1. Introduction

    This Privacy Notice applies to personal data and information managed by PT Bank Maybank Indonesia Tbk (“Organizer”) as of May 24, 2025, in accordance with the applicable terms and conditions governing the processing of Personal Data by the Organizer.

    The Organizer understands the importance of protecting Personal Data as regulated under Law No. 27 of 2022 on Personal Data Protection and its implementing regulations, as enacted and amended from time to time (hereinafter referred to as “PDP Law”), which are applicable to the Organizer. Therefore, the Organizer is committed to implementing the provisions of the PDP Law and related or implementing regulations to ensure the confidentiality and protection of your Personal Data in accordance with prevailing laws and regulations.

    For the purposes of this Privacy Notice, “Personal Data” means data about an individual who is identified or can be identified either individually or in combination with other information, whether directly or indirectly, and which can be used to identify, contact, or track the Data Subject through electronic or non-electronic systems as defined in the PDP Law, its related regulations, and Section 3 of this Privacy Notice. Personal Data also includes individual information found on identity cards that can identify a person (including your photo), phone number, email address, and your date of birth.

    This Privacy Notice, including any updates from time to time (“Privacy Notice”), explains how the Organizer processes your Personal Data, which includes the acquisition, collection, processing, analysis, storage, correction, updating, display, publication, transfer, distribution, disclosure, deletion, and/or destruction of your Personal Data (hereinafter referred to as "Personal Data Processing") through the use of https://www.maybankmarathon2025.com (the “Site”), for the purpose of participating in the Maybank Marathon and/or by third parties cooperating with the Organizer (“Third Parties”) (hereinafter referred to as the “Purpose”).

    This Privacy Notice applies to all users (collectively referred to as “Runners”).

    Runners are required to read and understand this Privacy Notice thoroughly in order to be fully aware of and understand the practices of Personal Data Processing and the protections implemented by the Organizer regarding the Runners’ Personal Data.
  2. Runner's Declarations and Warranties Regarding the Provision of Personal Data

    The Runner declares and warrants that:

    1. The Runner has read and understood all the information presented in this Privacy Notice (including the Personal Data Processing carried out by the Organizer under this Privacy Notice);
    2. The Runner consents to the authenticity, completeness, and accuracy of the Personal Data provided to the Organizer;
    3. The Runner consents to and understands that the Runner will apply the principles of Personal Data protection in accordance with the PDP Law if, in the future, for any reason, the Third Party including the Organizer provides Personal Data to the Runner. In certain circumstances, the Runner may be asked to provide another person’s Personal Data (such as an emergency contact) to the Organizer.

      If the Runner provides another person’s Personal Data to be processed by the Organizer, the Runner declares and warrants that they have lawfully obtained the explicit consent of that individual as the Data Subject, and hereby understands that the Organizer relies on such declarations and warranties to carry out the Personal Data Processing of the said individual/party.

      The Organizer is not responsible if the Personal Data provided by the Runner—especially the Personal Data of other individuals (including Third Party personal data disclosed by the Runner to the Organizer)—was obtained unlawfully or if the declarations and warranties made by the Runner are proven to be false. The Organizer may request proof of consent from the individual whose Personal Data was disclosed by the Runner at any time if necessary.
  3. Types of Personal Data Collected and Collection Methods

    The types of Personal Data collected from Runners depend on the intended purpose of the Personal Data Processing. The data collected may include the following:

    1. Identity Data, including full name, photo, place and date of birth, gender, signature (wet and/or electronic), and identity card along with the Personal Data contained therein (such as National Identification Number (NIK) and/or passport number).
    2. Contact Data, including email address, mobile phone number, and mailing address.
    3. Device Data, including device details such as the type/model of the device used to access and perform activities on the site, Internet Protocol (IP) address, geographic location (geolocation, as required for providing services), username, password, recovery email, display picture, and cookies. Cookies are small text files containing personal data—such as your name and password—used to identify your device when using the Site. Cookies are used to recognize the Runner and enhance the Runner's browsing experience on the Site (to personalize data and services access). Runners may control cookies via their browser settings; however, this may affect the performance or quality of the services.
    4. Specific Financial Data, including transaction history and payment channels such as credit cards or bank accounts.
    5. Medical Data, including blood type and specific medical conditions.
    6. Other Personal Data, in accordance with applicable laws and regulations, such as suggestions and reports.

    The Personal Data processed by the Organizer may be provided by the Runner directly or indirectly through Third Parties, including via registration forms, submission of electronic or non-electronic documents, uploading data through applications or websites, emails, and other communication channels managed by the Organizer. For example, the Runner provides Personal Data when registering to participate in the Maybank Marathon via the website registration form to fulfill the purpose of Personal Data Processing.
  4. Personal Data Processing of Runners

    The Organizer processes Personal Data as follows:
    1. Collection and Acquisition
      In the context of acquiring and collecting Personal Data, the Organizer will:
      1. Determine the legal basis for processing before collecting or acquiring Personal Data;
      2. Clearly define the purpose for collecting and acquiring Personal Data, considering the interests of the Data Subject;
      3. Limit the amount of Personal Data collected to only what is necessary for the stated purpose;
      4. Establish secure mechanisms for acquiring and collecting Personal Data;
      5. Provide information related to the purpose of processing before acquiring and collecting the Personal Data; and
      6. Apply Personal Data processing principles in the acquisition and collection process in accordance with applicable laws and regulations.
    2. Processing and Analysis
      For the purpose of processing and analyzing Personal Data, the Organizer will:
      1. Establish mechanisms and/or quality standards to ensure the Personal Data being processed and analyzed is accurate and complete;
      2. Notify the Data Subject if processing or analysis is done beyond the original stated purpose;
      3. Conduct a Personal Data Protection impact assessment for processing and analysis activities that may pose high risks to the Data Subject;
      4. Facilitate the Data Subject’s right to object to decisions made solely through automated processing; and
      5. Apply Personal Data processing principles in accordance with applicable laws and regulations.
    3. Storage
      In storing Personal Data, the Organizer will:
      1. Determine and apply controls to secure Personal Data stored physically or electronically;
      2. Establish and implement Personal Data retention mechanisms;
      3. Define the retention period of Personal Data according to legal requirements;
      4. Prevent failures in protecting Personal Data during storage by:
        1. Applying encryption and/or data masking;
        2. Creating backup copies of Personal Data; and
        3. Encrypting and/or masking backup data;
      5. Restrict access to Personal Data;
      6. Be aware of, record, and/or document the storage locations and media of Personal Data; and
      7. Apply the principles of Personal Data processing regarding storage in accordance with applicable laws and regulations.
    4. Correction and Updates
      For correcting and updating Personal Data, the Organizer will:
      1. Facilitate the Data Subject in completing, updating, or correcting any errors or inaccuracies in their Personal Data;
      2. Verify the Personal Data provided by the Data Subject; and
      3. Apply Personal Data processing principles for correction and updates as per the laws and regulations.
    5. Display, Disclosure, Transfer, Distribution
      For displaying, announcing, transferring, distributing, or disclosing Personal Data, the Organizer will:
      1. Have a valid legal basis before taking such actions unless otherwise regulated by law;
      2. Comply with requirements for cross-border data transfers in accordance with relevant laws;
      3. Apply Personal Data security controls as stipulated by applicable regulations;
      4. Limit the disclosure of Personal Data to the agreed purpose and as permitted by the Data Subject, ensuring compliance with the law; and
      5. Apply processing principles during display, disclosure, transfer, or distribution in accordance with the law.
    6. Deletion or Destruction
      In terms of deletion or destruction of Personal Data, the Organizer will:
      • Delete or destroy Personal Data unless it is still within the retention period as required by law;
      • Implement secure deletion or destruction mechanisms;
      • Facilitate the Data Subject's right to request data deletion, provided it does not conflict with legal obligations;
      • Respond to valid requests for deletion by:
        1. Deleting or destroying the Personal Data per legal procedures;
        2. Removing Personal Data from all storage locations;
        3. Keeping records of the deletion or destruction in the form of an official report; and
        4. Providing proof of deletion or destruction to the Data Subject; and
      • Apply the principles of Personal Data processing in deletion or destruction according to relevant regulations.
  5. Purposes of Personal Data Processing

    The Organizer acts as the controller of Personal Data in processing the Runner’s Personal Data, where the purpose of processing the Runner’s Personal Data relates to participation in the Maybank Marathon, including but not limited to:

    1. Providing Organizer’s Services
      The Organizer uses the Runner’s information and personal data to provide services, including enabling participation in the Maybank Marathon. For instance, the Organizer processes event photo samples and race photos that the Runner searches for. The Organizer may also process personal data for medical handling if the Runner experiences a medical emergency during the event.
    2. To Communicate with the Runner
      The Organizer uses and verifies personal data collected, such as the Runner’s email address, to interact with the Runner directly, for example by sending a photo download link after the Runner completes a photo purchase. The Organizer may also send messages containing information relevant to its services and offer products, programs, or services that may be of interest to the Runner in relation to the Maybank Marathon.
  6. Legal Basis for Personal Data Processing

    Each processing activity carried out by the Organizer is based on a lawful basis that aligns with the specific purpose for which the Personal Data is processed. The legal bases used by the Organizer include:

    1. Explicit and lawful consent given by the Runner to this Privacy Notice;
    2. Fulfillment of contractual obligations to provide the event experience or for other purposes stated in this Privacy Notice;
    3. Compliance with legal obligations under applicable laws and regulations;
    4. Legitimate interest in carrying out the Organizer's responsibilities and business needs, while considering the purpose, necessity, and balance between the Organizer’s interests as the data controller and the rights of the Runner as the data subject; and/or
    5. Any other legal basis as provided under applicable laws and regulations.
  7. Processing of Personal Data by Third Parties

    The Organizer may share/disclose the Runner’s Personal Data to third parties for further processing in accordance with the purposes and legal bases for Personal Data Processing as applied by the Organizer.

    The Runner understands that the processing carried out by the Organizer may be conducted by Third Parties, in accordance with the processing instructions provided by the Organizer. Such processing by Third Parties on behalf of the Organizer will be carried out for purposes aligned with the processing basis or consent provided by the Runner, including but not limited to hospitals or on-site medical staff, photographers, and other partners cooperating with the Organizer (e.g., race directors, event logistics and shipping partners).
  8. Storage, Deletion, and Security of Personal Data
    1. The Runner explicitly consents to the Organizer transmitting, storing, using, and processing their Personal Data on servers located in data centers designated by the Organizer. These data centers may be operated by Third Parties in accordance with applicable legal provisions. Nonetheless, the processing of the Runner’s Personal Data related to the Maybank Marathon experience will remain subject to this Privacy Notice and relevant laws.
    2. Once the Runner’s Personal Data is no longer required for the Maybank Marathon experience or for other purposes described in this Privacy Notice, the Organizer will take necessary steps to delete, destroy, anonymize, and/or prevent access to or processing of such data for any purpose other than those outlined in this Privacy Notice.
    3. Some of the Runner’s Personal Data may still be retained by Third Parties for the purposes stated in this Privacy Notice.
    4. The Organizer seeks to maintain appropriate physical, technical, and procedural safeguards to protect the Runner’s Personal Data from loss, misuse, copying, damage or alteration, and unauthorized or unlawful access or disclosure.
    5. Although the Organizer has taken what it considers the best and most appropriate measures to protect the Runner’s Personal Data (including using internal and third-party technology for data security), the Organizer cannot fully guarantee the absolute security of any Personal Data transmitted. The Organizer is not responsible for any data breaches or actions by third parties or events beyond its reasonable control, including but not limited to government actions, hacking, unauthorized data access, hardware failure, security breaches, encryption failures, poor internet or phone service quality, etc.
    6. If necessary, Runners may access more information regarding the Organizer’s data protection measures by contacting the Organizer through the channel listed in Section 10.
  9. Runner's Rights as a Data Subject

    As a data subject, the Runner has rights granted under applicable personal data protection laws, and the Organizer is committed to enabling the Runner to exercise those rights, subject to legal conditions, restrictions, and exceptions. These rights include:

    1. The right to be informed;
    2. The right to access and/or obtain a copy of Personal Data;
    3. The right to complete, update, and/or correct inaccuracies in Personal Data;
    4. The right to terminate Personal Data Processing;
    5. The right to delete Personal Data;
    6. The right to data portability (to obtain and/or use your data in a commonly used and machine-readable format);
    7. The right to data interoperability (to transmit Personal Data to other controllers);
    8. The right to withdraw consent for Data Processing;
    9. The right to delay or limit Data Processing proportionally; and
    10. The right to file a complaint and receive compensation in the event of unlawful or negligent Data Processing that causes direct harm to the Runner.

    Runners may submit requests to exercise these rights through the contact listed in Section 10. The Organizer will verify and assess all requests and respond within 3 business days (3 x 24 hours) from receipt. For verification, the Organizer may request additional information or documentation. Once verified, the Organizer will inform the Runner of any consequences, and upon the Runner’s consent, will proceed in accordance with applicable legal deadlines.

    However, under certain conditions, the Organizer may reject a Runner’s request to exercise their rights, including deletion or destruction of data, if prohibited or restricted by law, especially where such deletion may affect:

    1. National defense and security interests;
    2. Legal enforcement processes;
    3. Public interests in government operations;
    4. Financial regulatory oversight, monetary policy, payment systems, and financial stability;
    5. Statistical and scientific research interests.

    The Organizer may also refuse requests if the Runner still has obligations or relationships with the Organizer or Third Parties.
  10. Organizer Contact Information

    If you have any questions or complaints regarding this Privacy Notice or the Organizer’s processing of your Personal Data, or if you wish to exercise your rights as a data subject, you may contact the Organizer by email at info@maybankmarathon.com.
  11. Language

    This Privacy Notice may be translated into languages other than Indonesian. In the event of any discrepancies, the Indonesian version shall prevail.
  12. Governing Law

    This Privacy Notice is governed by the laws of the Republic of Indonesia.

  13. Changes or Updates to this Privacy Notice

    The Organizer may revise, update, and/or amend this Privacy Notice from time to time (with notice to the Runner) to reflect current processing practices and ensure compliance with applicable laws.

    Runners are encouraged to regularly review this Privacy Notice on the Organizer’s official website.