1. Introduction

    This Privacy Notice applies to personal data and information managed by PT Bank Maybank Indonesia Tbk (“Organizer”) from the time a runner of the Maybank Marathon (“Runner”) registers and provides Personal Data to the Organizer, in accordance with the applicable terms and conditions governing the processing of Personal Data by the Organizer.

    The Organizer acknowledges the importance of Personal Data protection as regulated under Law No. 27 of 2022 on Personal Data Protection, including its implementing regulations as promulgated and amended from time to time (“PDP Law”), which applies to the Organizer. Accordingly, the Organizer is committed to complying with the provisions of the PDP Law and the relevant regulations and implementing rules in order to maintain confidentiality and ensure the protection of the Runner’s Personal Data in accordance with applicable laws and regulations.

    Personal Data as referred to in this Privacy Notice shall mean data relating to an identified or identifiable individual, whether identified separately or in combination with other information, either directly or indirectly, which may be used to identify, contact, or track a Personal Data subject through electronic or non-electronic systems as contemplated under the PDP Law, related regulations, and Section C of this Privacy Notice. Personal Data shall also include personal data contained in identity documents that can identify an individual (including photographs), telephone numbers, and email addresses (“Personal Data”).

    This Privacy Notice, including any amendments thereto from time to time (“Privacy Notice”), explains how the Organizer carries out the processing of Personal Data, which includes the acquisition, collection, processing, analysis, storage, correction, updating, display, announcement, transfer, dissemination, disclosure, deletion, and/or destruction of the Runner’s Personal Data (“Personal Data Processing”). This Privacy Notice may be accessed by the Runner via https://www.maybankmarathon.com (“Website”), in connection with the Runner’s participation in the Maybank Marathon organized by the Organizer and/or third parties cooperating with the Organizer (“Third Parties”).

    This Privacy Notice shall apply when the Runner becomes a participant in the Maybank Marathon running race.

    The Runner is required to read and fully understand this Privacy Notice in order to be informed of and understand the Personal Data Processing practices and the protection measures implemented by the Organizer with respect to the Runner’s Personal Data.
  2. Representations and Warranties of the Runner in Relation to the Provision of Personal Data

    The Runner hereby represents and warrants that:

    1. The Runner has read and fully understood all matters set forth in this Privacy Notice (including the Personal Data Processing carried out by the Organizer pursuant to this Privacy Notice);
    2. The Runner consents to and confirms the authenticity, completeness, and accuracy of the Personal Data provided by the Runner to the Organizer; and
    3. The Runner consents to and understands that the Runner shall apply Personal Data protection principles in accordance with the PDP Law if, at any time in the future and for any reason whatsoever, the Organizer or Third Parties provide Personal Data to the Runner. In certain circumstances, the Runner may be requested to provide the Personal Data of other individuals (such as emergency contacts) to the Organizer. Where the Runner provides the Personal Data of another individual for Processing by the Organizer, the Runner represents and warrants that the Runner has lawfully obtained explicit consent from such individual as the Personal Data subject, and the Runner hereby understands that the Organizer relies on the Runner’s representations and warranties in carrying out the Personal Data Processing of such individual or relevant party. The Organizer shall not be responsible or liable if the Personal Data provided by the Runner, in particular the Personal Data of other individuals, including any personal data belonging to other individuals that is provided by the Runner to the Organizer, has been obtained unlawfully or if the Runner’s representations and warranties are false. The Organizer may, at any time if deemed necessary, request evidence of consent from the Runner in relation to the Personal Data of other individuals disclosed by the Runner.
  3. Types of the Runner’s Personal Data and Methods of Collection

    The types of the Runner’s Personal Data collected depend on the purposes of the Personal Data Processing to be achieved. The Personal Data collected may include, but are not limited to, the following:

    1. Identity data of the Runner, including full name, photograph, place and date of birth, sex, handwritten and/or electronic signature, as well as other information contained in the Runner’s official identification documents, such as the National Identification Number (NIK) and/or passport number.
    2. Contact data, including email address, mobile telephone number, postal address, and emergency contact details.
    3. Device data, including information relating to the type and model of the device used by the Runner to access and carry out activities on the Website, internet protocol address, and geographical location data, as required in connection with the organization of the Maybank Marathon. Such data may include, but are not limited to, username, password, recovery email address, display photograph, and cookies – text files containing information and Personal Data, such as the Runner’s name and password – used to identify the Runner’s personal device when accessing the Website. Cookies are used to identify the Runner and to enhance the Runner’s experience when browsing the Website, including for the purpose of personalizing information that constitutes Personal Data.
    4. Specific financial data, including transaction history and the Runner’s payment channels, such as credit cards, debit cards, and bank accounts.
    5. Medical data, including blood type and other specific medical conditions.
    6. Identity data of parents or legal guardians who are responsible for Runners under 18 (eighteen) years of age.
    7. Other Personal Data as required under applicable laws and regulations, including feedback and reporting data.

    In certain circumstances, the Organizer may collect the Personal Data of children under 18 (eighteen) years of age after obtaining consent from the relevant parent or legal guardian in accordance with applicable laws and regulations. The Personal Data processed by the Organizer is obtained from the Runner, either directly or indirectly through Third Parties, including through the completion of registration forms, submission of electronic and non-electronic documents, uploading data through applications or the Website, email, and other communication channels designated by the Organizer. For example, Personal Data is collected when the Runner registers to participate in the Maybank Marathon by completing the registration form on the Website for the purpose of carrying out Personal Data Processing.
  4. Processing of the Runner’s Personal Data

    The Personal Data Processing carried out by the Organizer includes the following:
    1. Acquisition and Collection
      In relation to the acquisition and collection of Personal Data, the Organizer shall:
      1. Determine the lawful basis for the Personal Data Processing prior to the acquisition and collection of Personal Data;
      2. Clearly determine the purposes of the acquisition and collection of Personal Data, taking into account the interests of the Personal Data subject;
      3. Limit the scope and amount of Personal Data collected in accordance with the predetermined purposes;
      4. Determine and implement secure mechanisms for the acquisition and collection of Personal Data;
      5. Provide information regarding the purposes of the Personal Data Processing prior to the acquisition and collection of Personal Data; and
      6. Apply the principles of Personal Data Processing in the acquisition and collection of Personal Data in accordance with applicable laws and regulations.
    2. Processing and Analysis
      In relation to the processing and analysis of Personal Data, the Organizer shall:
      1. Determine mechanisms and/or standards for data quality implementation to ensure that the Personal Data being processed and analyzed is accurate and complete;
      2. Provide information to the Personal Data subject if the processing and analysis of Personal Data is carried out beyond or in addition to the original purposes of such processing and analysis;
      3. Conduct a Personal Data Protection Impact Assessment for the processing and analysis of Personal Data that poses a high potential risk to the Personal Data subject;
      4. Facilitate the rights of the Personal Data subject to submit objections to decision-making actions that are based solely on automated Personal Data Processing; and
      5. Apply the principles of Personal Data Processing in the processing and analysis of Personal Data in accordance with applicable laws and regulations.
    3. Storage
      In relation to the storage of Personal Data, the Organizer shall:
      1. Determine and implement security controls for stored Personal Data, whether in physical or electronic form;
      2. Establish and implement Personal Data retention mechanisms;
      3. Determine the Personal Data retention period in accordance with applicable laws and regulations and the Organizer’s internal policies;
      4. Implement measures to prevent failures in Personal Data Protection in relation to the storage of Personal Data by:
        1. Applying encryption and/or data masking;
        2. Creating backup copies of Personal Data; and
        3. Applying encryption and/or data masking to backup copies of Personal Data;
      5. Restrict the parties that are permitted to access Personal Data;
      6. Identify, record, and/or document the storage locations and storage media of Personal Data; and
      7. Apply the principles of Personal Data Processing in relation to the storage of Personal Data in accordance with applicable laws and regulations.
    4. Rectification and Updating
      In relation to the rectification and updating of Personal Data, the Organizer shall:
      1. Facilitate the Personal Data subject to complete, update, and/or rectify any errors and/or inaccuracies in Personal Data;
      2. Verify the Personal Data of the Personal Data subject; and
      3. Apply the principles of Personal Data Processing in the rectification and updating of Personal Data in accordance with applicable laws and regulations.
    5. Display, Announcement, Transfer, Dissemination, or Disclosure
      In relation to the display, announcement, transfer, dissemination, or disclosure of Personal Data, the Organizer shall:
      1. Have a lawful basis for Personal Data Processing prior to displaying, announcing, transferring, disseminating, or disclosing Personal Data, unless otherwise provided under applicable laws and regulations;
      2. Comply with the criteria for cross-border transfers of Personal Data outside the jurisdiction of the Republic of Indonesia as stipulated under applicable laws and regulations;
      3. Implement Personal Data security controls in accordance with applicable laws and regulations;
      4. Limit the disclosure of Personal Data in accordance with the purposes of Personal Data Processing that have been determined and consented to by the Personal Data subject and that do not contravene applicable laws and regulations;
      5. Apply the principles of Personal Data Processing in the display, announcement, transfer, dissemination, or disclosure of Personal Data in accordance with applicable laws and regulations.
    6. Deletion or Destruction
      In relation to the deletion or destruction of Personal Data, the Organizer shall:
      1. Delete or destroy Personal Data, except where such Personal Data remains within the applicable retention period as required under applicable laws and regulations;
      2. Implement secure mechanisms for the deletion or destruction of Personal Data;
      3. Facilitate the fulfillment of the rights of the Personal Data subject to request the deletion of Personal Data, insofar as such request does not contravene applicable laws and regulations;
      4. Take action on valid and lawful requests from the Personal Data subject to delete Personal Data, provided that such deletion does not contravene applicable laws and regulations;
      5. Carry out the deletion or destruction of Personal Data in accordance with applicable laws and regulations, including the following:
        1. Delete or destroy Personal Data across all Personal Data storage locations;
        2. Retain evidence of the deletion or destruction of Personal Data in the form of an official record of deletion; and
        3. Provide evidence of the deletion or destruction of Personal Data to the Personal Data subject; and
      6. Apply the principles of Personal Data Processing in the deletion or destruction of Personal Data in accordance with applicable laws and regulations.
  5. Purposes of Personal Data Processing

    The Organizer shall act as a Personal Data controller in processing the Runner’s Personal Data, where the purposes of such Personal Data Processing shall be related to the Runner’s participation in the Maybank Marathon, including the following:

    1. Implementation of the Maybank Marathon Event
      The Organizer shall collect, use, and process information and the Runner’s Personal Data for the purposes of organizing and implementing the Maybank Marathon, including but not limited to the Runner’s participation in the Maybank Marathon, the race pack collection process, the processing and provision of sample photographs and documentation of the Runner during participation in the series of Maybank Marathon activities, as well as the fulfillment of other administrative and operational obligations. The Organizer shall also be entitled to process the Runner’s Personal Data for medical handling purposes in the event that the Runner is involved in an accident or a medical emergency condition during participation in the Maybank Marathon.
    2. Enhancing the Runner’s Experience in the Maybank Marathon
      The Organizer shall use information and the Runner’s Personal Data to enhance the Runner’s experience in the Maybank Marathon, including conducting data analysis and audits, improving event quality, identifying usage trends, assessing the effectiveness of Maybank Marathon activities, and carrying out marketing campaigns related to the Maybank Marathon.
    3. Communication with the Runner
      The Organizer shall use and verify the information and the Runner’s Personal Data collected by the Organizer, including the Runner’s email address, in order to interact directly with the Runner. For example, the Organizer shall send photo download links after the Runner completes the purchase of photographs. In addition, subject to the Runner’s consent, the Organizer shall be entitled to send messages to inform the Runner of the Organizer’s products and/or services related to the Maybank Marathon.
  6. Legal Basis for the Processing of the Runner’s Personal Data

    Each Personal Data Processing carried out by the Organizer shall be conducted in accordance with the purposes of the Personal Data Processing. The legal bases for the Personal Data Processing relied upon by the Organizer shall include the following:

    1. The explicit and lawful consent of the Runner to this Privacy Notice;
    2. The fulfillment of contractual obligations to provide the Maybank Marathon event experience to the Runner as well as for other purposes in accordance with the provisions of this Privacy Notice;
    3. The fulfillment of legal obligations pursuant to applicable laws and regulations;
    4. The performance of obligations and the consideration of the Organizer’s needs on the basis of the fulfillment of other legitimate interests, while taking into account the purposes, needs, and the balance of interests of the Organizer as the Personal Data controller and the rights of the Runner as the Personal Data subject; and/or
    5. Other legal bases for Personal Data Processing in accordance with applicable laws and regulations.
  7. Processing of the Runner’s Personal Data by Third Parties

    The Organizer may share and/or disclose the Runner’s Personal Data to Third Parties for the purpose of carrying out further Personal Data Processing in accordance with the purposes and legal bases of the Personal Data Processing.

    The Runner hereby understands that the Personal Data Processing carried out by the Organizer may be performed by Third Parties in accordance with the Personal Data Processing instructions provided by the Organizer. Personal Data Processing by Third Parties on behalf of the Organizer is carried out for the purposes of Personal Data Processing or based on the consent provided by the Runner, such as hospitals or on-site medical staff, photographers, and other parties that cooperate with the Organizer (including but not limited to the Race Director, partners for the fulfillment and delivery of event requirements).
  8. Storage, Deletion, and Security of Personal Data
    1. The Runner hereby provides explicit consent to the Organizer that the Organizer may transmit, store, use, and process the Runner’s Personal Data on servers located at data centers designated by the Organizer. Such data centers may be managed by Third Parties in accordance with applicable laws and regulations. Notwithstanding the foregoing, the Personal Data Processing of the Runner in connection with the Maybank Marathon shall continue to be governed by this Privacy Notice in accordance with applicable laws and regulations.
    2. After the Runner’s Personal Data is no longer required for the Maybank Marathon activities or for the purposes of Personal Data Processing as described in this Privacy Notice, the Organizer shall take steps which the Organizer deems necessary, including deleting, destroying, anonymizing, and/or preventing access to or the Processing of the Runner’s Personal Data for any purposes other than those stipulated in this Privacy Notice.
    3. Notwithstanding the circumstances referred to in paragraph 2 above, there may be situations where certain portions of the Runner’s Personal Data remain stored by Third Parties for other Personal Data Processing purposes as set out in this Privacy Notice.
    4. The Organizer shall endeavor to implement appropriate physical, technical, and procedural security measures to protect the Runner’s Personal Data against loss, misuse, copying, damage, or modification, as well as unauthorized or unlawful access or disclosure, loss, or damage.
    5. Notwithstanding that the Organizer has taken measures which the Organizer considers to be the best and optimal to protect the Runner’s Personal Data (including the use of security methods and technologies provided internally by the Organizer as well as by Third Parties that may assist in securing the Personal Data provided by the Runner), the Organizer cannot fully guarantee the security of the Runner’s Personal Data. However, the Organizer shall use its best efforts to protect and maintain the security of the Runner’s Personal Data. The Organizer shall not be responsible for any security breaches or any acts of Third Parties or any events beyond the control of the Organizer, including but not limited to acts of government authorities, computer hacking, unauthorized access to computer data and storage devices, computer crashes, security and encryption breaches, poor quality of the Runner’s internet services or telephone services, and other similar events.
    6. Personal Data Retention Period

      The Organizer shall store and process the Runner’s Personal Data in accordance with applicable laws and regulations, including but not limited to Law Number 27 of 2022 on Personal Data Protection, as well as the Organizer’s internal policies.

      The Runner’s Personal Data processed for the purposes of registration, Runner verification, implementation of the Maybank Marathon activities, communication, and enhancement of the Maybank Marathon experience shall be retained for a maximum period of 5 (five) years from the end of the relevant Maybank Marathon event. Where such retention is required for the fulfillment of legal obligations or the implementation of applicable laws and regulations, such Personal Data may be retained for a longer period as required under applicable laws and regulations.

      Where necessary, the Runner may access further information regarding the security measures implemented by the Organizer to safeguard the Runner’s Personal Data by contacting the Organizer through the channels or contact details set out in Section J of this Privacy Notice.
  9. Rights of the Runner as a Personal Data Subject

    The Runner, as a Personal Data subject, is entitled to the rights stipulated under applicable laws and regulations relating to Personal Data protection. The Organizer is consistently committed to ensuring that the Runner may exercise the Runner’s rights in connection with the Personal Data Processing, subject to applicable laws and regulations (including any limitations and exceptions thereunder), as follows:

    1. The right to obtain information;
    2. The right to obtain access to and/or copies of personal data;
    3. The right to complete, update, and/or rectify errors and/or inaccuracies in personal data;
    4. The right to terminate personal data processing;
    5. The right to delete personal data;
    6. The right to data portability, or the right to obtain and/or use the runner’s personal data from the organizer as the personal data controller in a form that is structured and/or in a commonly used format or that is readable by electronic systems;
    7. The right to interoperability, namely the right to use and transmit the runner’s personal data to another personal data controller;
    8. The right to withdraw consent to personal data processing;
    9. The right to defer or restrict personal data processing in a proportional manner; and
    10. The right to file a claim and receive compensation in the event of a violation of personal data processing arising from the fault or negligence of the organizer which directly causes loss to the Runner.
    If the Runner intends to submit a request to exercise the Runner’s rights as set out above, the Runner may submit such request through the channels or contact details set out in Section J of this Privacy Notice.

    The Organizer shall carry out a verification and screening process in respect of all requests submitted by the Runner to exercise the Runner’s rights as a Personal Data subject and shall respond to the Runner’s request within 72 (seventy-two) hours as of the date the Organizer receives the Runner’s request. For the purpose of responding to the Runner’s request, the Organizer shall be entitled to request the Runner to provide information or supporting documentation to substantiate such request. After the Organizer has verified the information and supporting documentation provided by the Runner, the Organizer shall inform the Runner of the consequences of exercising the Runner’s rights. Upon obtaining the Runner’s consent to such consequences, the Organizer shall process the Runner’s request within the time period stipulated under applicable laws and regulations.

    Nevertheless, subject to applicable laws and regulations and under certain conditions, the Organizer shall be entitled to refuse a request submitted by the Runner to exercise the Runner’s rights as a Personal Data subject (including the Runner’s right to request the deletion or destruction of Personal Data under the control of the Organizer), provided that there is no prohibition or restriction under applicable laws and regulations, including but not limited to where such deletion or destruction would have an impact on:
    1. National defense and security interests;
    2. The interests of law enforcement processes;
    3. The public interest in the administration of the state;
    4. The interests of supervision of the financial services sector, monetary affairs, payment systems, and financial system stability carried out in the administration of the state;
    5. Statistical and scientific research interests;
    6. The necessity to implement applicable laws and regulations, for example in relation to the prevention of criminal acts;
    7. The irrelevance of the request to the personal data processing activities carried out by the organizer or to the runner as the personal data subject;
    8. Risks to the security, physical health, or mental health of the personal data subject and/or other persons; and/or
    9. Any impact resulting in the disclosure of another person’s Personal Data.
  10. Organizer Contact Details

    If the Runner has any questions or complaints in connection with this Privacy Notice and the Personal Data Processing activities carried out by the Organizer, including where the Runner intends to exercise the Runner’s rights as a Personal Data subject, the Runner may contact the Organizer via email at: info@maybankmarathon.com
  11. Language

    This Privacy Notice may be translated into languages other than the Indonesian language. In the event of any inconsistency between the Indonesian language version and any other language version, the Indonesian language version of this Privacy Notice shall prevail.
  12. Governing Law

    This Privacy Notice shall be governed by and construed in accordance with the laws of the Republic of Indonesia.

  13. Changes or Updates to this Privacy Notice

    The Organizer may amend, supplement, and/or replace this Privacy Notice from time to time by providing notice through the Website, in order to ensure that this Privacy Notice remains aligned with the procedures and practices implemented by the Organizer in carrying out Personal Data Processing, including for the purpose of complying with applicable laws and regulations.

    The Runner may periodically access this Privacy Notice through the Website.