1. Introduction
This Personal Data Protection Policy outlines Mailtarget's commitment to protecting users' personal data as governed by Indonesia's Personal Data Protection Act (Personal Data Protection Act No. 27 of 2022). Mailtarget is committed to protecting the privacy and security of user personal data and ensuring that it is processed transparently, securely, and in accordance with applicable law.
1.1 User Trust and Security
We ensure personal data is managed with strict integrity and security to strengthen user trust.
1.2 Transparency and Legal Compliance
Mailtarget strives to provide clear information about personal data processing and ensure compliance with applicable law.
1.3 Respect for User Rights
We respect and facilitate users' rights regarding their personal data, including the right to access, correct, or delete such data.
1.4 Continuous Development
We periodically review and update our policies and practices to reflect changes in laws, technology, and commercial practices.
2. Definition of Personal Data
2.1 Meaning of Personal Data
Personal Data refers to information about an individual that is identified or can be identified directly or indirectly through electronic or non-electronic systems, as regulated in Article 1 of the Personal Data Protection Law.
2.2 Data Categories
Mailtarget categorizes personal data into two types according to Article 4 of the Personal Data Protection Law, namely general personal data and specific personal data.
2.2.1 General personal data managed by Mailtarget includes data such as full name, gender, nationality, email address, and personal data combined to identify an individual.
2.2.2 Specific personal data is limited to tax identification number (NPWP) data and payment data, and/or other data in accordance with applicable laws and regulations.
2.3 Data Management
Mailtarget manages personal data with strict protection principles, ensuring that processing is conducted for legitimate, transparent purposes and only within the necessary limits according to applicable legal provisions.
3. Collection and Use of Personal Data
3.1 Collection Purpose
Mailtarget collects personal data in a limited and specific manner to support legitimate operational objectives, such as service provision, fulfilling user requests, improving service quality, and fulfilling legal obligations. We ensure that data collection is carried out in a way that minimizes impact on user privacy.
3.2 Types of Data Collected
The data we collect may include names, addresses, email addresses, phone numbers, and other information as provided by you through forms within our application. We ensure that the data collected is relevant and not excessive in relation to the purposes of its collection.
3.3 User Rights
Users have the right to access, update, and delete their personal data. We are committed to facilitating these rights, providing information on data protection failures, and carefully reviewing user requests. See Section 6 for more details.
4. Data Processing
Personal data is processed in a limited and specific manner for clear, legitimate, and transparent purposes in accordance with applicable laws.
4.1 Legal Basis for Processing
Personal data processing is conducted based on informed user consent, obligations under agreements, legitimate legal interests, or fulfillment of legal obligations in accordance with applicable regulations. This refers to Article 16 of the Personal Data Protection Law.
4.2 Processing Principles
Personal data is processed lawfully and transparently. We ensure that data is only used for clear purposes and not used in a way that contradicts these purposes. We are committed to ensuring data accuracy and security and informing users about the purposes and processes of data processing.
4.3 Accuracy and Relevance
Mailtarget ensures that personal data processed is always accurate, complete, and compliant with the purpose of processing as stipulated in Article 29 of the Personal Data Protection Law. We proactively conduct verifications and updates on a regular basis to ensure accuracy. Users are also provided the facility to correct or update their data to support data integrity and relevance.
4.4 Protection and Security
In an effort to protect personal data in accordance with Article 35 of the Personal Data Protection Law, Mailtarget adopts comprehensive technical and organizational measures. This includes the use of encryption, the latest technology-based security systems, strict access controls, and risk management protocols to prevent unauthorized access, disclosure, or processing. We also ensure that privacy training and awareness are routinely provided to all employees.
4.5 Joint Processing
When processing personal data jointly with other controllers or cooperating with third parties, in the context of Article 51 of the Personal Data Protection Law, Mailtarget establishes agreements outlining each party's roles and responsibilities. We ensure that all data processors adhere to high security and privacy standards, and conduct audits and feasibility assessments regularly to maintain compliance with legal provisions and internal company policies.
By adhering to these principles, Mailtarget ensures personal data processing is conducted ethically, securely, and according to the Personal Data Protection Law, providing optimal protection for all managed personal data.
5. Legal Basis for Processing
Mailtarget is committed to ensuring that all personal data processing is conducted based on a legitimate legal basis according to Article 20 of the Personal Data Protection Law. This processing is based on the following principles:
5.1 User Consent
Mailtarget obtains clear and explicit consent from users before processing data. The consent process is conducted with complete transparency, ensuring users understand the purpose and nature of the data to be processed.
5.2 Contractual Execution
Personal data necessary for executing contracts between Mailtarget and users will be processed. This includes service agreements requiring data usage for the agreed purposes.
5.3 Legal Obligations Fulfillment
Mailtarget processes personal data when necessary to fulfill applicable legal obligations. This includes various legal compliance requirements mandated by regulation.
5.4 Vital Interests Protection
In situations where the vital interests of users or other individuals may be threatened, Mailtarget will process relevant personal data to provide necessary protection.
5.5 Mailtarget's Legitimate Interests
Processing is conducted for Mailtarget's or third parties’ legitimate interests, provided such processing does not override the rights and freedoms of users. The evaluation of legitimate interests is conducted carefully to ensure a fair balance.
Mailtarget complies with these provisions with the aim of protecting users' privacy rights while ensuring efficient and legitimate data processing.
6. User Rights
Mailtarget fully respects users' rights regarding their personal data and is committed to protecting these rights in accordance with the Personal Data Protection Act. These rights include:
6.1 Access and Clear Information
Users have the right to obtain transparent and clear information about their personal data management, including the identity of the data controller, legal basis, and processing purposes.
6.2 Data Correction and Update
Users have the right to complete, update, or correct their personal data to ensure that the information stored by Mailtarget is accurate and current.
6.3 Data Halt and Deletion
Users have the right to request the halt or deletion of their personal data if no longer necessary or relevant and under certain conditions as per regulation.
6.4 Consent Withdrawal
Users have the right to withdraw their consent for data processing at any time, without affecting the legality of processing based on consent before withdrawal.
6.5 Raise Objections and Processing Limitations
Users have the right to object to the processing of their personal data, including decisions made automatically, and to request processing limitations under certain situations.
6.6 Data Transfer
Users can obtain and transfer their personal data to another data controller in a secure and structured manner, ensuring interoperability of information systems.
6.7 Compensation and Complaint Submission
In case of a violation, users have the right to file compensation claims and submit complaints to the relevant authorities, as well as receive fair and speedy handling of such complaints.
6.8 Mailtarget Data Access and Change Restrictions
Mailtarget strictly protects personal data and may refuse requests to access or change data if doing so could potentially endanger the security or the physical or mental health of users and other individuals. We will also refuse if such action discloses personal data belonging to others without permission or is contrary to the interests of national defense and security. This policy ensures that user security and privacy are met in accordance with Article 33 of the Personal Data Protection Act.
Mailtarget is committed to facilitating the exercise of these rights through efficient procedures, supporting transparency, and maintaining the integrity and confidentiality of users' personal data.
7. Data Retention
Mailtarget is committed to managing user data effectively and in accordance with data retention regulations prescribed by the Personal Data Protection Law. Further information about data retention can be found in Mailtarget's official policy in the MTARGET Data Protection Policy.
7.1 Data Storage
Data storage is carried out according to relevance and effectiveness for legitimate purposes. All data is stored considering strict security and privacy policies.
7.2 Retention Limitations
Personal data is managed within a determined time period according to operational standards and business needs, as stipulated in Article 42 of the Personal Data Protection Law. After the retention period ends or the processing purpose is achieved, data will be reviewed for deletion or destruction.
7.3 Deletion and Update
Mailtarget implements data deletion or updating mechanisms to maintain a balance between efficiency and security. Data that is no longer relevant will be deleted or updated to maintain the integrity and accuracy of information as per Article 44 of the Personal Data Protection Law.
8. Data Security
Mailtarget has a strong commitment to user data security, implementing measures following the Personal Data Protection Act and international standards like GDPR. We ensure personal data is managed with diligence and maximum protection.
8.1 Protection and Security per Standards
We ensure data protection from unauthorized access, disclosure, or alteration in accordance with Article 16 of the Personal Data Protection Law. We use the latest and standardized security systems, are ISO 27001:2013 certified, and use encryption technology to protect personal data from cyber threats and illegal access.
8.2 Strict Access Management
Access to personal data is restricted only to authorized personnel and for predetermined purposes. We utilize two-factor authentication and role-based access control to tighten information security.
8.3 Periodic Audit and Monitoring
Referring to Article 37 of the Personal Data Protection Law, Mailtarget conducts regular audits and monitoring of all data processing activities to ensure that all activities comply with established security standards.
8.4 Vulnerability Testing and Risk Assessment
Mailtarget regularly conducts vulnerability testing and risk assessment, following Article 34 of the Personal Data Protection Law, to identify potential threats and take mitigating actions.
8.5 Data Confidentiality
According to Article 36 of the Personal Data Protection Law, ensuring data confidentiality is a priority. Personal data is treated as confidential information and can only be accessed by authorized personnel.
8.6 Availability and Disaster Recovery
We ensure data is accessible whenever needed, with disaster recovery mechanisms designed to maintain data availability even if operational disruptions occur.
8.7 Data Security Notification
Mailtarget implements early detection systems and real-time alert systems to report security failures. If a data security breach occurs, Mailtarget will notify affected users and related authorities within 3x24 hours, including breach details and corrective actions:
8.7.1 Proactive Response
In the event of an incident related to user information, proactive response steps will be taken.
8.7.2 User Notification
Users will be given notification in a timely manner to ensure transparency.
8.7.3 Recovery Guidance
Mailtarget will provide guidance related to necessary prevention and recovery steps.
Mailtarget is committed to ensuring users' personal data security by adhering to all applicable international standards and local regulations, providing comprehensive protection across all digital security aspects.
9. Data Transfer
Mailtarget understands the importance of keeping personal data secure when it must be transferred, both domestically and cross-border. We comply with strict regulations to ensure data transfer is conducted safely and in accordance with the Personal Data Protection Act.
9.1 Legal Compliance
Each data transfer is conducted in accordance with applicable legal requirements, including obtaining consent from users if necessary and ensuring the destination country (if outside Indonesia) has adequate data protection in accordance with Article 21 and Article 55 of the Personal Data Protection Law.
9.2 Security during Transfer
Personal data is protected during transfer using encryption methods and strong security protocols to prevent unauthorized access and ensure data integrity.
9.3 Strict Control and Procedures
We implement stringent controls and procedures to ensure that data transfer is only conducted with trusted third parties that have data protection policies aligned with Mailtarget's standards.
9.4 Agreements with Third Parties
Any third party receiving data from Mailtarget must meet security and privacy commitments specified in the data agreements to ensure consistent data protection according to Article 51 of the Personal Data Protection Law.
9.5 Monitoring and Reporting
Data transfer is monitored regularly to ensure compliance and process efficiency. If a violation occurs, we have a quick reporting and response mechanism to handle the incident.
10. Termination of Data Collection and Data Deletion
Mailtarget upholds data protection principles by ensuring that the termination of data collection and the deletion of data are conducted ethically and in accordance with the Personal Data Protection Act.
10.1 Data Collection Termination
Data collection is terminated after processing purposes are achieved or based on user requests. We ensure this process is transparent and easily accessible for users.
10.2 Deletion of Unnecessary Data
Personal data no longer necessary for its initial collection purpose will be deleted following the provisions of Article 44 of the Personal Data Protection Law. This includes data for which the retention period has expired or is no longer relevant.
10.3 Right to Request Deletion
Users have the right to request the deletion of their data, especially if the data is no longer relevant or if the user withdraws consent for its processing per Article 8 of the Personal Data Protection Act.
10.4 Security during Deletion
The data deletion process is conducted using methods that ensure data cannot be recovered or accessed again, maintaining the confidentiality and security of personal information until the end.
10.5 Documentation and Reporting
All data termination and deletion activities are documented and monitored to ensure no procedural violations occur. In case of an incident, we promptly take mitigation steps and report it in accordance with regulations.
11. Protection of Children and Persons with Disabilities
Mailtarget responsibly safeguards the personal data of children and persons with disabilities as per the Personal Data Protection Act.
11.1 Special Treatment for Children’s Data
Children's personal data is processed with special attention. We require parental or legal guardian consent before processing children's data, ensuring all purposes and uses are clearly explained in accordance with Article 25 of the Personal Data Protection Law.
11.1.1 Guardian Consent
All child data processing activities require explicit, informed consent from parents or guardians.
11.2 Processing Data of Persons with Disabilities
Personal data of persons with disabilities is treated with special policies. Communications and processing are conducted in a way that considers their unique needs, requiring consent from the person with a disability or official guardian following Article 26 of the Personal Data Protection Law.
11.2.1 Access and Communication
We provide accessible communication methods for people with disabilities, ensuring information can be obtained in a manner that is suitable and comfortable for them.
11.3 Confidentiality and Security
Children’s and persons with disabilities’ data is managed with a high level of confidentiality and protection, maintaining the integrity and security of information at all times.
12. Data Controller Liability Exceptions
In fulfilling personal data protection obligations, Mailtarget acknowledges that certain situations require exceptions to the data subjects' rights, following the Personal Data Protection Act.
12.1 National Security and Defense
Personal data may be processed without consent in cases involving national defense and security interests.
12.2 Law Enforcement
Exceptions apply within law enforcement processes requiring data processing as part of an official investigation.
12.3 Public Government Interests
To facilitate public government interests, data may be used as needed without further consent.
12.4 Financial Supervision
Data processing can be conducted for interests related to financial services supervision, monetary matters, payment systems, and financial stability.
12.5 Scientific Research and Statistics
Exceptions may apply to personal data used in statistical and scientific research activities, where subjects' privacy and anonymity are maintained.
13. Data Protection Officer (DPO)
Mailtarget appoints a Data Protection Officer (DPO) responsible for ensuring compliance with data protection regulations and acting as a contact person for users. We ensure compliance with standards like ISO 27001:2013 and continuously update related documentation.
13.1 Appointment of Personal Data Protection Officer
A professional DPO who is knowledgeable in law and data protection practice is selected. Their primary task is to ensure Mailtarget complies with all legal provisions related to personal data processing according to Article 53 of the Personal Data Protection Law.
13.2 DPO's Main Functions
According to Article 54 of the Personal Data Protection Law, the DPO is responsible for:
13.2.1 Providing advice and information to data controllers about legal obligations.
13.2.2 Ensuring Mailtarget's internal policies comply with the Personal Data Protection Act.
13.2.3 Providing advice on data protection impact assessment and monitoring related performance.
13.2.4 Coordinating and acting as a contact point with data protection authorities and responding to issues related to data processing.
13.3 Risk-based Approach
In performing their duties, the DPO considers risks related to data processing by understanding the context and processing objectives and providing appropriate mitigation advice.
Through this commitment, Mailtarget ensures all data-related activities are conducted with full compliance with legal standards, prioritizing the protection of users' personal data.
14. Policy Updates
Mailtarget is committed to regularly updating its personal data protection policy to ensure it aligns with regulatory changes and best practices.
14.1 Routine Review
This policy will be reviewed regularly to ensure it remains relevant and effective, considering the latest legal and technological developments.
14.2 Transparency and Notification
Any significant changes to the data protection policy will be communicated to users through appropriate communication channels, ensuring transparency and clear understanding.
14.3 Ongoing Commitment
Mailtarget remains committed to protecting users' personal data and enhancing data security practices in line with implemented policy changes.
15. Contact Information
For questions or requests related to Personal Data Protection, users can contact Mailtarget via email: [email protected]