- Applicable Data Protection Law
|
- Indonesia: Law No. 27 of 2022 of the Republic of Indonesia regarding Data Protection (“Data Protection Law”) and Law No. 11 of 2008 of the Republic of Indonesia regarding Information and Electronic Transaction as amended with Law No. 19 of 2016 regarding Amendment to Law No. 11 of 2008 regarding Information and Electronic Transaction (“ITE Law”) as well as any implementing regulations thereof and amendments from time to time shall apply to any individual, company and business entity established in Indonesia.
- Singapore: Personal Data Protection Act 2012 of the Republic of Singapore (“PDPA”) applies to personal data collected or processed by companies incorporated in the Republic of Singapore and/or personal data collected or processed within the Republic of Singapore.
- European Union: As we may process personal data of European citizens, the Regulation (EC) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”) is applicable to it.
|
- What kind of Personal Data do we collect from you?
|
The Personal Data we collect varies based on the collection situation and the type of service or transaction used. For the avoidance of doubt, Personal Data means data of an identified or identifiable natural person individually or in combination with other information either directly or indirectly through electronic or non-electronic systems which includes general or specific data such as full name, gender, nationality, religion, marital status, personal data combined to identify a person, health data and information, biometric data, genetic data, criminal records, child data, personal financial data, identification, photos, contacts, other data including personal profiles, unique identifiers associated with personal data and/or other data in accordance with the provisions of laws and regulations or as regulated in this Privacy Policy (“Personal Data”).
By reading and understanding this Privacy Policy and referring to applicable laws and regulations, User hereby agrees that we can Process Personal Data of the User, both general and specific, as follows:
- Identity Data is information used to specifically identify a person such as name, Identity Card (KTP), Driving License (SIM), Taxpayer Identification Number (NPWP), Passport, Limited Stay Permit Card (KITAS), Family Card (KK), user identity or other identifiers, date of birth, gender, place of birth, nationality, income, position, and/or photo;
- Contact Data is information used to contact a person such as service installation address including postal code and city name, document delivery or billing address, electronic mail address (e-mail), and telephone number;
- Eligibility Data is information that we need to further verify your new service installation application, business license, registered certificate, taxable entrepreneur confirmation letter (if any) or company deed document;
- Biometric Data is biometric information, such as fingerprints, faces and others that are used as authentication to use our Services;
- Credential Data such as passwords, hints, and similar security information used for authentication and access to our accounts and Services;
- Payment Data such as every time you make a purchase, such as payment method, payment amount, payment time, and information about payments such as credit card information, debit cards, bank account numbers, electronic money and other financial information;
- Account Data such as transaction history such as subscription packages, account numbers, initials, nicknames, credit information, and billing information;
- History Data such as your contact with us, such as telephone recordings between you and one of our Contact Centers, live chat on the website, electronic mail, and messages through other communication media that we provide;
- Log Data is a record on our system that obtains information such as the device’s IP address, date and time of access, application features or pages viewed/browsing history, application work processes and other system activities, browser type, and third-party sites or services you use before interacting with our Services;
- Device Data is information about the device you use to use our Services, such as device type, hardware model, device operating system and version, software, IMEI number, file name and version, language selection, unique device identifier, advertising identifier, serial number, device location identifier, network and device performance, browser type, language, information that enables digital rights management, camera access, and/or cellular network information;
- Location Data includes your real-time geographic location data, location coordinates in the form of longitude latitude, and Wi-Fi location;
- Cookies Data includes files with small amounts of data that are commonly used as anonymous unique identifiers. Cookies are sent to your browser from the websites you visit and are stored on your device’s internal memory. Data provisions are as referred to in our Cookies policy at https://www.online-pajak.com/cookie-policy-and-service-use-policy. Users should note that our Services do not use these “cookies” explicitly. However, this application and/or website may use third party code and libraries that use “cookies” to collect information and improve their services. You have the option to accept or reject these cookies and know when a cookie is being sent to your device. If you choose to reject our cookies, you may not be able to use some parts of our Services;
- Your preferences for our products and Services and specific activities when you tell us such information, or our assumptions about your preferences, based on how you use our products and Services;
- Advertising Services (Advertising ID) used by us to conduct advertising and promotional activities;
- Metadata of your usage activities, data usage, activation of Additional Services (“Add-ons”), prepaid deposit amounts, advance bill payments, prepaid deposit transfers, content and package purchases, and your profile and segmentation; and/or
- Information we obtain from other sources, such as credit agencies, fraud prevention agencies, and from other data providers, including demographic data, interest-based data, and internet browsing behavior.
Additional information and data may be collected from you from time to time. In such cases, we will provide notice to you or through other mechanisms in accordance with laws and regulations and continue to ensure the protection of your personal data under this Privacy Policy. |
- How do we collect your Personal Data?
|
We collect your Personal Data under the following conditions:
- You apply for a new Services installation;
- You use our network or Services, not limited to the internet services we provide including free Wi-Fi, websites, and applications, including our social media such as Facebook, Instagram, X, LinkedIn, and others;
- You contact and use the Services of all our communication channels such as, but not limited to Contact Center, live chat, electronic mail and other communication media messages provided by us;
- You participate in our promotional activities, events, marketing, loyalty programs, certain surveys and other activities;
- You are a User of a company involved in corporate actions (mergers and acquisitions) with us in accordance with applicable laws and regulations;
- You visit our office area where CCTV devices are installed;
- Information comes from third parties who have a basis for processing your Personal Data, to the extent that we also have a basis for processing your Personal Data; and/or
- Your information has been made publicly available.
We collect your Personal Data only for the needs of the service process. Therefore, if you choose not to provide or provide incompletely your Personal Data to us, we may not be able to provide Services to you.
We process your personal data based on Law Number 27 of 2022 concerning Personal Data Protection (including all amendments from time to time) as follows:
- Your explicit valid consent for the purposes stated by us in this Privacy Policy;
- Fulfillment of agreement obligations in fulfilling your request for Services;
- Fulfillment of our legal obligations in accordance with the provisions of laws and regulations;
- Fulfillment of the protection of your vital interests, in the event of a threat to your life, physical, and/or property/assets or other third parties;
- Implementation of duties in the context of public interest, public services, or the implementation of our authority based on laws and regulations; and/or
- Fulfillment of other legitimate interests by taking into account the objectives, needs, and balance of our interests and yours.
|
- What are we doing with your Personal Data?
|
The Personal Data and other information that you provide and if relevant, to use, or subscribe, or purchase the, including any additional information that you further provide, may be used and processed by us for the following purposes:
- to use your information to carry out our business and help us to improve your experience with our products;
- to communicate and implement Know Your User (KYC) with you;
- to notify you about the products and Services available to you;
- to provide selections as to the function of our information that is suitable for you and to improve our Services for you;
- to provide transparent and clear explanation as to how we use the information;
- to publish or share the information which has been combined with several Users, in a manner which certainly avoids you or others being identified;
- to aggregate your account data, which has been uploaded and non-personal in nature so as to avoid you being identified, with the data of other Users of the Services to improve the quality of Services, design a promotion or provide a way for you to compare business practices with other Users;
- to train our employees and also to train you as to how to maintain the security and protection of your information;
- to obtain and collect your Personal Data, and to store your Personal Data in an electronic system owned by Achilles or third parties;
- to review and process the User’s request in relation to the Services;
- to verify and validate the User’s identity and background;
- to build communication between the User and Achilles;
- to process payment transactions of the User in relation to the Services;
- to answer questions, complaints, or comments from the User;
- to manage the User’s participation in an event or program held by Achilles;
- to process and analyze your Personal Data, including to perform market analysis, whether performed by Achilles or third parties;
- to share your Personal Data with Achilles’ subsidiaries, affiliates, related companies, license holders, business partners and/or service providers. List of our business partners will be available upon request;
- to analyze data, build algorithms, and create a database for rating systems;
- to carry out internal activities, including internal investigation, compliance, audit, and other internal security purposes;
- to provide you with the latest security, versions, features, options, and controls related to your system or device;
- to use your information to participate in surveys or User meetings;
- to enable us to send you information via electronic mail (email), telecommunications (phone calls or text messages) or social media about products and Services offered by selected third parties that we think may be of interest to you;
- for business operations to conduct accounting, auditing, billing, reconciliation, and collection activities, including monitoring and preventing crime or fraud, protecting our legal rights, and carrying out obligations under an agreement/contract/agreement;
- for other legal business activities of Achilles;
- we may use the physical location of your device, combined with information about what advertisements you view and other information we collect, to enable us to provide personalized content and to study the effectiveness of advertising and marketing campaigns; and/or
- you may choose to allow or decline subscriptions or sharing of your device location by changing your device settings;
(collectively, “Purposes”).
In accordance with Article 6 of the GDPR, your Personal Data are therefore processed either: (1) on the basis of your consent; (2) because of the contract that binds you to Achilles; or (3) because it pursues the legitimate interests of Achilles in order to enable the execution of the above-mentioned Services. |
- With whom do we share or disclose your Personal Data?
|
Achilles is a global company and may access or store Personal Data in various countries, including but not limited to Singapore, Indonesia and/or other countries in which Achilles operates its office/affiliates. In accordance with Article 56 of Data Protection Law and Article 46 of the GDPR, we may: (i) conduct transfer of Personal Data to outside the jurisdiction of Indonesia insofar with the approval of User and in accordance with the provision of Data Protection Law; and/or (ii) to access or store the Personal Data insofar as these countries do not benefit from an adequacy decision of the European Commission, and Achilles has implemented appropriate safeguards. To the extent your Personal Data is collected in Indonesia, Singapore, and/or other countries in which Achilles operates its office/affiliates, your Personal Data will not be deliberately transferred to any place located outside Indonesia, Singapore and/or other countries in which Achilles operates its office/affiliates (as the case may be) or deliberately disclosed to third parties, except in the cases listed below:
- to allow us to perform the Purposes specified above, we may provide and/or disclose your Personal Data to our subsidiaries, affiliates, related companies, license holders, business partners, service providers, professional advisors and external auditors, including legal counsels, financial advisors and consultants, as well as other third parties, which may be located within or outside Indonesia;
- we may offer a feature that connects you to our business partners, service providers or other third parties, and for that reason we may give some limited information related to your Personal Data to our business partners, service providers or other third parties only for the purpose of carrying out such feature and including for the purposes of conducting promotions, marketing, loyalty programs, events or offering Company products or Services as well as billing;
- we may share your Personal Data with third parties who assist us in providing information for authentication and due diligence purposes, including credit references, fraud prevention or business assessment agencies, or other credit assessment agencies, including banks;
- we may share your Personal Data with Public Accounting Firms and other Audit Institutions;
- we may engage with or employ other companies or individuals to facilitate, provide certain Services or perform functions on our behalf, and in relation thereof we may provide and/or disclose your Personal Data to these companies or individuals;
- in the event of a corporate transaction, including but not limited to sale of subsidiaries or divisions, merger, consolidation, financing, sale of assets or other situations involving the transfer of our business assets, in part or in whole, we may disclose your Personal Data to the parties involved in the negotiation or transfer;
- we may also disclose your Personal Data if required by law, or necessary to comply with the laws, regulations and government, or in case of dispute, or any kind of legal process in relation to the Services, or in case of emergency related to your health and/or security;
- at the order of an authorized law enforcement agency or government institution pursuant to the provisions of prevailing laws and regulations, we may provide access to the law enforcement agency or government institution in question to carry out search or seizure on your data which is stored electronically in the servers of Achilles;
- we may also share aggregated or anonymized information that does not directly identify you;
- we will disclose information if it is held for the purpose of protecting us from fraud, defending our rights or assets/property, or to protect the interests of our Users. We may also need to disclose your information to comply with obligations in the event of responding to legal demands, or for the legitimate interests of any subject in the context of national security, law enforcement, litigation, criminal investigations or to prevent epidemics, emergencies that have been declared by the Government. Your personal data will only be provided if we, in good faith, believe that we are required to do so in accordance with the law and based on a thorough evaluation of the provisions of the laws and regulations.
|
- How do we store your Personal Data?
|
The Personal Data we collect is stored in a storage place (data center) that we manage ourselves and/or that is managed by a third party located or domiciled within the jurisdiction of Indonesia or outside the jurisdiction of Indonesia. All facilities, infrastructure, and data storage systems, whether managed by us or a third party, are equipped with security controls to ensure the protection of your Personal Data.
This Personal Data may be stored in hard copy or electronic format. The storage period for your Personal Data varies greatly based on the processing purposes that have been previously stated, such as providing the Services you request, complying with our legal obligations, resolving disputes, and implementing our policies. We store your Personal Data as long as:
- you are still using the Services; and/or
- your use of the Services has passed with a maximum storage period of 5 (five) years for specific data related to your taxation and 10 (ten) years for other specific and general data; and/or
- in accordance with applicable laws and regulations.
|
- How do we maintain the security of your Personal Data?
|
In maintaining the security of your Personal Data, we have:
- used the best methods that have been tested to protect your information;
- carefully reviewed our security procedures;
- complied with the applicable law and security standard;
- ensured that your Personal Data is securely transmitted and encrypted; and
- ensured that our employees are trained and required to participate in securing your information.
Achilles has obtained ISO/IEC 27001 (IS 652921) certification from a reputable certification body, BSI, based in London, England. ISO 27001 is an internationally renowned strict and structured certificate on information security control.
ISO/IEC 27001:2013 sets forth the requirements to establish, implement, maintain and continuously improve the information security management system in the context of the organization. It also covers requirements for the assessment and handling of information security risks designed specifically for the needs of an organization.
The objective of this international standard is to assist an organization in building and maintaining the information security management system (ISMS). An ISMS is a system used to process and control information and its security risks, as well as to control the integrity, protection and preservation, and confidentiality of information. Achilles currently implements this system into all its business activities. This system applies to all our business activities in Singapore and Indonesia.
We will take all measures necessary to maintain the privacy and security of all Personal Data that you provide. We will notify you if any third party (such as hackers) hacks or attempts to hack our security measures or obtains unauthorized access to our data center or device that contains your Personal Data. Achilles shall not be liable for any damage caused that is not attributable to it. However, you should be aware that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data which is transferred from you or to you via the internet.
The provisions of the mechanism for protecting your Personal Data by us also refer to the provisions in the Trust Center which you can find at https://www.online-pajak.com/trust-center . |
- What rights do you have over your Personal Data?
|
In accordance with the applicable laws and regulations on the protection of personal data, you benefit from a certain number of rights relating to your data, namely:
- the right of access and information: you have the right to be informed in a concise, transparent, intelligible, and easily accessible manner of how your Personal Data is processed. You also have the right to obtain (i) confirmation that data concerning you is being processed and, where appropriate, (ii) to access such data and obtain a copy of it. However, Achilles reserves the right to deny you access to your Personal Data and may provide an explanation as required by applicable laws;
- the right of rectification: you have the right to obtain the rectification of inaccurate data concerning you. You also have the right to complete incomplete data concerning you by providing an additional declaration. If you exercise this right, we undertake to communicate any rectification to all the recipients of your data;
- the right of end processing, deletion and/or destruction: we store and process your data as long as necessary to achieve the purposes described in this Privacy Policy and in accordance with the retention period of each data that we set in point 6 of this Privacy Policy. You have the right to terminate the processing that we do or delete your data that we control at the risk that you cannot use our Services in full because the minimum information we need to provide the Services cannot be processed. You have the right to destroy your data that we control if it does not violate the law and there is no other obligation for us to continue to store it. For the avoidance of doubt, this provision does not apply to data that is fully controlled by our partners such as the Directorate General of Taxes, the Directorate General of Treasury or the Population and Civil Registration Service. Requests for your rights can be submitted by contacting the contact in the Contact Us section of this Privacy Policy;
- the right to delay or limitation of processing: in certain cases, you have the right to delay or obtain a limitation of the processing of your data;
- the right to portability and interoperability of Personal Data: You have the right to obtain and/or use your Personal Data that has been provided to us in a form that conforms to the structure and/or format commonly used or can be read by electronic systems, such as payment history and subscription history. You also have the right to use and send your Personal Data to other Personal Data controllers, as long as our systems and the systems of other Personal Data controllers used can communicate securely with each other in accordance with the principles of Personal Data Protection based on the provisions of applicable laws and regulations;
- the right to object to the processing: you have the right to object at any time to the processing of your data for processing based on our legitimate interest and those for commercial prospecting purposes. This is not an absolute right, and we may for legal or legitimate reasons refuse your request for opposition;
- the right to withdraw your consent at any time: you may withdraw your consent to the processing of your data at any time where the processing is based on your consent. Withdrawal of consent does not affect the lawfulness of the processing based on the consent given prior to such withdrawal;
- the right to complain to a supervisory authority: you have the right to contact your data protection authority to complain about our personal data protection practices;
- the right to send the personal data to the other personal data controller(s): you have the right to send your data to the other personal data controller(s), as long as the system used can communicate with each other securely and in accordance with the personal data protection’s principles; and
- the right to opt-out from marketing information: We may from time to time provide promotions and offers to you based on lawful processing grounds. You have the right to withdraw your consent to the processing of marketing-related Personal Data so that We do not share marketing-related information. You will still receive service-related information and will still be able to use our Services. You can withdraw your consent to the processing of marketing-related Personal Data through the media that we provide from time to time or by contacting Us via the contact information in the Contact Us section of this Privacy Policy.
To exercise these rights, you can contact us at the following address: [email protected]. Please note that we may require proof of your identity in order to exercise these rights and that we may charge a reasonable administrative fee for this service.
Exceptional circumstances mentioned above include (to the extent allowable under applicable law) where:
- an investigating authority or government institution objects to Achilles complying with your request; and/or
- information is collected in connection with an investigation of a breach of contract, suspicion of fraudulent activities or contravention of law.
Achilles shall also not provide access to your Personal Data if it could reasonably be expected to:
- threaten or cause immediate or grave harm to the safety or physical or mental health of an individual other than you;
- reveal personal data about another individual;
- reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity;
- the reason for the request is not relevant to you and/or the Personal Data processing activities we undertake; and/or
- be contrary to the national interest.
|
- Transfer of Personal Data abroad
|
We may need to transfer your information outside the jurisdiction of Indonesia to store data whose storage infrastructure (data center) is outside the jurisdiction of Indonesia and managed by a third party partner. We always maintain the security of your data by ensuring that:
- the country where the third party partner who receives the data transfer is domiciled has a level of personal data protection that is equal to or higher than Indonesia; or
- there is adequate and binding personal data protection; or
- you agree to the transfer of Personal Data abroad that we carry out.
|
|
In the process of analyzing new installation requests, providing promotions or offers, and preventing fraud, we use automated decision-making (meaning without human involvement), including profiling, which may have legal consequences or otherwise significantly impact you. You have the right to object to decisions based solely on automated processing through the objection mechanism in this Privacy Policy. |
- Provisions Concerning Persons with Disabilities
|
If you are categorized as a person with disabilities, then you are required to ensure that you have obtained approval from your parents (father or mother) and/or guardian in accordance with the regulations in force in Indonesia. |
- Personal Data Breach Notification
|
In the event of a leak of your personal data, we will immediately provide written notification to you no later than 3 x 24 hours via registered email, including the type of personal data disclosed and efforts to handle and restore said personal data. |
|
Achilles needs your assistance to ensure that your Personal Data is current, complete, and accurate. As such, please inform Achilles of changes to your Personal Data by sending a written notification/request to [email protected]. |
- Amendment to Privacy Policy
|
We may modify this Privacy Policy from time to time, particularly in order to comply with any regulatory, editorial or technical changes. If so, we will change the “last update” date and indicate the date on which the changes were made. Where necessary, we will inform you and/or seek your consent. You should check this page regularly for any changes or updates to our Privacy Policy. |
|
This Privacy Policy is prepared in both Indonesian language and English language. In case of any inconsistency or conflict between the Indonesian text and the English text of this Privacy Policy, the English text shall prevail, and the Indonesian text shall be deemed to be automatically amended to conform with the relevant English text. |
- Governing Law and Jurisdiction
|
This Privacy Policy, its subject matter and its formation (and any non-contractual disputes or claims) are governed by the laws of the Republic of Indonesia. We both agree to the exclusive jurisdiction of the Indonesian National Arbitration Board (Badan Arbitrase Nasional Indonesia or “BANI”) which was established in 1977 by the Indonesian Chamber of Commerce and Industry (KADIN) through Decree No. SKEP/152/DPH/1977 dated November 30, 1977 in a closed proceeding and in the Indonesian language with the arbitration location in Jakarta, Indonesia. |
- Acknowledgement and Agreement
|
By using any of our products and/or Services or our Site, you represent that you have read, understood and agreed to the Privacy Policy, hereby you agree and commit to comply with the principles of our Privacy Policy and We are not responsible if you provide us with Personal Data relating to another individual, hereby you represent and warrant that you have obtained all consents from such individual for the Processing of such individual’s Personal Data by us. You also hereby warrant to be cooperative in the event of any request for proof of such consent by us to you at any time. |
|
If you have any questions about this Privacy Policy or if you have any requests relating to your data, you can contact us by addressing an email to our Data Protection Officer to the following address: [email protected]. |
- Marketing or Publication of Services
|
By accepting the terms of this Privacy Policy, you understand that we may send information material for the purpose of marketing or publicizing our Services (such as newsletters, advertisements or short message services) either through our website, electronic mail or third-party media platforms that partner with us for the interests of commercial and non-commercial activities. If you do not wish to receive material from our marketing activities, you can stop it at any time by contacting us or selecting the “berhenti berlangganan/unsubscribe” option on the relevant marketing material. |
|
Our Site may contain links to other websites. Please note that we are not responsible for the privacy practices or policies of those websites. |