FINTECH COMPANY AND REGULATORY REQUIREMENTS ON PRIVACY AND DATA PROTECTION
In carrying out its business, a fintech company requires access to, and the collection of, the personal data and financial data of its users. The fintech company has to understand that such data fall under the right to privacy, which is part of fundamental human rights. The fintech company must also be aware of how crucial protecting the right to privacy is for the longevity of its business. Therefore a fintech company has to take data protection seriously, at a minimum by complying with the regulations and by deploying advanced information technology facilities and infrastructure. Without protection of and respect for privacy rights, a fintech business will not gain trust and will ultimately lose its consumers/users.
Financial Authority Service (“OJK”) Regulation No. 77/POJK.01/2016 on Information Technology-Based Lending Services, as further regulated under OJK Circular Letter No. 18/SEOJK.02/2017 on Governance and Risk Management of Information Technology in Information Technology-Based Lending Services, among others stipulates the following:
The fintech company has the obligation to:
(i) safeguard the confidentiality, integrity and availability of the personal data, transactional data and financial data of its users from the time of collection until such data is destroyed;
(ii) guarantee that the following activities are based on the written approval of the respective data owner:
• the collection,
• the use,
• the utilization, and
• the disclosure
of personal data, transactional data and financial data;
(iii) inform the owner of the data in writing if there is a failure in protecting personal data;
(iv) ensure authentication, verification and validation processes when accessing and processing the personal data, transactional data and financial data of its users;
(v) place its data center and disaster recovery center in Indonesia;
(vi) implement effective cyber security measures, policies and procedures in order to prevent and handle any threat and attack, so as to avoid disruption, failure and loss.
The fintech company is prohibited from:
(i) providing the lender with access to the borrower’s identity information and, vice versa, providing the borrower with the lender’s identity information;
(ii) providing or giving, by any means, its users’ data and information to any party;
(iii) sharing its users’ data and information with any party, except under the written approval of the users and/or where required by the regulations.
In addition to the above, OJK also requires the fintech company to register itself with the Ministry of Communication and Informatics (“MOCI”) as an Electronic System Operator (“ESO”).
As an ESO, the fintech company must also comply with MOCI Regulation No. 20/2016 on the Protection of Personal Data in Electronic Systems. This regulation, among others, sets out the following:
- the ESO shall only obtain and collect personal data to the extent that such data is relevant to and in line with its objective and purpose;
- the collection of personal data by the ESO requires the written approval of the data owner;
- the use, utilization (pemanfaatan), processing and analysis of personal data by the ESO require the written approval of the data owner, and such activities must be in line with the ESO’s purpose and objective;
- disclosing, opening access to and/or distributing personal data to any party is subject to the written approval of the data owner, except where otherwise required by the regulations;
- the owner of personal data must have access to their data, the ability to update or correct their data, and the right to delete their data;
- the ESO shall respect and safeguard the confidentiality of personal data;
- the ESO shall keep personal data in its electronic system in encrypted form;
- the ESO shall protect and safeguard personal data from being misused by any party, and the ESO shall be held accountable if the personal data under its control is misused. If a failure of protection occurs, the ESO shall inform the data owner within 14 days at the latest of such failure being noticed.
Disclaimer: This article is intended as general information only and it does not constitute a legal advice. We accept no responsibility for any loss that may arise from reliance on this information. Please contact us if you need full legal advice.