The practice of bundling consent in bancassurance partnerships triggers legal uncertainty and the risk of customer personal data leaks due to the incompleteness of pre-contractual norms in the Banking Law in conjunction with the PPSK Law, which conflicts with the PDP Law. This normative legal research uses a legislative, conceptual, and case-based approach with a qualitative method of legal material analysis. The research findings indicate that the validity of bundled consent in standard clauses is conditional because it contains a defect of consent resulting from abuse of circumstances (misbruik van omstandigheden). Such bundled consent is null and void as a basis for bank secrecy exceptions unless the business entity provides separate clauses (granular consent) and a genuine right to opt-out for customers. This study concludes that there is a need to reformulate legal liability through the application of strict liability for banks as the primary data controllers and joint liability with insurance companies. This reformulation is essential to shift the legal function toward early prevention to ensure the protection of customer privacy.
Copyrights © 2026