In the era of digital transformation in the banking sector, there has been an increasing practice of sharing customer data with third parties, such as service providers or vendors. This practice poses legal challenges, particularly concerning the fulfillment of the principles of necessity and proportionality in the protection of personal data. This study aims to analyze the implementation of these two principles in the collaborative practices between banks and vendors regarding the protection of customers’ personal data. This normative juridical research employs a conceptual and statutory approach, using legal materials obtained from national and international regulations, academic journals, and best practices in the banking sector. The findings indicate the need for clear and comprehensive internal bank policies on personal data protection in third-party data processing, serving as a guideline to ensure compliance with personal data protection principles.

Journals:

Agusta, H. 2020. Perlindungan Data Pribadi Penerima Pinjaman dalam Transaksi Pinjam Meminjam Uang Berbasis Teknologi Informasi (Peer to Peer Lending). Jurnal Hukum & Pembangunan, Vol. 50, No. 4: p.795.

Anggraeni, S. F. 2018. Polemik Pengaturan Kepemilikan Data Pribadi: Urgensi untuk Harmonisasi dan Reformasi Hukum di Indonesia. Jurnal Hukum & Pembangunan, Vol. 48, No. 4, Article 7: p.819.

Balya Al, M. D. 2023. Kemajuan Teknologi dan Pola Hidup Manusia dalam Perspektif Sosial Budaya. Tuturan: Jurnal Ilmu Komunikasi, Sosial, dan Humaniora, Vol. 1, No. 3: p.275.

Black, G., & Stevens, L. 2013. Enhancing Data Protection and Data Processing in the Public Sector: The Critical Role of Proportionality and the Public Interest. Scripted, Vol. 10: p.93.

Hardiyanti, S. E. 2024. Inovasi dalam Layanan Perbankan Berbasis Internet of Things (IoT): Peluang dan Tantangan di Era Digital. Maeswara: Jurnal Riset Ilmu Manajemen dan Kewirausahaan, Vol. 2, No. 3: p.362.

Iswandari, B. A. 2022. Jaminan Keamanan Data Pribadi Warga Negara dalam Penyelenggaraan Urusan Pemerintahan Berbasis Elektronik (E-Government). Dharmasisya, Vol. 2, No. 1: p.80.

Marius, J. A. 2006. Perubahan Sosial. Jurnal Penyuluhan, Vol. 2, No. 2: p.125.

Meškić, Z., & Samardžić, D. 2017. The Strict Necessity Test on Data Protection by the CJEU: A Proportionality Test to Face the Challenges at the Beginning of a New Digital Era in the Midst of Security Concerns. Croatian Yearbook of European Law & Policy, Vol. 13, No. 1: p.133–168.

Prasad. 2024. Impact of Poor Data Quality on Business Performance: Challenges, Costs, and Solutions. SSRN Electronic Journal.

Rannie, B. W. 2023. Legal Protection of Customer Personal Data in the Banking Sector. ARRUS Journal of Social Sciences and Humanities, Vol. 3, No. 5: p.712.

Ridho, M. R., et al. 2024. Peran Big Data dalam Pengembangan Strategi Perbankan Syariah. Jurbisman, Vol. 2, No. 4: p.1352.

Suwondo, D. 2022. The Legal Protection of Personal Data in the Perspective of Human Rights. Law Development Journal, Vol. 5, No. 4: p.425.

Tan, S., Alexander, C., & Tantimin, T. 2023. An Academic Analysis of Data Privacy Frameworks in Indonesia. Barelang Journal of Legal Studies, Vol. 1, No. 1: p.72–89.

Wulansari, E. M. 2020. Konsep Perlindungan Data Pribadi sebagai Aspek Fundamental Norm dalam Perlindungan terhadap Hak atas Privasi Seseorang di Indonesia. Jurnal Surya Kencana Dua: Dinamika Masalah Hukum dan Keadilan, Vol. 7, No. 2: p.268.

Books:

Ellis, E. (Ed.). (1999). The principle of proportionality in the laws of Europe. Oxford: Hart Publishing.

Gunardi. (2022). Buku ajar metode penelitian hukum. Jakarta: Damera Press.

Marzuki, P. M. (2017). Penelitian hukum (Edisi Revisi). Jakarta: Kencana.

Subekti, R. (1985). Aneka perjanjian. Jakarta: (penerbit tidak disebutkan).

Usanti, T. P., & Shomad, A. (2017). Hukum perbankan. Jakarta: Kencana.

Internet:

Data Protection Commission. “Quick Guide to the Principles of Data Protection.” https://www.dataprotection.ie/, accessed on October 5th 2025.

DPO Centre. “Data Retention and the GDPR: Best Practices for Compliance.” https://www.dpocentre.com/data-retention-and-the-gdpr-best-practices-for-compliance, accessed on September 25th 2025.

European Data Protection Supervisor. “Necessity & Proportionality.” https://www.edps.europa.eu/data-protection/our-work/subjects/necessity-proportionality, accessed on September 21st 2025.

PT Bank Tabungan Negara (Persero), Tbk. “Kebijakan Privasi BTN”. https://www.btn.co.id/Privacy-Policy, accessed on October 4th 2025.

Regulation:

The 1945 Constitution of the Republic of Indonesia.

Law Number 27 of 2022 concerning Personal Data Protection.

European Union. (2000). Charter of Fundamental Rights of the European Union.

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016: General Data Protection Regulation (GDPR).

Interview:

Interview with Mr. Andri Irwanza Humardhani as Data Privacy Department Head at BTN on September, 23rd 2025.