Professional Documents
Culture Documents
Information
Phone Number
Healthcare Data Genetic Data About Work
and Email
and Education
Responsibility
Data controller is responsible for the personal data processing performed by data
processors
Data Controller vs Data Processor
Data Controller Obligation
Providing relevant information on data processing activity to data subject, particularly the following
material information ("Information"):
Material update - prior notification is necessary for the change on the above Information.
Lawful Basis
Ensure that the receiving nation of the personal data has similar or higher level of
personal data protection
◼ Data controller must provide notification to data subject on the transfer of personal data in the
event of a merger, spin-off, acquisition, consolidation or dissolution
◼ Notification is given twice (before and after the corporate action)
◼ Notification can be given to data subject personally or through mass media (e.g., newspaper
announcement)
◼ Government may determine new agency to supervise the data protection sector
◼ The agency has broad duties and authorities including determining further policies/guidelines,
receiving complaints/reports, requesting data/information and imposing administrative
sanctions
Other Notable Provision
◼ Data Breach must be notified within 3 days to the data subject and the "data protection
authority"
◼ Scope of notification:
◼ the breached personal data
◼ when and how the personal data is breached
◼ efforts to handle and recover the breach incident
Sanctions
◼ Violation to data privacy related ◼ It can be applied to the following crimes: unlawful
requirements/compliances collection of personal data, unlawful disclosure of
personal data, or unlawful use of personal data
◼ Warning letters, suspension, deletion of personal data
and/or administrative fine ◼ Monetary penalty of IDR4-6 billion and/or
imprisonment of 4-6 years depending on the crime
◼ The administrative fine is at maximum 2% of the
annual income/revenue depending on the violation ◼ Extra sanctions may be imposed if the crime is
variable (the variable/formula to determine the fine conducted by entity, including, monetary penalty may
has not been determined in the PDP Law) be increased at maximum 10 times of the above
amount, payment compensation, revocation of
license and/or dissolution of the entity
Data Privacy in Practice
hhp.co.id