Privacy Notice of PT XL Axiata Tbk.
(“Privacy Notice” or “Notice”)
Document Number: PN-C-DP-003
PT XL Axiata Tbk. ("XL Axiata") is a telecommunications company, part of Axiata Group Berhad, legally domiciled in Indonesia, including its subsidiaries and affiliates, both directly and indirectly related (hereinafter referred to as "XL Axiata" or "we"). XL Axiata is the Data Controller of all personal information collected from data subjects as covered in this Notice, unless stated otherwise. Contact details for XL Axiata are listed in the "Contact Us" section below.
In carrying out operational activities, we are always committed to protecting the personal data of parties related to XL Axiata, including personal data of customers, contractors, and business partners of XL Axiata.
Our position on protecting your privacy can be summarised by the following privacy protection principles:
TRANSPARENT
We are always open about what, why and how we collect and protect your Personal Data so that you can make appropriate decisions and give us consent.
RIGHTS
We respect your rights as an individual, so your Personal Data remains entirely under your control.
USAGE
We use your Personal Data only for specific purposes that we state in this Notice, and we will store it only as long as necessary for these purposes or as required by regulations.
SECURITY
We have established strong cyber security practices in line with leading industry standards to protect the Personal Data you have shared with us.
TRANSFER
We are very careful when transferring your Personal Data to third parties such as vendors, contractors, business partners and government authorities.
ACCURACY
We will process your Personal Data accurately, completely, not misleadingly, up-to-date, and responsibly.
A. Applicability of Privacy Notice
This Privacy Notice applies to personal information about you ("Personal Data") that we collect, obtain, or process when you:
1. Conduct business with XL Axiata, either as a contractor, vendor, or business partner of XL Axiata; and/or
2. Become an XL Axiata customer, use XL Axiata products or services, use applications, visit XL Axiata facilities and/or websites.
Where more specific privacy policies exist, the privacy provisions of those policies also apply. We recommend that you read this Privacy Notice together with our product/service terms and conditions, as those documents may contain more specific information regarding those products/services.
In brief, this Privacy Notice applies to:
1. All services offered by XL Axiata;
2. All XL Axiata administrative systems;
3. XL Axiata contractors, vendors, and business partners;
4. Current and prospective XL Axiata customers; and
5. Visitors to XL Axiata facilities.
B. Basis for Obtaining and Processing Personal Data by XL Axiata
In carrying out operational activities, XL Axiata, as the Controller of your Personal Data, collects Personal Data based on valid legal grounds under laws and regulations; the applicable ground depends on the type and purpose of Personal Data collection.
In general, we collect and process Personal Data on several grounds, including:
1. Your consent to this Privacy Notice;
2. To carry out operational activities as a form of fulfilling our promises to you, for example to provide network availability to your phone number, process service bills to your credit card, and so on.
3. Carrying out our obligations as controllers of Personal Data under laws and regulations.
4. Carrying out our obligations on the basis of legitimate interests while taking into account the objectives, needs, and balance of our interests and your rights.
If you have questions about this, please contact us at the contact details provided in the "Contact Us" section below.
C. How XL Axiata Collects Your Personal Data
XL Axiata collects your Personal Data when you:
1. Collaborate with XL Axiata, for example in due diligence activities, registering your company in procurement and/or accounting and billing systems, correspondence, registering your company to become an XL Axiata business partner.
2. Use XL Axiata networks, products, and services.
3. Visit our facilities, such as office buildings and/or customer service centres.
4. Submit enquiries as a customer, register, obtain information, or other services.
5. Respond to our communications (such as SMS, electronic mail (email), questionnaires or surveys).
6. Interact with XL Axiata websites, such as to learn about XL products and services, submit application forms, fill out survey forms, or use online services. (If your browser enables internet cookies, this may enable XL Axiata to track personal preferences, visited pages, etc.)
7. Participate in XL Axiata social media pages.
8. Participate in XL Axiata promotional events or loyalty programmes.
9. Contact XL Axiata customer call centre either physically, by telephone, or electronically to submit complaints or other services.
D. Personal Data that XL Axiata Collects from You
Personal Data that we may collect from you includes but is not limited to:
1. Contact information (such as full name, address, electronic mail (e-mail) address and telephone number).
2. Identification information (such as date of birth, National Identity Card (KTP), Family Card (KK), passport, Tax Identification Number (NPWP), Social Security Number (BPJS), Driving License (SIM), or other identification issued by the government).
3. Demographic information (such as age range, marital status, gender, nationality, religion, race, and ethnicity).
4. Photos and video recordings, such as photos and/or video recordings for documentation needs at customer service centres, photos you send for contests, reporting needs for agreement implementation, and CCTV recordings.
5. Product and service-specific information (such as preferences, closed user groups (CUGs), friends and family you choose to include in your service package, credit limits).
6. Banking information (such as account numbers, credit card information, bill payment history).
7. Telecommunications and XL Axiata service information (such as call and SMS history, credit balance, transaction history, billing information, loyalty points).
8. Operating system type and version, hardware version, device settings, software type, battery and signal strength, screen resolution, device identity (International Mobile Equipment Identity), brand and model, language, internet browser type and version, application usage and version.
9. Geographic location information, such as location obtained from your IP address or GPS, Base Station, Bluetooth or Wi-Fi signals, satellites, and connected telecommunications towers.
10. Some of our services use biometric information as identification or authentication. Biometric data may include fingerprints, voice, audio, facial recognition features and/or video.
11. Information from and about various technologies where our services are used (internet of things "IOT"), for example computers, phones and tablets, as well as devices that can be used interactively, connected technology at home or vehicles.
E. How XL Axiata Uses Your Personal Data
Your Personal Data may be obtained and processed by us for the following purposes:
1. To provide our services and products:
a. To provide products, services, and offers that might interest you.
b. To notify you about benefits and changes to our products or services.
c. To provide you with our latest offers, advertisements, and promotions.
d. To respond to and resolve your complaints.
e. To understand how you use our services.
f. To provide you with security updates, versions, features, options, and controls related to your systems or devices.
2. To communicate with you:
a. To send you service messages.
b. When you participate in surveys.
c. To convey notifications regarding your Personal Data, including in the event of a failure in protecting your Personal Data.
d. To send you information about our product and service offerings or those offered by third parties that we think might interest you.
3. In daily business operations:
a. To process payments and respond to customer service requests.
b. For research and studies related to our business operations.
c. To conduct accounting, auditing, reconciliation and billing activities, including law enforcement and crime prevention, protecting our legal rights and yours, and fulfilling our contractual obligations to you and our business partners.
d. To process decision-making both by us and by our third-party partners, including business partners and service providers.
4. For functionality, development, and service improvement:
a. To provide network connectivity, measure service usage levels, diagnose problems, and provide you with the latest security features.
b. To test, modify, improve or develop new products, services and technologies and to identify existing trends.
c. To contact you and to check and resolve issues and complaints you face.
5. For advertising and marketing, as long as your data is relevant for these purposes:
a. We may use your Personal Data to determine personalised product and service offerings specifically for you.
b. We may use your device's physical location, combined with information about what advertisements you view and other information we obtain, to provide personalised content for you.
c. You can choose to allow or reject these advertising offers. You can also reject permissions requested through your device. However, if you choose to reject these offers and/or permissions, we may not be able to provide you with personalised services and content, which might be beneficial to you.
F. Automated Decision Making
In some services and features, we, either by ourselves or through our third-party business partners, may use your Personal Data to generate automated decision-making (including profiling) that may affect you. Automated decisions are decisions related to the provision and offering of services that are made automatically based on algorithmic calculations, without human intervention.
We, either by ourselves or through our third-party business partners, use automated analysis to improve your experience in using our services such as through prediction of the types of products or services you are interested in, or for profiling to prevent criminal acts. Artificial intelligence may lead to automated processing of your Personal Data in various ways. If these automated decision-making activities have significant consequences for you, we will implement steps to protect your rights, freedoms and interests, by conducting a Data Privacy Impact Assessment to identify appropriate steps to protect those rights or obtain your consent as required by laws and regulations.
G. Information Regarding Children and Persons with Disabilities
We will only collect and process Personal Data belonging to children under 18 years of age who, before using XL Axiata networks, products and/or services, have obtained consent from the parents or legal guardians of the Personal Data owner.
In the case of processing Personal Data belonging to persons with disabilities, such consent may be given by the owner of the Personal Data directly or in cases where direct consent is not possible, it may be given by the legal guardian of the Personal Data owner.
H. Personal Data Storage (Retention)
Personal Data that has been collected will be stored for the period necessary to fulfill the purposes mentioned above. We may store your Personal Data to provide services you request, or for other legitimate interests, such as complying with our legal obligations under laws and regulations and obligations from government authorities, resolving legal issues, and carrying out our business operations. The Personal Data retention period is based on applicable legal requirements. However, if there are no relevant laws and regulations, your Personal Data will be stored for as long as necessary. Furthermore, we may store this Personal Data in printed or electronic copy form.
We may store your data in data centres or archive storage spaces managed by us or by data storage service providers, for and on behalf of us. All our storage locations, systems, and products are equipped with necessary security controls to ensure the protection of Personal Data.
Retention periods may vary based on the type of information and legally required retention periods, ongoing judicial processes, business implementation needs, intellectual property rights implementation, agreements, operational needs, and archiving. When your Personal Data is deleted from our system, such data will be deleted or destroyed using appropriate security protocols so that it cannot be reconstructed or read again by unauthorised parties.
I. Third Party Sites and Services
This Privacy Notice does not address, and we are not responsible for, policies and practices carried out by third parties or other organisations that do not operate for and on behalf of XL Axiata, including policies and practices relating to privacy and security, collection, processing, use, storage, and disclosure of Personal Data. This includes:
1. Any third party operating platforms, websites, or any services linked by XL Axiata services. The inclusion of links on XL Axiata Services does not imply association or affiliation between us and the provider of such platform or service.
2. Application developers, application providers, social media platform providers, operating system providers, wireless service providers or telecommunications and network equipment manufacturers.
J. Security
We strive to process your information in a secure environment by preventing unauthorised or unlawful access. We also protect your Personal Data from loss or damage. We have implemented various types of physical, technical, and administrative safeguards to protect your Personal Data and our networks from unauthorised access. These measures include:
1. Encryption during data transit or at rest.
2. Strict compliance with privacy and security practices.
3. Information Security Management Systems (ISMS) ISO 27001 certification.
4. Regular data audits and reviews to improve our operational standards.
5. Restricting access to Personal Data only to personnel who have a need to know such data.
We require our suppliers and vendors to implement similar protections when they access or use Personal Data that we share with them. We also continuously encourage you and all XL Axiata service users to protect their data, systems, networks, and services they use. Nevertheless, no technology, data transmission or system can be guaranteed 100% secure. Therefore, if you discover any Personal Data breach, please notify us immediately in the manner listed in the "Contact Us" section below.
K. How XL Axiata Shares Information
We work with our other partners to provide services as part of fulfilling our obligations to you. When we provide your Personal Data to our partners, we implement necessary measures to limit the use of your Personal Data only for legitimate reasons in accordance with this Privacy Notice, as well as adequate confidentiality and security measures. In addition to these purposes, we also share information with third parties to fulfill our legal obligations such as when requested by government authorities and to handle legal processes, to protect your vital interests, to carry out tasks in the public interest when requested by government authorities, public services, or the exercise of our authority under laws and regulations, as well as to fulfill other legitimate interests by taking into account the objectives, needs, and balance of our interests and your rights.
L. Corporate Actions
In the event of corporate actions such as reorganisation, merger, consolidation, sale of company assets, establishment of joint ventures, transfer of all or part of our business, assets, or shares (including in connection with bankruptcy) that may impact the processing of your Personal Data, such as in terms of disclosure or transfer of Personal Data to related parties, the implementation of these activities will be carried out in accordance with applicable laws and regulations, including regarding the delivery of notifications to you.
M. Communication Preferences and Choices
XL Axiata always takes necessary and reasonable steps to keep your Personal Data accurate, complete, and up-to-date. You can choose not to receive promotional electronic mail (e-mail) or other XL Axiata communications by contacting us at the contact information details mentioned below. This choice does not apply to receiving product or service communications considered part of XL Axiata products or services (such as billing information or service validity period), unless you choose to no longer use such products or services.
Additionally, we do not require you to provide your Personal Data to us. The decision to provide Personal Data is voluntary. However, if you do not wish to provide the required Personal Data, you may not be able to continue activities or receive benefits for our services where such Personal Data is required.
N. Cross-Border Personal Data Transfer
We may transfer your Personal Data across geographical boundaries to other parties as long as it can be ensured that their Personal Data protection is at the same level as ours. Personal Data transfer is carried out based on our standard contracts with data protection clauses or data transfer agreements with similar rights and obligations for parties receiving such information to protect the security and confidentiality of your Personal Data.
XL Axiata does not share your Personal Data, except in the following conditions:
1. To Axiata group companies if necessary, and within the limits of applicable legal rules.
2. As required by law, such as when relating to judicial proceedings, dispute resolution, and/or similar legal processes.
3. With other operators who work with us to perform call transfers or international roaming.
4. To protect our rights and protect your security.
5. With our business partners in providing XL Axiata services, such as field technician providers, contractors working for and on behalf of us.
6. With our business partners in XL Axiata product and service marketing activities, in which case no raw Personal Data is provided, as the information provided is generally combined into aggregate data.
7. With third parties for educational, research, and scientific development purposes.
8. With our sister companies, subsidiaries and affiliates, such as XL Axiata dealers.
In all cases, third parties must agree to strict obligations to maintain the confidentiality of Personal Data and use it only for the purpose for which the information was obtained.
O. Exercising Your Rights
We respect your rights and privacy and we always take necessary steps to ensure that your Personal Data is always accurate and up-to-date. We guarantee you that:
1. You have the right to obtain information about clarity of identity, legal interest basis, purpose of request, and use of Personal Data, and XL's accountability.
2. You have the right to complete, update, and/or correct errors and/or inaccuracies in Personal Data about you, including requesting us to delete your Personal Data (right to be forgotten).
3. You have the right to access and request copies of your Personal Data, in accordance with our policy in requesting copies of such Personal Data. Regarding Personal Data copies, you have the right to obtain them in a format that you can store and transfer for data portability purposes.
4. While still taking into account our obligations regarding customer data storage based on laws and regulations, you have the right to request us to suspend processing, restrict processing, stop processing, and/or delete your Personal Data in our system. Please note that this may prevent us from continuing to provide some services to you.
5. You have the right to object to automated decision-making by us.
6. You have the right to withdraw your consent from the processing of your Personal Data by us, as long as it is not related to basic telecommunications services.
To exercise your rights, you are required to follow all policies, procedures, and steps that we have established. In the event of a service withdrawal request by you, this remains subject to our approval to the extent permitted by law.
You can visit the nearest XL Center to exercise these rights.
P. Consequences of not providing your Personal Data
You can use our products or services and access our platforms or websites without providing your Personal Data. However, some activities or services that exist on our products, services, platforms, or websites require us to collect certain Personal Data about you. If you cannot provide such Personal Data, then this may:
1. Cause you to be unable to continue with that activity;
2. Cause us to be unable to respond to your request;
3. Limit or prevent access to certain features;
4. Cause us to be unable to provide you with up-to-date information regarding our promotions or service/product launches; and
5. Result in you not receiving promotions that we send.
Q. Access or Correction to Personal Data
Requests related to access to and/or copies of Personal Data held by us will be carried out in accordance with applicable laws and regulations and the procedures we implement, including regarding the use of security features such as the form or method of using media for delivering such Personal Data.
If you want to change your Personal Data, please note that we may still need to store certain information for recording purposes, and/or to complete any transactions you initiated before requesting such changes (for example, when you make a purchase or participate in a promotion, you may not be able to change the Personal Data provided until after the completion of that purchase or promotion). Some of your information may also remain in our systems and other records if necessary to comply with applicable law.
R. By providing your Personal Data to us, you agree that:
1. You have read and understood this Privacy Notice and agree to the use of your Personal Data as set out in this Privacy Notice.
2. In the event that you provide us with Personal Data relating to other individuals (such as your spouse, family members, friends or other parties), you represent and warrant that you have obtained and received consent from such individuals to, and hereby agree on behalf of such individuals for the use of such Personal Data as set out in this Privacy Notice.
3. All your statements are true and accurate to your knowledge, and you have not deliberately omitted related information that is detrimental.
4. The consent you give us is made without any coercion from any party.
S. Contact Us
If you have questions about this Notice, you can contact us through the Data Protection Office team at [email protected]
T. Dispute Resolution
In cases of violations or alleged violations of your privacy in connection with the processing of your Personal Data, you can file objections with the relevant regulator.
This Privacy Notice was last updated on 14 February 2025.