General Data Protection Regulation

1. Purpose

This User Data Deletion Policy establishes the requirements and procedures for the deletion, destruction, and anonymization of Personal Data processed by PT. Cloudun Technology Indonesia in compliance with:

Otoritas Jasa Keuangan
Personal Data Protection Law
POJK No. 29 of 2024
ISO/IEC 27001:2022
Other applicable laws and regulations of the Republic of Indonesia.

This policy aims to ensure that Personal Data deletion activities are conducted securely, consistently, and in an auditable manner while protecting the rights of data subjects and maintaining the confidentiality, integrity, and availability of information assets.

2. Scope

This policy applies to all:

employees;
contractors;
outsourced personnel;
third-party service providers;
systems;
applications;
databases;
storage media;
cloud infrastructure;

that process, store, transmit, or manage Personal Data on behalf of PT. Cloudun Technology Indonesia.

3. Definitions

3.1 Personal Data

Any data relating to an identified or identifiable individual, directly or indirectly.

3.2 Data Deletion

The process of removing Personal Data from active systems so that it is no longer accessible or used during normal business operations.

3.3 Data Destruction

The permanent elimination of data in such a way that it cannot be reconstructed or recovered.

3.4 Anonymization

The process of irreversibly removing identifiers from data so that individuals can no longer be identified.

3.5 Data Retention

The period during which Personal Data is stored for legal, regulatory, operational, contractual, or business purposes.

4. Data Deletion Principles

PT. Cloudun Technology Indonesia shall implement the following principles regarding Personal Data deletion:

Lawfulness
Data deletion activities shall comply with applicable laws and regulations.
Purpose Limitation
Personal Data shall be deleted once the purpose of processing has been fulfilled.
Data Minimization
Personal Data that is no longer necessary shall be deleted or anonymized.
Integrity and Confidentiality
Data deletion processes shall maintain information security and confidentiality.
Accountability
All deletion activities shall be documented and auditable.

5. Legal Basis for Data Deletion

Personal Data may be deleted under the following circumstances:

5.1 Data Subject Request

A data subject submits a valid request for deletion in accordance with applicable data protection laws.

5.2 Expiration of Retention Period

The applicable retention period has expired.

5.3 Withdrawal of Consent

The data subject withdraws consent for data processing.

5.4 Service Termination

The user account or business relationship has been terminated.

5.5 Regulatory or Legal Requirement

Deletion is required by regulators, courts, or law enforcement authorities.

6. Data Classification and Retention

Data Category	Examples	Retention Period	Post-Retention Action
Identity Data	Name, identification number, address	Based on regulatory requirements	Deletion or anonymization
Transaction Data	Transaction history	In accordance with regulatory and tax requirements	Restricted archive or destruction
System Logs	IP address, audit logs	As defined in security policy	Secure destruction
Verification Data	Identity documents, selfies	Based on compliance requirements	Permanent deletion
Marketing Data	Promotional email data	Until consent withdrawal	Deletion

7. Data Deletion Procedures

7.1 Deletion Request Submission

Data subjects may submit deletion requests through:

official company email;
application platform;
user portal;
customer support channels.

The Company shall verify the identity of the requester before processing any deletion request.

7.2 Request Evaluation

Deletion requests shall be evaluated considering:

statutory retention obligations;
audit requirements;
fraud investigation requirements;
regulatory obligations;
dispute resolution requirements.

Where retention is legally required, access to such data shall be restricted.

7.3 Deletion Methods

Secure deletion methods may include:

secure delete;
cryptographic erasure;
overwrite procedures;
physical media destruction;
anonymization.

7.4 Backup and Recovery Systems

Deleted data shall also be removed from:

backup systems;
disaster recovery environments;
archived storage;

in accordance with the Company’s backup retention schedule.

8. Security Controls for Data Deletion

To comply with ISO/IEC 27001:2022 controls, PT. Cloudun Technology Indonesia shall:

restrict deletion privileges to authorized personnel only;
implement least privilege access controls;
maintain deletion audit trails;
require approval workflows for sensitive data deletion;
verify deletion completion;
protect the integrity of security logs.

9. Audit and Documentation

All deletion activities shall be documented, including at minimum:

requester identity;
deletion timestamp;
category of deleted data;
deletion method used;
responsible personnel;
verification results.

Records shall be retained for audit, regulatory, legal, and compliance purposes.

10. Responsibilities

All personnel and third parties acting on behalf of PT. Cloudun Technology Indonesia are responsible for complying with this policy and maintaining the confidentiality and security of Personal Data.

11. Policy Violations

Violations of this policy may result in:

disciplinary measures;
termination of contractual relationships;
administrative sanctions;
civil or criminal legal actions in accordance with applicable laws and regulations.

12. Policy Review

This policy shall be reviewed periodically or whenever there are:

regulatory changes;
business process changes;
audit findings;
information security incidents;
significant technology or system changes.

13. Closing

PT. Cloudun Technology Indonesia is committed to ensuring that Personal Data deletion activities are conducted securely, lawfully, and in alignment with data protection and information security best practices.