logo-header.png
icon-phone.svg

Đường dây nóng:

024 3959 0352
VN

KGV Privacy Policy

 

1. Basic Policy

Kurita-GK Vietnam Co., Ltd. (the “Company”) shall comply with the laws and regulations, guidelines, etc. on personal data protection of Vietnam, the Personal Data Protection Law (“PDPL”) and Decree No. 356/2025/ND-CP (“Decree 356”), as amended from time to time, and properly obtain and handle the personal data (which shall have the meaning as set forth in the Personal Data Protection Laws) of customers, business partners, owner and officers and employees, etc. (collectively, the “Data Subjects”), and make efforts to protect personal data. In the event of any inconsistency between this Privacy Policy and mandatory applicable law, such law shall prevail.

 

2. Collection of Personal Data

The Company may obtain from the Data Subjects, their names, company names, affiliation, telephone numbers, email addresses, positions, and online identifiers; and with respect to employees, personal data necessary for personnel management, labor management, company asset management, etc., and other information necessary to achieve the purpose of use stated in the “Purpose of Use” below. In addition, the Company shall obtain the foregoing from public information on the Internet, social media, and provision from third parties. Where required by applicable law, the Company will provide appropriate notice to Data Subjects regarding the categories of personal data collected (including whether sensitive personal data is involved) and the purposes of processing.

 

3. Purposes of Use

The Company will use obtained personal data for the following purposes:

(1) Customers’ personal data

• For provision of products and services

• For appropriate and smooth transactions

• For responses to various inquiries including consultations on products and services

• For research and analysis, etc. on products and services such as customer satisfaction surveys and browsing history acquisition

• For analysis of information such as obtained browsing history, and provision of information by sending catalogues or emails, etc. on products and services regarding which customers’ interests are high

(2) Business partners’ personal data

• For various communications necessary in the course of business

• For appropriate and smooth transactions

(3) Personal data of applicants for recruitment, applicants for internship, and retirees

• For work on provision of information and recruitment

• For management of recruitment work at the Company

• For the provision of information, communication, etc. to retirees

(4) Personal data of the owner, Company’s officers, employees, etc.

• For personnel and labor management, salary-related work, expense settlement work, education and training and human resources management, provision of welfare benefits, and work pursuant to laws and regulations such as social insurance and taxation

• For health control, ensuring health and safety, crime prevention, asset management, and provision of IT services

• For business communications and for other work incidental to the purpose above

Where required by applicable law, the Company will obtain valid consent for processing personal data, and such consent will be clear and verifiable as to timing and content, will not be obtained through default or misleading settings, and will be retained as evidence.

 

4. Roles of the Company as Data Controller and/or Data Processor

Depending on the specific processing activity and relationship with Data Subjects and other parties, the Company may act as either a personal data controller, a personal data processor, or both, in accordance with applicable personal data protection laws.

(1) Personal Data Controller
The Company acts as a personal data controller when it determines the purposes and means of processing personal data, including, without limitation, processing personal data of:
• customers and business partners in connection with the provision of products and services;
• applicants for recruitment, internship candidates, and retirees; and
• the owner, officers, and employees of the Company for personnel, labor, and corporate management purposes.
In such cases, the Company bears primary responsibility for ensuring compliance with applicable personal data protection laws, including establishing legal bases for processing, providing required notices, obtaining valid consent where required, and ensuring the protection of Data Subject rights.

(2) Personal Data Processor
The Company may act as a personal data processor when it processes personal data on behalf of another organization (including group companies or business partners) and in accordance with their lawful instructions. In such cases, the Company shall process personal data strictly within the scope, purpose, duration, and security requirements agreed with the data controller and as required by applicable law.

(3) Joint or Combined Roles
Where applicable, the Company may simultaneously act as both a personal data controller and a personal data processor for different processing activities. The Company will clarify its applicable role and responsibilities for each processing activity through internal governance measures and, where required, contractual arrangements with relevant parties.

 

5. Disclosure and Provision of Personal Data

The Company shall comply with laws and regulations, and may disclose and/or provide acquired personal data to recipients in the following category:

(1) Related company, etc: The Company may disclose and/or provide personal data to companies belonging to the Company group.

(2) Officers and employees: The Company may disclose and/or provide personal data to the Company’s officers and employees who are authorized to access and have the need to access personal data.

(3) Service providers: The Company may disclose and/or provide personal data to service providers who are third parties to perform certain services, such as IT service providers (including data servers and cloud service providers), legal advisors, and insurance companies. Where required by applicable law, the Company will put in place appropriate written agreements with recipients (including processors/third parties) specifying necessary matters such as purpose, data types, processing duration, deletion, legal basis, and responsibilities of the parties.

 

6. Provision to Persons Overseas

In the case of provision of personal data to third parties or overseas group companies beyond national boundaries, the Company shall comply with the provisions on cross-border transfer of the Personal Data Protection Laws. Where required by applicable law, the Company will prepare and submit the relevant impact assessment dossiers for cross-border transfer and implement required security measures (e.g., encryption/anonymization or other measures during transfer, and physical security measures for sensitive personal data), and will comply with any applicable review/approval mechanisms by competent authorities.

 

7. Security Control Measures

In order to properly handle personal data, the Company shall strive to strengthen and improve internal systems by appointing a personal information protection officer, developing and implementing internal rules, conducting audits, training officers and employees, other supervision of handling personal data, etc.

The Company will also designate a department/ personnel in charge of personal data protection (DPO/DPD function) as required by applicable law and ensure appropriate competency and responsibilities are maintained.

The Company implements the measures set forth below for security control.

(1) Formulation of basic policy: To ensure proper handling of personal data, Kurita Group personal information management policy is formulated.

(2) Development of rules regarding the handling of personal data: Personal data handling rules are formulated regarding handling methods, responsible person, person in charge and their duties, etc. for each stage such as acquisition, use, storage, provision, deletion, and destruction of personal data.

(3) Institutional security control measures: As well as appointment of the person responsible for the handling of personal data, employees engaged in the handling of personal data, and the scope of personal data to be handled by such employees are clarified, and the system has been developed for reports and communications to the person responsible where the facts or indicators are recognized as being in breach of the laws and handling rules.

(4) Personnel security control measures: Periodic training is conducted with employees engaged in the handling of personal data for matters to be noted regarding the handling of personal data.

(5) Physical security control measures: In the area handling personal data, as well as control of the entry and exit of employees engaged in the handling of personal data and restricting equipment to be brought in, measures to prevent inspection of personal data by persons not authorized to do so are taken. As well as taking measures to prevent theft, loss, etc. of equipment, electronic media, documents, etc. when handling personal data, including movement within the place of business, in the case of carrying such equipment, electronic media, etc., measures are taken so that personal data are not easily identified.

(6) Technological security control measures: Access control is implemented, and the persons in charge, the scope of personal information database, etc. to handle are limited. A mechanism to protect the information system to handle personal data from external unauthorized access or unauthorized software is introduced.

(7) Ascertaining the external environment: Security control measures are implemented after ascertaining the legal systems on protection of personal data of foreign countries where personal data is stored. In other cases where personal data is stored on servers established in foreign countries, security control measures are taken after ascertaining the legal systems on the protection of personal data of each country.

(8) Management of contractors: Upon entrustment, contractors properly handling personal data are selected, and arrangements are made concerning the necessary matters so that contractors may conduct proper management. In the event of a personal data breach or violation, the Company will take remedial measures and, where required, notify competent authorities. In addition, where required by applicable law, the Company will notify Data Subjects (e.g., for violations involving location data and biometric data) within the legally required timeframe and retain breach records for the legally required period.

 

8. Rights of Data Subjects

Data Subjects hold multiple legal rights to personal data stored by the Company. These rights may change depending on the Personal Data Protection Laws applied to the Data Subjects’ locations and the relationship with the Company, and may typically include the following:

(1) Right to obtain information on the processing of related personal data, and the right to access related personal data held by the Company;

(2) Right to demand that the Company make corrections where related personal data are inaccurate or incomplete;

(3) Right to demand that the Company erase related personal data under certain circumstances;

(4) Right to demand that the Company restrict the processing of personal data by the Company under certain circumstances;

(5) Right to object to the Company regarding the processing of related personal data;

(6) Right to demand that personal data be received in structured, generally used, and machine-readable form, and/or to demand that the Company directly transfer to the recipients their personal data within a scope that is technically feasible (so-called data portability rights); and

(7) Right to withdraw consent to the processing of related personal data at any time.

The Company will establish procedures, processes, and templates to respond to and implement Data Subjects’ rights within the timelines prescribed by applicable law (including response/implementation timelines and allowable extensions where coordination with processors/third parties is required).

Data Subjects may exercise their rights by contacting the Company at the contact address stated in the Point of Contact for Personal Information Protection Consultation Contact provided below. In the case where it is considered that the Company has infringed any Data Subjects’ rights, a complaint may be lodged with the competent data protection authorities.

      Address: Room 305, 3F, Techno Center, Thang Long Industrial Park, Thien Loc Commune, Hanoi, Vietnam
      Kurita-GK Vietnam Co., Ltd.
      Personal Information Protection Office
      Email: [email protected]

 

9. Use of Cookies on the Website

Cookies function to store information about the Data Subjects having accessed websites on devices that may be connected to the Internet such as computers, tablets, and smartphones.

The Company may use Cookies to improve the content of services such as those for the website and emails. Information collected through cookies does not include emails and names that may identify individuals, etc. Where required by applicable law, the Company will provide appropriate cookie/technology consent choices and retain records of such consent.

Users may refuse the Company’s use of Cookies by refusing to receive Cookies by altering the settings of the Internet browser software. However, there may be incidences of restrictions such as not being able to use some functions such as customized functions. In such cases, please consult with the Point of Contact for Personal Information Protection Consultation stated in preceding clause 8.

 

10. Personal Data Retention Period

The retention period of personal data shall be each country’s statutory retention period or the period necessary to achieve the purpose of use above, where there is no statutory retention period. After such retention period, personal data shall be deleted promptly and securely, unless required in connection with the purpose of the agreement or other processing. The Company will also retain records required by applicable law (including, where applicable, retained consent evidence and breach records) for the legally required periods.

 

11. Change in Privacy Policy

The Company may revise all or part of this privacy policy.

Date of establishment: July 1, 2024

Date of last revision: March 30, 2026