Skip To Main Content

Privacy

Introduction

At Saigon South International School we are committed to compliance with Vietnamese privacy laws and good practice privacy principles. This includes respecting your privacy and protecting your personal data. This privacy notice describes how we collect and use (or "process") your information in line with Vietnam’s current Personal Data Protection Law as updated under Law No. 91/2025/QH15 and its implementing regulation, Decree No. 356/2025/NĐ-CP.

What is personal data?

Personal Data means any information relating to an individual who can be identified from that information or from any other information we may hold. Personal Data may be held on paper, in a computer, or in any other media, whether it is owned by the organization or a personal device.

Personal data may be expressed in the form of symbols, text, numbers, images, sound, or similar formats in an electronic environment, and is associated with or helps identify a particular natural person. It includes both basic personal data and sensitive personal data, as defined under Vietnam’s current Personal Data Protection Law.

The term ‘data subject’ refers to the person whom the personal data is about.

Personal data we collect

We process personal data about visitors to our website; prospective, current, and past: students and their parents; staff and contractors; donors and volunteers; and other data subjects connected with or visiting our school.

The personal data we process takes different forms.

Examples include:

  • names, addresses, telephone numbers, e-mail addresses, emergency contact information
  • IP addresses, location data, and website statistics and analytics
  • students' date of birth, nationality, family details
  • admissions, academic, disciplinary and other education related records, references, examination scripts and marks
  • parents’ employment data
  • images, audio, and video recordings
  • financial information and identification documents (e.g., for financial aid assessment or for fundraising)
  • employee and former employee data including recruitment, training, performance management, payroll, and other HR information.

As a school, occasionally, we also need to process personal data which is designated as “sensitive” or “special category personal data” to facilitate our school operations and activities. Such data includes personal information regarding a data subject concerning:

  • health
  • special education needs
  • information relating to safeguarding and child protection/welfare
  • criminal records.

In the course of school business, we share personal data (including sensitive personal data, where applicable) with third parties such as examination boards, the school’s Health Office , the school’s professional advisors and relevant authorities. We may also be required to share your personal data with other organizations for legal or statutory purposes, or where we have your consent to do so.

We may also share data with the School Community Organization to facilitate parental participation. Moreover, some of our systems are managed or operated by third parties (e.g., hosted databases, school website, school calendar, school post and my school portal or cloud storage providers).

Where SSIS uses third-party service providers, SSIS requires appropriate contractual and security measures to protect personal data

How do we obtain your information?

We collect most of the personal data we process directly from the person concerned (‘the data subject’) or, often in the case of students, from their parents. In some cases, we collect data from third parties (for example, referees/references, and previous schools) or from publicly available resources.

We also collect data about you when:

  • you have expressed an interest in having a student attend our school
  • you have registered to attend (or have attended) one of our events
  • you visit our website
  • you sign up to receive email, our newsletter and/or prospectus
  • you have expressed an interest in working for, or with, us
  • you are employed by us or an organization with whom we have a business relationship.
  • you participate in school-related activities or services involving authorized third parties (e.g., after-school vendors, educational tools, health or transport providers)

How do we use your personal data?

To support our operation as an international school, we process personal data as follows (but not restricted to):

  • selecting and admitting students
  • complying with legal and regulatory requirements
  • delivering education and student support (including curriculum administration and monitoring academic progress)
  • maintaining a safe and secure environment for students, staff, and visitors
  • managing school operations (including student records, billing/fees, accounts, and school property)
  • operating CCTV and monitoring IT and communications systems in accordance with our Acceptable Use Policy administering employment matters (recruitment/engagement, payroll/benefits/leave, performance management, and HR records)
  • supporting advancement activities (including fundraising)
  • analysing website usage through analytics tools and cookies
  • promoting SSIS through our website(s), publications, communications, and social media
  • maintaining relationships with alumni and former employees
  • engaging contracted service providers to support educational, administrative, or operational activities
  • maintaining historical records of significant school events

Photography and recording at school events

SSIS may take photos, audio, and/or video at school events and public activities. SSIS will provide notice through appropriate means (for example, signage or announcements). Any external publication or sharing will be managed in accordance with applicable consents/preferences and legal requirements.

Data Subject Rights

Data Subjects have a number of rights regarding our use of their Personal Data. Some rights may be subject to conditions or legal limitations. All requests will be managed by our Data Protection Office via ssis-dpt@ssis.edu.vn:

  • Right to be informed
    • Data subjects have the right to be informed about the processing of their personal data, including the purpose, scope, and parties involved, unless otherwise provided by law.
  • Right to consent
    • Data subjects have the right to provide or withhold consent for the processing of their personal data. Consent must be freely given, informed, specific, and provided separately for each purpose. It can be withdrawn at any time without affecting prior lawful processing. Explicit consent is required for sensitive personal data. In limited circumstances permitted by Vietnamese law, SSIS may process personal data without consent (for example, to protect life or health in an emergency, to comply with legal obligations or competent authority requests, or to perform contractual arrangements). In such cases, SSIS applies appropriate internal controls to ensure the processing is lawful, necessary, and proportionate.
  • Right of access
    • Data subjects may request information about the personal data we hold, including how and why it is used, who it is shared with, and how long it is retained. They may also request a copy of their data.
  • Right to withdraw consent
    • Data subjects may withdraw their consent at any time, unless restricted by law. Withdrawal will not affect data processing already carried out under valid consent.
  • Right to delete data
    • Data subjects may request deletion of their personal data. This right may be limited where SSIS must retain data for legal, contractual, regulatory, safeguarding, or legitimate school purposes permitted by law.
  • Right to restrict data processing
    • Data subjects may request that we limit the processing of their personal data, where legally permitted. SSIS will receive and handle requests to exercise personal data rights within the timeframe required by Vietnamese law and applicable implementing guidance.
  • Right to data access and portability
    • Data subjects may request access to, and a copy of, their own personal data. Where legally applicable and technically feasible, they may also request that their data be provided in a format that supports transfer to another controller.
  • Right to object to processing
    • Data subjects may object to the processing of their personal data where legally permitted, including where processing may lead to disclosure or use beyond the original purpose, or where required for direct marketing.
  • Right to complain, initiate legal action and seek compensation
    • Data subjects have the right to file complaints, denounce violations, initiate legal proceedings, and seek compensation if their personal data rights are violated, in accordance with applicable law, unless otherwise agreed by the parties or prescribed by law.

Obligations of data subjects and principles when exercising rights

When exercising rights and using SSIS systems/services, data subjects are expected to:

  • protect their own personal data;
  • respect and protect the personal data of others;
  • provide personal data that is adequate and accurate where required by law, contract, or where they choose to provide it; and
  • comply with personal data protection laws and not use rights in a way that obstructs SSIS (or its service providers) from fulfilling lawful obligations or infringes the legitimate rights and interests of others.

Consent of the Data Subject

Data subjects have specific rights regarding the consent they give for the processing of their personal data, some of which are subject to legal conditions.

  • The consent of the data subject applies to all activities involving the processing of their personal data, unless exceptions apply under the law.
  • Consent is only valid when the data subject voluntarily and clearly understands:

a) The types of personal data to be processed

b) The purposes for processing

c) The organizations and data subjects involved in the processing

d) Their rights and obligations as a data subject

  • Consent must be explicit and clearly expressed, such as by written agreement, verbal confirmation, ticking a consent box, text message, selecting settings, or other actions that show clear intent.
  • Consent must be provided for each specific purpose. Where multiple purposes apply, SSIS will clearly list them so the data subject may consent to one or more.
  • Consent must be given in a form that can be reproduced in writing or electronically and verified.
  • Silence or failure to respond does not constitute consent.
  • Data subjects may provide partial or conditional consent. However, SSIS reserves the right to decline applications if consent limitations prevent us from effectively delivering services.
  • When processing sensitive personal data, data subjects must be explicitly informed that such data is being used.
  • Consent remains valid until withdrawn by the data subject or overridden by a competent state authority.
  • In case of dispute, the data controller (or data controller and processor) is responsible for proving that valid consent was obtained.
  • A legally authorized individual or organization may act on behalf of the data subject to manage consent-related procedures, in accordance with the Civil Code and applicable law.

Withdrawal of Consent

  • The withdrawal of consent does not affect the legality of data processing carried out before the withdrawal was made.
  • Requests to withdraw consent must be provided in a format that can be printed or reproduced in writing, including electronic or verifiable formats.
  • Upon receiving a withdrawal request, SSIS will inform the data subject of any potential consequences of the withdrawal.
  • After reviewing the request, the data controller, data processor, or relevant third parties will cease processing the affected data and notify other parties, if applicable, to do the same.

Personal data incidents

SSIS takes reasonable measures to protect personal data and to prevent, detect, and respond to personal data incidents. If SSIS detects a personal data protection violation that triggers notification obligations under Vietnamese law, SSIS will notify the competent personal data protection authority within 72 hours of detection and will take appropriate remediation steps, as required.

How do we retain and store your personal data?

All personal data is securely stored and protected using appropriate technical and organizational measures, in line with legal requirements. We retain personal data only for legitimate purposes, relying on one or more lawful bases, and only for as long as necessary to fulfill the stated purpose or as required by law.

When data is no longer required, we take steps to securely delete, anonymize, or archive it, preventing unauthorized access or recovery.

Contact us

If you have questions, requests or issues, please let us know how we can help. Our Data Protection Office can be reached at ssis-dpt@ssis.edu.vn.

Controller Details

Saigon South International School

78 Nguyễn Đức Cảnh, Tân Hưng Ward, Thành phố Hồ Chí Minh 700000