DATA PROTECTION IN INDONESIA

IABF Law Firm (IABF)

In 2022, Law No. 27 of 2022 regarding Personal Data Protection (“PDP Law”) was enacted as the primary law on personal data protection in Indonesia. In addition to the PDP Law, other laws and regulations also govern personal data protection in Indonesia, namely Law No. 11 of 2008 regarding Electronic Information and Transactions (“EIT Law”) as amended by Law No. 19 of 2016 regarding the Amendment of the EIT Law (“EIT Law Amendment”), Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions (“Reg. 71”) and its implementing regulation, Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (the “MOCI Regulation”).

DEFINITIONS

The PDP Law defines Personal Data as: data about an individual who is identified or can be identified, separately or in combination with other information, either directly or indirectly, through electronic or non-electronic systems.

Based on Article 4 of the PDP Law, Personal Data consists of Specific Personal Data and General Personal Data.

Specific Personal Data

Specific Personal Data[1] includes:

  1. health data and information;
  2. biometric data;
  3. genetic data;
  4. crime records;
  5. child data;
  6. personal financial data; and/or
  7. other data in accordance with the provisions of the legislation.

General Personal Data

General Personal Data includes:

  1. full name;
  2. gender;
  3. citizenship;
  4. religion;
  5. marital status; and/or
  6. Personal Data combined to identify a person.

NATIONAL DATA PROTECTION AUTHORITY

Based on Article 58 of the PDP Law, the implementation of Personal Data Protection is carried out by an institution. The institution is determined by the President and is responsible to the President.

Pursuant to Article 59 of the PDP Law, the institution shall carry out:

  1. formulation and determination of Personal Data Protection policies and strategies that serve as guidelines for Personal Data Subject, Personal Data Controller, and Personal Data Processor;
  2. supervision of the implementation of Personal Data Protection;
  3. enforcement of administrative law against violations of PDP Law; and
  4. facilitation of dispute resolution out of court.

Furthermore, based on Article 60 of the PDP Law, the institution has the authority to:

  1. formulate and establish policies in the field of Personal Data Protection;
  2. supervise the compliance of the Personal Data Controller;
  3. impose administrative sanctions for breaches of Personal Data Protection committed by the Personal Data Controller and/or Personal Data Processor;
  4. assist law enforcement officers in handling alleged criminal acts relating to Personal Data as referred to in the PDP Law;
  5. cooperate with the Personal Data Protection institutions of other countries in resolving alleged cross-border Personal Data Protection violations;
  6. assess the fulfillment of the requirements for the transfer of Personal Data outside the jurisdiction of the Republic of Indonesia;
  7. issue orders to the Personal Data Controller and/or Personal Data Processor to follow up on the results of supervision;
  8. publish the results of supervision of Personal Data Protection in accordance with the provisions of legislation;
  9. receive complaints and/or reports regarding alleged breaches of Personal Data Protection;
  10. conduct inspections and searches based on complaints, reports, and/or supervision results indicating a suspected breach of Personal Data Protection;
  11. summon and present any Person and/or Public Agency related to an alleged breach of Personal Data Protection;
  12. request information, data, and documents from any Person and/or Public Agency relevant to an alleged breach of Personal Data Protection;
  13. summon and present the experts necessary for the examination and investigation of alleged breaches of Personal Data Protection;
  14. conduct inspections and searches of electronic systems, facilities, spaces, and/or places used by the Personal Data Controller and/or Personal Data Processor, including obtaining access to data and/or appointing a third party; and
  15. request legal assistance from the prosecutor’s office in resolving Personal Data Protection disputes.

REGISTRATION

There is no registration requirement in Indonesia for data controllers or data processing activities.

However, Indonesian law separately regulates Electronic System Providers, and a Personal Data Controller and/or Personal Data Processor may be categorized as an Electronic System Provider.

Pursuant to Article 2 (2) of Reg. 71 an “Electronic System Provider” is either a:

  1. Public Scope Electronic System Provider; or
  2. Private Scope Electronic System Provider.

“Public Scope Electronic System Provider” includes:

  • the Agency[2]; and
  • an Institution appointed by the Agency.

The term Public Scope Electronic System Provider does not include any regulatory or supervisory authority in the finance sector.

According to Article 2 (5) of Reg. 71, the term “Private Scope Electronic System Provider” includes:

  1. an Electronic System Provider that is regulated or supervised by a Ministry or Agency based on statutory provisions; and
  2. an Electronic System Provider that has a portal, site, or application accessible through the internet that is used to:
    • provide, manage, and/or operate the offering and/or trading of goods and/or services;
    • provide, manage, and/or operate financial transaction services;
    • deliver paid digital material or content through data networks, whether by download through a portal or site, delivery via electronic mail, or through another application to the user’s device;
    • provide, manage, and/or operate communication services, including but not limited to short messages, voice calls, video calls, electronic mail, and online conversations in the form of digital platforms, networking services and social media;
    • provide search engine services or Electronic Information in the form of text, sound, pictures, animation, music, video, films, and games, or a combination of some and/or all of them; and/or
    • process Personal Data for community service operations related to Electronic Transaction activities.

Article 6 of Reg. 71 obliges both Public Scope Electronic System Providers and Private Scope Electronic System Providers to register. Registration is submitted through the electronically integrated business licensing service in accordance with statutory provisions and must be completed before the Electronic System is used by Electronic System Users.

Therefore, if a Personal Data Controller or Personal Data Processor falls into the Electronic System Provider category, it must register as an Electronic System Provider.

DATA PROTECTION OFFICERS

Personal Data Controllers and Personal Data Processors are required to appoint officials or officers who carry out the Personal Data Protection function in the event that:

  1. Personal Data is processed for the purpose of public services;
  2. the core activities of the Personal Data Controller have a nature, scope, and/or purpose that requires regular and systematic monitoring of Personal Data on a large scale; and
  3. the core activities of the Personal Data Controller consist of large-scale processing of Specific Personal Data and/or Personal Data related to criminal acts.

Pursuant to Article 53 (2) of the PDP Law, the official or officer who performs the Personal Data Protection function is appointed on the basis of professionalism, knowledge of the law, Personal Data Protection practice, and the ability to fulfill their duties. Moreover, Article 53 (3) states that the official or officer who performs the Personal Data Protection function may come from within and/or outside the Personal Data Controller or Personal Data Processor.

The official or officer who performs the Personal Data Protection function has at least the following duties:[3]

  1. inform and provide advice to the Personal Data Controller or Personal Data Processor in order to comply with the provisions of PDP Law;
  2. monitor and ensure compliance with the PDP Law and the policies of the Personal Data Controller or Personal Data Processor;
  3. provide advice on assessing the impact of Personal Data Protection and monitoring the performance of Personal Data Controller and Personal Data Processor; and
  4. coordinate and act as a liaison for issues related to the processing of Personal Data.

COLLECTION & PROCESSING

Based on Article 16 (1) of the PDP Law, the processing of Personal Data includes:

  1. obtainment and collection;
  2. processing and analyzing;
  3. storing;
  4. correction and updates;
  5. displaying, announcing, transferring, distributing or disclosure; and/or
  6. deletion or removal.

To process Personal Data, based on Article 20 of the PDP Law, the Personal Data Controller must have one of the following legal bases:

  1. the explicit and valid consent of the Personal Data Subject for 1 (one) or several specific purposes that have been communicated by the Personal Data Controller to the Personal Data Subject (Note: consent to Personal Data processing is given in written or recorded form);
  2. fulfillment of agreement obligations in the event that the Personal Data Subject is a party or to fulfill the request of the Personal Data Subject at the time of entering into the agreement;
  3. fulfillment of the legal obligations of the Personal Data Controller in accordance with the provisions of laws and regulations;
  4. fulfillment of the protection of the vital interests of the Personal Data Subject;
  5. carrying out tasks in the context of public interest, public services, or exercising the authority of the Personal Data Controller based on the laws and regulations; and/or
  6. fulfillment of other legitimate interests by taking into account the objectives, needs, and balance of interests of the Personal Data Controller and the rights of the Personal Data Subject.

The processing of Personal Data shall comply with the principles of Personal Data Protection, which include:[4]

  1. Personal Data is collected in a limited and specific manner, lawfully, and transparently;
  2. Personal Data is processed in accordance with its purpose;
  3. Personal Data is processed in a manner that secures the rights of the Personal Data Subject;
  4. Personal Data is processed accurately, completely, in a non-misleading manner, kept up to date, and is accountable;
  5. Personal Data is processed while protecting its security from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or loss;
  6. Personal Data is processed with notification of the purpose and processing activities, as well as of any failure of Personal Data protection;
  7. Personal Data is destroyed and/or deleted after the retention period ends or at the request of the Personal Data Subject, unless otherwise stipulated by laws and regulations; and
  8. Personal Data is processed responsibly and in a manner that can be clearly demonstrated.

TRANSFER

Article 21 (1) of the MOCI Regulation states that displaying, announcing, transferring, disseminating, and/or opening access to Personal Data in an Electronic System may only be conducted:

  • with Consent (defined as a written statement, given manually and/or electronically by the owner of the Personal Data after receiving a full explanation of the acquisition, collection, processing, analysis, storage, display, announcement, sending, and dissemination of the Personal Data, including its confidentiality or non-confidentiality), unless otherwise stipulated by laws and regulations; and
  • after its accuracy and compatibility with the purpose of obtaining and collecting such Personal Data have been verified.

Transfer of Personal Data within the Jurisdiction of the Republic of Indonesia

Based on Article 55 of the PDP Law, a Personal Data Controller may transfer Personal Data to another Personal Data Controller within Indonesia. Both Personal Data Controllers (the transferring and the receiving one) must carry out Personal Data Protection as provided under the PDP Law.

Transfer of Personal Data outside the Jurisdiction of the Republic of Indonesia

When transferring Personal Data outside the jurisdiction of the Republic of Indonesia, pursuant to Article 56 (2) of the PDP Law, the Personal Data Controller must ensure that the country of domicile of the Personal Data Controller and/or Personal Data Processor receiving the Personal Data has a level of Personal Data Protection equal to or higher than that provided under the PDP Law.

If the requirement of Article 56 (2) of the PDP Law (as mentioned above) cannot be met, then based on Article 56 (3) the Personal Data Controller must ensure that adequate and binding Personal Data Protection is in place. If neither Article 56 (2) nor Article 56 (3) of the PDP Law can be satisfied, the Personal Data Controller must obtain the written consent of the Personal Data Subject.

BREACH NOTIFICATION

According to Article 46 (1) to (3) of the PDP Law, in the event of a failure of Personal Data Protection, the Personal Data Controller is obliged to deliver a written notification no later than 3 x 24 hours to:

  • the Personal Data Subject; and
  • the institution (referred to under National Data Protection Authority above).

The written notification must contain at least:

  • the Personal Data that was disclosed;
  • when and how the Personal Data was disclosed; and
  • the Personal Data Controller’s efforts to handle and recover from the disclosure of the Personal Data.

In certain cases, the Personal Data Controller is also obliged to notify the public of the failure of Personal Data Protection. According to the elucidation of Article 46 (3) of the PDP Law, “in certain cases” means, among others, where the failure of Personal Data Protection disrupts public services and/or has a serious impact on the public interest.

ENFORCEMENT

The PDP Law provides for administrative sanctions and criminal penalties. The administrative sanctions take the form of:

  • written warning;
  • temporary cessation of Personal Data processing activities;
  • deletion or destruction of Personal Data; and/or
  • administrative fines.

Moreover, the PDP Law provides the following criminal penalties:

  • a maximum fine of Rp. 5,000,000,000 and/or imprisonment for a maximum of 5 years for unlawfully collecting Personal Data;
  • a maximum fine of Rp. 4,000,000,000 and/or imprisonment for a maximum of 4 years for unlawfully disclosing Personal Data that does not belong to the offender;
  • a maximum fine of Rp. 5,000,000,000 and/or imprisonment for a maximum of 5 years for unlawfully using Personal Data that does not belong to the offender;
  • a maximum fine of Rp. 6,000,000,000 and/or imprisonment for a maximum of 6 years for creating false Personal Data or falsifying Personal Data with the intention of benefiting oneself or another person, where this may cause loss to other persons.

In addition to the criminal penalties described above, additional sentences may be imposed in the form of confiscation of the profits and/or assets or proceeds obtained from the criminal act, and payment of compensation.


JANUARY 2023


[1] Specific Personal Data is Personal Data which, if processed, can have a greater impact on the Personal Data Subject, including acts of discrimination and greater loss to the Personal Data Subject.

[2] Defined as legislative, executive and judicial agencies at the central and regional levels, and other agencies established by law.

[3] Article 54 (1) of PDP Law.

[4] Article 16 (2) of PDP Law.
