Navigating Personal Data Protection in Indonesia

In late 2022, the Indonesian government took an important step in unifying the country’s data protection regulations that were previously regulated in separate laws and sectoral regulations. On October 17, 2022, this was enacted into a single personal data protection law through Law No. 27 of 2022 on personal data protection (“PDP Law”). The enactment of PDP Law which references the provisions set out under the European Union’s General Data Protection Regulation (“EU GDPR”) is intended to guarantee the rights of every individual to have adequate protection over their data.

What is personal data?

The PDP Law defines personal data as data on individuals who are identified or can be identified individually or combined with other information, either directly or indirectly, through electronic or non-electronic systems. Personal data is divided into the following categories:

1. Specific Personal Data, which includes health data and information; biometric data; generic data; crime records; child data; personal financial data; and/ or other data by provisions of laws and regulations; and
2. General Personal Data, which includes full name; gender; citizenship; religion; marital status; and/ or combined Personal Data to identify a person.

Who are the stakeholders involved in PDP Law?

PDP Law introduces several stakeholders or involved parties within personal data processing activities, including:

1. Personal Data Subject: An individual on which the personal data is associated with and enjoys the rights granted by the PDP Law regarding the protection of their data;
2. Personal Data Controller: Every individual or company, public agency, and international organization that acts individually or jointly in determining purposes and exercising control over the processing of Personal Data;
3. Personal Data Processor: An individual or company, public agency, and international organization that acts individually or jointly in processing Personal Data on behalf of Personal Data Controller; and
4. Data Protection Officer (“DPO”): An official or officer appointed by the personal data controller and Personal Data Processor to carry out the Personal Data Protection function, who may come from within and/ or outside the respective Personal Data Controller and Personal Data Processor.

Why is PDP Law necessary?

The enactment of the PDP Law is important for Indonesia because of the need to protect the rights of individuals in society regarding the processing of their data both electronically and non-electronically using data processing tools. The adequate protection of personal data will be able to provide public confidence to provide personal data for various greater societal interests without misuse or violating their rights. Thus, this PDP Law will create a balance between individual rights and the interests of society whose interests are represented by the state.

In light of the above, the government through the PDP Law grants several rights to personal data subjects regarding their data, which consists of:

1. Right to be informed which provides the rights for personal data subjects to know who is processing their personal data and identity clarity, basis of legal interest, purpose of requesting and using personal data, and accountability of parties that request personal data;
2. Right to rectification which provides the rights for personal data Subject to complete, update, and correct errors in their data;
3. Right to access which provides the rights for personal data Subject to access their personal data and additional information;
4. Right to erasure and restriction of processing which provides the rights for the personal data subject to terminate the processing, erasure, and/or destruction of their data;
5. Right concerning automated decision-making and profiling which provides the rights for personal data subjects to object to any decision-making actions based on automated processing and profiling;
6. Right to object which provides the rights for personal data subjects to object to the processing of their data and even profiling;
7. Right to claim compensation which provides the rights for personal data subjects to obtain compensation as well as obligations from those to be fulfilled by the personal data controller and the personal data processor; and
8. Right to data portability which provides the rights for personal data subjects to obtain and reuse their data for their purposes across various services.

The PDP Law also stipulates several obligations of the personal data controller and the personal data processor, including but not limited to showing proof of consent from the personal data subject, recording all personal data processing activities, protecting and ensuring the security of personal data, and convey the legality, purpose, and relevance of the processing of personal data. Additionally, the personal data controller and the personal data processor may be required to appoint a DPO to monitor and oversight the process of personal data processing activities.

Where does the PDP Law apply?

The PDP Law has a far-reaching scope as it applies to every individual or company, public agency and international organization that performs legal acts as regulated under the PDP Law:

1. Within the jurisdiction of the Republic of Indonesia; and
2. Outside the jurisdiction of the Republic of Indonesia, provided that such act has legal consequences:
3. Within the jurisdiction of the Republic of Indonesia; and/ or
4. For Personal Data Subject of Indonesian citizens outside the jurisdiction of the Republic of Indonesia.

In this regard, the PDP Law has extra-territorial scope as it would also cover any personal data of any Indonesian outside the jurisdiction of the Republic of Indonesia.

When is the deadline for compliance with PDP Law?

To comply with the PDP Law, the personal data controller, personal data processor, and other parties related to the personal data processing activities shall make internal adjustments in their policies and procedures regarding their business practices under the PDP Law by the latest 2 (two) years from the enactment date of the PDP Law, i.e. October 16, 2024.

Non-compliance or violation of the PDP Law may be subject to administrative sanctions in the form of a written warning, temporary suspension of Personal Data processing activities, deletion or destruction of Personal Data, indemnification of losses, and/ or administrative fines. It is noteworthy that the administrative fines will be in the amount of two percent of the annual income or annual revenue at the maximum against the violation variable.

Besides the administrative sanctions, the PDP Law also stipulates the following criminal sanctions:

1. Every person who intentionally and unlawfully obtains or collects personal data that do not belong to them to benefit themselves or other persons which may result in the loss of the personal data subject may be subject to a maximum imprisonment of five years and /or a maximum fine of five billion rupiah;
2. Every person who intentionally and unlawfully discloses personal data that does not belong to them may be subject to a maximum imprisonment of four years and/ or a maximum fine of five billion rupiah;
3. Every person who intentionally and unlawfully uses personal data that does not belong to them may be subject to a maximum imprisonment of five years and/or a maximum fine of five billion rupiah; and
4. Every person who intentionally creates false personal data or falsifies personal data to benefit themselves or other persons which may result in the loss of other persons may be subject to a maximum imprisonment of 6 (six) years and/or a maximum fine of six billion rupiah.

If criminal actions are conducted by a company, the sentence may be imposed on the management, controller, commanding officer, beneficial owner, and/ or company. However, the only sentence that may be imposed on the company is fines which is a maximum of 10 (ten) times the maximum sentence imposed. In addition to the fines, a company may be imposed on additional sentences in the form of:

1. Confiscation of profits and/or assets obtained or proceeds from such criminal actions;
2. Suspension of the entire or part of the Corporation’s business;
3. Permanent prohibition of doing certain actions;
4. Shutdown of the entire or part of the Corporation’s place of business and/or activities;
5. Fulfill the obligations that have been neglected;
6. Payment of compensation;
7. Revocation of license; and/ or
8. Dissolution of the Corporation.

How do companies comply with PDP Law?

 The Indonesian government is currently preparing and implementing regulations for the PDP Law. In the meantime, companies shall first carry out self-assessments to identify whether they are acting as the personal data controller/ processor or not. If yes, set out below several actions that shall be conducted by the personal data controller and personal data processor.

1. Conducting a gap assessment between their existing personal data protection policies and the PDP Law, including its existing personal data processing guidelines for internal employees, personal data protection policies, existing contracts with customers or vendors, or other parties;
2. Preparing and/ or updating a privacy notice for external of the company;
3. Preparing and/ or updating personal data protection policies and guidelines for internal use of the company; and
4. Appointing a DPO from within or outside of the company and implementing a privacy management technology platform.

• Previous Article Taxation of Foreign Sourced Income in Thailand Begins in 2024
• Next Article Philippines Enacts New E-Commerce Regulation