Privacy Policy | Green SM

The controller of your personal data is: Green and Smart Mobility Netherlands BV Basisweg 32, Amsterdam, 1043 AP The Netherlands Chamber of Commerce (KvK): 99996901 If you have any question, request or complaint about this notice or the way we handle your personal data, please contact us at the e-mail address: td-gsm@gsm.net.vn

This notice applies to personal data we collect about you when you: • register for the Event through our online registration page, partner platform or QR-code registration form; • attend the Event at the venue or in a virtual / hybrid format, including data captured by event hosts, recruiters, marketing staff and partner staff acting on our behalf; • are photographed, filmed or recorded as part of branded photo, video or audio capture at the Event; • interact with our stand, sign-up tablets, QR codes, business-card bowls, lead-capture devices, games or marketing surveys at the Event; • express interest in working for GSM, becoming a driver, partnering with GSM or in receiving further information from us.

Depending on the type of event and how you interact with us, we may process the following categories of personal data. Categories that are not relevant to a given event will not be collected. 3.1 Identification and contact data • first name, last name; • e-mail address; • mobile phone number; • postal code / city of residence; • language preference; • confirmation that you are at least 18 years old 3.2 Recruitment data (only at recruitment events) • indication of the role(s) you are interested in (driver, operations, office, other); • for driver events: whether you hold a valid Dutch (or EU) driving licence (B), a Dutch taxi driver permit (chauffeurskaart) and/or a Certificate of Conduct (VOG); years of professional driving experience; availability; • for office / corporate roles: indication of professional background, years of experience and area of interest; • CV or résumé, if voluntarily submitted at the Event. 3.3 Photo, video and audio recordings • photographs taken by our official photographer at the Event; • video recordings (including b-roll and short interview clips, where you opt-in); • audio recordings (only where you actively participate in an on-stage Q&A, panel or interview and have been informed in advance). Photography and filming will be visibly signposted at the venue. Designated “no-photo” zones are available; attendees who do not wish to be photographed may also collect a visible “no-photo” wristband / sticker at the welcome desk. We will use reasonable efforts to exclude wristband-wearers from published images. 3.4 Marketing preferences and interaction data • your consent (or refusal) to receive marketing communications from GSM by e-mail, SMS or social media; • topics of interest you select (e.g. driver opportunities, brand launch, EV updates, app release); • survey answers and feedback you provide at the Event; • QR-scan and lead-capture metadata (e.g. stand visited, time of scan, badge ID). 3.5 We do NOT intentionally process special-category data We do not ask for, and ask attendees not to volunteer, special-category data (Article 9 GDPR) such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, sex life or sexual orientation, or biometric data used to uniquely identify you. If you accidentally provide such data (for example in a free-text field), we will delete it.

In most cases, we collect personal data directly from you (registration form, welcome desk, recruitment booth, marketing surveys, photographer / videographer). Where our external event or marketing agency, or another contracted vendor, collects data on our behalf at the Event, they act as our processor and pass the data to us under a Data Processing Agreement. Where you register through a partner platform (e.g. an external recruitment fair organiser or industry event organiser), we may also receive your registration data from that organiser; in that case the joint or independent controllership arrangement will be described on the partner platform.

Article 6(1) GDPR requires us to identify a legal basis for each processing purpose. The table below sets out our purposes and bases.

Purpose	Categories of data	Legal basis
Registering and admitting you to the Event; logistics; capacity / crowd control; health and safety; emergency contact during the Event.	Identification & contact data; age confirmation.	Art. 6(1)(b) GDPR: performance of (pre-contractual) attendance arrangements; Art. 6(1)(f): legitimate interest in safe and orderly event operations.
Following up with you about recruitment opportunities (driver, office or other roles) – assessing your interest, contacting you about open roles, inviting you to a screening interview, and – where on-site recruitment is enabled – starting a formal application.	Identification & contact data; recruitment data; if applicable, CV / supporting documents.	Art. 6(1)(b) GDPR: pre-contractual steps at your request; or Art. 6(1)(a): consent, where you tick the recruitment follow-up box.
Sending you marketing communications about GSM’s services, brand launch, EV programme, app and offers.	Identification & contact data; marketing preferences; interaction data.	Art. 6(1)(a) GDPR: your consent (freely given, specific, informed and unambiguous), withdrawable at any time.
Photography, video and audio capture at the Event, and subsequent publication on GSM websites, social-media channels, press, brochures and other branded materials.	Image and audio recordings.	Art. 6(1)(f) GDPR: legitimate interest in promoting our brand and events; balanced against your reasonable expectations through clear signage, no-photo zones and an unconditional right to object. For close-up portraits, identifiable testimonials and interview footage: Art. 6(1)(a): your consent at the moment of recording.
Event analytics: measuring attendance numbers, engagement, dwell time, channel effectiveness, and improving future events.	Aggregated and pseudonymised interaction data; coarse demographics (city, language).	Art. 6(1)(f) GDPR: legitimate interest in evaluating and improving our marketing.
Complying with legal obligations (tax, accounting, taxi-licensing, responding to lawful requests from competent authorities, defending against legal claims).	Any category, as relevant.	Art. 6(1)(c) GDPR: legal obligation; and / or Art. 6(1)(f): legitimate interest in establishing, exercising or defending legal claims.

Where we rely on legitimate interest (Article 6(1)(f) GDPR), we have carried out a balancing test. You have the right to object to such processing at any time (see Section 9).

We share personal data only with parties that have a clear need to receive it. Categories of recipients include: • GSM group entities: other entities within the Vingroup / Green and Smart Mobility group (including, where relevant, entities outside the EEA such as in Vietnam), where access is required for centralised recruitment, marketing-campaign management, brand governance, group reporting and IT support. Intra-group sharing is governed by an Intra-Group Data Sharing Agreement and / or Standard Contractual Clauses. • External event and marketing agencies (such as Fixers or other vendors specified in the event configuration sheet) acting as our processor under a Data Processing Agreement compliant with Article 28 GDPR. • Other processors: cloud-hosting providers, e-mail marketing platforms, CRM platforms, survey tools, photographers / videographers, and printers – each engaged under a Data Processing Agreement. • Professional advisors: lawyers, auditors and insurers, where strictly necessary. • Public authorities and courts: where we are required to do so by law or to defend our rights. We do not sell your personal data and we do not share your personal data with third parties for their own marketing purposes.

Some of our group entities and processors are located outside the European Economic Area (“EEA”), including in Vietnam. Where personal data is transferred outside the EEA, we ensure that an adequate level of protection is in place by relying on one or more of the following safeguards under Chapter V GDPR: • an adequacy decision of the European Commission for the destination country, where one exists; or • the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), supplemented by a Transfer Impact Assessment and – where appropriate – additional technical, organisational and contractual measures; or • any other safeguard recognised under Article 46 GDPR. You may request information about the relevant safeguards by contacting us at the e-mail address in Section 1.

We keep personal data only for as long as necessary for the purposes set out in Section 5. Standard retention defaults are: • Registration data and on-site contact data: 30 days after the Event, unless you have given a separate consent for marketing or expressed interest in a recruitment role. • Recruitment leads (expression of interest): 4 weeks after the recruitment campaign is closed, or up to 1 year with your separate consent (in line with NVP / Dutch recruitment guidelines). • Formal recruitment applications (CV, supporting documents) where on-site recruitment is enabled: handled under our Recruitment Privacy Notice. • Marketing contact data: until you withdraw your consent or unsubscribe, and in any event no longer than 24 months of inactivity. • Photographs and videos used in campaigns: campaign duration + 12 months archive; brand-archival materials may be retained for longer where editorially justified. • Raw, unselected event footage / contact sheets: 30 days, then deleted. • Data needed for legal, accounting or tax reasons, or to defend against claims: for the duration of the applicable statutory retention period (typically up to 7 years for tax / accounting; 5 years for civil claims under Dutch law). Where the event configuration sheet (Section 0) specifies different retention periods for a specific event, those override the defaults above. After the retention period, we either delete or irreversibly anonymise the personal data.

Under the GDPR you have the following rights, which you can exercise free of charge at any time: • right of access (Art. 15 GDPR); • right to rectification of inaccurate or incomplete data (Art. 16 GDPR); • right to erasure / “to be forgotten” (Art. 17 GDPR); • right to restriction of processing (Art. 18 GDPR); • right to data portability for data you provided to us under consent or contract (Art. 20 GDPR); • right to object to processing based on legitimate interest, including direct marketing (Art. 21 GDPR). For direct marketing, your objection is absolute and will always be honoured; • right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal (Art. 7(3) GDPR); • right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Art. 22 GDPR). We do not carry out such automated decision-making at our events; • right to lodge a complaint with a supervisory authority. In the Netherlands this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Postbus 93374, 2509 AJ Den Haag, https://autoriteitpersoonsgegevens.nl. You may also complain to the supervisory authority of your habitual residence or place of work in another EU / EEA Member State. To exercise any of these rights, please contact us at td-gsm@gsm.net.vn. We may ask for reasonable information to verify your identity. We will respond within one month, extendable by two further months for complex requests.

Photography and filming will be signposted at all entry points and inside the venue. If you do not wish to be photographed or filmed: • pick up a visible “no-photo” wristband or sticker at the welcome desk – our photographer and videographer will use reasonable efforts to exclude wristband-wearers from images; • stay in the designated “no-photo” zone; or • tell any photographer, videographer or member of staff that you do not consent. If you appear in published material despite having opted out, or you change your mind after the Event, contact us at td-gsm@gsm.net.vn and we will, without undue delay, remove or blur your image in materials still under our control. We cannot guarantee removal of images already published by third parties (e.g. journalists, social-media users) but we will use reasonable efforts to request take-down where appropriate. For close-up portraits, named testimonials and interview footage, we will only record and publish your image / voice after we have obtained your specific, informed consent at the moment of recording.

We implement appropriate technical and organisational measures (Art. 32 GDPR) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include access controls, encryption in transit, segregation of duties, vendor due diligence and incident-response procedures.

Most GSM events are intended for adults only (18+). Where this is the case, the registration form will require you to confirm you are at least 18 years old, and we will not knowingly collect personal data from minors. Where an event is open to minors, an additional minor-protection module will be added to this notice and, where applicable, parental / guardian consent will be obtained under Art. 8 GDPR.

Our online registration page uses strictly necessary cookies and, with your consent, analytics and marketing cookies. Detailed information is available in our Cookie Notice at [URL]. You can change your cookie preferences at any time via the cookie-preferences link in the footer of our website.

We may update this notice from time to time. The version date is shown at the top of this document. Material changes that affect you will be communicated by e-mail or by a clear notice on our website.