Introduction


PT Reasuransi Indonesia Utama (Persero), also known as "Indonesia Re", recognizes the importance of personal data protection as regulated under Law No. 27 of 2022 concerning Personal Data Protection.

Indonesia Re is committed to implementing Personal Data Protection for all data related to an individual's personal data, which is involved in one or more Business Processes within Indonesia Re.

The scope of the regulated data refers to all personal data within the scope of Indonesia Re, whether in electronic or non-electronic form.

Personal Data Protection Principles


  1. Protection: This means that every processing of Personal Data is carried out by providing protection to the Data Subject regarding their Personal Data, and ensuring that such Personal Data is not misused.
  2. Legal Certainty: This means that every processing of Personal Data is conducted based on a legal basis to realize Personal Data Protection and all matters supporting its implementation, so that it gains legal recognition inside and outside of court.
  3. Public Interest: This means that in Personal Data Protection, public or broader societal interests must be considered. Such public interests include, among others, the interests of state administration and national defense and security.
  4. Benefit: This means that the regulation of Personal Data Protection must be beneficial for the national interest, particularly in realizing the ideal of public welfare.
  5. Prudence: This means that all parties involved in the processing and supervision of Personal Data must pay attention to all aspects that have the potential to cause losses.
  6. Balance: This means that Personal Data Protection is implemented to balance the right to Personal Data on one hand, with the legitimate rights of the state based on public interest on the other.
  7. Accountability: This means that all parties involved in the processing and supervision of Personal Data act responsibly, thereby being able to guarantee a balance of the rights and obligations of the related parties, including the Data Subject.
  8. Confidentiality: This means that Personal Data is protected from unauthorized parties and/or from unlawful Personal Data processing activities.

Responsibilities and Roles


  1. Responsibilities for the implementation of personal data protection include responsibilities in:
    1. Planning the implementation of personal data protection
    2. Monitoring and Evaluation of the implementation of personal data protection
    3. Reporting on personal data protection
    4. Acquisition and Collection of personal data
    5. Processing & Analysis of personal data
    6. Storage of personal data
    7. Correction and updating of personal data
    8. Display, announcement, transfer, dissemination, or disclosure of personal data
    9. Deletion/Destruction of personal data
    10. Fulfillment of data subject requests
  2. Roles in the implementation of personal data protection include:
    1. Data Subject
    2. Data Protection Officer – PDP Governance Officer
    3. Data Protection Officer – PDP Services
    4. Data Controller
    5. Data Processor
    6. Data Source
    7. Related Functions

Personal Data Protection Provisions


  1. The personal data protection rules are applied to personal data related to business processes conducted by the company, whether already stored or to be collected in the future.
  2. Personal Data Protection is implemented for all personal data within its scope, based on priorities, and in line with the provisions of the personal data protection governance policy.
  3. Personal data protection must be implemented within the compliance framework established in the information security management system policy and must refer to applicable data security standards.
  4. The planning of personal data protection must include the annual implementation plan for personal data protection provisions. This plan must cover the data scope and implementation milestones, the involved stakeholders, and the identification of critical issues related to the plan along with their mitigation strategies.
  5. The confidentiality level of the processed personal data must be determined to define the security mechanisms to be applied, referring to the applicable Data Security Guidelines.
  6. The established confidentiality level must be documented as metadata for each piece of personal data.
  7. For every stage of personal data processing, security mechanisms corresponding to the data confidentiality classification must be applied, referring to the applicable Data Security Guidelines.
  8. For personal data that was stored and collected in the past without the written agreement of the data owner, if processing of such data is required, the company must submit a request for data processing consent to the respective data owner.
  9. The request for data processing consent must provide at least 2 options: Agree and Disagree. Alternatively, an option to consent to only part of the request may be added.
  10. If the data owner mentioned in point 2 agrees to the request, the company may process the said data, but only for the purposes approved by the data owner.
  11. If the data owner mentioned in point 2 refuses or cannot confirm the consent request, the company is not permitted to process that personal data.
  12. Under the condition mentioned in point 5, if there is a situation that necessitates the company to process the data, the data can only be processed by removing personal identifiers from it, using a K-Anonymity mechanism.

Contact Us


For further information regarding Indonesia Re's Personal Data Protection, you can contact us at:

Indonesia Re Building
Jl. Salemba Raya No. 30
Central Jakarta 10430
Email: cosecretary@indonesiare.co.id