Loading

Please Wait while we set
things up for you!

Privacy Policy

At PT Sarana Menara Nusantara Tbk and its subsidiaries (collectively, the “Company”), trust is the foundation of our business relationships, and safeguarding personal data is core to conducting business responsibly. This Privacy Policy (“Policy”) explains how the Company collects, uses, stores, transfers, and protects personal data in accordance with Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) and international privacy standards.

The Company recognises that personal data must always be handled fairly, transparently, accurately, securely, and for lawful purposes. This Policy reflects those principles and sets out the Company’s general commitments to data subjects.

 

DEFINITIONS

 

For the purpose of this Policy, the following terms shall have the meanings set out below:

  1. Personal Data” means any data relating to an identified or identifiable individual, whether directly or indirectly, through electronic systems or otherwise.

  2. “Processing” means any activity carried out on Personal Data, including but not limited to collection, recording, storage, modification, use, transmission, disclosure, dissemination, erasure, or destruction.

  3. “Controller” means the Company, which has the authority to determine the purpose and method of processing Personal Data.

  4. “Processor” means any third party that processes Personal Data on behalf of the Company pursuant to a written agreement.

  5. “Data Subject” means any individual whose Personal Data is collected, used, or otherwise processed by the Company.

  6. “Transfer” means the disclosure, distribution, or provision of access to Personal Data to another party, including cross-border transfer.

  7. “Consent” means a freely given, explicit, and informed indication of the Data Subject’s agreement to the processing of their Personal Data.

 

SCOPE AND APPLICATION

 

  1. Who this Policy Applies to


This Policy applies to all personal data processed by the Company in the course of its business operations. It covers personal data relating to:

  • employees, officers, directors and commissioners;

  • shareholders and investors;

  • clients, vendors, service providers, and subcontractors (including client’s vendors, service providers, and subcontractors) ;

  • any other individuals whose personal data is collected or otherwise processed in connection with the Company’s activities.

 

  1. Covered Situations


This Policy applies to personal data processing activities carried out by the Company, whether such data is:

  • collected directly from the data subject;

  • obtained from third parties lawfully authorised to provide such data; oryes

  • processed through the Company’s internal systems, digital platforms, or other business processes.

 

  1. Exclusions

 

This Policy does not apply to anonymous data that cannot reasonably be used to identify an individual,  or personal data processed by third parties acting independently of the Company under their own privacy policies.

 

POLICY FRAMEWORK

 

  1. DATA COLLECTION

 

  1. Categories of Personal Data Collected

 

Category

Types of Personal Information



Personal details, contact details, and identifiers

name, pronoun, identifiers, e-mail, phone number, physical address; and where necessary, gender, date of birth, age, place of birth, national identification number, marital status,  family information

Financial data

bank account details, tax identification number, payment history, salary, tax information 

Employment and professional information


Corporate and Shareholding Data



Business Relationship



Technical and system data

job title, position, reporting line, professional qualifications, employment history, role description, employer, and location


shareholder records, ownership structures and other information required for governance and compliance



vendor and client contact persons, communication records, transaction history, access permits, authorizations


IP address, login credentials, device identifiers, system usage logs, access records, and other information captured by Company IT systems, platforms, and networks for security and operational purposes

 

Where the Company collects personal data not specifically listed above, affected data subjects shall be notified as required by law.

 

  1. Collection Principles


The Company collects personal data only on a lawful basis, for clear and legitimate purposes, and in a fair and transparent manner.

 

  1. Collection Methods

 

Personal data shall be collected directly from the data subject wherever possible. If data is obtained from third parties, the Company will ensure that such parties are lawfully authorized to disclose the information.

 

Method

Action Required

Direct collection

Where data is obtained directly from the data subject, the Company will provide clear information on the purpose, legal basis, and rights of the data subject.

Indirect collection

Where data is obtained from third parties, the Company will ensure that such parties are authorized to disclose the data and that appropriate agreements are in place.

 

  1. DATA SUBJECT RIGHTS

 

The Company respects and upholds the rights of individuals in relation to their personal data, as provided under applicable laws. Subject to lawful limitations and verification of identity, Data subjects shall be entitled to exercise the following rights:

 

  • Right of Access – to request confirmation as to whether their personal data is being processed, and to obtain a copy of such data together with relevant processing details.

  • Right to Rectification – to request correction or completion of personal data that is inaccurate, incomplete, or misleading.

  • Right to Erasure – to request deletion of personal data when it is no longer necessary, where consent is withdrawn, or where processing is unlawful, subject to applicable retention obligations.

  • Right to Restrict Processing – to request limitation of processing in circumstances permitted by law.

  • Right to Data Portability – to obtain and reuse their personal data in a structured, commonly used, and machine-readable format, and to transmit such data to another controller where technically feasible.

  • Right to Object – to object to the processing of personal data on grounds relating to their particular situation, where processing is based on legitimate interest or for direct marketing purposes.

  • Right to Withdraw Consent – to withdraw consent previously given for processing, without affecting the lawfulness of processing carried out before such withdrawal.

 

Requests to exercise any of the above rights may be submitted to the Company’s designated Data Protection Officer (LDPO), whose contact details are set out in this Policy. The Company will respond within the timeframes prescribed by applicable law.

 

  1. DATA PROCESSING

 

The Company processes personal data solely for lawful, fair, and proportionate purposes, including but not limited to:

 

Purpose

Legal Basis

Recruitment, employment management and human resources administration

Performance of contract, Legitimate interest, and Legal Obligation

Managing relationships with clients, vendors and stakeholders

Performance of contract

Corporate governance, shareholder administration and regulatory filings

Legitimate Interest and Legal obligation 

Facilitating communications

Legitimate interest

Business continuity, operating and managing business activities

Legitimate interest

Compliance with  legal and regulatory obligations

Legal obligation


Where expressly required by law, the consent of the data subject is also obtained to process personal data.

 

  1. STORAGE AND RETENTION

 

The Company will ensure that all personal data is stored securely using appropriate organizational, technical, and physical safeguards, consistent with ISO 27001 and recognized industry standards.

 

Retention periods for personal data will be established on the basis of legitimate business requirements, contractual obligations, and applicable legal or regulatory provisions.

 

When personal data is no longer required for the purposes for which it was collected, it will be securely deleted, irreversibly anonymized, or archived in accordance with applicable legal and regulatory requirements, and subject to documented internal procedures.

 

  1. DATA TRANSFER

 

Internal Transfers: Personal data may be shared across the Group on a need-to-know basis, subject to strict access controls.

External and Cross-Border Transfers: Transfers to third parties, including outside Indonesia, will only take place where adequate safeguards are in place and subject to written agreements in compliance with the PDP Law.

 

  1. THIRD PARTY PROCESSING

 

The Company engages third-party service providers only under written agreements that impose equivalent data protection obligations, ensuring confidentiality, integrity, and accountability as required by PDP Law and in accordance with recognized privacy standards.

 

  1. SECURITY AND BREACH RESPONSE

 

The Company is committed to protecting personal data against unauthorized access, disclosure, alteration, loss, or destruction. To this end, the Company applies organizational, technical, and physical security controls proportionate to the level of risk and sensitivity of the personal data being processed.

 

Security measures include, but are not limited to:

  • Organizational safeguards: implementation of governance structures, employee training, access rights management, and confidentiality undertakings.

  • Technical safeguards: use of encryption, firewalls, intrusion detection and prevention systems, secure software development practices, and monitoring of information systems.

  • Physical safeguards: restricted access to facilities, secure storage of physical records, and environmental controls to prevent damage or loss.

 

The Company’s security practices are aligned with ISO/IEC 27001 standards and are subject to regular risk assessments, audits, and continuous improvement processes.

In the event of a personal data breach, the Company will follow established incident response protocols, including notification to the relevant authority and affected data subjects, where required by applicable law.

 

  1. DATA PROTECTION OFFICER

Questions, concerns, or requests regarding this Policy or the exercise of data subject rights should be directed to:

Data Protection Officer

dpo@protelindo.net

53RD Floor Menara BCA, Jalan M.H. Thamrin No.1

Jakarta Pusat, Indonesia

 

  1. GOVERNANCE AND POLICY REVIEW 

 

This Policy will be reviewed periodically and may be updated to reflect changes in law, regulation, or business practice. Updated versions will be made available internally and externally, as appropriate.

  1.