OVERVIEW
Your Personal Data is important to us, and we want to ensure that you understand how we process and protect this information.
As the Data Controller and/or the Data Controller and Processor (as defined in Decree No. 13/2023/NĐ-CP issued on April 17, 2023, effective from July 1, 2023 – hereinafter referred to as “Decree 13”), this Data Protection Policy (“Policy”) explains how we process the data you provide to us or that is collected by us.
For the purposes of this Policy, the following terms shall have the meanings set out below:
“Central Retail Vietnam Group” or “we” refers to all companies established in Vietnam for the purposes of investment, business operations, management, development, and operation of supermarkets and/or shopping centers and/or retail stores under the brands “GO!”, “Big C”, “Nguyễn Kim”, “SuperSports”, “Tops Market”, “Come Home”, “Robins”, “Lan Chi”, “HOKA Vietnam”, and any other brands we operate from time to time.
“You” refers to any individual or organization interacting with us in specific contexts in which personal data is processed, for example: customers, suppliers, business partners, contractors, agents, job applicants, or employees.
“Data Processing” means one or more activities performed on Personal Data, such as collecting, recording, analyzing, verifying, storing, modifying, disclosing, combining, accessing, retrieving, recovering, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying Personal Data, or any other related actions.
“Personal Data” refers to information in the form of symbols, letters, numbers, images, sounds, or similar formats on an electronic medium that is associated with or helps identify a specific individual. Personal Data includes both basic personal data and sensitive personal data.
Our websites (“website”), applications, and other platforms may contain links to third-party websites/applications/platforms that are not owned or controlled by us. We are not responsible for how those websites, applications, or platforms operate or process your data. Therefore, we recommend that you carefully review the personal data protection policies and privacy terms of such third parties.
1. PERSONAL DATA WE COLLECT
We collect Personal Data from various sources, which may include:
- Personal Data You Provide to Us
We collect information about how you use our services and products, such as the types of products/services you view or are interested in, and how frequently you use our services. We also collect the Personal Data that you voluntarily provide to us when you subscribe to our marketing newsletters, complete a survey, or register an account to purchase our products or services. When doing so, we may ask you to provide Personal Data such as your name, gender, date of birth, address, email address, phone number, or credit card details. Please note that credit card information is considered sensitive personal data as defined under Decree 13. - Personal Data Collected Automatically
We also receive and store certain types of Personal Data whenever you interact with us online. For example, we use cookies and other technologies to collect Personal Data when your web browser accesses our websites, advertisements, or other content provided by or on behalf of us on third-party websites. Your Personal Data may also be collected when you search, make purchases, post content, participate in an event or program, respond to surveys, or communicate with our customer service team. Examples of the types of Personal Data we collect include your IP address, device identifiers, location data, information about your computer and connection such as browser type and version, time zone settings, browser plug-in types and versions, operating system, and purchase history — which we may sometimes aggregate with similar information from other consumers. Please note that location data is classified as sensitive personal data under Decree 13. - Personal Data Collected from Other Legitimate Sources
We also collect Personal Data from other lawful sources, including trusted partnerships between us and third parties, and in cases where we operate branded accounts on third-party platforms. For example, when you use the “Like” feature on Facebook or the “+1” feature on Google+. In addition, we receive information about you and other users’ interactions with our advertisements to measure the effectiveness and relevance of our marketing campaigns. We may also collect information about you and your activities from third parties with whom we jointly provide products or services.
The types of Personal Data we collect depend on the specific contexts mentioned above and may include, but are not limited to, the following information:
1.1 Identification and Identity Information
Examples include: image, full name, date of birth, passport number, identity card number, citizen identification number, personal identification number, driver’s license number, vehicle registration number, personal tax code, social insurance number, health insurance card number, photographs, voice recordings, fingerprints, signature, nationality, and other basic data as prescribed under Decree 13. Please note that fingerprints are considered sensitive personal data under Decree 13.
1.2 Contact Information
Examples include: billing address, shipping address, email address, phone number, workplace address, permanent address, temporary residence address, etc.
1.3 Personal Relationship Information
Examples include: marital status, family relationships (parents, spouse, children), employment relationships, etc.
1.4 Membership Information
Examples include: membership card number, member’s personal information, reward points, date and month of joining/registering for membership, etc.
1.5 Financial Information
Examples include: bank account/debit card/credit card numbers, account holder’s name, type of payment card or account used, etc. Please note that this information is classified as sensitive personal data under Decree 13.
1.6 Transaction Information
Examples include: details of payments made by you (payment time, payment amount, refund details, refund amount), purchase location, order number, service appointment date, warranty details, transaction status, and/or any information arising from the use of products or services provided by us, etc.
1.7 Information from Computers/Mobile Devices
Examples include any information about the computer system or other technological devices you use to access any of our websites, applications, or other platforms — such as the IP address used to connect your computer or device to the Internet, operating system, and the type and version of your web browser. If you access our website or applications using a mobile device, such as a smartphone, the information collected (where permitted) may also include your device’s unique ID, advertising ID, and similar mobile device data.
1.8 Behavioral Information
Examples include:
Information about your purchasing behavior: We collect information about the products/services you have purchased from us. This information helps us understand your preferences and provide you with more relevant product or service recommendations.
Information about your online search behavior: We collect information about the keywords you have searched on search engines, as well as the websites you have visited. This information helps us better understand your interests and deliver more relevant advertisements.
Information about how you interact with our products/services: We collect data on how you use them, such as which pages you visit, which products/services you view, and the actions you take when interacting with them. This information helps us improve our products and services.
1.9 Profile Information
Examples include your username and password, details of your profile, and your purchase history of our products/services (including product/service prices, purchase time, and quantity).
1.10 Marketing and Communication Information
Examples include your responses or level of interest when participating in surveys regarding our promotional programs or marketing events, etc.
1.11 Other Types of Sensitive Personal Data
Examples include health and personal life information recorded in medical records (excluding blood type), information on racial or ethnic origin, religious beliefs, biometric data, genetic data, criminal records, criminal behavior, customer data from credit institutions or payment intermediary services, location data of individuals determined through location-based services, and/or other sensitive information as prescribed by law.
2. PROVISION OF THIRD-PARTY PERSONAL DATA BY YOU
When you provide us with Personal Data of other individuals besides yourself, you represent and warrant to us, and hereby confirm that:
- Before disclosing such Personal Data to us, you have obtained the valid consent of the individual(s) whose Personal Data is being disclosed to us, allowing the Processing of such Data in accordance with this Policy; and
- Any Personal Data of individuals that you disclose is accurate and complete; and
- You validly represent such individual(s) and have the proper authorization from them to provide their Personal Data to us, as well as to permit us to collect, use, disclose, and process such Personal Data for the purposes set out in this Policy; and
- This Policy has been communicated to those individuals so that they are aware of and have fully consented to its contents.
If you do not satisfy any of the above representations and warranties, please do not provide the Personal Data of such individual(s) to us.
3. PURPOSES OF DATA PROCESSING
Within the scope of your consent and/or as required or permitted by law, we may use your Personal Data for one or more of the following purposes (the “Purposes”):
3.1 Provision of Products and Services
We may process your Personal Data for the purpose of operating and providing products/services to you. This may include, but is not limited to: entering into and managing our contractual relationship with you; supporting and carrying out other activities related to the products/services you request; performing financial and transactional services related to payments, including transaction checks, verification, and cancellation; processing orders, deliveries, payments, refunds, and returns; providing updates and delivery information; carrying out internal warehouse operations such as picking, packing, and labeling of parcels; verifying warranty periods; and providing after-sales services, including maintenance, servicing, and transportation, etc.
3.2 Cooperation with Third Parties
We may process your Personal Data for or in connection with the purposes of third parties (including our agents, suppliers, contractors, partners, and any other individuals or organizations that have a cooperative or service relationship with us or with you) who perform functions on our behalf, engage in, execute, or process your transactions. This may include allowing such third parties to introduce or provide products/services to you, verify your identity or connect to your account, or carry out other activities including marketing, research, analysis, product development, and customer service, etc.
3.3 Marketing and Communication
With your consent, we may process your Personal Data for the purpose of sending you promotional information, product/service updates, announcements of new product or service launches, sales programs, promotions, advertisements, notifications, news, and any other marketing or communication activities related to our products and services. Details of such programs — including their content, methods, formats, and frequency of product/service introductions — will be specifically announced in each respective program.
We may market and communicate with you through various channels, as appropriate, including on our website/applications and/or through chat applications (e.g., SMS, WhatsApp, Telegram, LINE, Viber, WeChat, Zalo, etc.), phone calls, and email.
3.4 Registration and Verification
We may process your Personal Data for the purposes of registering, verifying, or authenticating your identity when we provide products/services to you and/or for other purposes as required by law and as set out in this Policy.
3.5 Relationship Management
We may process your Personal Data for the purposes of contacting, communicating, personnel management, customer file management, and handling information requests, inquiries, feedback, and complaints at your request in connection with the products/services we provide to you.
3.6 Data Analysis
We may process your Personal Data for the purposes of recommending products/services that may interest you, identifying your preferences, and personalizing your experience; to better understand you, the products and services you receive, and other products/services you may wish to receive; to measure your engagement level, conduct data analysis, data profiling, market research, surveys, behavioral assessments, statistics, segmentation, trends, and consumer pattern analysis, etc.
3.7 Improvement of Products/Services
We may process your Personal Data for the purposes of troubleshooting and diagnosing issues, errors, defects, or malfunctions of products/services, as well as providing customer care and support services; to evaluate, improve, and develop products/services based on your satisfaction levels and consumer behavior; and to measure the effectiveness of marketing, communication campaigns, and business models.
3.8 To Support the Functions on Our Online Platforms (Websites, Mobile Applications, and Social Media Platforms)
We may process your Personal Data for the purposes of managing, operating, tracking, monitoring, and administering our websites and online platforms; ensuring that they function properly, efficiently, and securely; and facilitating your overall experience on our websites and online platforms.
3.9 Information Technology Management
We may process your Personal Data for the purposes of managing, operating, improving, and developing our information technology systems, which may include ensuring information security and data protection, maintaining the availability, integrity, and confidentiality of systems, and ensuring that system performance meets user needs.
3.10 Protection of Common Interests
We may process your Personal Data for the purposes of protecting the confidentiality, integrity, and security of data and our business operations; to exercise our rights or protect our legitimate interests when necessary. For example, to handle complaints and disputes, detect, prevent, and address unlawful activities; and to ensure compliance with our terms and conditions under any contract or agreement with any third party.
3.11 Risk Management and Fraud Detection
We may process your Personal Data for the purposes of verifying your identity and conducting compliance checks on our employees and related parties in accordance with our internal policies and/or legal requirements. For example, to comply with anti-money laundering and anti-corruption regulations, to detect and prevent fraud, and to identify and prevent violations of internal rules and regulations, etc.
3.12 Security
At our retail stores, supermarkets, shopping centers, transaction offices, workplaces, warehouses, parking lots, and other locations where part or all of our business operations are conducted (hereinafter referred to as the "Operating Locations"), we may use a CCTV surveillance system (security cameras). Our CCTV systems may be installed in certain areas within the Operating Locations to record video and audio in real time for the purpose of maintaining order, ensuring safety, and protecting the legitimate rights and interests of both you and our company at these Operating Locations. Additionally, such recordings may be used to prevent, detect, identify, or investigate any misconduct occurring at the Operating Locations when we reasonably believe there are signs of violations or upon the request of competent government authorities.
By continuing to use our products/services or participate in activities at our Operating Locations, you acknowledge and consent to our collection of data through the CCTV system and the Processing of your Personal Data for the purposes described above.
3.13 Employment Relationship Management
We may process your Personal Data for the purposes of fulfilling the rights and obligations of both the Employer and the Employee in accordance with applicable laws; to manage the employment relationship, including but not limited to: evaluating and processing job applications, verifying candidates, managing employee records, reporting labor usage within the local area (e.g., salary and bonus surveys), participating in insurance programs (such as social insurance and health insurance), conducting periodic health check-ups, and other related activities.
3.14 Compliance with Legal Regulations
We may process your Personal Data for the purpose of complying with applicable laws and regulations, as well as requests from competent governmental authorities in Vietnam and other jurisdictions where we lawfully conduct business operations.
4. SHARING OF PERSONAL DATA
We may disclose or transfer your Personal Data to the following third parties, as appropriate, for the Purposes set out in this Policy. The third parties mentioned below may be located within Vietnam or in territories outside of Vietnam.
4.1 Companies within the same corporate group
We are part of the Central Group data ecosystem, which consists of multiple affiliated companies. The companies within this ecosystem share certain relevant information and Personal Data to carry out one or more of the Purposes stated in this Policy, as well as to support operational and administrative activities across the entire system in line with the Group’s overall direction. This means that we may need to disclose, share, or transfer your Personal Data to other companies within the ecosystem for the aforementioned Purposes.
We will only disclose or transfer your Personal Data to companies within the ecosystem when we have a reasonable basis to believe that they will protect your privacy and the security of your Personal Data. We will also implement appropriate safeguards to prevent your Personal Data from being used for any purposes other than those specified.
4.2 Service Providers
We may share your Personal Data with our partners and service providers, including but not limited to: providers of technical infrastructure, internet, software, websites, and information technology services; warehouse and logistics providers; payment service providers; media and event organizers; telecommunications providers; insurance providers; financial service providers; transportation providers; and other suppliers of goods and services.
4.3 Business Partners
We may share your Personal Data with our business partners in various industries, including but not limited to: retail, real estate, finance and banking, investment, insurance, telecommunications, marketing, e-commerce, logistics, and information technology.
4.4 Websites and Social Media Platforms
We may, at our discretion, provide you with the option to log in to our websites and platforms without manually entering your information into a form. When you use social media login systems, you consent to our access to and storage of public data from your social media accounts (such as Facebook, Google, Instagram, etc.) and any other data that you have authorized us to access through the use of those social login systems. In addition, we may link your email address with social media networks to verify whether you are a user of the relevant social network and, where appropriate, to display relevant and personalized advertisements on your social media accounts.
4.5 Third Parties as Required by Competent Government Authorities and/or by Law
We are committed to protecting your Personal Data and will only disclose or share it upon the request of competent government authorities and/or as required by law. In such cases, we will cooperate with the relevant authorities or other authorized third parties to comply with legal obligations, protect our rights and yours, and to prevent fraud, ensure security, or address information safety concerns.
4.6 Advisors
Our advisors may include, but are not limited to, lawyers, engineers, auditors, investment consultants, valuation firms, and/or any other professional advisors that we deem necessary to support the operation and management of our business activities.
4.7 Assignees of Rights and/or Obligations
We may transfer your Personal Data to relevant third parties in the event that we undertake or participate in any form of restructuring, merger, acquisition, joint venture, assignment, transfer, or divestment involving all or part of our equity, shares, assets, or business operations.
5. CROSS-BORDER TRANSFER OF PERSONAL DATA
Your Personal Data may be transferred by us from Vietnam (the "Home Country") to another location, city, or country outside the territory of Vietnam (the "Destination Country"). When we transfer your Personal Data from the Home Country to the Destination Country, we will comply with all applicable legal obligations and regulations regarding your Personal Data, including having a lawful basis for such transfer and implementing appropriate safeguards to ensure an adequate level of protection for your Personal Data. The lawful basis for such transfer, as provided in this section, shall be your consent to this Policy and the protective measures required by applicable laws.
6. RETENTION AND PROCESSING PERIOD OF PERSONAL DATA
We will only retain and process your Personal Data for as long as necessary to fulfill the Purposes set out in this Policy or to comply with our legal obligations. The processing of your Personal Data begins from the moment we obtain access to your Personal Data.
We will cease retaining your Personal Data by securely deleting or destroying it in accordance with applicable laws and this Policy when (i) there are reasonable grounds to believe that such retention no longer serves the purposes for which the Personal Data was collected and is no longer necessary for any legal or business purpose; and/or (ii) the retention period prescribed by law has expired; and/or (iii) you request the deletion of your Personal Data, object to, restrict the processing, or withdraw your consent for the processing of your Personal Data.
Notwithstanding the above provisions, we may retain certain portions of your Personal Data to exercise our rights, to comply with this Policy, or to fulfill legal requirements.
7. YOUR RIGHTS AND OBLIGATIONS
7.1 Right to Be Informed
You have the right to be clearly, transparently, and fully informed about how we process your Personal Data, including information regarding your rights and obligations in relation to your Personal Data when it is processed by us, unless otherwise provided by law.
7.2 Right to Consent and Withdraw Consent
You have the right to provide consent for us to process your Personal Data under this Policy (specifically where we rely on your consent as the legal basis for processing your data). You also have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before such withdrawal.
You have the right to withdraw your consent at any time, unless otherwise provided by law, by notifying us of your decision (however, such withdrawal shall not affect the lawfulness of the processing of your Personal Data that was based on your consent prior to its withdrawal).
7.3 Right to Access and Rectification
You have the right to access, review, correct, or request that we correct any of your Personal Data being processed by us, unless otherwise required by law.
We shall not be held responsible for any issues arising in cases where the Personal Data you provided (i) is falsified or inaccurate (in whole or in part), (ii) is misleading, (iii) is incomplete, irrelevant, or outdated, or (iv) has not been updated or corrected to reflect any changes to your Personal Data, as well as in other cases as prescribed by law.
7.4 Right to Erasure
You have the right to request that we delete part or all of your Personal Data, unless otherwise required by law. Please note that this is not an absolute right in all circumstances, as we may have legal grounds to retain your Personal Data for the purpose of complying with legal obligations and/or requests from competent government authorities.
7.5 Right to Restrict Processing
You have the right to request that we restrict the processing of your Personal Data, unless otherwise provided by law. This right means that the scope of our processing activities concerning your Personal Data will be limited — we may store your information but will not be permitted to further use or process it.
7.6 Right to Data Portability
You may request that we provide you with a copy of your Personal Data that we currently hold.
7.7 Right to Object to Processing
You have the right to object to the processing of your Personal Data in order to prevent or restrict its disclosure or use for advertising and marketing purposes, unless otherwise provided by law.
7.8 Right to Lodge Complaints, Denunciations, and Legal Actions
You have the right to contact the competent data protection authority to file complaints, denunciations, or initiate legal proceedings in accordance with applicable laws.
7.9 Right to Claim Compensation for Damages
You have the right to claim compensation for damages in accordance with the law if there are grounds to believe that we have violated regulations concerning the protection of your Personal Data, unless otherwise agreed by the parties or stipulated by law.
7.10 Right to Self-Protection
You have the right to protect yourself in accordance with the provisions of the Civil Code and applicable laws, or to request that competent authorities and organizations implement measures to safeguard your civil rights as prescribed by the Civil Code.
We always strive to handle your requests promptly, fairly, and transparently. However, we reserve the right to reject any requests that are unfounded, repetitive, infringe upon the legitimate rights and interests of us or any third party, or fall outside our authority or scope of data processing. In such cases, we will inform you of the reasons for refusal and provide possible remedies, if applicable.
You may exercise these rights by sending us an email at the address provided in the “Contact Us” section, along with any relevant documents (as required by us and/or permitted by law). If a request is made by someone other than you and that person fails to provide sufficient proof that the request is lawfully made on your behalf and with your valid consent, such a request will be rejected.
For your privacy and data security, we may require you to verify your identity before responding to any request you make to exercise your rights under Article 7 of this Policy.
7.11 Your Obligations
- Provide complete and accurate Personal Data when you consent to our Processing of your Data;
- Respect and protect the Personal Data of others;
- Comply with all other legal requirements and obligations applicable to data subjects as prescribed by law.
7.12 Note on Possible Unintended Consequences or Damages
If you exercise one or more of your rights as set out in Articles 7.2, 7.4, 7.5, or 7.7 of this Policy, we may (i) be unable to take the necessary actions to achieve the Processing Purposes described in this Policy for you; and/or (ii) be unable to perform or enter into any contract that we have entered into or are attempting to enter into with you; and/or (iii) be unable to provide you with our products or services.
Your exercise of these rights and any unintended consequences as mentioned in this Section 7.12 shall be deemed as your termination of any relationship you have with us and/or a breach of your obligations or contractual commitments. For the avoidance of doubt, we expressly reserve our legal rights and remedies in such cases and shall not be held liable to you for any loss, damage, claim, or action arising from your exercise of such rights.
8. DATA PROTECTION
We have implemented and continue to apply various technical and organizational measures to protect and secure your Personal Data, such as:
- Implementing information security policies and procedures, along with technical measures, to safeguard Personal Data and comply with legal requirements;
- Conducting cybersecurity assessments on systems, tools, and devices used for Personal Data processing prior to use, and securely deleting or destroying devices containing Personal Data to prevent recovery;
- Providing training and requiring employees who have access to customers’ Personal Data to comply with our data privacy and security standards;
- We also require our service providers or other third parties with whom we cooperate and to whom we disclose customers’ Personal Data to implement equivalent standards and measures for data security, privacy, and protection when Processing your Personal Data.
9. CHILDREN’S PRIVACY RIGHTS
Children are defined as individuals under the age of 16 in accordance with current Vietnamese law, and this age definition may vary depending on the applicable legal regulations from time to time.
We have implemented, are implementing, and will continue to implement appropriate additional protective measures to help ensure the safety of children’s Personal Data, based on the principle of safeguarding the rights and best interests of the child.
Before Processing a child’s Personal Data, we are required to obtain the child’s consent if the child is aged 07 years or older, as well as the consent of the child’s parent(s) or legal guardian(s) in accordance with the law.
We will take the necessary measures, as required by law, to verify the age before Processing a child’s Personal Data. You must understand that if you provide us with a child’s Personal Data, you are required to prove that you are the child’s parent or legal guardian, or that you have obtained the consent and authorization of the child’s parent or legal guardian before providing such information.
We will cease Processing and may delete or destroy a child’s Personal Data when necessary to protect the lawful rights and interests of the child, in accordance with applicable laws and consistent with our business principles — for example: (i) when the child, or the child’s parent or legal guardian, withdraws consent for the Processing of the child’s Personal Data; or (ii) upon the request of competent authorities.
In the event that a child’s Personal Data is disclosed to us by you in violation of the above provisions, and we are unaware of and/or unable to verify such violation at the time you provide the data, you hereby consent to the Processing of the child’s Personal Data and agree to be bound by this Policy, taking full responsibility for any issues arising in connection with such child’s Personal Data. We shall not be liable for any unauthorized use of our products and/or services by you or any related parties in violation of this Policy.
10. COOKIE
A cookie is a text file placed on your hard drive by a website server. Cookies cannot be used to run programs or deliver viruses to your computer. Each cookie is uniquely assigned to your device and can only be read by a web server in the domain that issued the cookie to you.
We use “cookies” to help personalize and maximize your online experience when visiting our website/app, allowing you to save time by not having to re-enter previously provided information.
You may choose to accept or decline cookies. Most browsers automatically accept cookies, but you can modify your browser settings to decline all cookies if you prefer. However, if you choose to decline cookies, it may hinder or negatively affect certain services and features that rely on cookies on the website/app.[NTD1]
11. UPDATES TO THE DATA PROTECTION POLICY
We may review, amend, or automatically update this Policy on our applications/websites/other platforms at our sole discretion from time to time to ensure that such updates align with our business operations and comply with changes in legal regulations. If the changes are material, we will provide a more prominent notice (for example, through a general announcement published on our applications/websites/other platforms or via the email address you have provided).
You agree that it is your responsibility to regularly review this Policy to stay informed of the latest information regarding how we Process your Data. Therefore, your continued use of our applications/websites/other platforms or use of our products and services after any amendments to this Policy shall constitute your consent to this Policy and any such amendments, as well as to the Processing of your Data in accordance with this Policy and any amendments (if applicable).
12. CONTACT US
If you have any questions, complaints, or feedback regarding how we Process your Data, or if you wish to exercise any of your rights as mentioned in this Policy, please contact us using the information below:
Personal Data Protection Department
Mailing address: 163 Phan Dang Luu Street, Cau Kieu Ward, Ho Chi Minh City, Vietnam.
Email address: CRV. dpo@vn.centralretail.com
CONSENT
Please read this Policy carefully. By checking the statement "I AGREE TO THE DATA PROTECTION POLICY" or any similar statement displayed on our websites/other platforms, or by signing the forms provided by us in specific cases, you confirm that you have read and fully understood the contents of this Policy and agree to allow us to Process your Data in accordance with the provisions of this Policy.
If you do not agree with any part of this Policy, please discontinue accessing our applications/websites/other platforms or providing/submitting your Personal Data to Us. You have the right to send your feedback, complaints, or inquiries to the "CONTACT US" section for clarification.
The information provided herein is based on the data protection policy of Central Retail Group. For more details, please see here.