Personal Data Privacy Policy
This Personal Data Privacy Policy (hereinafter referred to as “Privacy Policy” or “Policy”) is applied at Vietnam Australia International School and Vietnam Australia International Education Corporation (collectively referred to as “VAS”).
By registering to learn, registering to use, using the Products, Services, entering into contracts and/or providing Personal Data to VAS on any platform and/or in any form that allows VAS to process Personal Data, the Data Subject has read, understood, accepted unconditionally all contents as mentioned in this Policy and any changes (if any) from time to time.
1. DEFINITIONS
Terms used in this Policy shall be construed and defined as follows:
1.1 Personal Data: means electronic information in the form of symbols, letters, numbers, images, sounds, or equivalences associated with an individual or used to identify an individual. Personal Data includes General Personal Data and Sensitive Personal Data.
1.2 Personal Data Processing: means one or multiple activities that impact on Personal Data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data or other relevant activities.
1.3 Products, Services, Utilities of VAS (hereinafter referred to as “Products, Services”): includes products, services, utilities of VAS and/or products, services and utilities of third parties with which VAS cooperates.
1.4 VAS’s Campuses: are the schools under the management of VAS at certain times.
1.5 Data Subject: means an individual reflected by the Personal Data, including all parents, students, legal guardians of students who register to learn about, or are using Products, Services, users of VAS's digital platforms, employees, collaborators, potential candidates, shareholders, other individuals who are related or have arisen relation of using and providing products, services, labour relation or other legal relation with VAS.
1.6 Personal Data Provider (hereinafter referred to as “Provider”): means an individual or an organization on behalf of or with the consent of the Data Subject to provide his/her Personal Data to VAS.
1.7 Data Controller: means an organization or an individual that decides purposes and means of Personal Data Processing.
1.8 Data Processor: means an organization or an individual that performs Personal Data Processing on behalf of the Data Controller via a contract or an agreement with the Data Controller.
1.9 Data Controller-cum-Processor: means an organization or an individual who simultaneously decides purposes, means and directly processes Personal Data.
1.10 Permitted Third Party: means an organization or an individual other than the Data Subject, Data Controller, Data Processor, Data Controller-cum-Processor authorized for Personal Data Processing, including but not limited to any third party processing Personal Data on behalf of the Data Processor, any third party authorized to process Personal Data with the consent of the Data Subject in this Policy and agreements, documents with the Data Subject.
1.11 VAS Platform: means website of VAS at www.vas.edu.vn and VAS’s mobile application.
1.12 Cookies: are small amounts of data sent to the Data Subject’s web browser from a web server and stored on the hard drive of the Data Subject's computer. The VAS Platform may use cookies to store and, at times, track information about Data Subject. Some features of the VAS Platform may require Data Subject to accept cookies in order to function properly.
2. TYPES OF PERSONAL DATA TO BE PROCESSED
2.1 In order for VAS to be able to process for the purposes specified in Section 3 of this Policy and comply with other relevant laws governing VAS's operations, VAS will need to collect and process the types of Personal Data (including General Personal Data and Sensitive Personal Data) of the Data Subject as listed below. These types of Personal Data may be changed depending on the time and the relationship between the Data Subject and VAS:
a) Last name, middle name and first name, other names (if any);
b) Date of birth; date of death or going missing;
c) Gender;
d) Place of birth, registered place of birth, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address;
e) Nationality;
f) Personal image; information obtained from security systems, including audio and video recordings of the Data Subject on the camera system, surveillance cameras at VAS’s Campuses and Head Office;
g) Phone number, identity card number, personal identification number (citizen identification number), passport number, driver's license number, license plate number, taxpayer identification number, social insurance number, health insurance card number and other relevant information (such as tax payment information, insurance payment information, etc.);
h) Marital status;
i) Information about family relationships (parents, spouses, children, etc.);
j) Email;
k) Handwriting, signatures including electronic signatures;
l) Educational and employment history (including reference documents); information about education, degrees, certificates;
m) Payment information, such as bank account number, credit card number, and any other payment details;
n) Account information, such as user ID and password, account usage history of Data Subject, detailed information about Products or Services the Data Subject has purchased or obtained on the VAS Platform (if any);
o) Technical information and web data such as Internet Protocol (IP) address, login data of Data Subject, browser type and version, time zone setting and location, types and versions of browser plug-ins, operating system and platform, international mobile device version, device identifier, Cookie(s), how Data Subject uses and views any content on the VAS Platform, and other information and technologies on the devices Data Subject uses to access this Platform;
p) Data Subject’s voice through recorded phone calls (if applicable);
q) Health-related information, blood type in health examination reports, information in judicial background reports that Data Subject provides (if applicable);
r) Information about income and personal income tax of Data Subject (if applicable);
s) Information about ethnicity, religion, and political affiliation of Data Subject (if applicable);
t) Information about an individual’s own biometric or biological characteristics;
u) Information about genetic data related to an individual's inherited or acquired genetic characteristics;
v) Data on crimes and criminal activities collected and stored by law enforcement agencies;
w) Any other data or information that Data Subject voluntarily provides through VAS Platform or directly to VAS during Data Subject’s use of Products, Services;
x) Other relevant information affecting (directly/indirectly) or arising/relating to the establishment, provision and evaluation of activities of providing Products, Services, labour relations or other legal relations with VAS in accordance with the law.
2.2 If Data Subject chooses to register/link Data Subject’s accounts on VAS Platform with other social media accounts of Data Subject, Data Subject allows VAS to access, collect and process Personal Data that Data Subject voluntarily provided to the social media account providers in accordance with their policies, and VAS will manage and use Personal Data of Data Subject in accordance with this Policy at all times.
2.3 If Data Subject provides VAS with any personal data from any third party, Data Subject represents and warrants that the Data Subject has obtained the necessary consent, licenses, and permissions from that third party to share and transfer Personal Data to VAS, and for VAS to collect, store, use, disclose, and/or process that data in accordance with this Policy. Data Subject must provide VAS with legally valid documentation to demonstrate that the Data Subject has obtained the necessary consent and permissions.
3. PURPOSE OF COLLECTION, USE, AND DISCLOSURE OF PERSONAL DATA
3.1 The Personal Data may be processed by VAS or a Data Processor or a Permitted Third Party to serve one or more of the following purposes:
a) To verify identity of the Data Subject and manage the online account that the Data Subject may have set up with VAS;
b) To provide Products, Services to the Data Subject;
c) To verify and process online financial transactions related to payments (if any);
d) To contact the Data Subject in order to process and respond to any inquiries, feedback, complaints, or disputes of the Data Subject, whether directly or through any outsourced customer service providers;
e) To contact the Data Subject for the purpose of communicating information, transaction contents, providing updates on changes in Products, Services, delivering invoices, statements, reports, receipts, payment vouchers;
f) To inform the Data Subject about Products and Services offered by VAS or partner companies, or to seek Data Subject’s feedback on current Products and Services or potential new products and services;
g) To send the Data Subject advertising/promotional materials from VAS or any of VAS’s Campuses, whether directly or through any advertising partners and strategies of VAS; to collect the Data Subject’s opinions through surveys and other forms of commercial promotion in accordance with the law;
h) To improve VAS Platform and enhance Products and Services;
i) To conduct market research on demographics, preferences, and advertising or purchasing behaviours, as well as other user behaviours;
j) To provide the Data Subject with information that VAS believes may be useful to the Data Subject or that the Data Subject has requested from VAS, including information about Products and Services or those of VAS’s Campuses;
k) To verify candidates’ eligibility, evaluate dossiers, documents for the purpose of appraising and evaluating candidates' qualifications, registering candidate profiles and serving the recruitment process;
l) To sign and manage employment contracts and agreements with candidates and employees;
m) To train, examine and evaluate work quality and compliance with obligations specified in contracts, agreements and commitments between employees and VAS;
n) To enforce the requirements of the Data Subject and fulfil the obligations as specified in contracts, agreements, terms, conditions and other documents between VAS and the Data Subject, including but not limited to:
- To perform obligations under contracts, agreements with the Data Subject and other documents on the provision of Products, Services for the Data Subject, including providing information to VAS’s service providers (legal consultants, financial consultants, etc.) to fulfil these obligations;
- To monitor, urge and evaluate the fulfilment of obligations of the Data Subject to VAS;
- To manage benefits or interests relating to VAS's relationship with the Data Subject or arising from the Data Subject's participation in events, advertising/marketing campaigns or similar programs;
- To resolve, investigate complaints, initiate lawsuits with the Data Subject.
o) To administer internal operations, business activities and manage internal risk of VAS, including but not limited to:
- To ensure the lawful business purposes of VAS in cases that VAS considers necessary, including communicating with VAS’s partners, service providers;
- To enter data, check the completeness, accuracy and legality of the Personal Data collected by VAS;
- To comply with agreements and contracts between VAS and other third parties;
- To fulfil its obligations of report, finance, insurance, accounting and tax;
- To perform activities for the purposes of auditing, risk management and compliance, archiving.
p) To comply with applicable laws and international treaties to which Vietnam is a member, including but not limited to:
- To comply with the obligation to provide to competent state agencies in accordance with the law;
- To generate data, reports and statistics upon requests of competent authorities in accordance with the law;
- To comply with all applicable laws (including but not limited to legislative documents, laws, decrees, directives, official dispatches, etc.) and/or any competent authority’s requests and comply with international treaties.
q) To perform transactions such as transferring, disposing, merging or buying and selling, exchanging for operations and assets of VAS;
r) Any purpose described to Data Subject at the time of collecting Personal Data of Data Subject.
(Collectively referred to as "The Purposes")
3.2 For the avoidance of doubt, by accepting this Policy, the Data Subject agrees that VAS, its affiliated companies, subsidiaries, members of XCL Group and TPG Group are entitled to process Personal Data (including Personal Data updated in the future) for all of the above purposes. VAS will obtain permission of the Data Subject before using Personal Data for purposes other than those stated in this Policy and other contracts, agreements, terms, conditions and documents established with the Data Subject.
4. METHOD OF PERSONAL DATA PROCESSING
4.1 Depending on the purpose of Personal Data Processing, VAS or its Data Processor or the Permitted Third Party may apply appropriate processing methods including but not limited to automatic methods, manual methods or other methods of Personal Data Processing in accordance with the laws and regulations of VAS from time to time.
4.2 Personal Data of the Data Subject will be stored and processed either in its entirety or in parts in Vietnam and/or overseas, including cloud storage solutions. If the Data Subject accesses VAS Platform from a location outside of Vietnam, such usage is understood as the Data Subject’s consent to transfer Personal Data outside of that country/territory and send it to Vietnam.
4.3 The storage of Personal Data is carried out for the period necessary to fulfill the purposes as agreed with the Data Subject in this Policy, contracts, agreements, other documents established with the Data Subject, except where it is or must be stored longer as required by the laws from time to time.
4.4 Upon receiving the Data Subject's request to withdraw consent, object to processing and restrict processing, VAS will continue to store and not delete Personal Data in the following cases:
a) The deletion of Personal Data is prohibited by law or there are requirements of storage time;
b) The Personal Data is processed by the competent state agency with a view to serving operations by such agency as prescribed by law;
c) The Personal Data has been disclosed as prescribed by law;
d) The Personal Data is processed with a view to serving law, scientific research and statistics as prescribed by law;
e) In the event of a state of emergency on national defense, security, social order and safety, major disasters, or dangerous epidemics; when there is a risk of threatening security and national defence but not to the extent of declaring a state of emergency; to prevent and combat riots and terrorism, to prevent and combat crimes and law violations according to regulations of law;
f) It is required to respond to emergent cases that threaten the life and health or the safety of the Data Subject or other persons.
4.5 VAS can process Personal Data without the consent of Data Subject in the following cases:
a) The Personal Data is processed to protect the life and health of the Data Subject or others in an emergency situation;
b) Disclosure of Personal Data in accordance with the law;
c) Other cases as prescribed by law.
5. RIGHTS AND OBLIGATIONS OF DATA SUBJECT
5.1 Rights of Data Subject
a) The Data Subject may request VAS to provide detailed information of the provisions of this Policy or request to rectify its Personal Data according to VAS's instructions.
b) To be respected by VAS and VAS shall make efforts to protect rights of the Data Subject: (1) Right to know; (2) Right to consent; (3) Right of access (including viewing, rectifying or requesting correction of Personal Data); (4) Right to withdraw consent; (5) Right to delete data; (6) Right to restrict data processing; (7) Right to provide data; (8) Right to object to data processing; (9) The right to complain, denounce and initiate lawsuits; (10) Right to claim damages; (11) Right to self-defence.
c) When exercising his/her rights, the Data Subject understands and agrees that:
- VAS maintains measures to protect against unauthorized or unlawful access and/or destruction, loss, damage of Personal Data and considers the legitimate interests of the Data Subject, capabilities and systems of VAS from time to time. With reasonable efforts, VAS will fulfil lawful and valid requests from the Data Subject within the capacity and time in accordance with the law;
- The requests of Data Subject will have to comply with the process, procedures specified by VAS; be received at VAS's Campuses or Head Office, or other methods prescribed by VAS from time to time;
- For security purposes, the Data Subject may need to make its request in writing or use another method to prove and verify the Data Subject's identity. VAS may require the Data Subject to verify and authenticate his/her identity before processing the Data Subject's request;
- VAS reserves the right to decline the Data Subject's request in some cases: (i) The Data Subject fails to comply with the order and procedures guided by VAS; or (ii) VAS is unable to identify the Data Subject or is unable to verify the accuracy and completeness of the Personal Data and/or the Data Subject fails to provide or provides incomplete papers and documents to verify its identity, the accuracy and completeness of Personal Data; or (iii) VAS evaluates that there are signs of forgery, fraud, violation of Personal Data protection; or (iv) There is a dispute (including indications only) between the Provider and the Data Subject; or (v) The Data Subject does not accept the consequences or damages as prescribed in Section 7.2 of this Policy; or (vi) The Data Subject's request is not permitted by the law to be fulfilled.
5.2 Obligations of Data Subject
a) To protect, control and process his/her own Personal Data;
b) To respect and protect others’ Personal Data;
c) To fully and accurately provide his/her Personal Data and documents to verify the Personal Data in accordance with this Policy;
d) To timely notify rectification and update of all changes and errors in the Personal Data provided to VAS together with documents proving the rectification or change of Personal Data;
e) To participate in dissemination of Personal Data protection skills;
f) To comply with regulations of law on protection of Personal Data and prevent violations against regulations on protection of Personal Data;
g) To research and carefully study provisions of Decree 13/2023/ND-CP on Personal Data protection and its amendments and supplements (if any), especially content related to rights and obligations of the Data Subject to participate in activities and use data in cyberspace responsibly and safely;
h) To immediately notify VAS if discovering or suspecting that the Personal Data has been exposed which may lead to risks in the process of using Products, Services at VAS or that there is any breach of Personal Data protection under this Policy that may be recognized by the Data Subject;
i) To regularly check VAS's official website for updating and following any changes (if any) related to this Policy;
j) Other obligations as prescribed by law.
6. DURATION OF PERSONAL DATA PROCESSING
6.1 Start Time: VAS will begin Personal Data Processing upon receipt of Personal Data with the consent of the Data Subject or the Provider's commitment to the Data Subject's consent regarding the Personal Data Processing in accordance with this Policy.
6.2 End time:
VAS will stop Personal Data Processing when (whichever comes last):
a) There is any Data Subject’s written request;
b) Legal agreements between the Data Subject and VAS are terminated or the Parties have fulfilled all obligations related to agreements;
c) Disputes, complaints have concluded with a valid agreement/judgment/decision of a competent state agency;
d) The processing purpose has been completed with the Data Subject’s consent;
e) The archival obligation has been fulfilled as prescribed by law;
f) According to the law.
7. UNDESIRABLE CONSEQUENCES AND DAMAGES THAT MAY OCCUR
7.1 When VAS processes Personal Data
The Personal Data Processing always carries a risk of data leakage or inappropriate data processing. VAS is aware of the importance and responsibility of the protection of Personal Data, commits to apply appropriate protection measures in accordance with applicable laws and regularly review and update the best technical measures to ensure the safety of Personal Data Processing, make maximum efforts to prevent risks and limit undesirable consequences and damages that may occur, and protect legitimate rights and interests of the Data Subject and VAS.
7.2 When VAS processes the request of the Data Subject's rights
a) The Data Subject’s consent withdrawal, data deletion request, processing restriction, objection to Personal Data Processing and/or performance of other rights relating to any or all of the Personal Data may affect the ability to provide/maintain Products, Services to the Data Subject. Depending on the nature of the Data Subject's request, VAS may consider and decide to refuse or not continue to provide Products, Services to the Data Subject. Acts performed by the Data Subject pursuant to this clause shall be considered as a unilateral termination of the agreement on the part of the Data Subject for any relationship between the Data Subject and VAS and may completely lead to a breach of obligation or commitment under contracts, agreements or other documents between the Data Subject and VAS. Accordingly, the Data Subject shall be responsible for any arising loss and VAS's legal rights will be expressly reserved with respect to the limitation, restriction, temporary suspension, cancellation, and prevention to requests related to such Personal Data.
b) Any requests to delete data, withdraw consent, limit or object to data processing will not affect the legitimacy of VAS's previous data processing activities.
c) For the request to view and edit the Personal Data, the Data Subject understands and agrees that in some cases caused by technical reasons, the system's responsiveness, VAS's infrastructure, the requirement to verify the Personal Data before editing in accordance with the law or for other reasons it may affect and limit the scope of types of Personal Data, the way in which the Data Subject can access, view and edit.
8. CHANGE OF PRIVACY POLICY
VAS reserves the right to change, modify, or update this Privacy Policy at any time as long as such changes or updates are not in violation of applicable laws. Any changes or updates will be notified to the Data Subject by email or SMS message or phone call.
9. CONTACT INFORMATION
If the Data Subject has any questions regarding this Privacy Policy or any other inquiries related to how VAS manages, protects, and/or processes Personal Data of the Data Subject, please contact VAS via the following information:
Tel: (84 28) 38 687 576
Email: info@vas.edu.vn
Address: 594 Ba Thang Hai Street, Ward 14, District 10, Ho Chi Minh City, Vietnam