CANDIDATE PERSONAL DATA PROTECTION POLICY
1. OBJECTIVE
– This policy explains how Hoan My Medical Corporation and its Hospitals/Clinics/Subsidiaries collect, use, disclose, transfer, and process candidates’ personal data in the course of business operations, in compliance with applicable personal data protection laws.
2. SCOPE & APPLICABILITY
– This Policy applies to Hoan My Medical Corporation and all Hospitals/Clinics/Subsidiaries.
– Employees of Hoan My are responsible for the collection, processing, storage, and utilization of candidates’ personal data.
– All candidates applying for any position at Hoan My (including full-time, probationary, trainees, interns, contractors, consultants and third-party referrals).
3. DEFINITIONS & ABBREVIATIONS
– Hoan My includes Hoan My Medical Corporation, and all Hospitals/Clinics/Subsidiaries.
– Personal data refers to data in the form of symbols, letters, numbers, images, sounds, or similar formats in electronic environments that is associated with a specific individual or helps to identify a specific individual. Personal data includes both general personal data and sensitive personal data, as defined under the Legal Regulations on Personal Data Protection and any amendments or supplements thereto from time to time.
– General personal data includes: Last name, middle name and first name, other names (if any); Date of birth; Gender; Place of birth, registered place of birth, place of permanent residence, place of temporary residence, current place of residence, hometown, contact address; Nationality; Personal photos; phone number; identity card number, personal identification number, passport number, driver’s license number, vehicle registration plate number, personal tax code, social insurance number, health insurance card number; Marital status; Data on family relationships (such as parents and children); Digital account information; Personal data that reflects activities and activity history in cyberspace; Data associated with an individual or used to identify an individual, excluding sensitive personal data.
+ Examples in recruitment context: Full name, date of birth, gender, email address, phone number, personal photos attached to the application, education background, diplomas/certifications, professional and language skills, work experience, Identification number/passport number, professional license number, current job title, curriculum vitae (CV), personal photo, images and recordings captured by surveillance systems installed at Hoan My’s premises, and any other basic personal data voluntarily provided by the candidate as part of their application form, CV, or other supporting documents (collectively referred to as the “Application for employment”) during the recruitment process.
– Sensitive personal data refers to personal data in association with individual privacy which, when being infringed, will directly affect an individual’s legal rights and interests, including: political and religious opinion; health condition and personal information stated in health records (excluding information on blood group); data relating to racial or ethnic origin; data concerning inherited or acquired genetic characteristics of the candidate; data regarding physical attributes and unique biological traits; data concerning an individual’s sex life or sexual orientation; criminal data or information on criminal acts collected and stored by law enforcement agencies; data on accounts and transactions at credit institutions, bank branches, or providers of intermediary payment services; location data of the individual as determined by geolocation services; and any other types of personal data specified by law as sensitive and requiring enhanced protection measures.
+ Examples in recruitment context: Candidate health-related data such as medical condition, weight, height, and any other relevant health information. This may be reflected in the candidate’s medical certificate and/or health check results, used to assess the candidate’s suitability and qualification for employment at Hoan My. Other examples include income information, previous salary history, biometric data (if applicable), such as fingerprints or facial recognition via Face ID, and racial or religious information as indicated on copies of ID cards or citizen identification cards.
Note: Data that has been stripped of personally identifiable details may still be considered personal data if it contains information that could reveal an individual’s identity, or if it can be easily re-identified, such as when the data is disclosed in a context involving a small number of individuals.
– Personal data protection is the prevention, detection, and handling of violations related to personal data, as prescribed by law.
– Personal data processing refers to one or more activities involving personal data, including but not limited to: collection, recording, analysis, verification, storage, modification, disclosure, combination, access, retrieval, recovery, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction, or any other related actions.
4. PRINCIPLES & RULES
4.1. Collecting personal data
– By submitting an application or curriculum vitae (CV), the candidate confirms that the personal data provided is their own (which may include personal data related to their business activities), or that they have notified and obtained the lawful consent of any relevant third parties (e.g., referees). Where third-party personal data is provided, the candidate ensures that the collection and disclosure of such data fully comply with applicable laws and regulations. The candidate agrees that Hoan My has the right to process such data in accordance with the terms set out in this Candidate Personal Data Protection Policy.
– The candidate represents and warrants that the personal data provided is complete, accurate, truthful, and lawful at the time of submission.
– In all cases, Hoan My will ensure that only personal data necessary and appropriate for the purposes specified in Section 4.3.1 is retained.
4.1.1. Candidates’ personal data
– Directly from the candidate: Hoan My typically collects candidates’ personal data directly from the candidates themselves, such as when they contact, correspond with, or interact with Hoan My via email or in person. For example, Hoan My may collect a candidate’s personal data when the candidate applies for a job position either online or in person.
– Referrals: Hoan My may also collect a candidate’s personal data from other individuals, such as its employees, in cases where the candidate is referred.
– Third parties: Hoan My may additionally collect a candidate’s personal data from public online sources (e.g., LinkedIn, etc.), third-party service providers (e.g., personality/aptitude assessment vendors), recruitment agencies, hospitals, court decisions, or decisions issued by competent authorities.
4.1.2. Referee’s Personal Data
– Hoan My may collect personal data of referees (e.g., full name, contact information, job title, and relationship to the candidate) if such information is provided by the candidate as part of their job application.
4.2. Storing personal data
– Hoan My retains candidates’ personal data for as long as necessary to fulfill its contractual obligations or to provide services to the candidate, for an indefinite period unless otherwise agreed in writing with the candidate or as required or permitted by applicable law.
– Where Hoan My processes candidates’ personal data in connection with legal obligations, such data will be retained for the legally required retention period in accordance with applicable laws.
– Hoan My only processes candidates’ personal data with their consent. Personal data will be deleted, destroyed, or anonymized in accordance with the requirements and conditions set out by applicable laws.
– Hoan My may retain a candidate’s personal data even after the legal relationship between the candidate and the Corporation has ended, in order to comply with its legal obligations as prescribed by law and/or as required by competent authorities.
4.3. Processing personal data
– Hoan My is committed to processing candidates’ personal data in a lawful manner, in accordance with the candidate’s consent and applicable legal regulations, while fully meeting Hoan My’s data security standards.
4.3.1. Purpose of processing personal data
a. Candidate’s consent
– Hoan My processes candidates’ personal data that may be provided to the Corporation through the Application Form or during the recruitment process, such as health-related information, for the purpose of assessing the candidate’s qualifications and eligibility.
– By submitting the Application Form, the candidate confirms that they have read, understood, and agreed to allow Hoan My full rights to collect and use their personal information and data for legitimate purposes related to the recruitment process and other lawful purposes of Hoan My from time to time, including but not limited to:
+ Assessing the candidate’s eligibility and suitability for the position;
+ Storing candidate records for future recruitment needs;
+ Conducting reporting, statistical analysis, and complying with legal obligations and internal regulations.
– The candidate may withdraw their consent at any time in writing; however, such withdrawal may affect their ability to continue participating in the recruitment process.
b. Necessity for recruitment
– Hoan My collects and processes candidates’ personal data in order to facilitate their application for a position at Hoan My. Candidates may submit their applications in any form or by any means, such as sending their application form to Hoan My via email and/or physical address, submitting it directly to any responsible employee of the Corporation, delivering their CV in person at Hoan My’s office, or via online recruitment portals or through recruitment agencies.
– Hoan My collects and processes candidates’ personal data to arrange necessary interviews and assessments to evaluate and determine the candidate’s qualifications, suitability, and eligibility to work at Hoan My.
– In cases where personal data is processed on the legal basis of necessity for the performance of a contract, failure to provide required or necessary personal data may result in Hoan My being unable to process the application, in whole or in part, or to fulfill other requirements related to the recruitment process.
c. Legal obligations
– Hoan My collects and processes candidates’ personal data in order to comply with applicable laws or regulations, as well as to comply with orders from courts, competent authorities, and/or government agencies.
– In cases where personal data processing is based on legal obligations as the lawful basis, failure to provide required or necessary personal data may result in Hoan My being unable to proceed with or carry out any part of the recruitment process. Furthermore, it may lead to violations of applicable laws, regulations, or orders issued by courts, competent authorities, and/or government agencies by either Hoan My and/or the candidate.
d. Legitimate interests
– Hoan My collects and processes candidates’ personal data in order to contact and communicate with candidates throughout the recruitment process.
– Hoan My collects and processes candidates’ personal data to carry out identification and verification procedures, as well as for other administrative and management tasks related to the recruitment process. These include, but are not limited to, contacting referees whose contact information was voluntarily provided by the candidate.
– Hoan My collects and processes candidates’ personal data to prevent, detect, and deter fraud, legal violations, or other criminal activities, and to protect the assets, personnel, rights, and interests of Hoan My. This includes processing images and movements of candidates recorded by video surveillance cameras installed at Hoan My’s premises.
– Hoan My collects and processes candidates’ personal data to retain the candidate’s Application Form and any other personal data voluntarily provided during the recruitment process in its records, in the event of any future job opportunities that Hoan My determines to be potentially suitable for the candidate’s qualifications and capabilities. In such cases, Hoan My will process the candidate’s personal data to contact and communicate with the candidate regarding the opportunity.
– Hoan My collects and processes candidates’ personal data for the purpose of recruiting for the position applied for or for other roles that match the candidate’s capabilities and professional qualifications, as well as for documentation of the selection process.
– Hoan My collects and processes candidates’ personal data for the negotiation, planning, or execution of necessary activities related to the restructuring of Hoan My’s business operations (if any).
– Hoan My collects and processes candidates’ personal data for other activities of the Hoan My in accordance with applicable laws.
e. Legal complaints and disputes
– Hoan My collects and processes candidates’ personal data when necessary for the establishment, exercise, or defense of the Corporation’s legal claims or disputes.
f. Outbound transfer and share personal data
– Hoan My will implement necessary security measures to ensure the secure transfer or sharing of candidates’ personal data to:
+ Parties involved in the personal data processing as defined in Section 4.3.2 of this Policy;
+ Competent governmental authorities.
– Hoan My may regularly transfer candidates’ personal data to its parent companies, subsidiaries, affiliates, and in certain cases, to third parties (e.g., contractors, service providers) located outside of Vietnam, where data protection standards may differ from those applicable in Vietnam. Nonetheless, Hoan My ensures that candidates’ personal data is protected by implementing adequate personal data protection safeguards during any cross-border transfers. The Corporation also ensures that any organization to which the candidate’s personal data is disclosed will implement adequate data protection standards.
– By providing personal data and continuing to use Hoan My’s services, the candidate expressly acknowledges and consents to the sharing, transferring, and/or cross-border transfer of their personal data as described above.
4.3.2. Parties involved in personal data processing
Candidates’ personal data is collected and processed for the specific purposes outlined in this Policy and is treated with the highest level of confidentiality, prioritizing the interests of the candidate. Hoan My may disclose candidates’ personal data for purposes related to recruitment and potential employment to the following authorized parties:
– Companies, organizations within Hoan My, including hospitals, clinics, and affiliated entities under its management.
– Service providers, contractors, and partners of Hoan My, including but not limited to: recruitment service providers/contractors, human resource suppliers, agents, recruitment consultants, hospitals, and entities providing personality/aptitude testing services. These parties are also obligated to protect the data shared with them.
– Competent government agencies, judicial authorities, or other legally authorized organizations as required by law, or to protect the legitimate rights and interests of Hoan My.
– In certain necessary cases, Hoan My may transfer candidates’ personal data to affiliates, parent companies, or service providers located in other countries.
4.3.3. Duration of personal data processing
– Personal data is processed from the moment Hoan My receives the candidate’s personal data and has an appropriate legal basis for processing such data in accordance with applicable laws.
– For unsuccessful candidates, Hoan My will retain the candidate’s resume and personal data provided during the recruitment process for six (06) months after the conclusion of the recruitment process, unless otherwise required by law. After this period, Hoan My will securely delete or destroy the candidate’s personal data.
– For successful candidates, Hoan My will transfer the candidate’s personal data, including sensitive personal data, provided during the recruitment process into the Corporation’s employee records. The retention period for such personal data will be governed by the Employee Personal Data Protection Policy, which will be provided to the candidate upon completion of the recruitment process.
4.4. Rights and obligations of candidates regarding their personal data
4.4.1. Rights
– Candidates have the right to:
+ Provide, request updates, corrections, or deletion of their personal data;
+ Withdraw consent for Hoan My to process their personal data;
+ Restrict or object to the collection, storage, and use of their personal data, unless otherwise mandated by law.
Note: The exercise of these rights may be limited if legal obligations require Hoan My to retain certain data. Should a candidate choose to proceed, Hoan My will undertake the lawful procedures necessary to address the request under applicable legal frameworks and internal policies. Candidates should be aware that exercising these rights may adversely affect their recruitment process.
– Other rights as provided by law.
4.4.2. Obligations
– Candidates are obligated to provide honest, accurate, and complete personal information to Hoan My. In the event of any changes to the personal data provided, candidates must proactively contact the Human Resources Department of Hoan My to ensure timely updates, in order to comply with legal regulations and maintain the normal operations of Hoan My
– Candidates are responsible for the authenticity and accuracy of any information or data they submit online. They shall bear full responsibility in the event their personal data is leaked or compromised due to their own fault.
4.5. Force majeure/unforeseen circumstances
– Hoan My employs various information security technologies to protect personal data from unauthorized access, use, or sharing. However, no data can be guaranteed to be absolutely secure. Therefore, Hoan My cannot guarantee absolute security of candidates’ personal data in certain situations such as:
+ Hardware or software failures during data processing resulting in data loss;
+ Security vulnerabilities beyond Hoan My’s control, including third-party cyberattacks causing data breaches;
+ Candidates themselves disclosing their personal data due to carelessness or fraud, accessing websites/downloading applications containing malware, or voluntarily providing data to outside parties.
– Candidates should be aware that any time they disclose and publicly share their personal data, such data may be collected and used by others for purposes beyond the control of both the candidate and Hoan My.
– For certain online services provided by Hoan My, candidates are advised to keep confidential their login information, account credentials, OTP codes, and not share these with anyone else.
– Candidates should safeguard their electronic devices during use. They should lock, log out, or exit their accounts on websites or related applications when they no longer need to use them.
– In the event that Hoan My becomes aware of a third-party attack on its data storage servers resulting in loss of candidates’ personal data, the Corporation will be responsible for promptly notifying the relevant authorities for investigation and resolution, and informing affected candidates.
5. RISK RATE
| The importance of a timely amendment | Risk Rating | ||
| Minor 3 | Moderate 2 | Major 1 | |
| X | |||
6. IMPLEMENTATION
– This Policy takes effect from 30/08/2025.
– Hoan My may amend, modify, or update this Policy from time to time. Such updates will be published directly on Hoan My’s official website at: www.hoanmy.com.
– The amended Policy will take effect from the date of publication, unless otherwise specified in the Policy. By continuing to participate in the recruitment process of Hoan My after the Policy has been updated, the candidate is deemed to have agreed to and accepted all revisions to the Policy, including any expanded purposes related to the collection of their personal data.
– This Policy also serves as the personal data processing notice and the cross-border data transfer notice in accordance with applicable laws.
7. REFERENCE DOCUMENTS
– Decree No. 13/2023/NĐ‑CP dated April 17, 2023 of the Government, on “Personal Data Protection”, took effect on July 1, 2023.
– HMC-HR-PL-01.F02 Application for employment.
8. ANNEX
– Not applicable