comments regarding this Notice and our privacy standards, you may contact us at the email address privacyvn@heineken.com or hotline 19001845 or send a letter to us at Floors 18 & 19, Vietcombank Tower, No. 5 Me Linh Square, Sai Gon Ward, Ho Chi Minh City. 
