Arisakti Prihatwono of the Prihatwono Law Firm, acting as legal counsel to Mr. X, a Bandung resident and professional currently holding an active senior management position at a National Sharia Commercial Bank, provides an update on a case involving alleged misuse of personal data and the recording of a fictitious credit facility by Perumda BPR Bandung, a regional public company under the Bandung City Government.
Brief Chronology
In July 2025, the institution where Mr. X works conducted a random SLIK credit information check on its employees. The results revealed a record of non-performing credit (Collectability 5) under Mr. X’s name in the Financial Information Service System (SLIK) of the Financial Services Authority (OJK).
Mr. X has never been a customer of BPR Bandung nor applied for a loan at any BPR, let alone held a problematic credit facility. This finding prompted further internal inquiries.
The internal investigation showed that Mr. X’s core debtor data had been incorrectly reported by Perumda BPR Bandung. As a result, his personal data was used without a lawful basis, a fictitious credit facility was recorded, and a Collectability 5 entry appeared in SLIK—causing moral, reputational, and professional harm to a senior official in the banking industry.
Mr. X submitted a clarification letter on 21 July 2025, which was answered by Perumda BPR Bandung through Letter No. 800/297-PDA.BPR dated 25 July 2025, stating that Mr. X had never held any credit facility and that corrections would be made in SLIK. Mr. X then waited for two months, but no changes appeared in the SLIK report.
It is particularly ironic that this incident befell a banker who understands how the SLIK process should be carried out and how personal data ought to be protected, someone who is aware and able to take action. This raises serious concerns about what could occur if similar incidents were to affect members of the general public.
Due to the perceived lack of good faith, Prihatwono Law Firm issued a cease-and-desist letter on 15 October 2025 (No. 041/Ext-MF/X/2025). This was answered by Letter No. 580/434-POA.BPR dated 24 October 2025, signed by the President Director of Perumda BPR Bandung, who acknowledged that:
- The SLIK data under Mr. X’s name had been corrected.
- An apology had been extended.
- The incident was described as an “internal error”.
Legal Process
Given that this incident constitutes a serious violation of privacy rights, the Personal Data Protection Law, the Consumer Protection Law, various OJK regulations, as well as regional company governance standards, Mr. X has filed a lawsuit with the Bandung District Court under case number 502/Pdt.G/2025/PN Bdg.
The case is currently In the mediation phase and is scheduled to proceed to the next hearing on Wednesday, 3 December 2025, at the Bandung District Court.
Important Notes
- Risk to the Banking Industry
The misuse of personal data carries serious administrative, civil, and criminal consequences, including potential suspension of operations and substantial fines. This case indicates weak understanding and inadequate standard operating procedures for personal data protection within Perumda BPR Bandung. - Risk to Bandung Residents
This case has the potential to be the “tip of the iceberg” in terms of possible misappropriation of other residents’ data. If left unaddressed, such practices could affect social stability and even give rise to political issues, particularly given that BPR Bandung operates under the Bandung City Government. - Role of Regional Authorities
As shareholders and supervisory authorities of the regional company, the relevant government institutions are expected to ensure that governance and personal data protection practices within Perumda BPR Bandung and related entities are continuously strengthened. It is hoped that this case will serve as constructive momentum to improve oversight, policies, and implementation so that similar incidents can be prevented in the future.
Arisakti Prihatwono emphasizes that this legal action is taken to uphold citizens’ privacy rights, prevent similar incidents from occurring in the future, and ensure that regional companies implement governance in accordance with prevailing laws and regulations.
