Agreement on Personal Data Processing and Protection

(Hereinafter referred to as the “Agreement”)

This Agreement applies to individuals who sign a labor contract, probationary contract, collaborator contract, apprenticeship contract, internship contract, on-the-job training contract, perform work as assigned/coordinated by a partner cooperating with AIRCLOSET ENGINEERING COMPANY LIMITED (Hereinafter referred to as the “Company”) in business production, and any individual who, through any form of contract, transacts, cooperates, and works with the Company (Hereinafter collectively referred to as the “Employee”).

Throughout the period from the time the Employee starts working at the Company until the contract concludes/terminates, the Company will need the Employee to share, provide, and permit the processing of necessary basic personal information at any time for the following purposes:
1. Establishing a labor management book to manage Employee information.
2. Concluding appropriate contracts for the job position the Employee performs while working at the Company.
3. Participating in compulsory social insurance, unemployment insurance, health insurance, and other types of insurance (if any).
4. Paying salaries, bonuses, implementing welfare policies, and settling personal income tax.
5. Other purposes consistent with current laws are to serve labor management within the enterprise.
6. Serving inspection and examination work, providing, and exchanging internal and external information of the Company related to labor use and management.
7. Meeting the Company's internal policy regulations.
8. Other activities as stipulated by law.

The shared information includes:
1. Information to verify the identity of the Employee, including the data subject's basic personal data and/or any other relevant information to the Employee. (Hereinafter referred to as “Personal Data”).
2. Information on the Employee's income, educational level, professional skills, past and present work/employment history.
3. Other information about the Employee's relatives, including full name, date of birth, and contact information. If information has been provided, the Employee has the obligation to cooperate in explaining, if necessary, their agreement to provide the information.

The Company acknowledges that, during the data processing process, the information shared and provided by the Employee, especially Personal Data, may result in unintended consequences and damages arising from violations of laws on information security, personal data protection, or from losses due to destruction, technical incidents, etc. The Company understands that implementing information security measures is one of its important responsibilities. Furthermore, with respect to personal data, the Company understands and agrees that the subject of the provided Personal Data will have all rights and obligations as stipulated by relevant laws and/or according to the Company's Personal Data Protection and Processing Policy. The Company will process Personal Data in strict compliance with the law and will only store and process Personal Data from the time it is provided until it is necessary for the determined purposes or when there is an agreement between the parties.

By this Agreement, the Company submits to the Employee the content of the Agreement on Personal Data Processing and Protection. This Agreement is intended to ensure the rights of the Personal Data subjects that the Company is authorized to collect from the Employee.

The Employee must carefully read and study the terms in this Agreement before deciding to sign and confirm their Agreement to this document. This Agreement serves as proof of the Employee's consent, allowing the Company to perform personal data processing activities (including information already held and information that will be held in the future) according to the conditions and terms of this Agreement..

If the Employee, for any reason, has not signed the confirmation of Agreement but continues to provide the data subject's Personal Data to the Company after the Agreement has been successfully sent to the Employee or the Employee has legally accessed the entire content of this agreement, it shall be understood that the Employee has no objection to the Company's processing of Personal Data. However, if the extension or delay in signing the confirmation of Agreement could lead to or pose a risk of legal violation or cause damage to the Company, the Company will apply measures as stipulated in Clause 2, Article 2 below to finalize the signing of the confirmation of Agreement.

This Agreement shall be understood, interpreted, and governed by the laws of Vietnam.

Article of Agreement on Personal Data Protection

Article 1: Definition of Terms

1. Basic Personal Data includes: Full name, middle name, and birth name, other names (if any); Date, month, year of birth; date, month, year of death or disappearance; Gender; Place of birth, place of birth registration, permanent residence, temporary residence, current address, hometown, contact address; Nationality; Personal image; contact information, personal identification document number, driver's license number, vehicle license plate number, personal tax code, social insurance book number, health insurance card number; marital status; Information on family relationships; bank account information; personal data reflecting activities, history of activities on cyberspace; and other information associated with a specific person or helping to identify a specific person that is not sensitive personal data.
2. Sensitive Personal Data is personal data associated with the privacy of an individual that, if violated, will directly affect the legitimate rights and interests of the individual, including: political views, religious views, health status and private life recorded in the medical record, excluding information on blood type, information related to racial origin, ethnic origin, information on genetic characteristics, physical attributes, biological characteristics of the individual, information on sexual life, sexual orientation of the individual, data on crimes, criminal acts collected and stored by law enforcement agencies, customer information of credit institutions, foreign bank branches, intermediate payment service providers, other authorized organizations, including: customer identification information according to the law, information on accounts, deposits, sent assets, transactions, information on organizations, individuals that are guarantors at credit institutions, bank branches, intermediate payment service providers, data on the location of the individual determined via positioning services, and other personal data stipulated by law.
3. Personal Data Protection is the activity of preventing, detecting, stopping, and handling violations related to personal data according to the provisions of law.
4. Personal Data Processing is one or more activities that affect personal data, such as: collection, recording, analysis, confirmation, storage, editing, publicizing, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction of personal data, or related actions.
5. Personal Data Recipient is the Company or another party authorized by the Company for the purpose of carrying out activities related to personal data protection and processing in accordance with the law.
6. Personal Data Provider is an individual or organization that provides personal data to the personal data recipient (understood to include the data subject).
7. Personal Data Controller and Processor is the Company, which also determines the purpose, means, and directly processes Personal Data.
8. Data Subject is the individual reflected by the personal data.
9. Data Subject's Consent is the clear, voluntary, and affirmative expression of permission to process the data subject's personal data or that of the party authorized by the data subject.
10. Transfer of Personal Data Abroad is the activity of using cyberspace, electronic equipment, means, or other forms to transfer the personal data of Vietnamese citizens to a location outside the territory of the Socialist Republic of Vietnam or using a location outside the territory of the Socialist Republic of Vietnam, including:
a. Organizations, enterprises, and individuals transferring data of Vietnamese citizens to an organization, enterprise, or management department abroad for processing in accordance with the purpose agreed upon by the data subject.
b. Processing the personal data of Vietnamese citizens using automated systems located outside the territory of the Socialist Republic of Vietnam by the personal data controller, personal data processor, in accordance with the purpose agreed upon by the data subject.
11. Third Party is an individual or organization other than the Personal Data Recipient and the personal data provider that is authorized to Process personal data according to current Vietnamese law, including but not limited to:
a. The parent company of AirCloset Engineering Co., Ltd. (Hereinafter referred to as the “Parent Company”), the contractors, and representatives of the Parent Company.
b. Auditors, tax/legal/accounting/insurance/health advisors, etc., of the Company or other partners providing services to the Company or the Parent Company.
c. Accounting software service providers and those who perform maintenance, upgrades, and warranties for that software.
d. Competent State agencies of Vietnam.
e. Partners cooperating with the Company to provide services and products within the Company's business scope.
f. Other third parties working at the request of Vietnamese law, orders from competent State agencies or courts, commercial arbitration, international arbitration centers, or at the Company's or Parent Company's internal request to serve the purpose of Personal Data Processing stated in this policy.
12. Party Transferring Data Abroad includes the Personal Data Controller and Processor, Personal Data Controller (if any), Personal Data Processor (if any), and Third Party (if any).
13. To avoid misunderstanding, in this agreement, the content recorded as “according to the provisions of law,” “according to current law,” “according to the Company's regulations” shall all be understood as according to the regulations at a specific point in time. The regulations may change according to changes in the law or the Company's separate decisions.
14. In this agreement, when a concept/definition is mentioned, it shall be understood to refer to one and/or simultaneously many concepts/definitions/actions as described in that definition/concept.

Article 2: General Principles when applying this agreement

1. This Agreement regulates the relationship between the Data Provider and the Company regarding the provision, processing, and protection of Personal Data during the Employee's work at the Company. This agreement is a prerequisite for the two parties to establish and maintain the relationship between the Company and the Employee.
2. The Data Provider must read the content carefully before signing the confirmation of Agreement. If the data provider has signed the confirmation of agreement, it means they have read, clearly understood, been fully explained, and voluntarily agreed to the content of this agreement. If the Data Provider, for any reason, has not signed the confirmation of Agreement but continues to provide the data subject's Personal Data to the Company after the Agreement has been successfully sent to the Data Provider or the Data Provider has legally accessed the entire content of this agreement, it shall be understood that the Data Provider has no objection to the Company's processing of Personal Data.
3. If the delay in signing the confirmation of agreement may cause or potentially cause/lead to a violation of law or cause damage to the Company/Third Party, the Company has the right to refuse to sign or terminate the Labor Contract, Work Contract, Cooperation Contract, and demand compensation for damages from the Employee (if any).
4. This Agreement has the same legal value as the contracts the Company has signed or will sign with the Data Provider regarding the Company's personnel use and management. Simultaneously, it is also the Company's legal notice to the Employee about Personal Data Processing.
5. This Agreement may be amended, supplemented, or replaced to comply with the law and the Company's regulations. Amendments, supplements, or replacements will be notified to the Employee. If the Employee does not agree with the amended, supplemented, or replaced content, the Company has the right to apply the processing options mentioned in Clause 2 of this article.
6. The Data Provider confirms that this agreement is signed voluntarily, after having carefully read and clearly understood the content of the agreement.
7. In case of conflict related to Personal Data Processing between this agreement and other contracts or written agreements, this agreement shall prevail.

Article 3: Commitments of the Data Provider

By signing this agreement, the Data Provider commits to:
1. Agree to allow the Company to perform one or simultaneously many Personal Data Processing activities, specifically:
a) Personal Data processed according to this agreement includes all Basic Data and Sensitive Data (if any) that the Company legally collects from any source of information, including but not limited to:
• Submitting personal files upon joining the company, declaring, providing information during the working process, and sending declaration forms/files containing Personal Data to the Company in any form.
• Obtained from the Company's partners during business operations.
• Obtained from a public information source.
• Obtained from third parties that the Data Provider has consented to collect personal data.
• Obtained from legal audio and video recording activities during the Company's business operations.
• Obtained from competent State agencies in accordance with the law.
• Obtained from other legal activities.
b) The Personal Data Processing is for the following purposes:
• Establishing a labor management book to manage Employee information.
• Concluding appropriate contracts for the job content when the Employee works at the Company.
• Participating in social insurance, health insurance, unemployment insurance, and other insurance contracts (if any).
• Paying salaries, bonuses, welfare policies, and settling personal income tax.
• Serving inspection and examination, providing, and exchanging internal and external information of the Company related to the use and management of labor.
• Fulfilling the Company's obligations to competent State agencies.
• Implementing and complying with the Company's agreements and contracts with third parties, partners, and parties having transaction relationships with the Company in accordance with the law.
• Detecting and preventing violations of law or serving the investigation of crime denunciation.
• Other activities consistent with the law or as required by law.
c) Personal Data Processing may be performed directly by the Company or through a Third Party. The Company has the right to independently select the Third Party according to the Company's needs.
d) The Data Provider agrees that the Third Party has rights and responsibilities equivalent to the Company in Personal Data Processing.
e) The Data Provider agrees to unconditionally and irrevocably authorize the Company to carry out the necessary procedures (if any) for personal data processing through a third party.
2. The Data Provider agrees and understands that the processing of personal data by the Company and the Third Party before the effective date of this Agreement is consistent with the law, is undisputed, and the Data Provider agrees to waive all rights to complain and sue the Company, and simultaneously grants full exemption from liability to the Company related to any disputes, complaints, or lawsuits arising from and related to the Personal Data Processing stipulated in this Agreement.
3. The Data Provider will cooperate with the company in updating amendments, supplements, and replacements in this Agreement and understands that the amendments, supplements, and replacements are consistent with the law and the Company's regulations. In case the Data Provider does not agree with the amendments, supplements, or replacements, the Company has the right to choose the processing options according to the regulations in this Agreement.
4. The Data Provider understands that the Personal Data Processing will be effective from the time the Company collects the data (regardless of whether this Agreement is effective or not) until:
• The Company or the Third Party terminates, restricts Personal Data Processing, or deletes Personal Data according to the duration, scope of use, and other content requested by the Data Provider under this agreement. Or,
• A competent State agency requests the termination of personal data processing. Or,
• Termination according to the provisions of law, whichever condition comes first.
5. The Data Provider has fully, clearly, and voluntarily agreed completely that Personal Data may be processed at any time without any other approval from themselves. The Company has the right but no obligation to notify the Data Provider about personal data processing, including the case of sensitive personal data processing (if any).
6. The Data Provider clearly understands that even though the Company has applied safety measures as committed in this Agreement and according to the Company's Personal Data Protection and Processing Policy, the Personal Data processing process may still encounter incidents beyond the Company's control despite the Company's efforts to prevent them. This includes but is not limited to force majeure events, system and technical infrastructure incidents of the company, or errors caused by a Third Party (if any) that could not be foreseen.
7. The Data Provider has clearly understood and agreed to all risks and legal consequences arising from any Data Subject whose data is declared and provided to the Company by the Data Provider, exercising their rights as a data subject mentioned in this Agreement.
8. The Data Provider is responsible for ensuring that the personal data they declare and provide to the Company during the transaction process is complete, accurate, and truthful.
9. For Personal Data declared and provided to the Company that is not the personal data of the Data Provider themselves, the Data Provider commits that at the time of declaration and provision, they have met all necessary conditions as stipulated by law to be able to declare and provide it, and the Company can perform the Personal Data Processing activity according to the regulations in this Agreement without having to perform any further activities, including but not limited to the following contents. Simultaneously, the Data Provider commits to being responsible for all consequences caused by the Data Provider failing to meet any necessary condition mentioned in this Clause.
• Obtaining the consent of the Data Subject.
• Being legally authorized or represented in accordance with the law.
• Personal data related to children aged 7 and over (if any) must have the consent of the child and the approval of the parents or legal guardian, unless the law stipulates otherwise.
• Personal data related to a person declared missing or deceased must have the approval of the spouse or adult child, or the parents of the Data Subject, unless the law stipulates otherwise..
10. The Data Provider is clearly aware and agrees that the Company has the right to refuse one or simultaneously many requests to exercise the Data Provider's rights under this Agreement when those requests do not meet or insufficiently meet the conditions according to the Company's regulations and/or those requests violate the law/pose a risk of violating the law/contain elements of fraud/abuse of the Data Provider's rights to carry out illegal actions and/or violate social ethics and fine customs. In addition, the Company also has the right to refuse to fulfill the Data Provider's requests in cases where the Company is exempt from the obligation according to the law.
11. The Data Provider is responsible for informing the data subject about the entire content of this agreement in cases where the Data Provider is not also the data subject.
12. The Data Provider will always be ready and at any time, create all necessary conditions and to the extent possible.
• Allow the Company to check the Data Provider's implementation and compliance with the regulations of this agreement and/or
• Support the Company in exercising its rights and obligations under the law
13. The Data Provider shall fully and accurately perform other rights and obligations as stipulated by law and the regulations in this Agreement.

Article 4: Commitments of the Company

By this Agreement, the Company commits to:
1. Notify and request the Data Provider's acceptance and consent before processing personal data in cases not stipulated in this agreement.
2. The Company is not required to notify and seek the Data Provider's acceptance and consent when processing personal data in the following cases:
• For the purpose of protecting the life and health of the Data Subject or another individual and/or
• Publicizing personal data in accordance with the law.
• At the request of a competent State agency in a state of emergency regarding national defense, national security, social order and safety, disaster, dangerous epidemic, and/or
• When there is a risk of threatening national security and defense, but not yet at the level of declaring a state of emergency, or for the purpose of preventing riots, terrorism, combating crime, and violations of law, according to regulations and/or
• For the purpose of fulfilling the Data Subject's obligations to a competent State agency, or related organizations or individuals in accordance with the law, or at the request of a competent State agency, and/or
• For the purpose of serving the activities of competent State agencies as stipulated by law..
3. The Company commits, to the extent of its capability, to apply appropriate organizational, technical, storage, and protection measures, ensuring the safety and security of personal data and preventing, combating loss, destruction, or damage due to incidents related to the system and equipment used for the company's Recruitment activities and maintaining these measures throughout the Personal Data Protection and Processing process.
4. The Company will require the Third Party to:
• Sign contracts, written agreements, and commitments with the Company regarding Personal Data Processing (if any).
• Perform the obligations of the Controller and Processor of data in accordance with the law and the Company's Personal Data Protection and Processing Policy.
• Promptly notify the Company and/or competent State agencies when detecting violations of personal data protection regulations and apply remedial measures.
• Delete and/or return all Personal Data to the Company after the contract or written agreement on Personal Data Processing is terminated.
5. The Company commits to fully perform the rights and obligations of the Personal Data Processor in accordance with the law and this Agreement.

Article 5: Withdrawal of Consent, Restriction, Objection to Personal Data Processing, Deletion of Personal Data (Hereinafter referred to as the “Request to Withdraw Consent”)

1. The Data Provider has the right to request the withdrawal of consent after having signed the confirmation of Agreement to this Agreement, during the process of participating in the Company's work procedure, or after the conclusion of work at the Company. The Company will implement the necessary procedures to comply with the requests to withdraw consent according to the duration, scope, and other content requested by the Data Provider if the Data Provider has fully and correctly followed the procedures for the Request to Withdraw Consent as stipulated in this Agreement.
2. The Company will only resolve Requests to Withdraw Consent that are carried out according to the procedure and fully meet all conditions stipulated in the Company's Personal Data Protection and Processing Policy, which has been publicly communicated to the Employee. In addition, Requests to Withdraw Consent must ensure all the following conditions are met:
a. The Request to Withdraw Consent is made only by the Data Subject, unless the law stipulates that it must be through a representative or authorization.
b. The Request to Withdraw Consent will not be met if one or simultaneously many of the following cases occur:
• The Request to Withdraw Consent is not permitted by law.
• Personal Data Processing is performed by a competent State agency or for scientific research, or statistics.
• Personal data has been publicized in accordance with the law.
• In a state of emergency regarding national defense, national security, social order, and safety, a major disaster, a dangerous epidemic, or when there is a risk of threatening national security and defense, but not yet at the level of declaring a state of emergency; preventing riots, terrorism, combating crime, and violations of law.
• Responding to an emergency that threatens the life, health, or safety of the Data Subject or another individual.
• If, in the Company's assessment, the Request to Withdraw Consent would potentially affect the integrity, safety, and security of the Company's business operations.
c. When submitting the Request to Withdraw Consent, the Data Subject has clearly understood the legal consequences as well as the risks that may occur/are potentially to occur that cannot be foreseen and commits to be responsible for all consequences and damages that occur (if any) from the action of the Request to Withdraw Consent.
d. Full and timely payment of all fees and taxes related to the Request to Withdraw Consent (if any), and providing sufficient valid documents as proof.
3. In case the request meets the conditions under Clause 2 of this article, the Company will implement the necessary procedures to comply with one or all Requests to Withdraw Consent within 72 hours from the time of receiving the valid request from the Data Subject, except for the following cases:
• The Company receives a response or acceptance from the Third Party to resolve the Request to Withdraw Consent later than 72 hours.
• Force majeure event.
• The Data Subject has not completed the obligation to compensate the Company for damages under Clause 5 of this article (if any).
• The Company has not completed the remediation of causes beyond its control regarding the system and technical infrastructure arising from a service provider's error or being compromised by a virus, hacker attack, malicious software, or any other intervention or network attack aiming to destroy or cause harm..
4. The Data Subject's Request to Withdraw Consent does not affect the legality of the Personal Data Processing that the Company and/or a third party performed before the Company and/or the third party complied with part or all of the request to withdraw consent.
5. Before performing and completing the required procedures under Clause 2 of this Article, the Data Subject must have the obligation to independently research the provisions of law, the Company's Personal Data Protection and Processing Policy, and simultaneously clearly and fully understand the legal consequences as well as their rights and obligations and those of the Company that may arise when the Data Subject requests to withdraw consent. In cases where the Company reasonably assesses that complying with one or all Requests to Withdraw Consent may lead to a violation of the law and/or cause unexpected damage, the Company has the right to consider and decide to unilaterally terminate the execution of one or all transactions with the Data Provider/Data Subject during the recruitment process, regardless of how far the two parties have progressed in that recruitment process and what contents they have exchanged/agreed upon..
6. The Data Subject must immediately and unconditionally compensate the Company for all damages suffered by the Company according to the payment method and request put forth by the Company.

Article 6: Provision of Personal Data

1. The Personal Data Subject is entitled to request the Company to provide their own personal data (hereinafter referred to as the “Request”).
2. The Company commits to comply with the Request if the data subject fully and correctly follows the regulations in the Personal Data Protection and Processing Policy that has been publicly communicated to the Employee.
3. The Company will provide the data to the requesting party within 72 hours from the time of receiving the valid request under Clause 2 of this Article, except for the cases stipulated in Clause 3, Article 5 of this Agreement.
4. The Company will not comply with the Request if doing so would cause or potentially cause one of the following cases to occur:
• The law does not permit the provision of personal data.
• Complying with the Request may threaten the life, health, or safety of another individual and/or cause harm to national defense, national security, or social order and safety.
• The Data Subject does not agree to provide, permit representation, or authorize the receipt of Personal Data.
• The Company assesses that there are signs of forgery/violation of law in the Request.

Article 7: Editing Personal Data

1. The Personal Data Subject:
• They are entitled to access to view and edit their personal data after it has been collected by the Company with consent, unless the law stipulates otherwise.
• In cases where direct editing is not possible, the Data Subject requests the Company to edit their personal data according to the regulations in Clause 2 below.
2. The Company proceeds to edit personal data after the Data Subject agrees. If it cannot be carried out, the Company notifies the Data Subject within 72 hours from the time of receiving the Request to edit personal data from the Data Subject.

Article 8: Termination of Cooperation

1. In cases where the Data Provider performs or fails to perform one or several actions leading to the Company's decision to terminate the labor contract/work contract, or terminate cooperation with the Data Provider, the Data Provider agrees that their action is a violation leading to the Company exercising the right of unilateral termination, regardless of whether the previous exchanges and agreements between the two parties mentioned that action or not.
2. In the case of such termination, the Company is not required to compensate or reimburse any amount to the Data Subject, and if the Data Subject causes damage to the Company, they must compensate according to regulations.

Article 9: Exemption from Liability

The Company is exempted from any liability, including the responsibility to pay compensation for damages, reimbursement, or any related costs for damages or losses suffered by the Data Provider arising from:

1. The Data Provider, for any reason, did not receive, access, read, implement, agree to, or update the notice(s) or changes regarding this Agreement and/or related to this Agreement that were publicly announced by the Company on communication channels, or notices that were successfully sent to the Data Provider through any form.
2. Suffering damage arising directly from the fault or violating act of a Third Party, which is beyond the Company's control.
3. The Company being unable to continuously, fully, and clearly update, post, and/or display the amended and supplemented contents of this Agreement due to:
• The Company carries out periodic or sudden system, technical infrastructure upgrade, maintenance, and upkeep activities.
• Other causes beyond the Company's reasonable control, including but not limited to cases where the Company's system and technical infrastructure encounter incidents arising from the fault of the Service Provider or the Company's system and technical infrastructure are compromised or harmed by viruses, spyware, adware, or any other intervention or network attack aiming to destroy.
4. The occurrence of force majeure events during the performance of obligations to the Data Provider, including but not limited to events such as natural disasters, fire, flood, earthquake, accident, disaster, epidemic, nuclear or radioactive contamination, war, civil war, insurrection, strike, riot, or due to carrying out the decision of a competent State agency that could not have been foreseen at the time of concluding this Agreement and other force majeure events, regardless of whether these events occur inside or outside Vietnam.
5. Other cases where the Company is exempted from liability according to the law.

Article 10: Governing Law and Dispute Resolution

1. This Agreement is understood and governed by the laws of Vietnam.
2. If negotiation and mediation are not possible, all disputes arising will be submitted for resolution at the Vietnam International Arbitration Centre (VIAC) next to the Vietnam Chamber of Commerce and Industry, according to the procedural rules of this center. The place of arbitration shall be Hanoi. The number of arbitrators shall be agreed upon by the parties. Arbitration costs shall be paid by the at-fault party.
3. Provisions not yet stipulated in this Agreement shall be applied according to the law and the Company's separate regulations.

Article 11: Effectiveness

This Agreement is effective from the date the Data Provider signs the confirmation of Agreement.