1. Introduction

IABF Law Group (“IABF”, “We”, “Us”, or “Our”) is a leading law firm in Indonesia, providing legal services to the business community since 2003.

We are committed to protecting the confidentiality, integrity, and security of Personal Data that we collect, use, or otherwise process. This Privacy Policy is issued in accordance with the Personal Data Protection Law Number 27 of 2022 (“PDPL”) and other applicable laws and regulations governing data protection in Indonesia.

By accessing Our websites, engaging Our legal or professional services, and/or otherwise providing Us with Your Personal Data (as defined below), You acknowledge and consent to the Processing (as defined below) of Your Personal Data in accordance with this Privacy Policy. If You do not agree with the terms set out herein, You should refrain from providing Your Personal Data.

2. Definitions

For the purposes of this Privacy Policy:

• “Personal Data” means any data related to an identified or identifiable natural person, as defined under the PDPL.
• “Processing” means any operation performed on Personal Data, including but not limited to collection, recording, storage, alteration, disclosure, or deletion.
• “You(r)” or “Data Subject” refers to any individual whose Personal Data is collected, held, or processed by IABF.

3. Scope of Application

This Privacy Policy applies to all Personal Data that We collect and process from You, clients, counterparties, service providers, job applicants, employees, visitors to Our websites, and other individuals whose data may be lawfully obtained by IABF in connection with its business activities.

4. Collection of Personal Data

We may collect Personal Data directly from You, from Our clients, from publicly available sources, and from third parties, including regulators, counterparties, professional advisers, recruitment agencies, and government bodies. The categories of Personal Data that may be collected include, without limitation, name, contact details, identification data, employment and professional information, financial information, specific Personal Data (such as health data, crime records, child data, personal financial data), and other information necessary for the provision of Our services.

5. Use of Personal Data

We may process Your Personal Data where:

• it is necessary for the performance of a contract with You or Your organisation;
• it is required for compliance with legal and regulatory obligations;
• You have provided Your consent to such use, or the organisation that You work for has obtained Your consent (where necessary);
• it is necessary for the establishment, exercise, or defence of legal matters;
• We or a third party have a legitimate interest in Processing, provided that such interests do not override Your rights under PDPL and other applicable laws and regulations on Personal Data Processing provisions.

We may use Your Personal Data to:

• maintain and develop Our relationship with You and Our clients;
• monitor and analyse Our business;
• facilitate Our internal business operations;
• fulfil Our legal obligation;
• identify services You may be interested in;
• send You legal updates, publications, marketing, and details of events;
• protect, establish, exercise, or defend legal and contractual rights; and
• process and respond to requests, enquiries, or complaints received from You.

6. Careers and Recruitment

If You apply for a job or work placement, You may need to provide Personal Data about Your education, employment, racial background, and state of health. Your application will constitute Your express consent to Our use of this Personal Data to assess Your application and to allow Us to carry out any monitoring activities which may be required of Us under applicable laws and regulations as an employer. We may also carry out screening checks, including but not limited to reference, background, financial probity, identity, eligibility to work, vocational suitability, and criminal record checks. We may also process Your data to consider You for other positions. We may exchange Your Personal Data with academic institutions, recruiters, screening check providers, health service providers, professional and trade associations, law enforcement agencies, referees, and Your current and previous employers. Without Your Personal Data, We may not be able to progress considering You for positions with Us.

7. Data Retention

Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulations. Retention periods are determined by Our internal policies, taking into account statutory requirements, professional obligations, and legitimate business interests in accordance with the applicable laws and regulations.

8. Disclosure of Personal Data

We may disclose Personal Data to, but not limited to:

• clients, counterparties, courts, arbitral tribunals, regulators, and government authorities;
• professional advisers, auditors, and insurers;
• third-party service providers engaged by Us for business operations (e.g., IT services, cloud, document storage, compliance);
• co-counsel, foreign law firms, and consultants in connection with cross-border matters; and/or
• in certain cases, Your Personal Data may be transferred to jurisdictions outside Indonesia. Where such a transfer occurs, We shall ensure that adequate safeguards are implemented, consistent with PDPL and international data transfer standards.

Please note that some of the third parties with whom We share Personal Data may be located outside Your country or the country from which the data were provided (collectively the “Jurisdiction of Origin”). While such third parties will often be subject to privacy and confidentiality obligations, You accept that, where lawful, such obligations may differ from and be less stringent than the requirements of the privacy laws of the Jurisdiction of Origin. In those cases, We are not responsible for imposing the laws of the Jurisdiction of Origin, and You may not be able to seek redress under those laws.

9. Rights of Data Subjects

You are entitled to exercise the following rights under the PDPL:

• Right to obtain information regarding identity clarity, basis of legal interest, purpose of requesting and using Personal Data, and accountability of parties Processing Your Personal Data;
• Right to complete, update, and/or correct errors and/or inaccuracies in Your Personal Data in accordance with the purpose of the Personal Data Processing;
• Right to access and obtain a copy of Your Personal Data in accordance with the provisions of PDPL;
• Right to end Processing, delete, and/or destroy Your Personal Data in accordance with the provisions of PDPL;
• Right to withdraw consent to the Processing of Your Personal Data;
• Right to object to a decision-making action that is based solely on automated Processing;
• Right to delay or limit the Personal Data Processing proportionally with the purpose of Personal Data Processing;
• Right to sue and receive compensation for violations of the Processing of Your Personal Data in accordance with the provisions of laws and regulations; and
• Right to obtain Your Personal Data from Us in a form that is in accordance with the structure and/or format commonly used or readable by an electronic system.

Requests to exercise these rights may be submitted in writing to the contact address as set out below.

10. Data Breach Notification

In the event of a Personal Data breach that is likely to result in significant harm, IABF will notify the affected Data Subjects and the relevant government authority on Personal Data protection within 72 hours after confirmation of the breach. Remedial actions will be taken to mitigate risks.

11. Data Security

We implement appropriate technical, organisational, and administrative measures to safeguard Personal Data against unauthorised access, loss, alteration, or disclosure. Access to Personal Data is strictly limited to authorised personnel who are bound by confidentiality obligations.

We take reasonable steps to hold Personal Data securely in electronic or physical form, including the following:

• We store Personal Data in access-controlled premises or in electronic databases requiring logins and passwords.
• We require Our third-party data storage providers to comply with appropriate Personal Data security industry standards.
• All partners and staff, and third-party providers with access to confidential Personal Data are subject to confidentiality obligations.
• All IABF partners and staff with access to confidential Personal Data receive training on Personal Data protection under applicable laws and regulations on Personal Data protection for the purpose of preventing failure to protect Personal Data, and We require Our third-party providers with access to confidential Personal Data to do the same.

12. Amendments to this Privacy Policy

We reserve the right to amend or update this Privacy Policy at any time to reflect changes in legal, regulatory, or operational requirements. The updated version shall be effective upon publication on Our official website, unless otherwise required by law.

13. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Indonesia. Any disputes arising hereunder shall be submitted to the exclusive jurisdiction of the competent courts of Indonesia.

14. Contact Information

For inquiries, complaints, or to exercise Your rights under this Privacy Policy, please contact Us at the following:

Email: mail@iab-net.com