Search Content

Privacy Notice of PT XL Axiata Tbk.

(“Privacy Notice” atau “Notice”)

Document No.: CUS-PN-002

PT XL Axiata Tbk. (“XL Axiata”) is a telecommunications company legally domiciled in Indonesia, which is part of the Axiata Group Berhad (hereinafter referred to as "XL Axiata", or "us"). XL Axiata is the Data Controller of all personal information collected, unless stated otherwise. Contact details for XL Axiata are listed in the “Contact Us” section below.

In carrying out operational activities, we are always committed to protecting the personal data of parties related to XL Axiata, including the personal data of XL Axiata customers, contractors and business partners.

Our position on protecting your privacy can be summarized by the privacy protection principles below:

1. Applicability of the Privacy Notice

This Privacy Notice applies to personal information about yourself (“Personal Data”) that we collect, obtain, or process when you:

1. carry out business with XL Axiata, either as a contractor, vendor or XL Axiata business partner; and/or
2. become an XL Axiata customer, use XL Axiata products or services, use applications, visit XL Axiata facilities and/or websites.

In the case of a more specific privacy policy, the provisions related to privacy also follow that policy. We advise you to read this Privacy Notice together with our product/service terms and conditions as they may contain more specific information regarding those products/services.

In short, this Privacy Notice applies to:

1. All services offered by XL Axiata;
2. The entire XL Axiata administration system;
3. XL Axiata contractors, vendors and business partners;
4. Current and potential XL Axiata customers; and
5. Visitors to XL Axiata facilities.

2. Basis for Obtaining and Processing Personal Data by XL Axiata

In carrying out operational activities, XL Axiata is your Personal Data Controller who collects Personal Data based on legal grounds based on laws and regulations, and will depend on the type and purpose of collecting Personal Data.

In general, we collect and process Personal Data on several grounds, including:

1. Your agreement to this Privacy Notice;
2. To carry out operational activities as a form of fulfilling our contractual obligations to you, for example to provide network availability to your telephone number, process service bills to your credit card, and so on.
3. Carry out our obligations as controller of Personal Data in accordance with laws and regulations.
4. Carry out our obligations on the basis of legitimate interests while taking into account our objectives, needs and the balance of our interests and your rights.

If you have any questions regarding this matter, please contact us on the contact details provided in the "Contact Us" section below.

3. How XL Axiata collects your Personal Data

XL Axiata collects your Personal Data when you:

1. Collaborate with XL Axiata, for example in due diligence activities, registering your company in the procurement system and/or accounting and billing system, correspondence, registering your company to become an XL Axiata business partner.
2. Using XL Axiata's network, products and services.
3. Visit the facilities we provide, such as the office building and/or customer service center.
4. Ask questions as a customer, register, to obtain information or other services.
5. Respond to communications from us (such as SMS, electronic mail (email), questionnaires or surveys).
6. Interact with XL Axiata site, such as to learn about XL Axiata products and services, send application forms, fill out survey forms, use online services. (If your browser activates internet cookies, this can facilitate XL Axiata to track personal preferences, pages visited, and so on).
7. Participate on XL Axiata social media pages.
8. Participate in promotional events or XL Axiata loyalty programs.
9. Contact XL Axiata customer call center either physically, telephone or electronically to submit complaints or other services.

4. Personal Data that XL Axiata Collects from You

The Personal Data we may collect from you includes but is not limited to:

1. Contact information (such as full name, address, e-mail address and telephone number).
2. Identification information (such as date of birth, National Identity Card (KTP), Family Card (KK), passport, Taxpayer Identification Number (NPWP), Social Security Administration Agency (BPJS) number, Driving License (SIM), or other identifiers issued by the government).
3. Demographic information (such as age range, marital status, gender, nationality, religion, race, and ethnicity).
4. Photos and video recordings, such as photos and/or video recordings for documentation needs at the customer service center, photos that you submit for contests, the need for reporting on the implementation of agreements, as well as recordings from CCTV cameras.
5. Product- and service-specific information (such as preferences, closed user groups (CUGs), friends and family that you choose to include in your service package, credit limits).
6. Banking information (such as account numbers, credit card information, bill payment history).
7. Telecommunication information and XL Axiata services (such as call and SMS history, credit balance, transaction history, billing information, loyalty points).
8. Type and version of operating system, hardware version, device settings, software type, battery and signal strength, screen resolution, device identity (International Mobile Equipment Identity), brand and model, language, internet browser type and version, use and application version.
9. Geographical location information, such as the location obtained from your IP address or GPS, Base Station, Bluetooth or Wi-Fi signal, satellite, and the location of the telecommunications tower to which it is connected.
10. Some of our services use biometric information for identification or authentication. Biometric data can include fingerprint, voice, audio and/or video.
11. Information from and about the various technologies where our services are used (internet of things “IOT”), for example computers, phones and tablets, as well as devices that can be used interactively, connected technologies in homes or vehicles.

5. How XL Axiata use your Personal Data

We may obtain and process your Personal Data for the following purposes:

1. To provide our services and products:
   1. To provide products, services and offers that may be of interest to you.
   2. To inform you about benefits and changes to our products or services.
   3. To provide you with our latest offers, advertising and promotions.
   4. To respond and resolve your complaint.
   5. To understand how you use our services.
   6. To provide you with security updates, versions, features, options and controls related to your system or device.
2. To communicate with you:
   1. To send you service messages.
   2. When you participate in a survey.
   3. To provide notifications regarding your Personal Data, including in the event of a failure to protect your Personal Data.
   4. To send you information about our product and service offerings or those offered by third parties that we think may interest you.
3. In daily business operational activities:
   1. To process payments and respond to customer service requests.
   2. For research and studies related to our business operational activities.
   3. To perform accounting, auditing, reconciliation and billing activities, including law enforcement and crime prevention, protecting our and your legal rights, and carrying out our obligations under contracts to you and to our business partners.
4. For functionality, development and service improvement:
   1. To provide network connectivity, measure usage levels of our services, diagnose problems, and provide you with the latest security features.
   2. To test, modify, improve or develop new products, services and technologies and to identify existing trends.
   3. Contact you and examine and resolve any problems and complaints you encounter.
5. For advertising and marketing, as long as your data is relevant for these purposes:
   1. We may use your Personal Data to determine personalized product and service offerings specifically for you.
   2. We may use your device's physical location, combined with information about what advertisements you see and other information we obtain, to provide personalized content to you.
   3. You can choose to allow or reject these advertising offers. You can also refuse permissions requested via your device. However, if you choose to decline such offers and/or permissions, we may not be able to provide you with personalized services and content, which may benefit you.

6. Automated Decision Making

In some services and features, we use your Personal Data to generate automated decision making (including profiling) that may affect you. Automatic decisions are decisions regarding the provision and offering of services that are made automatically based on the results of algorithmic calculations, without any human intervention.

We use automated analysis to make predictions such as the types of products or services you may be interested in, or for profiling to prevent criminal activity. XL Axiata's artificial intelligence can lead to automatic processing of your Personal Data in various ways. If our automated decision-making initiatives or plans have significant consequences for you, we will implement measures to protect your rights, freedoms and interests, by conducting a Data Privacy Impact Assessment to identify measures that may appropriate to protect these rights, or obtain your consent as required by laws and regulations.

7. Information Regarding Children and Persons with Disabilities

Before using XL Axiata's network, products, and/or services, we will only collect and process Personal Data belonging to children under the age of 18 who have obtained approval from the parent or guardian of the owner of the Personal Data.

In the case of processing Personal Data belonging to persons with disabilities, consent can be given by the persons with disabilities concerned and/or their guardians.

8. Storage of Personal Data (Retention)

Personal Data that has been collected will be stored for the period necessary to fulfill the purposes stated above. We may retain your Personal Data to provide the services you have requested, or for other legitimate interests, such as complying with our legal obligations under laws and regulations and obligations from government authorities, resolving legal issues, and carrying out our business operational activities. The retention period for Personal Data is based on applicable legal requirements. However, if there are no relevant laws and regulations, your Personal Data will be stored for the required time. Furthermore, we may store this Personal Data in the form of printed or electronic copies.

We may store your data in data centers or archival storage facilities managed by us or by data storage service providers, for and on our behalf. All of our storage locations, systems and products are equipped with the necessary security controls to ensure the protection of Personal Data.

Retention periods may vary based on the type of information and legally required retention periods, the course of judicial proceedings, business conduct requirements, intellectual property rights exercise, agreements, operational requirements, and archiving. In the event that your Personal Data is deleted from our system, the data will be deleted or destroyed using appropriate security protocols so that it cannot be reconstructed or read again by unauthorized parties.

9. Third Party Sites and Services

This Privacy Notice does not discuss, and we are not responsible for, policies and practices carried out by third parties or other organizations that do not operate for and on behalf of XL Axiata, including policies and practices relating to privacy and security, collection, processing, use, storage and disclosure of Personal Data. This includes:

1. any third party that operates any platforms, websites, or services linked by XL Axiata services. The inclusion of a link on the XL Axiata service does not imply a relationship or affiliation between us and the platform or service provider.
2. application developers, application providers, social media platform providers, operating system providers, wireless service providers or telecommunications and network equipment manufacturers.

10. Security

We strive to process your information in a secure environment by preventing unauthorized or unlawful access. We also protect your Personal Data from loss or damage. We have implemented various types of physical, technical, and administrative safeguards to protect your Personal Data and our network from unauthorized access. These steps include:

1. Encryption while data is in transit or at rest.
2. Strict adherence to privacy and security practices.
3. ISO 27001 regarding Information Security Management Systems (ISMS) Certification.
4. Periodic data audits and reviews to improve our operational standards.
5. Restriction of access to Personal Data only to personnel on a need-to-know basis.

We require our suppliers and vendors to apply similar protections when they access or use the Personal Data we share with them. We also always encourage you and all users of XL Axiata services to protect the data, systems, networks and services they use. However, no technology, data transmission or system can be guaranteed to be 100% secure. Therefore, if you identify a leak of Personal Data, please notify us immediately in the manner listed in the "Contact Us" section below.

11. How XL Axiata Shares Your Information

We cooperate with other partners to provide services as part of fulfilling our obligations to you. When we share your Personal Data with our partners, we implement the necessary steps to limit the use of your Personal Data to lawful reasons only in accordance with this Privacy Notice, as well as adequate confidentiality and security measures. In addition to these purposes, we also share information with third parties to fulfill our legal obligations such as when requested by government authorities and to handle legal processes, to protect your vital interests, to carry out tasks in the public interest when requested by government authorities, public services, or the exercise of our authority based on laws and regulations, as well as to fulfill other legitimate interests by taking into account our goals, needs and the balance of our interests and your rights.

12. Corporate Action

We may disclose your Personal Data as part of our corporate actions to the extent necessary, such as in the event of a reorganization, merger, sale of company assets, establishment of a joint venture, transfer of all or part of our business, assets or shares (including in connection with bankruptcy). In the event of a corporate action that results in the transfer of Personal Data, we will notify you as required by law.

13. Communication Preferences and Choices

XL Axiata always takes necessary and reasonable steps to keep your Personal Data accurate, complete and up to date. You can choose not to receive promotional e-mails or other XL Axiata communications by contacting us at the contact details listed below. This choice does not apply to receiving product or service communications that are considered part of XL Axiata products or services (such as billing information or service expiration), unless you choose not to use the product or service anymore.

In addition, we do not require you to provide us with your Personal Data. The decision to provide Personal Data is voluntary. However, if you do not wish to provide the required Personal Data, you may not be able to continue activities or receive benefits from our services where such Personal Data is required.

14. Cross-border Transfers of Personal Data

We may transfer your Personal Data across geographic boundaries to other parties as long as we can ensure that the protection of their Personal Data is at the same level as we do. Transfer of Personal Data is carried out based on our standard contracts with data protection clauses or data transfer agreements with the same rights and obligations for the party receiving the information to protect the security and confidentiality of your Personal Data. XL Axiata does not share your Personal Data, except under the following conditions:

1. To Axiata group companies if necessary, and within the limits of applicable law.
2. As required by law, such as when it relates to judicial processes, dispute resolution, and/or similar legal processes.
3. With other operators we work with regard to call transfer or international roaming.
4. To protect our rights and protect your safety.
5. With our business partners in providing XL Axiata services, such as field technician providers, and contractors working for and on our behalf.
6. With our business partners in marketing activities for XL Axiata products and services, in which case no raw Personal Data is provided, because the information provided has generally been aggregated into aggregate data.
7. With third parties for educational, research and scientific development purposes.
8. With our sister companies, subsidiaries and affiliates, such as XL Axiata dealers.

In all cases, third parties must agree to strict obligations to maintain the confidentiality of Personal Data and use it only for the purpose for which it was obtained.

15. Exercise Your Rights

We respect your rights and privacy, and we always take the necessary steps to ensure that your personal data is always accurate and up to date. We guarantee you that:

1. You have the right to get information regarding clarity of identity, basis of legal interest, purpose of request and use of Personal Data, and accountability of XL.
2. You have the right to complete, update and/or correct errors and/or inaccuracies of Personal Data about you.
3. You have the right to access and request a copy of your Personal Data, in accordance with our policy in requesting a copy of the Personal Data.
4. By taking into account our obligations to store customer data based on laws and regulations, you have the right to ask us to postpone, limit, and to stop processing, and/or delete your personal data in our system. Please note that this may prevent us from continuing to provide some services to you.
5. You have the right to object to automatic decision-making by us.
6. You have the right to withdraw your consent from our processing of your Personal Data, except for basic communication services.

To exercise your rights, you must comply with all policies, procedures and steps that we have set. In the event that there is a request for service termination by you, this remains subject to our approval to the extent permitted by law. You can contact us in the ways listed in the "Contact Us" section listed below.

16. Consequences arising from your failure to provide Personal Data

You can use our products or services and access our platforms or websites without providing your Personal Data. However, some activities or services on our products, services, platforms or websites require us to collect certain Personal Data about you. If you cannot provide the Personal Data, then it can:

1. Makes you unable to continue the activity;
2. Cause us to be unable to respond to your request;
3. Restrict or prevent access to certain features;
4. Causes us to be unable to provide you with the latest information regarding promotions or launches of our services/products; and
5. Resulting in you not receiving the promotions we send.

17. Access or Correction of Customer Information

If you wish to correct or update your Personal Data, or to request access to your Personal Data held by us, you can contact us to make a written request in the manner listed in the "Contact Us" section below. If you wish to change your Personal Data, please note that we may still need to retain certain information for record-keeping purposes, and/or to complete any transactions you initiated prior to requesting the change (for example, when you make a purchase or enter a promotion, you may not may change the Personal Data provided until after the completion of the purchase or promotion). Some of your information may also remain in our systems and other records where necessary to comply with applicable laws. At your request and where the law requires us to do so, we will tell you what Personal Data we hold about you.

18. By providing us with your Personal Data, you agree that:

1. You have read and understand this Privacy Notice and agree to the use of your Personal Data as set out in this Privacy Notice.
2. In the event that you provide us with Personal Data relating to other individuals (such as your spouse, family members, friends or other parties), you represent and guarantee that you have obtained and obtained the consent of the individual to, and hereby agree to the name of the individual for use of the Personal Data as set out in this Privacy Notice.
3. All of your statements are true and correct to the best of your knowledge, and you do not knowingly omit harmful related information.
4. The consent that you give to us is made without duress from any party.

19. Contact Us

If you have questions about this Privacy Notice, or if you choose to exercise one of your rights above, you can contact us via:

1. For Customers           à [email protected].
2. For Vendor/Partners   à [email protected]
3. For Visitors                à [email protected]

20. Dispute Resolution

In cases of alleged violation of your privacy, in relation to the processing of your Personal Data by us, you can submit an objection to the competent authority based on statutory provisions.

21. Update to Privacy Notice

So long as it is necessary, XL Axiata has the right to update this Privacy Notice without prior notification to you. This Privacy Notice is the most current and will supersede any previous version. We strongly recommend that you check this Privacy Notice from time to time to be informed of any changes to the Privacy Notice.

22. Version information

This Notice was last updated on 22nd August 2023.