GENERAL TERMS AND CONDITIONS ON PERSONAL DATA PROTECTION AND PROCESSING (Promulgated to Decision No. 470/2023/QĐ-TGĐ dated June 30, 2023 of Chief Executive




(Promulgated to Decision No. 470/2023/QĐ-TGĐ dated June 30, 2023 of Chief Executive Officer)


These Terms and Conditions govern the manner in which SSI Securities Corporation (“SSI”) collects and processes Data Subject’s Personal Data during the course that the Data Subject establishes connection with, use or interaction with products, website or services of SSI directly or indirectly. SSI encourages the Data Subject to read these contents carefully and regularly check for any changes that SSI may make in accordance with the provisions set out in these Terms and Conditions. The Data Subject agrees to apply, coordinate and commit to comply with the General Terms and Conditions on Personal Data Protection and Processing promulgated by SSI Securities Corporation.

Article 1. Common provisions

1.1.    The General terms and conditions on personal data protection (collectively called the “General Terms and Conditions on PDP") are integral to the contracts, agreements, proposals, registrations, etc., which govern and establish the relationship or bonding between the Data Subject and SSI.

1.2.    SSI values ​​and respects the privacy, security, and safety of Personal Data. Simultaneously, SSI always strives to protect Personal Data, the privacy of the Data Subject (including related parties of the Data Subject) and comply with the laws of Vietnamam through Personal Data protection measures that meet and are consistent with promulgated regulations.

1.3.    SSI shall only collect, process, and archive the Data Subject’s Personal Data in accordance with the law and within the scope of the contracts, agreements, and documents signed between SSI and the Data Subject or between SSI and the Data Subject’s related parties.

1.4.    Depending on the role of SSI in each specific situation as (i) Personal Data Controller; (ii) Personal Data Processor; or (iii) Personal Data Controller and Processor, SSI shall exercise the respective rights, responsibilities, and principles of processing Personal Data in accordance with applicable laws.

1.5.    The Data Subject understands and agrees that the provision of  Personal Data to SSI (including but not limited to the information that SSI has obtained beforehand, during and after the Data Subject has accepted the General Terms and Conditions on PDP) is the full acceptance of the Data Subject that allows SSI to use Personal Data throughout the process of receiving and processing Personal Data, starting from the time SSI receives information until there is a request to stop the data processing from the Data Subject or SSI stops processing Personal Data in accordance with laws and regulations.

1.6.    General Terms and Conditions on PDP shall prevail in the event of any conflict or inconsistency with the agreements, terms and conditions governing the relationship between the Data Subject and SSI, whether it has been signed before on, or after the date of Data Subject’s acceptance of General Terms and Conditions on PDP.

1.7.    All rights and obligations of SSI and the Data Subject prescribed in General Terms and Conditions on PDP shall not replace, terminate, or change but shall be concurrently the rights and obligations that SSI and the Data Subject have in any documents and none of articles in General Terms and Conditions on PDP is intended to limit or remove any of the rights and obligations established by SSI and the Client.

Article 2. Interpretation

2.1. “Personal Data” means information in the form of symbols, letters, numbers, images, sounds or equivalences on an electronic medium that is associated with a particular person or helps to identify a particular person.

Personal Data includes Basic Personal Data and Sensitive Personal Data.

2.2 “Basic Personal Data” includes:
a)  Last name, middle name and first name, other names (if any);
b)  Date of birth; date of death or being missing;
c)  Gender;
d)  Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current residence, hometown, contact address;
e)  Nationality;
f)  Personal image;
g)  Phone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;
h)  Marital status;
i)  Information about family relationships (parents, children);
j)  Information about the individual’s digital account; personal data reflecting activities, history of activities in cyberspace;
k)  Other information associated with a specific person or helping to identify a particular person that is not subject to Sensitive Personal Data.
2.3 “Sensitive Personal Data” is personal data associated with an individual privacy which, when violated, will directly affect an individual legitimate rights and interests, including:
a) Political views, religious views;
b) Health status and private life are recorded in the medical record, excluding information about blood type;
c) Information related to racial or ethnic origin;
d) Information about inherited or acquired genetic characteristics of the individual;
e) Information about the individual's physical attributes and biological characteristics;
f) Information about an individual's sex life and sexual orientation;
g) Data on crimes and offenses collected and archived by law enforcement agencies;
h) Information on customers of credit institutions, foreign bank branches, payment intermediary service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment intermediary service providers;
i) Personal location data identified through location services;
j) Other Personal Data required by law is specific and requires necessary security measures.
2.4  “Personal data processing” means one or multiple activities that impact on Personal Data, such as collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of Personal Data or other related activities.
2.5 “Data Subject” means the individual(s) to whom the Personal Data reflects and their personal data is shared with SSI, including but not limited to clients, employees, collaborators, shareholders of SSI, individuals who are belonged to organizations which has established partnership with SSI or any other individuals whose Personal Data is processed by SSI.
2.6. “Client”[1] means individual(s) and organization(s) who approach, learn, register, use or are involved in the operation and provision of products and services provided by SSI.
2.7. “Company” or “SSI” means SSI Securities Corporation, including its headquarters, branches and offices (if any).
2.8. “Third party” means an organization or individual other than SSI and Data Subject.

For clarification, any words that are not explained in General Terms and Conditions on PDP shall be explained in accordance with Vietnamese law.

Article 3. Personal data processing activities

3.1. Collection of Personal Data

3.1.1. SSI may need and/or be compelled to collect Personal Data, including: (i) Basic Personal Data and (ii) Sensitive Personal Data relating to the Client and their related individuals to be able to deliver products and services to the Client and/or fulfill Client's requests.
3.1.2. Collection method and manner

SSI may directly or indirectly collect the Data Subject’s Personal Data during providing any its products or services, and from one or several sources specified below, including but not limited to:

a) Directly from the Client: SSI collects information while interacting, working with, providing services and directly meeting with the Client, as well as information provided by the Client.
b) From SSI websites: SSI may collect the Data Subject’s Personal Data when there is any access or declaration regarding Personal Data on any SSI‘s websites.
c) From Mobile Application: SSI may collect the Data Subject’s Personal Data when Data Subject downloads or delcares Personal Data on SSI's mobile application.
d) From exchanges, communication with Client: SSI may collect Data Subject’s Personal Data when Data Subject and SSI contact each other via email, Contact Center, electronic communication, or any other means (including and not limited to surveys and investigations conducted or obtained by SSI).
e) From interactions or automated data collection technologies: SSI may collect Personal Data of the Data Subject which is automatically recorded from Data Subject’s or its related parties’ connection to SSI such as cookies, plug-in, third-party social network connection sequence or any technology capable of tracking and collecting Personal Data on those devices or websites (e.g. Facebook, YouTube, TikTok, Instagram, etc.).
f) From State Competent Authorities: SSI may receive the Data Subject’s Personal Data from regulatory agencies such as State Securities Commission, Vietnam Securities Depository/ Viet Nam Securities Depository and Clearing Corporation, the Stock Exchanges or other competent authorities in Vietnam.
g) Public Sources: SSI may receive the Client's Personal Data from public sources such as telephone directories, advertising information/brochures, information publicly available on the Internet, etc.
h) From suppliers, service providers, partners, affiliates and third parties involved in SSI's business;
i) From third parties in relation to the Client;
j) From other sources where Client consents to share/provide Personal Data, or where the collection is required or permitted by law.
3.2. Purpose of Personal Data processing
3.2.1 SSI may process Personal Data for one or more of the following purposes:
a)  Verify the accuracy and completeness of the provided Personal Data; identify or authenticate the Client's identity and carry out the client authentication process;
b)  Appraise the Client's legal profile, financial capacity, and eligibility for any products or services that SSI may propose or offer;
c)  Provide products, services executed by SSI (including but not limited to products that third parties coordinate with SSI to carry out in accordance with the law);
d)  Publicize and inform about products, services, promotions, research, surveys, news, updates, events, awarded competitions, awarding pertinent awards, communication and introduction of SSI's services, products and other partners' services in cooperation with SSI;
e)  Get in touch with to exchange information, deliver documents, or other documents pertaining to transactions and the usage of products and services of SSI;
f)  Inform Clients of information about obligations, benefits, changes in features, improvements and enhancements to the utility and quality of products and services;
g)  Prepare financial statements, operational reports or other related reports as prescribed by law;
h)  Conduct market research, surveys and data analysis related to any products or services provided by SSI (whether conducted by SSI or another third party cooperating with SSI) that may be relevant to the Client;
i)  Protect SSI's legitimate interests and comply with relevant laws, including and not limited to the collection of fees, charges and/or to recover any debt, or deal with the proceedings, claims, or according to any agreement between the Client and SSI;
j)  Prevent or mitigate a threat to individual's life, health and the public interest;
k)  To meet and comply with SSI's internal policies, procedures, and any rules, regulations, guidelines, directives or requirements issued by the Competent State Authority as required by law;
l)  To evaluate any proposal regarding rights, interests or obligations under the contract(s) between the Client and SSI;
m)  Provide SSI's service providers/partners to perform services for the Client and/or SSI;
n)  For any other purpose required or permitted by any law, regulation, guideline and/or State Competent Authorities;
o)  For other SSI business-related objectives that it deems suitable from time to time;
p)  In any other manner that SSI informs the Client, either at the time of acquisition of Client's personal data or before the commencement of relevant processing, or as otherwise required or permitted by applicable law; and
3.3.2. Before using the Data Subject’s Personal Data for purposes other than those indicated in General Terms and Conditions of PDP, SSI shall request for consent from such Data Subject.
3.3. Personal Data processing in some special cases
3.3.1. SSI shall be able to record, video record and process Personal Data collected from Closed-circuit television (“CCTV”) in areas where CCTV is installed (including but not limited to office areas, corridors, exit areas, etc.) in accordance with the requirements to ensure SSI's and the Client's operational security in accordance with the law.
3.3.2. SSI always respects and protects children's Personal Data. In addition to the legal procedures for Personal Data protection, before processing children's Personal Data, SSI shall verify their age and obtain consent from either (i) the child and/or (ii) the child's parent or guardian in accordance with the law.
3.3.3. In addition to abiding by other pertinent legal requirements, SSI shall have to get the approval of one of the associated persons in accordance with the law for the processing of Personal Data related to the declared missing/deceased person.
3.4. The transfer and disclosure of Personal Data
3.4.1. SSI shall not sell, exchange, or lease (temporarily or indefinitely) the Data Subject’s personal information without the Data Subject’s consent in accordance with applicable law. However, to fulfill the purposes and processing of Personal Data set forth in General Terms and Conditions of PDP, the Data Subject accepts that SSI may disclose the the Data Subject’s Personal Data or the Personal Data of third parties associated with the Data Subject to one or more of the following parties:
a) SSI may share the Data Subject’s Personal Data with SSI’s personnel and internal departments for the purposes specified in these Terms and Conditions of PDP and the contracts and agreements executed between the Client and SSI.
b) Competent authorities in Viet Nam or any individual, regulatory authority, or third party that SSI is permitted or required to disclose under the law of any country or in accordance with any other contract/agreement or commitment between the third party and SSI;
c) Business partners, rewards providers, gift providers, co-branding parties, parties participating in or coordinating the organization of loyalty programs, advertisers, charities or non-profit organizations, and any related organization to operate or carry out the business activities of SSI and the party operating systems, applications or equipment or providing Client with any products or services chosen by the Client or for the purposes stated in these Terms and Conditions of PDP;
d) Any person or organization involved in the exercise or maintenance of any rights or obligations under the agreement(s) between the Client and SSI;
e) The third parties to whom SSI have a legal basis for disclosing theData Subject’s Personal Data or with whom the Data Subject has consented.
3.4.2. SSI shall keep the Data Subject’s Personal Data private and confidential. Aside from the parties listed above, SSI shall not disclose the Data Subject’s Personal Data to any other party, except for the following cases:
a)  When getting permission from the Data Subject;
b)  When SSI is required or allowed to disclose in accordance with the law; or at the decision of a competent state agency;
c)  When SSI, under the agreement(s) between the Data Subject and SSI, transfers its rights and obligations or complies with the provisions of law.
3.5. Overseas Transfer of Personal Data
3.5.1. For the purposes of processing Personal Data in these Terms and Conditions of PDP, SSI may be required to provide/share the Data Subject’s Personal Data to the SSI's relevant third parties located in, or outside of Viet Nam.
3.5.2. When overseas transferring/sharing Personal Data, SSI requires the recipient to ensure that the transferred Personal Data of the Data Subject shall be private and secured. Regarding transferring the Data Subject’s Personal Data, SSI and the recipient ensure that all legal and regulatory requirements are complied with.


Article 4. Rights and obligations of the Data Subject regarding Personal Data provided to SSI

4.1. The Data Subject has the following rights: (i) Right to be informed; (ii) Right to give consent; (iii) Right to access; (iv) Right to withdraw consent; (v) Right to delete data; (vi) Right to restrict data processing; (vii) Right to provide data; (viii) Right to object to data processing; (ix) Right to complain, allege, and initiate lawsuits; (x) Right to claim damages; (xi) The right to self-protection and other related rights as prescribed by the law. The Data Subject can exercise its rights by contacting SSI according to the information provided in detail in Article 8, Terms and Conditions of PDP.
4.2. SSI shall, in its reasonable endeavors, fulfill a lawful and valid request from the Data Subject within the statutory period from receipt of a complete and valid request and associated processing fee (if any) from the Data Subject, subject to SSI's right when invoked to any waiver and/or exception as prescribed by the law.
4.3. In the event that the Data Subject withdraws its consent, requires data deletion and/or exercises other related rights with respect to any or all of the Data Subject’s Personal Data, and depending on the nature of the Client's request, SSI may consider and decide not to continue providing SSI's products which are related to the use of Data Subject’s Personal Data due to the inability to ensure the standards/quality of the products and services according to SSI's assessment or due to collect Personal Data of the Data Subject when providing products and services as required by law. In such event, SSI shall notice the Client about the decision to stop providing products and services to the Client with explicit reasons. All arising damages to Client and SSI (if any) shall be borne by the Data Subject. The Data Subject should note that, due to the characteristics of SSI's operations, the law requires SSI to archive the Data Subject’s information in certain cases, then SSI cannot meet the related Data Subject’s request to delete data if the data deletion leads to a violation of the law.
4.4. For security purposes, the Data Subject may need to request in writing or use another method to prove and verify the Data Subject’s identity. SSI may require the Data Subject to verify its identity before processing the Data Subject’s request.
4.5. The Data Subject is responsible for protecting their own Personal Data, requesting other relevant organizations and individuals to protect their Personal Data. Simultaneously, the Data Subject shall respect and protect the Personal Data of others.
4.6. Provide complete and accurate Personal Data to SSI when entering into a contract or using services provided by SSI.
4.7. Implement and comply with the provisions of the law on Personal Data protection and participate in the prevention and combat of violations of regulations on Personal Data protection.
4.8. If there is a change or adjustment of Personal Data, the Data Subject and/or its related parties is responsible for contacting and immediately informing SSI so that SSI can promptly update such changes and adjustments. The Data Subject and/or its related parties shall be fully liable for any delay in this notice; at the same time, such delay in this notice shalll exempt SSI from all damages and risks that may occur (if any).


Article 5. Risks of Personal Data Exposure and Protection Measures

5.1. The Data Subject understands that providing and consenting to SSI to use Personal Data shall always have potential risks due to system failures, transmission lines, force majeure events, viruses, network attacks, or software or hardware failures, actions, manipulations of the Data Subject or any other third party affecting the provision and processing of the Data Subject’s Personal Data…. Risks may arise such that the Data Subject’s Personal Data may be exposed or stolen by another party resulting in these Personal Data being used for undesirable or out-of-control purposes of SSI and the Data Subject, cause both material and spiritual losses.
5.2. SSI recognizes the Data Subject’s Personal Data is one of the most important assets of SSI, and SSI always strives to ensure confidentiality, safety, compliance with the law, and restriction of unintended consequences and damages that possibly occur.
5.3. Responsibility for the confidentiality of the Data Subject’s Personal Data is a mandatory requirement that SSI sets for all employees. SSI fulfills its responsibility to protect Personal Data in accordance with current laws with the best security practices in accordance with the law and regularly reviews and updates management and technical measures when processing the Data Subject’s Personal Data (if any).


Article 6. Personal Data Storage

6.1. Data Subject’s Personal Data archived by SSI shall be kept confidential. SSI shall take reasonable actions to protect Data Subject’s Personal Data archived at SSI.
6.2. SSI shall archive the Data Subject’s Personal Data for the required period to fulfill the purposes in accordance with agreements, contracts, and documents signed by the related parties and SSI and under these General Terms and Conditions of PDP unless a more extended period of Personal Data Storage if required or permitted by the Client and current laws.


Article 7. Amendment

SSI may amend, update, or adjust the terms and conditions of these General Terms and Conditions of PDP from time to time and ensure that the amendments and supplements are consistent with relevant law provisions. Notice of any amendment, update, or adjustment will be updated and posted on the website of SSI at and/or via communicated to the Data Subject through other means of communication as SSI deems appropriate.

To the extent permitted by applicable law, the Data Subject/related parties continue to use of SSI's services and products or to provide services/products to SSI means that the Data Subject/related parties agrees to the updated contents of these General Terms and Conditions of PDP.


Article 8. Contact information for Personal Data processing

In case the Data Subject has any inquiries, questions related to the General Terms and Conditions of PDP or issues related to the rights of data subjects or the handling of the Data Subject’s Personal Data, do not hesitate to get in touch with the information below for specific answers and instructions:

SSI Contact Center: 1900545471 - Extension 9

Article 9. Terms of Consent

When using any service, product or accessing any website, application, or device of SSI or connected to SSI, the Data Subject is deemed to have accepted these entire General Terms and Conditions of PDP. In the event that the Data Subject does not accept these General Terms and Conditions of PDP, the Data Subject has the right to terminate the use of the services, products, or access the websites, applications, or devices of SSI or connected to SSI.




[1] Depending on actual context, Client may be a Data Subject.