Terms of Use

Privay Notice

Cookies Notice

Privacy Notice for Vendors

PT Fajar Surya Wisesa Tbk dan PT Dayasa Aria Prima (hereinafter collectively referred to as “we”) respect the rights to privacy of all individuals. To ensure that your personal data is protected, we have created this privacy notice to provide information on the collection, use, disclosure, deletion, and destruction of your personal data in electronic and other formats under Law No. 27 of 2022 on Personal Data Protection and other applicable laws and regulations pertaining to personal data protection in Indonesia (“PDP Laws”).

1. Definitions.

  • 1.1. “We” means PT Fajar Surya Wisesa Tbk. and/or PT Dayasa Aria Prima.
  • 1.2. “You” means individual vendors, directors of our corporate vendors, and operators and staff of vendors.
  • 1.3. “Processing” means collecting, analyzing, storing, correcting, updating, displaying, announcing, transferring, disseminating, using, disclosing, deleting, and/or destroying personal data.
  • 1.4. “Personal data” means any data relating to an identified or identifiable natural person that can be identified on its own or in combination with other information directly or indirectly through an electronic or non-electronic system.

2. Purposes of Processing

  • 2.1. Contractual Necessity: We process your personal data to perform contracts between us and our vendors.
  • 2.2. Legitimate Interests: We process your personal data to pursue our legitimate interests or those of third parties. Examples include:
    • (1) Contract Performance: To perform contracts with our vendors, including procurement, inspection, payment for goods and services, relationship management, and evaluation of work as specified in purchase orders, contracts, or other procurement-related documents.
    • (2) Business Operations: To manage, develop, and conduct our business operations, including website and application administration, research (e.g., interviews, questionnaires), fraud prevention and detection, crime prevention, and IT system maintenance.
    • (3) Security: To protect security through measures such as personal data protection, access control, and identity authentication when you log in to your user account.
    • (4) Marketing Research and Data Analysis: To conduct marketing research and data analysis, including sending news and privileges via emails, SMS, applications, social media, telephone, and direct mail, and conducting questionnaires and interviews with you.
    • (5) Legal Claims: To establish, exercise, or defend legal claims for you or us.
  • 2.3. Vital Interests: We process your personal data to protect your vital interests or those of another person, such as making contact in an emergency and controlling and preventing disease.
  • 2.4. Legal Compliance: We process your personal data to comply with the legal obligations to which we are subject.
  • 2.5. Public Interest: We process your personal data to perform a task carried out in the public interest or the exercise of official authority vested in us.
  • 2.6. Consent: We process your personal data based on your consent for specific purposes, which will be communicated to you when obtaining consent. More information about your consent and its implications can be found in the subsequent sections of this privacy notice.

3. Personal Data We Collect

  • 3.1. Sources of Data Collection: We collect personal data directly from you and indirectly from reliable sources such as public organizations, companies in the SCG Group, recruitment platforms, business partners, individuals who can legitimately disclose your personal data, and trusted service providers.
  • 3.2. Data from Vendors: When you contact us or when you (or a corporate vendor) supply products or services to us, we collect the following personal data:
    • (1) Contact Information: Email address, telephone number, office address, social media account, instant messaging account (e.g., information available on your business card).
    • (2) Identity Verification Information: ID cards, ID number, title, name, date of birth, mobile number, email, photograph, and identification information.
    • (3) Work-Related Information: Employment details, information related to managing your work safety, hygiene, and environment, bank account (for payment), remuneration, occupation, position, driving license, credentials, Information about past clients you have served and their references, and other personal data you have provided to us when contacting us or supplying products or services.
    • (4) Identification Information: Citizen identification number, passport number, driver’s license number, social security number, national insurance number, taxpayer identification number, and other government-issued identification numbers.
    • (5) Immigration and residency Information: Stay permit, residence permit, work permit, visa, and similar paperwork.
  • 3.3. Data from Premises Visits: When you visit our premises, we collect, monitor, and process your images and video recorded by CCTV in designated areas. We will display signage to notify you about the areas where CCTV operates.
  • 3.4. Data from Contact and Participation: When you contact us or participate in any activity with us, we collect the following personal data:
    • (1) Personal Information: Name, date of birth, photograph, identification card number, passport number.
    • (2) Contact Information: Telephone number, email, address, instant messaging account.
    • (3) Complaint Information: Details regarding your complaints.
    • (4) Participation Part Information: Information about your participation in our activities, including the history of previous activities and photographs taken.
  • 3.5. Other Data: Tax identification number, family card, and photographs taken during your participation in our workshops or work with us.
  • 3.6. Additional Data Collection: If we need to collect additional personal data, we will notify you and process the data in compliance with PDP Laws.
  • 3.7. Specific Personal Data: We may need to collect and process specific personal data, including:
    • (1) Personal financial data.
    • (2) Facial recognition or fingerprint data to verify your identity.
    • (3) General health data (e.g., food allergies, drug allergies, vaccinations) for event organization, accommodation, and compliance with legal and regulatory requirements.
    • (4) Criminal offense data.
  • 3.8. Third-Party Data Disclosure: If you disclose the personal data of others to us, you must be able to do so lawfully and comply with PDP Laws, including informing the data subjects of this privacy notice and other relevant documents and obtaining necessary consent before or at the time of disclosure.

4. Cookies

  • 4.1. We use cookies and similar technologies to collect personal data as specified in our Cookies Notice.

5. Consent, Withdrawal, and Consequences

  • 5.1. Right to Withdraw Consent: If we rely on your consent to process personal data, you can withdraw your consent at any time. Withdrawal will not affect the validity of processing carried out before the withdrawal.
  • 5.2. Consequences of Withdrawal or Refusal: Withdrawing your consent or refusing to provide certain information may result in our inability to fulfill some or all objectives stated in this privacy notice.
  • 5.3. How to Withdraw Consent: You can withdraw your consent by following the instructions provided in the channels where consent was obtained (e.g., changing settings in your user account) or by sending an email to data.privacy@fajarpaper.com or data.privacy@dayasa.co.id.
  • 5.4. Consent for Minors and Incapacitated Persons: If you are a minor, incompetent person, or incapacitated person and wish to give consent, you must obtain authorization from your guardians or conservators before giving consent.
  • 5.5. Giving Consent on Behalf of Others: If you consent on behalf of another person, you must have the legal authority to do so when consent is given.

6. Retention Period

  • 6.1. Data Retention Duration: We will retain your personal data for the period necessary to meet the stated objectives. We may retain certain data for up to 30 years to defend against legal claims. If the retention period is unclear, we will retain the data for a customary period in accordance with retention standards.
  • 6.2. Data Deletion and Destruction: We have established an auditing system to delete or destroy your personal data when the retention period expires or when it becomes irrelevant or unnecessary for the purposes it was collected.
  • 6.3. Retention After Withdrawal of Consent: If your personal data is processed based on consent, we will stop processing it upon your withdrawal of consent. However, we may retain your personal data to record your withdrawal and respond to future requests.

7. Disclosure of Your Personal Data

  • 7.1. Recipients of Personal Data: We disclose and share your personal data with:
    • (1) Companies in the SCG Group, as listed in the most recent annual report available at https://scc.listedcompany.com.
    • (2) Individuals and entities other than the companies in the SCG Group, such as:
      • (a) Dealers
      • (b) Transport and logistics service providers
      • (c) Postal service providers
      • (d) Data processing service providers
      • (e) Marketing service providers (who might send promotional messages)
      • (f) Contractors performing tasks on our behalf
      • (g) Financial service providers (e.g., banks, payment companies, electronic payment service providers, credit providers)
      • (h) IT service providers (e.g., cloud services, blockchain systems, data analytics, SMS, or email providers)
      • (i) IT developers and programmers
      • (j) Auditors, consultants, and advisors
      • (k) Government agencies (e.g., Revenue Department, Anti-Money Laundering Office)
      • (l) Insurers
      • (m) Other relevant persons to enable us to conduct business, provide products and services, and meet the purposes of collecting and processing personal data as described in this privacy notice.
  • 7.2. Separate Privacy Notices: Recipients of your personal data listed in clause 7.1 may have their own privacy notices. Please read their privacy notices to understand how they process your personal data.
  • 7.3. Business Restructuring: If we restructure our business, sell or transfer assets, acquire businesses, or merge with other businesses, we may disclose your personal data to our counterparties and advisors. We will do our best to safeguard your data and require our counterparties and advisors to comply with PDP Laws and this privacy notice.
  • 7.4. Protection Measures: We will require recipients of your personal data to take appropriate measures to protect your personal data, process it properly and only as necessary, and prevent unauthorized use or disclosure.

8. International Transfer of Your Personal Data

  • 8.1. Purposes of Transfer: We may send or transfer your personal data to SCG Companies or other entities located outside of Indonesia for the following purposes:
    • (1) You have explicitly consented to the proposed transfer after being informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards;
    • (2) The transfer is necessary for the performance of a contract between you and us or the implementation of pre-contractual measures taken at your request;
    • (3) The transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and another natural or legal person;
    • (4) The transfer is necessary for important reasons of public interest;
    • (5) The transfer is necessary for the establishment, exercise, or defense of legal claims;
    • (6) The transfer is necessary to protect your vital interests or those of other persons when you are physically or legally incapable of consent.
  • 8.2. Data Storage and Processing: We may store your personal data on servers or clouds outside Indonesia and use software or applications from service providers outside Indonesia. We ensure that unrelated parties do not access your personal data and require service providers to implement appropriate security measures.
  • 8.3. Compliance and Protection Measures: When transferring your personal data to a foreign country, we comply with PDP Laws and take measures to protect your data. We require recipients to implement protection measures, process the data only as necessary, and prevent unauthorized use or disclosure.

9. Security Measures

  • 9.1. Technical and Organizational Measures: We have implemented technical and organizational measures to protect your personal data from loss, misuse, unauthorized access, disclosure, or destruction. The measures include encryption and access restrictions to ensure only authorized personnel have access to your data and are trained on the importance of data protection.
  • 9.2. Comprehensive Security Measures: We maintain comprehensive security measures, including administrative, technical, and physical safeguards (such as access control and user access management), to prevent unlawful loss, access, use, alteration, or disclosure of personal data. We review and update these measures as necessary or when technology changes to ensure effective security.
  • 9.3. Protection of Specific Personal Data: If we process specific personal data, we will use our best efforts to impose appropriate security measures to protect the data.

10. Your Rights as Data Subjects

  • 10.1. Summary of Your Rights under PDP Laws: You have the following rights:
    • (1) Right to Information: To receive clear information about our identity, accountability, data processing purposes, and data processing basis.
    • (2) Right to Withdraw Consent: To withdraw consent you have given us at any time.
    • (3) Right to Access: To request to view and copy your personal data or disclose the source from which we obtained your personal data.
    • (4) Right to Data Portability: To request us to send or transfer personal data in electronic form to other data controllers as required by PDP Laws.
    • (5) Right to Object: To object to our collection, use, or disclosure of your personal data.
    • (6) Right to Erasure: To request us to delete, destroy, or anonymize your personal data.
    • (7) Right to Restriction: To request us to suspend the use of your personal data.
    • (8) Right to Object to Automated Decision-Making: To object to decisions based solely on automated processing that have legal consequences or significantly affect you.
    • (9) Right to Rectification: To request us to correct your personal information to ensure it is current, complete, and accurate.
    • (10) Right to Lodge Complaints: To file complaints with the Personal Data Protection Authority if we, our data processors, employees, or contractors violate or do not comply with PDP Laws.
  • 10.2. Processing of Rights Requests: We will consider your request, notify you of the result, and execute it (if appropriate) within the period set by PDP Laws from the date we receive the request. Your rights will be processed following PDP Laws.
  • 10.3. How to Exercise Your Rights: You can contact us that handle your personal data to exercise your rights by sending an email to the email address as provided in the item 11.3 (Contact Information).

11. Information about the Data Controller and Data Protection Officer

  • 11.1. Data Controllers: We are the data controllers of this privacy notice.
  • 11.2. Business Address: Jl. Abdul Muis No.32, Jakarta 10160, Indonesia.
  • 11.3. Contact Information: You can contact the data controllers or inquire about this privacy notice by emailing to:
    • – For inquiries related to PT Fajar Surya Wisesa Tbk.: data.privacy@fajarpaper.com;
    • – For inquiries related to PT Dayasa Aria Prima: data.privacy@dayasa.co.id.

12. Miscellaneous

  • 12.1. Amendments to the Privacy Notice: If this privacy notice is amended, we will announce the new privacy notice on our website or through other channels. The new privacy notice will be effective immediately on the date of announcement.