These terms apply and bind the Subscriber, as Controller, that either occasionally and for limited services or with a durable agreement has business with Chen Sea Resort & Spa, as Processor. All the definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation to which to refer.

Data Processing Terms: in the course of providing the services in the interest of the Controller, the data processor may process personal data on behalf of the Controller. The parties agree to comply with the following provisions with respect to any personal data processed.
Processing of Controller Personal Data: Processor only process Controller personal data for the purposes in the interest of the Controller. The Processor shall not process, transfer, modify, amend or alter the Controller data or disclose or permit the disclosure of the Controller data to any third party other than in accordance with Controller’s documented instructions. The Processor shall inform the Controller of that legal requirement before processing the personal data and comply with the Controller’s instructions to minimize, as much as possible, the scope of the disclosure.

Reliability and Non–Disclosure: Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller personal data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Controller Personal Data.

The Processor must ensure that all individuals which have a duty to process controller personal data are informed of the confidential nature of the Controller Personal Data and are aware of Processor’s obligations, are subject to confidentiality undertakings, are subject to user authentication and log-in processes when accessing the Controller Personal Data.

Personal Data Security: taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of Controller Personal Data security appropriate to the risk (i.e. pseudonymization and encryption, thee ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident).

Sub-Processing: Controller hereby authorises the Processor to engage the Sub-Processors. In order to do so, the Processor shall provide the Controller with full details of the Processing to be undertaken by each Sub-processor, carry out adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for Controller Personal Data, include terms in the relationship between the Processor and each Sub-processor which are the same as those set out hereby, remain fully liable to the Controller for any failure by each Sub-Processor to fulfil its obligations in relation to the Processing of any Controller Personal Data.

Data Subject Rights: Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights as laid down in EU GDPR.
The Processor shall: 1) promptly notify the Controller if it receives a request from a Data Subject, the Supervisory Authority and/or other competent authority 2) cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a Data and comply with any assessment, enquiry, notice or investigation 3) provide assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by the Data Protection Laws 4) implement any additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.

Personal Data Breach: Processor shall notify the Controller without undue delay and, in any case, within twenty-four (24) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. The Processor will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach (nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned, the name and contact details of the Processor’s Data Protection Officer, Privacy Officer or other relevant contact from whom more information may be obtained, the estimated risk and the likely consequences of the Personal Data Breach, the measures taken or proposed to be taken to address the Personal Data Breach).

Erasure or return of Controller Personal Data: Processor shall promptly and, in any event, within 90 (ninety) calendar days of the earlier of: (i) cessation of Processing of Controller Personal Data by Processor; or (ii) termination of the agreement, at the choice of Controller (such choice to be notified to Processor in writing) either: 1) return a complete copy of all Controller Personal Data to the Controller by secure file transfer and securely erase all other copies of Controller Personal Data Processed by the Processor; or 2) securely wipe all copies of Controller Personal Data Processed by Processor or any Authorised Sub-processor.

Processor may retain Controller Personal Data to the extent required by local law, and only to the extent and for such period as required by law, and always provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Union or Member State law requiring its storage and for no other purpose.

Audit rights: Processor shall make available to the Controller, upon request, all information necessary to demonstrate compliance with these terms and allow for, and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller of any premises where the Processing of Controller Personal Data takes place.

International Transfers of Controller Personal Data: Processor shall not process Controller Personal Data nor permit any Authorised Sub-processor to process the Controller Personal Data in a Third Country, unless authorized by Controller in advance.

General Terms: Controller shall terminate automatically upon termination of the principal agreement (if any) or expiry or termination of all service contracts entered into by the Processor, pursuant to the principal agreement (if any), whichever is later. These terms shall be governed by the governing law of Vietnam. Any breach of these terms shall constitute a material breach of the principal agreement (if any). With regard to the subject matter of these Terms in the event of inconsistencies between the provisions of this agreement and any other agreements between the parties, the provisions of these terms shall prevail with regard to the parties’ data protection obligations for Personal Data. Should any provision of these terms be invalid or unenforceable, then the remainder shall remain valid and in force.