Privacy and Personal Data Protection Policy

How the Environmental Incident Information Portal collects, uses, protects and limits public disclosure of personal data during WebGIS operation.

Types of Data That May Be Processed

Account data: username, full name, role, permission scope, display theme and language preferences.
Login and security data: login time, login result, IP address, user-agent, session identifier and activity logs.
Location data actively entered by users, selected on the map or shared through browser geolocation permission to find nearest stations, view weather or calculate routes.
Operational contact data in the internal area: assigned personnel, customers, facility contacts, phone numbers, email addresses, incident records and operational notes.

Personnel, supplies, customer, environmental risk point and incident-record data are designed to be displayed after login according to user permissions, and are not public by default.

Purposes of Processing

Authenticate users, authorize access and protect the administration area.
Record activity history for data-change traceability, abuse prevention and internal review.
Support map functions such as locating positions, finding nearest stations, viewing hydro-meteorological data, simulation and response-map preparation.
Manage environmental incident prevention, response, recovery and customer-support activities within assigned operational scope.

Legal Basis and Data Protection Principles

Personal data processing should comply with Vietnam Personal Data Protection Law No. 91/2025/QH15, effective from 01 January 2026, and Decree No. 356/2025/ND-CP detailing a number of articles and implementation measures of the Personal Data Protection Law.

The system collects data only within the scope necessary for operation, security, operational management and environmental incident response support.

Rights of Data Subjects

Within the applicable legal framework and internal operating rules, individuals whose data is stored in the system may request to be informed, access, correct, restrict processing of or request deletion of data that is no longer necessary, except where retention is required for system security, operational audit trails, contract performance, legal obligations or requests from competent authorities.

Requests related to personal data should be sent to the operator with appropriate identification information so that request authority can be verified before processing.

Data Sharing and Third-Party Services

The website may call map, routing, hydro-meteorological or open-data services to support display and analysis. When users use these functions, queried coordinates or minimum technical information may be sent to the relevant service.

The operator does not sell users personal data. Data is provided to third parties only when necessary for technical operation, internal authorization, a valid arrangement or a request from a competent authority.

Updated: 12/06/2026. The contents on this page are published for website operation transparency and system-use principles; they do not replace legal advice or documents issued by competent state authorities.