Banks will need to revisit their product terms and conditions and disclosures to ensure that they contain all the information required for customers to consent.
The recently enacted Personal Data Protection (PDP) Law No. 27/2022 gives consumers new hope for adequate protection of their data. Businesses, including financial services providers who use consumer personal data in the course of their business, must have a solid understanding of this law, especially if they process data not only to comply with the regulation but also to grow and benefit their business.
The PDP is not new to the financial services sector, especially banks. Many of the requirements stipulated in this law are already mandated by a number of implementing regulations under the Banking Law. Meanwhile, rules under the Law on Electronic Information and Transactions apply to banks that use financial and information technology in their services.
Banks that have operated in compliance with current regulations will find it relatively easy to make the necessary adjustments to comply with this PDP law. However, there are several aspects of this law that require more attention in order to be impactful and useful not only for consumers as the personal data owner or data subject, but also for banks in achieving their business objectives.
The first is the concept of personal data. According to the law, personal data is data about individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly, via an electronic or non-electronic system.
Customer data processed by banks includes not only individual customer data but also corporate customer data. Corporate customer data includes, among other things, the company's name, phone number and address, as well as a list of the board of directors, commissioners and shareholders. Although this law does not apply to company data, it does apply to the processing of data of individuals associated with the company.
The second is the rules concerning processing. This law specifies two parties who can conduct processing activities: the controller and the processor. While the controller determines the purposes for and has control over processing, the processor can carry out processing on the order of the controller and on the controller's behalf.
According to this provision, the bank, as a controller, has the authority to perform a variety of operations on the customer data it manages, such as filtering and analysis, storage, updates, transfers, dissemination, disclosure and deletion.