PRIVACY POLICY 

 

WHO ARE WE AND HOW YOU CAN CONTACT US 

Contact details of the Data Controller: PT BBN Airlines Indonesia (hereinafter “We”, “Ours”, “Company”) process the personal data of its’ customers, potential customer, employees, candidates to employees, suppliers, partners etc. (hereinafter referred to as the you, your) personal data in accordance with the provisions of the legal acts regulating the legal protection of personal data and applying the highest technical and legal standards of protection and taking all necessary measures to prevent possible breaches of personal data protection. This Privacy Policy (hereinafter referred to as the "Privacy Policy") sets out the basic rules for the collection, processing, and storage of your personal data and other information related to you, the scope, purposes, sources, recipients of your personal data and your rights as a personal data subject and other important aspects of your use of the Company’s services. This information is important, so we hope you will read it carefully. 

As used in this Privacy Policy, the term “personal data” (the “Personal Data”) means any information relating to an identified or identifiable natural person (data subject); identifiable natural person means a person who can be identified, directly or indirectly, in particular by means of an identifier such as name, personal identification number, location and internet identifier or one or more physical identifiers of that natural person, features of physiological, genetic, mental, economic, cultural or social identity. 

As a general rule, in processing the personal data, we responsibly comply with Law of the Republic of Indonesia No. 27 of 2022 on Personal Data Protection (“PDP Law”) and other directly applicable legal acts regulating the protection of personal data, as well as instructions from competent authorities (as may be amended, modified, or replaced from time to time). In certain cases where the regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) applies to the Company and/or the data subjects, the Company shall also ensure its compliance with the GDPR requirements. 

In the event that you provide us with personal information other than your own (for example, identifying another person as a beneficiary), you are required to inform them as data subjects (managers, beneficiaries, representatives, etc.) of this Privacy Policy and its contents, as well as about the transfer of their personal data to the Company. If such information has already been provided to us, it will be considered that the necessary approval has been obtained. 

If you have any questions regarding this Privacy Policy or requests regarding the processing of your personal data, please contact us by email at [email protected]

By visiting the Company's websites and/or using the information contained therein and/or our services, you acknowledge and confirm that you have read, understood, and expressly agreed to this Privacy Policy. 

TO WHOM THE PRIVACY POLICY APPLIES 

This Privacy Policy applies to our website (https://bbnairlines.id/) (the Website) and any service provided by the Company or other activities of the Company where personal data is being processed. 

The terms and conditions of the Privacy Policy apply to you every time you access the content and/or the service we provide, regardless of which device (computer, cell phone, tablet, TV, etc.) you are using. 

This Privacy Policy does not apply to links to other entities websites provided on our websites; therefore, we recommend that you read the personal data processing rules applied on such websites. Version 1.0 By Order of the BOD Circular Resolution No. SK-BOD-20/08/BBN/2024 dated 13 August 2024 

WHAT PRINCIPLES DO WE COMPLY TO? 

When processing your personal data, we: 

  1. comply with current and applicable legislation, as applicable; 
  2. we will process your personal data in a lawful, fair, and transparent manner; 
  3. we will collect your personal data for specified, clearly defined and legitimate purposes and will not continue to process it in a way incompatible with those purposes, except to the extent permitted by law; 
  4. take all reasonable steps to ensure that personal data which are inaccurate or incomplete, having regard to the purposes for which they are processed, are rectified, supplemented, suspended or destroyed without delay; 
  5. we will keep them in such a form that your identity can be established for no longer than is necessary for the purposes for which the personal data are processed; 
  6. we will not disclose or divulge personal data to third parties except as provided in the Privacy Policy or applicable law; 
  7. ensure that your personal data is processed in such a way as to ensure the appropriate security of personal data through appropriate technical or organizational measures, including protection against unauthorized or unlawful processing of personal data and against unintentional loss, destruction, or damage. Contact details of our Data Protection Officer: [email protected].
WHAT PERSONAL DATA, FOR WHAT PURPOSE AND BASIS DO WE PROCESS The purpose of the processing of personal data. Why we process personal data? The categories of processed personal data. What kind of categories of personal data we process? On what legal basis do we process personal data? The period of processing 
Administration of our Website When you visit our website, data about your browsing on the Website is collected using cookies. We use necessary/technical cookies to ensure the proper functioning of the Website and/or other third-party cookies to improve your browsing experience (i.e., to consider your needs, to continuously improve the website and to make offers that suit your interests). Your consent (except for necessary cookies). You can find more information about cookies and their storage terms on our website at https://bbnairlines.id/cookie-policy. 
Responding to your general enquiries or requests of information Our website or other public business channels provide com contacts where you can contact us to consult us on issues that concern you. We will accept, review, and respond to all your messages. If you contact us by e-mail, regular mail, or phone, we may process the following personal data of yours: name, surname, e-mail, postal address, and the text of the correspondence and/or attached documents. This data will be processed for the administration of your enquiry. Please note that we may need to contact you to provide Your consent, which you express by contacting us by e-mail, mail, or phone. Communication with you will be handled until the enquiry is fully processed and stored for one year from the date of the last communication with you unless there is another legitimate purpose for storing it longer (e. g. business contract with you has been concluded and communication material 
The purpose of the processing of personal data. Why we process personal data? The categories of processed personal data. What kind of categories of personal data we process? On what legal basis do we process personal data? The period of processing 
Administration of our Website When you visit our website, data about your browsing on the Website is collected using cookies. We use necessary/technical cookies to ensure the proper functioning of the Website and/or other third-party cookies to improve your browsing experience (i.e., to consider your needs, to continuously improve the website and to make offers that suit your interests). Your consent (except for necessary cookies). You can find more information about cookies and their storage terms on our website at https://bbnairlines.id/cookie-policy. 
Responding to your general enquiries or requests of information Our website or other public business channels provide com contacts where you can contact us to consult us on issues that concern you. We will accept, review, and respond to all your messages. If you contact us by e-mail, regular mail, or phone, we may process the following personal data of yours: name, surname, e-mail, postal address, and the text of the correspondence and/or attached documents. This data will be processed for the administration of your enquiry. Please note that we may need to contact you to provide Your consent, which you express by contacting us by e-mail, mail, or phone. Communication with you will be handled until the enquiry is fully processed and stored for one year from the date of the last communication with you unless there is another legitimate purpose for storing it longer (e. g. business contract with you has been concluded and communication material 

DIRECT MARKETING 

For direct marketing purpose, we process your personal data in the following cases: 

  1. when we obtain your explicit consent to such processing; 
  2. when you are a customer of us who have not objected to the processing of personal data for the purpose of direct marketing, marketing of similar services or products. 

 

For direct marketing purpose, we process the following of your personal data: name, surname, email address, and (or) telephone number. 

With your expressed consent to receive direct marketing messages or newsletters you subscribe, you agree to receive our news about new services, products, invitations to events etc. 

We inform you that Visitors may at any time refuse our newsletters or other promotional messages by clicking on a link to this in our outgoing newsletters and/or messages (as applicable). 

HOW WE PROCESS YOUR PERSONAL DATA 

Our use of your personal data will always have a lawful basis. Most commonly, we use your personal data: 

  1. Where we need to conclude any contract and/or perform any contract we have entered into with you; 
  2. Where we need to comply with a legal obligation; 
  3. Where we have your explicit consent; 
  4. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interest. 

 

“Legitimate interest” means our interest to enhance our services, products, to manage the processes of businesses and activities. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. The legitimate interests that we pursue include: 

  1. to perform our services in a timely and professional manner and to ensure that our service provider are utilized to achieve the same; 
  2. to fulfil the requirements for money laundering and financing terrorism prevention, prevention of corruption, bribery, and fraud to be legitimate, reliable, and reputable business to our counterparties and authorities; 
  3. to handle fraud, corruption or other wrongdoings in the Company and to defend against requirements and/or claims and investigations of the competent authorities, litigations (if any) or, if necessary, to keep such data regarding possible investigations on allegedly illegal or criminal acts; 
  4. to assert and/or defend our legal claims (where applicable). 

 

HOW LONG WE WILL RETAIN YOUR PERSONAL DATA 

We will retain your personal data for as long as necessary to achieve and fulfil the purposes set out in this Privacy Policy, taking into account the nature of the services provided to you and the contracts you enter into, unless longer storage of personal data and related documents is required by applicable laws and regulations or is required for the defense of our legitimate interests in judicial, other public institutions etc. 

We ensure and take all necessary measures to avoid storing outdated or unnecessary personal data about you and to keep your personal data up-to-date and accurate. 

We will use your personal data for direct marketing purposes for 3 (three) years after you’re giving consent or after the end of the contractual relationship (direct marketing of similar services or products). 

 

In any case, we will inform you the erasure and/or destruction of your personal data in accordance with the Article 45 of the PDP Law (as applicable).

HOW DO WE PROTECT YOUR DATA? 

We responsibly implement appropriate organisational and technical personal data security measures intended for the protection of personal data against accidental or unlawful destruction, alteration, and disclosure as well as against any other unlawful processing. The security measures we implement include the protection of personnel, information, IT infrastructure, internal and public networks as well as office buildings and technical equipment. 

In the event of personal data breach of security and/or we determine the circumstances with which unauthorised access to personal data has been obtained, we will immediately inform you about it, in accordance with the applicable laws. 

TO WHOM IS YOUR DATA ARE DISCLOSED 

We may share some of your personal data with the following categories of third parties: 

  1. any Avia Solutions Group1 
  2. 1 AVIA SOLUTIONS GROUP (ASG) PLC, a private limited liability company, established and acting under the laws of the Republic of Ireland, legal entity code: 727348, registration address Building 9, Vantage West, Central Park, Dublin, D18 FT0C, Ireland. company (listed at https://aviasg.com/en/the-group/general-contacts) for the purposes set out in this Privacy Policy (for example, for the purposes of performance of contracts and the management of relationship with customer); 
  3. representatives acting on our behalf with respect to the promotion of our services in particular territories; 
  4. companies providing data centers, hosting, cloud, site administration and related services, software developers, providing, maintaining and developing companies, companies providing information technology infrastructure services, companies providing communication services; 
  5. credit and debit card companies used to facilitate payment transactions related to the provision of our services, banks and other credit and/or payment companies; 
  6. our professional advisors, auditors, lawyers and/or financial advisers; 
  7. our other service providers (data processors) or our subcontractors; 
  8. notaries, if the contract concluded with you requires a notarial form; 
  9. judicial officers, entities providing legal and/or debt recoveries services, subrogator of claim right; 
  10. companies providing advertising and marketing services; 
  11. companies providing archiving, physical and/or electronic security, asset management and/or other business services; 
  12. in accordance with the laws to state institutions, establishments, etc.; 
  13. law enforcement authorities at their request or on our own initiative if there is a suspicion that a criminal offense has been committed, as well as courts and other dispute resolution bodies, tax administrators; 
  14. in the event of a company restructuring, transfer/acquisition and/or business transfer/acquisition, to a third party acquiring the business and processing personal data for the same purposes as specified in this Privacy Policy and/or doing the Due Diligence by our and/or their legal and/or financial advisors, etc. 

 

INTERNATIONAL TRANSFERS 

The nature of the Company`s business means that the personal data collected through our services are stored in the Republic of Indonesia– outside the countries of the European Economic Area (hereinafter - EEA) as general rule. Please note that in non-EEA states, personal data may be subject to less protection than within the EEA, but we carefully evaluate the conditions under which such data will be processed and stored after being transferred to the above-mentioned entities. 

When we transfer your personal information to countries outside the EEA, we will ensure an adequate level of protection is guaranteed by making sure - where required by law - that at least one of the following appropriate guarantees have been implemented: 

Transfer is to countries which, according to the European Commission, offer an adequate level of protection to personal information (so-called “adequacy decision”); 

We use specific contracts, approved by the European Commission, which ensure the same protection to personal information as granted in the EEA; or 

We use other appropriate solutions to address cross-border transfers as required or permitted by Article 56 of PDP Law and Articles 46 and 49 of the GDPR. 

In other cases, we take all necessary measures to ensure that your personal data is transferred to the recipient safely processing the data.

DO WE APPLY AUTOMATED DECISION-MAKING OR PROFILING? 

We do not normally use automated decision-making under Article 10 and Article 34 paragraph (2) letter a of the PDP Law to initiate and execute contractual relationships. Should we apply this procedure in individual cases, we will inform you separately, if required by law. 

We process your personal data in a partially automated way in order to assess certain personal aspects (hereinafter - Profiling). We use profiling, for example, when we are required by law to prevent money laundering or manage financial risk. 

RIGHTS GUARANTEED TO YOU 

We guarantee the implementation of these rights and the provision of any related information at your request or in case of your query: 

  1. know (be informed) about the processing of your personal data; 
  2. to get access to your personal data which are processed by us; 
  3. request correction or addition, adjustment of your inaccurate, incomplete personal data; 
  4. require the destruction of personal data when they are no longer necessary for the purposes for which they were collected; 
  5. request delay or limitation of the processing of personal data proportionally in accordance with the purposes for which they were collected; 
  6. request the destruction of personal data if they are processed illegally or when you withdraw your consent to the processing of personal data or do not give such consent, when is necessary; 
  7. disagree with the processing of personal data or withdraw the previously agreed consent;
  8. request to provide, if technically possible, the provision of your personal data in an easily readable format according to your consent or for the purpose of performing the contract or request the transfer of data to another data controller. 

 

In order to exercise your rights, please send us the request by e-mail to [email protected] or directly coming to the Company by address at Sequis Tower, 23rd Floor - Unit 3 & 5, Jl. Jend Sudirman Kavling 71, SCBD Lot 11B, Senayan, Kebayoran Baru, Jakarta Selatan, Indonesia

Upon receipt of your request, we may ask you to provide proof of your identity or other identifying information to ensure that we are exercising your rights as a data subject and to prevent unauthorized disclosure of personal data or information to others who are not entitled to it. If we are unable to identify you, we will not be able to exercise your rights as a data subject. 

 

We will provide you with access to your personal data which are processed by us, including its copy and the track record of the process, perform a rectification, adjustment, and/or correction to your inaccurate personal data, within 3x24 hours after we receive your request (as applicable according to the PDP Law). As for the copy of your personal data, we will provide your request free of charge, except for certain conditions in which we may charge a fee commensurate with our administrative costs, including if your request is unfounded, repetitive, or disproportionate. 

In any other cases, we will respond to you within 30 (thirty) calendar days of receipt of your claim and the due date for submission of all documents necessary to prepare the answer. In exceptional circumstances, which may require us to have additional time, the deadline for replying may be extended for a further two months, depending on the complexity of the situation. In this case, we will inform you in writing about such extension within 1 (one) month from the receipt of the request and indicate the reasons for the delay. If we think we need to, we will stop the processing your personal data, except for storage, until your application is resolved. If you have legally waived your consent, or request for a delay or limitation to the processing of personal data proportionally, we will terminate, delay, or limit the processing of your personal data within 3x24 hours after we receive your request (as applicable according to the PDP Law), except in the cases provided for in this Privacy Policy and in the cases provided for by law when further processing of your personal data is binding on us by the legislation in force, the legal obligations we are facing, court judgements or binding instructions from the authorities. The response will be provided in the same way as your request was received. 

By refusing to comply with your requirement, we will clearly indicate the grounds for such refusal. 

If you disagree with our actions or the response to your request, you may apply for remedies available to you in accordance with Article 12 of PDP Law. In all cases, we recommend that you contact us before commencing a formal action so that we can find the right solution. 

WHAT HAPPENS IF OUR BUSINESS CHANGES HANDS? 

We may, from time to time, expand or reduce the scope of our business operations and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this notice, be permitted to use that data only for the same purposes for which it was originally collected by us. We will notify you of such changes in accordance with Article 48 of the PDP Law. 

LINKS TO OTHER WEBSITES 

Our website may contain links to other websites, which are not operated by us. We have no control over how your data is collected, stored, or used by such other websites and we advise you to check the privacy policies of any such websites before providing any data to them.

SOCIAL NETWORKS 

When you visit social networks, your personal data is processed by a specific social network, and we start processing your personal data when you visit the Company on social networks. Through various social media channels, we want to introduce you to our wide range of services/products and exchange ideas and opinions with you on important topics. 

Your personal data provided on the social network is processed for the following purposes: 

  1. communicate with our social network visitors; 
  2. respond to visitor inquiries; 
  3. obtaining statistical information; 
  4. conducting customer surveys, marketing campaigns, market analysis, lotteries, competitions or similar actions or events; 
  5. if necessary, defending the legitimate interests of the Company in institutions. 

 

Unless explicitly stated otherwise, the legal basis for data processing is Article 20 paragraph (2) letter f of the PDP Law. Our legitimate interests are to be able to answer your messages or questions and analyze our availability on social networks, to present our products and services. To the extent that you wish to enter into a contractual relationship with us with your request, the legal basis for such processing is Article 20 paragraph (2) letter b of the PDP Law. 

If we intend to process your personal data for any other purpose not mentioned above, we will notify you prior to such processing. 

Our pages on social networks are managed by specific social networks, so when you visit them, the processing of personal data is based on the social network privacy policies. With some social networks, depending on the social network policy, the purposes and scope of the processing, we are considered as joint data controllers. 

Currently, We use these social networks: 

LinkedIn : https://www.linkedin.com/company/bbn-airlines-indonesia/

Instagram : https://www.instagram.com/bbnairlinesindonesia/

 

Name of the social network and its Privacy Policy Personal Data We process Personal Data We process as joint data controllers 

LinkedIn 

You can read their privacy policy by clicking here: https://www.linkedin.com/legal/privacy-policy.  

Your LinkedIn username, when you comment, react to the publication, share posts, write us messages, Your location indicated on the personal account, Your activities on our site, e.g. Your page views, duration statistics, query, comment information, and more. We use statistical information (visits to our website, range of contributions, visits and average video transmission times, information about the countries and cities from which our visitors come, age range, gender). We receive anonymous statistics from LinkedIn through their service. The data controllers’ agreement can be found here: https://www.linkedin.com/legal/l/dpa  

Instagram 

You can read their privacy policy by clicking here: https://help.instagram.com/519522125107875/?helpref=uf_share  

Your Instagram username, when you comment, react to the publication, share posts, share content in stories section, write us messages, Your activities on our site, e.g. Your page views, duration statistics, query, comment information, and more. 

We use statistical information (visits to our website, range of contributions, visits and average video transmission times, information about the countries and cities from which our visitors come, age range, gender). We receive anonymous statistics from Instagram through their service. The data controllers’ agreement can be found here: https://help.instagram.com/494561080557017/?helpref=hc_fnav  

 

 

CHANGES TO OUR PRIVACY POLICY 

We reserve a right to change this Privacy Policy unilaterally from time to time (for example, if the law changes). We will notify you of such changes immediately through post on our websites. We recommend that you check this page regularly to keep up-to-date. 

This Privacy Policy applies from the date it is posted on the Website. Last review of the Privacy Policy: 13 August 2024. If you continue to use our services (such as the Website) after changing the terms of the Privacy Policy, you will be deemed to have read, understood, and agreed to the changed terms of the Privacy Policy.

Whatsapp