The Legal Responsibility of Bank Central Asia for the Protection of Customer’s Personal Data in Cases of Misuse by Third Parties

Abstract

The advancement of technology in the digital era has significantly impacted various sectors, including banking, particularly in the management and protection of customers' personal data. Banks are legally and ethically responsible for safeguarding the personal information entrusted to them. This study aims to analyze the legal protection and liability of Bank Central Asia (BCA) in cases involving the misuse of customer personal data by third parties.

The research is grounded in an empirical legal approach, supported by statutory analysis. It examines key regulations in Indonesia, including Law No. 27 of 2022 on Personal Data Protection, OJK Regulation No. 44 of 2024 on Bank Secrecy, Law No. 1 of 2024 in conjunction with Law No. 11 of 2008 on Electronic Information and Transactions, among others. The study explores the extent of bank obligations, customers’ legal remedies in the event of data breaches, and institutional accountability. Field data were collected through interviews and case analysis involving banking practices and third-party collaborations. The findings indicate that while the regulatory framework provides a solid foundation, gaps remain in enforcement and monitoring mechanisms, especially in third-party partnerships. The study emphasizes the need for stricter regulatory implementation, enhanced legal literacy among customers regarding their data privacy rights, and improved institutional oversight to ensure more effective protection of personal data in the digital banking landscape.