Personal Data Protection Policy
Policy on principles, scope, and responsibilities for personal data processing by FTI in accordance with applicable law.
PERSONAL DATA PROTECTION POLICY
FPT International Telecom Company Limited (“FTI”) is a company established under the laws of Vietnam, with its head office at Lot L.29B-31B-33B Tan Thuan Road, Tan Thuan Export Processing Zone, Tan Thuan Ward, Ho Chi Minh City, Vietnam.
To ensure compliance with current legal regulations on personal data protection, FTI issues this Personal Data Protection Policy to transparently present the contents related to how FTI processes and protects personal data of all customers.
ARTICLE 1. DEFINITIONS
1.1. “FTI” means FPT International Telecom Company Limited.
1.2. “Policy” means this Personal Data Protection Policy.
1.3. “Personal data” means digital data or information in another form that identifies or helps identify a specific person, including basic personal data and sensitive personal data as prescribed by the current Personal Data Protection Law. Personal data after de-identification is no longer personal data.
1.4. “Basic personal data” means personal data reflecting common personal identity and background factors, frequently used in transactions and social relations, including:
- Full birth name, middle name and first name, other name (if any);
- Date, month and year of birth;
- Gender;
- Place of birth, place of birth registration, permanent residence, temporary residence, current residence, hometown, contact address;
- Nationality;
- Personal image;
- Phone number, personal identification number, passport number, driver’s license number, vehicle license plate number;
- Marital status;
- Information on family relationships (parents, spouse, children);
- Information on the individual’s digital account;
- Other information associated with a specific person or helping identify a specific person that is not specified in Article 1.5.
1.5. “Sensitive personal data” means personal data associated with personal privacy which, if infringed, will directly affect the lawful rights and interests of the individual, including:
- Political, religious and belief views;
- Information on private life, personal secrets and family secrets;
- Health status;
- Data revealing racial origin or ethnic origin;
- Biometric data and genetic characteristics;
- Data revealing sexual life or sexual orientation of the individual;
- Data on crimes and criminal acts collected and stored by law enforcement agencies;
- Username and password information for access to an individual’s electronic identification account; images of identity card, citizen identity card and identity documents;
- Username and password for bank account access; bank card information, bank account transaction history data; financial and credit information and information on activities and transaction history relating to finance, securities and insurance of customers at credit institutions, foreign bank branches, payment intermediary service providers, securities and insurance institutions and other permitted organizations;
- Location of an individual determined through location services;
- Data tracking behavior and activities of using telecommunications services, social networks, online media services and other services in cyberspace;
- Other personal data prescribed by law as specific and requiring necessary security measures.
1.6. “Data subject” means the person reflected by personal data.
1.7. “Personal data protection” means the use by agencies, organizations and individuals of forces, means and measures to prevent and combat activities infringing personal data.
1.8. “Personal data processing” means one or more activities affecting personal data, such as collection, analysis, synthesis, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer of personal data and other activities affecting personal data.
1.9. “Personal Data Controller” means an agency, organization or individual that decides the purposes and means of processing personal data.
1.10. “Personal Data Processor” means an agency, organization or individual that processes personal data at the request of the Personal Data Controller or the Personal Data Controller and Processor through a contract.
1.11. “Personal Data Controller and Processor” means an agency, organization or individual that decides the purposes and means and directly processes personal data.
1.12. “Providing Party” means the party providing personal data of the Data Subject to the other party when preparing a transaction, during performance of a transaction with the other party or interaction with the other party. For clarity, the Providing Party may be the Data Subject, Personal Data Controller, Personal Data Processor or Personal Data Controller and Processor.
1.13. “Transaction Channel” means transaction channels between FTI and the other party, including but not limited to contracts, websites, applications or other transaction channels provided by FTI from time to time.
1.14. “Applicable Law” means any currently applicable law relating to personal data protection and amendments, supplements, replacements and implementing guidance, including but not limited to: Personal Data Protection Law 2025, Data Law 2024, Law on Protection of Consumer Rights 2023, Cybersecurity Law 2018, Law on Cyberinformation Security 2015, Civil Code 2015 and decrees, circulars and other relevant legal normative documents.
ARTICLE 2. SOURCES OF COLLECTION AND TYPES OF PERSONAL DATA COLLECTED, CONTROLLED AND PROCESSED
2.1. Sources of personal data collection
During the provision and use of products and services, each Party may collect, receive, control and/or process personal data of the other Party and/or relevant third parties, depending on each Party’s role in each personal data processing activity, from the following sources:
a) Directly from the Providing Party through conclusion and performance of contracts; registration and use of products and services; transactions and information exchange between the Parties; service provision and/or use systems, websites, mobile applications or other lawful channels;
b) From data generated during the provision and use of products and services, including data created, recorded, stored and transmitted on systems, platforms and technical infrastructure provided, managed or operated by one of the Parties;
c) From third parties, including member units, partners, service providers or other related parties, where the Data Subject has consented or where law permits;
d) From competent state agencies or governmental organizations in accordance with law.
2.2. Types of personal data collected, controlled and processed
During the provision of products and services to customers, FTI and customers may perform one or more personal data processing activities and/or participate in personal data processing with respect to the following personal data:
a. Full birth name, middle name and first name, other name (if any);
b. Date, month and year of birth;
c. Gender;
d. Place of birth, place of birth registration, registered permanent residence, registered temporary residence, current residence, hometown, contact address;
e. Nationality;
f. Personal image, including images provided when registering for services and images uploaded by the Providing Party on FTI’s application/website during service use;
g. Phone number, personal identification number;
h. Bank card/account information;
i. Call information, messages and call recording data generated during the Providing Party’s use of FTI voice, messaging and call center services;
j. Image, audio and video data generated during the Providing Party’s use of FTI camera services with data storage features;
k. Data uploaded, stored and created by the Providing Party on cloud computing service systems and platforms provided by the Personal Data Controller and/or Processor;
l. Information on the individual’s digital account; personal data reflecting activities and activity history in cyberspace;
m. Telecommunications consumption behavior data: call, SMS, data, VAS;
n. Data provided by the Providing Party to FTI when registering for services and data generated during the Customer’s use of FTI services and/or third-party services through FTI.
ARTICLE 3. COMMITMENTS ON PERSONAL DATA PROTECTION
3.1. This Policy regulates the purposes, scope and methods by which FTI and/or the Providing Party processes personal data and/or participates in personal data processing during preparation and implementation of FTI’s provision of products and services or during the Providing Party’s interaction with FTI.
3.2. The Parties commit to comply with the following principles:
a. Personal data of the Providing Party is collected, processed and stored lawfully, appropriately, within the correct scope and purposes stated in this Policy, ensuring compliance with Applicable Law;
b. Personal data is accurate according to information provided by the Providing Party; there is no obligation to verify authenticity of personal data. Inaccurate data or data no longer suitable for the processing purpose will be amended or deleted in a timely manner in accordance with Applicable Law;
c. Proactively prevent, detect, stop and strictly handle all violations of law on personal data protection.
3.3. The Parties are responsible for ensuring their partners (service providers, other providers, customers, etc.) also comply with personal data protection under Applicable Law.
3.4. The Parties commit to comply with other principles prescribed by law on personal data protection, especially regulations related to rights of data owners and obligations on cross-border data transfer.
ARTICLE 4. PURPOSES OF CONTROLLING AND PROCESSING PERSONAL DATA
4.1. The Providing Party agrees to allow FTI to perform and/or participate in personal data processing for the following purposes:
a. Support the Providing Party and update Providing Party information when purchasing and using products and services provided by FTI and/or services provided by third parties through FTI;
b. Provide third-party products and services to the Providing Party (including but not limited to registration and management of Accounts/Resources/Brandnames/Hotlines using Services, service registration and warranty support, forwarding information to Service Providers...). For clarity, a third party may be a Personal Data Processor or Personal Data Controller and Processor;
c. Organize product introduction and trade promotion, market research, public opinion surveys and brokerage;
d. Research and develop new services and provide suitable products and services to the Providing Party;
e. Introduce products and advertisements;
f. Measure, analyze internal data, evaluate and conduct other processing to improve and enhance the quality of services FTI provides to the Providing Party;
g. Investigate and resolve inquiries and complaints of the Providing Party;
h. Adjust, update, secure and improve the products, services and equipment that FTI is providing;
i. Verify identity and ensure information security of the Providing Party;
j. Notify the Providing Party of changes to policies and promotions of products and services provided by FTI;
k. Prevent and combat fraud, identity theft and other illegal activities;
l. Comply with current laws, relevant industry standards and other current FTI policies;
m. Maintain records and comply with legal and tax obligations during provision of products and services. FTI will store these personal data for a period of time or as prescribed by law;
n. Any other purpose dedicated to FTI’s operations and any other purpose that FTI notifies to the Providing Party at the time of collecting the Providing Party’s personal data or before starting relevant data processing, or as otherwise required or permitted by current law.
o. Other cases for the purpose of performing transactions, contracts and agreements between FTI and the Providing Party.
4.2. The Providing Party has the right not to agree or to withdraw consent allowing personal data processing for all or each purpose specified in Article 4.1 above by written notice or email.
4.3. Where it is necessary to process the Providing Party’s personal data for other purposes or at the request of the Providing Party, the Personal Data Processor and/or Personal Data Controller and Processor will notify the Providing Party through FTI Transaction Channels for the Providing Party to express consent before implementation.
4.4. The Parties have had it explained to them, and understand, that personal data processing may be applied simultaneously for multiple purposes. Purpose(s) not listed in detail (if any) but falling within the scope covered by this Article are acknowledged by the Parties as lawful purposes and satisfying consent requirements under law.
ARTICLE 5. PERSONAL DATA RETENTION AND PROCESSING PERIOD
Each Party will store and process personal data provided by the Providing Party on systems it manages, within the scope necessary to serve the provision and use of products and services, contract performance, until completion of personal data control and processing purposes or for the period necessary to comply with obligations under Applicable Law and resolve arising disputes (if any), except where the Data Subject submits a written request to withdraw consent, restrict personal data processing, or lawfully request deletion or destruction.
ARTICLE 6. ORGANIZATIONS RELATED TO PERSONAL DATA PROCESSING
6.1. Organizations receiving personal data
The Providing Party agrees that, within the scope necessary to perform the personal data processing purposes specified in Article 4 of this Policy and in accordance with Applicable Law, FTI may transfer, disclose personal data and/or share personal data processing results of the Providing Party to the following organizations and individuals:
a. FPT Group and member companies of FPT Group; telecommunications enterprises, carriers, contractors, agents, business partners, service and goods providers of FTI, where these organizations and individuals participate in personal data processing under FTI’s direction or agreement.
b. Branches, business units, agents, officers and employees of FTI, within their assigned functions and duties and consistent with the established personal data processing purposes.
c. Other related organizations and individuals, including but not limited to auditors, inspectors, lawyers, arbitrators, courts and competent state agencies, where the transfer or provision of personal data is carried out at the request of a competent authority or under Applicable Law.
FTI ensures that personal data transfer is carried out with appropriate protection measures to ensure personal data safety and confidentiality in accordance with Applicable Law.
6.2. Cross-border transfer of personal data
FTI may transfer personal data of the Providing Party across borders for processing and storage to serve the purposes stated in Article 4 of this Policy. Cross-border data transfer ensures compliance with Applicable Law.
ARTICLE 7. PERSONAL DATA PROCESSING IN SPECIAL CASES
Each Party ensures that processing of the Providing Party’s personal data fully satisfies legal requirements in the following special cases:
7.1. Footage from surveillance cameras (CCTV), in specific cases, may also be used for the following purposes:
a. for quality assurance purposes;
b. for public security and occupational safety purposes;
c. detect and prevent suspicious, inappropriate or unauthorized use of FTI utilities, products, services and/or facilities;
d. detect and prevent criminal acts; and/or
e. conduct investigations and verify incidents.
7.2. Each Party always respects and protects personal data of children, persons who have lost or have limited civil act capacity, and persons with difficulties in cognition or behavior control. In addition to personal data protection measures prescribed under Applicable Law, before processing children’s personal data, that Party will verify the child’s age and request consent from:
a. the child and the child’s legal representative where the child is a full 07 years of age or older; or
b. the child’s legal representative where the child is under 07 years old.
7.3. In addition to complying with other relevant legal regulations, for processing personal data related to personal data of persons declared missing/deceased, each Party must obtain consent from one of the relevant persons as prescribed by Applicable Law.
ARTICLE 8. RIGHTS AND OBLIGATIONS OF DATA SUBJECTS REGARDING PERSONAL DATA
8.1. Rights of Data Subjects
a. Right to be informed and right to consent
Through this Policy, the Providing Party is informed of personal data processing activities of the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor with respect to its personal data.
By accessing the website and agreeing to sign contracts and use products and services on this website, the Providing Party expresses consent allowing the Controller and/or Processor to process the Providing Party’s personal data.
b. Right to correction
The Providing Party has the right to view, correct and request the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor to correct personal data.
c. Right to request data deletion
The Providing Party has the right to request deletion of its personal data stored by the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor in cases under Applicable Law, for example where the Providing Party’s personal data is no longer necessary for the original collection or processing purpose or where the Providing Party’s personal data is processed unlawfully.
d. Right to restrict personal data processing
The Providing Party has the right to request the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor to limit, restrict or object to one or more activities in the process of processing the Providing Party’s personal data based on conditions under Applicable Law.
e. Right to withdraw consent
Where processing of the Providing Party’s personal data is based on prior consent of the Providing Party, the Providing Party has the right to withdraw consent at any time by sending written notice to the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor, except where otherwise prescribed by law. However, withdrawal of consent will not affect the lawfulness of prior processing of data based on the Providing Party’s consent.
If the Providing Party withdraws consent, the Controller and/or Processor may not be able to provide the Providing Party with services in full and with the requested quality if the information for which consent is withdrawn directly affects service provision or service quality.
f. Right to complain, denounce or initiate lawsuits in accordance with law.
g. Right to request implementation of measures and solutions to protect personal data: the Providing Party has the right to request the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor to implement necessary measures and solutions to protect its personal data.
h. Right to request compensation for actual damages in accordance with law if the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor violates regulations on personal data protection, except where otherwise agreed by the parties or otherwise provided by law.
i. Other rights under Applicable Law.
j. Method of exercising rights: by written notice sent to the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor or by another method provided by the Personal Data Controller, Personal Data Processor and/or Personal Data Controller and Processor.
8.2. Obligations of the Providing Party
a. Where the Providing Party is an organization and provides personal data of individuals related to or managed by the Providing Party to the Controller and/or Processor, the Providing Party ensures that it has obtained consent from such individuals to provide their data; provides complete and accurate personal data under the contract or when agreeing to allow personal data processing.
b. Comply with laws, regulations and FTI guidance relating to processing of personal data of the Providing Party.
c. Take responsibility for personal data and consent that it creates and provides in the network environment; take responsibility where personal data is leaked or infringed due to its fault.
d. Regularly keep up to date with FTI regulations and policies on personal data protection, as notified to the other Party or posted on FTI Transaction Channels from time to time. Carry out actions according to FTI guidance to clearly express consent or non-consent to personal data processing purposes notified by FTI from time to time.
e. Other obligations under Applicable Law.
ARTICLE 9. RIGHTS AND OBLIGATIONS OF PERSONAL DATA CONTROLLERS, PERSONAL DATA PROCESSORS AND/OR PERSONAL DATA CONTROLLERS AND PROCESSORS
9.1. Rights of Personal Data Controllers, Personal Data Processors and/or Personal Data Controllers and Processors
a. Request the Providing Party to provide necessary information and documents to ensure personal data processing complies with this Policy and Applicable Law.
b. Perform personal data processing within the scope and purposes prescribed in Article a of this Policy.
c. Other rights under Applicable Law.
9.2. Obligations of Personal Data Controllers, Personal Data Processors and/or Personal Data Controllers and Processors
a. Ensure the rights of the Providing Party as prescribed in this Policy and Applicable Law.
b. Implement security measures and personal data protection measures under Applicable Law and comply with the commitments prescribed in Article 3 of this Policy.
c. Support the Providing Party in implementing requests of Data Subjects within its capacity.
d. Delete and destroy personal data after completing personal data processing, expiry of retention period, termination of contracts, agreements or related documents, and/or other cases prescribed by law.
e. Coordinate with competent state agencies in personal data protection, provide information serving investigation and handling of violations of laws on personal data protection.
f. Other obligations under Applicable Law.
ARTICLE 10. POTENTIAL UNINTENDED CONSEQUENCES AND DAMAGES
10.1. FTI uses various information security technologies to protect personal data from unintended access, use or sharing. However, no data can be 100% secure. Therefore, FTI commits to securing personal data to the maximum extent.
Some unintended consequences and damages that may occur include but are not limited to:
a. Hardware or software errors during data processing causing loss of data of the Providing Party;
b. Security vulnerabilities outside FTI’s control, systems attacked by third parties causing data leakage;
c. The Providing Party leaks personal data due to carelessness or fraud; accessing websites/downloading applications containing malicious software...
10.2. FTI recommends that the Providing Party keep confidential information related to the Providing Party’s account login password and OTP code and not share such login password or OTP code with anyone else.
10.3. The Providing Party should keep electronic devices secure during use. The Providing Party should lock, log out of, or exit its account on FTI’s website or application when no longer needed.
10.4. Where FTI becomes aware that a data storage server is attacked by a third party leading to loss of personal data of the Providing Party, FTI will be responsible for notifying the incident to competent authorities for timely investigation and handling and notifying the Providing Party.
ARTICLE 11. GENERAL TERMS
11.1. This Policy takes effect from 01/01/2026 and will be updated, amended and supplemented from time to time in accordance with law without prior notice or approval, except where changed contents must be consented to by the Providing Party under Applicable Law. Continued use of products and services by the Providing Party after the notification period for amendments and supplements from time to time means the Providing Party has accepted such amendments and supplements.
11.2. Customer provision of personal data, registration or continued use of FTI products and services and/or confirmation of consent through appropriate forms under Applicable Law is understood as customer consent for FTI to process personal data for the purposes stated in this Policy. FTI does not need to take any other measure for the purpose of notifying personal data processing to the Providing Party, except where law clearly requires separate consent. Customers have the right to change or withdraw consent in accordance with Applicable Law.
11.3. This Policy is interpreted and governed by Vietnamese law.
11.4. This Policy represents the entire Policy between the Parties and supersedes all prior understandings or Policies in writing, orally or in other forms relating to the matters mentioned above.
11.5. For personal data protection purposes in accordance with Applicable Law, this Policy will also apply to contracts, agreements and documents between the Parties signed before, during and after this Policy takes effect.
11.6. If any provision of this Policy is held invalid by a competent court, that provision will automatically become invalid and no longer binding on the Parties; however, such ruling will not affect validity of the remaining provisions of this Policy, and those provisions will remain in full force and effect.
11.7. This Policy is publicly posted by FTI on the website for the Parties to be aware of. The Parties agree that they have carefully read, clearly understood their rights and obligations and agreed to the entire contents of this Policy. In addition, by signing any contract, agreement or other document in which this Policy is referenced, the Providing Parties commit that they agree or have obtained full consent of Data Subjects regarding provision, processing and control of their personal data throughout transaction and contract performance, and ensure compliance with the personal data protection regulations stated in this Policy. This Policy is an inseparable part of any contract, agreement or other document in which this Policy is referenced.