Data Protection and Privacy Statement (in compliance with the Singapore Personal Data Protection Act 2012 (PDPA))

BNI’s Singapore Data Protection and Privacy Statement

I. Introduction

This statement relates to P.T. Bank Negara Indonesia (Persero) Tbk Singapore Branch (“BNI SG”), and outlines BNI SG’s policy in respect of compliance with the obligations under the Personal Data Protection Act 2012 (the “PDPA”) in relation to the collection, use and disclosure of personal data. This statement relates to personal data supplied by you to BNI SG on this website, as well as to personal data supplied by you to BNI SG in the form of hard copy mediums.

II. Objective

The fundamental objective of this policy is to simultaneously establish and affirm BNI SG’s commitment to protecting the personal data and consequently the privacy rights of individuals in accordance with BNI SG’s obligations under the PDPA.

III. Definition

“Personal data” means data, whether true or not, about an individual who can be identified: (a) From that data; or (b) From that data and other information to which the organisation has or is likely to have access. It does not include business contact information, unless such information was given solely for personal purposes. 

IV. Data Protection Principles under the PDPA

BNI SG is committed to performing its obligations in accordance with the Data Protection Principles contained in the PDPA. In short, unless exceptions under the PDPA apply, BNI SG will:

  1. Obtain consent of an individual before collecting, using, or disclosing the personal data for a purpose;
  2. Collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the given circumstances;
  3. Inform the individual of the purposes for the collection, use, or disclosure of the personal data, on or before collecting the personal data;
  4. Allow individuals to verify and correct the personal data that is in BNI SG’s possession or control;
  5. Make a reasonable effort to ensure that personal data collected by BNI SG is accurate or complete, if it is likely to use the personal data to make a decision affecting the individual concerned, or to disclose the personal data to another organisation;
  6. Put in place reasonable security measures to protect the personal data in BNI SG’s possession or control;
  7. Destroy personal data as soon as it is reasonable to assume that the personal data no longer serves the purpose of collection and the retention is no longer necessary for legal or business purposes;
  8. Not transfer personal data outside Singapore unless the transfer complies with the PDPA requirements;
  9. Develop data protection policies and dispense information about such policies to the public; and
  10. Be responsible for the personal data in BNI SG’s possession or control, including personal data that is being processed by its data intermediaries.

V. How BNI SG uses your information

The personal data collected from you by BNI SG is valuable in improving BNI SG’s range of services. In this regard, BNI SG would like to provide its assurance that your personal data will be treated as confidential. BNI SG will also use your personal data for the purposes of ensuring our services to you are kept at the highest level and also for keeping you informed about our products, services and other opportunities within BNI SG that you might be interested in.

VI. Data security

BNI SG has put into place security measures which protect personal data from manipulation, loss, destruction, and which protect personal data from being accessed in an unauthorized manner.

VII. Retention

The personal data collected from you by BNI SG is retained for the period of time that the purpose for which the personal data was collected continues. Thereafter, BNI SG will destroy the personal data, unless it is necessary to retain the personal data longer for BNI SG’s satisfaction of legal, regulatory or accounting requirements, or to protect BNI SG’s interest.

VIII. Disclosure

BNI SG will not disclose your personal data to an external party, unless BNI SG has your consent or is under a legal obligation or any other duty to do so.

IX. Transfer of data to other countries

The personal data collected from you by BNI SG may be transferred within the BNI Group. This will include transfer to other parts of the Group in other countries which may not have a level of data protection equivalent to Singapore. However, BNI SG pledges its intention to comply with the PDPA and will ensure that organisations in other countries which receive personal data from BNI SG will be aware of the protection as specified by the PDPA.  In doing so, we will ensure compliance by our staff with the strictest standards of security and confidentiality.

X. Cookies

It is common practice to use cookies to “remember” information about your preferences when you visit our website. You may set up your web browser to accept or reject our cookies. Most Internet browser software can be set such that all cookies are blocked, or to enable you to receive a warning before the storage of a cookie.

XI. Your rights and how to contact us

You may request access to and correction of your personal data that is held by BNI SG under certain circumstances. If you wish to access or request the correction or deletion of any personal data that is held by BNI SG, or if you wish for clarification on any questions that you may have regarding BNI SG’s Data Protection and Privacy Statement, you may write to BNI SG as per the contact details furnished below:

Mail Address:
P.T. BANK NEGARA INDONESIA (PERSERO) TBK.
30 Raffles Place, #26-01 & #27-01,
Singapore 048622
Attention: dpo@ptbni.com.sg

XII. Changes to our website privacy statement

BNI SG updates its Website Privacy Statement from time to time. Hence, we advise that you regularly check this Website for the purposes of familiarising yourself with the latest version of the BNI Singapore Data Protection and Privacy Statement.

BNI PRIVACY NOTICE

(In compliance with Indonesia Law No. 27 of 2022 on Personal Data Protection (PDP Law))

Effective from 17 October 2024

PT Bank Negara Indonesia (Persero) Tbk (‘we’ or ‘Bank’ or ‘us’ or ‘our’) is a state-owned enterprise established under the laws of the Republic of Indonesia having its registered head office in Jakarta, Indonesia with its overseas branches located in London, Singapore, Hong Kong, Tokyo, New York and Seoul, having its business in banking and financial services. 

This Privacy Notice intends to provide clarity and assurance to Users on how we collect, use, and protect Users’ information and Personal Data. By reading this Privacy Notice, it is expected that Users feel assured that the security of Users’ Personal Data and privacy is a key priority for us. 

We are committed to protecting the information we hold about you. This privacy notice describes how, when, and why we, PT Bank Negara Indonesia (Persero) Tbk, may use your information, as well as your rights relating to that information. 

In this Privacy Notice, the use of the term (i) ‘User’ refers to each individual Personal Data owner (data subject) who has and/or will use our products and/or services, visitors and users of our websites/applications/electronic systems, as well as any third party to which this Privacy Notice applies; (ii) ‘Business Group’ refers to all affiliated companies that are in the same group due to the Bank’s direct or indirect ownership and/or control (parent company, subsidiary and other affiliate relationships); (iii) ‘Personal Data’ refers to data concerning Users who are identified or identifiable individually or in combination with other information either directly or indirectly, in particular by reference to identifiers such as name, identification number, location data, through electronic or non-electronic systems as referred to in the Applicable Regulations; (iv) ‘Applicable Regulations’ refers to Law No. 27 of 2022 on the Protection of Personal Data and other relevant laws and regulations in force, including their amendments from time to time; (v) ‘Processing’ refers to the act of acquiring, collecting, processing, analyzing, storing, correcting, updating, displaying, announcing, transferring, disseminating, aligning or combining, retrieving, disclosing, deleting and/or destroying Users’ Personal Data, including cross-border Personal Data Processing.

The Personal Data that we will process is the Personal Data that has been and will be provided by the User to us, which also includes Personal Data as written in the Personal Data Acquisition and Collection section of this Privacy Notice to provide banking products and/or services that the User requests, including for the fulfillment of our agreements or legal obligations to laws and regulations, when the User visits, accesses, and/or uses the Bank’s products and/or services, including our website/application/electronic system in connection with the use of the Bank’s products and/or services (‘Services’). 

Applicability 

By using our Services, the User declares that the User has read, knows, and understands all the contents of this Privacy Notice, and also declares that the User is the legal and authorized party to provide the User’s Personal Data to the Bank through the Bank’s Service channel. 

We may amend, delete, and/or update this Privacy Notice from time to time if necessary. If such amendment, deletion, and/or update constitutes a change in information which under the Applicable Regulations is required to be notified to the User, then we will use reasonable efforts to notify the User in advance through our official channels. 

The version of the Privacy Notice displayed on our website/application/electronic system is an update to all previous versions of our Privacy Notice, therefore we encourage Users to check the Privacy Notice on our website/application/electronic system from time to time. 

Personal Data Acquisition and Collection 

It is important for Users to know what categories and types of User Personal Data can be processed.  

a. Personal Data would include the following (where relevant and applicable):

  1. Personal profile identification data, which can be in the form of full name, identification number, taxpayer identification number, immigration documents, gender, nationality, place and date of birth, birth mother’s maiden name, alias/calling name, religion, voice recording, image recording, personal appearance and photograph (such as photo attached in the identification number and/or passport), signature (wet and/or electronic), fingerprints and/or biometric data;
  2. Other personal related data, which may include information on health data, legal offences, communication preferences, hobbies, interests, online profile and social media information and activity based on User’s interaction with Us which can be in the form of geolocation, IP address/MAC Address, User activity in the Bank’s application, mobile phone network information, and interaction of the Bank’s application with other applications on the User’s electronic device including site visits and spending patterns;
  3. Financial data, which can be in the form of account number, source of income, total monthly/annual income and expenditure including account, transactional and historical information, payment and payee details, transaction and credit/financing data, investment, asset and collateral-related data, tax, as well as banking and financial service data from other financial services that the User receives;
  4. Correspondence data, which can be in the form of an address according to the Identity Card, address and domicile status, electronic mail address (email), telephone number/mobile phone, and emergency contact which includes name, type of relationship with the User, address, telephone number/mobile phone, and email;
  5. Education and/or employment data, which can be in the form of education level, type of work, business field, position, division, year of starting work/business, name of company/agency where worked, address of place of work, employment status, as well as name, position, and telephone number of co-workers; and Family data, which may include marital status, name of spouse, number of children, and number of dependents.
  6. Digital activity data, which can be in the form of geolocation, IP address/MAC Address, User activity in the Bank’s application, and interaction of the Bank’s application with other applications on the User’s electronic device; and/or
  7. Customer interaction data, which consists of communications with the bank (recorded phone calls, emails, or messages exchanged with customer services) and complaints or queries (records of complaints or feedback submitted to the bank).
  8. Compliance and regulatory data, which can be Anti-Money Laundering (AML) information, sanction data and risk assessment data.
  9. Marketing and behavioral data which may include marketing preferences whether, purchase behavior and survey responses.

b. Other than as referred to in paragraph (a) above and to the extent permitted by law, we may also process certain special categories of information for specific and limited purposes to make our service accessible to customers or to prevent and detect unlawful acts, fraud, and financial crime, we may process information about criminal convictions, criminal offences, related security details, alleged offences including unproven allegations, spent or previous convictions, or other details provided in relation to a criminal reference check or similar.

Source of User’s Personal Data 

In order to be able to support us in providing optimal Services for Users, we will collect Users’ Personal Data from various sources, including (where relevant and applicable) as follows: 

  1. Directly from Users; 
  2. Information about the User which will be generated when the User applies for a Service, uses our Service, or has had a previous Service; 
  3. Personal Data from Business Group and/or other third parties who are the Bank’s partners or enter into cooperation with the Bank, publicly available sources, credit reference agencies, marketing and data brokers;
  4. Cookies, location services, CCTV and surveillance systems, User’s IP address when User visits our website/application/electronic system, or when User fills out our contact form in our website/application/electronic system, or data that User allows to be accessed through User’s device; 
  5. From correspondence between the User and the Bank via email, physical mail, or the Bank’s official means of correspondence/communication media;  
  6. From survey data notified to the Bank;   
  7. Government or legal authorities, consisting of tax authorities, law enforcement agencies and court records; and/or
  8. Transactional data which will be generated from banking and financial transactions and purchase history. 

Use of Personal Data 

a. The Processing of Users’ Personal Data by the Bank is carried out to provide the Services, which includes the following purposes (where relevant and applicable):

  1. General Services: to provide, design and/or develop Services, banking facilities, products or services, including assisting the Bank in analyzing how the Bank’s Services are used, replying to inquiries, or notifying Users of any changes to the Services.
  2. Profiling and Decision-making: for the purpose of profiling and scoring activities for automated decision making of Users for the improvement of Services for Users and risk management of the Bank.
  3. Marketing and Promotions: for marketing purposes to offer products or services, including special offers, promotions, contests or information that may be of interest to Users. Such marketing messages may be sent to Users by the Bank and/or Business Partners in various ways including through physical mail, electronic mail, short message service, telephone, facsimile, means of correspondence and other official Bank information delivery media in accordance with and subject to applicable laws and regulations.
  4. Consultation and Business Operation: for the purpose of conducting the Bank’s business operations involving consultation with the Bank’s professional advisors or external auditors, including legal advisors, financial advisors, and consultants, Group companies, and any party to whom the Bank is bound by a duty of confidentiality. In this regard, the Bank will use best endeavors to ensure the parties mentioned observe this Privacy Notice.
  5. Compliance with Legal Requirements: to fulfil the requirements of the know your customer principle, the Bank’s risk mitigation efforts, as well as the implementation of verification/authentication of the correctness of User data, as required under applicable laws and regulations.
  6. Regulatory Compliance: to comply with regulations or legal requirements, including for the administration of the Bank’s business activities, reporting to regulators, or inspection by the authorities, which are carried out in accordance with applicable laws in Indonesia.
  7. Research Analysis: to conduct research and statistical analysis relating to the Services, including the use of new technology.
  8. Internal Policies and Other Purposes: for other purposes in accordance with the Bank’s internal policies and regulations, or in accordance with the terms and conditions governing the relationship between the Bank and Users, which are carried out in accordance with applicable laws and regulations.

b. For the purpose of paragraph (a) above, we may include use of generative artificial intelligence models using data and/or information provided by User. Any interaction with artificial intelligence will be provided with further explanation to help User understand how the artificial intelligence model has processed User’s Personal Data and reached a particular decision.

Personal Data Processing Principles 
 

Processing of Personal Data will only be carried out by the Bank to the extent that the Bank has fulfilled one or more of the following processing bases:  

  1. The Bank has explicitly and legitimately obtained the consent of the User;
  2. The Bank exercises its rights and obligations under the agreement of the Services with the User;
  3. The Bank needs to exercise authority or fulfil obligations based on applicable laws and regulations or orders of authorised institutions;
  4. The Bank is obliged to fulfil the vital interests of the User;
  5. The Bank is obliged to carry out tasks in the context of public interest and/or public services;
  6. The Bank is obliged to fulfil other legitimate interests, while taking into account the balance between the Bank’s interests and the User’s rights; and/or
  7. The Bank is obliged to ensure appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Personal Data Management 

The Bank is committed to storing and managing Users’ Personal Data with the best protection for as long as necessary to provide our Services. We will perform Processing of User’s Personal Data for as long as the User is a customer or user of our Services. Furthermore, the User’s Personal Data will be retained for a minimum period of 5 (five) years after the end of the cooperation relationship with the User or for a longer period as long as such retention is necessary or required by Applicable Regulations (‘Retention Period’).

The Bank may delete and/or destroy the User’s Personal Data from our system so that the Personal Data no longer identifies the User, with the exception of: 

  1. If it is necessary to retain Personal Data to fulfil legal obligations, future evidentiary purposes, tax, audit, and accounting; and/or 
  2. Personal Data is still within the retention period based on applicable laws and regulations. 

When destroying Personal Data, we will take reasonable standard measures to destroy, erase, and render the Personal Data practically unrecoverable. The particular method of destruction will depend on the Personal Data being destroyed, how the Personal Data was collected and stored. 

Information Sharing 

When required, the Bank may share the User’s personal information among the Business Group, and/or third parties who cooperate with us and/or the Business Group in order to carry out the Bank’s business activities (‘Business Partners’), for the purposes set out in the Use of Personal Data Section. We may also forward the User’s Personal Data to financial supervisory institutions, legal entities, authorities or government in accordance with the applicable laws and regulations.  

Cross-Border Personal Data Processing 

For the purpose of Processing Personal Data as we have mentioned in the Use of Personal Data section, we may process User’s Personal Data outside Indonesia. In the implementation of the transfer of User’s Personal Data outside Indonesia, we will ensure that the transfer destination country has the same or higher level of protection of Personal Data than the protection of Personal Data in Indonesia. In the event that the transfer destination country does not have an equivalent or higher level of Personal Data protection, we will implement adequate and binding Personal Data protection (such as entering into a contract with the transferee of User’s Personal Data and/or written provisions and/or instruments), or in the event that it is still not fulfilled, the Bank may still transfer Personal Data outside Indonesia based on the consent of the User.  

The Bank has implemented Personal Data protection which is periodically reviewed from time to time to ensure the security of User’s Personal Data and ensure that the User can obtain his/her rights as a Personal Data Subject in accordance with Applicable Regulations. If the User requires details of how the Bank protects User’s Personal Data, we can provide it upon request.  

It is important to note that the transfer of Personal Data outside Indonesia is not completely free from any risk, including risk of interference from unauthorised parties. Notwithstanding, we assure you that we have fulfilled all the requirements to conduct cross-border Personal Data transfer and Processing according to Applicable Regulations, and supported by a proper, reliable, and secure electronic system to protect the User’s Personal Data to the utmost care. 

Personal Data Security 

The Bank is committed to ensuring that the User’s information or Personal Data obtained through the Bank’s Services remains secure during the Processing of Personal Data (and during the Retention Period). In implementing this commitment, the Bank has implemented procedures and uses an electronic system equipped with an adequate level of security as required by the Applicable Regulations, including limiting access to User Personal Data which can only be done by parties who obtained the authority based on the need to know or providing User with the Service. Parties who process User’s Personal Data will only do so in a permitted manner and limited purpose, and are required to maintain the confidentiality and security of User’s Personal Data as required under the Applicable Regulations. 

In the event that the User accesses the Bank’s Services or products via our Bank’s APP, please ensure that the User downloads the Bank’s APP from the official Apple App Store or Google Play Store, and not from any links provided by unauthorized parties. Additionally, the Bank may require the User to: 

  1. Enter the Login Password and/or Transaction MPIN and/or use biometric access before the User accesses the Bank’s Services; 
  2. Maintain the confidentiality of the Login Password and/or Transaction MPIN and not disclose them to anyone; and/or
  3. Contact the Bank in the event that the User’s Login Password and/or Transaction MPIN is blocked, and follow the Bank’s instructions to reactivate the Bank’s Services or products. 

It is important to note that the transmission of information online is not completely secure and risk-free. Although we have made our best efforts to protect the User’s Personal Data, there remains a potential risk to the security of the data/information that the User transmits through the network being used. Once we receive the data/information from the User, we will implement strict procedures and secure features in an effort to prevent unauthorized access. 

In the event of any unauthorized access or illegal activity concerning the confidentiality of the User’s Personal Data that is beyond the Bank’s control, the Bank will promptly notify the User at the earliest opportunity within 72 hours of the discovery, allowing the User to mitigate the risks arising from such incidents. 

The User is responsible for maintaining the confidentiality of the details of their information and Personal Data, including username, password, email, and OTP, and for ensuring and being accountable for the security of the devices used. 

User Rights 

The User has the rights to: 

  1. Access and request a copy of their Personal Data, including obtaining and/or using their Personal Data in a form that is structured and/or in a commonly used or machine-readable format, for which we reserve the right to charge a reasonable fee to fulfill this request; 
  2. Request that we correct any inaccurate data, complete any incomplete Personal Data, or update Personal Data. However, we may not accommodate requests to alter Personal Data if we believe that such changes would violate any legal regulations or requirements or cause the information to become inaccurate;  
  3. Submit a complaint to a data protection authority or other independent regulator regarding how we use the User’s Personal Data, and seek compensation and the fulfillment of obligations by the Data Controller for any breaches in the Processing of Personal Data. 
  4. Request that we cease processing, delete, and/or destroy their Personal Data if it is no longer necessary for the purposes outlined in the Personal Data Usage section or if there is no other legal basis for the Processing of Personal Data, provided that this request is not restricted by applicable regulations. Upon receiving a request for cessation, deletion, and/or destruction, we will confirm receipt and subsequently confirm once the User’s Personal Data has been deleted and/or destroyed as required by Applicable Regulations. As a consequence, the User may no longer be able to receive or use our Services if they choose to delete or destroy their Personal Data, either partially or entirely; 
  5. Object to our use of their Personal Data for direct marketing purposes (including related profiling) or any other processing based on legitimate interests; 
  6. Object to decisions made solely on the basis of automated processing, including profiling, that produce legal effects or significantly impact the User. 
  7. Where applicable, delay or restrict the Processing of their Personal Data in a proportionate manner. If such a restriction is not feasible, we will inform the User accordingly. However, the User may still exercise other rights as outlined in this Privacy Notice, including withdrawing their consent for the processing of Personal Data, provided that the User has considered and accepted the potential consequences related to the provision of products and/or Services (if any);  
  8. In cases where processing is based on consent, withdraw their consent at any time regarding the Processing of their Personal Data by us. Upon receiving such a withdrawal of consent, we will confirm receipt and proceed with the process to cease the processing of the User’s Personal Data, provided that the User has considered and accepted the potential consequences related to the provision of products and/or services (if any). 

If the User wishes to exercise their rights or seek clarification regarding their rights, please contact us through one of the channels listed in the Contact Us section. 

Exercise of User Rights 

To exercise their rights, the User may submit a request by contacting one of the channels listed in the Contact Us section. Some exercises of rights may have consequences related to the provision of Services; therefore, we will confirm the User’s request, and/or the exercise of the User’s rights may be denied to the extent that such denial is permitted by Applicable Regulations. We will make every effort to facilitate the exercise of the User’s rights and/or provide confirmation and/or respond to the User’s request within the timeframe specified by the Applicable Regulations, which is no later than 3×24 (seventy-two) hours from the time we receive, among other things: a) a request to withdraw consent for the Processing of Personal Data; b) a request for correction of Personal Data; c) a request for access to Personal Data; and/or d) a request for a copy of Personal Data.   

Any exercise of the User’s rights as a Personal Data Subject regarding alleged violations by the Bank in the Processing of Personal Data must be submitted in writing to the Bank, in compliance with the terms and conditions required by Applicable Regulations. The Bank will then act upon and/or respond to the request within 3×24 (seventy-two) hours or such other time as permitted by Applicable Regulations and/or applicable civil procedure laws, starting from the time the Bank receives the User’s request for compensation, with the Central Jakarta District Court Registry selected as the place for dispute resolution. 

Acting on Behalf of Another Person 

The User is required to provide accurate data, information, and Personal Data to the Bank. Failure to provide certain data and/or information may result in the Bank being unable to fully provide Services to the User. 

When the User provides us with Personal Data about another person (or someone else), the User represents that they have been authorized and empowered by that person to provide their Personal Data and/or act on their behalf. The User ensures and warrants that the individual in question has understood and consented to their Personal Data being further processed in accordance with Applicable Regulations. This includes giving consent for: 

  1. Our processing of their Personal Data and any specific Personal Data (as described in the Personal Data Acquisition and Collection section above); and 
  2. The User receiving information protection notifications on their behalf. 

Direct Marketing 

The Bank and the Business Group may send information about our and the Business Group’s products and/or Services, as well as carefully selected third-party services, through the Bank’s official channels and directly to the User via various communication methods, including by mail or electronic means such as telephone, email, social media, or other electronic media, detailing products, services, and any special offers. We will only do this if the User has consented to be contacted through electronic or non-electronic means. 

Withdrawal of consent to receive direct marketing, whether through electronic or non-electronic means, can be done using one of the channels listed in the Contact Us section. Upon receiving a request to withdraw consent, we will confirm receipt and proceed to cease Processing the User’s Personal Data for such purposes. Please note, if the User opts out of receiving one form of direct marketing, we still reserve the right to send messages related to our Services, for other products or Services that the User utilizes. 

Contact Us 

The User may contact us through the following channels: 

BNI Call Center at: 

Telephone: +62 1500046 or Email: bnicall@bni.co.id 

Or visit the nearest BNI branch.  The Data Protection Officer appointed by PT Bank Negara Indonesia (Persero) Tbk can be contacted through BNI Call. 

© 1996-2003 P.T. BANK NEGARA INDONESIA (PERSERO) TBK.
UEN: S55FC1160D
All Rights Reserved