Introduction
Indonesia Re is committed to implementing Personal Data Protection for all data related to an individual's personal data, which is involved in one or more Business Processes within Indonesia Re.
The scope of the regulated data refers to all personal data within the scope of Indonesia Re, whether in electronic or non-electronic form.
Purpose
Legal Basis
Personal Data Protection Provisions
- The personal data protection rules are applied to personal data related to business processes conducted by the company, whether already stored or to be collected in the future.
- Personal Data Protection is implemented for all personal data within its scope, based on priorities, and in line with the provisions of the personal data protection governance policy.
- Personal data protection must be implemented within the compliance framework established in the information security management system policy and must refer to applicable data security standards.
- The planning of personal data protection must include the annual implementation plan for personal data protection provisions. This plan must cover the data scope and implementation milestones, the involved stakeholders, and the identification of critical issues related to the plan along with their mitigation strategies.
- The confidentiality level of the processed personal data must be determined to define the security mechanisms to be applied, referring to the applicable Data Security Guidelines.
- The established confidentiality level must be documented as metadata for each piece of personal data.
- For every stage of personal data processing, security mechanisms corresponding to the data confidentiality classification must be applied, referring to the applicable Data Security Guidelines.
- For personal data that was stored and collected in the past without the written agreement of the data owner, if processing of such data is required, the company must submit a request for data processing consent to the respective data owner.
- The request for data processing consent must provide at least 2 options: Agree and Disagree. Alternatively, an option to consent to only part of the request may be added.
- If the data owner mentioned in point 2 agrees to the request, the company may process the said data, but only for the purposes approved by the data owner.
- If the data owner mentioned in point 2 refuses or cannot confirm the consent request, the company is not permitted to process that personal data.
- Under the condition mentioned in point 5, if there is a situation that necessitates the company to process the data, the data can only be processed by removing personal identifiers from it, using a K-Anonymity mechanism.
Responsibilities and Roles
- The responsibility for implementing personal data protection includes responsibility for:
-
Planning the implementation of personal data protection
-
Monitoring and Evaluating the implementation of personal data protection
-
Reporting on personal data protection
-
Acquisition and Collection of personal data
-
Processing & Analysis of personal data
-
Storage of personal data
-
Correction and updating of personal data
-
Display, announcement, transfer, dissemination, or disclosure of personal data
-
Deletion/destruction of personal data
-
Fulfillment of data subject requests
-
- The roles in the implementation of personal data protection include:
-
Data Subject
-
Data Protection Officer – PDP Governance Officer
-
Data Protection Officer – PDP Services
-
Data Controller
-
Data Processor
-
Data Source
-
Related Functions
-
Personal Data Protection Provisions
-
Personal data protection rules are applied to personal data related to business processes conducted by the company, both data already stored and data to be collected in the future.
-
Personal Data Protection is implemented for all personal data within its scope, based on priorities, and in line with the provisions of the personal data protection governance policy.
-
Personal data protection must be implemented within the compliance framework established in the information security management system policy and must refer to applicable data security standards.
-
Personal data protection planning must include the planning for the implementation of personal data protection provisions on an annual basis. This plan must cover the data scope and implementation milestones, the involved stakeholders, and the identification of critical issues related to the plan along with their mitigation strategies.
-
The confidentiality level of the personal data being processed must be determined to define the security mechanisms applied, referring to the applicable Data Security Guidelines.
-
The established confidentiality level must be documented as metadata for each piece of personal data.
-
For each stage of personal data processing, security mechanisms corresponding to the data's confidentiality classification must be applied, referring to the applicable Data Security Guidelines.
-
For personal data that was stored and collected in the past without written agreement from the data owner, if processing of this data is required, the company must submit a request for data processing consent to the respective data owner.
-
The request for data processing consent must provide at least 2 options: 'Agree' and 'Disagree'. Alternatively, an option to 'Partially Agree' to the submitted request may be added.
-
If the data owner mentioned in point 8 agrees to the request, the company may process the data in question, but only for the purposes approved by the data owner.
-
If the data owner mentioned in point 8 refuses or cannot confirm the consent request, the company is not permitted to process that personal data.
-
Under the conditions mentioned in point 11, if a situation arises that requires the company to process the data, the data may only be processed by removing personal identifiers from it, using a K-Anonymity mechanism.
Personal Data Subject Rights
Types of Personal Data
- Prospective Employees: External personnel undergoing the recruitment process to become employees, through various recruitment methods conducted.
- Employees: Personnel serving as staff, both active and inactive, who have routine rights and obligations to the company. Employees include organic employees, contract employees, interns, personnel in work practice programs, and retirees.
-
Customers: Includes customers who are life insurance participants or general insurance participants.
-
Event Participants: Participants of activities organized by the company, both routine and occasional events. Events include activities such as free homecoming programs, survey activities, competitions, exhibitions, etc.
-
Partner's Persons in Charge (PIC): Personnel representing organizations that use products/services organized for B2B purposes. Partner PICs include PICs from ceding companies or reinsurance companies.
-
Supplier's (Vendor's) Persons in Charge (PIC): Personnel representing supplier/vendor companies.
-
SLR Program Recipients (Social and Environmental Responsibility): Personnel representing organizations or individuals who receive benefits from the SLR programs organized by the company.
-
Entity Visitors/Guests: External personnel entering the company's work area for a specific purpose.
-
Directors/Commissioners: Personnel holding strategic roles in the company. A special grouping for this personal data is due to the sensitivity of the data and the potential reputational risk arising from the misuse of personal data within this group.
Personal Data Storage Period
Personal Data Security Protection Statement
Contact Us
For further information regarding Indonesia Re's Personal Data Protection, you can contact us at:
Indonesia Re Building
Jl. Salemba Raya No. 30
Central Jakarta 10430
Email: cosecretary@indonesiare.co.id
Follow Us
