Privacy Notice

Welcome to our Privacy Notice page. We want to provide clarity and assurance to Users about how we collect, use, and protect User information and Personal Data. By reading this Privacy Notice, we hope that Users will feel calm and confident that the security of their Personal Data and User privacy are our top priorities.

In this Privacy Notice, the use of the terms (i) “we” or “PT BKI” refers to PT Biro Klasifikasi Indonesia (Persero), a State-Owned Enterprise established under the laws of the Republic of Indonesia and engaged in the field of TIC (Testing, Inspection and Certification); (ii) The term “User” refers to each individual owner of Personal Data (data subject) who has and/or will use our products and/or services, visitors and users of our website/application/electronic system, and any third party to which this Privacy Notice applies; (iii) The term “Business Group” refers to all affiliated Companies that are in one group due to the direct or indirect ownership and/or control of PT Biro Klasifikasi Indonesia (Persero) (the relationship between the parent Company, subsidiaries and other affiliates); (iv) The term “Personal Data” refers to data about Users that are identified or identifiable individually or in combination with other information either directly or indirectly through electronic or non-electronic systems as referred to in the Applicable Regulations; (v) “Applicable Regulations” refers to the Indonesian Law No. 27 of 2022 concerning Personal Data Protection and other relevant applicable laws and regulations, including amendments from time to time; (vi) Processing refers to the act of obtaining, collecting, processing, analyzing, storing, correcting, updating, displaying, announcing, transferring, disseminating, disclosing, deleting and/or destroying User Personal Data.

The Personal Data that we process is Personal Data that Users have provided and will provide to us, which also includes Personal Data as written in the Personal Data Acquisition and Collection section of this Privacy Notice to provide TIC products and/or services that Users request, including to establish our agreements or legal obligations regarding laws and regulations, when Users visit, access, and/or use our products and/or services, including our websites/applications/electronic systems in connection with the use of our products and/or services.

By using our Services, Users declare that they have read, know and understand the entire contents of this Privacy Notice, and also state that the User is a legitimate party and is authorized to provide User Personal Data to PT BKI through our Service channels. We may change, remove, and/or update our Privacy Notice from time to time if necessary. If the changes, removals, and/or updates are changes to information that are required to be notified to Users based on applicable Regulations, we will use reasonable efforts to notify Users in advance through our official channels. We advise Users to read this Privacy Notice together with our Terms and Conditions of Service, as these documents may contain specific Service information on how to process the User Personal Data. The version of our Privacy Notice displayed on our website/application/electronic system is an update to all previous versions of our Privacy Notice, therefore we encourage Users to check the Privacy Notice on our website/application/electronic system from time to time.

It is important for Users to know the categories and types of User Personal Data that can be processed. These types of data include:

• Personal profile identification data, which can be in the form of full name, Population Identification Number, Taxpayer Identification Number, immigration documents, gender, citizenship, place and date of birth, mother's maiden name, alias/nickname, religion, voice recording, image recording, photo, signature form (wet and/or electronic), and/or biometric data.
• Correspondence data, which can be in the form of an address according to the Population Identity Card, address and domicile status, electronic mail address (e-mail), telephone/mobile phone number, and emergency contact including name, type of relationship with the User, address, telephone/mobile phone number, and e-mail.
• Education and/or employment data, which can be in the form of education level, type of work, field of business, position, division, year of starting work/business, name of Company/Agency where work is done, address of work, employment status, and name, position, and telephone number of co-workers.
• Family data, which can be marital status, spouse's name, number of children, and number of dependents.
• Financial data, which can be account number, source of income, monthly/annual income, monthly/annual expenditure, transaction data, credit/financing data, investment-related data, asset-related data, collateral-related data, and tax data as well as service data from other financial services that the User receives.
• Digital activity data, which can be geolocation, IP/MAC Address, User activity in our application, and application interaction with other applications on the User's electronic device; and/or
• Personal data, which can be health data information, legal violations, communication preferences, hobbies, and interests.

In order to support us in providing the best service to our Users, we will collect User Personal Data from various sources, including the following:

1. From Users directly.
2. Information about Users generated when Users apply for service, using our services, or have had previous services.
3. Personal Data from business groups and/or other third parties who are partners of PT BKI or have collaborated with PT BKI.
4. Cookies, location services, User IP addresses when Users visit our website/application/electronic system, or when Users fill out our contact form on our website/application/electronic system, or data permitted by Users to be accessed via User devices.
5. From correspondence between Users and PT BKI via e-mail, physical mail delivery, or official PT BKI correspondence/communication media; and/or
6. From survey data notified to PT BKI.

Our processing of User Personal Data is carried out including for the following purposes:

1. To provide, design and/or develop services, facilities, products or services, including assisting PT BKI in analyzing how services are used, responding to inquiries, or notifying Users if there are changes to service.
2. For profiling and scoring activities for automated decision-making on Users to improve services for Users and PT BKI risk management.
3. For marketing purposes, namely offering products or services, including special offers, promotions, contests or information that may be of interest to Users. Such marketing messages may be sent to Users by PT BKI and/or Business Partners in various ways including via physical mail, electronic mail, short message services, telephone, facsimile, correspondence and other official PT BKI information delivery media in accordance with and subject to applicable laws and regulations.
4. For the purposes of implementing PT BKI's business operations involving consultation with professional advisors or external auditors of PT BKI, including legal advisors, financial advisors, and consultants, Business Group Companies, and any party bound by an obligation to maintain confidentiality with PT BKI. In this regard, PT BKI will use its best efforts to ensure that the parties mentioned pay attention to this Privacy Notice.
5. To fulfill the requirements of the know your customer principle, risk mitigation efforts, and the implementation of verification/authentication of the truth of User data, as required by applicable laws and regulations.
6. To comply with regulations or legal requirements, including for the implementation of PT BKI's business administration, reporting to regulators, or inspections by authorized parties, which are carried out in accordance with applicable laws in Indonesia.
7. To conduct research and statistical analysis including the use of new technology.
8. For other purposes in accordance with PT BKI's internal policies and provisions, or in accordance with the terms and conditions governing the relationship between PT BKI and Users, which are carried out in accordance with applicable laws and regulations.

Personal Data Processing will only be carried out by PT BKI as long as PT BKI has fulfilled one or more of the following processing bases:

1. PT BKI has explicitly and legally obtained consent from the User.
2. PT BKI exercises its rights and obligations based on an agreement with the User.
3. PT BKI needs to exercise authority or fulfill obligations based on applicable laws and regulations or orders from authorized agencies.
4. PT BKI needs to fulfill the vital interests of the User.
5. PT BKI needs to carry out duties in the context of public interest and/or public services.
6. PT BKI needs to fulfill other legitimate interests, while still paying attention to the balance between PT BKI's interests and the rights of the User.

PT BKI is committed to storing and managing User Personal Data with the best protection for as long as it is necessary to provide our services. We will process User Personal Data as long as the User is a customer or user of our services. Furthermore, User Personal Data will be stored for a period of 5 (five) years after the end of the working relationship with the User or for a longer period as long as such storage is required or required by applicable regulations ("Retention Period").

PT BKI may delete and/or destroy User Personal Data from our system so that the Personal Data no longer identifies the User, except in the case of:

• If it is necessary to store Personal Data to fulfill legal obligations, future evidence, tax, audit, and accounting purposes; and/or
• If the Personal Data is still within the retention period based on applicable laws and regulations.

When destroying Personal Data, we will take reasonable standard measures to destroy, erase, and make the Personal Data practically unrecoverable. The specific method of destruction will depend on the Personal Data being destroyed, how the Personal Data was collected and stored.

If necessary, we may share User personal information among Business Group, and/or third parties who cooperate with us and/or the Business Group in the context of implementing PT BKI's business activities ("Business Partners"), for the purposes set out in the Personal Data Use Section. We may also forward User Personal Data to financial supervisory institutions, legal entities, authorities or the Government in accordance with applicable laws and regulations.

For the purposes of Personal Data Processing as we have mentioned in the Personal Data Use section, we may process User Personal Data outside Indonesia. By implementing the transfer of User Personal Data outside Indonesia, we will ensure that the destination country of the transfer has a level of Personal Data protection that is equivalent to or higher than the protection of Personal Data in Indonesia. In the event that the destination country of the transfer does not have a level of Personal Data protection that is equivalent to or higher, then we will implement adequate and binding Personal Data protection (such as entering into a contract with the recipient of the transfer of User Personal Data and/or provisions and/or written instruments), or if it is still not met, PT BKI may still transfer Personal Data outside Indonesia based on the consent of the User.

PT BKI has implemented Personal Data protection that is reviewed periodically from time to time to ensure the security of User Personal Data and ensure that Users can obtain their rights as Personal Data Subjects in accordance with applicable regulations. If Users require details of Personal Data protection, we can provide them upon request. Please note that the transfer of Personal Data outside Indonesia is not completely secure. Although we have made our best efforts to protect User Personal Data, there is still a possibility that the transfer process will be subject to interference from parties who are not legally interested. In transferring Personal Data outside Indonesia, PT BKI will try to the best of its ability to carry out the transfer process of User Personal Data supported by a proper, reliable, and secure electronic system to protect the User's privacy rights to Personal Data.

PT BKI is committed to ensuring that User information or Personal Data obtained through PT BKI services remains secure during Personal Data Processing (and during the Retention Period). In implementing this commitment, PT BKI has implemented procedures and uses electronic systems equipped with adequate levels of security as required by Applicable Regulations, including limiting that access to User Personal Data can only be carried out by parties who have the authority based on the need to know, parties who process User Personal Data will only do so in a manner that is permitted and required to maintain the confidentiality of User information or Personal Data, have a special section related to protecting the security of User Personal Data, and other security efforts required by Applicable Regulations.

In the event that the User accesses PT BKI services or products, please ensure that the User downloads PT BKI services or products through the App Store or Play Store and not from links provided by unauthorized parties. In addition, PT BKI may also require the User to:

1. Enter the Login Password and/or Transaction MPIN and/or biometric access before the User enters the PT BKI Service.
2. Maintain the confidentiality of the User's Login Password and/or Transaction MPIN and not disclose it to anyone.
3. Contact PT BKI if the User's Login Password and/or Transaction MPIN are blocked, and follow PT BKI's instructions to reactivate PT BKI's Services or products.

Please note that sending information online is not completely secure. Although we have made our best efforts to protect User's Personal Data, there is still a potential risk to the security of the data/information that the User sends through the network that the User uses. When we receive data/information from the User, we will use strict procedures and secure features as an effort to prevent irresponsible access.

In the event of illegal access and activities on the confidentiality of the User's Personal Data that is beyond control of PT BKI, PT BKI will immediately notify the User so that the User can reduce the risks arising from this.

The User is responsible for maintaining the confidentiality of the details of the User's information and Personal Data, including information regarding username, password, e-mail or OTP from anyone and for always maintaining and being responsible for the security of the device that the User uses.

Users have the right to:

1. Obtain access and request a copy of the User's Personal Data, including obtaining and/or using the User's Personal Data in a form that is in accordance with the structure and/or format commonly used or can be read by an electronic system, where we have the right to charge a reasonable fee to fulfill this request.
2. Request us to correct incorrect data, complete incomplete Personal Data, update Personal Data. However, we cannot accommodate requests to change Personal Data if we believe that such changes will violate the provisions of laws and regulations or any legal requirements or cause the information to be incorrect.
3. Submit a complaint to the data protection authority or other independent regulator about how we use the User's Personal Data and request the right to obtain compensation and obligations that must be fulfilled by the Personal Data Controller for violations of the Personal Data Processing.
4. Request us to end processing, delete, and/or destroy the User's Personal Data if the User's Personal Data is no longer needed for the purposes set out in the Personal Data Use Section or if there is no other legal basis for the Personal Data Processing or this is not limited by the provisions. Upon receipt of the request for termination, deletion, and/or destruction, we will provide confirmation of receipt and we will provide confirmation after the User's Personal Data has been deleted and/or destroyed as required by the Applicable Regulations. As a consequence, the User may not be able to receive/use our Services if the User deletes/destroys Personal Data either in part or in whole.
5. Submit objections to us regarding the use of the User's Personal Data for direct marketing (including related profiles) or other processing based on legitimate interests.
6. Submit objections to decision-making actions that are solely based on automated processing including profiling, which have legal consequences or have a significant impact on the User.
7. As long as relevant, the User may delay or limit the Processing of the User's Personal Data proportionally. When such restrictions are not possible, we will further notify the User. However, the User may still exercise other rights as described in this Privacy Notice, including withdrawing the User's consent to process the User's Personal Data as long as the User has considered and accepted the consequences that may arise related to the provision of products and/or Services (if any).
8. In the case of processing based on consent, the User may withdraw the User's consent at any time for the Processing of the User's Personal Data carried out by us. Upon receipt of the withdrawal of consent, we will confirm receipt and continue the process to stop processing the User's Personal Data as long as the User has considered and accepted the consequences that may arise related to the provision of products and/or services (if any).
9. If the User wishes to exercise their rights, or wishes to obtain an explanation of the User's rights, please contact us via one of the channels listed in the Contact Us section.

To be able to submit an application for implementation of User rights, Users can submit an application by contacting one of the channels listed in the Contact Us section. Some implementations of rights will have consequences related to the provision of Services so that we will confirm the User's application and/or the application for the implementation of User rights may not be fulfilled as long as the exception to the implementation of such User rights is permitted by the Applicable Regulations. Furthermore, we will make maximum efforts to implement User rights and/or submit confirmation and/or submit a response to the User's application to us within the time period stipulated by the Applicable Regulations, namely no later than 3x24 (three times twenty-four) hours since we received, among others: a) a request for withdrawal of consent to the Processing of Personal Data; b) a request for correction of Personal Data; c) a request for access to Personal Data; and/or d) a request for a copy of Personal Data.

Any implementation of the User's rights as a Personal Data Subject related to alleged violations by PT BKI regarding the Processing of Personal Data must be submitted in writing to PT BKI by fulfilling the terms and conditions required in the Applicable Regulations, to then be implemented and/or responded to by PT BKI within 3x24 (three times twenty-four hours) or other time permitted by the Applicable Regulations and/or applicable civil procedure law, calculated from the time PT BKI receives the User's application for compensation and by selecting the Central Jakarta District Court Clerk's Office as the place for dispute resolution.

Users are required to provide accurate data, information, and Personal Data to PT BKI. Failure to provide certain data and/or information may result in PT BKI being unable to provide full services to Users.

When Users provide us with Personal Data about another person (or someone), Users represent that Users have been appointed and authorized by that person to provide Personal Data and/or act on their behalf, and Users ensure and guarantee that the party has understood and agreed that their Personal Data will be further processed subject to Applicable Regulations. This includes providing consent to:

1. Our processing of their Personal Data and specific Personal Data (as we have explained in the Acquisition and Collection of Personal Data section above); and
2. Users receive information protection notices on their behalf.

We and the Business Group will be able to send information about our and the Business Group's products and/or services as well as carefully selected third party services through PT BKI's official media or the User's direct communication means including by post or electronic means such as by telephone, email, social media or other electronic media with details about the products, services and any special offers. We will only do this if the User has agreed for us to contact the User via electronic or non-electronic means.

Withdrawal of consent to receive direct marketing either via electronic or non-electronic media can be done by using one of the channels listed in the Contact Us section. Upon receipt of such withdrawal request, we will confirm receipt and proceed to stop the Processing of the User's Personal Data for such purposes. Please note, if the User chooses not to receive one form of direct marketing, we still have the right to send the User messages related to our services, for other products or services that the User uses.