Personal Data Protection Policy For Clients

04/03/2026

Introduction

Oriental Commercial Joint Stock Bank (hereinafter referred to as “OCB”, “Bank” or “we”) is committed to respecting and making efforts to ensure the confidentiality and rights of Data Subjects regarding Personal Data of Clients, potential Clients, walk-in Clients and Related Parties of Clients (hereinafter referred to as “Clients”). In the process of processing Personal Data of Clients, we will implement and comply with the contents of the Personal Data Privacy Policy for Clients using all of our Products and Services (hereinafter referred to as “Products”, “Services”) and for other purposes stated in this Personal Data Privacy Policy for Clients (hereinafter referred to as “Privacy Policy”).

This Privacy Policy applies to us as the controller and processor of Clients’ Personal Data and explains which information we collect about Clients, how it is used, who it is shared with and how it is stored to ensure that it remains private and secure.

This Privacy Policy is publicly available on the website https://ocb.com.vn/en/news-events/news/personal-data-protection-policy-for-clients or at OCB's Branches and Transaction Offices and is effective from 04/03/2026 and replaces OCB's Privacy Policy effective from 05/01/2026.

OCB reserves the right to amend and supplement this Privacy Policy at any time. OCB will notify Clients of any amendments or additions to the Privacy Policy and publicly announce them on OCB's website. We encourage Clients to regularly review the Privacy Policy to obtain the latest updates in order to exercise their Data Subject rights.

1. Definitions and interpretation:

In this Privacy Policy, unless the context otherwise requires, the following terms shall have the following meanings:

Personal Data Controller

is the agency, organization or individual that decides on the purposes and means of personal data processing.

Personal Data Controller and Processor

is the agency, organization, or individual that decides on the purposes and means of personal data processing and directly processes personal data.

Personal Data Processor

is the agency, organization, or individual processing personal data as requested by the personal data processing party or Personal Data Controller and Processor under a contract.

Data Subject

is the individual whose Personal Data is reflected.

Personal Data

is digital data or information in other forms that identifies or assists the identification of a specific individual, including basic personal data and sensitive personal data. Personal data, once de-identified, is no longer considered personal data.

Contact person

are individuals related to the organizational clients, organizational partner, including, but not limited to, representatives(s), directors(s), controllers(s), officers(s), employees(s) and other related individuals(s) of the Partner.

Program

is a program implemented by OCB for Clients.

Clients

are individuals and organizations (i) who have used Products and Services at OCB and have been recorded in the OCB Customer Database; (ii) have never used Products and Services at OCB and/or have not been recorded in the OCB Customer Database.

Client’s Consent

is a letter sent from the Client to OCB to express his/her consent to the processing of the Client's Personal Data.

For online transactions, Client’s Consent is a clear, voluntary expression, affirming the Client's consent to allow OCB to process his/her Personal Data, through the form of checking the box stating "I agree to OCB's Privacy Policy" or similar statements displayed on our paper documents or platforms equivalent to the purposes of processing Personal Data at OCB

Website

is the website ocb.com

Applications

are applications issued by OCB to serve the process of providing Products and Services to Clients.

Platform

are OCB's online platforms, including Website, Applications, and other Customer Care channels of OCB provided to Clients to access OCB's Products and Services.

Account

is the Client's online account when registering an online account at OCB.

Personal Data Processing

is activities impacting personal data, including one or more of the following: collection, analysis, summary, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer of personal data, and other activities impacting personal data.

2.   Scope and purpose of processing Clients' Personal Data
2.1.   Scope of processing:
Client's Personal Data processed by OCB includes:
(a)   Basic Personal data

Full name, middle name, and birth name; other names (if any);
Date of birth;
Place of birth, registered place of birth;
Gender;
Residential information (including permanent residence, temporary residence, current address, place of origin, contact address; work address, office address, other contact details);
Nationality;
Personal images; information obtained from security systems (for clients conducting transactions at OCB branches and transaction offices, e.g., audio recordings, video recordings in areas with surveillance cameras – CCTV);
Identification number;
Email address; Phone number;
Driver’s license number, vehicle registration plate number;
Social insurance number, medical insurance card number;
Marriage status;
Full name, phone number, and address of the Client's related parties;
For the Client who is a child (persons under 16 years old): Information about the parents or legal guardians as stipulated by law, appointed by the commune-level People’s Committee or the Court in accordance with legal regulations (collectively referred to as the “Legal representative”), including details such as their full name, ID card number, Citizen identification card number, Passport number, contact phone number, and the relationship between the Legal representative and the Client who is a child;
Information about the Client’s account number, personal data reflecting activities and activity history of the Client on digital platforms; 
Other information provided by the Client to exercise their rights or make requests, which does not fall under the category of sensitive Personal data;
Any other data, information provided by the Client to OCB during the approaching or use or expected to use of Products, Services, or during the participation in OCB’s Programs/events that involve information collection, which does not fall under the category of sensitive Personal data;
Other basic Personal data identify or enabling the identification of a specific individual.

(b) Sensitive Personal data

Data revealing racial or ethnic origin;
Political opinions, religious or belief-related views;
Information about private life, personal secrets, family secrets;
Health status;
Biometric data and genetic characteristics;
Data revealing an individual’s sexual life or sexual orientation;
Data on criminal offenses and illegal violations, stored by law enforcement authorities;
Location data of individuals identified through location services;
Information on the username and password for accessing an individual's electronic identification account; images of identification cards, citizen identification cards, or personal identification cards;
Account login credentials, passwords; bank card information; data on bank account transaction history; financial, credit information and information related to financial transactions history, securities, insurance of Client at credit institutions, foreign bank branches, payment intermediaries, securities, insurance, and other licensed organizations;
Data tracking behavior and activities in the use of telecommunications services, social networks, online media services, and other services in cyberspace;
Other Personal data prescribed by law to be kept confidential or determined by organizations or individuals to requirenecessary security measures.

When the Client provides the Personal data of other individuals to OCB, the Client acknowledges that they act as the Data controller in relation to the provision of such individuals’ Personal data to OCB, and that OCB only processes this Personal data based on an agreement with the Client for the Processing purposes set out in Article 2.2 of this Privacy Policy.

The Client is responsible for ensuring that these individuals have been fully informed about the relevant Processing purposes and the processing of their Personal data in accordance with legal regulations and has obtained their consent before providing such information to OCB.

2.2. Processing purposes
OCB is permitted to process Personal data for the following purposes (hereinafter referred to as the “Processing purposes”):

The Client identity verification: OCB processes the Client's Personal Data to verify the accuracy and completeness of the information provided by the Client; to identify or authenticate the Client's identity and to conduct the Client authentication procedures.
Provision of Products and Services to the Client: OCB processes the Client's Personal Data to provide Products and Services at OCB including but not limited to consulting, fulfilling Client’s requests and/or registrations, Customer care services, management activities, maintenance, and updating changes related to Products and Services at OCB.
Compliance with applicable laws, regulations, and other requirements: OCB commits to comply with the regulations on anti-money laundering, anti-terrorist financing and embargo of Vietnamese law and international practices (including but not limited to the regulations of the United Nations, countries with advanced anti-money laundering, anti-terrorist financing and sanctions compliance frameworks, reputable foreign banks with which OCB has correspondent relationships). All Clients and transactions at OCB must commit to comply with the customer acceptance policy and not violate the embargo policy. OCB does not establish relationships or conduct transactions with entities that do not accept the commitment and/or do not comply with regulations. To do this, OCB is responsible for implementing related management measures to the Client's data, including monitoring, mitigating and managing risks, conducting underwriting, the Client screening, transaction screening, and the Client risk assessment.
Improving, developing Products, Services quality, and surveying client demands/business: OCB processes the Client's Personal Data from surveys or during exchanges and interactions between Clients and OCB to understand how the Client uses OCB's Products, Services in order to promote the development of Products and Services as well as identify shortcomings of the Products, Services and limitations of the existing technology infrastructure. This enables OCB to enhance, refine, and diversify its Products and Services, develop tailor-made Products and Services for specific client segments, improve processes, and upgrade technological infrastructure to enhance Product and Service quality and best meet Client needs.
Communication, commercial promotion, marketing, and introduction of Products, Services: OCB processes the Client's Personal Data to provide the Client with information about OCB's Products and Services, events, promotions, as well as Products and Services from OCB's partners. This includes marketing via postal mail, email, telephone, text, messaging applications, mobile applications/electronic applications, or advertising to the Client through social media. OCB ensures compliance with regulations regarding obtaining the Client’s consent for this activity. The Client may change their preferences regarding marketing notifications or opt out of receiving such information at any time.
Risk management: OCB processes the Client's Personal Data to measure, detect, and prevent potential financial, reputational, legal, compliance, or client-related risks. This includes credit risk, transaction risk, operational risk, and insurance risk (e.g., for insurance purposes or claims management). This enables OCB to safeguard its legitimate interests before providing credit, loans, or other financial services to the Client.
Ensuring Security and Safety for Clients of OCB: To ensure security and safety for all Clients conducting transactions at OCB’s headquarters and branches, OCB implements necessary control and monitoring measures, such as verifying persons entering and exiting the building, as well as utilizing surveillance camera systems at branches, facilities, and ATMs…
Protection of OCB's legal rights and interests: OCB processes the Client's Personal Data to protect OCB’s legal rights in legal matters such as debt collection, enforcement of intellectual property rights protection, management of complaints or dispute resolution, cases of the banks restructuring, mergers, or other acquisitions.
Other legitimate purposes related to the aforementioned purposes.

If we process Clients' Personal Data for purposes other than those stated here, we will inform Clients about how we handle this Personal Data and obtain additional consent before processing it for such purposes, in accordance with applicable laws and regulations.

3. Entities, individuals authorized to process the Client’s Personal data
OCB will not provide the Client’s Personal data to any third party except for related parties involved in the Processing purposes. These related parties include:

OCB’s subsidiaries and/or affiliates (if any);
Entities within OCB’s operating network;
Service providers or other relevant third parties engaged in Processing Personal data on behalf of or under the authorization of OCB to serve the Processing purposes, including but not limited to:
- partners providing goods, services, equipment, machinery, and surveillance cameras;
- partners providing telecommunications services;
- partners providing software services, information technology services;
- partners providing consulting services such as legal consulting, financial consulting, auditing, other consulting entities, etc.;
Credit institutions and/or branches of foreign banks in Vietnam, financial institutions, Visa International Service Association, MasterCard International Incorporated, and other card associations related to any Products and Services that OCB provides to the Client;
The National Credit Information Centre of Vietnam, other credit information entities (if any);
Rating agencies, insurance companies or insurance brokers, or direct or indirect credit protection providers;
Any third party has a transaction with OCB to purchase or sale of debt and/or purchase or sale of any other assets of OCB;
Competent state authorities;
Business transfers: OCB has the right to share the Client’s Personal data with other parties in connection with any merger, acquisition, consolidation, partnership, restructuring, financing, or any other business transaction; and
Other third parties that OCB deems necessary for the Processing purposes or as required by applicable law.

4. Rights and obligations of the Client regarding Personal data
4.1. Rights of the Client
The Client, as a Data subject, has the following rights regarding their Personal data, unless otherwise provided by applicable law:

Right to be informed about the processing of their Personal data: The Client has the right to be informed about the processing of their Personal data.
Right to consent or withhold consent: The Client has the right to either consent or refuse to consent to the processing of their Personal data, except where the law permits processing without the Data subject’s consent.
Right to request the withdrawal of consent for the Processing of Personal Data, to restrict the processing of Personal Data: The Client has the right to request the withdrawal of their consent and to request the restriction of the processing of their Personal data.
Right to access, edit, and request the correction of Personal Data: The Client has the right to access and personally edit their own Personal Data for certain types of data as agreed with OCB; and to request OCB to correct their Personal Data.
Right to Personal data portability: The Client has the right to request the provision of their Personal data in accordance with legal regulations and agreements with OCB, or to have such data provided to agencies, organizations, or other individuals with the Customer’s consent.
Right to delete or erasure data: The Client has the right to erase or request the erasure of their Personal data where permitted under applicable law.
Right to object to processing of Personal Data: The Client has the right to object to the processing of their Personal data to prevent or restrict the disclosure of Personal data or the use for advertising, marketing purposes.
Right to complain, denounce, initiate legal proceedings: The Client has the right to complain, denounce, initiate legal proceedings in accordance with applicable law.
Right to claim compensation for damages: The Client has the right to claim compensation for damages in accordance with the laws in the event of a breach of personal data protection regulations with respect to their Personal data.
Other rights: The Client may request competent authorities or organizations to implement measures and solutions to protect their civil rights in relation to their Personal Data, in accordance with the laws.

The exercise of certain rights by the Client, such as the right to withdraw consent, the right to erasure, the right to restrict processing, or the right to object to processing, may result in OCB being unable to take necessary actions to achieve the Processing purposes or being unable to provide, support, resolve the Client’s requests. With above reasons, OCB will not be liable to the Client for any loss arising from the Client's exercise of these rights.

4.2. Obligations of the Client
The Client, as a Data subject, has the following obligations regarding their Personal data:

Protect their own Personal data and request relevant organizations, individuals to protect their Personal data. If the Personal data is disclosed due to the Client’s negligence or any error on their part, the Client will bear the associated risks and potential damages.
Respect, protect the Personal data of others.
Comply with the provisions of the law on Personal data protection and participate in preventing violations of Personal Data protection regulations.
Promptly notify OCB of any changes to the provided Personal Data.
Provide legally valid documentation when requested by OCB to demonstrate that the Client has obtained necessary consent and permission from related parties of Client when providing personal data of such parties.
Provide complete, accurate Personal data to OCB when consenting to the processing of Personal data.
The Client is solely responsible for maintaining the confidentiality and security of all activities when using the Products and Services at OCB. Additionally, the Client is responsible for promptly notifying OCB of any unauthorized use, misuse, security breaches, third-party access to their registered username and password so that appropriate measures can be taken; or when detecting any errors, inaccuracies regarding their Personal data, or suspecting violations regarding their Personal data.

5. Start and end time for Personal Data processing

OCB processes Clients’ Personal Data from the moment it receives the Clients’ Consent regarding the processing of Personal Data (as defined in Article 1 of this Privacy Policy). Clients’ Personal Data will be stored for the necessary period to achieve the Processing Purposes, unless a longer retention period is required or permitted by applicable laws and regulations (e.g., for tax and audit purposes) or to fulfill obligations that OCB has notified the Clients about. Certain types of Personal Data may be retained longer than others.

6. Methods of Personal Data processing
6.1. Collection and processing of Personal Data
OCB may collect Clients’ Personal Data through the following methods:

When Clients register for Products and Services provided by OCB, such as opening an account, digital banking services, card issuance, loan applications, savings accounts, insurance, investments, or transaction registration.
Through Clients' transactions and activities, such as deposits, withdrawals, transfers, payments, and credit card usage.
From interactions, communications, and exchanges with Clients (in person, via mail, phone, online communication, electronic messaging, social media, surveys, or any other means).
From recording and surveillance devices integrated into security systems located at branches, transaction offices, and OCB’s ATM systems.
From OCB’s Personal Data Processors (including business partners), publicly available data sources, government authorities, and other sources.
From information collection forms targeting potential Clients at conferences, seminars, or events organized by OCB.
From other lawful methods and means of collecting Personal Data.

After collecting Personal Data, OCB will carry out one or more appropriate Personal data processing activities, including recording, analysis, verification, storage, modification, disclosure, combination, access, retrieval, recovery, encryption, decryption, duplication, sharing, transmission, provision, transfer, deletion, destruction of Personal Data, or other related actions. These activities are conducted to fulfill Processing Purposes or meet Client requests regarding their rights as Data Subjects (e.g., rights to amend, update, provide, restrict Personal Data processing, etc.) in accordance with applicable laws and regulations.

6.2. Processing of Personal Data of individuals declared missing, deceased, or with restricted civil act capacity, or individuals with cognitive or behavioral difficulties

OCB shall only process the Personal Data of individuals who are declared missing, deceased, or who have restricted civil act capacity, or individuals with cognitive or behavioral difficulties, when their legal representative exercises the rights of the Personal Data Subject on their behalf in accordance with the laws.

6.3. Processing of Clients' Personal Data as minors

OCB processes minors’ Personal Data based on the principles of protecting their rights and acting in their best interests. Before processing a minor’s Personal Data, OCB will take appropriate measures to verify their age. Processing minors’ Personal Data requires the consent of a parent or legal guardian as mandated by law. In cases where minors are aged seven or older, their additional consent is required for the processing of their Personal Data, except where legal provisions allow processing without the Data Subject’s consent.

6.4. Processing of Personal Data as health information and insurance business activities

The processing of Personal Data as health information and insurance business activities shall require the Client’s consent, except where data processing is permitted without the Data Subject’s consent under the law. In addition, OCB shall ensure full compliance with all regulations governing the protection of Personal Data in the course of such processing.

6.5. Processing of Personal Data in financial, banking, and credit information activities

OCB undertakes to comply fully with regulations on the protection of sensitive Personal Data and to apply appropriate safety and security standards when providing Products and Services to Client. OCB shall not utilize Client’s credit information for scoring, credit ranking, credit information assessment, or creditworthiness evaluation of the Personal Data Subject without their consent.

6.6. Processing of Personal Data in big data, artificial intelligence, blockchain, metaverse, and cloud computing environments

OCB undertakes to process Personal Data strictly for legitimate purposes and within the necessary scope, ensuring the lawful rights and interests of Client in big data, artificial intelligence, blockchain, metaverse, and cloud computing environments, in compliance with legal regulations, ethical standards, and Vietnamese cultural norms.

6.7. Processing of Personal Data relating to personal location data

OCB shall duly inform users of its Mobile application regarding the use of personal location data, implement measures to prevent the collection of personal location data by unrelated organizations or individuals, and provide Client with lawful options for location tracking in accordance with the laws.

6.8. Processing of Personal Data relating to biometric data

In collecting and processing biometric data, OCB shall implement physical security measures for devices storing and transmitting biometric data, restrict access rights thereto, establish monitoring systems to prevent and detect unauthorized access or violations, and comply with applicable laws and relevant international standards.

6.9. Processing of Personal Data collected from public audio and video recordings

OCB may collect and process image data of individuals and information obtained from security systems (e.g., audio and video recordings from areas with surveillance cameras – CCTV, including but not limited to stores, supermarkets, hallways, entrances, etc. and parking lots) for purposes of national security, public order and safety, and protecting the legal rights and interests of organizations and individuals as required by law, without needing Clients’ consent.

At OCB, the security system and CCTV operate 24/7 to ensure Clients' safety, prevent crime, protect facilities, and support fire prevention efforts. OCB is committed to processing Clients’ Personal Data strictly in accordance with this Privacy Policy and applicable legal regulations.

6.10. Deletion of Clients’ Personal Data
OCB will permanently delete Clients' Personal Data in the following cases:

Data processing does not align with the intended purpose.
The processing purpose for which the Client provided consent has been fulfilled.
Personal Data storage is no longer necessary for the Bank’s operations.
OCB is dissolved, ceases operations, declares bankruptcy, or terminates business activities as required by law.

OCB will take necessary measures to prevent access to or usage of Personal Data for any purpose other than complying with this Privacy Policy or for safety, security, fraud detection, and risk prevention related to information system security, cybersecurity, and Clients’ Personal Data protection.

6.11. Transfer of Personal Data abroad
OCB may transfer or grant access to Clients’ Personal Data to foreign authorities, organizations, and management entities (including partners and service providers abroad) for processing in accordance with the Processing Purposes agreed upon by Clients. In some cases, OCB’s partners or service providers located in Vietnam may use data processing device, systems situated outside Vietnam’s territory to process Personal Data on behalf of OCB. These situations are considered cross-border transfers of Clients’ Personal Data.

It is important to note that some countries may have different levels or practices regarding Personal Data protection, which could be lower or higher than those in Vietnam. In all cases of transferring Personal Data abroad, OCB will strive to implement appropriate measures to safeguard Clients' Personal Data including entering into agreements and commitments regarding data protection, selecting suitable Data Processors with clearly defined responsibilities, and ensuring that such entities maintain adequate security practices.

7. Measures to Protect Personal Data
OCB will implement appropriate Personal Data protection measures, including organizational, personnel, and technical measures as required by law to detect and prevent data leaks or breaches of Personal Data, including but not limited to:

Developing and issuing regulations on Personal Data protection, clearly outlining actions required under legal provisions.
Designating departments and personnel responsible for Personal Data protection. Recording and storing system logs related to Personal Data processing.
Conducting cybersecurity checks on systems, equipment, and tools used for Personal Data processing before processing, permanently deleting, or destroying devices containing Personal Data.
Designing security systems, access control measures, intrusion prevention, authentication, data encryption, and data backup solutions.
Implementing other measures in accordance with legal requirements.

8. Unintended consequences and damages that may occur

Please note that although OCB strives to ensure that Clients' Personal Data is protected in accordance with legal regulations, OCB cannot completely and absolutely eliminate all risks associated with Personal Data processing. The transmission of information over the Internet or OCB’s internal information systems may still carry certain risks due to force majeure events or cybersecurity incidents, such as cyberattacks, cyber terrorism, unauthorized cyber espionage, disruptions in data processing, or Personal Data leaks. In such cases, OCB will immediately take the necessary actions to prevent, remediate, and minimize any unintended damages that may arise concerning Personal Data and will cooperate with competent government authorities to address violations. Clients also acknowledge that, to the extent OCB has implemented reasonable measures to mitigate these risks, OCB shall not be held liable for damages caused by third-party actions that negatively impact Clients' Personal Data beyond OCB’s control.

9. Contact information of the data collection, management, and Client support unit
If Clients have any questions and/or requests related to this Privacy Policy or regarding their Personal Data, they may contact OCB’s branches and transaction offices nationwide or reach out through the following channels:
ORIENT COMMERCIAL JOINT STOCK BANK

Hotline (Vietnam): 1800 6678 (Toll-free, 24/7)
Hotline (International): (84) 28 7305 6678
Email: dvkh@ocb.com.vn

10. Commitment to Clients’ Personal Data security
Clients’ Personal Data at OCB is strictly protected under this Privacy Policy. The collection and use of Clients’ Personal Data are carried out only with their consent, except in cases permitted by law.

The Bank commits to:

Not using, transferring, providing, or disclosing Clients’ Personal Data to any third party (except for organizations and individuals authorized to process Clients' Personal Data as outlined in Article 3 of this Privacy Policy) without Clients’ permission or consent, except as required by laws.
In the event that OCB’s information storage servers or internal systems are compromised due to cyberattacks, leading to Clients’ Personal Data being affected, OCB will promptly report the incident to authorities for investigation and resolution while notifying the Clients.
Strictly protecting all Clients’ online transaction information, including transaction details and digitized accounting documents within the Bank’s central data system.