Privacy Statement
JTB PDPL Privacy Policy (Indonesia)
This Privacy Policy (“Policy”) sets out the basis in which PT. JTB Indonesia (“we”, “us”, or “our”) may collect, use, disclose, or otherwise process personal data of users in accordance with the Indonesian Personal Data Protection Law No 27 Year 2022 (“PDPL”). This policy applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose, or process personal data for our purposes.
1. Personal Data
As used in this Policy: “customer” means an individual who (a) has contacted us through any means to find out more about any goods or services we provide, or (b) may, or has, entered into a contract with us for the supply of any goods or services by us; and “personal data” means any data related to identified or identifiable individuals, separately or in combination with other information, directly or indirectly, through an electronic or non-electronic system.
Other terms used in this Policy shall have the meanings given to them in the PDPL (where the context so permits).
Other terms used in this Policy shall have the meanings given to them in the PDPL (where the context so permits).
2. Collection, Use, and Disclosure of Personal Data
1. We generally do not collect your personal data unless:-
(a) It is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after:
(i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and
(ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes, or
(b) Collection and use of personal data without consent is permitted or required by the PDPL or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).
2. We may collect and use your personal data for any or all of the following purposes:-
(a) Operating our website and/or its subdomains (“website”);
(b) Performing our statutory functions and administering our activities;
(c) Communicating with our members and customers;
(d) Updating your personal and contact information;
(e) Performing obligations in the course of or in connection with our provisions of the goods and/or services requested by you;
(f) Verifying your identity;
(g) Responding to, handling, and processing queries, requests, applications, complaints, and feedback from you;
(h) Managing your relationship with us;
(i) Processing payment or credit transactions;
(j) Complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;
(k) Statistical, analysis, planning and reporting,
(l) Any other purposes for which you have provided the information; and
(m) Any other incidental purposes related to or in connection with the above.
(n) Marketing Purposes
3. This Policy does not apply to aggregated information which summarises statistical information about groups of members, and which does not include name, contact information, or any other information that would allow any particular individual to be identified.
4. We may disclose your personal data:-
(a) Where necessary to enforce the Terms of Use;
(b) Where such disclosure is required for performing obligations in the course of or in connection with our provisions of the goods and services requested by you;
(c) To third party service providers, agents, and other organisations we have engaged to perform any of the functions with reference to the above-mentioned purposes;
(d) If required by law or in the good faith belief that such action is necessary to:
(i) Conform to the edicts of the law or comply with legal processes served on us or the Website;
(ii) Protect and defend our rights or property; and
(iii) Act under exigent circumstances to protect the personal safety of users of the Website; or
(iv) Where your consent has been obtained for disclosure.
3. Withdrawing Your Consent
1. The consent that you provide for the collection, use, and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop collecting, using, and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.
2. Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within 10 (ten) business days of receiving it.
3. Whilst we respect to your decision to withdraw your consent please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described in Clause 1 above.
4. Please note that withdrawing consent does not affect our right to continue to collect, use, and disclosure personal data where such collection, use, and disclosure without consent is permitted or required under applicable laws.
4. Access to and Correction of Personal Data
1. If you wish to make an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data OR a correction request to rectify or update any of your personal data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.
2. We will respond to your request as soon as reasonably possible. Generally, our response will be within thirty (30) business days. Should we not be able to respond to your request within that given time period after receiving your request, we will inform you in writing within thirty (30) business days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPL).
5. Protection of Personal Data
1. To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical, and technical measures.
2. You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.
6. Accuracy of Personal Data
We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete, and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer in writing or via email at the contact details provided below.
7. Retention of Personal Data
1. We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.
2. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.
8. Transfers of Personal Data Outside of Indonesia
If there are transfers of personal data to countries outside of Indonesia, we will obtain your consent for the transfer to be made and we will take appropriate steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPL.
9. Use of Cookies
1. The Website may place and access certain cookies on your computer and/or any other electronic device used to access the Website. We use cookies to improve your experience using the Website and to improve the efficacy of our Services. We have carefully chosen these cookies and had taken steps to ensure that your privacy policy is protected and respected at all times.
2. Users of the Website are advised that if they wish to deny the use and saving of cookies from this Website onto their computers and/or other electronic devices, they should take the necessary steps within their internet browsers’ security settings to block all cookies from this Website.
3. You can choose to delete the cookies at any time. However, you may lose any information that enables you to access the Website more quickly and efficiently including but not limited to personalisation settings.
10. External Websites
The Website contains links to external websites. We make no representations as to the quality, suitability, functionality or legality of the material on external websites that are linked to, or to and goods and services available from, such websites. The material is only provided for your interest and convenience. We do not monitor or investigate such external websites and we accept no responsibility or liability for any loss arising from the content or accuracy of the material and any opinion expressed in the material should not be taken as our endorsement, recommendation, or opinion. This Policy does not extend to your use of such external websites. You are advised to read the privacy policy or statement of such external websites before using them.
11. Data Protection Officer
You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:
Contact Number: +62 361 708761
Email Address: privacy.id@jtbap.com
Address: Jalan By Pass Ngurah Rai No 88, Kelan Abian – Tuban – Bali - Indonesia
12. Effect of Policy and Changes to Policy
1. This Policy applies in conjunction with any other notices, contractual clauses, and consent clauses that apply in relation to the collection, use, and disclosure of your personal data by us.
2. We may revise this Policy from time to time without any prior notice. You may determine if such revision has taken place by referring to the date on which this Policy was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
13.Information for EU Citizens
This part of the document integrates with and supplements with the information contained in the rest of the policy and is provided by the business running this Site and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, and “our”.
JTB GDPR Privacy Policy
The provisions contained in this section apply to all EU citizen users, according to the GDPR. Users are referred to below, simply as “you”, “your”, and “yours”), and for such consumers, these provisions supersede any possibility divergent or conflicting provisions containing in the privacy policy.
The protection of your personal data is of great importance to JTB (“PT.JTB Indonesia”). This Privacy Policy therefore intends to inform you about how the JTB (“PT.JTB Indonesia”), whose entities may act as data controllers or processors, collect and processes your personal data that you submit or disclose to us, in the case where the General Data Protection Regulation (“GDPR”) applies to such collection or processing.
JTB (“PT.JTB Indonesia”) routinely collects, uses, stores and transfers a variety of data, including Personal Data. JTB Group is committed to ensure the privacy of Personal Data throughout its global business, and make sure its employees and business partners also take the necessary measures to protect Personal Data.
This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Our Privacy Policy applies to you in the case where the GDPR applies to such collection or processing and is available on our website and through other channels. In all your dealings with us you must ensure that others you may represent are aware of the content of our Privacy Policy and consent to you on their behalf.
We encourage you to read this Privacy Policy carefully. If you do not wish your personal data to be used by us as set out in this Privacy Policy, please do not provide us with your personal data. Please note that in such a case, we may not be able to provide you with our services, and your customer experience may be impacted.
1. Your Personal Data
This refers to a combination of personal data such as your name, address, telephone number, email address, travel preference and special needs/disabilities/dietary requirements that you supply us or is supplied to us, including your social preference, activities and any information about other persons you represent such as those on your booking. Your personal data is collected when you contact us, make a booking, use our website(s)/apps, link to or from our website(s)/apps, connect with us via social media and any other engagement we or our business partner have with you.
2. Processing of Your Personal Data
Data processes
We may collect and process your personal data for the purposes set out below and disclose your personal data to the JTB (“PT.JTB Indonesia”) companies for business purposes and also to our service providers who act as ‘controller’ or ‘processor’ on our behalf. These purposes include:
a. Fulfilling the contract with you and legal obligations (Articles 6(1)(b) and (c) of the GDPR: In order for you to travel abroad, it may be mandatory as required by government authorities at the point of departure and/or destination to disclose and process your personal data for immigration, border control and/or any other purposes. Also we need to provide airlines/accommodation providers with your name, passport number, contact details, and other related information in accordance with their terms and conditions. If you do not provide us with this personal data, we might not be able to offer our services to you.
b. Fulfilling your and our legitimate interests (Article 6(1)(f) of the GDPR): Where it is in both your and our benefit that we further process your personal data as part of our business administration, maintaining service quality, customer care, business management, risk assessment/management, security, and operation purposes.
c. Consent: For marketing purposes and other similar data processes that may require your authorization for their processing (Article 6(1)(a) of the GDPR). We will usually inform you before collecting your data if we intend to use your data for such purposes or if we intend to disclose your personal data to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we used to collect your data.
d. Explicit consent (Article 9(2)(a) of the GDPR): Information such as health or religion may be considered ‘sensitive personal data’ under the GDPR. This personal data might include information necessary to arrange bookings and travel plans, including your allergies, disabilities, and other relevant health information. We collect it to provide you with our services, cater to your needs or act in your interest, and we are only prepared to accept sensitive personal data on the condition that we have your positive consent.
We will process your data for as long as possible in order to fulfil our service to you and comply with the applicable fiscal, tax, securities and commercial law regulations on retention of business and financial documentation.
Children
Our products and services are intended for adult customers. However, we may knowingly collect and process personal data on children under seventeen (17). On these occasions, we will take account of this event when processing the personal data of children and implementing the legal basis for such processing. For example, where the processing of personal data of children is based on their consent such as the processing of his/her sensitive personal data, we will seek the consent of parents, tutors, or other adults holding parental responsibility over children, if required under the GDPR.
Links to other sites
We may propose hypertext links from our websites to third-party websites or Internet sources. We do not control and cannot be held liable for third parties’ privacy practices and content. Please read carefully their privacy policies to find out how they collect and process your personal data.
Data transfers
JTB Group
When we process your personal data, we will store it on our systems located within the European Economic Area (EEA), which comprises the Member States of the EU, Norway, Iceland and Liechtenstein, as well as outside the EEA. In the event of a merger, reorganization, acquisition, joint venture, assignment, spin-off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all personal data to the relevant third party.
Your data may also be processed by staff operating outside the EEA who work for us or for one of our suppliers (e.g., travel guides, transportation services). Such staff may be engaged in, among other things, the provision of support services.
Service providers
For the purpose of providing you with our services, including your booking of flight, hotel, security, incident/accident management etc., we may disclose and process your personal data outside of the EEA countries. In order for you to travel abroad, it may be mandatory as required by government authorities at the point of departure and/or destination to disclose and process your data for immigration, border control and/or any other purposes. Also we need to provide airlines/accommodation providers with your name, passport number, contact detail, etc. in accordance with their terms and conditions.
Legal compliance and security
It may be necessary for us – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence – to disclose your personal data. We may also disclose your personal data if we determine that, due to purposes of national security, law enforcement, or other issues of public importance, the disclosure is necessary or appropriate.
We may also disclose your personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.
Safeguards to protect your personal data
Where we share your data with a data processor, we will put the appropriate legal framework in place in order to cover such transfer and processing (Articles 26, 28 and 29). Furthermore, where we transfer your data from EEA to any entity outside the EEA, we will put appropriate legal frameworks in place, notably Binding Corporate Rules (Article 47 GDPR), controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EU) Standard Contract Clauses approved by the European Commission, in order to cover such transfers (Articles 44 ff. GDPR), or we will share your data based on rules of the GDPR.
By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, in particular, by adopting Standard Contract Clauses (for transfers among certain JTB companies and with third-parties) where possible.
3. Our Records of Data Processes
We handle records of all processing of personal data in accordance with the obligations established by the GDPR (Article 30), both where we might act as a controller or as a processor. In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required (Article 31).
4. Security Measures
We process your personal data in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. We use appropriate technical or organisational measures to achieve this level of protection (Article 25(1) and 32 GDPR). We will retain your personal information for as long as it is necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
5. Notification of Data Breaches to the Competent Supervisory Authorities
In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, we have the mechanisms and policies in place in order to identify it and assess it promptly. Depending on the outcome of our assessment, we will make the requisite notifications to the supervisory authorities and communications to the affected data subjects, which might include you (Articles 33 and 34 GDPR).
6. Processing Likely to Result in High Risk to your Rights and Freedoms
We have mechanisms and policies in place in order to identify data processing activities that may result in high risk to your rights and freedoms (Article 35 of the GDPR). If any such data processing activity is identified, we will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organisational safeguards are in place in order to proceed with it.
In case of doubt, we will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations (Article 36 GDPR).
7. Your Rights
You have the following rights:
– Access to personal data: You have the right to be provided full information about your personal data that we hold.
– Data correction: You have the right to require that we correct any incorrect information we hold about you.
– Data deletion: You may also have the right to ask that we delete your personal data. Please note that certain conditions may apply to the exercise of this right.
– Restriction on processing of personal data: You may have the right to ask that we restrict the use of your personal data. Please note that certain may conditions apply to the exercise of this right.
– Object to processing of personal data: You may have the right to object to the use of your personal data by us. Please note that certain conditions may apply to the exercise of this right.
– Portability of personal data: You may have the right to receive your personal data in a structured and commonly used format. Please note that certain conditions may apply to the exercise of this right.
– You also have the right to obtain from us a copy of the Binding Corporate Rules or of any Standard Contract Clauses that we use if we transfer your personal data outside the EEA and take such arrangement.
To exercise your rights, or if you require further information about how your personal data is used by us, you can contact the staff member in charge of your travel or write to us at: privacy.id@jtbap.com
Following is the procedure when you want to execute these rights;
1) Upon receiving your request, we will contact you to confirm the request is being handled, and we will indicate the reasonable timeframe for us to respond.
2) Our special team will make an initial assessment of the request to decide whether it is a valid request and whether confirmation of identity is required.
3) If no further action from you is required, we will proceed with the processing of your request.
4) At the end of our assessment and internal procedure, we will provide a confirmation as to our compliance or processing of your request.
5) For any unfounded or excessive (e.g., further repeated) requests, we may charge a reasonable fee based on administrative costs.
8. When you want to complain about your personal data
We have appointed appropriate staff with management support to oversee and ensure compliance with the GDPR. You can bring complaints in writing by contacting the JTB Data Protection Team at emmy_f.id@jtbap.com
You can also contact the JTB Data Protection Team members or other employees to complain about the way we handle your personal data. The employees to have been confronted with the complaint will inform you about the contract details to file a complaint in accordance with the present procedure or pass the complaint to the JTB Data Protection Team whichever appropriate.
After receiving the complaint the Data Protection Team will send an acknowledgement of receipt within one week to you. The confirmation may include further questions necessary for the clarification of the issues. The Data Protection Team or local Human Resources Department will provide an answer to you as soon as reasonably practicable, but no later than one month upon receiving the complaint. If, due to complexity of the complaint, a substantive response within one month cannot be provided, you will be notified with a reasonable estimate of the timeframe, but not exceeding two months from the notice.
You may also raise the complaint to the relevant Data Protection Authority or lodge a claim with a court of competent jurisdiction.
9. Changes to our Privacy Policy
We may revise or update this Privacy Policy from time to time. Any changes we may make to our Privacy Policy in the future will be posted on this webpage. If we make changes which we believe are significant, we will inform you through the website to the extent possible and seek your consent where applicable.
10. Contact
Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to
Jalan By Pass Ngurah Rai No.88, Kelan Abian – Tuban- Bali - Indonesia
Email: privacy.id@jtbap.com
11. About Cookie
PT.JTB Indonesia (hereinafter “JTB”) automatically collect limited information about your computer when you visit our site. JTB records the IP address of visitors in the case of a problem occurring on our server, as well as for statistical purposes. The IP address of a user may be the same each time, or it may be different – this depends on the method of connection i.e. dial-up or constant connection (e.g. DSL or cable modem). In both cases, it is extremely difficult to gain personal information from the IP address of a visitor, and we will never attempt to find out this information from you.
JTB uses cookie information to provide better services, secure security, analyse and distribute appropriate advertisements to customers. If you came to our site by clicking on a link on a different site, we will also record this information. This kind of information helps us understand our users’ preferences and measure the effectiveness of various advertising. It will also help us to customize the content of our website and to improve our service. All information is collectively integrated into our database (as opposed to being collected individually from each user) and is used as a general overview of all our users.
Third-party companies may distribute advertisements or obtain behavioural information for the purpose of advertising their company.
Small data text files called “cookies” will be sent to your computer’s hard drive. These cookies help us recognize previous visitors and also identify the route history of users. We cannot identify any personal information stored in these cookies, nor can we gain access to any information stored on your hard drive. In addition, we cannot access information from cookies sent from other websites. Information collected will only be used as described above, and also to improve our website.
Each user can prevent their browser from accepting new cookies, however in this case cookies from all websites will be blocked, not only cookies sent from JTB. As every browser is different, it is best to go to the Help portion of the toolbar of your browser to explain how to block cookies.
※ If you change browser, delete cookie, etc., you need to set opt-out and opt-in again
Exhibit
ASIA/PACIFIC Companies
• JTB PTE LTD / JTB Asia Pacific Headquarters
• JTB PTE LTD / JTB Singapore office
• JTB (Thailand) Ltd.
• Japan Travel Bureau (Malaysia) Sdn. Bhd
• PT. JTB Indonesia
• 世帝喜旅行社股份有限公司
• JTB-TNT (JTB Vietnam)
• JTB India Private Limited
• Tour East Singapore (1996) Pte Ltd
• JTB Asia Pacific Phil. Corp.
• PT. Panorama JTB Tours Indonesia
• BIG S’ Holiday Pte. Ltd.
• JTB Oceania Pty Ltd
• JTB Australia Pty Ltd
• JTB New Zealand Limited