Privacy Notice for Customers

PT Fajar Surya Wisesa respects the privacy rights of all individuals. To protect your personal data, we have created this privacy notice to inform you about how we collect, use, disclose, delete, and destroy your personal data in both electronic and other formats, in compliance with Law No. 27 of 2022, on Personal Data Protection, and other applicable laws and regulations on personal data protection in Indonesia (“PDP Laws”).

    • “We” means PT Fajar Surya Wisesa.
    • “You” means individuals who are our customers or potential customers, as well as contact persons, legal representatives, directors, employees, staff, advisors of our customers or potential customers, or other individuals acting on behalf of customers or potential customers.
    • “Processing” means the activities of collecting, analyzing, storing, correcting, updating, displaying, announcing, transferring, disseminating, using, disclosing, deleting, and/or destroying personal data.
    • “Personal data” means any information relating to an identified or identifiable natural person that can be recognized on its own or in combination with other information either directly or indirectly, through an electronic or non-electronic system.
  1. Purposes of Processing
    • Contractual Necessity: We process your personal data as it is essential for fulfilling contracts between you and us. This includes:
      • Providing you with services and products
      • Managing your account
      • Making deliveries
      • Managing accounting and financial matters
      • Offering after-sales services
      • Processing returns or exchanges
    • Legitimate Interests: We process your personal data to pursue our legitimate interests or those of third parties. This includes:
      • Business Operations: Managing, developing, and conducting our business operations, including communication, administration and development, fraud prevention and detection, crime prevention, customer relationship management for current and potential clients, and maintaining information technology (IT) systems.
      • Security: ensuring your security through measures such as personal data protection, access control, and identity authentication when logging into your user account.
      • Marketing and Data Analysis: Conducting marketing research and data analysis, sending updates via email, chat applications, telephone, and direct mail, as well as engaging in communications with you.
      • Legal Claims: Establishing, exercising, or defending legal claims.
    • Vital Interests: We process your personal data to protect your vital interests or those of another person, such as making contact in an emergency and controlling and preventing disease.
    • Legal Compliance: We process your personal data to comply with legal obligations that apply to us.
    • Public Interest: We process your personal data to perform tasks carried out in the public interest or in the exercise of official authority granted to us.
    • Consent: With your consent, we process your personal data for additional activities: We process your personal data based on your consent for specific purposes, which will be communicated to you when consent is obtained. Further details about your consent and its implications are provided in the subsequent sections of this privacy notice.
  2. Personal Data We Collect
    • Sources of Data Collection: We collect personal data directly from you and indirectly from reliable sources such as public organizations, the companies in the SCG Group, business partners, individuals who can legitimately disclose your personal data, and trusted service providers.
    • Use of Services and Membership: When you use our services, purchase our products, join our loyalty program, we collect the following personal data:
      • Personal Information: ID cards, ID number, title, name, date of birth, mobile number, email, conversation history, and signature.
      • Contact Information: Email address, telephone number, office address.
      • Work-Related Information: Occupation, position, work experience.
      • Purchase Information: Purchase history, claim history, and complaints.
      • Provided Data: Personal data you have shared when contacting us, requesting after-sales services, or participating in our research or interviews.
    • Contact and Participation: When you contact us or participate in any activities with us, such as reaching out to our contact center, participating in a customer holiday trip program or event, or participating in our activities, we collect the following personal data:
      • Personal Information: Name, date of birth, photograph, identification card number, passport number, airline membership number, health information (food allergies).
      • Contact Information: Name, last name, telephone number, email, address.
      • Participation Information: Information about your participation in our activities, including your history of previous activities and photographs taken during your participation.
    • Specific Personal Data: If we need to process specific personal data (e.g., personal financial data, health data, biometric data, or other sensitive data as defined by law), we will clearly inform you of the types of data we collect and the reasons for processing, either in this privacy notice or through other appropriate channels. We will handle such data in strict compliance with the laws and regulations, applying appropriate safeguards to ensure its security and confidentiality.
    • Third-Party Data Disclosure: If you disclose the personal data of others to us, you must ensure that it is done lawfully and in compliance with PDP Laws. This includes informing the data subjects of this privacy notice and other relevant documents and obtaining necessary consent before or at the time of disclosure.
  3. Cookies
    • We use cookies and similar technologies to collect personal data as specified in our Cookies Notice.
  4. Consent, Withdrawal, and Consequences
    • Right to Withdraw Consent: If we process personal data based on your consent, you can withdraw it at any time. The withdrawal will not affect the validity of any processing done prior to the withdrawal.
    • Consequences of Withdrawal or Refusal: Withdrawing your consent or refusing to provide certain information may impact our ability to achieve some or all of the objectives outlined in this privacy notice.
    • How to Withdraw Consent: You can withdraw your consent by following the instructions provided in the channels where consent was originally obtained (e.g., changing settings in your user account) or by sending an email to data.privacy@fajarpaper.com.
    • Consent for Minors and Incapacitated Persons: If you are a minor, incompetent, or incapacitated person and wish to give consent, you must first obtain authorization from your guardians or conservators.
    • Giving Consent on Behalf of Others: If you are providing consent on behalf of another person, you must have the legal authority to do so at the time consent is given.
  5. Retention Period
    • Data Retention Duration: We will retain your personal data for as long as necessary to achieve the stated objectives. In some cases, we may keep certain data for up to 30 years to defend against legal claims. If the retention period is not specified, we will retain the data for a customary period according to standard retention practices.
    • Data Deletion and Destruction: We have implemented an auditing system to ensure that your personal data is deleted or destroyed once the retention period expires or when it is no longer relevant or necessary for the purposes for which it was collected.
    • Retention After Withdrawal of Consent: If your personal data is processed based on consent, we will stop processing it upon your withdrawal of consent. However, we may retain your personal data to document your withdrawal and respond to future inquiries.
  6. Disclosure of Your Personal Data
    • Recipients of Personal Data: We disclose and share your personal data with:
      • Companies in the SCG Group, as listed in the most recent annual report available at https://scc.listedcompany.com/ar.html.
      • Individuals and entities other than the Companies in the SCG Group, such as:
        • Dealers
        • Transport and logistics service providers
        • Postal service providers
        • Data processing service providers
        • Marketing service providers (who might send promotional messages)
        • Contractors performing tasks on our behalf
        • Financial service providers (e.g., banks, payment companies, electronic payment service providers, credit providers)
        • IT service providers (e.g., cloud services, blockchain systems, data analytics, SMS, or email providers)
        • IT developers and programmers
        • Auditors, consultants, and advisors
        • Government agencies (e.g., Revenue Department, Anti-Money Laundering Office)
        • Insurers
        • Other relevant individuals or entities necessary for us to conduct business, deliver products and services, and achieve the purposes of collecting and processing personal data as outlined in this privacy notice.
      • Separate Privacy Notices: The recipients of your personal data mentioned in clause 7.1 may have their own privacy notices. Please review their privacy notices to understand how they handle your personal data.
      • Business Restructuring: In the event of business restructuring, asset sales or transfers, business acquisition, or mergers, we may disclose your personal data to our counterparties and advisors. With best effort, we will protect your data and ask them to comply with PDP Laws and this privacy notice.
      • Protection Measures: We will require recipients of your personal data to implement appropriate measures to safeguard your data, process it properly and only as necessary, and prevent unauthorized use or disclosure.
  1. International Transfer of Your Personal Data
    • Purposes of Transfer: We may send or transfer your personal data to the companies in the SCG Group or other entities located outside of Indonesia for the following purposes:
      • You have explicitly consented to the transfer after being informed of the potential risks due to the lack of an adequacy decision and appropriate safeguards;
      • The transfer is necessary for fulfilling a contract between you and us or implementing pre-contractual measures requested by you;
      • The transfer is necessary for concluding or performing a contract in your interest between us and another natural or legal person;
      • The transfer is necessary for significant reasons of public interest;
      • The transfer is necessary for the establishment, exercise, or defense of legal claims;
      • The transfer is necessary to protect your vital interests or those of others when you are physically or legally incapable of giving consent.
    • Data Storage and Processing: We may store your personal data on servers or clouds outside Indonesia and use software or applications from service providers located outside Indonesia. We ensure that unauthorized parties do not access your personal data and require service providers to implement appropriate security measures.
    • Compliance and Protection Measures: When transferring your personal data to another country, we comply with PDP Laws and take necessary measures to protect your data. We require recipients to implement protection measures, use the data only as necessary, and prevent unauthorized access or disclosure.
  2. Security Measures
    • Technical and Organizational Measures: We have implemented technical and organizational measures to protect your personal data from loss, misuse, unauthorized access, disclosure, or destruction. These measures include encryption and access restrictions to ensure that only authorized personnel have access to your data, and they are trained on the importance of data protection.
    • Comprehensive Security Measures: We maintain comprehensive set of security measures, including administrative, technical, and physical safeguards (such as access control and user access management), to prevent unlawful loss, access, use, alteration, or disclosure of personal data. We regularly review and update these measures as necessary or when technology advances to ensure ongoing effectiveness.
    • Protection of Specific Personal Data: When processing specific personal data, we make every effort to implement appropriate security measures to protect this data.
  3. Your Rights as Data Subjects
    • Summary of Your Rights under PDP Laws: You have the following rights:
      • Right to Information: To receive clear information about our identity, accountability, data processing purposes, and the legal basis for processing your data.
      • Right to Withdraw Consent: To withdraw any consent you have previously given to us at any time.
      • Right to Access: To request access to view and copy your personal data or disclose the source from which we obtained your personal data.
      • Right to Data Portability: To request that we send or transfer personal data in electronic form to other data controllers as required by PDP Laws.
      • Right to Object: To object to our collection, use, or disclosure of your personal data.
      • Right to Erasure: To request the deletion, destruction, or anonymization of your personal data.
      • Right to Restriction: To request that we suspend the use of your personal data.
      • Right to Object to Automated Decision-Making: To object to decisions made solely based on automated processing that have legal consequences or significantly affect you.
      • Right to Rectification: To request correction of your personal data to ensure it is current, complete, and accurate.
      • Right to Lodge Complaints: To file complaints with the Personal Data Protection Authority if we, our data processors, employees, or contractors violate or do not comply with PDP Laws.
    • Processing of Rights Requests: We will review your request, notify you of the result, and, if appropriate, take action within the timeline set by PDP Laws from the date we receive the request. Your rights will be processed in accordance with PDP Laws.
    • How to Exercise Your Rights: You can exercise your legal rights by emailing your requests to data.privacy@fajarpaper.com.
  4. Information about the Data Controller and Data Protection Officer
    • Data Controllers: The data controller of this privacy notice is PT Fajar Surya Wisesa.
    • Business Address: The business address of the data controller is Jl Abdul Muis No.32, Petojo Selatan, Jakarta 10160.
    • Contact Information: You can contact the data controller or inquire about this privacy notice by emailing data.privacy@fajarpaper.com.
  5. Miscellaneous
    • Amendments to the Privacy Notice: If this privacy notice is updated, we will publish the revised notice on our website or through other communication channels. The new privacy notice will be effective immediately upon its announcement.