Statement of Policy

1. Savills Vietnam Co., Ltd. (“Savills”) respects personal data privacy and is committed to implementing and complying with the data protection principles and provisions under Decree No. 13/2023/ND-CP on personal data protection issued by the Government on 17 April 2023, valid from 01 July 2023, and any replacement legislation coming into effect from time to time (hereinafter referred to as “Decree 13/2023/ND-CP”).

Statement of Practices

Categories of Personal Data Held

2. Savills holds the following categories of personal data:

Employment-related records which include data on job applications, personal particulars, education and qualifications, employment history, salary and allowances, terms and conditions of service, housing and medical benefits, leave records, training and development, appraisal reports, conduct and discipline, etc.

General administrative records which include personal data collected in connection with the office administration functions, records containing information supplied by data subjects and collected in connection with the handling of enquiries and complaints made to Savills, etc.

Customer records which include personal data collected in the course of handling customers’ membership applications, transactions, complaints and enquiries, etc.; and

Other records which include administrative and programme records containing personal data.

These include:

2.1. General Personal Data

a. Last name, middle name, first name, other names (if any)

b. Date of birth; date of death or going missing

c. Gender

d. Place of birth, registered place of birth, permanent residence, temporary residence, current residence, hometown, contact address;

e. Nationality

f. Personal images

g. Phone number, ID card number, personal identification number, passport number, driver’s license number, plate number, personal tax code, social insurance number, medical insurance card number

h. Marital status

i. Information about family relationship (parents, children)

j. Information about individuals’ digital accounts; Personal Data reflecting activities and operation history in cyberspace

k. Information associated with an individual or used to identify an individual other than that specified as sensitive Personal Data.

2.2. Sensitive Personal Data

a. Political views, religious views

b. Health status and private life recorded in medical records, excluding information about blood type

c. Information related to racial origin and ethnic origin

d. Information about genetic or acquired characteristics of individuals

e. Information about the individual’s physical characteristics and biological characteristics

f. Information about the individual’s sex life and sexual orientation

g. Data on crimes and criminal activities collected and stored by law enforcement agencies

h. Information on Customers of credit institutions, foreign bank branches, payment service providers and other licensed institutions, including: Customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers

i. Data on the individual’s location determined through positioning services

j. Other Personal Data stipulated by law to be special and requiring necessary confidentiality.

Main Purposes of Keeping Personal Data

3. The main purposes of keeping the personal data are as follows:

Employment-related records are kept for a range of appointments and human resource management purposes, including postings and transfers, training and career development, performance appraisal and promotion, discipline, offer of benefits, etc.

General administrative records are kept for the purposes of carrying out various office administration functions, responding to and taking follow-up actions on enquiries and complaints, etc.

Customer records are kept for the purposes of handling customers’ membership applications, transactions, complaints and enquiries, etc.; and

Other records are kept for various purposes, which vary according to the nature of the records, such as procurement of stores and equipment, organisation of activities, etc.

Practices of Personal Data Handling

4. The practices at (a) to (f) below are implemented to ensure that personal data held by Savills is handled in accordance with the data protection principles enshrined in the Decree 13/2023/ND-CP.

(a) Collection of personal data

5. When collecting personal data, Savills will satisfy the following:

i. the purposes for which the data is collected are lawful and directly related to a function or activity of Savills

ii. the manner of collection is lawful and fair in the circumstances of the case; and

iii. the personal data collected is necessary but not excessive for the purpose(s) for which it is collected

iv. implement organizational and technical measures and appropriate safety and security measures to prove that the personal data is processed in accordance with regulations of the law on protection of personal data, review and update these measures when necessary

v. record and store log of the processing of personal data

vi. notify violations against regulations on protection of personal data according to regulations in Decree 13/2023/ND-CP

vii. select an appropriate Personal Data Processor with specific tasks and only work with the Personal Data Processor that has appropriate measures for protecting personal data

viii. protect the rights of data subjects according to regulations of Decree 13/2023/ND-CP

ix. be responsible to the data subject for damage caused by the processing of personal data

x. cooperate with the Ministry of Public Security and competent authorities in protecting personal data and providing information serving investigation and handling of violations against the law on protection of personal data.

6. When Savills collects personal data from an individual, the individual will be provided with a Personal Information Collection Statement before the collection and will grant consent in an appropriate format and manner. Practicable steps will be taken to ensure that:

i. the data subject is informed of whether it is obligatory or voluntary for him/her to supply the data and, if obligatory, the consequences for him/her if he/she fails to do so; and

ii. the data subject is explicitly informed of the purpose for which his/her personal data is to be used; the classes of persons to whom the data may be transferred or disclosed; the rights of the data subject to request access to and correction of the data, and the contact details of the individual to whom any such request may be made; the type of personal data to be collected; the organization or individual permitted to process personal data; and the rights and obligations of the data subject

iii. in case of the processing of sensitive personal data, the data subject shall receive notification thereof.

(b) Accuracy and retention of personal data

7. Personal data collected and maintained by Savills shall be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used. 

8. Savills maintains a personal data inventory, which contains the kinds of personal data that Savills holds; the purposes for which the personal data is collected, used and disclosed; and how the personal data is stored. The personal data inventory will be reviewed on an annual basis to ensure that it is accurate and up-to-date.

9. Personal data will not be kept longer than necessary for the fulfilment of the purpose for which the data is collected or used. Personal data that is no longer required should be erased unless such erasure of personal data is prohibited under any law or it is in the public interest for the data not to be erased. Should there be a need to retain the personal data for statistical purposes, such data will be anonymised so that the individuals concerned can no longer be identified.

10. A destruction exercise on records containing personal data will be conducted as and when necessary and in accordance with Savills’ records management guidelines and procedures. Destruction of paper records would be carried out by irreversible means, and electronic records would be cleared or destroyed from storage media before disposal by means of sanitisation or physical destruction.

(c) Use of personal data

11. All personal data collected will be used only for purposes which are directly related to the discharge of Savills’ duties and responsibilities. Personal data collected may be transferred to third parties during the discharge of Savills’ functions when necessary. Relevant personal data may also be disclosed to other entities which are authorised to receive information for the purposes of law enforcement, prosecution or review of decisions. Data subjects would be informed of the possible transferees of their personal data when their personal data is collected.

12. If personal data is to be used for a purpose other than the purposes for which the data is collected, express prior consent, preferably in writing, would be sought from the data subject concerned. In seeking the data subject’s consent, all practicable steps would be taken to ensure that (i) information provided to the data subject is clearly understandable and readable; and (ii) the data subject is informed that he/she is entitled to withhold his/her consent or withdraw his/her consent subsequently by giving notice in writing.

(d) Security of personal data

13. Savills strictly observes relevant security standards and regulations. Security arrangements will also be reviewed regularly to ensure that personal data is protected against loss and unauthorised or accidental access, use, disclosure, modification and erasure. The security arrangements adopted include but are not limited to the following:

i. restriction of access to personal data on a “need-to-know” basis

ii. regular review and enhancement of security measures for protection of personal data in the servers, user computers, transmission of electronic messages, etc.

iii. regular change of passwords for IT facilities, accounting and personnel systems, etc.

iv. encryption of all backup storage devices that are to be transported to offsite storage

v. staff access rights to office areas storing confidential information; and

vi. provision of clear guidelines to staff as to the types of data that may or may not be disclosed to a phone enquirer and implementation of appropriate identity verification procedures to confirm the enquirer’s identity.

(e) Transparency of the personal data policy and practices

14. The privacy policy and practices can be found on the Savills website.

(f) Data Subject’s rights and obligations

15. Data Subject has the right to be informed; consent; withdraw consent; delete Personal Data; restrict data processing; obtain Personal Data; object to processing; complain, denounce and sue; request compensation for damages; self-defend.

16. Data Subject has obligations to protect his/her own personal data; request relevant organizations and individuals to protect his/her personal data; respect and protect others’ personal data; fully and accurately provide his/her personal data when he/she consents to the processing; participate in dissemination of personal data protection skills; comply with regulations of law on protection of personal data and prevent violations against regulations on protection of personal data.

17. Savills recognises all Data Subject’s rights in accordance with the Decree 13/2023/ND-CP (hereinafter referred to as “Data Subject’s Right”). To perform Data Subject’s Right, an individual should complete the form specified by the Decree 13/2023/ND-CP and submit the completed form to Savills in any one of the following ways:

By email: [email protected]

By post or in person: Savills Vietnam – 18th floor, Doji Tower, 81-85 Ham Nghi Str., Nguyen Thai Binh ward, HCMC – Compliance & Risk Management Department.

18. When handling a Data Subject’s Right request, Savills will check the identity of the requester to ensure that he/she is the person legally entitled to perform Data Subject’s Right.

19. Savills maintains a Register on Requests for Data Subject’s Right recording the Data Subject’s Right requests received.

Organizations and individuals processing Personal Data

20. In case of receiving consent of the Data Subject and/or in accordance with the law, Savills may consider sending Personal Data to the following organizations and individuals:

i. Organizations and individuals in the territory of Vietnam

ii. Database management agency built by the Government

iii. The subject has the right to decide on the processing of Personal Data of a person declared missing or Personal Data and/or Personal Data of children according to regulations of Article 19 and Article 20 of Decree 13/2023/ND-CP

iv. Domestic organizations and individuals providing Personal Data Processing services

v. Competent authority as stipulated by law

vi. Other domestic organizations and individuals based on the compliance with the law and the consent of the Data Subject.

21. Your Personal Data may be transferred to, and processed in, countries other than the country in which you are a resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

22. Organizations and individuals outside the territory of Vietnam

i. Organizations, companies, and management departments of Savills abroad for processing in accordance with the purpose agreed by the Data Subject

ii. Foreign organizations and individuals providing Personal Data Processing services

iii. Competent authority as stipulated by law

iv. Other organizations and individuals in compliance with the law and with the consent of the Data Subject.

23. Cases of sending Personal Data outside the territory of Vietnam

i. In case of sending Personal Data to organizations or individuals as stipulated in Clause 22 above for processing according to the purpose agreed by the Data Subject;

ii. In case Savills processes Personal Data using an automatic system located outside the territory of Vietnam to meet technical requirements, in accordance with the purposes stipulated in Item (c) of this Policy and in accordance with regulations of the law.

24. We take steps to safeguard your Personal Data in accordance with this Privacy Policy Statement. Further details about the protection given to your Personal Data can be provided upon request by contacting us using the details herein.

25. Savills only transfers and processes Personal Data abroad after making a dossier on assessment of impact of outbound transfer of personal data and carrying out the procedures specified in Decree 13/2023/ND-CP.

Incident Reporting and Breach Handling

26. A mechanism is set up for incident reporting and breach handling in case there is loss or leakage of personal data, or there is a reason to believe that the personal data held by Savills has been compromised, in compliance with Decree 13/2023/ND-CP.

Ongoing Monitoring and Review

27. Savills will keep the Privacy Policy and Practices under regular review. Officers responsible for handling personal data will attend relevant training courses and keep up to date with personal data policies.