GENERAL TERMS AND CONDITIONS

ON PERSONAL DATA PROTECTION AND PROCESSING

These General Terms and Conditions on personal data protection and processing (“General Terms”) outline the procedures followed by Everest Securities Joint Stock Company (EVS) in the collection, processing and protection of the personal data of Data Subjects.

Article 1. Definition of terms.

The definitions of the terms used in these General Terms are as follows (unless otherwise defined by law):

1.1. “Personal data” refers to information presented in the form of symbols, letters, numbers, images, sounds or similar forms in the electronic environment, that is associated with an individual or aids in their identification.

Personal data includes basic personal data and sensitive personal data.

1.2. “Basic personal data” includes:
  1. Surname, middle name, birth name, other names (if any);
  2. Date of birth; date, month, year of death or disappearance;
  3. Gender;
  4. Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
  5. Nationality;
  6. Images of individuals;
  7. Phone number, ID card number, personal identification number, passport number, driver's license number, license plate number, personal tax code number, social insurance number, health insurance card number;
  8. Marital status;
  9. Information about family relationships (parents, children);
  10. Information about individual digital accounts; Personal data reflecting activities and history of activities in cyberspace.
  11. Other information that pertains to a specific individual or helps identify a specific individual that does not fall under the category of sensitive personal data.
1.3. "Sensitive personal data" is personal data associated with an individual's privacy rights, any breach of which can have a direct impact on the individual's lawful rights and interests, including:
a) Political views, religious views;
b) Health status and personal life recorded in medical records, excluding information about blood type;
c) Information related to racial and ethnic origin;
d) Information about inherited or acquired genetic traits of the individual;
e) Information about physical attributes and biological characteristics of the individual;
f) Information about the individual's sex life and sexual orientation;
g) Data on crimes and offenses collected and stored by law enforcement agencies;
h) Customer information of credit institutions, foreign bank branches, intermediary payment service providers, other permitted organizations, including: customer identification information in accordance with the provisions of law, account information, deposit information, information about deposited assets, etc., information on transactions, information about organizations and individuals acting as guarantors at credit institutions, bank branches, intermediary payment service providers;
i) Data about the individual's location determined through location services;
j) Other personal data that the law designates as distinct and as requiring appropriate security measures.
 
1.4. “Personal data processing” refers to one or various activities involving personal information, such as: gathering, recording, analyzing, verifying, storing, rectifying, disclosing, merging, accessing, retrieving, recalling, encrypting, decrypting, duplicating, sharing, transmitting, providing, transferring, deleting, destroying personal data, or other relevant actions.
 
1.5. “Data subjects” refers to individuals whose personal data is reflected by the personal data shared with EVS, including but not limited to individuals who are customers of EVS; users on EVS's digital platforms, and individuals affiliated with organizations that have legal relationships to EVS; individuals who are/belong to the party providing products and services to EVS; collaborators, potential candidates, employees; EVS shareholders or any other individuals affiliated with or arising from the utilization, provision of products, services, labor relationships, or other legal relationships with EVS.
 
1.6. “Customer” refers to individuals and organizations that access, acquire information about, register, use, establish relationships or are associated with the products and services provided by EVS.
 
1.7. "Personal Data Subject" refers to the Data Subject, an individual, or an organization acting on behalf of or obtaining the consent of the Data Subject to provide and consent to the processing of their personal data to EVS.
 
1.8. “Company” or “EVS” refers to Everest Securities Joint Stock Company, including the company's headquarters, branches, representative offices, and transaction offices (if any).
 
1.9. “Third party” refers to organizations and individuals that are not affiliated with EVS, Customers and Data Subjects.

To clarify, any terms not explained in the General Terms will be explained in accordance with Vietnamese law.

Article 2. General principles

2.1. EVS values and respects the right to privacy, confidentiality and security of personal data. Simultaneously, EVS consistently aims to safeguard Personal Data, the privacy of Data Subjects, and adhere to the law by implementing Personal Data protection protocols in order to fulfill and adhere to enacted regulations;
2.2. EVS collects and processes Personal Data solely in compliance with the law and within the parameters of the documents and agreements established between EVS and the Customer and/or relevant party(s);
2.3. Depending on EVS's role in each specific situation, which may be (i) Personal Data Controller; (ii) Personal Data Processor; or (iii) Personal Data Controller and Processor, EVS will adhere to the rights, responsibilities as well as principles for processing Personal Data in compliance with current laws;
2.4. All rights and obligations of EVS, Data Subject, Personal Data Provider in these General Terms will not be substituted, terminated, or altered, but will coexist as the rights and responsibilities of EVS, the Data Subject, and the Party providing the personal data in any document and nothing in these General Terms implies the limitation or removal of any existing rights or responsibilities of the parties, unless otherwise agreed in writing;
2.5. The Data Subject/Personal Data Provider acknowledges and agrees that the Personal Data (including Basic Personal Data and Sensitive Personal Data) supplied to EVS will not only be restricted to the extent of personal data to be supplied but also encompasses personal data previously supplied to EVS. The ongoing utilization of EVS's services and products by the Data Subject/Personal Data Provider, as well as the continuous upholding of transactions or agreements formed with EVS subsequent to the acceptance of these General Terms, signifies the explicit, voluntary, and affirmative agreement of the Data Subject/Personal Data Subject to EVS's processing of Personal Data (comprising Basic Personal Data and Sensitive Personal Data) throughout the reception and handling of such information, commencing from the moment EVS acquires the data until a termination request is made by the Data Subject/Data Subject or as mandated by law.
2.6. When disclosing Personal Data of a third party (including but not limited to Personal Data of the organization's transaction representative, dependents, legal relatives, guardians, friends, beneficiaries, authorized persons, partners, emergency contact person or other individual) to EVS, the Personal Data Subject affirms, guarantees, and takes responsibility for ensuring that they have provided adequate information and obtained the lawful consent of the Data Subject to collect and process their Personal Data in accordance with these General Terms. The Personal Data Provider acknowledges that EVS has no obligation to verify the legality and validity of the above consent and that the storage of supporting evidence is the responsibility of the Personal Data Provider. The Party providing personal data must provide evidence of the Data Subject's consent in the requested EVS field. EVS is absolved from liability and obligated to cover expenses for damages and associated costs in cases where the personal data provider does not adhere to the regulations outlined in this Section.

Article 3. Contents of personal data processing

3.1. Collection of personal data
3.1.1. To fulfill the purposes of Article 3.2 below, EVS needs and/or is required to gather Personal Data of Data Subject.
3.1.2. Methods and procedures of EVS in gathering Personal Data
EVS may directly or indirectly collect Personal Data from one or various sources as listed below, including but not limited to:
a) From direct meetings with the Party providing personal data: EVS gathers information through various means such as contacting, collaborating, offering/using services, and receiving information directly from the Personal Data Provider.
b) From exchanges and communications with the Personal Data Provider when the contact between the Personal Data Provider and EVS arises, such as via email, EVS's Call Center (Contact Center), electronic communications or any other method (including but not limited to surveys, investigations conducted or acquired by EVS);
c) From EVS's websites when the Personal Data Provider accesses and declares Personal Data;
d) From the mobile application when the Personal Data Provider downloads, uses or declares Personal Data on EVS's mobile application.
e) From interactions or automated data collection technologies: EVS may gather Personal Data of Data Subjects automatically recorded from connections of Personal Data Subjects or related parties such as cookies, plug-ins, third party social network connection sequences or any technology capable of tracking and collecting Personal Data on those devices or websites (such as Facebook, TikTok, Instagram...);
f) From competent state agencies such as the State Securities Commission, Vietnam Securities Depository and Clearing Corporation, Stock Exchanges or other competent authorities in Vietnam;
g) From publicly available sources such as phone books, advertising information/flyers, information publicly available online, etc.
h) From other sources where the Data Subject consents to the sharing/provision of Personal Data, or where collection is required or permitted by law.
 
3.2. Purposes of personal data processing
 
3.2.1. EVS may process Personal Data for one or more of the following purposes:
3.2.1.1. General purpose:
a) Review the accuracy and completeness of the Personal Data provided; verify or authenticate the identity of the Data Subject and carry out procedures for Data Subject authentication.
b) To establish the relationship between EVS and the Data Subject/Personal Data Provider/Relevant Third Party;
c) To fulfill other objectives associated with EVS's business operations that EVS considers suitable periodically.
d) To protect the lawful interests of EVS and adhere to relevant laws, including but not limited to the collection of fees, charges and/or the retrieval of any debts, or proceeding with lawsuits, complaints or any agreement between the Data Subject/Personal Data Subject and EVS;
e) To evaluate any proposals related to rights, benefits or obligations outlined in the document(s), agreement(s) between the Data Subject/Personal Data Provider and EVS;
f) Provide to service providers/partners of EVS to carry out transactions for Data Subjects/Personal Data Providers and/or EVS;
g) Prevent or minimize a threat to the life, health of others and the general public;
h) To evaluate risks, analyze trends, statistics, plan, including but not limited to statistical data processing analysis, transactions, credit and anti-money laundering, terrorist financing, weapons of mass destruction financing;
i) To identify, prevent and investigate crimes, assaults, or any breaches of the law (including fraud, bribery, corruption or tax evasion);
j) To carry out transactions such as transfer, disposition, business reorganization or purchase, sale or exchange of EVS's activities and assets;
k) To meet and adhere to EVS's internal policies, procedures and any rules, regulations, instructions, directives or requirements issued by competent state agencies in accordance with the law;
 
3.2.1.2. In addition to the General Purpose in Article 3.2.1.1 above, EVS can also process Personal Data for one or various purposes corresponding to each of the following subjects:
 
A. For the Customer
a) Evaluate legal documents, financial capabilities and customer's circumstances for any operations, products and services offered or provided by EVS;
b) Providing operations, products, and services conducted by EVS (including but not limited to products that third parties cooperate with EVS to conduct in accordance with the provisions of law);
c) Promotion and information about products, services, promotional initiatives, research, surveys, news, updates, events, contests with prizes, relevant rewards, other relevant communication and introduction activities about EVS's services and products and other partners' services in cooperation with EVS;
d) Contact to exchange information, provide writings or other documents related to transactions and the utilization of EVS's products and services;
e) Notify information about obligations, rights, changes in features, improvements and enhancements of utilities and quality of products and services;
f) Prepare financial reports, activity reports or other relevant reports in accordance with the provisions of law;
g) Conduct market research, surveys and data analysis related to any products and services provided by EVS (whether performed by EVS or another third party with whom EVS cooperates) that may relate to Customers/Data Subjects.

B. For product and service providers, leasing partners, property leases, and cooperation with EVS

a) To engage in and execute the objectives as outlined in the pertinent documents and agreements.
b) Contact, exchange, and verify information during the execution of tasks/services between the Personal Data Provider and EVS.

C. For potential candidates, collaborators, and employees

a) Review conditions for candidates and collaborators; evaluate dossiers, documents, and financial papers for the purpose of appraising and evaluating the capacity of candidates and collaborators, register candidate and collaborator profiles, and serve the recruitment process and signing service contracts;
b) Sign and manage contracts, employment and services agreements with candidates, collaborators, and employees;
c) Train, test, evaluate work quality and compliance with obligations in contracts, agreements, and commitments with EVS;
d) Manage personnel records and carry out procedures in accordance with the law with functional agencies and competent agencies such as agencies of labor, insurance, tax, State Securities Commission, etc.;
e) Carry out essential activities and tasks from agreements and contracts signed with third parties depending on the purpose and needs arising at each time such as training services, health insurance, medical examination, medical treatment, transportation, tourism, event organization, etc.;
f) Carry out other purposes related to human resource development and management.
 
3.2.2. EVS will seek consent from Data Subjects prior to utilizing their Personal Data for any purposes not outlined in the General Terms.
3.3. Processing of Personal Data in certain special cases
3.3.1. EVS has the capability to record, video and process Personal Data obtained from CCTV ("CCTV") in areas where CCTV is installed (including but not limited to office areas, corridor areas, exit areas, etc.) in accordance with EVS's operational security requirements and for the Customer in accordance with legal regulations;
3.3.2. EVS always respects and protects children's Personal Data. In addition to the Personal Data protection measures prescribed by law, prior to processing children's Personal Data, EVS will verify the child's age and request the consent of (i) the child and/or (ii) the child's father, mother or guardian in accordance with the provisions of law;
3.3.3. In addition to complying with other relevant legal regulations, for the processing of Personal Data related to Personal Data of people declared missing/deceased, EVS will have to obtain consent of one of the relevant individuals in accordance with the provisions of applicable law.
 
3.4. Transfer and Disclosure of Personal Data
 
3.4.1. EVS will not sell, exchange, or rent (term or indefinitely) the Data Subject's personal information without the Data Subject's consent in accordance with the provisions of applicable law. However, in order to fulfil the purposes and activities of processing Personal Data in these General Terms, the Personal Data Subject understands and agrees that EVS may disclose Personal Data to one or more of the following parties:
a) EVS's subsidiaries, including but not limited to subsidiaries, joint ventures, affiliates identified by EVS from time to time;
b) EVS's internal employees and departments for the purposes set out in these General Terms and documents and agreements entered into between Customer and EVS;
c) EVS's consultants, lawyers, advisors, accountants, auditors or clients;
d) The competent authorities in Vietnam or any individuals, regulator or third party to whom EVS is permitted or required to disclose under the laws of any country, or under any other documents or agreements between the third party and EVS;
e) Business partners, rewards providers, gift providers, co-branded parties, participants in or coordinating loyalty programs, advertisers, charities or not-for-profit organizations, any related organizations for operational purposes, carry out the business of EVS, the operator of the system, application or equipment or provide Customer with any products or services selected by the Customer or for the purposes set out in these General Terms;
f) Any person or entity involved in exercising or maintaining any rights or obligations under the Customer/Personal Data Supplier(s) agreement(s) with EVS;
g) Parents, spouses, children and heirs of the Data Subject in case the Data Subject has died or been declared missing;
h) Third parties to whom Customer consents or EVS have a legal basis for sharing Personal Data.
 
3.4.2. EVS considers Personal Data to be private and secure. Other than the parties stated above, EVS does not disclose Personal Data to any other party, except in the following cases:
a) The Data Subject's consent.
b) When EVS is required or permitted to disclose by law; or as decided by competent state agencies;
c) When EVS transfers rights and obligations under the agreement(s) between the parties concerned and EVS or performs in accordance with the law.
 
3.5. Overseas transfers of Personal Data
 
3.5.1. For the purposes of processing Personal Data in these General Terms, EVS may be required to provide/share Personal Data to relevant EVS third parties who may be located in Vietnam or anywhere else outside of Vietnam.
3.5.2. When providing/sharing Personal Data to foreign entities, EVS will mandate that the recipient guarantees the security and protection of the transferred Personal Data. EVS and recipient guarantee adherence to legal and regulatory requirements concerning the safeguarding of Personal Data.
 
3.6. Personal Data Processing methods
Depending on the purposes for which Personal Data is processed, EVS or EVS's data processors or third parties authorized to process EVS may adopt appropriate processing practices including but not limited to automated Personal Data processing, manual or other methods in accordance with the provisions of law and EVS from time to time.
 
3.7. Personal Data Processing Time
 Depending on the specific activity, Personal Data may be processed by EVS after it has been provided, gathered, and concluded upon the fulfillment of data processing in accordance with intended objective or until the Personal Data has been deleted in accordance with regulations (whichever comes later).
 
3.8. Other contents

Other contents related to the Processing of personal data not expressed in these General Terms shall apply in accordance with applicable legal documents.

Article 4. Rights and obligations of Data Subjects in relation to Personal Data provided to EVS

4.1. Data subjects have the following rights: (i) The right to know; (ii) The right to consent; (iii) The right of access; (iv) The right to withdraw consent; (v) The right to erasure; (vi) The right to restrict data processing; (vii) The right to data disclosure; (viii) The right to object to processing; (ix) The right to complain, denounce or initiate lawsuits; (x) The right to claim damages; (xi) The right to self-protection; and (xii) other relevant rights as provided by law. The specific content of the above-mentioned rights shall comply with the provisions of current law.
4.2. EVS, in reasonable endeavors, will honor a lawful and valid request from the Data Subject within the statutory time period after receipt of the complete, valid request and the relevant processing fee (if any) from the Data Subject, subject to EVS's right to invoke any regulatory exemptions and/or legislative exceptions.
4.3. In the event that the Data Subject withdraws his/her consent, requests deletion, restriction of data processing and/or exercises other relevant rights with respect to any or all of his/her Personal Data, and depending on the nature of the Data Subject's request, EVS may consider and decide whether to discontinue transactions or discontinue providing products and services related to the use of the Customer's Personal Data/Data Subjects due to the inability to ensure the standard/quality of the products, services assessed by EVS or as required by law need to collect relevant Personal Data when providing products or services. Actions performed in accordance with this provision constitute unilateral termination of the transaction on the part of the Data Subject/Customer for any relationship with EVS and may result in a breach of obligations or commitments under the documents, agreement between the Data Subject/Customer and EVS. When this situation arises, EVS will notify the Data Subject/Customer of the termination of products and services and the Customer/Data Subject is solely responsible for any damages incurred in connection therewith.
Customer/Data Subject should be aware that, due to the peculiarities of EVS's operations, in cases where EVS is legally obligated to retain Personal Data in certain circumstances, EVS may be unable to fulfill the data deletion request of the relevant Data Subject if the deletion of the data results in a violation of the law;
4.4. For security purposes, the Data Subject may need to make their request in writing or use another method to prove and authenticate the identity of the Data Subject. EVS may require the Data Subject to verify their identity before processing the Data Subject's request;
4.5. Data subjects are responsible for protecting their own Personal Data, requesting other relevant organizations and individuals to protect their Personal Data. Simultaneously, the Data Subject shall respect and protect the Personal Data of others;
4.6. Data subjects fully and accurately provide Personal Data to EVS when entering into contracts or using services provided by EVS;
4.7. Data subjects implement and comply with the provisions of the law on personal data protection and participate in preventing and combating violations of regulations on personal data protection;
4.8. In the event of any change or adjustment of Personal Data, the Data Subject/Personal Data Provider and/or related parties are responsible for contacting and immediately notifying EVS so that EVS can promptly update such changes and adjustments. The data subject/Personal Data Provider and/or related parties shall bear full responsibility for the delay in this notification; at the same time, the delay in this notification will exempt EVS from all damages and risks incurred (if any);
4.9. The data subject updates the information posted on EVS's website at https://www.eves.com.vn/security_en/security.html and complies with any changes (if any) to these General Terms;
4.10. The Data Subject shall promptly notify EVS if it detects or suspects that Personal Data has been exposed, which may result in risks in the use of products, services, or any breach of Personal Data protection under these General Terms that the Data Subject may be aware of;
4.11. The Data Subject understands and agrees that EVS reserves the right to refuse to comply with the Data Subject's requests in a number of circumstances, including but not limited to: (i) the Data Subject fails to comply with the order and procedures instructed by EVS; (ii) the Data Subject fails to provide or provides insufficient documents to verify his/her identity; or (iii) where EVS assesses signs of fraud or violations of Personal Data protection; or (iv) the provisions of law do not permit the fulfillment of the Data Subject's request;
4.12. The Data Subject acknowledges that, by accepting these General Terms, the Data Subject has been notified by EVS, is aware of and agrees to all the contents to be notified before EVS processes the Personal Data, as set out in detail in these General Terms. The Data Subject agrees that EVS does not need to give further notice before processing Personal Data.

Article 5. Risks of Personal Data Disclosure and Safeguards

5.1. The Data Subject agrees that the processing of Personal Data will always involve potential risks due to system failures, transmission lines, force majeure events, viruses, network attacks or hardware and software failures, actions of the Customer/Data Subject or any other third party affecting the provision and processing of the Personal Data of the Data Subject… Risks may arise, such as the Personal Data being exposed or stolen by another party, resulting in such Personal Data being used for undesirable purposes or beyond the control of EVS and the Data Subject, causing both material and emotional losses.
5.2. EVS considers Personal Data as EVS's most important asset and EVS strives to ensure confidentiality, safety, legal compliance, and limit potential unwanted consequences and damages.
5.3. The responsibility for the security of Personal Data is a mandatory requirement EVS imposes on all employees. EVS carries out its responsibility to protect Personal Data in accordance with applicable laws with the best security practices as prescribed by law and regularly reviews and updates its management and technical measures when processing Personal Data (if any).

Article 6. Retention of Personal Data

6.1. Personal data stored by EVS will be kept confidential. EVS will take reasonable measures to protect Personal Data when stored at EVS.
6.2. EVS retains Personal Data for as long as necessary to fulfill the purposes for which the relevant parties have signed with EVS and in accordance with these General Terms, unless the retention period is longer if required or permitted by the relevant party(s) and applicable laws.

Article 7. Amendment and supplementation of General Terms

EVS may amend and supplement the contents of these General Terms from time to time and ensure that such amendments and supplements are in accordance with the relevant provisions of law. Notice of any amendments will be updated, posted on EVS's website at https://www.eves.com.vn/security_en/security.html and/or notified to Data Subjects/Customers or related parties via such means of communication as EVS deems appropriate.

To the extent permitted by applicable laws, the continued use of EVS's services and products by the Customer or related parties; or continuing to maintain transactions or agreements with EVS means that the Data Subject/Customer/related parties agree to the amendments and supplements of these General Terms without any conditions.

Article 8. Contact information for processing Personal Data

For inquiries regarding EVS's processing of the Data Subject's Personal Data, please contact us using the information below:

Article 9. Consent Terms

9.1. When using any service, product or accessing any EVS website, application or device or connected to EVS, or establishing a transaction or authorizing EVS to process Personal Data (either directly or through a third party), the Data Subject/Customer is deemed to have accepted, without any conditions, the policies referred to in these General Terms and changes (if any) from time to time.
9.2. These General Terms are an integral part and should be read and understood in accordance with the contracts, agreements, offers, commitments, registration for products and services established between the Data Subject/Customer/Personal Data Provider and EVS. The General Terms shall prevail in the event of any conflict or inconsistency with the contracts, agreements, offers, undertakings, subscriptions for products or services governing the relationship of the Data Subject/Customer/Personal Data Provider with EVS, whether concluded before, on or after the date of the Data Subject/Customer/Personal Data Provider these General Terms.