Indonesia’s Personal Data Protection Law: An Overview of What to know and what to expect

The Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) has come into force. The Personal Data Controllers, Personal Data Processors, and other parties related to the processing of personal data must comply with the PDP Law no later than 2 (two) years following the enactment of the PDP Law.

The PDP Law applies to any person, public agency, or international organization that either collecting, processing or carrying out other legal activities related to personal data offshores and within the jurisdiction of Indonesia. Whereas, the offshore entities that having no legal entity in Indonesia shall comply with the PDP Law that pertains personal data of Indonesia citizens and/or having legal consequence domestically in Indonesia. However, household purposes or the processing of data by individual are not subject to the PDP Law.  

In essence, the PDP Law regulates the following matters;

  1. Type of personal data;
  2. Data subject rights;
  3. Procedures and obligations of personal data controllers and personal data processors;
  4. Personal data transfer;
  5. Data protection institution; and
  6. Sanctions and procedures in resolving personal data disputes.

We set out below few key takeaways from the PDP Law.

Controllers v. Processors

The PDP Law distinguishes between Personal Data Controllers (“Controllers”) and Personal data processors (“Processors”). As of the role, the Controllers is processing personal data through a legal consent from the individual and/or legal subject for one or more purposes, whilst the Processors is processing the personal data on behalf of the Controller. Nevertheless, the Controllers and Processors include any person, public body, or international organization.

Consent

Personal data Controllers or Processors cannot arbitrarily collect personal data belonging to someone. Whereas, the PDP Law requires written or recorded consent. In giving their consent, the subject of personal data must also obtain easy access, transparent, and clear information on the legality of the personal data processing, the purpose(s), and the rights of the personal data subject.

Personal Data Security System

PDP Law requires Controllers and Processors of personal data to maintain the security and confidentiality of personal data subjects by using a reliable, safe, and responsible security system. In addition, the Controllers are also obliged to supervise each party involved in the processing of personal data.

Data Protection Officer

To further ensure the security of the personal data subject, if the Controllers are processing specific personal data, then the Controllers are obliged to examine the impact of personal data protection to the subject. Moreover, if the processing of a specific personal data is carried out on a large scale, the personal data controller must appoint officer who carries out the function of protecting personal data (“Data Protection Officer”). The Data Protection Officer is appointed based on knowledge of the law and personal data protection practices. The Data Protection Officer can appointed from both internal and external entities of personal data controllers.

Notice

The Controller is obliged to notify the personal data subject for any deletion of personal data under their possession; failure to protect personal data under their possession; or corporate action performs by the Controller. Any failure of personal data protection will raise the obligation to notify the personal data subject and personal data protection agency no later than 3 x 24 hours.

Sanction

If the personal data controller fails to fulfil their obligations, the personal data controller is subject to the following sanctions (i) a written warning, (ii) temporary cessation of personal data processing activities, (iii) deletion or destruction of personal data, to (iv) administrative fines in the amount of a maximum of two percent of annual income or annual receipts against violation variable. In addition to sanctions, personal data subjects also have the right to sue and receive compensation for violations of processing personal data about themselves. The sanctions in the PDP Law will be imposed by a personal data protection agency that will be determined and responsible to the president of the Republic of Indonesia. Up to this point, there is no further regulation on this specific agency.

The PDP Law sets prohibits few actions relating to personal data, among others, (i) obtaining and collecting personal data that is not theirs with the intention of benefiting themselves or others which may result in the loss of the subject of personal data, (ii) disclosing and using personal data that does not belong to them or falsifying personal data with the intention of benefiting oneself and/or other people which can cause harm to others. If such prohibition is carried out by company, the penalty can be imposed on the management, control holder, order giver, beneficial owner, and/or the corporation itself. The penalty that can be imposed is a maximum of 6 years in prison and/or a maximum fine of Rp. 6,000,000,000 (six billion rupiah). On a separate note criminal sanctions that can be imposed on corporations are fines in the amount of 10 times the maximum penalty imposed. In addition, corporations may also be subject to additional penalties ranging from confiscation of profits to the closure of part or all the place of business and/or corporate activity.