PERSONAL DATA COLLECTION AND PROCESSING POLICY

This Personal Data Collection and Processing Policy (“Policy“) is implemented by Duy Anh Fashion and Cosmetics Joint Stock Company; business registration certificate/tax identification number No. 0304130177; Head Office Address: 3rd Floor, Centec Building, 72 – 74 Nguyen Thi Minh Khai, Vo Thi Sau Ward, District 3, Ho Chi Minh City, Vietnam (“DAFC” or the “Company“), which describes the activities related to the Processing of Customer’s Personal Data.

This Policy is an integral part of the contracts, agreements, terms and conditions that bind the relationship between DAFC and the Client.

Article 1. SUBJECTS AND SCOPE OF APPLICATION

This Policy governs the manner in which DAFC processes the Personal Data of the Customer and/or the co-users of DAFC’s products/services with the Customer when using the products/services provided by DAFC and/or when interacting with the Website. For the avoidance of doubt, this Policy applies only to individual Customers. DAFC encourages Customers to read this Policy carefully and to regularly check DAFC’s Website for any changes that DAFC may make in accordance with the terms of the Policy.

Article 2. TERMINOLOGY EXPLANATION

2.1 “Customer”means an individual who approaches, learns, registers, purchases, uses products and services or is involved in the process of operating and providing products and services by DAFC.

2.2 “DAFC” or “the Company”means Duy Anh Fashion and Cosmetics Joint Stock Company, tax code/business registration certificate No. 0304130177, head office address: 3rd floor, Centec Building, 72 – 74 Nguyen Thi Minh Khai, Vo Thi Sau Ward, District 3, Ho Chi Minh City, Vietnam.

2.3 “Personal Data” or “Personal Data”means information in the form of symbols, letters, digits, images, sounds, or the like in the electronic environment that is associated with a specific person or helps to identify a specific person. Personal Data includes Basic Personal Data and Sensitive Personal Data.

2.4 Basic Personal Data includes:

2.4.1 Full name, middle name and birth name, other names (if any);

2.4.2 Date of birth; date of death or disappearance;

2.4.3 Gender;

2.4.4 Place of birth, place of birth registration, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address;

2.4.5 Nationality;

2.4.6 Images of individuals;

2.4.7 Telephone number, identity card number, personal identification number, passport number, driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number;

2.4.8 Marital status;

2.4.9 Information about family relationships (parents, children);

2.4.10 Information about the individual’s digital account; Personal Data reflecting activities and history of activities in cyberspace;

2.4.11 Other information that is associated with a specific person or helps identify a specific person is not subject to Sensitive Personal Data.

2.4.12 Other data in accordance with current laws.

2.5 Sensitive Personal Data is  Personal Data associated with the privacy of individuals which, when infringed, will directly affect the legitimate rights and interests of individuals, including:

2.5.1 Political views, religious views;

2.5.2 Health status and private life are recorded in medical records, excluding information about blood type;

2.5.3 Information related to racial origin, ethnic origin;

2.5.4 Information about an individual’s inherited or acquired genetic trait;

2.5.5 Information about physical attributes, unique biological characteristics of individuals;

2.5.6 Information about the individual’s sex life and sexual orientation;

2.5.7 Data on crimes and criminal acts collected and stored by law enforcement agencies;

2.5.8 Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other licensed organizations, including: customer identification information in accordance with law, information about accounts, information on deposits, information on deposited assets, etc  information about transactions, information about organizations and individuals that are guarantors at credit institutions, bank branches, payment intermediary service providers;

2.5.9 Data on an individual’s location determined through location services;

2.5.10 Other Personal Data is specified by law as specific and requires necessary security measures.

2.6 Personal Data Protection: is the prevention, detection, prevention, and handling of violations related to Personal Data in accordance with the law.

2.7 Processing of Personal Data: means one or more activities affecting Personal Data, such as: collection, recording, analysis, confirmation, storage, correction, disclosure, combination, access, retrieval, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion,  destruction of Personal Data or other related actions.

2.8 Partners of the Company:are organizations and individuals that provide products, services and/or operate to DAFC through contracts, agreements or other forms of equivalent legal validity.

2.9 Third party: is an organization or individual other than DAFC and the Customer that has been explained under this Policy. For further clarification, any terms that have not been explained in this Article will be understood and applied in accordance with the applicable Vietnamese law.

2.10 DAFC transaction channels: including websites, retail channels at DAFC’s stores, electronic transaction channels and/or other transaction channels to provide products/services or to serve the needs of DAFC and customers.

Article 3. PURPOSES OF PROCESSING YOUR PERSONAL DATA

3.1 The Customer agrees to allow DAFC to Process the Customer’s Personal Data for one or more of the following purposes:

3.1.1 Providing products or services or assisting the Client in using the products/services of the Company and/or its Partners through a cooperation agreement requested by the Client;

3.1.2 Advising, evaluating, handling, responding or resolving the Client’s questions, requests, feedback, questions, instructions or complaints; as well as carrying out after-sales and customer care activities;

3.1.3 Adjust, update, secure and improve products, services, applications and equipment that DAFC is providing to Customers;

3.1.4 Verify the identity and ensure the confidentiality of the Client’s personal information;

3.1.5 To meet the service requirements and support needs of the Customer;

3.1.6 Notify customers of changes to policies and promotions of products and services that the Company is providing; exchanging information, including but not limited to promotional services, advertising and promotion programs related to products and services through forms such as phone calls, electronic means of contact such as email, fax, etc.

3.1.7 Measuring, analyzing internal data and other processing to improve and enhance the quality of the Company’s services/products or to carry out marketing communication activities;

3.1.8 Organize market research activities, public opinion polls to improve the quality of products/services or to research and develop new products and services to better meet the needs of customers;

3.1.9 Blocking and preventing fraud, identity theft and other illegal activities;

3.1.10 To have a basis for establishing, enforcing legal rights or defending legal claims of DAFC or the Client. These purposes may include exchanging data with other companies and organizations to prevent and detect fraud, reduce credit risk;

3.1.11 Compliance with applicable laws, relevant industry standards and other applicable policies of the Company;

3.1.12 Any other purpose specific to the Company’s operations;

3.1.13 Provide information to IPPG Group, its affiliates for the purposes set out above and provided that the recipient of the information will be bound by the same strict confidentiality terms as those contained herein;

3.1.14 Any other purpose notified by DAFC to the Client, at the time of collection of the Client’s Personal Data or prior to the commencement of the relevant processing or as otherwise required or permitted by applicable law;

3.1.15 Maintain, test and/or operate any systems or platforms necessary to provide any of the Company’s products and services; or in connection with the websites or mobile applications that will be provided by the Company to the Client;

3.1.16 Verify the Client’s identity to process orders when the Client places an order through the Company’s sales platforms such as the Company’s websites or mobile applications;

3.1.17 Marketing, promoting, improving, and enhancing the provision of products and services by the Company and optimizing the experience for Customers related to products and services through the collection and processing of Customer’s data;

3.1.18 To share with the Company’s organizations, affiliates and Partners, including those within the IPPG Group, to enable the Company’s organizations, affiliates and Partners to conduct market research, planning, customer surveys, trend analysis and/or other related forms of data analysis in order to better tailor the incentives, promotions and/or other direct marketing activities for the Company;

3.1.19 To provide additional services or value-added services;

3.1.20 To provide and administer loyalty benefits, rewards, promotions, contests, sweepstakes and other related benefits;

3.1.21 To inform the Client of new products and services offered or offered for sale by the Company or any of its organizations, affiliates and partners;

3.1.22 Any other purpose for which (i) is permitted or required by applicable law, trade rules, or market rules; (ii) is necessary, complementary or consequential to the purposes set forth above; or (iii) the Company deems it necessary to comply with applicable laws and regulations on the protection of personal data.

3.2 DAFC will request the Client’s permission before using the Client’s Personal Data for any purpose other than the purposes set out in Clause 3.1 above, at the time of collection of the Client’s Personal Data or before commencing the processing of the relevant Personal Data or as otherwise required or otherwise required by applicable law permit.

Article 4: CONFIDENTIALITY OF CUSTOMERS’ PERSONAL DATA

4.1 Privacy Guidelines:

4.1.1 The Client’s Personal Data is committed to confidentiality in accordance with the provisions of DAFC and the provisions of applicable laws. The processing of each Customer’s Personal Data shall only be carried out with the consent of the Customer, unless otherwise provided by law.

4.1.2 DAFC does not use, transfer, provide or share to any third party the Customer’s Personal Data without the Customer’s consent, unless otherwise provided by law.

4.1.3 DAFC will comply with other Personal Data security principles in accordance with applicable laws.

4.2 Consequences, unexpected damage may occur: DAFC uses various information security technologies to protect the Customer’s Personal Data from being retrieved, used or shared unintentionally. However, no data can be 100% secure. Therefore, DAFC is committed to providing the utmost security within the scope of the Client’s Personal Data. Some of the consequences and unexpected damages that may occur include but are not limited to:

4.2.1 Hardware and software errors in the process of data processing that cause loss of Customer’s data;

4.2.2 The security vulnerability is beyond the control of DAFC, the relevant system is attacked by hackers causing data disclosure;

4.2.3 The Customer discloses Personal Data due to: careless or fraudulent access to websites/downloading applications containing malware, etc.

4.3 DAFC recommends that the Customer keep confidential information related to the login password to the Customer’s account, OTP code and do not share this login password and OTP code with any other person.

4.4 Customers are advised to preserve electronic devices during use; Customers should lock, log out, or exit their account on DAFC’s website or App when not in use.

Article 5: TYPES OF PERSONAL DATA THAT DAFC PROCESSES

In order for DAFC to be able to provide products and services to the Customer and/or to process the Customer’s requests, DAFC may need and/or be required to collect Personal Data. Your Personal Data includes the information stated and listed below:

5.1 Basic Personal Data of the Client;

5.2 Data related to the Sites or applications: technical data (as stated above, including device type, operating system, browser type, browser settings, IP address, language settings, date and time of connection to the Site, application usage statistics,  app settings, date and time of connection to the app, location data and other technical communications); security login details; usage data;

5.3 Marketing data: concerns about advertising; cookie data; clickstream data; browsing history; reaction to direct marketing; and opt out of direct marketing.

Article 6: HOW PERSONAL DATA IS COLLECTED

DAFC collects Personal Data from Customers in the following ways:

6.1 Directly from the Client by various means:

6.1.1 When the Client submits a request to register or fill in any other form related to the products and services of DAFC, the Company’s Partners;

6.1.2 When you interact with the Company’s Customer service personnel, for example through phone calls, letters, face-to-face meetings, sending emails, or interacting on social media;

6.1.3 When you use certain DAFC services or from the means and tools that the Company participates in or accesses, such as websites and applications including the establishment of online accounts with DAFC; video footage of surveillance cameras (CCTV),

6.1.4 When the Customer is contacted and responds to DAFC’s marketing representatives and Customer service personnel;

6.1.5 When the Client submits his/her personal information to the Company for any other reason, including when the Client registers for a free trial of any of its products and services or when the Client expresses interest in any of the Company’s products and services.

6.1.6 When the Customer purchases or uses Third Party services through DAFC or at DAFC’s transaction points and business establishments;

6.1.7 The Company may collect Personal Data from other lawful sources.

6.2 From Third Parties:

6.2.1 If you interact with a Third Party’s content or advertisements on the Site or in an application, the Company may receive your personal information from the relevant Third Party, in accordance with the applicable privacy policy of that Third Party.

6.2.2 If you choose to make an electronic payment directly to DAFC or through the Website or application, DAFC may receive your Personal Data from Third Parties, such as payment service providers, for that payment purpose.

6.2.3 In order to comply with its obligations under applicable law, DAFC may receive Personal Data about Customers from competent authorities.

Article 7: ORGANIZATIONS SUBJECT TO PERSONAL DATA PROCESSING

7.1 DAFC will share or jointly process Personal Data with the following organizations and individuals:

7.1.1 TRANSPACIFIC IMPORT-EXPORT CO., LTD

7.1.2 Partners of the Company.

7.1.3 Branches, business units and employees working at DAFC’s branches, business units, and agents.

7.1.4 Commercial stores and retailers involved in the implementation of DAFC promotions.

7.1.5 DAFC’s professional advisors such as auditors, lawyers,… as prescribed by law.

7.1.6 Courts and competent state agencies in accordance with the provisions of law and/or when requested and permitted by law.

7.2 DAFC undertakes to share or co-process Personal Data only where it is necessary to fulfil the Processing Purposes set out in this Policy or in accordance with the law. Organizations and individuals that receive Customer’s Personal Data will have to comply with the content specified in this Policy and the relevant provisions of the law on Personal Data Protection.

7.3 While DAFC will make every effort to ensure that Customer information is anonymized/encrypted, it cannot completely exclude the risk that such data may be disclosed in force majeure circumstances in accordance with applicable law

7.4 In the event of the involvement of other entities set out in this Clause 7.1, the Client agrees that DAFC shall notify the Client prior to DAFC’s implementation.

Article 8: PROCESSING OF PERSONAL DATA IN SOME SPECIAL CASES

DAFC ensures that the Processing of Customer’s Personal Data fully meets the requirements of the law in the following special cases:

8.1 Surveillance camera (CCTV) footage, in specific cases, can also be used for the following purposes:

8.1.1 For quality assurance purposes;

8.1.2 For the purpose of public security and occupational safety;

8.1.3 To detect and prevent suspicious, inappropriate or unauthorized use of the Company’s utilities, products, services and/or facilities;

8.1.5 Detecting and preventing criminal acts; and/or conduct investigations into incidents.

8.2 DAFC always respects and protects children’s Personal Data. In addition to the Personal Data Protection measures required by law, before Processing Children’s Personal Data, the Company will verify the age of the child and require the consent of (i) the child and/or (ii) the child’s parent or guardian in accordance with the law.

8.3 In addition to complying with other relevant legal regulations, the Company shall obtain the consent of one of the relevant persons in accordance with the provisions of applicable laws for the Processing of Personal Data related to the Personal Data of a person who has been declared missing/deceased.

Article 9: RIGHTS AND OBLIGATIONS OF CLIENTS IN RELATION TO PERSONAL DATA PROVIDED TO DAFC

9.1 Client Rights:

9.1.1 Customers have the right to be informed about their Personal Data Processing activities, unless otherwise provided by law.

9.1.2 The Customer may or may not consent to the Processing of his/her Personal Data, unless otherwise provided by law.

9.1.3 Customers have access to view, correct or request correction of their Personal Data in writing to DAFC, unless otherwise provided by law.

9.1.4 The Client has the right to withdraw his/her consent in writing to DAFC, unless otherwise provided for by law. The withdrawal of consent does not affect the lawfulness of the data processing that was agreed to by the Client with DAFC prior to the withdrawal of consent.

9.1.5 The Customer has the right to delete or request the deletion of his/her Personal Data in writing to DAFC, unless otherwise provided by law.

9.1.6 The Customer has the right to request the restriction of the processing of his/her Personal Data in writing to DAFC, unless otherwise provided by law. The restriction of data processing will be implemented by DAFC for 72 hours after the Customer’s request, with all Personal Data requested by the Customer to be restricted, unless otherwise provided by law.

9.1.7 The Customer has the right to request DAFC to provide itself with his/her Personal Data in writing to DAFC, unless otherwise provided by law.

9.1.8 The Customer has the right to object to DAFC, the Entity Entitled to the Processing of Personal Data as set out in this Policy Processing its Personal Data in writing to the DAFC in order to prevent or restrict the disclosure of Personal Data or the use of Personal Data for advertising, marketing purposes,  unless otherwise provided for by law. DAFC will fulfill the Client’s request within 72 hours after receiving the request, unless otherwise provided by law.

9.1.9 Customers have the right to complain, denounce or initiate lawsuits in accordance with the law.

9.1.10 To the maximum extent permitted by applicable law, DAFC is exempt from liability and the Client undertakes to release DAFC’s liability for damages in relation to Personal Data in any event; except for the case where DAFC violates the regulations on protection of Customer’s Personal Data as prescribed in this Policy and the provisions of the law, then the Customer only has the right to claim compensation for damages in accordance with the provisions of law.

9.1.11 Customers have the right to self-protection in accordance with the provisions of the Civil Code, other relevant laws, or request competent agencies and organizations to implement methods of protecting civil rights.

9.1.12 The Client has the right to withdraw this consent in whole or in part at any time by a formal notice to the Company (in writing), in accordance with applicable data protection laws. Customer acknowledges that the withdrawal of this consent may limit Customer’s rights to certain services, benefits, and rights, as set forth in this Policy

9.1.13 Other rights as prescribed by current law.

9.2 Client’s Obligations

9.2.1 Comply with the provisions of laws, regulations, and guidelines of DAFC regarding the processing of Customer’s Personal Data.

9.2.2 Provide complete, truthful, and accurate Personal Data and other information as required by DAFC when registering and using DAFC’s services and when there is a change in this information. DAFC will conduct the confidentiality of the Customer’s Personal Data based on the Customer’s registered information, so if there is any false information, DAFC will not be responsible in case such information affects or restricts the interests of the Customer. In case of failure to notify, if risks or losses arise, the Customer shall be responsible for errors or acts of abuse or fraud when using the service due to his/her fault or due to failure to provide correct, complete, accurate and timely information changes; including financial losses and expenses incurred due to incorrect or inconsistent information provided.

9.2.3 Coordinate with DAFC, competent state authorities or Third Parties in case of problems that affect the security of the Client’s Personal Data.

9.2.4 Protect your Personal Data; proactively apply measures to protect their Personal Data in the process of using DAFC’s services; promptly notify DAFC when detecting any errors or mistakes in his/her Personal Data or suspecting that his/her Personal Data is being breached.

9.2.5 Take responsibility for the information, data, and approvals that they create and provide in the online environment; take responsibility in case Personal Data is leaked or infringed due to his/her fault.

9.2.6 Regularly update DAFC’s Regulations and Policies in each period notified to Customers or posted on DAFC’s websites and or other transaction channels from time to time. Take actions in accordance with DAFC’s instructions to clearly express your approval or disapproval of the purposes of processing Personal Data that DAFC discloses to the Customer from time to time.

9.2.7 Respect and Protect the Personal Data of Others.

9.2.8 Other responsibilities as prescribed by law.

Article 10: PROCESSING AND STORAGE PERIOD OF PERSONAL DATA

10.1 Personal Data Processing Period: starting from the time the Customer consents to the Company processing Personal Data or the use of the Company’s products and services until the Customer completely terminates the use of the Company’s products and services or the Personal Data is requested by the Customer to be canceled in accordance with Article 10.3 below.

10.2 Retention period of Personal Data: starting from the time the Customer consents to the Company processing Personal Data or the use of the Company’s products and services until the Customer completely terminates the use of the Company’s products and services or the Personal Data is requested by the Customer to be canceled in accordance with Article 10.3 below.

10.3 Cases in which you have the right to request DAFC to delete your Personal Data immediately:

10.3.1 Withdraw consent;

10.3.3 Realizing that it is no longer necessary for the purpose of collection, have consented and accepted the possible damages when requesting the deletion of data;

10.3.3 Object to the processing of the data and DAFC has no legitimate grounds for further processing;

10.3.4 Personal Data is processed incorrectly for the agreed purposes or the processing of Personal Data is in violation of the provisions of law;

10.3.5 Personal Data must be deleted in accordance with the law.

10.4 Cases in which DAFC is allowed to refuse to delete Personal Data even if the Client requests:

10.4.1 Deletion of data is prohibited by law;

10.4.2 Personal Data is processed by competent state agencies for the purpose of serving the activities of state agencies in accordance with law;

10.4.3 Personal Data has been made public in accordance with the provisions of law;

10.4.4 Personal Data is processed to serve legal requirements, scientific research and statistics in accordance with law;

10.4.5. In case of national defense and security emergencies, social order and safety, major disasters, dangerous epidemics; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; prevention and combat of riots, terrorism, crime and law violations;

10.4.6 Responding to an emergency situation that threatens the life, health or safety of the Customer or other individual.

10.5 Time to delete and cancel Personal Data: from the end of the Personal Data storage period or at the request of the Customer to 72 hours after the end of the Personal Data storage period or at the request of the Customer.

Article 11: METHOD OF DATA PROCESSING

DAFC applies one or more activities that affect Personal Data such as: data collection, recording, storage, retrieval, analysis, use, sharing, disclosure, deletion, encryption, decryption and automatic processing of Personal Data.

ARTICLE 12: COOKIES

12.1 When you use or access DAFC’s websites and online news sites (hereinafter collectively referred to as the “Website“), DAFC may place one or more cookies on your device.”A“cookie” is a small file placed on the Customer’s device when the Customer accesses a Web Site, which records information about the Customer’s device, browser and, in some cases, the Customer’s preferences and browsing habits. DAFC may use this information to identify you when you return to the DAFC Sites, to provide personalized services on the DAFC Sites, to compile analytics to better understand the operation of the Sites and to improve the DAFC Sites. Customers can use their browser settings to delete or block cookies on their devices. However, if you decide not to accept or block cookies from the DAFC Websites, you may not be able to take full advantage of all the features of the DAFC Websites.

12.2 DAFC may process your personal information through cookie technology, in accordance with the provisions of these Terms. DAFC may also use remarketing to serve ads to individuals that DAFC knows have previously visited its Site.

12.3 To the extent that Third Parties have assigned content on DAFC’s Sites (e.g., social media features), such Third Parties may collect your personal information (e.g., cookie data) if you choose to interact with such Third Party’s content or use the Third Party’s services.

Article 13: CONTACT INFORMATION FOR PROCESSING PERSONAL DATA

In the event that the Client has any questions regarding this Policy or matters relating to the rights of the data subject or the Processing of the Client’s Personal Data, the Client may use the following contact forms:

13.1 Send a letter to the Company at: DAFC – 3rd Floor, Centec Building, 72 – 74 Nguyen Thi Minh Khai, Vo Thi Sau Ward, District 3, Ho Chi Minh City, Vietnam

13.2 Send an email to the email box: nguyen@dafc.com.vn; phong.dang@dafc.com.vn

13.3 Phone: +8428 3825 7537

Article 14: GENERAL PROVISIONS

14.1 This policy is effective from 01/06/2024.

14.2 The Client understands and agrees that this Policy may be amended from time to time and updated through the DAFC Trading Channels. The changes and the effective date will be updated and announced in the DAFC Trading Channels. The Customer’s continued use of the service after the deadline for notifying the amended and supplemented contents in each period means that the Customer has accepted such amended and supplemented contents.

14.3 The Customer has clearly understood and agreed that this Policy is also the Notice of Personal Data Processing specified in Decree No. 13/2023/ND-CP, dated 17/04/2023and amended and supplemented from time to time. Accordingly, DAFC does not need to take any other measures for the purpose of notifying the Customer of the Processing of Personal Data.

14.4 The Customer commits to strictly implement the provisions of this Policy. For matters that have not been regulated, the Parties agree to comply with the provisions of law, the guidance of competent State agencies and/or amendments and supplements to this Policy shall be notified by DAFC to the Customer from time to time.

14.5 You may see advertisements or other content on any Site, application or device that may link to Sites or services of partners, advertisers, sponsors or other Third Parties. DAFC does not control the content or links appearing on the Sites or Third Party services and assumes no responsibility or liability for the activities used by the Sites or Third Party services linked to or from any of the Sites,  app or device. The Sites and these services may be subject to the Third Party’s own privacy policies and terms of use.

14.6 This Policy is entered into on the basis of good faith between DAFC and the Client. In the process of implementation, if a dispute arises, the Parties will actively settle it through negotiation and mediation. In case of unsuccessful mediation, the dispute will be brought to a competent People’s Court for settlement in accordance with law.

14.7 This Policy constitutes the entire understanding between the Client and the Company regarding access to personal information and supersedes all prior written or understood (if any), whether written or oral. This Policy shall be binding and effective for the benefit of the parties as well as their respective successors and assigns.

14.8 Customers have carefully read, understood their rights and obligations and agree to the entire content of this Policy./.

ROLEX SECTION

While navigating on the Rolex section of our website, some cookies are controlled by ROLEX SA which applies the following Cookies Policy.