Indonesia's PDPL In Comparison With The GDPR
Table of contents
Introduction 1
Scope of the Law 2
Personal & Sensitive Personal Data 3
Lawful Basis For Processing & Consent 4
Third-Party Processors 5
Data Subject Rights 6
Right to Information 6
Right to Modification of Data 7
Right to Obtain a Copy of Data 8
Right to Withdraw Consent 8
Right to End Processing 9
Right to Object 9
Right to Limit Processing of Data 10
Right to Data Portability 11
Right to Legal Action 11
Data Protection Impact Assessment 12
Cross-Border Data Transfers 13
Data Breach Notifications 15
Data Protection Officers 16
Records & Documentation 17
Regulatory Body 18
Penalties 20
How Securiti Can Help 21
Introduction
On 25 May 2018, the European Union's General Assembly put the General Data
Protection Regulation (the “GDPR”) into effect to ensure that individuals have greater
control over their personal data and organizations implement appropriate security
measures to protect the users’ personal data.
In the years since then, the GDPR has acted as the blueprint for numerous data
protection regulations worldwide. Indonesia's recently passed Personal Data Protection
Law (PDPL) is one such regulation. It contains several provisions that echo the GDPR,
especially when it comes to data protection principles.
Similar to the GDPR, the PDPL requires organizations to collect personal data in a
limited, transparent, and lawful manner and to process it only for the defined purpose.
Organizations must also ensure that the personal data collected is accurate,
adequately protected against any unauthorized access or use, and that data subject
rights are guaranteed.
However, there are some differences as well that organizations need to take into
consideration.
Understanding the similarities and differences between the two regulations could prove
vital to any organization's compliance efforts. This document does just that, comparing
the GDPR and the PDPL across fundamental categories to give you a better
comprehension of both.
Securiti has made every attempt to ensure the accuracy and reliability of the information provided in these materials. However, the information is provided “as is” without warranty of any kind. Securiti does not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained in these materials. Legal counsel should be consulted prior to making any decision in reliance on the information contained in these materials.
Scope of the Law

PDPL (Article 2)

The PDPL is applicable to the processing of personal data by any corporation, individual, public body, or international organisation. Such an entity may be located either within Indonesia or outside it, provided that it handles Indonesian citizens' personal data that may

GDPR (Article 3 | Recitals 22-25)

The GDPR applies to entities that are established in the EU as well as entities that are outside the EU but are processing personal data belonging to natural persons in the EU or are specifically targeting individuals in the EU.
Personal & Sensitive Personal Data

PDPL (Article 4)

Personal data itself is defined as "data about an identified or identifiable individual, individually or in combination with other information, either directly or indirectly, through electronic or non-electronic systems".

The PDPL classifies personal data into two distinct categories, i.e., general and specific.

General personal data includes information such as:
- Full name
- Personal data that can be used to identify someone.

On the other hand, specific personal data includes information pertaining to:
- Health data & information
- Biometric data
- Genetic data
- Criminal records
- Minor's data
- Financial data.

GDPR (Articles 4(1), 9)

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (data subject)”. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Under the GDPR, sensitive personal data (special categories of personal data) include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Financial data is not sensitive personal data under the GDPR. While data belonging to minors has been provided specific and additional protection under the GDPR, it is not categorized as sensitive personal data.
Lawful Basis For Processing & Consent

PDPL (Articles 20, 21, 22)

Under the PDPL, organizations may only proceed with processing data subjects' personal data if they have a concrete lawful basis for doing so. The basis can include any of the following:
- Valid explicit consent has been obtained from the data subject for one or more particular purposes that the data controller has disclosed to the data subject
- Processing is necessary for the fulfilment of the legal or contractual obligations of the data controller
- Processing is necessary for the fulfilment of a data subject's request while entering into a contract or an agreement, or for the protection of the data subject’s vital interests
- Processing is necessary for the fulfilment of tasks and duties or the exercise of authority by the data controller in the public interest, and for public services under law and regulations
- Processing is necessary to fulfil the data controller's legitimate interests and the data subjects' rights.

GDPR (Article 6)

Under the GDPR, data processing activities may be initiated on any of the following lawful bases:
- The data subject's consent has been obtained for one or more specific purposes; the GDPR requires such consent to be freely given, informed, unambiguous, and specific
- Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary to protect the vital interests of the data subject or of any other natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.
Third-Party Processors

PDPL (Articles 51, 52, 53)

The PDPL allows the data controllers to appoint the data processors. The data processor is required to perform the data processing activities as directed by the data controller, and the responsibility for processing in this instance will fall on the data

GDPR (Article 28)

As per the GDPR, where a data processor decides to outsource part or all of its data processing obligations to a third party with the prior written authorization of the controller, such third party may be referred to as a “sub-processor.”
Data Subject Rights

Under the GDPR, data subject’s rights requests must be honoured within one month of the receipt of the request. On the other hand, the PDPL requires organizations to fulfil data subject’s rights requests within 72 hours of the receipt of such a request.

1 Right to Information

PDPL (Article 5)

The PDPL states that all data subjects have the right to gain information that provides clarity related to the data controller or processor's identity, what legal interests are being protected, why their data is being processed, what methods are being used to process their data, and the accountability of the party requesting the personal data.

In exercising any right, the data subject can submit a request electronically or non-electronically to the data controller.

Once the data subject makes such a request, the data controller or processor has 72 hours to comply with the request. It can only be rejected if granting such a request would endanger the data subject themselves or any other persons, as well as national security.

GDPR (Articles 13, 14 | Recitals 60, 61, 62)

This right requires the controllers to provide certain information to the data subject when personal data is collected from the data subject or from another source. Any relevant information in connection to the data processing must be given in a concise, transparent, intelligible, and easily accessible form, using clear and plain language to the data subject.

Data controllers must provide at least the following information to data subjects:
- The identity and contact details of the data controller, data controller’s representative, and its DPO, where applicable
- The purpose and legal basis of the processing
- The legitimate interests pursued by the controller or a third party where the processing is based on legitimate interests
- The categories of personal data collected
- The recipients of the personal data;
2 Right to Modification of Data

PDPL (Article 6)

All data subjects have the right to request modifications to data that has become outdated, incomplete, or incorrect since it was collected.

The data controller must update and correct any discrepancies within 72 hours of the receipt of the request. Once updated and corrected, the data controller is required to inform the data subject.

GDPR (Article 16 | Recital 65)

All data subjects have the right to obtain rectification of inaccurate personal data concerning them, without undue delay, from the controller. This right is closely interrelated with Article 5(1)d of the GDPR, which places an obligation on data controllers to ensure all personal data collected by them remains accurate at all times.
3 Right to Obtain a Copy of Data

PDPL (Article 7)

Data subjects can request a copy of all data collected on them by a data controller or processor. This copy must be provided to the data subject free of charge unless a fee would be required for administrative or other purposes.

GDPR (Article 15)

The GDPR entitles data subjects to access their personal data. This includes the data subject’s right to receive confirmation as to whether or not personal data concerning them is being processed and the right to receive a copy of their personal data undergoing processing from the controller. If the data subject requests further copies, the controller may charge a reasonable fee for their provision, based on administrative costs. If the data subject makes a request through electronic means, the information should be provided in a commonly used electronic form, unless otherwise requested by the data subject.

4 Right to Withdraw Consent

PDPL (Article 9)

Data subjects have the right to withdraw their consent to the processing of their personal data at any time. Once consent is withdrawn, the data controller and processor have a legal obligation to stop the processing of the data subject's data within 72 hours. Additionally, they must delete any and all personal data that has been collected on the data subject until then.

GDPR (Articles 7, 17)

The GDPR grants data subjects the right to withdraw their consent at any time. The GDPR further mandates controllers to inform the data subjects of their right to withdraw consent at the time of obtaining consent, and to make consent withdrawal as easy as providing consent. The withdrawal of consent should not affect the lawfulness of any processing based on consent before its withdrawal. If a data subject withdraws their consent, and such consent forms the sole legal basis of any processing activity, the data subject has the right to obtain from the controller the erasure of their personal data, without undue delay.
5 Right to End Processing

PDPL (Article 8)

The PDPL provides data subjects with the right to request an end to the processing of their personal data and the deletion or destruction of the personal data related to them.

GDPR (Article 17 | Recitals 65, 66)

The GDPR provides data subjects the right to request erasure or deletion of their personal data without undue delay under specific and limited circumstances. The right to erasure applies when personal data is no longer necessary for the purposes it was collected for, where consent is withdrawn by the data subject in the case of consent-based data processing, when the data subject objects to data processing based on legitimate interests, when the data subject objects to data being processed for direct marketing purposes, when data is unlawfully processed, when personal data has to be erased for compliance with a legal obligation, or in the case of processing of data belonging to minors.

6 Right to Object

PDPL (Article 10)

Data subjects are entitled to object to any automated decision-making processes, including profiling, that may significantly impact or have legal consequences for them.

GDPR (Articles 21, 22 | Recitals 69, 70)

The GDPR gives data subjects the right to object to data processing based on certain grounds. Data subjects have the right to object to the processing of their personal data where the processing is based on legitimate interests, public interest, or the consent of the data subject. As a consequence of a valid objection, the data controller must no longer process the data subject’s personal data unless it can demonstrate compelling and legitimate grounds for the processing. These grounds must be sufficiently compelling to override the interests, rights, and freedoms of the data subject.
7 Right to Limit Processing of Data

PDPL (Article 11)

Data subjects have the right to postpone or limit the processing of their personal data in accordance with the purpose of processing.

Once such a request is made, the data controller must honor the request, postpone or restrict the processing of the data subject's data within 72 hours, and inform the data subject of the request being fulfilled.

GDPR (Article 18 | Recital 67)

Data subjects can request a restriction on the processing of their data by a data controller if:
- the data subject contests the accuracy of the personal data
- the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims
- the data subject objects to processing.
8 Right to Data Portability

PDPL (Article 13)

Like most data regulations, the PDPL also provides data subjects the right to obtain a copy of all data collected on them by a data controller or data processor in a commonly used, machine-readable format.

GDPR (Article 20 | Recital 68)

The GDPR defines the right to data portability as the right to receive personal data in a "structured, commonly used, and machine-readable format and to transmit the data to another controller without any hindrance." This right may be exercised only when it is technically feasible to do so.

9 Right to Legal Action

PDPL (Article 12)

Data subjects have the right to initiate legal proceedings against a data controller or data processor and receive fair compensation in case of violation of any of the provisions of the PDPL during the processing of personal data.

GDPR (Article 82 | Recitals 146, 147)

All persons who suffer from any material or non-material damage as a result of an infringement of the GDPR are entitled to receive compensation for such damage from the relevant controller or processor.
Data Protection Impact Assessment

PDPL (Article 34)

Organizations subject to the PDPL must carry out a data protection impact assessment (‘DPIA’) if any of their data processing activities are likely to pose a significant risk to the data subjects. Some high-risk activities include
of the data subjects' rights in any way.

GDPR (Article 35 | Recitals 75, 84, 89, 90, 91, 92, 93)

As per the GDPR, data controllers are required to undertake a data protection impact assessment (‘DPIA’) if their data processing activities are likely to pose a high risk to the rights and freedoms of natural persons.

A DPIA should take into consideration the nature, scope, context, and purposes of the processing and should include:
- an assessment of the risks to the rights and freedoms of the data subject
- the measures envisaged to address these risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data
- a systematic description of the envisaged processing operations and the purposes of processing, including, where applicable, the legitimate interests being pursued by the controller; and
Cross-Border Data Transfers

PDPL (Articles 55, 56)

The PDPL allows for the cross-border transfer of personal data as long as any of the following conditions are met:
- The recipient country has its own regulation equivalent to the Personal Data Protection Law; or
- If such a regulation does not exist, the data controller must ensure that the country has adequate and binding personal data protection measures in place; or
- If such measures are not in place, the data controller must have obtained the permission of the data subject whose data is to be transferred.

GDPR (Articles 44-50 | Recitals 101-116)

The GDPR has an extensive list of provisions that deal with various aspects of cross-border data transfers. Data controllers are required to inform the data subjects of their intention regarding the transfer of data to a third country at the time personal data is collected from the data subject, including information on the existence or absence of an adequacy decision by the Commission, or, in the case of transfers based on appropriate safeguards, the means by which to obtain a copy of them.

As per the GDPR, personal data transfers to a third country or international organization may take place only where an adequate level of protection is ensured (adequacy to be determined by the EU Commission) or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU.
Data Breach Notifications

PDPL (Article 46)

Organizations that suffer a data breach must notify both the affected data subjects and the regulatory body about the breach via a written notice within 72 hours. The breach notification must contain at least the following information:
- The affected data
- How the data was compromised
- Steps being taken to remedy the situation and prevent any similar future incidents.

GDPR (Articles 33-34 | Recitals 85-88)

In case of a data breach that is likely to result in a risk to natural persons’ rights and freedoms, the GDPR requires the affected organization to notify the relevant supervisory authority without undue delay and not later than 72 hours after becoming aware of the breach. The information may also be provided in phases, and a justification must accompany any delay.

Similarly, the affected data subjects must also be informed without undue delay if the data breach poses a high risk to the rights and freedoms of natural persons.
Data Protection Officers

PDPL (Articles 53, 54)

The PDPL requires all organizations to appoint a dedicated data protection officer (DPO) to oversee all aspects of an organization related to data processing, data protection, and data monitoring activities.

The DPO must be hired based on their professionalism, knowledge of the law, personal data protection practices, and ability to fulfill their duties diligently. Additionally, the DPO may be an internal employee or an external contractor.

The DPO's duties include:
- Informing and advising the data controller and processor on how best to comply with the PDPL
- Monitoring and ensuring compliance with the PDPL
- Monitoring the performance of the data controller and processor related to data protection
- Coordinating and acting as a liaison for issues related to data processing.

GDPR (Article 37 | Recital 97)

The GDPR requires all organizations to appoint a data protection officer (DPO) under the following circumstances:
- a public authority is carrying out the data processing activities (except for courts in their judicial capacity)
- core activities of the organization include regular and systematic monitoring on a large scale; or

The controllers or processors must publish the contact details of the DPO and communicate them to the supervisory authority.
Records & Documentation

PDPL (Articles 31, 32)

The PDPL requires organizations to maintain a record of all their personal data processing activities.

Additionally, organizations must provide data subjects with access to the personal data processed on them and information on all processing activities related to their data.

GDPR (Articles 30, 33 | Recitals 13, 42, 82)

Data controllers (and their representatives, where applicable) are required to maintain a record of data processing activities. Organizations that employ fewer than 250 people are exempt from this requirement unless their data processing activities are likely to pose a risk to the rights and freedoms of the data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offenses.
Regulatory Body

PDPL (Articles 58, 59, 60, 61)

The PDPL differs from the GDPR significantly in this particular aspect. There is no central regulatory body in Indonesia to oversee the enforcement of the PDPL. However, the PDPL does require the formulation of such a body that would assume all enforcement-related responsibilities prescribed within the PDPL.

Reporting directly to the President of Indonesia, this body's primary duties will include:
- Establishing personal data protection policies that will provide guidance to data subjects, data controllers and data processors
- Imposing administrative fines for violations of the law by data controllers and data processors
- Assisting law enforcement agencies in handling criminal activities related to personal data
- Cooperation with other international data protection agencies in the context of resolving allegations of cross-border personal data protection violations
- Carrying out assessments to judge the fulfillment of requirements for personal data transfers outside the jurisdiction of Indonesia
- Receive complaints and reports related to potential violations of personal data protection laws
- Conduct inspections and searches on complaints, reports, and/or results of supervision on allegations of potential violations of personal data protection laws;
- responsible personnel from data controllers and data processors alleged to have committed violations of personal data protection
- Conduct inspections and searches of all facilities, spaces, and places used by data controllers and data processors alleged to have committed violations of personal data protection

GDPR (Articles 51-55, 57, 58 | Recitals 117-124, 127-129, 131-133, 137)

The GDPR requires all member states of the EU to have their own public authority to both monitor the implementation of the GDPR within their country and to oversee cooperation with other such bodies in other EU countries as well as the Commission (‘supervisory authority’).

The primary duties and tasks of such supervisory authorities, on their territory, include, but are not limited to:
- Monitoring and enforcement of the GDPR
- Raising public awareness related to the risks, rules, safeguards, and rights concerning data processing
- Providing information to any data subject concerning the exercise of their rights
- Handling complaints lodged by a data subject
- Establishing data protection certification mechanisms and carrying out periodic reviews of these certifications
- Keeping internal records of infringements of the GDPR
- Carrying out investigations in the form of data protection audits
- Obtaining access to all personal data and to all information necessary for the performance of its tasks
- Ordering the data controller or processor to bring processing operations into compliance with the GDPR;

The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

Each supervisory authority is granted certain investigative, corrective, and advisory powers under the GDPR. The exercise of such powers is subject to appropriate safeguards. Each member state of the EU may also confer additional powers on its supervisory authorities.
Securiti has made every attempt to ensure the accuracy and reliability of the information provided in these materials. However, the information is provided “as is” without warranty of any
securiti kind. Securiti does not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained in these materials. Legal counsel 19
should be consulted prior to making any decision in reliance on the information contained in these materials.
Indonesia's PDPL In Comparison With The GDPR
Penalties

PDPL (Article 67, 68, 69, 70, 71, 72, 73)

The PDPL arguably has some of the strictest penalties in place for organizations and personnel within organizations found to be responsible for non-compliance with the law. In addition to regulatory fines, some offenses carry possible jail sentences.

The PDPL prescribes the following penalties for violations and non-compliance:

- Anyone who intentionally and unlawfully obtains, collects and uses personal data belonging to others will be liable to a fine of 5 billion Indonesian rupiahs (approximately $332,000 per offense) and/or a maximum prison sentence of 5 years.
- Intentional and unlawful disclosure of personal data of others will lead to a fine of 4 billion Indonesian rupiahs (approximately $265,000 per offense) and/or a maximum prison sentence of 4 years.
- Any organization that has interfered with the sanctity of the personal data collected to benefit itself or others will face a fine of up to 6 billion Indonesian rupiahs (approximately $400,000 per offense). The person most directly responsible for this will face a prison sentence of up to 6 years.
- The PDPL also imposes administrative sanctions, which can take the form of a fine of 2% of annual revenue or annual receipts, assessed against the violation variable.
- The PDPL also allows for confiscating all profits and assets of an organization found guilty of the above-mentioned violations.

GDPR (Article 83, 84 | Recitals 148-150, 152)

Compared to the PDPL, the GDPR has a more straightforward and uniform approach towards levying fines on organizations that are non-compliant with its provisions. The official text calls on national authorities to adequately assess fines for each specific violation, as these fines must be "effective, proportionate and dissuasive for each individual case."

The member states of the EU are required to prescribe other penalties in relation to infringements of the GDPR, especially those infringements which are not subject to the foregoing administrative fines pursuant to Article 83, and to take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

For severe violations, organizations may face a fine of €20 million or up to 4% of their total annual global turnover for the preceding fiscal year, whichever is higher.

For less severe violations, organizations may face a fine of €10 million or up to 2% of their total annual global turnover for the preceding fiscal year, whichever is higher. The severity of the violation depends on the circumstances of each individual case and the specific type of the infringement under the GDPR.
How Securiti Can Help

Securiti, a market leader in providing enterprise data compliance and governance solutions, offers organizations the chance to comply with all their data-related obligations effectively and efficiently. Thanks to its state-of-the-art artificial intelligence and machine-learning-based algorithms, Securiti can offer organizations various solutions that help their compliance efforts.

Request a demo today and see how Securiti can help your organization comply with the GDPR, PDPL, and any other major data regulation worldwide.