Tokio Marine Insurance Vietnam Company Limited (hereinafter referred to as “TMIV”) is committed to protecting the privacy of our valued customers in accordance with relevant legislation & recognize the importance of the personal data you have entrusted to us and believe that it is our responsibility to properly manage, protect and process your personal data.

This Data Protection Policy is designed to assist you in understanding how TMIV collect, use, disclose, and/or process the personal data you have provided to TMIV, as well as to assist you in making an informed decision before providing TMIV with any of your personal data.

If you, at any time, have any queries on this policy or any other queries in relation to how TMIV may manage, protect and/or process your personal data, please do not hesitate to contact our Personal Data Protection Unit at:

Via email: welisten@tokiomarine.com.vn

Via post: Personal Data Protection Unit - Compliance Department

Tokio Marine Insurance Vietnam Company Limited

6th Floor, Sun Red River Building,

Cua Nam Ward, Hanoi, Vietnam

1. This Personal Data Protection Policy constitutes an integral and inseparable part of the agreements, terms, and conditions governing the relationship between Customers and TMIV and/or companies affiliated with TMIV (hereinafter collectively referred to as “TMIV”).

2. TMIV upholds, respects, and endeavors to protect the privacy, confidentiality, and information security of each individual through full compliance with applicable laws and regulations on personal data protection.

TMIV only collects, processes, and stores Customers’ personal data in compliance with applicable laws and within the scope of the agreement(s) between TMIV and Customers.

3. By providing TMIV with the personal data of a third party (including but not limited to: information of dependents, related persons as prescribed by law, spouse, children and/or parents and/or guardians, friends, referees, beneficiaries, authorized persons, partners, emergency contacts, or other individuals of the Customer), the Customer represents, warrants, and undertakes full responsibility that the Customer has obtained the lawful consent of such third party for the processing of their personal data and has duly informed such third party that TMIV is the personal data processor for the purposes set out in this Policy.

4. Depending on TMIV’s role in each specific circumstance as (i) a Personal Data Controller; (ii) a Personal Data Processor; or (iii) a Personal Data Controller and Processor, TMIV shall exercise the corresponding rights and fulfill the respective obligations in accordance with applicable laws and regulations.

5. This Policy shall prevail and take precedence in the event of any conflict or inconsistency with any agreements, terms, and conditions governing the Customer’s relationship with TMIV, whether such agreements, terms, and conditions were entered into before, on, or after the date on which the Customer accepts this Policy. 

II. DEFINITIONS AND INTERPRETATION

1. “Personal data” refers to digital data or information in other forms that identifies or assists the identification of a specific individual, including basic personal data and sensitive personal data. Personal data, once de-identified, is no longer considered personal data.

2. “Basic personal data” includes:

- Surname, middle name, and given name at birth; other names (if any);

- Date of birth; date of death or missing;

- Gender;

- Place of birth; place of birth registration; place of permanent residence registration; place of temporary residence registration; current place of residence; hometown; contact address;

- Nationality;

- Images of the individual;

- Phone number; personal identification number; passport number; driver’s license number; vehicle registration plate number;

- Marital status;

- Information on family relationships (parents, children, spouse);

- Information on the individual’s digital accounts;

- Other information associated with a specific individual or capable of identifying a specific individual, other than the sensitive information.

3. Sensitive personal data includes:

- Data revealing racial origin or ethnic origin;

- Opinions on politics, religion, and belief;

- Information on private life, personal secrets, and family secrets;

- Health status;

- Biometric data and genetic characteristics;

- Data revealing an individual’s sexual life or sexual orientation;

- Data on crimes and violations of law collected and stored by law enforcement agencies;

- Location data of individuals determined through positioning services;

- Login names and passwords for access to individuals’ electronic identification accounts; images of ID cards, citizen ID cards, or 9-digit ID cards;

- Login names and passwords for access to bank accounts; bank card information; data on transaction history of bank accounts; financial and credit information and other information relating to financial activities and transaction history, securities, and insurance of clients at credit institutions, foreign bank branches, intermediary payment service providers, securities institutions, insurers, and other authorized organizations;

- Data monitoring behavior and activities related to the use of telecommunications services, social networks, online communication services, and other services in cyberspace;

- Other personal data that are required by law to be kept confidential or to which strict confidentiality measures must be applied.

4. “Personal data processing” refers to activities impacting personal data, including one or more of the following: collection, analysis, summary, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer of personal data, and other activities impacting personal data.

5. Customer(s)” means Personal Data Subjects whose personal data has been, is being, and/or will be controlled and processed by TMIV.

6. “Tokio Marine Insurance Group” includes companies within the Tokio Marine Group (hereinafter collectively referred to as “TM GC”) or third parties with whom TM GC has entered into subcontracting arrangements to provide specific services to TMIV, and such entities may be located outside the territory of Vietnam.

For the avoidance of doubt, any terms not defined in this Article shall be interpreted and applied in accordance with the laws of Vietnam.

III. PURPOSES FOR COLLECTION, USE, DISCLOSURE, AND PROCESSING OF PERSONAL DATA

The personal data which TMIV collects from you may be collected, used, disclosed and/or processed for various purposes, depending on the circumstances for which TMIV may/will need to process your Personal Data, including:

- Considering whether to provide you with the insurance you applied for. This includes TMIV considering your application for a policy with TMIV and another Insurer considering your application (whether now or in the future) for a policy with that Insurer (“Insurer” means any insurer or company operating insurance business in Vietnam).

- Processing your application for underwriting and insurance. This includes dealing with your application with TMIV and any other application that you may make (whether now or in the future) with another Insurer;

- Administering and/or managing your relationship, account, and/or policy with TMIV including but not limited to accounting and dealing with or collecting of any outstanding amounts from you;

- Processing and/or dealing with any claims including the settlement of claims and any necessary investigations relating to the claims, under your policy or policies, whether such policy is issued by TMIV or another Insurer;

- Carrying out due diligence or other screening activities (including background, anti-money laundering (AML), and “know-your-client” checks) in accordance with legal or regulatory obligations or risk management procedures that may be required by law or that may have been put in place TMIV, whether for any policy with TMIV or a policy with another Insurer;

- Carrying out your instructions or responding to any inquiries by you;

- Conducting research, analysis, and development activities (including but not limited to data analytics, surveys (such as insurance surveys, customer service surveys), product and service development, and/or profiling) to improve our services or products and/or to enhance the product or service for your benefit.

- Dealing in any matters relating to the services and/or products which you are entitled to under any policy with TMIV and/or dealing in any matters relating to any policy with TMIV, which you are applying for or have applied. This includes but is not limited to contacting you or communicating with you via phone/voice call, text message and/or fax message, email and/or postal mail for the purposes of administering and/or managing your contractual relationship with TMIV such as but not limited to communicating with you on matters related to your policy with TMIV. You acknowledge and agree that such communication by TMIV could be by way of the mailing of correspondence, documents, or notices to you, which could involve the disclosure of certain personal data about you to bring about delivery of the same as well as on the external cover of envelopes/mail packages; 

- Investigating fraud, misconduct, any unlawful action or omission, whether relating to your application, your claims, or any other matter relating to your policy or policies, whether such policy is issued by TMIV or another Insurer, and whether or not there is any suspicion of the aforementioned.

- Storing, hosting, and backing up (whether for disaster recovery or otherwise) of your personal data, whether within or outside Vietnam.

- Complying with applicable law in administering and managing your relationship with TMIV.

- If you have so consented, sending you marketing, advertising and promotional information about other insurance, investment and/or financial products and/or services that TMIV may be selling or marketing, whether now or in the future, and which TMIV believe may be of interest or benefit to you (the “Marketing Purpose”), by way of the modes of communication as consented by you;

- Any other purposes which TMIV notify you of at the time of obtaining your consent.

(Collectively, the “Purposes”)

As the purposes for which TMIV may/will collect, use, disclose or process your personal data depend on the circumstances at hand, such purpose may not appear above. However, TMIV will notify you of such other purpose at the time of obtaining your consent, unless processing of your personal data without your consent is permitted by this Policy or by law.

IV. PERSONAL DATA PROCESSING ACTIVITIES

1. Collection of personal data

In order for TMIV to perform the rights and obligations of the Customer and TMIV under any contract/agreement/arrangement and/or to provide products and services to the Customer and/or to process the Customer’s requests, TMIV may need to and/or be required to collect personal data, including: (i) basic personal data and (ii) sensitive personal data relating to the Customer and the Customer’s related individuals.

TMIV may collect such personal data directly or indirectly from the Customer when the Customer makes a request, from one or more of the sources listed below, including but not limited to:

- Through the relationship established between TMIV and the Customer upon the execution of any contract/agreement/arrangement and/or the Customer’s use of TMIV’s products and services and/or participation in TMIV’s lawful programs and activities;

- From co-insurers, reinsurers, agents, brokers, suppliers, service providers, partners, affiliates, and other third parties related to TMIV’s business operations;

- From third parties having a relationship with the Customer, such as employers, co-account holders, guarantors, providers of security measures, and transaction counterparties;

- From the Insurance Supervision and Administration Authority under the Ministry of Finance or other competent authorities in Vietnam.

- From the analysis of the Customer’s activities during the course of using TMIV’s products and services;

- From third-party sources to which the Customer has consented to the sharing/provision of personal data, or from sources where such collection is required or permitted by applicable laws.

2. Transfer and Disclosure of Personal Data

For the purposes of achieving the objectives and carrying out the personal data processing activities set out in this Policy, TMIV may disclose the Customer’s personal data or the personal data of third parties related to the Customer to one or more of the following parties:

- Companies and/or organizations within the TOKIO MARINE INSURANCE GROUP;

- Partners, agents, branches, affiliated companies of TMIV, intermediary service providers, and other third parties, whether domestic or foreign, that are related to any products or services provided by TMIV to the Customer;

- Competent state authorities in Vietnam or third parties to whom TMIV is permitted or required to disclose information in accordance with applicable laws;

- The Insurance Supervision and Administration Authority under the Ministry of Finance, or any other authority or organization having jurisdiction over TMIV.

- Any individuals involved in the enforcement or exercise of, or compliance with, any rights or obligations under the agreement(s) between the Customer and TMIV;

- Third parties to whom the Customer has given consent, or with whom TMIV is legally permitted or required to share the

3. Customer’s personal data.

On the other hand, TMIV shall treat the Customer’s personal data as private and confidential. Except for the parties mentioned above, TMIV shall not disclose the Customer’s data to any other party, except in the following cases:

- Where disclosure is required or permitted by applicable laws or regulations;

- Where the purpose of such disclosure is clearly in the interests of the Customer and it is not practicable to obtain the Customer’s consent in a timely manner;

- Where such disclosure is necessary to respond to an emergency that threatens the life, health, or safety of the Customer or any other individual;

- Where such disclosure is necessary for any investigation or legal proceedings;

- Where personal data is disclosed to any officer of a law enforcement agency, provided that such agency produces a written authorization signed by the head or director of such law enforcement agency or a person of equivalent rank, confirming that such personal data is necessary for the performance of the duties of such officer;

- Where disclosure is made to any governmental authority and such disclosure is necessary in the public interest; and/or

-  Where TMIV transfers its rights and obligations under the agreement(s) between the Customer and TMIV;

-  Where disclosure is permitted by law without the consent of the Customer.

Where TMIV discloses the Customer’s personal data to a third party with the Customer’s consent, TMIV shall use its best efforts to ensure that such third party protects the Customer’s personal data.

4. Processing of Personal Data in Certain Special Cases

TMIV may record audio, video, and process personal data collected through surveillance cameras (“CCTV”) installed in areas under CCTV monitoring, in compliance with security requirements for TMIV’s operations and for the Customer in accordance with applicable laws. However, TMIV shall ensure that appropriate notice is provided to the Customer in accordance with the requirements of applicable laws.

5. TMIV always respects and protects children’s personal data. In addition to the personal data protection measures prescribed by law, prior to processing children’s personal data, TMIV shall verify the child’s age and obtain the consent of the child (from full 7 years of age and above) and the child’s parent(s) or legal guardian in accordance with applicable laws.

6. In addition to complying with other relevant legal requirements, for the processing of personal data relating to a person who has been declared missing or deceased, TMIV shall obtain the consent of one of the relevant persons in accordance with applicable laws.

V. CROSS-BORDER TRANSFER OF PERSONAL DATA

1. In order to perform the purposes of processing, TMIV may provide/share the Customer’s personal data with related third parties (such as international re-insurers or the parent company) located outside the territory of Vietnam. 

2. When transferring personal data abroad, TMIV commits to completing the Personal Data Transfer Impact Assessment dossier as required by the Ministry of Public Security. TMIV will require the recipient to ensure data security through contractual commitments complying with Vietnam's data protection standards.

VI. RIGHTS AND OBLIGATIONS OF THE CUSTOMER IN RELATION TO PERSONAL DATA PROVIDED TO TMIV

1. The Customer shall have the following rights: (i) Right to be informed; (ii) Right to consent; (iii) Right to access; (iv) Right to withdraw consent; (v) Right to data deletion; (vi) Right to restriction of processing; (vii) Right to data portability; (viii) Right to object to processing; (ix) Right to complain, denounce, or lawsuit; (x) Right to claim damages; (xi) Right to self-protection; and (xii) Right to request explanation and object to automated decisions that negatively affect the Customer’s insurance benefits. 

2. To the extent permitted by applicable law, the Customer may exercise his/her rights by contacting TMIV using the contact details provided at the beginning of this Policy.

3. TMIV shall, using reasonable efforts, process legitimate and valid requests from the Customer within the statutory time limits from the receipt of a complete request and payment of any applicable processing fees (if any).

4. If the Customer withdraws consent for essential processing, TMIV may consider and decide not to continue providing products and services. Such an act shall be deemed a unilateral termination of the contract by the Customer. However, withdrawing consent for marketing purposes will not affect existing insurance benefits.

For security purposes, the Customer may be required to submit his/her request in writing or through other means in order to prove and verify his/her identity. TMIV may require the Customer to verify his/her identity before processing the Customer’s request.

VII. PERSONAL DATA SECURITY MEASURES 

1. TMIV considers the Customer’s personal data to be one of its most valuable assets and is committed to ensuring its confidentiality, security, and compliance with applicable laws. The protection of the Customer’s personal data is a mandatory obligation imposed by TMIV on all employees.

2. TMIV shall also implement reasonable security measures to ensure that the Customer’s personal data is adequately protected. Appropriate safeguards shall be adopted to prevent any unauthorized access, collection, use, disclosure, copying, modification, leakage, loss, damage, and/or alteration of the Customer’s personal data. However, TMIV shall not be liable for any unauthorized use of the Customer’s personal data by third parties where such use arises entirely from factors beyond TMIV’s control.

3. In the event of a personal data breach (including cybersecurity incidents or data leakage), TMIV undertakes to notify the Customer and the competent personal data protection authority (the Ministry of Public Security) within 72 hours from the time the incident is detected, in order to coordinate handling of such an incident.

VIII. DATA STORAGE

1. TMIV stores the Customer's personal data for the period necessary to fulfill insurance purposes and according to the Law on Insurance Business and Law on Accounting (typically 10 years after contract termination), unless a longer storage period is required by authorities.

2. The Customer’s personal data stored by TMIV shall be subject to the security measures set out in Article 7 of this Policy and shall comply with applicable laws and regulations.

IX. COMPLAINT PROCESS

1. If you have any complaint or grievance regarding how we are handling your personal data or about how we are complying with the PDPA, we welcome you to contact us with your complaint or grievance.

2. Please contact us with your complaint or grievance by sending it to the Personal Data Protection Unit as per the information provided in the beginning part.

3. Where it is an email or a letter through which you are submitting a complaint, your indication in the subject header that it is a personal data protection complaint would assist us in attending to your complaint speedily by passing it on to the Personal Data Protection Unit to handle. 

4. We will certainly strive to deal with any complaint or grievance that you may have speedily and fairly.

5. Nevertheless, you may lodge any complaint about this matter with competent regulators overseeing personal data protection.

X. UPDATES ON DATA PROTECTION POLICY

1. As part of our efforts to ensure that we properly manage, protect and process your personal data, we will be reviewing our policies, procedures, and processes from time to time.

2. We reserve the right to amend the terms of this Data Protection Policy at our absolute discretion. 

3. You are encouraged to visit our website from time to time to ensure that you are well informed of our latest policies in relation to personal data protection.

This Personal Data Protection Policy is issued in Vietnamese and translated into English. The Vietnamese version shall prevail in case of any discrepancy.