ESG Policy

Telkom has established a working unit responsible for managing Environmental, Social, and Governance (ESG) aspects, namely the Sustainability unit within the Group Sustainability & Corporate Communication Department, led by the SVP of Group Sustainability & Corporate Communication.

In Company Regulation Number: PD.202.62/r.01/HK250/COP-A0200000/2024 regarding the Organization of the Group Sustainability & Corporate Communication Department, it is stated that the SVP of Group Sustainability & Corporate Communication serves as the orchestrator for the governance of sustainability initiatives, which include environmental, social, and governance (ESG) aspects. In carrying out these duties and responsibilities, the SVP of Group Sustainability & Corporate Communication reports directly to the President Director.

Based on Company Regulation Number: PR.202.72/r.02/HK.250/COP-A0200000/2024 regarding the Organization of the Sub-Department of Group Sustainability & Corporate Communication, the SVP of Group Sustainability & Corporate Communication bears the responsibility for ESG management by performing key activities, including:

  1. Ensuring the availability of policies, governance, and management mechanisms within the Group Sustainability & Corporate Communication Department;
  2. Ensuring the availability of long-term and annual work plans, budgeting, and performance evaluations for group sustainability & corporate communication functions;
  3. Ensuring the availability of an appropriate ESG framework;
  4. Ensuring the availability of ESG goals, targets, and initiatives;
  5. Coordinating the implementation and evaluation of initiatives; and
  6. Ensuring integrated reporting and governance related to sustainability through a dashboard across the Telkom Group.

The SVP of Group Sustainability & Corporate Communication holds the authority to determine the methods, parameters, and formative evaluations for ESG activities, and to coordinate with subsidiaries, partners, and agencies in implementing ESG programs.

In carrying out ESG management activities, the SVP of Group Sustainability & Corporate Communication is assisted by the VP of Sustainability, who has the following duties and responsibilities:

  1. Ensuring the determination of an appropriate ESG framework, including a joint operating model, and ensuring accountability for each Working Unit within the Telkom Group;
  2. Ensuring the establishment of ESG goals, targets, and initiatives across all entities, including collaboration with CFU/FU/DFU and subsidiaries;
  3. Ensuring effective collaboration with relevant Working Units to design an integrated dashboard for monitoring ESG initiatives;
  4. Ensuring the implementation of ESG program management across all CFU/FU/DFU, including subsidiaries;
  5. Ensuring the oversight, evaluation, and reporting of sustainability ESG initiatives to the Board of Directors/Board of Commissioners and other stakeholders;
  6. Ensuring the availability of periodic sustainability reports in accordance with domestic/overseas capital market regulations, including periodic sustainability reports required by investors and the capital market community;
  7. Ensuring the implementation of ESG program management related to the accountability of the Group Sustainability & Corporate Communication Department;
  8. Ensuring the management of branding and communication, both internally and externally, regarding the implementation of ESG programs; and
  9. Ensuring the availability of policies, governance, management mechanisms, and activities to enhance communication and corporate branding related to the Company’s sustainability implementation.

The sustainability governance structure within the Telkom Group is integrated through the formation of a Sustainability Committee in 2025, chaired by the President Director and consisting of directors overseeing risk, network and IT, and human capital, supported by an ESG working group made up of the Heads of relevant Working Units.

In carrying out its duties and responsibilities, the Sustainability Committee coordinates with other committees under the Board of Commissioners and the Board of Directors, which include the Committee for the management of social and environmental responsibility (TJSL), the Committee for risk, compliance, and revenue assurance management, the Committee for audit management, and the Committee for nomination and remuneration management.

Telkom’s risk management is implemented through two policies: Board of Directors Regulation No. PD.614.00/r.02/HK.290/COP-K0A10000/2024 dated September 3, 2024 on Corporate Risk Management, and Finance and Risk Management Director’s Regulation No. PR.614.00/r.02/HK200/COP-K0000000/2024 on Guidelines for the Implementation of Corporate Risk Management. Telkom’s risk management policy refers to the ISO 31000:2018 (Risk Management – Guidelines) standard, which consists of three main components:

  1. Principles

    Risk Management Principles serve as the foundation for how risk management operates to ensure value is created and protected. Among these principles are:

    1. Integrated

      Risk management is an integral part of all the Company’s activities.

    2. Structured and Comprehensive

      In its implementation, the Company employs a structured and comprehensive approach to ensure consistent and comparable results.

    3. Customized

      The risk management framework and processes must be tailored and proportional to the Company’s external and internal contexts, in line with the Company’s objectives.

    4. Inclusive

      Appropriate stakeholder involvement at the right time ensures that their knowledge, views, and perceptions can be taken into account, thereby enhancing awareness of risk management through well-informed decision-making.

    5. Dynamic

      Risks can emerge, change, and disappear as the Company’s internal and external contexts evolve. Risk management practices must anticipate, detect, acknowledge, and respond to such changes and events in an appropriate and timely manner.

    6. Best Available Information

      Risk management is based on historical and current information as well as future expectations. Risk management explicitly considers the limitations and uncertainties associated with such information and expectations. Information must be timely, clear, and accessible to relevant stakeholders.

    7. Human and Cultural Factors

      Behavior and culture significantly influence all aspects of risk management at every level and stage of the Company’s activities.

    8. Continuous Improvement

      Risk management is continuously refined through learning and experience.

  2. Framework

    The framework governs the commitment to Telkom’s risk management roles and the distribution of functions, including:

    1. Leadership and Commitment
      The Board of Directors ensures that risk management is integrated into all Company activities and must demonstrate leadership and commitment by:
        1. Adjusting and implementing all components of the framework.
        2. Issuing statements or policies that establish the approach, plan, or actions for risk management.
        3. Ensuring that the necessary resources are allocated to manage risks.
        4. Defining authority, responsibility, and accountability at the appropriate levels within the Company.
    2. Integration
      1. Risk management is an inseparable part of the Company’s objectives, governance, leadership and commitment, strategy, targets, and operations.
      2. Integrating risk management into the Company is a dynamic and iterative process, which must be tailored to the Company’s needs and culture.
      3. Risks are managed in every part of the Company’s structure, and everyone within the Company is responsible for managing risks.
    3. Design
      1. The design of the risk management framework is carried out by examining and understanding the Company’s external and internal contexts.
      2. The Board of Directors and the Board of Commissioners demonstrate and articulate their continuous commitment to risk management through policies, statements, or other forms, which are then communicated within the Company and to stakeholders.
      3. Authority, responsibility, and accountability related to risk management are defined and communicated at all levels within the Company.
      4. Management ensures the appropriate allocation of resources for risk management.
      5. The Company establishes an approved communication and consultation approach to support the framework and facilitate the effective implementation of risk management.
    4. Implementation

      Implementing risk management requires stakeholder involvement and awareness, enabling the Company to explicitly consider uncertainties in decision-making.

    5. Evaluation

      The Company evaluates the effectiveness of the risk management framework by periodically measuring the performance of the risk management framework.

    6. Improvement
      1. The Company monitors and adjusts the risk management framework to anticipate external and internal changes.
      2. The Company continuously enhances the suitability, adequacy, and effectiveness of the risk management framework and the way risk management processes are integrated.
  3. Process

    The risk management process is an integral part of decision-making within the Company, integrated into its structure, operations, and processes, and applied at the strategic, operational, program, or project level. The risk management process consists of:

    1. Communication and Consultation
      1. Communication is intended to increase risk awareness and understanding.
      2. Consultation involves feedback and information gathered to support decision-making.
      3. Communication and consultation help relevant stakeholders understand risks, serving as a basis for making decisions and explaining why certain necessary actions are taken.
      4. Communication and consultation with both external and internal stakeholders take place at every step of the risk management process.
    2. Scope, Context, and Criteria
      1. Determining the scope, context, and criteria is done to tailor the risk management process, facilitating effective risk assessment and appropriate risk treatment.
      2. Determining the context of the risk management process is based on an understanding of the Company’s external and internal environment and must reflect the specific environment of the activity to which the risk management process will be applied.
      3. The Company specifies the amount and type of risk it can accept relative to its objectives. The Company must also establish criteria for evaluating the significance of risks and for supporting decision-making.
    3. Risk Assessment
      1. Risk identification

        This is the process of finding, recognizing, and describing risks in achieving the Company’s objectives. Relevant, appropriate, and up-to-date information is crucial in identifying risks.

      2. Risk analysis

        This is the process of understanding the nature and characteristics of risks, including their level. Risk analysis involves detailed consideration of uncertainties, sources of risk, consequences, likelihood, events, scenarios, controls, and their effectiveness. An event may have multiple causes and consequences and may also affect various objectives.

      3. Risk evaluation

        This is the process that supports decision-making. Risk evaluation involves comparing the results of risk analysis with established risk criteria to determine where additional actions are needed.

    4. Risk Treatment
      1. Risk treatment involves selecting and implementing options to address risks, which include:
        1. Avoiding risk
        2. Accepting risk
        3. Mitigating risk
        4. Sharing/transferring risk
      2. The risk treatment plan must be integrated into the Company’s management plans and processes through consultation with relevant stakeholders.
    5. Monitoring & Review
      1. Monitoring and review aim to ensure and enhance the quality and effectiveness of the design, implementation, and outcomes of risk management processes.
      2. Monitoring and review must be conducted at all stages of the process, encompassing planning, information gathering and analysis, documenting results, and providing feedback.
    6. Recording & Reporting
      1. The risk management process and its results must be documented and reported through an appropriate mechanism.
      2. Reporting is an integral part of the Company’s governance and is intended to improve the quality of dialogue with stakeholders while supporting the Board of Directors and the Board of Commissioners in fulfilling their responsibilities.

Telkom applies the three lines model in risk governance to implement risk management, with the following functions and roles:

  1. The first line, as the risk owner unit, directly identifies and manages risks within business processes.
  2. The second line, as the risk management and compliance function, reviews transactions, measures, monitors, and addresses risks in aggregate, and develops risk management methodologies and policies.
  3. The third line, as the internal audit function, ensures that governance and risk control are effectively implemented by the Company.

Telkom’s risk management policy covers the following:

  1. Establishing an integrated risk strategy from subsidiaries to Telkom.
  2. Determining risk appetite, risk tolerance, and risk limits, taking into account risk capacity.
  3. Defining a risk taxonomy.
  4. Determining the use of risk measurement methods and risk management information systems.
  5. Developing contingency plans for worst-case scenarios.

In determining the risk appetite statement (RAS), Telkom may adopt four (4) attitudes toward risk, as follows:

  1. Intolerant, meaning:
    1. Being very cautious when taking risks and preferring to maintain stability and consistency in business operations; and
    2. Basing business decisions on capital preservation.
  2. Conservative, meaning:
    1. Exercising caution in taking risks, selecting certain manageable risks but still prioritizing business stability; and
    2. Making business decisions aimed at protecting value from significant unexpected risks, which includes avoiding exposure to major market fluctuations and being able to bear minor burdens.
  3. Moderate, meaning:
    1. Being willing to take risks within certain limits to achieve growth and profits, but still mindful of protecting against major losses; and
    2. Making business decisions that simultaneously consider growth opportunities and risk impact, while being able to bear moderate burdens.
  4. Strategic, meaning:
    1. Actively implementing strategies involving risk management as an integral part of the business plan, accepting higher risks to achieve greater growth and innovation; and
    2. Making business decisions based on risk analysis and potential long-term investment returns, while being able to bear substantial burdens.

Risk management monitoring and evaluation is conducted, among other methods, through an annual assessment of the risk maturity index. The risk maturity index assessment is carried out using evaluation methods in accordance with applicable regulations and/or industry best practices. The dimensions of the risk maturity index assessment include:

  1. Risk culture and capability
  2. Risk organization and governance
  3. Risk framework and compliance
  4. Risk processes and controls
  5. Risk models, data, and technology

The risk management bodies involved in the implementation of risk management include the Board of Commissioners, the Board of Directors, the Audit Committee, the Risk Monitoring Committee, the Integrated Governance Committee, the Director responsible for Risk Management, the Director responsible for Financial Management, and the unit responsible for internal audit functions. Additionally, other parties involved in risk management implementation include unit heads/senior leaders, employees, and subsidiaries.

Telkom has established an Environmental, Social, and Governance (ESG) management policy to support the Company’s sustainability, as outlined in Company Regulation Number: PD.704.00/r.00/HK290/DSC-M0200000/2025 on Sustainability Governance of Telkom Group.

This policy is designed to provide guidelines for implementing ESG management activities/mechanisms within Telkom Group. It aims to ensure that ESG management is carried out adequately and proportionally in line with Telkom Group’s developments, Good Corporate Governance (GCG) principles, and prudence while supporting the achievement of Sustainable Development Goals (SDGs).

The implementation of sustainability within Telkom Group is guided by six principles: integrity, a focus on outcomes, equity, attention to risks and opportunities, an evidence basis, and maturity. Sustainability is structured around three main pillars: Environmental, Social, and Governance.

The Environmental pillar serves as a framework for assessing corporate and/or supplier/partner activities that impact the environment. Key topics under this pillar include climate change & energy management and resource management.

The Social pillar provides a framework for assessing corporate activities that have a social impact, including on employees (both direct and indirect), customers, and surrounding communities. Key topics under this pillar include customer relations, digital inclusivity & community engagement, diversity, equity & inclusion, and employee health & safety.

The Governance pillar assesses decision-making quality, governance structure, and the distribution of responsibilities among stakeholders. Key topics under this pillar include regulatory compliance, ethical business practices, cybersecurity & data protection, and Good Corporate Governance (GCG).

ESG management is carried out based on a risk and opportunity management framework that considers leadership & commitment, integration, design, implementation, evaluation, and continuous improvement.

ESG management is implemented to:

  1. Facilitate stakeholder engagement.
  2. Systematically integrate stakeholder expectations and interests.
  3. Support well-informed decision-making for a better future for the organization and/or Company.

ESG management activities include:

  1. Identification of ESG risks and opportunities.
  2. ESG impact assessment and evaluation.
  3. Setting ESG targets, strategies, and programs.
  4. ESG reporting, disclosure, and communication.

The orchestration of ESG management implementation is the responsibility of the Sustainability management unit.

A Respectful Workplace (RWP) is a safe working environment that respects and protects human dignity, promotes mutual respect, and is free from discrimination, exclusion, restrictions, bullying, harassment, and all forms of mental or physical violence. This applies to all individuals interacting within the Company to create an inclusive, conducive, and productive work environment, supporting corporate sustainability and upholding human rights.

Telkom is committed to fostering an inclusive and healthy work environment as part of the implementation of its core values (AKHLAK: Amanah, Kompeten, Harmonis, Loyal, Adaptif, Kolaboratif), especially Harmonis, to encourage employees to enhance creativity, productivity, and engagement in interactions for optimal job performance. This is formalized in Company Regulation Number: PR.209.10/r.00/HK.200/COP-A0700000/2023, dated June 27, 2023, on Respectful Workplace.

This policy derives from the Circular Letter of the Minister of SOEs No: SE-3/MBU/04/2022, dated April 14, 2022, on Respectful Workplace Policy in State-Owned Enterprises and refers to Minister of Manpower Regulation No. 88 of 2023 on Guidelines for the Prevention and Handling of Sexual Violence in the Workplace. Furthermore, the push for the implementation of DEIB (Diversity, Equity, Inclusivity, and Belonging) at the global level remains a key focus for the coming years.

There are three types of violations under the Respectful Workplace Policy (RWP):

  1. Discrimination refers to any distinction, exclusion, restriction, or marginalization—whether direct or indirect—based on religion, ethnicity, race, language, social status (including marital or economic status), gender, political views, disabilities, or other factors. It results in the reduction or denial of human rights and freedoms, leading to unequal opportunities or differential treatment in company activities and social interactions in the workplace.
  2. Violence includes any actions, behaviors, threats, coercion, or arbitrary deprivation imposed on others in the workplace—whether in public or private—that cause physical, psychological, sexual, or economic harm or suffering.
  3. Harassment encompasses any words, actions, behaviors, or gestures—whether in person or through communication media—that violate human rights provisions, with the intent to intimidate or to cause physical, psychological, sexual, or economic harm. This creates an intimidating, offensive, or humiliating work environment, making it difficult for individuals to perform their duties and increasing risks to safety, health, and well-being.

Forms of Discrimination include:

  1. Gender-based discrimination
  2. Discrimination based on ethnicity, religion, race, or inter-group differences (SARA)
  3. Age-based discrimination
  4. Political viewpoint discrimination
  5. Discrimination based on disabilities or physical conditions
  6. Discrimination based on educational background

Forms of Violence include:

  1. Physical assault, abuse, or other forms of attacks, with or without weapons
  2. Coercion and extortion to force or prevent an action
  3. Direct or indirect threats
  4. Threats or hostage-taking related to employees’ economic rights, such as withholding salaries or overtime pay
  5. Rape and sexual assault
  6. Forced sexual acts involving victims who are disabled, unconscious, or otherwise incapacitated

Forms of Harassment include:

  1. Physical (actions or contact)
  2. Verbal (spoken words or expressions)
  3. Non-verbal (gestures or signals)
  4. Visual (inappropriate images or displays)
  5. Emotional (psychological manipulation or abuse)
  6. Written (offensive messages or texts)

Telkom has a mechanism for handling and following up on RWP violations, which includes report intake, investigation, support, protection, sanction imposition, and victim recovery. If an individual experiences or witnesses an RWP violation, Telkom provides multiple reporting channels, including the official website (https://id.deloitte-halo.com/telkomwbs/), email (rwp@telkom.co.id), line managers, regional Human Capital (HC) representatives, and Human Capital Service Operations. The handling process is based on key principles, ensuring that reporting mechanisms are accessible, sympathetic, and serious, with guaranteed confidentiality, a victim-centered approach, gender equality and disability inclusion, independence, protection of rights (for victims, witnesses, and the accused), and measures to prevent retaliation or recurrence of violations.

Telkom has raised employee awareness through company-wide training and first responder training for employees who may receive RWP violation reports. The company has also established a task force to manage reporting, investigation, support, and protection, consisting of Telkom employees from both the parent company and subsidiaries.

In 2024, Telkom received the United Nations WEP Award in the Gender-Responsive Workplace category. The award, granted by UN Women, acknowledges Telkom’s commitment to gender equality and women’s empowerment in the workplace. This achievement also reflects the implementation of Telkom’s core values (AKHLAK), which guide the company and all members of TelkomGroup.

Telkom has established a policy for managing the Company’s business continuity, as outlined in Company Regulation Number: PD.616.00/r.00/HK200/COO-D0030000/2015, dated December 31, 2015, on the Business Continuity Management System (BCMS). This regulation serves as a guideline for determining strategic actions to quickly and effectively safeguard, maintain, and restore the Company’s business continuity from various incidents, including threats, disruptions, and/or disasters, while ensuring the protection of stakeholder interests, reputation, and Company value.

To ensure business continuity, the Company has established the Enterprise Business Continuity Plan Scenario, which includes the following activities:

  1. Defining the methodology scenario;
  2. Conducting Business Impact Analysis (BIA);
  3. Performing risk assessments to identify potential threats and disruptions, both from internal and external factors;
  4. Developing a Business Continuity Plan Strategy Exercise and Testing (BCP-SET) based on the risk assessment results, including planning, strategy formulation, testing, and simulations.

The details of the Business Continuity Plan Strategy Exercise and Testing (BCP-SET) are documented and supported by Business Impact Analysis (BIA) and Risk Assessment documents, the Disaster Recovery Plan (DRP), and records of BCP/DRP test plans and results.

To anticipate and address disasters that may disrupt business continuity, Telkom has established a Disaster Management Policy, regulated by Company Regulation Number: PR 616.01/r.01/HK200/COP-D0030000/2023, dated June 27, 2023, on Disaster Management Guidelines. This regulation provides guidance for addressing disasters (natural, non-natural, and social) that may affect employees and the Company.

This regulation covers the following scope:

  1. Disaster management, including natural disasters, non-natural disasters, and social disasters;
  2. Disaster response by the designated organization and Crisis Management Team (CMT);
  3. Disaster response escalation mechanisms;
  4. Disaster management budget allocation;
  5. Disaster response command posts; and
  6. Disaster response evaluation and reporting.

Disaster response is initially handled by the designated organization at the affected location, led by the head of the designated organization. This is done when the damage caused by the disaster does not significantly impact employees, Company assets, and/or the Company’s reputation. Disaster response by the designated organization utilizes resources from the unit or business unit according to the normal conditions of the location or region. The disaster response by the designated organization is carried out as follows:

  1. The leader of the designated organization is responsible for:
    1. Instructing all personnel in the building/area affected by the disaster (employees, partners, tenants, guests/customers) to immediately evacuate according to the procedures in place, with assistance from the security and safety unit or guards.
    2. Instructing the security and safety unit or guards to coordinate the evacuation of personnel and the protection of Company assets.
    3. Gathering information about the disaster and taking the following actions:
      1. If there are no casualties among personnel and/or no significant damage to Company assets, instructing all personnel to resume normal activities.
      2. If there are casualties among personnel that can be managed by the designated organization and/or there is damage to Company assets that does not affect administrative functions, production equipment, or business operations, instructing all personnel to resume normal activities.
      3. If the designated organization cannot handle the disaster, or if there are casualties and/or significant damage to production equipment, or if the damage has a large impact on employees, Company assets, and/or the Company’s reputation, or if the government declares a disaster, the head of the designated organization must report to the Regional CMT/National CMT and forward the report to the Human Capital & Business Partner unit, as the National Emergency Response Coordinator, for disaster response escalation.
    4. After activities return to normal:
      1. Requesting assistance from health unit personnel to provide first aid to any casualties;
      2. Instructing the relevant functional units to repair any damaged production equipment to support business operations.
    5. Reporting the disaster to senior management with a copy sent to the National CMT Secretary, including:
      1. Evaluation report on the disaster’s impact on the Company (casualties, damage to production equipment, and business operations);
      2. Report on the actions taken in response to the disaster.
    6. Notifying the completion of the disaster response once the disaster has been handled by the designated organization.
  2. The security and safety unit or guards in the designated organization are responsible for:
    1. Checking the affected building/area for personnel and Company assets;
    2. Providing first aid to any casualties, and if needed, transporting casualties to the nearest clinic/hospital;
    3. Saving assets by shutting off electricity, gas, and water, extinguishing fires, turning on water pumps, activating fire hydrants, etc., to prevent further damage if necessary;
    4. Recording/identifying casualties and Company assets that have been damaged;
    5. Securing the environment and safeguarding the affected building/area.
  3. The National CMT Secretary follows up on disaster reports from the designated organization’s leadership, providing input for accelerating disaster response and preparing reports for National CMT leadership and Senior Leaders related to the disaster and its response.
  4. The disaster response mechanism by the designated organization and the escalation mechanism to the CMT (described below).

If disaster response cannot be carried out by the designated organization, the head of the designated organization can escalate the matter to the CMT leadership progressively. CMT disaster response is activated when:

  1. The designated organization cannot manage the disaster;
  2. The damage caused by the disaster significantly affects employees, Company assets, and/or the Company’s reputation; or
  3. A local government declaration states that a disaster has occurred.

Disaster response by the CMT is carried out through the CMT Regional, Regional, and National levels. The CMT is activated proportionally by the CMT leadership according to the level of the disaster:

  1. If the disaster causes casualties but does not significantly affect production equipment, and the existing organization cannot manage the disaster, the CMT Regional, Regional, and National levels are activated with limited activation;
  2. If the disaster causes casualties and/or significant damage to production equipment, and the designated organization cannot manage the disaster, the CMT Regional is fully activated, while the CMT National is activated as needed (full/limited activation);
  3. If the disaster causes casualties and/or significant damage to production equipment, and the CMT Regional cannot manage the disaster because the affected area spans more than one region, the CMT National is fully activated (full activation).

Telkom has established a dedicated working unit responsible for managing Environmental, Social, and Governance (ESG) aspects, known as the Sustainability unit, led by the VP of Sustainability.

According to Company Regulation Number: PR.202.72/r.02/HK.250/COP-A0200000/2024 on the Organization of the Sub-Department of Group Sustainability & Corporate Communication, the Sustainability unit has the following duties and responsibilities:

  1. Ensuring the establishment of an appropriate ESG framework, including a joint operating model, while maintaining the accountability of each Working Unit within Telkom Group.
  2. Ensuring the determination of ESG goals, targets, and initiatives across all entities, including collaboration with CFU/FU/DFU and subsidiaries.
  3. Ensuring the effectiveness of collaboration with relevant Working Units in designing an integrated dashboard for monitoring ESG initiatives.
  4. Ensuring the implementation of ESG programs across all CFU/FU/DFU, including subsidiaries.
  5. Ensuring the monitoring, evaluation, and reporting processes of ESG sustainability initiatives to the Board of Directors, Board of Commissioners, and other stakeholders.
  6. Ensuring the availability of periodic sustainability reports that comply with domestic and international capital market regulations, including sustainability reports required by investors and the capital market community.
  7. Ensuring the implementation of ESG programs related to the accountability of the Group Sustainability & Corporate Communication Department.
  8. Managing branding and communication, both internally and externally, regarding ESG program implementation.
  9. Ensuring the availability of policies, governance mechanisms, and management frameworks to enhance communication and corporate branding related to sustainability implementation.

Additionally, Telkom has established the Sustainability Committee, chaired by the President Director. The Sustainability Committee is responsible for overseeing ESG management activities and mechanisms by integrating all ESG functions to facilitate coordination and collaboration in achieving ESG objectives. This is outlined in Company Regulation Number: PD.704.00/r.00/HK290/DSC-M0200000/2025 on Telkom Group Sustainability Governance.

The Sustainability Committee is responsible for ensuring the effective implementation of ESG management across Telkom Group, ensuring that all ESG management activities and mechanisms are properly executed through the following actions:

  1. Supervising, establishing, and providing direction on ESG goals, plans, strategies, roadmaps, policies, initiatives, and performance indicators, including climate change aspects.
  2. Ensuring that the Company effectively implements sustainability programs in the ESG sector.
  3. Monitoring the mitigation of risks and opportunities related to the Company’s operational activities in terms of ESG.
  4. Overseeing ESG performance achievements, including climate change, based on evaluations by third-party assessors, ESG rating agencies, investors, and other stakeholders.
  5. Ensuring the publication of Sustainability Reports, including climate change disclosures, in compliance with applicable regulations and in alignment with the needs of shareholders and other stakeholders.

Telkom has established a policy governing business ethics within the Telkom Group, as outlined in Company Regulation Number: PD 201.01/r.00/PS150/COP-B0400000/2014, dated May 6, 2014, on Business Ethics within the Telkom Group. This policy aims to enhance adaptability to external environmental changes by upholding the principles of Good Corporate Governance (GCG) and fostering a high-performing, sustainable business that adheres to ethical standards in compliance with applicable laws and regulations.

This policy regulates both employee ethics and business ethics. Employee ethics refers to the value system or norms applied by all employees and leaders in their daily work, covering the following behaviors:

  1. Key Employee Behaviors:
    1. Employee capacity and capability
    2. Obligations and prohibitions
    3. Information confidentiality
    4. Infrastructure
    5. Work environment
  2. Key Leadership Behaviors:
    1. Leadership conduct
    2. Conduct of the Board of Directors
    3. Conduct of the Chief Executive Officer (CEO) and Chief Financial Officer (CFO)

Business ethics refers to the value system or norms adopted by the Company as a guideline for its management and employees in interacting with their environment. This includes the following areas:

  1. Relations with regulators
  2. Relations with stakeholders
  3. Additional provisions

Telkom has established its corporate sustainability governance, as outlined in Company Regulation Number: PD.704.00/r.00/HK290/DSC-M0200000/2025 on Telkom Group Sustainability Governance. Through this regulation, Telkom has formed the Sustainability Committee, chaired by the President Director, with members including directors responsible for risk, network and IT, and human capital, as well as supported by the ESG working group consisting of relevant unit heads.

The Sustainability Committee is responsible for managing the ESG governance activities and mechanisms, integrating all ESG functions to facilitate coordination and collaboration in achieving ESG objectives.

The Sustainability Committee has the responsibility for ensuring the effective implementation of ESG management within Telkom Group, ensuring that all ESG management activities and mechanisms are properly executed through the following actions:

  1. Supervising, establishing, and providing direction on ESG goals, plans, strategies, roadmaps, policies, initiatives, and performance indicators, including climate change.
  2. Ensuring that the Company effectively implements sustainability programs in the ESG sector.
  3. Monitoring the implementation of risk mitigation and opportunities arising from the Company's operational activities concerning ESG.
  4. Overseeing ESG performance achievements, including climate change, based on evaluations from third-party assessors, ESG rating agencies, investor interests, and/or other stakeholders.
  5. Ensuring the publication of Sustainability Reports, including climate change disclosures, in compliance with applicable regulations and to meet the needs of shareholders and other stakeholders.

In carrying out its duties and responsibilities, the Sustainability Committee coordinates with other committees under the Board of Commissioners and Board of Directors, which include the Social and Environmental Responsibility (TJSL) Committee, Risk, Compliance, and Revenue Assurance Committee, Audit Committee, and Nomination and Remuneration Committee.

Telkom has established corporate security and safety governance as outlined in the Board of Directors Decree Number: KD.37/UM400/COO-D0030000/2010 concerning the Management of Corporate Security and Safety (Enterprise Security & Safety Governance). This policy regulates the security and safety activities that concern the Company's assets, ranging from physical and non-physical security to occupational safety and health.

The Company adopts 11 (eleven) basic principles for Corporate Security and Safety Management, namely:

  1. Security and Safety are Company concerns. Security and Safety are managed as corporate "issues", with program scopes covering all Company assets including but not limited to employees, products, planning, policies, procedures, systems, technology, networks, and Company information.
  2. Security and Safety are managed based on Risk. Determination of an adequate level of Security and Safety must be based on acceptable levels of Risk by the Company, whether operational, market, strategic, or financial Risk.
  3. Security and Safety are the responsibility of leadership. The management of Security and Safety is the accountability of the Company leadership.
  4. Security and Safety are business needs. Security and Safety are necessary for business continuity, and thus, the Corporate Security and Safety Plan must align with Company strategy, policies, risk management plans, and compliance requirements.
  5. Aware and trained employees. All employees must understand their rights, obligations, and responsibilities as part of Corporate Security and Safety Management. The Company must have programs to cultivate awareness and compliance among all employees regarding Security and Safety aspects, which can be outlined in their job descriptions and responsibilities.
  6. Clear role and responsibility mapping. Security and Safety managers must be individuals with qualifications in the field. The determination of roles, responsibilities, and functions of Security and Safety management must be clear, so that separation of functions, accountability, and risk management can be effective.
  7. Contained within policy. Corporate Security and Safety Management must be elaborated through a series of policies and procedures supported by budgets and competent human resources.
  8. Availability of adequate resources. Parties involved in Security and Safety management must have sufficient resources, authority, and time to build and maintain an effective and efficient Corporate Security and Safety system.
  9. A reference in system development. All stages of system development—hardware or software systems, including acquisition, initiation, technical requirements, system architecture/design, testing, operation, maintenance, and deactivation—must consider Security and Safety aspects.
  10. A planned, structured, and measurable program. Security and Safety must be an integral part of Company strategy, capital, and operational plans, and must be achievable and executable through effective controls and parameters.
  11. Review and Audit. To ensure that the Corporate Security and Safety Plan has been created, implemented, and maintained according to the established Risk level, regular and periodic reviews and audits must be conducted and reported to the Company’s Risk Committee for follow-up.

Corporate Security and Safety Management is implemented in every Work Unit with the objective of ensuring the execution of Corporate Security and Safety management and addressing Security and Safety risks in Company operations.

The objectives of implementing Corporate Security and Safety Management are:

  1. To ensure coordination and communication of all Security and Safety risks to ascertain that management has adequately considered and responded to these Risks promptly;
  2. To ensure the implementation of the Corporate Security and Safety Plan within job duties and responsibilities, and its application in each business process; and
  3. To manage Corporate Security and Safety in alignment with the Company’s Security and Safety strategy, risk management, and Security and Safety Plan.

The principles of Corporate Security and Safety System Management are:

  1. The function of Security and Safety must be embedded in every employee’s mindset, especially within the Security & Safety Unit as the main executor of the Security and Safety system;
  2. The Security & Safety Unit may engage in cooperation with other institutions in accordance with applicable regulations;
  3. The organization of the Security and Safety system adheres to a functional unity approach, taking into account principles of unified command and unified security area;
  4. Implementation of the Corporate Security and Safety Plan through policy/business process/work procedures/other document forms must be carried out inherently and continuously within the Company;
  5. The Corporate Security and Safety Plan prioritizes preemptive and preventive approaches; and
  6. The implementation of the Corporate Security and Safety Plan must consider the principles of cost-benefit as well as effectiveness and efficiency.

In the activities of Corporate Security and Safety Management, the Corporate Security and Safety Plan is prepared through a structured process involving all Work Units, based on Company business needs, applicable regulatory provisions, and cooperation with external parties if necessary. The Security and Safety Plan is operationalized through policies/business processes/work procedures/other document forms that serve as guidelines for all employees in their roles to maintain Corporate Security and Safety.

The scope of Security management based on systems and objectives is divided into two (2) groups:

  1. Physical Asset Security (physical security), which consists of:
    1. Environmental Security, including access control to Company premises; protection of asset locations from disturbances and risk of damage; and ensuring that Company assets do not pose dangers/risks to communities surrounding Company asset locations;
    2. Personnel Security, including securing and escorting persons or officials classified as important, issuing and managing identity cards for every personnel, ensuring that all personnel present at Company locations carry out activities in line with the agreed purposes, evacuating personnel during emergencies, and periodically fostering awareness of the importance of Security and Safety among all personnel.
  2. Non-Physical Asset Security (non-physical security), which consists of:
    1. Network System Security, including preventing illegal/unauthorized access to the network system, minimizing interruptions and disruptions to the network system, blocking invasive applications, programs, and software that can interfere with or damage network systems and their data, and applying the use of integrated and reliable network security systems;
    2. Information System Security, including preventing unauthorized use, modification, or destruction of Company information, maintaining the security of computer devices, networks, and data storage media, and ensuring the Company's proprietary rights/copyrights over information.

The scope of Safety management is as follows:

  1. Occupational Safety and Health Management System (SMK3), which includes:
    1. Preventing, reducing risks, and mitigating the impacts of work accidents;
    2. Preventing, reducing Risks, and controlling fires;
    3. Preventing exposure to hazardous electrical currents;
    4. Preventing and controlling occupational diseases, both physical and psychological;
    5. Providing first aid for accidents;
    6. Maintaining cleanliness, health, and orderliness;
    7. Providing personal protective equipment;
    8. Creating harmony between employees, work equipment, and work environment;
    9. Maintaining all types of buildings.
  2. Insurance management for Company personnel; and
  3. Occupational Safety and Health Committee (P2K3), established by the highest-ranking official in the workplace, with members from various elements of management, employees, Occupational Safety and Health (K3) Supervisors, and employee union representatives.

The Organizational Structure of P2K3 consists of:

  1. Chairperson: Head of Work Unit;
  2. Secretary: Employee with a K3 Supervisor certificate from the Ministry of Manpower;
  3. Members: representatives from management, Work Units, employees, K3 Supervisors, and Employee Unions.

The function of P2K3 is to assist Company management in formulating policies and work guidelines aimed at improving Occupational Safety and Health. The main duties of P2K3 are to provide recommendations to Company management on Occupational Safety and Health matters and to help improve supervision, counseling, training, research, and maintenance of the work environment in accordance with K3 standards, while also preventing potential negative impacts. In addition, the administration of P2K3 management is the responsibility of the Security & Safety Unit.

The Corporate Security and Safety Management Strategy is carried out through 4 (four) steps:

  1. Preemptive and Preventive, a strategy to prevent the occurrence of Security and Safety disturbances within the Company;
  2. Detection, a strategy to perform early identification of Security and Safety disturbances within the Company;
  3. Recovery, a strategy for recovery after the occurrence of Security and Safety disturbances within the Company;
  4. Corrective, a strategy to repair Security and Safety disturbances with the aim of preventing recurrence of the same disturbances.

The Security Plan may include:

  1. General Plan, planning/programming the strength and capability to be deployed against security targets in normal situations;
  2. Emergency Situation Security Plan, planning/programming the strength and capability to be deployed against security targets in emergency situations;
  3. Special Security Plan, planning/programming the strength and capability to be deployed against security targets in special situations such as bomb threats/disturbances, hostage-taking, hijacking, sabotage, assassination, kidnapping, etc.

Meanwhile, the Safety Plan may include reducing the risk of work-related accidents and reducing the risk of health issues caused by work or the work environment.

Evaluation of Security and Safety performance is carried out at least once a year by the Security & Safety Unit in the form of monitoring, inspection, and assessment. Meanwhile, a comprehensive audit of Security and Safety performance is conducted periodically at least once a year or incidentally by a specially appointed team, and if deemed necessary, by an External Auditor. The evaluation and audit implementation refers to applicable evaluation and audit standards. The results of the evaluation and/or audit are reported hierarchically to Company management for follow-up and continuous improvement. Rewards and punishments may be applied based on the evaluation and audit results, taking into account the available budget and applicable regulations.

Telkom is committed to protecting information assets to minimize the risks posed by various threats that may disrupt business continuity, maximize the utilization of business opportunities, and maintain the Company's reputation. This commitment is realized through the establishment of Company Regulation Number: PD.406.00/r.01/HK200/COP-D0500000/2024 dated December 18, 2024, concerning Information Security Governance.

The scope of this regulation includes general policies on Information Security Governance, organizational controls, personnel controls, physical controls, technological controls, and compliance with Information Security Governance.

The principles of Information Security management include confidentiality, integrity, and availability.

The framework for implementing Information Security is carried out under the following provisions:

  1. Information security must be controlled throughout the entire information lifecycle, from creation to destruction;
  2. Information Security management is conducted through the implementation of a set of controls designed to comprehensively protect information;
  3. A set of Information Security Controls includes policies, regulations, processes, procedures, organizational structures, and hardware or software components;
  4. The implementation of Information Security Controls must be carried out and supported by all personnel according to their roles/authority and involve relevant stakeholders; and
  5. Information Security Controls must be continuously implemented and monitored, reviewed, and periodically improved to meet business needs and applicable Information Security requirements.

Organizational control is a category of control that involves managing the risks associated with information assets through policies, procedures, and structures that regulate and oversee an organizations security practices while ensuring integration with governance, risk management, and compliance processes.

Organizational controls include:

  1. The Information Security management role map, designated by the director in charge of Information Security;
  2. Segregation of duties, separating development and operation functions;
  3. Management responsibilities, ensuring all personnel implement information security measures in accordance with Information Security policies, Specific Topic Policies, and established procedures;
  4. Relationships with authorities, maintaining communication with relevant authorities such as law enforcement, policymakers, utility suppliers, emergency services, and health and safety organizations, including fire departments, telecommunications providers, electricity suppliers, and water suppliers;
  5. Relationships with special interest groups, maintaining relations with specialized security forums and professional associations;
  6. Threat Intelligence, collecting and analyzing Information Security Threats to generate relevant insights, contextual awareness, and actionable intelligence, including business movement monitoring;
  7. Information Security in Project Management, ensuring that Information Security is integrated into Project Management for all projects regardless of complexity, size, duration, discipline, and application area;
  8. Asset inventory, conducted accurately, updated consistently, and aligned with other inventories. Each identified asset must have an assigned owner and classification type;
  9. Asset return, requiring personnel or other relevant stakeholders to return assets upon employment termination, contract completion, or agreement expiration;
  10. Access control, establishing and implementing physical and logical access control rules based on business needs and Information Security requirements;
  11. Identity management, overseeing the entire Identity Lifecycle in accordance with applicable regulations;
  12. Authentication information, managing the allocation and administration of authentication information through proper management processes, including guidelines on handling authentication data securely;
  13. Access rights, ensuring access rights to information and assets are granted, reviewed, modified, and revoked based on policies set by the director overseeing Information Security;
  14. Information Security in Supplier relationships, ensuring Information Security is applied from the commencement of supplier product or service usage until termination;
  15. Inclusion of Information Security aspects in supplier contracts, defining and agreeing on relevant Information Security requirements for each supplier of ICT products and services based on the nature of the engagement;
  16. Monitoring, reviewing, and managing supplier service changes routinely;
  17. Information Security for cloud services usage, ensuring processes for acquiring, utilizing, managing, and discontinuing cloud services align with Information Security requirements;
  18. Incident Security Management planning and preparation, establishing and communicating processes, roles, and responsibilities for managing Information Security incidents;
  19. Information Security Incident assessment and decision-making, determining whether an event qualifies as an incident and prioritizing based on consequences and impact;
  20. Information Security Incident response, ensuring responses align with documented procedures;
  21. Lessons learned from Information Security Incidents, leveraging incidents to strengthen and improve Information Security controls;
  22. Evidence collection, ensuring records remain complete and unaltered, electronic evidence copies match originals, and information systems function correctly during evidence capture;
  23. Information Security during disruptions, developing plans to maintain appropriate levels of security during disruptions, including business continuity and recovery processes for critical operations;
  24. ICT readiness for business continuity, planning, implementing, maintaining, and testing ICT continuity strategies in alignment with business continuity objectives; and
  25. Documentation of operational procedures, regularly reviewed and updated as needed.
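The evidence-collection control above (item 22) requires that electronic evidence copies match their originals and that records remain complete and unaltered. The following is an added example, not part of the Telkom regulation or any Telkom tooling, of how a responder can enforce that requirement: each acquired file is hashed with SHA-256 at the source and at the copy, the digest is written to an append-only chain-of-custody log, and later re-verification detects any change to the copy. The file names, the sample log line and the collector identifier are constructed for illustration.

```python
"""
Added example (not Telkom's code): hash-verified evidence acquisition with a
chain-of-custody log, illustrating the "copies match originals" requirement.
All file names, contents and identifiers below are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large evidence files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_evidence(original, evidence_dir, collector):
    """Copy `original` into `evidence_dir`, hash source and copy, and append a custody record.

    Acquisition fails loudly if the copy's digest does not equal the source's digest,
    so a corrupted or partial copy never enters the evidence store silently.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    copy_path = os.path.join(evidence_dir, os.path.basename(original))
    shutil.copy2(original, copy_path)          # copy2 also preserves timestamps
    source_digest = sha256_file(original)
    copy_digest = sha256_file(copy_path)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "collector": collector,                # hypothetical analyst identifier
        "source": original,
        "copy": copy_path,
        "sha256": source_digest,
        "verified": source_digest == copy_digest,
    }
    # Append-only log: one JSON record per acquisition, never rewritten in place.
    with open(os.path.join(evidence_dir, "custody.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("copy digest differs from original; acquisition failed")
    return record


def verify_evidence(evidence_dir):
    """Re-hash every copy named in the custody log and report whether it still matches."""
    results = {}
    with open(os.path.join(evidence_dir, "custody.jsonl")) as log:
        for line in log:
            rec = json.loads(line)
            results[rec["copy"]] = sha256_file(rec["copy"]) == rec["sha256"]
    return results


def demo():
    """Constructed scenario: acquire a log file, then tamper with the copy and re-verify.

    Returns (match_before_tampering, match_after_tampering), i.e. (True, False).
    """
    work = tempfile.mkdtemp()
    original = os.path.join(work, "auth.log")
    with open(original, "w") as handle:  # constructed sample log line
        handle.write("2024-12-18T10:00:00Z sshd: Failed password for root from 203.0.113.7\n")
    evidence_dir = os.path.join(work, "evidence")
    rec = acquire_evidence(original, evidence_dir, "analyst-01")
    before = verify_evidence(evidence_dir)[rec["copy"]]
    with open(rec["copy"], "a") as handle:   # simulate post-acquisition alteration
        handle.write("tampered\n")
    after = verify_evidence(evidence_dir)[rec["copy"]]
    return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the custody log itself should live on write-once or separately controlled storage, and the digests should be recorded in a second location (for example a signed acquisition report), since a log that sits beside the evidence and is writable by the same account can be edited along with the copy.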

Personnel control is a category of control focused on managing information asset risks related to individuals.

Personnel controls include:

  1. Personnel selection, involving background checks on candidates before and after joining the Company, ensuring compliance with business needs, classified information access levels, and perceived risks;
  2. Work terms and conditions related to Information Security, outlining personnel and Company responsibilities;
  3. Information Security awareness, education, and training, conducted regularly to update employees on Information Security Policies and specific topic procedures relevant to their roles;
  4. Disciplinary process, established in Company policy and communicated to enforce actions against personnel or stakeholders violating Information Security Policies;
  5. Post-employment or reassignment responsibilities, ensuring compliance with work agreements, contracts, or terms, and communicating obligations to personnel and stakeholders;
  6. Information Security in remote work, ensuring security measures protect information accessed, processed, and stored remotely; and
  7. Reporting of Information Security Events, ensuring incidents or suspicions are reported through designated Company channels.

Physical control is a category of control focused on managing information asset risks associated with physical objects.

Physical controls include:

  1. Physical security perimeters, defined and utilized to protect areas storing information and related assets;
  2. Physical entry, ensuring Secure Areas have appropriate access points and entry controls;
  3. Office, room, and facility security, designed and implemented according to Information Security standards;
  4. Physical security monitoring, ensuring confidentiality and protection from unauthorized access;
  5. Protection against physical and environmental threats, assessed for risk potential before initiating critical operations;
  6. Secure Area work protocols, ensuring all activities within Secure Areas are accounted for;
  7. Clear desk and clear screen policies, reducing risks of unauthorized access, loss, or damage to information;
  8. Placement and protection of supporting infrastructure, ensuring security measures;
  9. Protection of off-premises assets;
  10. Security of storage media, utility systems, and cabling; and
  11. Maintenance, disposal, and reuse of supporting infrastructure, ensuring confidentiality, integrity, and availability.

Technological control is a category of control focused on managing information asset risks related to technology use.

Technology controls include endpoint device security, privileged access management, access restrictions, program access controls, secure authentication, capacity management, malware protection, configuration management, backup policies, logging, network security, secure development lifecycle, and change management.

Evaluations of the effectiveness of Information Security policies, systems, and security measures are conducted at least once per year.

Telkom is committed to delivering value creation based on the needs of stakeholders through business alignment with guarantees for Personal Data Protection in order to achieve business benefits (benefit realization). Telkom complies with Law Number 27 of 2022 concerning Personal Data Protection, which is manifested through the issuance of Company Regulation Number: PD.407.00/r.00/HK270/COP-M0600000/2024 dated August 27, 2024 concerning Personal Data Protection Governance of the Telkom Group.

This regulation aims to provide guidance that Personal Data Protection is carried out to achieve value creation based on the needs of the Company's stakeholders through business alignment with Personal Data Protection guarantees, so that the implementation of Personal Data Protection governance in the Company can realize business benefits (benefit realization), optimize risk management (risk optimization), and optimize resource management (resource optimization).

The scope of this regulation includes:

  1. Legal Basis for Personal Data Processing;
  2. Personal Data Access Control;
  3. Accuracy, Security, and Confidentiality of Personal Data;
  4. Control of Personal Data Processing; and
  5. Supervision of Personal Data Protection.

The principles of Personal Data Protection within the Company include:

  1. The principle of protection and legal certainty;
  2. The principle of public interest and utility;
  3. The principle of prudence;
  4. The principle of balance;
  5. The principle of accountability; and
  6. The principle of confidentiality.

The types of Personal Data protected include specific Personal Data and general Personal Data. Specific Personal Data includes health data and information, biometric data, genetic data, criminal records, child data, personal financial data, and other data in accordance with statutory provisions. General Personal Data includes full name, gender, nationality, religion, marital status, and personal data combined in a way that identifies an individual.

The legal basis for Personal Data Processing includes:

  1. Explicit lawful consent from the Personal Data Subject;
  2. Fulfillment of contractual obligations;
  3. Fulfillment of legal obligations by the Personal Data Controller Unit in accordance with statutory provisions;
  4. Fulfillment of vital interests of the Personal Data Subject;
  5. Performance of tasks in the public interest, public services, or execution of authority by the Personal Data Controller Unit based on statutory regulations; and/or
  6. Fulfillment of other legitimate interests, taking into account the purposes, needs, and balance between the interests of the Personal Data Controller Unit and the rights of the Personal Data Subject.

In Personal Data Processing, the Personal Data Controller Unit must provide information to the Personal Data Subject, in writing or electronically using appropriate technology, regarding the legality and purpose of Personal Data Processing, the type, relevance, and retention period of documents containing Personal Data, details of the information collected, the processing duration, and the rights of the Personal Data Subject. This information includes:

  1. Identity of the Personal Data Controller Unit and/or Personal Data Processor Unit in accordance with statutory provisions;
  2. Source of collection and purpose of Personal Data transfer;
  3. Legal basis and purpose of Personal Data Processing;
  4. Types of Personal Data;
  5. Legal basis for the use of Personal Data;
  6. Period for which Personal Data will be used, stored, and destroyed;
  7. Procedures for storing and managing Personal Data;
  8. Information on parties who will use the data in case the Personal Data Controller Unit involves a data processor;
  9. Mechanism for consent and withdrawal of consent when processing is based on explicit lawful consent or contractual obligations;
  10. Mechanisms for obtaining access to and/or copies of Personal Data, submitting objections, and verifying and correcting Personal Data; and
  11. Security measures to protect Personal Data.

Termination, Suspension, and Restriction of Processing are carried out under the following conditions:

  1. The Personal Data Controller Unit must terminate the Processing of Personal Data if the Personal Data Subject withdraws consent.
  2. The Personal Data Controller Unit must suspend and restrict the Processing of Personal Data, either partially or wholly, no later than 3 x 24 (three times twenty-four) hours from the receipt of such request.
  3. The Personal Data Controller Unit must notify the Personal Data Subject once the suspension or restriction is carried out.

Access Control for Personal Data is implemented as follows:

  1. The Personal Data Controller Unit must grant access to the Personal Data Subject within a maximum of 3 x 24 (three times twenty-four) hours after receiving the access request.
  2. The Personal Data Controller Unit must reject access requests from the Personal Data Subject to change data if:
    1. It endangers the physical or mental health of the subject or others;
    2. It results in the disclosure of other individuals' Personal Data; and/or
    3. It conflicts with national defense and security interests.
  3. The Personal Data Controller Unit and Personal Data Processor Unit must protect Personal Data from unlawful processing and prevent unauthorized access.

To ensure the accuracy, completeness, and consistency of Personal Data:

  1. The Personal Data Controller and Processor Units must carry out verification;
  2. The Personal Data Controller Unit must update and/or correct any errors and/or inaccuracies in the Personal Data;
  3. The Personal Data Controller Unit must notify the Personal Data Subject of any updates or corrections.

The Personal Data Controller Unit, Personal Data Processor Unit, and all involved parties are obligated to protect and ensure the security of the Personal Data being processed by:

  1. Developing and implementing technical and operational measures to protect Personal Data from processing activities that contradict applicable regulations;
  2. Determining the level of Personal Data security by considering the nature and risks involved in its processing.

In the processing of Personal Data, confidentiality must be maintained by the Personal Data Controller and Processor Units.

For processing Children’s and Persons with Disabilities’ Personal Data, the Personal Data Controller Unit must obtain consent from the child’s parent or guardian, or from the guardian of the person with disabilities, in accordance with statutory provisions.

Personal Data Processing involves the following activities:

  1. Processing must be limited, specific, lawful, and transparent in accordance with its intended purposes;
  2. The Personal Data Controller and Processor Units must record all Personal Data Processing activities;
  3. The Personal Data Controller Unit must conduct a Data Protection Impact Assessment (DPIA) when the processing presents high potential risk to the data subjects.

The Personal Data Controller Unit must terminate Personal Data Processing once the retention period has ended, the processing purposes have been fulfilled, or upon request by the Personal Data Subject.

Additionally, the Personal Data Controller Unit must delete Personal Data when it is no longer necessary for the purpose, when the subject withdraws consent, when requested by the subject, or when the data was obtained and/or processed unlawfully.

The Personal Data Controller Unit must destroy Personal Data when its retention period has ended and destruction is indicated in the retention schedule, when requested by the subject, when it is unrelated to ongoing legal proceedings, or when obtained/processed unlawfully.

The Personal Data Controller Unit is responsible for the processing of Personal Data and must demonstrate accountability in fulfilling Personal Data Protection principles.

Supervision of Personal Data Protection is carried out as follows:

  1. The Personal Data Controller and Processor Units must supervise all parties involved in Personal Data Processing under the Controller’s control.
  2. Supervision includes the obligation to conduct a Data Protection Impact Assessment (DPIA) before developing applications/information systems/software and/or using new technology in data processing.
  3. The DPIA must be conducted and documented independently by the Personal Data Controller Unit and reported to the organizational unit responsible for Personal Data Protection, Information Technology, and Cybersecurity.

In the event of a Personal Data Protection Failure, the Personal Data Officer Unit of the Controller must notify the Data Subject and the Personal Data Protection Authority (PDP Authority) in writing no later than 3 x 24 (three times twenty-four) hours. If public services are disrupted, there is serious societal impact, or the Controller cannot guarantee that the data subject will be notified directly, the Controller must also inform the public.