Effective Date: 17 January 2022
KIRIM.EMAIL is also subject to GDPR and California Specific Rights regulations.
This Privacy Policy outlines the responsibilities of KIRIM.EMAIL (PT. Kirim Email Indonesia), users (customers of KIRIM.EMAIL), and subscribers (individuals whose data is collected by users), in compliance with Undang-Undang Republik Indonesia Nomor 27 Tahun 2022 Tentang Perlindungan Data Pribadi (Law No. 27 of 2022 concerning Personal Data Protection).
KIRIM.EMAIL’s Responsibilities
KIRIM.EMAIL, as the email marketing service provider, ensures the protection of personal data and transparency in its processing. Our responsibilities include:
- Data Protection: KIRIM.EMAIL will implement technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction, in accordance with Indonesian Law No. 27 of 2022.
- Data Processing: KIRIM.EMAIL will process personal data strictly for the purposes specified in its agreement with users and as outlined in this Privacy Policy. KIRIM.EMAIL acts as a data processor on behalf of users, adhering to the principles of lawfulness, fairness, and transparency in its processing activities.
- Purpose Limitation: KIRIM.EMAIL will process personal data only for the specific purposes for which it was collected, as agreed upon with users and in accordance with this Privacy Policy.
- Data Minimization: KIRIM.EMAIL will collect and process only the minimum amount of personal data necessary for the specified purposes, avoiding the collection of excessive or irrelevant personal data.
- Data Retention: KIRIM.EMAIL will retain personal data only as long as necessary for the specified purposes or as required by law. KIRIM.EMAIL will establish and adhere to clear data retention schedules for different categories of personal data. Personal data will be deleted or anonymized once it is no longer needed.
- Data Access and Control: KIRIM.EMAIL provides users with the ability to access and control their subscribers’ personal data, subject to applicable legal requirements.
- Data Transfers: If KIRIM.EMAIL transfers personal data to third parties or outside Indonesia, it ensures that such transfers comply with Indonesian Data Protection Law. This includes ensuring that the recipient country has an adequate level of data protection or that adequate safeguards are in place, such as Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs). KIRIM.EMAIL will obtain explicit consent from subscribers for data transfers to countries without adequate data protection.
- Technical and Organizational Security Measures: KIRIM.EMAIL implements a range of technical and organizational security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include:
  - Encryption: Encrypting personal data in transit and at rest using industry-standard encryption algorithms.
  - Access Controls: Implementing strict access control mechanisms to limit access to personal data only to authorized personnel who require it for their job duties.
  - Vulnerability Management: Regularly assessing and addressing potential security vulnerabilities in our systems and infrastructure.
  - Employee Training: Providing regular data protection and security training to our employees to ensure they understand their responsibilities and best practices for handling personal data.
- Data Breach Notification: In the event of a data breach, KIRIM.EMAIL will promptly investigate the incident and notify the Indonesian Data Protection Authority (DPA) and affected data subjects within 72 hours of becoming aware of the breach, as Article 46 of the UU PDP requires. The notification will include details of the breach, the types of data affected, potential risks to data subjects, and measures taken by KIRIM.EMAIL to mitigate the impact of the breach.
- Transparency: KIRIM.EMAIL will be transparent about its data processing practices, and this Privacy Policy will be readily available to users and subscribers.
User Responsibilities
Users (customers of KIRIM.EMAIL) act as data controllers and are responsible for ensuring compliance with applicable laws regarding their subscribers’ personal data. Users must:
- Lawful Basis for Processing: Ensure they have a lawful basis for processing subscribers’ personal data, such as obtaining consent, fulfilling contractual obligations, or complying with legal requirements.
- Consent: Users must obtain explicit, informed, and specific consent from subscribers before importing their personal data into KIRIM.EMAIL’s platform. Consent must be freely given, specific to each purpose of processing, and subscribers must be informed about how their data will be processed. Consent can be provided in writing, recorded, electronically, or non-electronically.
- Transparency: Users must inform subscribers that their data will be processed by KIRIM.EMAIL on their behalf. Users should provide a link to this Privacy Policy to ensure transparency.
- Data Accuracy: Users are responsible for ensuring that the personal data of subscribers is accurate and up to date.
- Data Security: Users must take appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
- Subscriber Rights: Users must respect and facilitate the rights of subscribers, such as access to data, rectification, erasure, objection to processing, data portability, and the right to change their personal data preferences, as provided under Indonesian Data Protection Law.
- Data Minimization: Users should collect only the data necessary for the specified purpose and avoid collecting excessive or irrelevant personal data.
- Clean and Valid Data Imports: Users are required to import only valid email addresses into KIRIM.EMAIL’s platform. This means:
  - Users must ensure that all subscribers whose data is being imported have provided explicit consent and the email addresses are active and valid.
  - It is strongly recommended that users import email addresses that have undergone prior verification to confirm their validity.
  - KIRIM.EMAIL has an internal email verification system in place, which may identify and remove email addresses that are deemed invalid or potentially harmful to the platform’s data security.
  - Invalid email addresses may include those that are no longer in use, contain syntax errors, or have been flagged as risky. In such cases, KIRIM.EMAIL may remove these emails to maintain data integrity and security.
Subscriber Rights
Subscribers (whose data is collected by users) are entitled to the following rights concerning their personal data:
- Right to Information: Subscribers have the right to be informed about the collection, use, and disclosure of their personal data.
- Right to Change: Subscribers have the right to change their personal data preferences that are being processed by KIRIM.EMAIL on behalf of users.
- Right to Rectification: Subscribers can request the correction of inaccurate or incomplete personal data.
- Right to Erasure: Subscribers can request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected or when consent is withdrawn.
- Right to Object: Subscribers can object to the processing of their personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Subscribers can withdraw their consent for data processing at any time. KIRIM.EMAIL and users will cease data processing within 3×24 hours of receiving the withdrawal request.
- Right to Data Portability: Subscribers have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to Lodge a Complaint: Subscribers can file a complaint with the Indonesian Data Protection Authority (DPA) if they believe their rights have been violated.
Disclaimer
KIRIM.EMAIL acts as a data processor on behalf of users. KIRIM.EMAIL is not responsible for the actions of users in relation to the collection, use, or disclosure of subscribers’ personal data, especially actions that violate the Indonesian Data Protection Law or this Privacy Policy. Users are solely responsible for complying with Indonesian Data Protection Law and other applicable regulations when using KIRIM.EMAIL’s services.
KIRIM.EMAIL’s Liability
KIRIM.EMAIL will make commercially reasonable efforts to comply with this Privacy Policy and Indonesian Data Protection Law. However, KIRIM.EMAIL is not liable for any damages arising from:
- A user’s breach of this Privacy Policy or the Indonesian Data Protection Law.
- Unauthorized access to or disclosure of personal data that is beyond KIRIM.EMAIL’s reasonable control.
- Acts of God, war, terrorism, riots, or other events beyond KIRIM.EMAIL’s control.
Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of Indonesia. In the event of any dispute arising from this Privacy Policy, the courts of Indonesia shall have exclusive jurisdiction.
Updates to this Privacy Policy
KIRIM.EMAIL may update this Privacy Policy from time to time to reflect changes in regulations, business practices, or user feedback. Material changes will be communicated to users and subscribers via email or through in-platform notifications. A material change is defined as a change that significantly affects the way KIRIM.EMAIL processes personal data or impacts the rights of users and subscribers. The latest version of this Privacy Policy will always be available on KIRIM.EMAIL’s website.