ID
en
ru

ENGLISH


1. General Provisions
1.1. This Policy on the processing of personal data (hereinafter referred to as the "Policy") has been developed in compliance with the clause as stipulated under Laws No. 11 of 2008 on Information and Electronic Transaction jo. Laws No. 19 of 2016 on Amendment of Laws No. 11 of 2008 on Information and Electronic Transaction jo. Laws No. 01 of 2024 on Second Amendment of Laws No. 11 of 2008 on Information and Electronic Transaction (hereinafter referred to as the “Information and Electronic Transaction Laws”) and Laws No. 27 of 2022 on Personal Data Protection (hereinafter referred to as the “Personal Data Protection Laws”) to ensure the protection of the rights and freedoms of individuals during the processing of their personal data, including the right to privacy, personal and family confidentiality.
1.2. The Policy applies to all personal data processed by the group of companies PT BALI INVEST CLUB (PT BALI INVEST MANAGEMENT, PT BALI INVEST VILLA, PT BALI INVEST ADVISORS) (hereinafter referred to as the "Operator").
1.3. The Policy covers relations in the field of personal data processing that have arisen with the Operator both before and after the approval of this Policy.
1.4. In accordance with the Information and Electronic Transaction Laws and the Personal Data Laws, this Policy is published in open access on the Internet on the Operator's websites (including subdomains): https://bali-invest.online/, https://bali-invest.online/offer_ru, https://bali-invest.online/offer_eng, https://bali-invest.online/dolevie_rus, https://bali-invest.online/dolevie_eng.
1.5. Key terms used in the Policy:
1.5.1. Personal data - Personal Data is data about an identified or identifiable individual individually or in combination with other information either directly or indirectly through electronic or non-electronic systems related to a specific or identifiable User of the websites (including subdomains): https://bali-invest.online/, https://bali-invest.online/offer_ru, https://bali-invest.online/offer_eng, https://bali-invest.online/dolevie_rus, https://bali-invest.online/dolevie_eng.
1.5.2. Personal data operator (Operator) - any person, public body, and international organization acting individually or collectively in determining the purposes and exercising control of the processing of Personal Data.
1.5.3. Personal data processing - any action (operation) or set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, or destruction of personal data. Personal data processing includes:
  • Collection;
  • Recording;
  • Systematization;
  • Accumulation;
  • Storage;
  • Clarification (updating, modification);
  • Retrieval;
  • Use;
  • Transfer (distribution, provision, access);
  • Anonymization;
  • Blocking;
  • Deletion;
  • Destruction.
1.5.4. Automated processing of personal data - processing of personal data using computer technology;
1.5.5. Distribution of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
1.5.6. Provision of personal data - actions aimed at disclosing personal data to a specific person or a specific circle of persons;
1.5.7. Blocking of personal data - temporary suspension of personal data processing (except in cases where processing is necessary to clarify personal data);
1.5.8. Destruction of personal data - actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or resulting in the destruction of tangible media containing personal data;
1.5.9. Anonymization of personal data - actions resulting in the impossibility of determining, without the use of additional information, the affiliation of personal data to a specific personal data subject; Personal data information system - a set of personal data contained in databases and information technologies and technical means ensuring their processing.
1.6. Main rights and obligations of the Operator.
1.6.1. The Operator has the right to:
  • independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other laws;
  • delegate the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by law, on the basis of a contract concluded with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for by the Personal Data Law, maintain the confidentiality of personal data, and take necessary measures to ensure the fulfillment of the obligations provided for by the Personal Data Law;
  • obtain accurate information and/or documents containing personal data from the personal data subject;
  • in the event of the withdrawal of consent to the processing of personal data by the personal data subject, the Operator has the right to continue processing personal data without the consent of the personal data subject if there are grounds specified in the Personal Data Law.
1.6.2. The Operator is obliged to:
  • organize the processing of personal data in accordance with the requirements of the Personal Data Law;
  • respond to inquiries and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
  • report to the authorized body for the protection of the rights of personal data subjects Integrated Public Service Portal of Ministry of Communication and Digital Indonesia at layanan.kominfo.go.id upon its request with the necessary information within 10 working days from the date of receipt of such a request. This period may be extended, but not more than for five working days. To do this, the Operator must send a reasoned notification to the Integrated Public Service Portal of the Ministry of Communication and Digital Indonesia at layanan.kominfo.go.id indicating the reasons for the extension of the period for providing the requested information;
  • in the manner determined by the executive authority authorized in the field of security, ensure interaction with the state system for detecting, preventing, and mitigating the consequences of computer attacks on the information resources of the Republic of Indonesia, including informing it about computer incidents that resulted in unauthorized transfer (provision, distribution, access) of personal data;
  • terminate the transfer (distribution, provision, access) of personal data, cease processing, and destroy personal data in the manner and cases provided for by the Personal Data Law.
1.7. Main rights of the personal data subject.
1.7.1. The personal data subject has the right to:
  • receive information related to the processing of their personal data, except in cases provided for by law. The information is provided to the personal data subject by the Operator in an accessible form and should not contain personal data relating to other personal data subjects unless there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it are established by the Personal Data Law;
  • request the Operator to clarify their personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or are not necessary for the stated purpose of processing, as well as take measures provided for by law to protect their rights;
  • give prior consent to the processing of personal data for the purpose of promoting goods, works, and services on the market;
  • withdraw consent to the processing of personal data;
  • appeal to the Integrated Public Service Portal of the Ministry of Communication and Digital Indonesia at layanan.kominfo.go.id or in court against unlawful actions or inaction by the Operator when processing their personal data.
1.8. Obligations of personal data subjects.
1.8.1. Personal data subjects are obliged to:
  • provide the Operator with accurate information about themselves;
  • notify the Operator about clarifications (updates, changes) of their personal data.
1.8.2. Persons who provide the Operator with inaccurate information about themselves or information about another personal data subject without the latter's consent are liable in accordance with the legislation of the Republic of Indonesia.
1.8.3. Control over compliance with the requirements of this Policy is carried out by the authorized person responsible for organizing the processing of personal data at the Operator.
1.8.4. Liability for violation of the requirements of the legislation of the Republic of Indonesia and regulatory acts in the field of personal data processing and protection is determined in accordance with the legislation of the Republic of Indonesia.

2. Purposes of Personal Data Collection
2.1 The processing of personal data is limited to achieving specific, predetermined, and lawful purposes. The processing of personal data incompatible with the purposes of its collection is not allowed.
2.2 Only personal data that corresponds to the purposes of its processing is subject to processing.
2.3 The Operator processes personal data for the following purposes:
2.3.1 Informing the User by sending emails; providing the User with access to services, information, and/or materials contained on the Websites (including subdomains).
2.3.2 Carrying out its activities, including the conclusion, execution, and termination of civil law contracts.
2.3.3 Providing the User with access to services, information, and/or materials contained on the websites (including subdomains).
2.3.4 The website also collects and processes anonymized data about visitors (including cookies) using internet statistics services (Yandex.Metrica, Google Analytics, and others).
2.3.5 The Operator is also entitled to send the User notifications about new products and services, special offers, and various events. The User can always opt out of receiving informational messages by sending an email to the Operator at marketing@baliinvestclub.com with the subject line "Opt-out of notifications about new products, services, and special offers."
2.3.6 Anonymized User data collected via internet statistics services is used to gather information about User actions on the website, improve the quality of the website, and its content.
2.4 The processing of Users' personal data may only be carried out to ensure compliance with laws and other regulatory legal acts.

3. Legal Grounds for Personal Data Processing
3.1 The legal grounds for personal data processing are a set of regulatory legal acts in accordance with which the Operator processes personal data, including:
3.1.1 The Constitution of the Republic of Indonesia;
3.1.2 The Civil Code of the Republic of Indonesia;
3.1.3 The Tax Code of the Republic of Indonesia;
3.1.4 Other regulatory legal acts governing the Operator's activities;
3.1.5 Contracts concluded between the Operator and personal data subjects;
3.1.6 Consent of personal data subjects for the processing of their personal data.

4. Scope and Categories of Processed Personal Data, Categories of Personal Data Subjects
4.1 The content and scope of processed personal data must correspond to the declared purposes of processing provided for in Section 2 of this Policy. Processed personal data must not be excessive in relation to the declared purposes of their processing. 4.2 The Operator may process personal data of the following categories of personal data subjects. 4.2.1 Clients, Users, and contractors of the Operator—for the purpose of conducting its activities:
  • Surname, first name;
  • Date and place of birth;
  • Passport details;
  • Residential registration address;
  • Contact details;
  • Taxpayer identification number;
  • Bank account number;
  • Email address;
  • Phone numbers;
  • Other personal data provided by clients and contractors (individuals) necessary for the conclusion and execution of contracts.
4.3 The Operator does not process biometric personal data (information that characterizes a person’s physiological and biological features, which can be used to establish their identity). 4.4 The Operator does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, or intimate life, except as provided by the legislation of the Republic of Indonesia.

5. Procedure and Conditions for Processing Personal Data
5.1 The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Republic of Indonesia.
5.2 Personal data is processed with the consent of the personal data subjects, as well as without it in cases provided by the legislation of the Republic of Indonesia.
5.3 The Operator processes personal data for each purpose of processing using the following methods:
  • Non-automated processing of personal data;
  • Automated processing of personal data with or without the transmission of the obtained information via information and telecommunication networks;
  • Mixed processing of personal data.
5.4 Employees of the Operator whose job duties include the processing of personal data are allowed to handle personal data.
5.5 The processing of personal data for each purpose specified in clause 2.3 of the Policy is carried out through:
  • Receiving personal data in oral and written form directly from the personal data subjects;
  • Entering personal data into the Operator’s logs, registers, and information systems;
  • Using other methods of processing personal data.
5.6 Disclosure to third parties and dissemination of personal data without the consent of the personal data subject are not permitted unless otherwise provided by law. Consent to process personal data authorized by the personal data subject for dissemination is documented separately from other consents of the subject for the processing of their personal data.
5.7 The Operator takes necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, dissemination, and other unauthorized actions, including:
  • Identifying threats to the security of personal data during processing;
  • Adopting local regulatory acts and other documents governing the relationships in the field of processing and protecting personal data;
  • Appointing individuals responsible for ensuring the security of personal data in the Operator’s structural divisions and information systems;
  • Creating the necessary conditions for working with personal data;
  • Organizing the accounting of documents containing personal data;
  • Managing the operation of information systems in which personal data are processed;
  • Storing personal data under conditions that ensure their security and exclude unauthorized access to them;
  • Organizing the training of the Operator's employees who process personal data.
5.9 The Operator stores personal data in a form that allows the identification of the personal data subject no longer than is required for each purpose of processing personal data unless the storage period is established by law or contract.
5.10 The storage period of personal data processed in personal data information systems corresponds to the storage period of personal data on paper media.
5.11 The Operator ceases the processing of personal data in the following cases:
  • When unlawful processing is identified. Deadline: within three business days from the date of identification;
  • When the purpose of processing has been achieved;
  • When the consent of the personal data subject for processing has expired or been withdrawn, and the processing is allowed solely based on consent under the Personal Data Law.
5.12 When the purpose of processing personal data has been achieved, or the consent of the personal data subject for processing has been withdrawn, the Operator ceases processing these data unless:
  • Otherwise provided by a contract in which the personal data subject is a party, beneficiary, or guarantor;
  • The Operator is authorized to process the data without the consent of the personal data subject based on provisions in the Personal Data Law or other laws;
  • Otherwise stipulated by another agreement between the Operator and the personal data subject.
5.13 Upon receiving a request from the personal data subject to cease processing their personal data, the Operator ceases processing within 10 business days from the date of receiving the request, except as provided by the Personal Data Law. This period may be extended by no more than five business days. In this case, the Operator must send the personal data subject a reasoned notification indicating the reasons for the extension.
5.14 When collecting personal data, including via information and telecommunication networks such as the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens using databases located on the territory of the Republic of Indonesia, except as provided by the Personal Data Law.

6. Updating, Correction, Deletion, and Destruction of Personal Data, Responses to Data Subject Requests for Access to Personal Data
6.1 Confirmation of the processing of personal data by the Operator, the legal grounds and purposes of the processing, as well as other information specified in the Personal Data Law, is provided by the Operator to the data subject or their representative within 10 (ten) business days from the date of the request or receipt of the data subject's or their representative's inquiry. This period may be extended by no more than five business days, for which the Operator must send the data subject a reasoned notice specifying the reasons for the extension.
The provided information does not include personal data related to other data subjects unless there are legal grounds for disclosing such personal data.
6.2 The request must include:
  • the number of the primary document identifying the data subject or their representative, details of its issuance date, and the issuing authority;
  • information confirming the data subject's relationship with the Operator (contract number, date of contract conclusion, conditional verbal designation, and/or other information), or information otherwise confirming the fact of personal data processing by the Operator;
  • the signature of the data subject or their representative.
6.3 The request may be submitted in electronic form and signed with an electronic signature in accordance with the legislation of the Republic of Indonesia.
6.4 The Operator provides the information specified in the Personal Data Law to the data subject or their representative in the same format in which the request was made, unless otherwise specified in the request.
6.5 If the data subject's request does not include all the necessary information required by the Personal Data Law, or the subject does not have access rights to the requested information, the Operator issues a reasoned refusal.
6.6 The data subject's right to access their personal data may be restricted under the Personal Data Law, including in cases where such access violates the rights and legitimate interests of third parties.
6.7 If inaccuracies in personal data are identified in a request by the data subject or their representative, or upon a request from the Ministry of Communication and Digital Indonesia, the Operator blocks the personal data related to the data subject from the time of such a request for the duration of verification, provided that blocking does not violate the rights and legitimate interests of the data subject or third parties.
6.8 If the inaccuracy of personal data is confirmed, the Operator corrects the personal data based on information provided by the data subject or their representative, the Ministry of Communication and Digital Indonesia, or other necessary documents within 7 (seven) business days of receiving such information and lifts the data blocking.
6.9 If unlawful processing of personal data is identified in a request by the data subject or their representative, or the Ministry of Communication and Digital Indonesia, the Operator blocks the unlawfully processed personal data related to the data subject from the time of the request.
6.10 If the Operator, the Ministry of Communication and Digital Indonesia, or another interested party identifies an incident of unlawful or accidental disclosure (provision, dissemination) of personal data (access to personal data) that violated the rights of data subjects, the Operator shall:
Within 24 hours, notify Integrated Public Service Portal of Ministry of Communication and Digital Indonesia at layanan.kominfo.go.id of the incident, the presumed reasons for the violation, the estimated harm caused to the rights of data subjects, measures taken to address the consequences, and provide the contact details of the person authorized by the Operator to interact with Integrated Public Service Portal of Ministry of Communication and Digital Indonesia at layanan.kominfo.go.id on matters related to the incident.
Within 72 hours, notify the Integrated Public Service Portal of Ministry of Communication and Digital Indonesia at layanan.kominfo.go.id of the results of the internal investigation into the incident and provide details of the individuals whose actions caused the incident (if applicable).
6.11 Procedure for the destruction of personal data by the Operator.
6.11.1 Conditions and timeframes for the destruction of personal data by the Operator:
  • Achieving the purpose of processing personal data or losing the necessity for such purposes – within 30 days;
  • Reaching the maximum storage period for documents containing personal data – within 30 days;
  • Providing confirmation by the data subject (or their representative) that personal data was unlawfully obtained or is not required for the stated purpose of processing – within 7 business days;
  • Withdrawal of consent by the data subject for processing their personal data if retention is no longer required – within 30 days.
6.11.2 Personal data must be destroyed upon achieving the purpose of processing or upon withdrawal of the data subject's consent unless:
  • Otherwise stipulated by a contract where the data subject is a party, beneficiary, or guarantor;
  • The Operator is authorized to process the data without the subject's consent based on the Personal Data Law or other federal laws;
  • Otherwise agreed upon by the Operator and the data subject in a separate agreement.
6.12 This document reflects any changes in the Operator's personal data processing policy. The policy is effective indefinitely until it is replaced by a new version.
6.13 The current version of the Policy is publicly available online at: https://bali-invest.online/