Data Processing Addendum
Decree No. 13/2023/ND-CP (PDPD)
Effective: April 2025 · Version 1.0
| Relationship to the global Privacy Policy |
This Addendum supplements and forms part of Dialogg's global Privacy Policy (available at dialogg.ai/privacy-policy). It applies exclusively where Dialogg processes personal data of individuals located in Vietnam ('Vietnamese Data Subjects'), whether directly or on behalf of an enterprise client deploying the Dialogg Platform to Vietnamese end-users. In the event of conflict between this Addendum and the global Privacy Policy, this Addendum prevails for Vietnamese Data Subjects. |
|---|
A1. Applicable Law
This Addendum implements Dialogg's obligations under:
- Decree No. 13/2023/ND-CP on Personal Data Protection ("PDPD"), effective 1 July 2023
- Circular and guidelines issued by the Ministry of Public Security (MPS) pursuant to the PDPD
- Law on Cybersecurity No. 24/2018/QH14
A2. Definitions
| Term | Meaning |
|---|---|
| Vietnamese Data Subject | An individual located in Vietnam whose personal data is processed through the Dialogg Platform |
| PDPD | Decree No. 13/2023/ND-CP on Personal Data Protection |
| MPS | Ministry of Public Security of Vietnam |
| Sensitive Personal Data | As defined in PDPD Article 2(4): data relating to political views, religion, health, sexual life, criminal records, financial information, biometric data, genetic data, and location data |
| Enterprise Client | A business entity that has entered into a services agreement with Dialogg and deploys the Platform to Vietnamese end-users |
A3. Consent Requirements
A3.1 General consent
Under the PDPD, processing of personal data of Vietnamese Data Subjects requires explicit, informed, and voluntary consent prior to collection. Consent must:
- Be obtained in writing or through an equivalent electronic mechanism that creates a verifiable record
- Clearly state the purpose, scope, and duration of processing
- Be specific to each purpose — bundled consent for multiple unrelated purposes is not permitted
- Be freely given without conditioning access to the service on consent to non-essential processing
A3.2 Sensitive personal data
- Processing of Sensitive Personal Data (including voice recordings and financial data processed through Dialogg's voicebot and chatbot services) requires explicit written consent from the Vietnamese Data Subject.
- Enterprise clients deploying Dialogg to Vietnamese end-users must implement a consent capture mechanism that meets this standard.
A3.3 Withdrawal of consent
- Vietnamese Data Subjects may withdraw consent at any time without penalty or detriment to service quality where the processing is not required to fulfil a contract.
- Dialogg provides technical mechanisms to support consent withdrawal. Upon withdrawal, Dialogg will cease processing within 5 business days and delete data unless a lawful retention obligation applies.
A4. Data Subject Rights under PDPD
Vietnamese Data Subjects may exercise the following rights by contacting [email protected]. Responses will be provided within 72 hours (acknowledgement) and 30 calendar days (resolution).
| Right | Description | PDPD reference |
|---|---|---|
| Right to be informed | Know about processing activities before data is collected | Art. 9 |
| Right to consent | Provide or withdraw consent to processing | Art. 11 |
| Right to access | Access personal data held about you | Art. 9 |
| Right to rectification | Correct inaccurate data | Art. 9 |
| Right to erasure | Request deletion of personal data | Art. 16 |
| Right to restriction | Restrict processing in specific circumstances | Art. 17 |
| Right to portability | Receive data in a structured, interoperable format | Art. 9 |
| Right to object | Object to automated processing or profiling | Art. 20 |
| Right to complain | Lodge a complaint with MPS or competent authority | Art. 9 |
A5. Cross-border Data Transfers
- Personal data of Vietnamese Data Subjects is stored and processed on infrastructure operated by Google (GCP) and Amazon (AWS) in locations that may include Singapore, Ireland, and the United States.
- Dialogg complies with PDPD Article 25 requirements for cross-border transfers:
- Impact assessment completed prior to transfer, evaluating the legal protections in each destination country
- Contractual obligations imposed on all overseas recipients requiring data protection standards equivalent to those under the PDPD
- Notification to the MPS Department of Cybersecurity and Hi-Tech Crime Prevention where required
- Records of cross-border transfers maintained and available for regulatory inspection
- Enterprise clients acknowledge that transferring personal data of Vietnamese Data Subjects to Dialogg's Platform constitutes a cross-border transfer and confirm they have complied with their own PDPD Article 25 obligations.
A6. Processing Registration
- Where required under PDPD Article 13, Dialogg will register its personal data processing activities involving Vietnamese Data Subjects with the MPS.
- Enterprise clients who act as data controllers for their Vietnamese end-users are responsible for their own PDPD registration obligations.
- Dialogg will cooperate with enterprise clients in preparing required registration documentation.
A7. Data Breach Notification
In the event of a personal data breach affecting Vietnamese Data Subjects, Dialogg will:
- Notify the MPS within 72 hours of becoming aware of the breach, per PDPD Articles 23-24
- Notify affected Vietnamese Data Subjects without undue delay where the breach poses a high risk to their rights and interests
- Notify the relevant enterprise client within 48 hours, including the nature of the breach, categories of data affected, and remediation steps taken
A8. Enterprise Client Responsibilities
| Responsibility allocation |
Dialogg acts as a data processor for personal data processed on behalf of enterprise clients. Enterprise clients act as data controllers for their Vietnamese end-users' personal data. This section sets out the respective responsibilities. |
|---|
Enterprise clients deploying Dialogg to Vietnamese users are responsible for:
- Obtaining valid consent from Vietnamese end-users prior to processing their personal data through the Platform
- Providing PDPD-compliant privacy notices to Vietnamese end-users in Vietnamese language
- Completing any registration obligations applicable to them as data controllers under the PDPD
- Ensuring the lawfulness of cross-border transfers of Vietnamese end-user data to Dialogg's infrastructure
- Responding to data subject rights requests from Vietnamese end-users (Dialogg will provide technical assistance)
Dialogg is responsible for:
- Processing Vietnamese Data Subjects' data only on documented instructions from the enterprise client
- Maintaining the security measures described in the global Privacy Policy Section 10
- Sub-processor management and contractual controls
- Complying with PDPD obligations applicable to data processors
A9. Language
- This Addendum is issued in English. Where enterprise clients require a Vietnamese-language version for regulatory or operational purposes, Dialogg will provide a certified translation upon written request to [email protected].
- In the event of conflict between the English and Vietnamese versions, the English version prevails unless otherwise required by applicable Vietnamese law.
A10. Contact for Vietnam Data Protection Matters
| Contact | Details |
|---|---|
| Dialogg data protection | [email protected] |
| Vietnamese supervisory authority | Department of Cybersecurity and Hi-Tech Crime Prevention, Ministry of Public Security (MPS), Hanoi, Vietnam |
Dialogg Europe SRL · Vietnam DPA v1.0 · April 2025 · Supplement to dialogg.ai/privacy-policy
Specialised AI compliance for global markets.
Ensuring operational excellence across Europe and Southeast Asia.