General Data Protection Regulation (GDPR) Policy
Effective Date: 28 August 2021
This GDPR Policy outlines the data protection principles and practices followed by CigaretKretek Indonesia (“We,” “Us,” or “Our”) in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This policy describes how personal data of individuals within the European Union (EU) is collected, processed, stored, and protected.
- Personal Data: Any information relating to an identified or identifiable natural person (“data subject”).
- Data Controller: Entity that determines the purposes and means of processing personal data.
- Data Processor: Entity that processes personal data on behalf of the data controller.
- Data Subject: Individual to whom the personal data belongs.
3. Data Collection and Processing
We collect and process personal data for specific and legitimate purposes. Data subjects are informed of the processing activities and have the right to provide explicit consent or withdraw consent at any time. Personal data collected includes, but is not limited to, names, contact information, demographic information, and any other data necessary for the intended purposes.
4. Legal Basis for Processing
We ensure that there is a legal basis for processing personal data, such as consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. The legal basis for processing is clearly communicated to data subjects.
5. Data Subject Rights
We respect the rights of data subjects as outlined in the GDPR, including the rights to access, rectification, erasure, restriction of processing, objection to processing, and data portability, and the right not to be subject to automated decision-making.
6. Data Security
We implement appropriate technical and organizational measures to ensure the security of personal data. This includes encryption, access controls, regular security assessments, and staff training.
7. Data Transfers
When transferring personal data outside the EU, we ensure that the recipient country provides an adequate level of data protection, or we implement appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules.
8. Data Breach Notification
In the event of a data breach that poses a risk to the rights and freedoms of data subjects, we will promptly notify the relevant supervisory authority and affected data subjects as required by the GDPR.
9. Data Retention
Personal data is retained for no longer than necessary for the purposes for which it was collected or as required by law. A clear data retention policy is in place to determine the duration of data storage.
10. Complaints and Queries
Data subjects have the right to lodge complaints with a supervisory authority if they believe that their data protection rights have been violated. Questions and concerns regarding data protection can be directed to [Your Contact Information].
11. Changes to the GDPR Policy
We may update this GDPR Policy as necessary to reflect changes in our data processing activities or legal requirements. Data subjects will be informed of any significant changes.