Privacy notice of Deutsche Bank AG, Jakarta Branch
In accordance with the Act of the Republic of Indonesia Number 27 of 2022 concerning Personal Data Protection (“Personal Data Protection Act” or “PDPA”), the following information provides an overview of how Deutsche Bank AG, Jakarta Branch uses information we hold about individuals (this is known as “personal data”), such as private clients, authorized representatives, signatories, ultimate beneficial owners, guarantors, beneficiaries, and individual business or supplier contacts (all referred to below as “you”). This Notice also outlines your rights under the PDPA.
1. Who is legally responsible for the handling of your personal data and who can you contact about this subject?
Deutsche Bank AG, Jakarta Branch (“bank,” “we,” or “us”) is a branch of Deutsche Bank AG (“Deutsche Bank”), a multinational bank headquartered in Germany. When you provide personal data to us, we act as a “personal data controller.” It means:
- we “control” your personal data, including making sure it is kept secure; and
- we make certain independent decisions on how to use and protect your personal data – but only to the extent that we have informed you about the use and/or obtained consent from you or are otherwise permitted by law.
We are required to handle or “process” your personal data securely and otherwise in accordance with the PDPA. Should you have queries or complaints about the way in which we process your personal data, you may raise these with your usual DB relationship or business contact or, if you wish to exercise any of your rights as a data subject, with our Data Protection Officer. The contact details are at the end of this Notice.
2. What personal data might we hold about you and where do we get it from?
We will only hold personal data about you that is relevant in the context of the business relationship which we have with you or the organization that you represent or are related to. Some of this information we will obtain directly from you. We also collect and process personal data from a range of other sources, which may include your employer, other Deutsche Bank entities and affiliates, other companies and financial institutions, publicly available sources (e.g., registers of companies or assets, internet websites), and from providers of business-risk screening services, such as credit reference agencies, anti-fraud databases, sanctions lists, and databases of news articles.
The types of personal data that we collect and process may include (but are not limited to):
- Name, contact details, specimen signature, employment information;
- Records relating to our business relationship and relevant services, including data derived from your usage of our IT platforms (including electronic communications), mobile apps, recorded telephone lines, office buildings, and from your engagement with our marketing activities;
- KYC (know-your-customer) data, such as nationality, passport details, social security number, national ID number, date and place of birth, source of wealth, rationale for use of corporate structures, relationships with public officials, criminal record, marital status and details of dependents, knowledge of financial products and services, risk appetite, capacity for loss, tax status, domicile;
- Financial information, such as creditworthiness, bank account details, income, pension, investments, assets, liabilities, outgoings, investment objectives.
The personal data we collect may be in paper, electronic, or any other forms.
If you fail to provide such personal data which we need to adopt or retain you (or the organization you represent) as our client, we may not be able to provide or continue providing you (or your organization) with the relevant products or services (or any part thereof), or comply with any applicable laws, regulations or guidelines, and norms of regulatory bodies or other competent authorities).
When we collect your personal data, we will, as necessary to fulfill any of the purposes stated in Section 3, use it, process it, update it, arrange it, share it within Deutsche Bank and with third parties, including regulators and public authorities, store it, and delete it.
3. What will we use your personal data for (purposes) and does the law allow this (lawful bases)?
The purposes for which we process your personal data are summarized below, together with the specific grounds under the PDPA (see sub-headings in bold) which allow us to do this:
- For the performance of a contract
It may be necessary for us to process your personal data to perform a contract with you (or the organization you represent or are related to), in connection with our banking and financial services business, or to take steps at your (or your organization’s) request prior to entering into a contract. For further details, please refer to your (or your organization’s) contractual documentation with us. - For compliance with a legal obligation or acting in the public interest
As a bank, we are subject to several statutory and regulatory obligations that may require us to collect, store, or disclose personal data, such as for anti-money laundering purposes or to respond to investigations or disclosure orders from the police, regulators of Deutsche Bank, and tax or other public authorities (including outside Indonesia). - For the purposes of legitimate interests
Where necessary, we process your personal data to serve our legitimate interests or those of a third party. The PDPA permits this only insofar as such interests are not outweighed by a greater need to protect your privacy. Cases where we rely on our legitimate interests to process your personal data include (but are not limited to):- Know-your-customer and creditworthiness checks;
- Client and vendor relationship management;
- Business analysis and development of products and services;
- Activities relating to information security and building security, including use of CCTV recording;
- Managing the risks and optimizing the efficiency of Deutsche Bank’s operations (including outsourcing functions within and outside of Deutsche Bank;
- Recording of telephone lines and monitoring of electronic communications for business and compliance purposes;
- Prevention and detection of financial crime, investigation of complaints;
- Evaluating, bringing or defending legal claims;
- Business restructurings;
- Audits;
- Marketing of Deutsche Bank products (unless you have objected/unsubscribed).
We will not engage in direct marketing activities without your consent.
- On the basis of your explicit consent
If we wish to process your personal data in a way not covered by the legal justifications above, we will obtain your explicit consent. Where you give consent, you are entitled to withdraw it at any time by contacting your Relationship Manager or our Data Protection Officer. Note that withdrawing your consent does not render our prior handling of your personal data unlawful, and that such withdrawal might have an impact on our ability to continue to provide our services or fulfil our obligations in the same way in future.
4. Who might we share your personal data with?
Where necessary to fulfil your (or your organization’s) instructions to us and for the other purposes outlined above, we may share information about you with a range of recipients including (but not limited to) the following: credit reference agencies, background screening providers, financial institutions, funds, payment recipients, payment and settlement infrastructure providers, exchanges, regulators, courts, public authorities (including tax authorities), branches, affiliates, or subsidiaries of Deutsche Bank, service providers/personal data processors, professional advisors, auditors, insurers, and potential purchasers of elements of our business. These recipients could be located outside Indonesia.
Where we need to transfer or share your personal data, we will carefully assess the legitimacy, propriety, and necessity of the data sharing. We will comply with and require the recipient to take all the data protection measures required pursuant to the PDPA and relevant laws and regulations (for instance, signing a contract that defines the obligations of the parties in terms of data protection).
5. Will we send your personal data to other countries?
Deutsche Bank and its clients are active globally. Therefore, information relating to you may, in line with the purposes described above, be transferred to other countries. We store and maintain data on storage platforms in various locations (including on cloud) in line with Deutsche Bank’s data strategy. We may also use service providers (within Deutsche Bank or third-party providers) located in another country.
Where the laws of that jurisdiction do not provide a level of protection equal to or higher than that provided in the PDPA, we require the recipient, through contractual undertaking, to apply the same level of protection as would be necessary under the PDPA. We will also comply with the relevant requirements of the PDPA and other applicable laws, such as obtaining your consent, where required.
6. How long will we use and keep your data for?
In general terms, we will continue to use or otherwise process your personal data if a legal basis or justification exists. We retain your personal data as long as necessary for the purposes for which we obtained it (see Section 3 above). In making decisions about how long to retain personal data, we take account of the following:
- The termination date of the relevant contract or business relationship;
- Any retention period required by law, regulation, or internal policy;
- Any need to preserve records beyond the above periods to be able to deal with actual or potential audits, tax matters, or legal claims.
We adhere to the retention and disposal requirements under the relevant Deutsche Bank policies and applicable regulations. Records and personal data that are eligible for disposal in accordance with Deutsche Bank’s retention policy undergo a process of vetting (such as legal holds review) and approvals before they are permanently disposed of or erased in accordance with internal procedures.
7. What data protection rights do you have?
Subject to certain exceptions and limitations, by law you have the right to:
- Be informed of the details of the processing of your personal data. This includes receiving information about who processes your personal data, the legal basis for the processing, and the purposes for which they are being processed.
- Request correction of the personal data we hold about you. This enables you to have incomplete, inaccurate, or misleading data we hold about you to be corrected or supplemented.
- Request access to and copy your personal data. This enables you to receive a copy of the personal data we hold about you and request information about personal data we obtained.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, such as during the time it might take us, for instance, to respond to your claim that the data is inaccurate or where the retention period has ended but you request further retention for establishing or defending a legal claim. You also have the right to request the termination of processing of your personal data.
- Request not to be subject to automated decision making. This enables you to ask us not to make any decision about you that affects your legal position (or has some other significant effect on you) based purely on automated processing of your data. (We do not as a rule make decisions of this nature based solely on automated processing and without any human assessment whatsoever. We would notify you specifically if we did.)
- File a lawsuit with the appropriate court and a complaint to the relevant data protection authority under the circumstances recognized under the PDPA and be compensated in accordance with laws.
- Request us to transfer personal data you gave to another personal data controller.
- Withdraw your consent to the processing of your personal data. See Section 3(d) above.
To exercise any of these rights, please submit your request via email with the subject line “Data Subject Request,” followed by the nature of the request (for example, "Data Subject Request to Access Data”) to the Data Protection Officer at the email address given at the end of this Notice. Your request must include your identity (with proof of identification and/or relationship to the data subject), specify clearly and in detail the personal data you are requesting, and supply us with such information as we may reasonably require in locating the requested data.
8. How do we protect your personal data?
Personal data security is our top priority. We always endeavour to safeguard your personal data against unauthorized or accidental access, alteration, or loss. We maintain this commitment to information security by implementing appropriate physical, technical, and organizational measures to secure your personal data. We have policies and processes in place to handle and report incidents that may involve personal data.
We maintain strict security to prevent unauthorized access to our systems that contain personal data and customer data. We exercise strict management over our staff members who may have access to your personal data, including but not limited to access controls applied to different positions, confidentiality obligation agreed by staff members, formulation and implementation of data privacy and information security-related policies and procedures, and data privacy and information security trainings to staff. These security measures are reviewed and updated regularly.
9. Updates to this Privacy Notice
We may update this Privacy Notice from time to time to clarify it or address changes in law or our business operations.
We may also notify you in other ways about the processing of your personal data, such as in specific product documentation. If you have any questions regarding subsequent updates, please contact us.
10. Contact information / Data Protection Officer
Deutsche Bank AG, Jakarta Branch
Compliance Department
Attention: Data Protection Officer
Address: Deutsche Bank Building, No. 80 Jalan Imam Bonjol, Jakarta 10310, Indonesia
Tel.: +62 21 2964 4401
Email address for general communications and inquiries: dbjk.dpo@list.db.com
Email address for data subject requests: dbjk.datasubjectrequest@list.db.com