PRIVACY POLICY
NIHON M&A CENTER VIETNAM
(Pursuant to the Personal Data Protection Law and Decree 356/2025/ND-CP and related legal regulations)
Nihon M&A Center Vietnam Co., Ltd. (hereinafter referred to as “we” “us” “our” or “Our Company”) is committed to respecting personal data and protecting the privacy of all individuals. This Privacy Policy (hereinafter referred to as “Policy”) outlines how we collect and handle personal data that you may provide to us, or that we otherwise receive or collect in connection with our business.
Effective Date: 01/04/2026
ARTICLE 1. INTRODUCTION
Our Company lawfully incorporated under Vietnamese law, with head office at Vietnam Business Center Building (57-59 Ho Tung Mau Street, Sai Gon Ward, Ho Chi Minh City, Vietnam), is a member of Nihon M&A Center Holdings Group (Japan) (hereinafter referred to as “Group”). We specialize in consulting for business alliance and corporate partnership (especially M&A), business matching, and merger & acquisition transaction support services (“Services”).
ARTICLE 2. COMMITMENT TO PERSONAL DATA PROTECTION
We are committed to complying with the following principles in the processing of personal data:
(a) Your personal data is processed lawfully, fairly, and transparently, in strict compliance with applicable laws.
(b) Your personal data is collected for specific, explicit, and legitimate purposes and is not further processed in any manner incompatible with these purposes, in accordance with applicable laws.
(c) Your personal data is stored in an appropriate, relevant manner and limited to what is necessary for the purposes for which it is processed, pursuant to applicable laws.
(d) Your personal data is accurate and kept up-to-date, and we take all reasonable steps to ensure that inaccurate data, relative to the purposes for which it is processed, is erased or rectified without delay, in accordance with applicable laws.
(e) Pursuant to applicable laws, we implement appropriate technical and organizational measures to ensure the appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
(f) Furthermore, we contractually require our subcontractors (service providers, suppliers, etc.) to maintain the same level of personal data protection.
(g) We undertake to comply with all other principles required under applicable personal data protection regulations, particularly regarding the rights of data subjects and obligations related to cross-border data transfers.
ARTICLE 3. SUBJECTS AND TYPES OF PERSONAL DATA PROCESSED
3.1 Our personal data subjects include, without limitation, any individuals who interact with, access, use, or are otherwise related to our Services and related business activities, including but not limited to: users of our Services; clients and business partners; individuals involved in consulting services and business collaborations; participants in seminars, events, training sessions, and information exchange meetings; our job applicants, candidates, and employees; and the chairperson of, the member of the members’ council, or the director or general director of Our Company, or the any person holding any other managerial position prescribed in Our Company’s charter (each, hereinafter referred to as a “Director”); and any individual holding part or all of the charter capital of Our Company (each, hereinafter referred to as a “Member”).
3.2. The types of personal data Our Company may collect and process in the process of provision of our Services and related business activities, including consulting services and business collaborations, holding seminars, events, and information exchange meetings include:
(a) Name and other identifying information (such as your address, email address and telephone number);
(b) Company name, address, job title and role;
(c) Your communications with us (whether by telephone, in writing, via email or other electronic means);
(d) Other pertinent information necessary for providing our Services
3.3. The types of personal data Our Company may collect and process during the recruitment process from candidates and employees include:
(a) Name and other identifying information (such as your address, email address and telephone number); and
(b) Your date of birth, details regarding your gender, photographs of you, and other information described in your CV or otherwise submitted to us.
3.4 The types of personal data Our Company may collect and process from Directors and Members include:
(a) Name and other identifying information (such as your address, email address and telephone number); and
(b) Professional details (such as rights and obligations, position, management role, capital contribution details)
3.5 We may also collect and process certain information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, your payment information such as payment information of credit or debit card or other information which can be considered as “sensitive personal data” pursuant to Personal Data Protection Law and Decree 356/2025/ND-CP. Subject to your express consent, we may collect, use and share your special categories of sensitive data with third parties for the purposes described in Article 4 below.
3.6. In case when you have discovered that your personal data has been disclosed to Our Company by a third party without your consent or is not in accordance with the content that you have agreed to, please notify us in time at the contact information as stated below in Article 12.
ARTICLE 4. PURPOSE OF PROCESSING PERSONAL DATA
4.1. We will process your personal data for the following purposes:
(a) Execution of Services related to M&A intermediation and advisory, business valuation, and management consulting undertaken by Our Company and our group, as well as ancillary services connected to these.
(b) Handling consultations, receiving applications, sending materials, responding to inquiries, and maintaining communications related to the Services, including seminars and other projects organized or supported by Our Company and our group.
(c) Administration of contract execution and termination, as well as post-merger management following the completion of transactions by Our Company and our group.
(d) Ensuring the appropriate and efficient provision of the Services.
(e) Supporting group-wide business management operations, including risk identification and management.
4.2. We will process the personal data from Employees, and applicants for the purpose of recruitment and selection activities conducted by Our Company and our group, business and employment management including communication with officers, employees, applicants, and retirees (including informal employment offers).
4.3 In addition, we will process the personal data from Directors, Members for the following purposes:
(a) Business and employment management including communication with Directors.
(b) Administration of Member records, exercise of rights, and fulfillment of obligations under the Enterprise Law and other relevant laws.
(c) Provision of benefits associated with Member status.
(d) Implementation of measures to strengthen Member relations.
(e) Responding to Member inquiries.
(f) Supporting appropriate business management operations of our group.
ARTICLE 5. LEGAL BASIS OF THE PROCESSING OF YOUR PERSONAL DATA
Our Company processes your personal data in compliance with Vietnam’s Law on Personal Data Protection (91/2025/QH15) and Decree 356/2025/ND-CP. Our Company processes personal data on the following legal bases:
5.1. Your explicit consent. The consent must be given prior to processing for each specific purpose in a verifiable written or electronic form, and must be withdrawable at any time in accordance with Article 9 below. In such case, be aware that the withdrawal of your consent shall not affect the lawfulness of based on your consent before the withdrawal.
5.2. The necessity to perform contracts or to take steps at your request prior to entering into a contract (such as M&A advisory agreements, due diligence, and transaction execution).
5.3 Compliance with applicable legal obligations in accordance with Vietnamese laws.
5.4. The pursuit of our legitimate rights and interests.
ARTICLE 6. HOW TO PROCESS PERSONAL DATA
Our Company will process your personal data through the following methods and/or any other personal data processing methods that we deem lawful and necessary:
6.1. Collection of personal data: We may obtain your personal data directly through legal and fair means from you or alternatively from third parties, such as through a service provider of Our Company.
6.2. Storage of personal data: We store personal data that we collect from you in documents kept in Our Company, and/or the computer network managed or used by Our Company. Each individual’s data will be stored separately for each person and is classified, listed, or summarized as required for the purpose set out in Article 4 of this Policy. As a result, personally identifiable data collected will be kept confidential.
6.3. Sharing and providing personal data to third parties: We do not disclose or provide personal data to any third parties without your prior consent, except as required by law. In necessary cases, we may share or provide your personal data with the following categories of recipients:
(a) Group’s head quarter and Group’s and affiliates’ other overseas offices
(b) Third parties who process your personal data on our behalf, such as service providers of HR-related products and services, including those hosted in the cloud; and
(c) Law enforcement agencies, regulatory bodies and other related parties, to the extent necessary for us to comply with applicable laws and regulations.
6.4. Personal data processing without your consent: In accordance with the Personal Data Protection Law and related legal regulations, we will not need your consent when processing your personal data in the following cases:
(a) In an emergency, the relevant personal data may be immediately processed to protect the life and health of the data subject or to protect the life and health of others;
(b) The personal data is disclosed in accordance with the law;
(c) Competent state agencies process personal data in the event of an emergency on national defense, national security, social order and safety, major disasters, or dangerous epidemics; when there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; to prevent and combat riots and terrorism, to prevent and combat crimes and law violations according to the provisions of law;
(d) To perform your contractual obligations towards us or related organizations and individuals; and
(e) Serving the activities of state agencies as prescribed by specialized laws.
6.5. Cross-border personal data transfer: To process your personal data in line with the purposes as listed in Article 4 of this Policy, your personal data may be transferred to, accessed from or stored in countries outside Vietnam, including countries with different data protection laws. For example, we may transfer your personal data with our Group’s and affiliates’ overseas offices located in countries such as Japan, Singapore, Malaysia, Thailand, Indonesia and South Korea. In such circumstances, we will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Policy and as required by the applicable laws. For more information, please contact us using the details in Article 12 below.
6.6. Collection and processing of Sensitive personal data shall only be carried out with your explicit consent. Before obtaining such consent, we will expressly notify you of the sensitive nature of the personal data to be processed.
6.7. Accuracy of your personal data: If there is any change to your personal data that you have provided to Our Company, you need to immediately notify us. We will update or provide suitable methods so that you can edit, update or delete/destroy your personal data. In this necessary case, please contact us using the details in Article 12 below. Please note that in cases where personal data are mandatorily processed according to laws, your requests on deleting/destroying personal data may not be satisfied.
ARTICLE 7. CONSEQUENCES, UNWANTED DAMAGE
7.1. The incident of disclosure, data loss, unauthorized data processing by Our Company may occur due to objective reasons (e.g. system failure, hackers) although we strive to protect your personal data to the highest degree in the process of processing personal data.
7.2. Therefore, we always work closely with the competent state agencies to overcome and minimize these behaviors, and will notify you as soon as possible after the incident occurs.
ARTICLE 8. TIME OF COMMENCEMENT AND TERMINATION OF DATA PROCESSING
8.1. Your personal data will be processed from the moment it is obtained by Our Company.
8.2. We will only keep your personal data for as long as is necessary for the purposes set forth in this Policy or until we receive your legitimate request to terminate processing. We may retain your data for a longer period if required by applicable laws or if necessary to address potential legal claims, where the data is needed to assert or defend against claims that are not yet time-barred.
8.3 In cases where a candidate is not selected for employment, we shall delete or destroy all provided candidate information, unless otherwise agreed with the candidate. Furthermore, upon termination of the employment contract, we shall delete or destroy the employee’s personal data, except where otherwise agreed with employees or required by applicable law.
ARTICLE 9. RIGHTS OF DATA SUBJECTS
9.1. As a personal data subject, you will have the following rights:
(a) Right to know: you are informed about the processing of your personal data, unless otherwise provided by law.
(b) Right to give consent: you have the right to consent or not to consent to the processing of your personal data, except where the processing of personal data is carried out without the consent of the data subject as required by law.
(c) Right to access: you have the right to access to view, edit or request correction of your personal data in our database as required by law and our instructions.
(d) Right to withdraw consent: you have the right to withdraw your consent at any time. However, the withdrawal of consent will not affect the lawfulness of the processing of personal data based on your consent before the withdrawal of consent.
(e) Right to delete personal data: you have the right to request the deletion of your personal data, unless otherwise provided by law.
(f) Right to obtain restriction on data processing: you have the right to request the restriction of the processing of your personal data, unless otherwise provided by law. However, the restriction of data processing will not affect the lawfulness of the processing based on your consent before you made the request for restriction of data processing.
(g) Right to obtain personal data: you have the right to request Our Company to provide you with your personal data in accordance with the provisions of law and in accordance with our instructions.
(h) Right to object to data processing: you have the right to object to Our Company processing your personal data in order to prevent or limit the disclosure of personal data or use for advertising and marketing purposes without your consent.
(i) Right to file complaints, denunciations and lawsuits: you have the right to complain, denounce, or sue in accordance with the provisions of law.
(j) Right to claim damage: you have the right to request compensation for damages in accordance with the provisions of law when there is a violation on the protection of your personal data, unless otherwise agreed by the parties or otherwise provided by law.
(k) Right to self-defense: you have the right to self-defense in accordance with the provisions of law.
9.2. To invoke the rights mentioned above, please contact us using the details in Article 12 below. Our data protection department will respond within 2 working days and settle your request or notification at the soonest possible.
ARTICLE 10. TECHNICAL MEASURES FOR PROTECTING PERSONAL INFORMATION.
To secure the safety of personal data from a loss, theft, leak, falsification, or damage, Our Company may take the following technical, managerial, physical measures as:
10.1. The important personal data is stored and managed in password protected mode within the limited access.
10.2 Transfers of sensitive personal data shall incorporate physical security measures for storage and transmission devices, data encryption, pseudonymization, and other appropriate safeguards throughout the transfer process.
10.3. Given the risk of hacking, likelihood and severity of damage to the rights and freedoms of natural persons, we undertake:
(a) To prevent your personal data from leakage or damage by hacking or computer virus.
(b) To control the access suspension system, unauthorized accesses from outside.
(c) To take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the pseudonymization and encryption of personal data.
(d) To ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(e) To restore the availability and right to access to personal data in a timely manner in the event of a physical or technical incident;
(f) To ensure a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures with a view to ensuring the security of the data processing
(g) To operate an exclusive organization for protecting personal data.
ARTICLE 11. COMMUNICATION WITH YOU AND NOTIFICATION TO THE LOCAL AUTHORITY IN CASE OF A BREACH OF YOUR PERSONAL DATA
We will notify you immediately after we are aware that your personal data is breached, and to the local authority in accordance with the applicable laws. This notification about your personal data breach will describe in clear with plain language the nature of the personal data breach and contain at least the following information and measures:
(a) Name and contact details of the data protection officer or other contact point where more information can be obtained;
(b) Description of the likely consequences of the personal data breach.
(c) Description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
ARTICLE 12. THE DATA PROTECTION OFFICER.
In order to ensure the security of your personal data and to protect your rights and freedoms, we have appointed the following Data Protection Officers:
Name: Hiromitsu Watanabe
Address: Unit 901, Floor 9, Vietnam Business Center, No.57-59 Ho Tung Mau Street, Saigon Ward, District 1, Ho Chi Minh City
Email: inquiry_vietnam@nihon-ma.co.jp
ARTICLE 13. THE EFFECTIVENESS OF THIS POLICY
This Policy shall take effective as of 01/04/ 2026.
We guarantee that the protection for personal data is implemented comprehensively and our data protection officers comply with this Policy.
We reserve the right to amend this Policy from time to time if necessary. Any amendments to this Policy shall be posted on our website.
