CONSENT DOCUMENT FOR PERSONAL DATA PROCESSING AND PROTECTION

The Customer (or “I”) agrees to this Consent Document for Personal Data Processing and Protection (the “Document/Consent Document”) which governs the processing of Personal Data, implementation of the Customer’s rights, and the responsibilities of Polyclinic – Medical Testing and Diagnostic Center – Medical Diag Center and all healthcare facilities under Lab Group International Vietnam Co., Ltd. (hereinafter referred to as “Diag”), as set out below:

Article 1: Definitions

1. Customer/Client: refers to individuals and/or organizations who provide personal data to Diag when searching for, accessing, purchasing, registering for, or using Diag’s Products, Goods, and Services.

2. Products, Goods, and Services: refers to any product, goods, or services provided by Diag and/or provided by Diag in cooperation with partners to Customers.

3. Agreement: includes contracts, agreements, terms, conditions, or other documents entered into or agreed upon or established between the Customer and Diag in accordance with applicable law.

4. Personal Data: refers to digital data or information in other forms that identifies or helps identify a specific individual, including: basic personal data and sensitive personal data. Personal data that has been anonymized is no longer considered personal data.

Basic Personal Data includes:

– Full name (including middle name) and birth name, other names (if any);

– Date, month, year of birth;

– Gender;

– Place of birth, place of birth registration, permanent residence registration, temporary residence registration, current address, hometown, contact address;

– Nationality;

– Individual’s photographs;

– Phone number, personal identification number, passport number, driver’s license number;

– Marital status;

– Information about family relationships (parents, children, spouse);

– Other information associated with a specific individual or helping identify a specific individual that does not fall under sensitive personal data.

Sensitive Personal Data includes:

– Health information of the Customer: including the Customer’s health status; medical examination results, paraclinical results such as medical test results, X-ray results, ultrasound results, functional assessment results; diagnosis, treatment, care process, and other related information during the Customer’s medical examination and treatment at Diag’s healthcare facilities;

– Genetic characteristics data;

– Individual location data determined through location services;

– Images of citizen identity cards, national identity cards;

– Other personal data required by law to be kept confidential or subject to strict security measures, or other sensitive personal data collected by Diag from time to time.

5. Personal Data Subject: is the individual (i.e., the Customer/Client) whose personal data is reflected.

6. Processing of Personal Data: refers to activities that affect personal data, including one or more of the following: collection, analysis, consolidation, encryption, decryption, editing, deletion, destruction, anonymization, provision, disclosure, transfer of personal data, and other activities affecting Personal Data.

7. Personal Data Controller: is an organization or individual that determines the purposes and means of Processing Personal Data.

8. Personal Data Processor: is an organization or individual that carries out the Processing of Personal Data on behalf of the Personal Data Controller, pursuant to a contract with the Personal Data Controller.

9. Personal Data Controller and Processor: is an organization or individual that simultaneously determines the purposes and means and directly processes Personal Data.

10. Third Party: is an organization or individual other than the personal data subject, the Personal Data Controller, the Personal Data Controller and Processor, and the Personal Data Processor, who participates in the processing of personal data in accordance with applicable law.

11. Diag’s Transaction Channels:

– Email: [email protected]

– Diag’s healthcare facilities

– Hotline: 19001717

– Zalo/Messenger channels as displayed on Diag’s website: https://diag.vn/

Article 2. Types of Personal Data Processed

1. Personal data processed by Diag includes the basic personal data and sensitive personal data set out in Article 1.4 of this Document.

2. Personal data processed is appropriate to each corresponding type of Product, Goods, or Service.

Article 3. Purposes of Personal Data Processing

The Customer agrees that the Personal Data under Article 2 above may be processed by Diag for the following purposes (the “Purposes”):

1. Providing Products, Goods and Services to the Customer, including medical examination and treatment services such as paraclinical activities including laboratory testing, X-rays, ultrasounds, functional exploration; diagnosis, treatment, care, and other related services during the examination and treatment process. The Customer agrees to allow Diag to access and retrieve the Customer’s medical examination history at Diag, regardless of how it was recorded, in order for Diag to provide appropriate medical services in accordance with applicable law or to supply other goods and products to the Customer upon request.

2. Performing other activities related to and in support of medical examination and treatment services or the supply of Products, Services, and Goods to the Customer, such as:

a. Processing the Customer’s payments;

b. Receiving and resolving Customer inquiries, complaints, and disputes regarding Products, goods, and services;

c. Contacting, providing, sharing, and transferring the Customer’s Personal Data to Personal Data Processors or Third Parties to support or act on behalf of Diag in providing Products, Goods, and Services to Customers as stated in Article 3.1 of this Document;

d. Contacting, providing, sharing, and transferring the Customer’s Personal Data to insurance companies, insurance brokers, other medical fee guarantee service providers, or insurance claim payment support service providers in cases where the Customer requests medical fee guarantees, or providing data to insurance companies that request health checks prior to issuing insurance, or companies requiring employee health examinations, or other cases requested by the Customer and agreed to by Diag, or cases proposed by Diag and agreed to by the Customer;

e. For internal storage, management, and operational purposes of Diag, reporting to or complying with requirements from competent state authorities, resolving disputes, fulfilling legal obligations, including contacting, providing, sharing, and transferring the Customer’s Personal Data to Personal Data Processors or Third Parties.

f. Allow Diag to collect, store, and use your voice and images for the purpose and activities of medical examination and treatment between Diag and the Customer.

The Customer understands that the Purposes stated in Articles 3.1 and 3.2 above of this Document are mandatory for us to provide Products, Goods, and Services to Customers without requiring Customer consent, in accordance with Article 18.3.b of the Law on Protection of Consumer Rights 2023, and Article 19.1 of the Law on Personal Data Protection.

3. Carrying out other purposes (as agreed upon by the Customer from time to time)

a. Receive marketing, communication, new product introductions, offers, and promotions from Diag to Customers;

b. Receive notifications, calls, messages, and emails regarding customer care to improve the quality of Diag’s products and services;

c. Allow Diag to share and transfer this information to third parties for the purposes stated in section a and/or section b above.

Article 4. Processing of Personal Data

1. Depending on the circumstances, Diag acts as the Personal Data Controller or as the Personal Data Controller and Processor.

2. Diag is permitted to process the Customer’s personal data to fulfill the Purposes set out in Article 3 and in compliance with applicable law. Diag’s Personal Data Processing activities are as follows:

a. Collecting: Personal data is collected in various ways, manually or electronically, including but not limited to:

– Through the filling and completion of forms such as registration forms, payment information forms, consent forms;

– When the Customer provides detailed information for using Diag’s Products, Goods, Services and to facilitate payment;

– When the Customer undergoes examination or treatment procedures by Diag’s medical professionals;

– From third parties such as relatives of Customers, insurance companies, employers, companies or other medical facilities cooperating with Diag;

– When the Customer searches for, accesses, purchases, registers for, or uses any Products, Goods, or Services through any channel (SMS, website, Diag’s applications (if any), or Zalo, Facebook, TikTok, or other applications…); Diag’s transaction channels, cyberspace; and/or other methods as permitted by law;

– When Diag communicates or contacts the Customer in person, by mail, telephone, online, call center systems, electronic communications, or audio/video recording devices if any;

– When the Customer browses Diag’s information pages, including https://diag.vn.

b. Analyzing and synthesizing personal data

c. Encryption and Decryption of Personal Data

i. Encryption of Personal Data is the conversion of Personal Data into a form that cannot be recognized unless it is decrypted, for the purpose of protecting the confidentiality of Personal Data, preventing unauthorized access, and ensuring the integrity of Personal Data. Personal Data is encrypted according to appropriate encryption standards as required by law and Diag.

ii. Decryption will be carried out in accordance with Diag regulations to ensure the provision of services, the fulfillment of Customer Purposes, and operations in accordance with internal policies of Diag and legal regulations.

d. Editing Personal Data: Editing Personal Data is carried out in accordance with Article 6.1.c of this Document.

e. Deleting or destroying Personal Data: Deleting or destroying Personal Data is carried out in accordance with Article 6.1.e of this Document.

f. Providing Personal Data: Providing Personal Data is carried out in accordance with Article 6.1.d of this Document.

g. Anonymization of Personal Data:

i. Anonymization of Personal Data is the process of modifying or removing information in order to generate data that cannot identify, or cannot be used to identify, a specific individual. Anonymization is carried out to protect the privacy rights of Customers.

ii. Personal Data after anonymization is no longer considered Personal Data.

iii. The Company shall perform the anonymization of Personal Data where deemed necessary, if applicable. Throughout the anonymization process, the Company is responsible for:

– Strictly controlling and closely supervising the entire process of Personal Data anonymization;

– Implementing appropriate technical and organizational measures to prevent any unauthorized access, copying, misappropriation, disclosure, or loss of personal data during the anonymization process;

– Not re-identifying personal data once it has been anonymized, unless otherwise required by applicable law;

– Complying with all applicable laws and regulations on anonymization.

h. Transfer and Sharing of Personal Data:

i. Diag is permitted to transfer Personal Data in accordance with the Purpose stated in Article 3 of this Document, or in accordance with the law on personal data protection, without requiring consent such as:

– Sharing personal data between departments within Diag for processing personal data;

– Transferring Personal Data at the request of competent state agencies;

– Transferring to the Processing Party or third parties for processing in accordance with the provisions and Purpose stated in Article 3 of this Document, including cross-border transfers carried out in compliance with Vietnamese law;

– Transferring personal data in the cases stipulated in Article 19.1 of the Law on Personal Data Protection, including the following cases:

        • To protect the life, health, honor, dignity, rights, and legitimate interests of the Personal Data Subject or others in urgent cases;
        • To protect Diag’s legitimate rights or interests, others, or the interests of the State, agencies, or organizations in a necessary manner against acts that infringe the aforementioned interests;
        • To address emergency situations; threats to national security that have not yet reached the level requiring a state of emergency declaration; prevention and combating of riots, terrorism, crime, and legal violations;
        • To serve the activities of state agencies and state management activities as prescribed by law;
        • To fulfill agreements between the Personal Data Subjects and relevant agencies, organizations, and individuals as prescribed by law;
        • Other cases as prescribed by law.

ii. In the event that Diag transfers the Customer’s personal data to a country other than Vietnam, Diag will ensure that it follows the necessary procedures in accordance with Vietnamese law and meets the technical requirements for the security of Personal Data.

Article 5: Duration of Personal Data Processing

1. Commencement of Processing:
The processing of Personal Data shall commence from the time the Customer provides such data to Diag or grants consent for Diag to collect the data through lawful channels.

2. Duration of Processing:
Diag shall store and process Personal Data for the entire duration during which the transactional relationship between the Customer and Diag remains effective.

3. Diag shall continue to retain Personal Data for the period prescribed under specialized laws applicable to the healthcare sector for the following purposes:

– Compliance with legal obligations in accordance with applicable laws;

– Compliance with statutory data retention periods in the healthcare sector as prescribed by applicable laws;

– Resolution of complaints and disputes arising in connection with the transaction;

– Fulfillment of requests from competent state authorities.

4. Upon expiry of the retention period:
Upon expiration of the applicable retention period, Personal Data shall be erased or destroyed in accordance with applicable laws and Diag’s policies on the erasure and destruction of Personal Data.

Article 6: Rights and Obligations of the Customer

1. Customer’s Rights

a. The Customer has the right to be informed about Personal Data Processing activities, except as otherwise provided by law.

b. The Customer’s consent

i. The Customer has the right to decide on consent related to the Personal Data of Customer, except as otherwise provided by law.

ii. The Customer has the right to request withdrawal of consent or restriction of Processing of Customer’s Personal Data when there is doubt about the scope, purpose of personal data processing, or the accuracy of Personal Data, except as provided in Article 19 of the Personal Data Protection Law or as otherwise provided by law. The following are cases in which consent may not be withdrawn or processing may not be restricted (hereinafter referred to as the “Cases Where Withdrawal of Consent or Restriction of Personal Data Processing Is Not Permitted”):

– Personal data is required to be stored in accordance with law;

– To protect the life, health, honor, dignity, rights, and legitimate interests of Personal Data Subject or others in urgent situations; to protect legitimate rights or interests of Diag or of other people, or of the State or other organizations as necessary against acts that infringe the aforementioned interests;

– To address emergency situations; threats to national security that have not yet reached the level requiring a state of emergency declaration; prevention and combating of riots, terrorism, crime, and legal violations;

– To serve the activities of state agencies and state management in accordance with law;

– To fulfill the agreement between the Customer as Personal Data Subject and Diag or relevant agencies, organizations, or individuals as prescribed by law, such as to enable Diag to sell and provide Products, Goods, and Services at the Customer’s request, or other related circumstances;

– Requests that are inconsistent with legal regulations, such as: editing medical records; requesting modification, concealment, non-provision, incomplete provision, or inaccurate provision of Personal Data to competent state authorities or other third parties; requesting data modification and/or modification of related transactions when Diag is obligated to retain personal records and transactions for legal compliance purposes;

– Other cases as prescribed by law.

iii. Steps for exercising these rights of Customer shall comply with Article 5 of Decree 356/2025/ND-CP and relevant guidelines and amendments from time to time, specifically as follows:

Step 1: Customer submits a valid request in accordance with Article 6.1.b.ii of this Document to Diag through Diag’s transaction channels as stated in Article 1.1 of this Document, attaching evidence including personal information, identification documents, information proving that medical examinations and treatments have been performed at Diag, supplementary documents for the purpose and reason of exercising the rights under Article 6.1.b.ii, and other documents as requested by Diag from time to time.

Step 2: Diag will verify the identity of the Personal Data Subject; assess the validity of the request and issue an initial notification to the Personal Data Subject within 02 working days from the date of receipt of the request, confirming acceptance or rejection, and notifying the Personal Data Subject of this initial result and the processing timeline.

        • If not falling under the Cases Where Withdrawal of Consent or Restriction of Personal Data Processing Is Not Permitted, Diag will process the request from 15 to 20 working days. If an extension is required, it may be extended once for a maximum of 15 additional days, and Diag will notify the Customer of the reason for the extension;
        • If falling under the Cases Where Withdrawal of Consent or Restriction of Personal Data Processing Is Not Permitted, Diag will refuse to proceed and notify the Customer.

c. Customers have the right to request correction of Personal Data:

i. Personal Data is requested for correction by Customer when the Personal Data contains errors or mistakes due to unintentional errors by the Customer or Diag’s employees during the data provision process, or when the Customer’s Personal Data expires or is updated according to legal regulations.

ii. The steps to exercise these rights of the Customer will comply with Article 5 of Decree 356/2025/ND-CP and guidelines, amendments, and supplements from time to time, specifically as follows:

Step 1: Customer sends a request for correction of Personal Data, with attached evidence, to Diag through Diag’s transaction channels as stated in Article 1.1 of this Document.

Step 2: Diag will verify the identity of Personal Data Subject, assess the validity of the request and provide an initial notification to the Customer within 2 working days of receiving the request. Diag will confirm whether or not it agrees to the Customer’s request and will inform the Customer of this initial result and processing time.

        • If the Customer’s request is valid and reasonable, Diag will process it from 10 to 15 days. In case an extension is needed, the processing time will be extended a maximum of one time for a period not exceeding 10 days, and Diag will inform the Customer of the reason for the extension.
        • If the Customer’s request is unfounded, Diag will refuse to process it and notify the Customer.

d. Providing the Personal Data:

i. The Customer provides Personal Data to Diag for the Purposes specified in Article 3 of this Document.

ii. The Customer is entitled to request Diag to provide the Customer’s Personal Data, except where such provision may adversely affect national defense, national security, social order and safety, or infringe upon the life, health, or property of others, or in other cases as prescribed by law (the “Cases Where Personal Data Cannot Be Provided Upon Customer Request”).

The procedure is as follows:

Step 1: Customer submits a valid request in accordance with Article 6.1.d.ii of this Document to Diag through Diag’s transaction channels as stated in Article 1.1 of this Document, attaching evidence including personal information, identification documents, information proving that medical examinations and treatments have been performed at Diag, supplementary documents for the purpose and reason of exercising the rights under Article 6.1.d.ii, and other documents as requested by Diag from time to time.

Step 2: Diag shall verify the identity of Personal Data Subject; assess the validity of the request; and determine whether the request falls under the Cases Where Personal Data Cannot Be Provided Upon Customer Request or not.

        • If the Customer’s request is valid and reasonable, Diag will process it from 10 to 15 days. In case an extension is needed, the processing time will be extended a maximum of one time for a period not exceeding 10 days, and Diag will inform the Customer of the reason for the extension;
        • If the request falls under the Cases Where Data Cannot Be Provided Upon Customer Request, Diag shall issue a written refusal stating the reasons for refusal.

e. Deletion or destruction of Personal Data

i. The Customer is entitled to request deletion or destruction of Customer’s Personal Data and accepts any risks or damages arising. The Customer’s request in this case must fully comply with the principles set out in Article 4.3 of the Personal Data Protection Law and must not fall under the Cases Where Deletion or Destruction of Personal Data Is Not Permitted as stated in Article 6.1.e of this Document.

ii. Diag will not fulfill the Customer’s request for deletion or destruction of Personal Data in cases stipulated in Article 19 of the Personal Data Protection Law or where deletion or destruction would fail Article 4.3 of the Personal Data Protection Law, or in other cases provided by law as follows (hereinafter “Cases Where Deletion or Destruction of Personal Data Is Not Permitted”):

– Personal data that is required to be stored under the provisions of law;

– To protect the life, health, honor, dignity, rights, and legitimate interests of the Customer as Personal Data Subject or others in urgent situations; to protect the legitimate rights or interests of the Customer or others, or of the State or organizations, as necessary against the infringements mentioned above;

– To address emergency situations; threats to national security that have not yet reached the level requiring a state of emergency declaration; prevention and combating of riots, terrorism, crime, and legal violations;

– To serve State agencies and state management activities in accordance with law;

– To fulfill the agreement between the Customer as Personal Data Subject and relevant agencies, organizations, or individuals in accordance with law;

– Deletion or destruction of Personal Data would lead to a violation of the applicable law or the obligations of the Personal Data Subject when using services provided by Diag;

– Deletion or destruction of Personal Data would lead to a failure to protect the legitimate rights and interests of the Personal Data Subject;

– Deletion or destruction of Personal Data would cause inconvenience to Diag or impede Diag’s legal rights and obligations;

– Deletion or destruction of Personal Data would lead to infringement of the legitimate rights and interests of the State, other agencies, organizations, or individuals;

– Requests to delete or destroy Personal Data that are inconsistent with legal regulations, including but not limited to: deleting, destroying, or modifying medical records; requests to correct, conceal, withhold, provide incomplete, or provide false Personal Data to competent state agencies or other third parties; requests to correct, delete, or destroy Personal Data and/or related transactions when Diag is obligated to retain personal records and comply with legal obligations;

– Other cases as prescribed by law.

In cases where Diag is unable to delete or destroy the Customer’s Personal Data for legitimate reasons after receiving the Customer’s request, Diag will notify the Customer accordingly.

iii. The procedures for exercising these rights shall comply with Article 5 of Decree 356/2025/ND-CP and relevant guidelines and amendments from time to time, specifically as follows:

Step 1: Customer submits a valid request in accordance with Article 6.1.e of this Document to Diag through Diag’s transaction channels as stated in Article 1.1 of this Document, attaching evidence including personal information, identification documents, information proving that medical examinations and treatments have been performed at Diag, supplementary documents for the purpose and reason of exercising the rights under Article 6.1.e, and other documents as requested by Diag from time to time.

Step 2: Diag will verify the identity of the personal data subject; assess the validity of the request and issue an initial notification within 02 working days from receipt, confirming acceptance or rejection, and notifying the personal data subject of this initial result and the processing timeline.

        • If not falling under Cases Where Deletion or Destruction of Personal Data Is Not Permitted, Diag will process the request from 20 to 30 days. If an extension is required, it may be extended once for a maximum of 20 additional days, and Diag will notify the Customer of the reason for the extension;

        • If falling under Cases Where Deletion or Destruction of Personal Data Is Not Permitted, Diag will refuse to proceed and notify the Customer.

f. Filing complaints, denunciations, lawsuits, or claims for damages in accordance with applicable law;

g. Other rights as prescribed by law.

2. Customer Obligations

a. To protect the Personal Data of Customer; to require other relevant organizations and individuals to protect the Customer’s Personal Data; to proactively apply measures to protect Personal Data when using Products, Goods, and Services; and to promptly notify Diag upon discovering any errors, inaccuracies, or suspected infringement of Personal Data.

b. To respect and protect the personal data of others;

c. To provide personal data completely, truthfully, and accurately as required by law, by agreement, or when the Customer consents to the processing of personal data;

d. To comply with the law on personal data protection and participate in preventing and combating activities infringing personal data;

e. To comply with applicable laws and Diag’s regulations relating to the Processing of the Customer’s Personal Data;

f. Customers must provide personal data and other information as requested by Diag when using the Products, Goods and Services in a complete, truthful, and accurate manner; and update it promptly when there are any changes. Diag is not responsible for any damages arising from inaccurate, incomplete, or outdated information provided by the Customer.

g. To cooperate with Diag, competent state authorities, or third parties in the event of issues affecting the security of the Customer’s Personal Data;

h. To take responsibility for information and data created or provided by the Customer on cyberspace; to take responsibility in the event of personal data leakage or infringement due to the Customer’s own fault;

i. To regularly update Diag’s regulations and policies relating to the protection and Processing of Personal Data as notified to Customers through Diag’s Transaction Channels from time to time;

j. Other obligations as prescribed by law.

3. When exercising the rights and obligations of the Customer, the Customer must fully comply with the following principles:

a. To act in accordance with applicable law; to comply with the obligations of the Personal Data Subject when using the Products, Goods and Services at Diag. The exercise of rights and obligations by the Personal Data Subject must aim to protect the legitimate rights and interests of that Personal Data Subject;

b. Not to impede or obstruct the exercise of legal rights and obligations of Diag and related parties in their roles as Personal Data Controller, Personal Data Controller and Processor, or Personal Data Processor;

c. Not to infringe upon the legitimate rights and interests of the State, other agencies, organizations, or individuals.

Article 7: Personal Data Protection and Potential Risks

1. Diag commits, through all necessary and reasonable efforts, to process the Customer’s Personal Data securely and confidentially, and to ensure the Customer’s rights in compliance with applicable law. However, certain risks beyond Diag’s control may occur, including but not limited to the following:

(i) Hardware or software errors during data processing that result in loss of the Customer’s Personal Data;

(ii) Security vulnerabilities beyond Diag’s control, including system hacker attacks that cause data breaches;

(iii) The Customer’s disclosure of personal data due to carelessness or fraud of the Customer; accessing websites or downloading applications containing malware; or being subject to hacker takeover;

(iv) Force majeure events that Diag could not have foreseen and that are beyond Diag’s control, such as power outages, natural disasters, floods, etc.

2. Diag advises Customers to maintain absolute confidentiality of the Customer’s personal information and OTP codes, and not to share this information with any other person; to safeguard personal devices (mobile phones, tablets, personal computers, etc.) during use; and to log out of the Customer’s accounts when not in use.

Article 8. General Provisions

1. The Customer confirms having read, understood, and agreed to all contents of this Document.

2. The Customer understands and agrees that this Document may be amended from time to time and will be updated by Diag on its website: https://diag.vn/ in compliance with applicable law.

The Customer’s continued registration for or use of Products, goods, and services constitutes acceptance of any amendments to this Document, unless applicable law requires express consent to such amendments.

3. The Customer has read, understood, agreed to, and commits to strictly comply with all terms and conditions set out in this Document. Matters not addressed herein shall be governed by applicable law, guidance from competent state authorities, and/or amendments and supplements to this Document from time to time.

4. In the event of any dispute, the parties shall proactively negotiate in good faith and in a spirit of cooperation. If negotiation fails, either party may request resolution by the competent authority in accordance with applicable law.
