PRIVACY NOTICE

PT BANK RAKYAT INDONESIA (PERSERO) Tbk.

("BRI Privacy Notice")

Effective Date: 1^st March 2025

PT Bank Rakyat Indonesia (Persero) Tbk. (referred to as "BRI" or "We") is fully aware that Personal Data is a valuable asset. We are commited to maintaining the confidentiality and security of your Personal Data and privacy rights when interacting with us.

This Privacy Notice explains how we process Personal Data, from obtaining and collecting, processing and analyzing, storing, correcting and updating, displaying, announcing, transferring, disseminating, or disclosing, and deleting or destroying your Personal Data. This Privacy Notice applies to any processing of your Personal Data, related to our products, services, applications, websites, and other platforms, unless covered by a separate Privacy Notice, including:

1. Banking services/products consist of savings, loans, credit cards, investments, insurance/bancassurance, and other banking services including but not limited to BRILink services or other banking services provided by BRI.
2. Websites, applications, social media, or other electronic platforms provided or used by BRI such as mobile banking, and so on.
3. Other services are provided by BRI either face-to-face, online or other media.

(hereinafter referred to as "Services")

This Privacy Notice applies to you, including:

1. Every individual who interacts with us or is authorized to interact with us in using our products and services;
2. Anyone who utilizes our banking services or delas with us (for example: guardians, attorneys based on Power of Attorney, parties who sign agreements with us); or
3. Parties related to the use of our Products and Services.

(hereinafter referred to as "You”)

We understand the importance of your privacy. Please take a moment to carefully read this Privacy Notice to understand how we handle your Personal Data. We are committed to always improving our products and services to you and continually improving our ability to protect the privacy and security of your personal data.

I. Personal Data that We Collect

We may collect identifying and/or identifiable information itself or in combination with other information either directly or indirectly through electronic and/or non-electronic systems (“Personal Data”). In addition, we may collect your Personal Data in various forms and purposes, including purposes permitted under applicable laws and regulations.

The data we collect will depend on the type of product or service you use. We may collect your Personal Data, among others, through:

1. Data collected from you directly:

1. When you submit a service registration using physical form, form available on our site/application/platform, visiting to our operational workstation, and through our other forms of application to you, including but not limited to:
   • Personal information, for example: full name, place and/or date of birth, birth mother's maiden name, religion, nationality, education, hobbies, marital status and gender.
   • Contact information, for example: domicile/correspondence address, email address, cell phone number, landline number, emergency contact information and social media accounts.
   • Information related to identity, for example: copy of identity card (Resident Identification Card/Passport) and identity card number.
   • Information related to job, for example: job, position, office address, and office telephone number.
   • Financial information, for example: income, normal daily transactions and tax-related information.
   • Credential information, for example: username and password for mobile banking and other online services.
   • Biometrics information, for example: fingerprints and face photo that we collect for identification and verification purposes.
   • Other information required/required by laws and regulations in providing services.
2. When you take part in our survey program, examples of information or opinions that you provide are related to your participation in our survey program.
3. Other information that you provide to us when you fill out a form or communicate with us, whether face to face, telephone, email, online, social media, and other media.

2. Data that is automatically collected from your device while using Our Services (Site, Application, and Platform):

1. Information related to your device, including but not limited to Internet Protocol (IP Address), technical specifications, and other uniquely identifying data.
2. Information regarding your location or mobile positioning.

3. Data collected or provided regarding the use of our Services:

1. Financial Information and Information related to Your Relationship with Us, including but not limited to Your balance information, information about the products and services you use, your loan history, payment history, transaction history, transactional behavior, and information related to the process of resolving complaints and disputes.
2. Information we use to identify you, including but not limited to signature, account number, ID number, CIF (Customer Identification File), and additional information we receive from external sources that we require for identification or regulatory compliance purposes.
3. Records/history of correspondence and other communications between you and Us by email, letters, live chat, text messages, social media, and chat apps, including but not limited to voice conversation recordings, written conversation history, and other interaction history between Us and You.
4. Information related to the results of verifying your data or information in implementing fraud prevention, information in the context of implementing anti-money laundering and preventing terrorism financing, and our series of risk management actions.
5. Information related to credit risk analysis and rating (credit risk rating).
6. Information in the form of your image taken by us through CCTV footage when you are at our location or through photos or videos taken by us or our representatives when you attend an event organized by us.
7. Other information related to information exchanges carried out to support our legal obligations.

4. Data collected from Third Parties:

We may collect your Personal Data from other BRI Group entities, affiliation, third parties who collaborate with us, or as permitted by statutory regulations. The third parties we mean include regulators, vendors, agents, partners, and other parties who provide services to us or carry out data processing on our instructions.

1. Information that you ask us to collect for you, including but not limited to: information about your account at a bank or other company including your transaction history.
2. Information provided by government institution, including but not limited to Sistem Layanan Informasi Keuangan (SLIK), Citizen Information (Dukcapil), dan information related legal entity that provided by Ministry of Law & Human Right.
3. Information provided by third-party service providers, including but not limited to information as a basis for us to carry out or prevent or address fraud, information in the context of implementing anti-money laundering and preventing terrorism financing, customer due diligence, or verifying the information you provide to us, and other information we need to provide Our Services to you.
4. We obtain your Personal Information to implement or support government or related agency work programs, such as the distribution of social assistance funds.
5. Your Personal Information in the context of implementing a referral program to provide our products or services.
6. Your Personal Information for registration of our services/products initiated by your employer in the event/when/if your employer registers you to obtain our services/products.

5. Information about other parties that you provide to us:

You may provide us with the Personal Data of other third parties including but not limited to your partner, family members, friends, workers, or other individuals. In that case, you are responsible and guarantee to us that you have obtained documentation regarding the consent to the collection, use, disclosure, and other data processing of personal data by us from that individual.

Under certain circumstances, we collect personal data of children and personal data of persons with disabilities where the consent of parents or guardians is required in accordance with the provisions of laws and regulations.

II. Purpose of Processing Personal Data

1. We will process your Personal Data accordance to your consent or for other reasons (legal basis) in accordance to regulations. Other reasons are:
   • Fulfilment of contractual obligations between us and you.
   • Compliance with legal obligations as mandated by law.
   • Safeguarding the vital interest of individuals whose Personal Data is concerned.
   • Serving public interest, providing public services, or exercising authority by statutory regulations.
   • Pursuit of other legitimate interests, considering our objectives, needs, and the balance of interests between us and the rights of the data subjects.
2. The purposes of Processing your Personal Data are as follows:
   • Delivering our products or services both offline and online.
   • Supporting banking operations.
   • Conducting identification or verification processes prior to delivering services or registering individuals as customers/consumers, inclusive of customer due diligence, enhanced due diligence, and credit scoring.
   • Fulfilling obligations to implement Anti-Money Laundering (APU), Prevention of Terrorism Financing (PPT), and Prevention of Funding for the Proliferation of Weapons of Mass Destruction (PPPSPM) based on applicable laws, including reporting to authorized institutions/agencies regarding Money Laundering/Terrorism Financing and/or Funding the Proliferation of Weapons of Mass Destruction.
   • Prevent, detect, investigate, and counter money laundering, terrorism financing, financing of the proliferation of weapons of mass destruction, fraud, unlawful acts, or harmful activities.
   • Analyze and manage risks and ensure the continuity of our business.
   • Respond to, process and handle your complaints, questions, requests and suggestions.
   • Manage our relationship with you.
   • Ask you to provide input, feedback or participate in surveys, as well as conduct research and/or analysis for statistical or other purposes.
   • Design services/products and/or to review, develop and improve the quality of our products and services.
   • Conduct consumer behavior analytics, market preferences, and trends, including analyzing how you use our products or services.
   • Carry out data analysis to better understand your circumstances and preferences so that we can ensure that we can provide the best service and offer products or services tailored to your conditions or needs.
   • Conduct audits, administer business operations, and carry out our internal policies and procedures.
   • Correspond with Our lawyers, surveyors, valuers and brokers.
   • Sending you marketing information, advertisements, surveys from our services and products, both traditional marketing and online advertising, including informing you of updates/changes/maintenance of our services. Further provisions regarding product and service offerings refer to VI. Products and Services Offerings.
   • Providing or delivering our services or products and/or BRI Group, affiliates or other parties who collaborate with us.
   • Organizing a series of events, loyalty programs, raffles, and so on.
   • To follow up on resolving problems related to access to the Service (troubleshoot).
   • Resolving disputes, credit arrears including billing, and other Service-related issues.
   • Ensuring the safety and security of our premises (including but not limited to carrying out CCTV monitoring and visitor registration).
   • Facilitate company business transactions such as mergers, acquisitions, asset sales, or other corporate actions involving us and/or our affiliates.
   • Ensuring the security and continuity of our business.
   • Protecting legal rights and fulfilling the obligations of us, employees or management regarding compliance with applicable laws and regulations, for example:
     • Respond to requests for information or inquiries from authorized agencies or institutions.
     • To protect the safety of us, you, or other people or for legitimate interests in the context of national security, law enforcement processes, state administration, the interests of monitoring the financial services sector, monetary, payment systems, and financial system stability. Aggregate data and its processing are intended for statistical purposes and scientific research in the context of state administration, and emergencies that the Government has determined.
     • Comply with document archiving, reporting, and licensing requirements as mandated by applicable regulations.
   • For other purposes notified to you when we collect your Personal Data.
3. We can use automatic processing of Personal Data to help us in making decisions. This includes when you apply for our products and services, when we make credit decisions, and when we take preventive measures to investigate fraud, money laundering, terrorism, and other financial crimes. We can also use technology to help us identify risks in customer account transaction activities. This can include assessing credit, opening accounts, preventing or investigating fraud or financial crimes, and verifying the validity of transactions based on your authorization.
4. To enhancing our service delivery, facilitating decision making, and safeguarding against money laundering, terrorism, fraud, and other financial crimes, we can employ automated profiling, including behavioral analysis. When profiling leads to automated decisions concerning you, we will provide you with timely notification and offer you the opportunity to engage in a discussion about these decisions with us. For additional information, we kindly direct you to section X. Contact Us and encourage you to reach out to us.

III. Transfer or Disclosure of Personal Data

1. We may need to disclose your Personal Data with other companies, organizations, and individuals, including the BRI Group (see list of subsidiary companies), affiliates, regulators, and other parties who collaborate with us in providing Services to you by considering the legal basis for the purposes or any other purposes permitted by statutory regulations:
   • To facilitate the provision of services, products, or other interactions among us, you, and/or service providers.
   • To internal audits and/or digital forensics related to criminal acts or violations of regulations or policies within BRI, the BRI Group and our affiliates.
   • To help detect, prevent, and address fraud, financial crimes, illegal actions, or activities harmful to both parties.
   • To implement, protect, defend, or enforce the rights of BRI Group, including taking necessary actions to address credit arrears issues with you.
   • For law enforcement, court purposes, dispute resolution, our supervisory body, auditors, and any party appointed or requested by our supervisory body to carry out investigations or audits of our activities.
   • To comply with or carry out the provisions required or required by applicable laws and regulations (including but not limited to responding to regulatory questions, inspections, inquiries, and investigations and trials in criminal cases as well as judicial interests in divorce case or civil cases between us and customers and/or audit process, comply with legal requirements or archiving and reporting provisions based on law), for the purposes specified in the applicable laws and regulations.
   • For company business transaction processes such as mergers, acquisitions, consolidations, or sales of our assets, your Personal Data may be disclosed and transferred as part of the transaction.
   • For legal processes between you and us or between you and other parties, in connection with, or related to our services that are relevant for such legal processes.
   • To provide mutual assistance in criminal matters.
   • To respond a request for financial information for tax purposes based on statutory regulations.
   • For the benefit of other agencies for state administration at the central level and the public interest in accordance with the duties and authorities in the Law.
   • To carry out tasks in the monetary, macroprudential, and payment system sectors by Bank Indonesia.
   • The importance of carrying out tasks in the field of deposit insurance and resolution by the Deposit Insurance Corporation.
   • For inter-bank information exchange activities.
   • Other valid reasons (legitimate interest) for doing so, for example, to manage risk, confirm your identity, prevent fraud, efficiency of data sharing within a business group, administrative transfers within the BRI Group, or facilitate other companies providing the services you request.
   • Other matters which have received your approval or are based on your authority.
2. BRI Group and our affiliates can exchange or disclose your Personal Data within the BRI Group, jointly controlled entities, and affiliates. For synergy BRI Group in the form of sharing resources, such as infrastructure and technology with each other to provide you with the best services and for the purposes set out in this Privacy Notice.
3. If we need to provide or disclose your Personal Data, we will only provide or disclose your Personal Data to other parties if we believe there is more benefit for you, with your consent, and/or required by applicable laws and regulations. We will make reasonable efforts to protect and maintain the security of your Personal Data before providing and disclosing it to other parties.
4. If we disclose your personal data to BRI Group entities, affiliates, or other parties who collaborate with us, we will always ask our affiliates or other parties who collaborate with us to maintain the confidentiality and security of your personal data by the provisions/applicable laws.
5. We can send or transfer your Personal Data to and be processed outside the territory of the Unitary State of the Republic of Indonesia, including countries that may not have the same level of Personal Data protection. We will endeavor to take reasonable steps to ensure that your Personal Data remains subject to standards of security comparable to the requirements set out in this Privacy Notice.
6. We can send or transfer your Personal Data to carry out our contract with you, to fulfill legal obligations, to protect the public interest, and/or for our legitimate interests. You need to know that several countries have ratified international legal instruments that require us to share certain information, for example, with tax authorities. However, we will only share your information with authorized parties.
7. We can share aggregate or anonymous information both within and outside the BRI Group with other third parties. For this reason, your Personal Data cannot be identified. For example, we may share information about transaction trends in Indonesia to help with research.

IV. Products and Services Offerings

1. We can use your information to provide you with offers regarding BRI products and services, affiliates, and BRI Group, as well as products and services from other third parties who collaborate with us. We can send you products and services offerings through various communication channels, such as post, email, telephone, text messages, and chat apps, with your consent. You can change your preferences about how you receive products and services offers. To make these changes, you can contact us using the contact information provided in this Privacy Notice or modify your preferences through the available channels.
2. If you make changes or ask us not to send products and services offers, please note that we will need time to update our systems and records to reflect your request. During this time, you may continue to receive messages regarding products and services offers.
3. Please note that even if you request not to receive messages offering products and services, we will continue to use your contact information to send you important information, such as changes to terms and conditions, your transaction information, or to inform you of legal and regulatory obligations, provide our services. This is necessary to provide our services to fulfill our obligations to you.

V. Storage of Personal Data

1. We will store Personal Data as stated above if it is necessary to achieve the purpose for which the Personal Data was collected, while you are still using the service, or as long as such storage is required or permitted in accordance with BRI's data retention policy and applicable laws and regulations in the Republic of Indonesia.
2. We may store your information longer if necessary to comply with statutory or legal requirements, help to detect or prevent fraud and financial crimes, respond to requests and comply with regulations from regulators, judicial and law enforcement investigation processes, resolve disputes or legal issues, and others.
3. We only need to store information for a limited time, We can destroy, delete, or anonymize it promptly. We comply with the provisions for deletion or destruction of Personal Data according to applicable laws and regulations.

VI. Security

1. The confidentiality of your personal data is of utmost importance to us. We are committed to providing best efforts included physical, technical, and organizational procedures to protect and secure your Personal Data from access to collection, processing, analysis, storage, disclosure, correction and deletion by unauthorized parties.
2. You are responsible for maintaining the confidentiality of the detail of your Personal Data, including protecting the information about username, password, PIN, Debit/Credit Card Number, CVV/CVC Code and OTP Code (One-Time Password) from anyone as well as maintaining and being responsible for the security of the devices that you use in transactions.

VII. Rights of The Data Subject

1. You may have certain rights regarding Personal Data that is in our possession and control, based on applicable laws and regulations, these rights may include : the right to receive information about how your data is being used, the right to update/correct your data, the right to access data, the right to end processing, delete, destroy your data, the right to revoke your consent, the right to object to automated processing, the right to delay or restrict on data processing, and/or other rights provided by statutory regulations. You have the right to contact us in accordance with the applicable laws and regulations. You can reach us using the contact information provided in this Privacy Notice or through the channels we offer, (such as: by our mobile banking or by visiting our operational offices).
2. We kindly ask for your understanding that, in accordance with applicable laws and regulations, there may be instances where we are unable to fulfill your request in part or in full. This may be necessary if the Personal Data includes information about other individuals or is deemed irrelevant to the request.
3. You are responsible for ensuring the information you provide is accurate and up-to-date and you should notify us of any changes as soon as possible. If there are any concerns regarding the accuracy and completeness of your data/information/documents, we have the right to reconsider the transaction or potentially discontinue our business relationship with you.
4. When sharing information with others (for example, joint account holders, beneficiaries, or dependents), it is essential to notify them about how to access this Privacy Notice and obtain their consent for the use of their information as outlined herein.
5. When you decide to revoke your consent for the processing of your Personal Data, it's important to understand the potential consequences. Depending on the specific circumstances and the nature of the consent being revoked, you may find that certain or all of our services become unavailable to you.

VIII. AMENDMENTS AND UPDATES

1. We encourage you to read and understand this Privacy Notice and all its provisions. Specifically, you give us your consent to process your Personal Data in accordance with this Privacy Notice.
2. This Privacy Notice may be changed or amended from time to time to ensure that it is consistent with our future developments, and/or changes in legal or regulatory requirements. We suggest that you always read carefully and check this page from time to time for any changes to our Privacy Notice. In the case we change or update this Privacy Notice, We will notify you of any such amendments by means of a general notice published on the sites, applications, platforms, your registered email address, and/or other media in accordance with the applicable laws and regulations.

IX. Language

This Privacy Notice is arranged and released in English and Indonesian Version. You can choose the language of this Privacy Notice when you change your language settings. If there are some discrepancies between these two languages, the Indonesian version shall prevail.

X. Contact Us

1. BRI Headquarters: Gedung BRI, Jln. Jenderal Sudirman Kav.44 -46, Jakarta 10210, Indonesia. The further information about BRI can be accessed by: About BRI
2. If you have any questions about this Privacy Notice, please contact us at our customer service using the contact below:
   • Call Center: 1500 017
   • Email: callbri@bri.co.id