Privacy Notice Esin Indonesia

PT Esin Group Indonesia

Last updated: February 2026

PT Esin Group Indonesia (“Esin”, “we”, “our”, or “us”) is committed to protecting personal data and respecting the privacy rights of individuals in accordance with applicable laws and regulations of the Republic of Indonesia, including Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi and its implementing regulations (collectively, the “PDP Law”).

This Privacy Notice explains how we collect, use, disclose, store, transfer, and otherwise process personal data in connection with our business activities and professional services.

1. Scope of this Privacy Notice

This Privacy Notice applies to personal data processed by PT Esin Group Indonesia in connection with its business activities, including personal data of individuals located in Indonesia or otherwise subject to the PDP Law.
It applies to processing activities relating to:
• provision of professional advisory services;
• corporate, immigration, tax, accounting, and business consultancy services;
• client onboarding, know-your-client (KYC), and compliance procedures;
• website access and digital communications;
• recruitment and employment-related processes;
• interactions with business partners, vendors, and service providers.

2. Personal Data Controller and Processor

For purposes of the PDP Law:
• PT Esin Group Indonesia may act as a Personal Data Controller, where we determine the purposes and means of processing personal data;
• We may engage third-party service providers acting as Personal Data Processors under written agreements ensuring compliance with the PDP Law; and/or
• a Personal Data Processor, where we process personal data on behalf of clients in connection with professional engagement.
Where acting as a processor, processing shall be performed strictly in accordance with written instructions and applicable law.

3. Categories of Personal Data

We may collect and process the following categories of personal data:
(a) General Personal Data
• full name;
• gender;
• citizenship;
• religion;
• marital status; and/or
• combined personal data that may identify a person; and
• contact information (email address, telephone number, residential or business address);

(b) Specific Personal Data (where applicable)
In limited circumstances and strictly where necessary or permitted by law, we may process:
• health information and data;
• biometric data;
• genetic data;
• criminal records;
• children’s data;
• personal financial data; and/or
• other data required under applicable law

4. Sources of Personal Data

Personal data may be obtained from:
• data subjects directly;
• clients or authorised representatives;
• publicly available sources;
• regulatory or governmental authorities;
• third-party service providers; or
• other lawful sources.

5. Purposes of Processing

Personal data is processed for legitimate business purposes, including but not limited to:
• delivering professional and consultancy services;
• client due diligence and regulatory compliance;
• regulatory filings and submissions;
• contract administration and engagement management;
• billing, accounting, and payment processing;
• internal governance, audit, and risk management;
• recruitment and human resources administration;
• communication and relationship management;
• improvement of operational efficiency and service quality; and
• compliance with legal obligations.

6. Legal Basis for Processing

Processing of personal data is carried out based on one or more lawful grounds under the PDP Law:
• consent of the data subject;
• fulfilment of contractual obligations;
• compliance with legal or regulatory obligations;
• performance of duties in the public interest, where applicable;
• legitimate interests pursued by Esin that do not override the rights of data subjects;
• protection of vital interests where applicable.
Where processing is based on consent, data subjects may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to such withdrawal.

7. Disclosure and Sharing of Personal Data

Personal data may be disclosed to:
• affiliated entities within the Esin Group;
• professional advisers and consultants;
• regulatory or governmental authorities where required by law;
• financial institutions or payment providers;
• technology and administrative service providers;
• other parties authorised by the data subject or permitted under applicable laws.
All disclosures are limited to lawful and necessary purposes consistent with this Privacy Notice.

8. Cross-Border Data Transfers

Given the regional nature of our operations, personal data may be transferred to jurisdictions outside Indonesia, including to affiliated entities or service providers located overseas Cross-border transfers shall be conducted in accordance with Article 56 of the PDP Law and applicable regulations.
Where cross-border transfers occur, Esin will ensure:
• adequate and reasonable data protection standards in the recipient country;
• implementation of binding contractual safeguards;
• obtaining explicit consent from the data subject, where required under law; and/or
• compliance with applicable transfer requirements under Indonesian law.
Where the recipient country does not provide an adequate level of protection, Esin will implement appropriate contractual, organisational, and technical safeguards to ensure lawful processing to be acceptable and/or equivalent to Indonesian PDP law.

9. Data Retention

Personal data will be retained only for as long as necessary to:
• fulfil the purposes set out in this Privacy Notice;
• satisfy legal, regulatory, accounting, or reporting obligations;
• comply with statutory limitation periods;
• resolve disputes or enforce contractual rights.
Retention periods are determined based on contractual duration, statutory limitation periods, regulatory requirements, and operational necessity. Upon expiry of the retention period, personal data will be securely deleted, or otherwise disposed of in accordance with applicable requirements.

10. Security Measures

We implement appropriate technical, administrative, and organisational safeguards to protect personal data against:
• unauthorised access;
• accidental loss or destruction;
• unlawful processing;
• alteration or disclosure.
Security measures include access restriction controls, internal confidentiality obligations, secure storage systems, and periodic review of data handling practices.

11. Personal Data Breach Management

In the event of a personal data breach, Esin will:
• conduct assessment and mitigation measures;
• take necessary actions to minimise impact; and
• notify relevant authorities and/or affected data subjects no later than 3 x 24 hours after discovery, where required under the PDP Law.

12. Rights of Data Subjects

In accordance with Chapter V within PDP Law, data subjects may have the right to:
• obtain information on processing activities;
• access and request copies of personal data;
• request correction or updating of inaccurate data;
• withdraw consent (where applicable);
• request delay, restriction or termination of processing;
• request deletion or destruction of personal data;
• object to certain processing activities;
• object to automated decision-making that has legal or significant impact;
• seek compensation for violations of personal data protection;
• file a complaint with the relevant supervisory authority; and
• exercise other rights provided under applicable law.
We may require verification of identity before processing any request to exercise data subject rights.
Requests may be submitted through the contact details below.

13. Contact Information

For privacy-related inquiries, please contact:
PT Esin Group Indonesia
Ciputra World One, DBS Bank Tower
28th Floor, Unit 2802
Jakarta, Indonesia
Email: info@esinbiz.com

14. Cookies and Website Data

When you access our website, we may automatically collect certain technical information, including IP address, browser type, device information, pages visited, and referring URLs.

We may use cookies and similar tracking technologies to:
• ensure website functionality;
• analyse website traffic and usage patterns;
• improve user experience;
• maintain website security.
Essential cookies are necessary for website operation and do not require consent. Non-essential cookies (including analytics or marketing cookies) will only be activated after obtaining your consent. You may manage or withdraw your cookie preferences at any time through the Cookie Settings feature available on our website.
Where required by law, consent will be obtained prior to placing non-essential cookies.

15. Amendments

Esin reserves the right to amend or update this Privacy Notice to reflect changes in legal, regulatory, or operational requirements. The latest version will be made available through our official communication channels and website.