Indonesia’s New Personal Data Protection Law

SSEK Law Firm

Indonesia, September 30, 2022
Indonesia’s Personal Data Protection (PDP) Bill, which was first discussed in 2012, was
at last passed by the House of Representatives on September 20, 2022. The PDP Bill will
become the PDP Law once it is ratified by President Joko Widodo. If the President does
not sign the bill into law, it will automatically become law 30 days after the bill’s
approval date.
Prior to the PDP Law, personal data protection in Indonesia was regulated under
Minister of Communication and Informatics Regulation No. 20 of 2016 regarding
Personal Data Protection in Electronic Systems, dated December 1, 2016 (“MOCI
Regulation 20/2016”), and Government Regulation No. 71 of 2019 regarding
Implementation of Electronic Systems and Transactions, dated October 10, 2019 (“GR
71/2019”).
The scope of these regulations was limited to personal data protection in electronic
systems. The PDP Law will be the first comprehensive law in Indonesia to govern
personal data protection in both electronic systems and non-electronic systems.
This legal alert highlights key provisions of the PDP Law that organizations should note,
in particular as they prepare to comply with the PDP Law during the transition period. For
clarity, we refer to the newly approved PDP Bill as the PDP Law here.
A. Scope of the PDP Law
Article 2 of the PDP Law provides that the law shall apply to any person (the definition of
“person” in the PDP Law includes individuals and corporations), public agency, and
international organization that carries out legal actions in Indonesia. It further provides
that the law applies to any person that carries out legal actions outside of the
Indonesian jurisdiction if these actions have legal consequences in the Indonesian
jurisdiction and/or for Indonesian Data Subjects residing outside of Indonesia.
This means that any offshore entity that processes Personal Data in any of the above-
mentioned manners will also be subject to the PDP Law.
The PDP Law shall not be applicable to the processing of Personal Data by individuals
for the purpose of personal or household activities.
Further exemptions apply for the processing of Personal Data for the following
purposes, in the context of implementing the provisions of law:

1. national defense and security interests;

2. law enforcement interests;

3. public interest in the context of state administration; or

4. in the interest of the supervision of the financial services sector, and monetary,
payment system, and financial system stability carried out in the context of state
administration.

The PDP Law does not provide any further explanation regarding the above exemptions.
B. Definition and Types of Personal Data
The PDP Law defines Personal Data as any data concerning a person, whether identified
or who may be identified independently or combined with other information, either
directly or indirectly, through an electronic or non-electronic system. The individuals to
whom Personal Data is attached are referred to as Data Subjects.
Personal Data is further classified into two types:
1. General Personal Data, which consists of full name, gender, citizenship, religion,
marital status, and/or Personal Data which is combined to identify a person (e.g.,
phone number and IP address). The previous draft of the PDP Bill only referred to
General Personal Data as any data not classified as Specific Personal Data. So, the
PDP Law provides a more specific definition of General Personal Data.
2. Specific Personal Data, which consists of health data and information, biometric
data, genetic data, criminal records, children’s data, personal financial data, and/or
any data in accordance with the provisions of the prevailing laws and regulations. In
the elucidation of the PDP Law, Specific Personal Data is further defined as
Personal Data the processing of which may have a significant impact on the Data
Subject, including acts of discrimination.
Compared to the earlier drafts of the PDP Bill, the PDP Law simplifies the scope of
Specific Personal Data. Previously, information regarding religion/faith, sexual
orientation and/or activity, political views, and physical and/or mental disability was also
included under Specific Personal Data. In the PDP Law, information on religion is now
considered General Personal Data, and information regarding sexual orientation and/or
activity and political views has been completely removed. Information on physical
and/or mental disability is included in “health data and information” as Specific Personal
Data.
Aside from the classification of Personal Data, the PDP Law requires special procedures
for the processing of Personal Data in certain cases. For example, processing the
Personal Data of children and persons with disabilities requires, inter alia, the party
processing the personal data to obtain the consent of the Data Subjects’ parent (for
children) and/or legal guardian.
C. Personal Data Controller and Personal Data Processor
The PDP Law introduces to Indonesia express provisions and definitions for Personal
Data Controller and Personal Data Processor. There is no reference to Personal Data
Controller and Personal Data Processor in MOCI Reg. 20/2016, while GR 71/2019 briefly
mentions Personal Data Processor without further explanation of the term. We note that
prior to the PDP Law, the terms “Controller” and “Processor” were commonly understood
in practice by the relevant government officials when it came to the obligations of
business actors.
Personal Data Controller is defined in the PDP Law as any person, public body or
international organization acting individually or jointly in determining the objectives and
exercising control over the processing of Personal Data (“Controller”). And Personal
Data Processor refers to any person, public body or international organization acting
individually or jointly to process Personal Data on behalf of a Personal Data Controller
(“Processor”).
Further, since the Processor cannot determine the objectives and exercise control over
the processing of Personal Data by itself, a Processor can only process Personal Data
after being appointed by a Controller, on behalf of the Controller.
The rights and obligations under the PDP Law that parties must comply with are subject
to the respective role played by the party in processing Personal Data. As the party that
determines the objective of processing, the obligations of the Controller are significantly
greater than those of the Processor. For example, a Controller is responsible for the
processing of Personal Data and must demonstrate accountability in fulfilling its
obligations to implement the principles of Personal Data Protection at all times,
including when the processing is carried out by a Processor.
However, if the Processor conducts Personal Data processing beyond the orders and
purposes set by the Controller, the responsibility for the Personal Data processing shall
shift to the Processor.
D. Rights and Obligations of Data Subjects, Controllers and Processors
1. Rights of Data Subjects
The rights of Data Subjects are set out under Article 5 to Article 14 of the PDP Law. Data
Subjects are entitled to clear information on the identity of the party requesting their
Personal Data, on why it is being requested and how it will be used, and on the
accountability of the parties requesting the Personal Data. They can also request that
any Personal Data that is incorrect and/or inaccurate be rectified and/or updated.
One of the highlights of the PDP Law is that Data Subjects are allowed to withdraw the
consent for the processing of their Personal Data that they have granted to the Personal
Data Controller, and are also entitled to have the processing of their Personal Data
ceased and/or limited and to have their Personal Data deleted and/or destroyed. Data
Subjects can request to withdraw their consent by submitting a recorded request,
delivered either electronically or non-electronically, to the Personal Data Controller.
The PDP Law does not set out the obligations of Data Subjects.
2. Obligations of Controllers
The PDP Law does not set out the rights of Controllers. The obligations of Controllers
are set out under Article 20 to Article 49 of the PDP Law.
In certain cases, Article 50 of the PDP Law exempts Controllers from their obligations.
These exemptions relate to national security, law enforcement, public interest, and
supervision in the financial sector.
Aside from such exemptions, certain rights of Data Subjects can be refused by
Controllers in certain circumstances. For example, Article 33 of the PDP Law provides
that Controllers can refuse the request of a Data Subject to change its personal data and
Article 44 of the PDP Law provides that a Controller may still process personal data even
if the Data Subject has requested the Controller to postpone and/or restrict the data
processing, subject to the fulfillment of certain conditions.
3. Obligations of Processors
As with Controllers, the PDP Law only sets out the obligations of Processors, not their
rights. The obligations of Processors are set out under Article 51 and Article 52 of the
PDP Law, with Article 52 emphasizing that certain obligations applicable to Controllers
are also applicable to Processors. These obligations include (i) ensuring the accuracy,
completeness, and consistency of Personal Data in accordance with the provisions of
laws and regulations; (ii) maintaining a record of all Personal Data processing activities;
and (iii) protecting and ensuring the security of processed Personal Data.
E. Basis for Personal Data Processing
Article 20 of the PDP Law specifies the basis for Personal Data Processing by
Controllers, as follows:

1. Consent: An explicit consent must be obtained from the Data Subject. Such
consent shall relate to one or more purposes which have been explained to the
Data Subject;

2. Contract: Fulfilment of contractual obligations to which the Data Subject is a
party, or to fulfil the request of the Data Subject at the time of entering into an
agreement;

3. Legal Obligation: Fulfillment of the legal obligations of the Controller in
accordance with the applicable laws;

4. Vital Interest: Protection of the Data Subject’s vital interests;

5. Public Task: Implementation of tasks in the context of public interest, public
services, or the implementation of the authority of the Data Controller in
accordance with the applicable laws; and/or

6. Legitimate Interest: Fulfillment of other legitimate interests which shall be carried
out by balancing the Data Controller’s interests and the Data Subject’s rights.

F. Data Protection Impact Assessment
The PDP Law requires a Data Controller to carry out a Data Protection Impact
Assessment (“DPIA”) if the Personal Data processing carries a high potential risk for the
Data Subject. Under Article 34 of the PDP Law, Personal Data processing with a high
potential risk includes:

1. automatic decision-making that has legal consequences for or a significant
impact on the Data Subject;

2. processing of Specific Personal Data;

3. processing of Personal Data on a large scale;

4. processing of Personal Data for the systematic evaluation, scoring or monitoring
of Data Subjects;

5. processing of Personal Data for matching or combining a group of data;

6. the use of new technologies in the processing of Personal Data; and/or

7. processing of Personal Data that limits the exercise of the rights of the Data
Subject.

Further provisions on the DPIA are expected to be issued in a Government Regulation.
G. Appointment of Data Protection Officer
If any of the following conditions under Article 53 of the PDP Law are met, a Controller
and Processor are required to appoint a Data Protection Officer (“DPO”):
1. Processing of Personal Data for the interest of public services;

2. The nature, scope, and/or objective of the Data Controller's main activities require
regular and systematic monitoring of large-scale Personal Data; or

3. The Data Controller’s main activities involve the processing of Specific Personal
Data on a large scale and/or Personal Data relating to criminal acts.

A DPO shall carry out the function of Personal Data Protection and can be an existing
employee of the Controller or Processor or recruited externally. The DPO must have the
necessary professionalism, legal knowledge, and Personal Data Protection experience to
fulfill their duties. The functions of a DPO are to be further regulated under a
Government Regulation.
H. PDP Institution
Article 58 of the PDP Law provides that an Institution shall be created by and directly
responsible to the President to oversee the implementation of Personal Data Protection
practices.
The authorities of the Institution are further specified in Article 59 of the PDP Law, as
follows:

1. formulate and stipulate policies and strategies on Personal Data Protection to
serve as guidance for Data Subjects, Personal Data Controllers, and Personal
Data Processors;

2. supervise the implementation of Personal Data Protection;

3. enforce administrative law for violations of the PDP Law; and

4. facilitate the resolution of Personal Data Protection disputes outside of court.

It is understood that the Institution shall be the supervisory authority with respect to the
implementation of Personal Data Protection and will further play a role in facilitating the
resolution of disputes outside of court, as mentioned in item (4) above (letter (d) of
Article 59). Based on the elucidation thereto, "facilitation of dispute resolution outside
of court" is meant as the provision of dispute resolution facilities through procedures
agreed upon by the parties, namely settlement out of court by means of consultation,
arbitration, negotiation, mediation, conciliation, or expert judgment in accordance with
the provisions of laws and regulations.
Further provisions regarding the implementation of Personal Data Protection by the
Institution shall be provided in a Presidential Regulation. And the procedures for
implementing the authority of the Institution are to be stipulated in a Government
Regulation.
I. Cross-Border Transfer of Personal Data
A Controller is allowed to transfer Personal Data to another Controller within the
jurisdiction of Indonesia. The PDP Law further allows the cross-border transfer of
Personal Data from a Controller to a Controller and/or Processor outside the jurisdiction
of Indonesia if:

1. the recipient’s country has an adequate or higher level of Personal Data
protection than that stipulated in the PDP Law;

2. there exists an adequate level of binding Personal Data protection; or

3. the consent of the Data Subject for the cross-border data transfer has been
obtained.

Please note that the fulfilment of the above conditions shall be in sequence, meaning, in
the event condition (1) is not fulfilled, then the Controller shall move to the fulfillment of
condition (2), and only if both (1) and (2) are not fulfilled can the Controller move to the
fulfillment of condition (3). It is implied that if condition (1) is already fulfilled, there is no
need for the Controller to fulfill conditions (2) or (3).
The implementation of cross-border data transfer is to be further regulated by a
Government Regulation.
J. Notification Requirements
The following notification requirements must be fulfilled as applicable:
a. Notification in light of the failure of Personal Data Protection (Article 46 of the PDP
Law)
Controllers that fail to protect Personal Data are required to submit written notification
no later than 3 x 24 hours to the Data Subject and Institution. This notification shall at
least contain: (i) the disclosed Personal Data; (ii) when and how the Personal Data was
disclosed; and (iii) efforts to handle and recover the disclosed Personal Data by the
Personal Data Controller.
In the elucidation of Article 46 of the PDP Law, “failure of Personal Data Protection” is
further elaborated as a failure to protect a person's Personal Data in terms of the
confidentiality, integrity, and availability of the Personal Data, including violations of
security, whether intentional or unintentional, leading to the destruction, loss, alteration,
disclosure, or unauthorized access to Personal Data transferred, stored, or processed.
In certain cases, the Personal Data Controller shall be obliged to notify the public of the
failure of Personal Data Protection. For example, notification is required if the failure of
Personal Data Protection interferes with public services and/or has a serious impact on
the public interest.
b. Notification in light of certain corporate actions (Article 48 of the PDP Law)
If a Controller is a legal entity that performs a merger, separation, acquisition,
consolidation, or dissolution of a legal entity, it is required to submit a notification of the
transfer of Personal Data to the Data Subject. The notification must be submitted prior
to the aforementioned corporate actions. Further provisions regarding the procedures to
deliver a notification shall be regulated in a Government Regulation.
Additionally, the elucidation of Article 48 provides an explanation of “notification,” which
is a notification to the Data Subject or notification in general through the mass media,
either by electronic or non-electronic means.
K. Sanctions and Prohibitions
The PDP Law provides the following prohibitions and sanctions in relation to violations
of the law:
1. Prohibitions on the Use of Personal Data
Express prohibitions on the use of personal data are regulated under Article 65 and
Article 66 of the PDP Law as follows:

1. Every Person is prohibited from unlawfully obtaining or collecting Personal Data
that does not belong to such Person with the intention of benefiting themselves
or another person which may result in the loss for the Data Subject. Violation of
this is subject to maximum imprisonment of five years and/or a maximum fine of
Rp5 billion.

2. Every Person is prohibited from unlawfully disclosing Personal Data that does not
belong to themselves. Violation of this is subject to maximum imprisonment of
four years and/or a maximum fine of Rp4 billion.

3. Every Person is prohibited from using Personal Data that does not belong to such
Person in a manner that contravenes the law. Violation of this is subject to
maximum imprisonment of five years and/or a maximum fine of Rp5 billion.

4. Every Person is prohibited from creating false Personal Data or fake Personal
Data with the intention of benefiting themselves or other persons that may cause
harm to other persons. Violation of this is subject to maximum imprisonment of
six years and/or a maximum fine of Rp6 billion.

Additional penalties may also be imposed in the form of confiscation of profits and/or
assets obtained or proceeds from criminal acts and indemnity payment.
2. Administrative Sanctions
Violations of certain articles in the PDP Law are subject to administrative sanctions
under Article 57 of the PDP Law. These administrative sanctions, which shall be
imposed by the Institution, are as follows:

1. written warning;

2. temporary suspension of Personal Data processing activities;

3. deletion or destruction of Personal Data; and/or

4. administrative fines.

With regard to administrative fines, the PDP Law stipulates that the maximum fine is 2%
of the concerned party’s annual income or revenue. Further provisions on administrative
sanctions and the procedures for the imposition of administrative fines will be provided
in Government Regulations.
3. Criminal Sanctions
If the criminal act as referred to in Article 67 and Article 68 of the PDP Law is committed
by a corporate entity, the PDP Law stipulates that criminal sanctions will be imposed
only in the form of criminal fines. These fines will be imposed on the management,
controller, instructor, beneficial owner, and/or the corporation itself. The fines for
corporate entities can be up to 10 times the maximum fines for individuals.
Additional criminal sanctions may be imposed on corporate entities, including (a)
confiscation of profits and/or assets obtained or proceeds from criminal acts; (b)
suspension of all or part of the business of the corporation; (c) permanent prohibition on
certain activities; (d) closure of all or part of the business premises and/or activities of
the corporation; (e) fulfillment of the neglected obligation; (f) payment of compensation;
(g) revocation of licenses; and/or (h) dissolution of the corporation.
L. Transition Period
Pursuant to the PDP Law, Controllers, Processors, and other relevant parties who
process Personal Data have two years to comply with the provisions of the PDP Law.
Once the transition period has elapsed, organizations must comply with all the
provisions of the PDP Law. In ensuring compliance with the law, organizations must at
least do the following:

- ensure that all processing of Personal Data has a lawful basis;

- verify the accuracy, completeness and consistency of Personal Data;

- keep records on all activities relating to Personal Data processing;

- comply with the requests of Data Subjects with respect to their Personal Data
(this is unless there are circumstances under which the rights of the Data Subject
and/or the obligations of the Data Controller are exempted);

- carry out a DPIA before performing high-risk Personal Data processing;

- prepare and implement adequate technical operational guidelines for the security
of Personal Data;

- oversee the processing of Personal Data by other parties that are controlled by
the organization;

- appoint a DPO if the conditions are met;

- notify the Data Subject and the Institution in the event of the failure to protect
Personal Data. Such notification must be provided at the latest 3 x 24 hours from
when the organization is aware of the failure;

- notify the Data Subject in the event of a corporate action (merger, spin-off,
acquisition, consolidation, or dissolution); and

- comply with orders from the relevant authorities.
https://www.lexology.com/library/detail.aspx?g=31320d3a-2e25-4a03-97e3-f58f641c8e3c