Privacy Policy

APP respects the privacy of all visitors who visit this Website.

This Privacy Policy explains to visitors how we use the personal data received from this Website and informs them of their data protection rights.

  1. Data Controller

The Data Controller of the personal data collected and processed through this Website is Asia Pulp & Paper Group (APP), whose registered office is at Sinar Mas Land Plaza, Tower II, 5th floor JI. M.H. Thamrin No. 51 Jakarta 10350, Indonesia.

  2. Collection of Information

APP gathers information on visitors in the following areas: the date and time of access to this Website, the referring Internet address, and other aggregate or generic information on the Website statistics, e.g. what pages customers access or visit, etc.

APP also collects and stores any information that our visitors voluntarily submit via the input forms or email addresses within this Website, such as an information-request, survey, and/or site registrations.

In particular, the main ways we collect information from this Website are the following:

  • When a visitor visits, or uses and interacts with this Website, for example to take steps to request or use online-available services or to request any other information;
  • When the visitor provides information to or interacts with any of APP careers or job openings pages;
  • When the visitor contacts us (via contact details made available on this Website), or sends us correspondence;
  • When the visitor voluntarily subscribes to APP Blog Posts;
  • When the visitor adds information to online forms or to data fields on this Website. This will be the information that is visible to the visitor, and may include his/her name, nationality, contact information (e.g. email, postal address and phone/mobile number) and general information the visitor decides to share.

Information may also be received from other sources. For example:

  • Third party support services: For the performance of this Website services and to allow us to maintain appropriate records and to support ongoing queries, we may receive data about the visitor or visitor’s website activities from our group companies or third-party providers (e.g. to support website maintenance);
  • Device data: This Website automatically takes certain device information in order to optimise visitors’ website experience (for example, allowing this Website to automatically adapt screen size as appropriate for the device visitors are using to browse this Website). This data also supports this Website's analytics. More information on cookies can be found in our Cookies policy at this link.
  • Marketing data: Visitors’ contact details or other information may be shared with us by third-party partners, where there is appropriate notice and in compliance with applicable data protection laws. Visitors have the right to ask us not to use their personal data for marketing purposes. Please see Visitors’ data protection rights below for further information.
  • Public sources of data: We may use public sources of data, for example, to support website functionality (e.g. to support authentication or fraud checks), and/or to maintain the accuracy of the data we hold.

  3. Use of Information / personal data

APP uses the information / personal data for the following purposes and on the basis of the following legal grounds.

Managing visitors’ requests

We will process data in managing visitors’ requests made on or via our websites (e.g. through the contact or blog form or into any other website data form or data field). We will also process data in providing and maintaining personalised website experiences.

Applicable Legal grounds: Legitimate Interests in running effective website services.

Enhancing website experience

We pre-fill website data fields to enhance and streamline visitors’ online experience.

Applicable Legal grounds: Legitimate Interests in enhancing, simplifying and streamlining website experiences.

Internal research and development

For internal research, development, analytics, analysis and reporting purposes, e.g. to predict trends or performance, develop new products or to evidence compliance with regulatory requirements.

Applicable Legal grounds: Legitimate Interests in assessing and improving performance, managing compliance, monitoring trends and developing new products.

Marketing activities

We will obtain visitors’ consent to send marketing communications to them using electronic means (e.g. email, text etc.), and may share visitors’ details for electronic marketing communications with other companies of our group, where visitors give consent for this to happen.

We will use profiling and carry out research and analytics activities to inform our marketing strategies, to create a better understanding of our customers and visitors, to support our website advertising, and to improve the website information, functionality and the services we provide.

Applicable Legal grounds: Consent. Please note that where we collect visitors’ personal data with consent, visitors may withdraw their consent for us to use their information in any of these ways at any time. Please see section Visitors’ data protection rights below for further details (The right of consent withdrawal does not affect the lawfulness of processing that was based on that consent before its withdrawal).

Records maintenance and general administration

To maintain our records, administer and maintain our websites, support visitors’ queries and any other internal operations and administrative purposes (for example, this will include supporting our audit requirements and in responding to any enquiries visitors may make, including any data protection rights they raise).

Applicable Legal grounds: Legitimate Interests in maintaining appropriate websites, records and service administration.

Network and information security

To maintain our network and information security in order for us to take steps to protect visitors’ information against loss or damage, theft or unauthorised access, and to maintain appropriate server locations (for example, we may work with third parties to support appropriate use of cloud services).

Applicable Legal grounds: Legitimate Interests as appropriate for ensuring network and information security.

Management of legal and regulatory requirements

To manage legal and regulatory requests and requirements, meet or defend legal rights or for the prevention/detection of crime or any other public authority or criminal investigation body, or for the safeguarding of national security.

Applicable Legal grounds:

  • Legitimate Interests in complying with law and regulation, including responding to regulators.
  • Legal Obligation

  4. Who we share personal data with.

We may share visitors’ personal data with:

  • Those third parties who need to handle it so we can provide visitors with the services and information they have requested, for example, to provide support services and for optimised website services (for example information technology, such as hosting service providers, customer services, website analytics support).
  • APP group companies (e.g. its parents, subsidiaries, affiliates and their respective directors, officers, employees, and agents) in line with the data uses set out in this Privacy Policy. In particular, personal data provided by visitors through this Website may be accessed by members of our group of companies only as necessary for service and system maintenance and support, aggregate analytics, business continuity, IT and administrative purposes.
  • Public authorities, if we are under a duty to disclose or share visitors’ personal data in order to comply with any legal or regulatory obligation or requests, or in order to enforce these terms or to investigate actual or suspected breaches.

  5. Information about international data transfers.

The APP website uses servers which are hosted in Singapore. We may also share website personal data with suppliers or group companies located outside of the European Union where this is necessary for the purposes described above. In this respect, we apply safeguards to add to the data protections, including:

  • an assessment of the adequacy of the third country in question. In detail, we do internal checks to identify the existence or absence of any adequacy decision by the European Commission.
  • use of European Commission approved model contract terms where appropriate, and assessment of Privacy Shield certification for US located entities where applicable. We also assess, where applicable, whether a supplier is able to demonstrate to us they have Binding Corporate Rules. (Binding Corporate Rules is a GDPR-recognised Data Protection mechanism to ensure adequate personal data transfers). We may work with suppliers which are able to demonstrate to us they are Privacy Shield certified.

  6. Data retention period.

We will keep visitors’ personal data for as long as we need them to provide the services and information requested. We may also keep them to comply with our legal obligations, respond to queries and resolve any disputes, to meet our legitimate interests and to enforce our rights.

The criteria we use to determine storage periods include the following: Information we have told visitors about storage periods on this Website or in website terms and conditions. We will also use criteria such as applicable contractual provisions that are in force, legal statutory limitation periods, applicable regulatory requirements and industry standards.

  7. Visitors’ data protection rights.

Visitors have rights in connection with their personal data, including:

  • to withdraw consent where they have given it. In particular, if visitors have given us consent to process their personal data, including for electronic marketing communications, they have the right to withdraw that consent at any time. Just use the unsubscribe options presented, for example, these are present in the email communications sent by us.
  • to be informed and have access to their personal data, to correct or complete inaccurate data, and in certain circumstances to restrict, request erasure, object to processing. In detail, visitors can ask for access to the personal data we hold about them, object to the processing, request that we correct any mistakes, restrict or stop processing or delete it. If visitors do ask us to delete or stop processing it, we will not always be required to do so. If this is the case, we will explain why.
  • to ask us to provide them with their personal data in a usable electronic format and transmit them to a third party (right to data portability). This right only applies in certain circumstances. Where it does not apply, we will explain why.


If visitors do need or want to get in touch with us for any reason regarding their data protection rights, they can get in touch using the email address below, and add into the subject header that it relates to data protection rights.

  • Email:

If visitors are not satisfied, they also have the right to lodge a complaint with their local data protection supervisory authority.

  8. Links to other websites

This Website may contain links to other websites run by other organisations which we do not control. This policy does not apply to those other websites, so we encourage visitors to read their privacy statements. We are not responsible for the privacy policies and practices of other websites and apps (even if visitors access them using links that we provide) and we provide links to those websites solely for visitors’ information and convenience. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content or thoroughness.

  9. Keeping visitors’ information secure

We will take all steps reasonably necessary to ensure that visitors’ personal data are treated securely and in accordance with this privacy policy.

We require all of our service providers to have appropriate measures in place to maintain the security of your information.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect personal data, we cannot guarantee the security of visitors’ personal data transmitted over the internet; any transmission is at the visitor’s own risk. Visitors’ information will be kept in a secure environment protected by a combination of physical and technical measures such as encryption technologies or authentication systems to prevent any loss, misuse, alteration, disclosure, destruction, theft or unauthorised access.