Data Security & Customer Protection
We are committed to maintaining the highest standards of data security and privacy, and we will continue to review and update our policies and practices across all business lines and subsidiaries as necessary to ensure our customers' information is handled in a safe and secure manner.
Data Privacy & Protection Policy
Bank Mandiri prioritizes maintaining customer data privacy as part of human
rights (HAM). We safeguard customers' personal information through
technological, process and administrative, organizational and physical
security steps. We develop a code of ethics/business conduct, including
standards on how employees must protect customer confidential information.
Therefore, when customers open an account in Bank Mandiri Group, they are
required to fill in and check their consent according to the applicable
regulations. Customers are also allowed to withdraw their consent at any
time. Furthermore, Bank Mandiri requires a non-disclosure agreement (NDA)
for third parties if there is cooperation that uses customer data, and only
sends customer data according to the customer's consent. The Bank also
ensures that the delivery of campaigns is covered by the customer's consent.
Procedures Related to Information Security and Personal Data Protection
The company does not rent, sell, or provide data in any
form to third parties except for the purpose of financial transactions/services. The
company minimizes requests for personal data in accordance with transaction
requirements and stores personal data as permitted by laws and business needs. Bank
Mandiri is committed to promptly destroying data after the specified storage period
as required by business needs and permitted by laws. The company also does not
obtain personal data from any third party unless regulated by regulatory
requirements.
Bank Mandiri maintains and enforces internal procedures: the IT Information Procedure
and the Data Security Procedure. All related policies and procedures are periodically
reviewed and serve as references for similar processes in subsidiary companies. The
Standard Operating Procedures related to information security and data protection
include:
a. Information Technology Standard Operating Procedure (SOP) Number K4.SP7 of 2023
b. Data Management Standard Operating Procedure (SOP) Number S11.P3.MND of 2023
Mandiri Subsidiary Management Principles Guideline (MSMPG)
The data referred to in this SPO includes all data stored in the Bank's database
system affecting assets and liabilities, including commitments and contingencies.
This SPO regulates data management activities as well as governance over the data as
the basis for the end-to-end process, including:
- Data Initialization Management
- Metadata Management
- Master Data Management
- Data Quality Management
- Data Storage Management
- Data Development Management
- Data Security Management
- Data Provisioning Management
- Big Data Analytics Management
- Data Backup Management
- Risk Mitigation as well as Documentation and Monitoring.
The Data Management Standard Operating Procedure (SPO)
prohibits the sharing of customers' personal data and/or information with third
parties, coercing prospective customers to agree to share data as a condition of
product/service agreements, utilizing the personal data of prospective customers
whose applications for product/service usage have been rejected by the Bank, or
using the personal information of prospective customers withdrawing their
applications for product and/or service usage. Exceptions are made if there is
written or electronic consent from the customer or if it is regulated by legal
provisions.
Bank Mandiri treats the data or personal information of customers/prospective
customers and/or a group of customers/prospective customers in a manner that ensures
the security of the data and/or personal information by conducting periodic
eligibility and security checks. Any use of data must have obtained consent from the
customers/prospective customers and/or the group of customers/prospective customers.
The Bank ensures that any data processing it carries out is limited to its intended
purpose, safeguards data ownership, is accurate, complete, non-misleading,
up-to-date, and accountable, while also considering the purpose of the processing.
Bank Mandiri protects the security of personal data from loss, unauthorized access,
and unauthorized disclosure, as well as from alteration or destruction of personal
data. Personal data is processed with notification of the purpose of
collection, the processing activities, and any failures in protecting personal data.
Personal data is destroyed and/or deleted unless it is still within the retention
period as required based on the provisions of laws and regulations.
Mandiri Group Cybersecurity Framework