
Personal Data Protection Law

Bimo Harimahesa & Adhika Wiyoso | May 2023


Overview

What is Personal Data? Why is it important to protect Personal Data?

Examples of personal data:

◼ Name, Surname
◼ IP Address
◼ Login and Password
◼ Social Profile
◼ Address
◼ Cookies
◼ Information About Work and Education
◼ Phone Number and Email
◼ Healthcare Data
◼ Genetic Data
◼ Car Number Plate
◼ Financial Information
◼ Racial and Ethnic Origin
◼ Geolocation
◼ Mobile Devices
◼ Political Views
◼ Passport


Pre-PDP Law: Main Legal Basis

Relevant Laws and Regulations prior to the PDP Law:

◼ Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016
◼ Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions
◼ Minister of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems
New PDP Law – Status, Applicability, Coverage

Law No. 27 of 2022 on Personal Data Protection

Status and Applicability

◼ Enacted on 17 October 2022
◼ 2-year transitional period – adjustment, implementing regulations preparation, DPA establishment
◼ Transitional period – for all provisions, or excluding prohibitions and criminal sanctions?

Coverage

◼ Indonesian individuals, entities, public institutions.
◼ International organizations and offshore parties with effect in Indonesia or on Indonesian citizens abroad.
◼ Exclusion: data processing within private or household space – to what extent?
Types of Personal Data

Specific Personal Data vs General Personal Data


◼ Specific personal data - health data, biometric data, crime records, child data,
personal financial data
◼ General personal data - full name, gender, citizenship, religion and other information
◼ Level of risk and impact toward data subject

Processing of Specific Personal Data


◼ Triggers additional requirements, but no special treatment of processing (yet?)
◼ Appointment of Data Protection Officer
◼ Data Protection Impact Assessment - if processing has high risk potential to data
subject
Data Controller vs Data Processor

Responsibility

Data controller - determines purpose of data processing

Data processor – processes personal data on behalf of data controller

Data controller is responsible for the personal data processing performed by data
processors
Data Controller vs Data Processor

Data Controller Obligation

◼ Responsibility over data processor's processing activities.
◼ Obtainment of lawful basis for processing personal data.
◼ Providing relevant information on the data processing activity to the data subject, particularly the following material information ("Information"):

01 Legality of data processing
02 Purpose of data processing
03 Type and relevance of personal data to be processed
04 Retention period
05 Details regarding information collected
06 Period of data processing
07 Rights of data subject

Material update – prior notification is necessary for any change to the above Information.
Lawful Basis

Bases of Processing Personal Data:

◼ Explicit valid consent
◼ Protection of vital interest, e.g., serious medical treatment
◼ Fulfillment of contractual obligations, e.g., collection of necessary data to provide service to customers (e.g., home address, purchase history, contact information)
◼ Carrying out duties in the context of public interest or public services
◼ Fulfillment of legal obligations of the data controller, e.g., disclosing personal data to an authority due to a legal compliance requirement
◼ Fulfillment of other legitimate interest, e.g., use or sharing of personal data in case of an emergency or a data breach incident
Data Subject Right

Some of the Data Subject Rights

◼ Right to access
◼ Right to update or correct information
◼ Right to deletion
◼ Right to withdraw consent
◼ Right to object to automated decision making (i.e., profiling)

Data Controller Responsibility

◼ To fulfill the request in a timely manner, e.g., right to access and right to update must be fulfilled within 3 days
◼ Data controller can be exempted from fulfilling certain data subject requests in the interest of government supervision (e.g., law enforcement, public interest, defense and security)
Transfer of Personal Data

Offshore transfer can be conducted if any of the following is fulfilled:

◼ Ensure that the receiving nation of the personal data has a similar or higher level of personal data protection
◼ Ensure adequate and binding personal data protection
◼ There is consent from the data subject


Other Notable Provision

Announcement on Certain Corporate Actions

◼ Data controller must provide notification to data subject on the transfer of personal data in the
event of a merger, spin-off, acquisition, consolidation or dissolution
◼ Notification is given twice (before and after the corporate action)
◼ Notification can be given to data subject personally or through mass media (e.g., newspaper
announcement)

Data Protection Authority

◼ Government may determine new agency to supervise the data protection sector
◼ The agency has broad duties and authorities including determining further policies/guidelines,
receiving complaints/reports, requesting data/information and imposing administrative
sanctions
Other Notable Provision

Data Breach Incident Notification

◼ Data Breach must be notified within 3 days to the data subject and the "data protection
authority"
◼ Scope of notification:
◼ the breached personal data
◼ when and how the personal data is breached
◼ efforts to handle and recover the breach incident
Sanctions

Administrative Sanctions

◼ Violation of data privacy related requirements/compliance
◼ Warning letters, suspension, deletion of personal data and/or administrative fine
◼ The administrative fine is at maximum 2% of the annual income/revenue depending on the violation variable (the variable/formula to determine the fine has not been determined in the PDP Law)

Criminal Sanctions

◼ Can be applied to the following crimes: unlawful collection of personal data, unlawful disclosure of personal data, or unlawful use of personal data
◼ Monetary penalty of IDR 4-6 billion and/or imprisonment of 4-6 years depending on the crime
◼ Extra sanctions may be imposed if the crime is committed by an entity, including: the monetary penalty may be increased to at maximum 10 times the above amount, payment of compensation, revocation of license and/or dissolution of the entity
Data Privacy in Practice

What you need to know and be concerned about

◼ Public awareness + legal process in Indonesia


◼ Privacy policy – read it, know what they do with your data
◼ Cookies?
◼ Unauthorized use of personal data – consider technology development, something to be
concerned with
◼ Data breach cases
Questions
Hadiputranto, Hadinoto & Partners is a member firm of Baker & McKenzie International, a global law firm with member
law firms around the world. In accordance with the common terminology used in professional service organizations,
reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an
"office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some
jurisdictions. Prior results do not guarantee a similar outcome.
© 2022 HHP Law Firm

hhp.co.id
