Q1: What is the legislative and technology framework for governing personal information ("PI") in your jurisdiction? Does your jurisdiction have a dedicated data protection law?

A: Indonesia has a specific regulation governing PI, namely Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), which applies to personal data processing activities in electronic systems. Additionally, sector-specific regulations issued by the Financial Services Authority (Otoritas Jasa Keuangan or "OJK") apply to certain sectors such as financial services. Prior to the issuance of PDP Law, PI protection was stipulated under the following laws and regulations:

  1. Law No. 11 of 2008 on Electronic Information and Transactions, as lastly amended by Law No. 19 of 2016 ("EIT Law");
  2. Government Regulation No. 71 of 2019 on Implementation of Electronic Systems and Transactions ("GR 71/2019"); and
  3. Ministry of Communication and Informatics ("MoCI") Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ("MoCIR 20/2016").

These regulations do not provide the comprehensive guidelines and provisions on PI protection that PDP Law does. EIT Law and its implementing regulations do not sufficiently govern all aspects of personal data protection, such as the concepts of personal data controller and processor and their obligations, the data subject, and an independent supervisory authority, as the European General Data Protection Regulation ("EU GDPR") does.

In addition to PDP Law, the Indonesian government is drafting a government regulation on personal data protection, which will become the implementing regulation of PDP Law. The regulation will further stipulate the implementing guidelines of PDP Law, including those on personal data and data transfers, as well as other relevant provisions on the authority of the personal data protection institution.

Specifically for the financial services sector, OJK has issued the following regulations on mandatory PI protection:

  1. OJK Regulation No. 6/POJK.07/2022 on Consumers and Public Protection in the Financial Services Sector;
  2. OJK Circular Letter No. 14/SEOJK.07/2014 on Secrecy and Data Security and/or Customer Personal Information; and
  3. OJK Regulation No. 11/POJK.03/2022 on Implementation of Information Technology in Public Banks.

OJK regulations are only applicable to businesses licensed by OJK, such as banks, insurance companies, fintech operators, financing institutions, and other financial services operators.

Q2: How is PI classified? Are there specific / additional regulations governing the processing of special or certain categories of personal information?

A: Under PDP Law, PI is classified into the following categories:

  1. General personal data consists of complete/full name, gender, nationality, religion, marital status, and/or combined personal data to identify an individual; and
  2. Specific personal data consists of a person's health data, biometric data, genetics data, criminal record, children's data, personal financial data, and/or other data in accordance with the laws and regulations.

Specific personal data such as personal health and financial data are further governed by government agencies such as the Ministry of Health (Menteri Kesehatan or "MoH"), OJK, Bank Indonesia ("BI"), the Ministry of Trade (Menteri Perdagangan or "MoT"), and other governmental offices. These government agencies further stipulate the applicable provisions on PI protection under:

  1. MoCIR 20/2016;
  2. MoH Regulation No. 24 of 2022 on Medical Records;
  3. OJK Regulation No. 13 of 2018 on Digital Financial Innovation in the Financial Services Sector;
  4. OJK Regulation No. 10/POJK.05/2022 on Information Technology-Based Collective Financing Services;
  5. BI Regulation No. 22/23/PBI/2020 on Payment Systems; and
  6. MoT Regulation No. 31 of 2023 on Business Licensing, Advertising, and Guidance and Supervision for Business Actors in Trade via Electronic Systems.

These authorities govern PI in their respective regulations, which define PI in a similar manner to PDP Law. In principle, the authorities governing PI under other related data protection regulations may establish more stringent provisions on specific types of data processing within their sectors, provided they do not contradict those outlined in PDP Law.

Q3: What are the grounds for processing PI in your jurisdiction?

A: Personal data processing shall only be conducted if the controller demonstrates one or more of the following legal grounds for data processing:[1]

  1. it has obtained an explicit consent from the data subject for one or more specific purposes conveyed by the controller to the data subject;
  2. the data processing is conducted for performing an obligation based on an agreement under which the data subject is one of the parties, or for fulfilling the data subject's request when entering into an agreement;
  3. the data processing is conducted for performing obligations of the controller;
  4. the data processing is conducted to protect the vital interests of the data subject;
  5. the data processing is conducted as part of the tasks carried out in the context of public interest or services, for exercising the authority of the controller; and/or
  6. the data processing is conducted to fulfil other legitimate interests, taking into account the objectives, needs, and balance of interests of the controller and the rights of the data subject.

Explicit consent must be provided in written form, either manually or electronically. The consent must state the purpose of the data processing or use.

Q4: What are the data breach notification/reporting requirements in your jurisdiction?

A: In the event of a personal data breach, the controller is required to deliver a written notification to the data subject and the data protection authority no later than 3 x 24 hours after the breach incident.[2] Such written notification shall, at least, include:[3]

  1. details of the affected personal data;
  2. details of the personal data breach (i.e. when and how the data are disclosed); and
  3. measures taken by the controller to handle and recover from the disclosure of personal data.

If the data breach disrupts public services, or has a serious impact on the public interest, the controller is also required to notify the public of the incident.[4]

Q5: Who is the authority responsible for overseeing compliance with data protection laws, and what is the scope of its powers?

A: PDP Law stipulates that a data protection authority is to oversee personal data matters in Indonesia. The main tasks of the data protection authority are:

  1. formulating and establishing policies and strategies for personal data protection to guide data subjects, controllers, and processors;
  2. supervising the implementation of personal data protection;
  3. enforcing PDP Law; and
  4. facilitating alternative dispute resolution.[5]

As at the date of this questionnaire, the Indonesian government has not yet established the data protection authority.

All stakeholders, including the government, are given a maximum transitional period of two years from the enactment of PDP Law (i.e., until 17 October 2024). However, the government will establish the data protection authority before 17 October 2024, possibly together with the enactment of a Government Regulation on personal data protection.

Q6: Please provide the brief scope of penalties for breaches of data protection laws.

A: The penalties for a breach of PDP Law include administrative and criminal sanctions.

If an administrative sanction is imposed on the controller, the maximum administrative sanction is a fine of up to 2% of annual income in respect of the violation variables.[6] The lesser administrative sanctions that can be imposed on an infringing controller are (i) a written warning, (ii) temporary suspension of personal data processing activities, and/or (iii) deletion of personal data.[7]

For criminal offences, PDP Law provides for a fine of between IDR4 billion and IDR6 billion and imprisonment of between 4 and 6 years.

In addition to the criminal sanctions, additional penalties in the form of confiscation of profits and/or assets and/or proceeds derived from the crime, and payment of compensation, may be imposed on violators.

Q7: Is it mandatory for an organisation to appoint a specific individual to manage data protection compliance in your jurisdiction, for example, a data protection officer? If yes, what qualifications are needed for that role and what are the legal responsibilities?

A: Yes, it is mandatory for an organization, whether acting as a controller or a processor, to appoint a data protection officer ("DPO") to manage personal data protection compliance. PDP Law requires a DPO to be responsible for, at least, the following duties:[8]

  1. informing and advising the controller or processor to comply with PDP Law;
  2. monitoring and ensuring the compliance with PDP Law and the internal policies of the controller or processor;
  3. advising the controller and processor on data protection impact assessment ("DPIA"), and monitoring the performance of controllers and processors in managing the compliance with PDP Law; and
  4. coordinating on, or acting as a liaison for, issues related to personal data processing.

Appointing a DPO is an obligation if the data processing activities meet the following criteria:[9]

  1. the personal data processing is done for public service/interest purposes;
  2. the controller's core activities have the nature, scope, and/or purpose requiring regular and systematic monitoring/processing of personal data on a large scale; and
  3. the controller's core activities include processing specific, crime-related personal data on a large scale.

A DPO must be appointed on the basis of professionalism, legal knowledge, personal data protection practice, and the ability to fulfil his/her duties.[10] Apart from PDP Law, the Minister of Manpower ("MoM") has issued MoM Decree No. 103 of 2023 on Establishment of the Indonesian National Work Competency Standards for the Information and Communication Category, Primary Group of Activities in Programming, Computer Consultation, and Related Activities with the Expertise on Personal Data Protection, which provides a guideline on the qualifications and competence standards for the recruitment/appointment of a DPO. The competence standards have three key elements, namely knowledge, skill sets, and attitude.

These elements are further elaborated in the 19 competency units against which the organization assesses a prospective DPO.

Q8: Can you transfer PI outside of your jurisdiction? If yes, what are the conditions / restrictions placed on cross border transfers?

A: A disclosing controller may transfer PI overseas (a cross-border data transfer). The transfer is lawful if the disclosing controller meets one of the following requirements, which are structured as a tiered compliance model that allows flexibility based on the capability and/or circumstances of the disclosing controller. The cross-border data transfer criteria, from the highest to the lowest requirement, are:

  1. the recipient country has a personal data protection level equal to, or higher than, that under PDP Law;
  2. the disclosing controller ensures adequate and binding personal data protection measures by the data recipient; and
  3. consent from the data subject has been obtained.

If the disclosing controller cannot meet the highest requirement, it becomes subject to the next lower requirement, and so on until the controller satisfies one of them.[11]

It is important to note that if a cross-border data transfer occurs between ASEAN member states, the disclosing controller can perform the transfer using the ASEAN Model Contractual Clauses for Cross Border Data Flows ("MCCs"). MCCs are contractual terms and conditions included in the binding agreement between a disclosing controller and the recipient party in a cross-border data transfer. Implementing MCCs helps the parties ensure that the cross-border data transfer is conducted in an appropriate manner that complies with the ASEAN member states' legal and regulatory requirements and protects the data of the data subjects based on the principles of the ASEAN Framework on Personal Data Protection 2016.

Q9: Are there any data localisation requirements?

A: There are no data localisation requirements imposed on private electronic system operators ("Private ESOs") in Indonesia. A Private ESO is allowed to manage, process, and/or store its electronic systems and data in Indonesia or overseas.[12] If a Private ESO performs data processing overseas, it must grant access to the government authority (if requested) for the purpose of regulatory monitoring.[13]

Q10: What security obligations are imposed on both data controllers/ data fiduciaries and service providers engaged in PI processing?

A: Under PDP Law, controllers engaged in PI processing must fulfil the following obligations:

  1. ensuring the accuracy, completeness, and consistency of processed personal data through a verification process;[14]
  2. rejecting a data subject's access request if fulfilling such request would jeopardize the data subject or national security;[15]
  3. conducting a DPIA where the data processing poses a potential risk to the data subject;[16]
  4. preparing and implementing technical and operational measures to protect personal data against unlawful access and processing;[17]
  5. determining the personal data security level by considering the nature and risks of the data;[18]
  6. preserving the confidentiality of personal data being processed;[19]
  7. preventing unlawful access to personal data by using a security system and/or a reliable, secure, and responsible electronic system;[20] and
  8. supervising every person involved in the data processing activities.[21]

Footnotes

[1] Article 20 (2) of PDP Law
[2] Article 46 (1) of PDP Law
[3] Article 46 (2) of PDP Law
[4] Article 46 (3) of PDP Law
[5] Article 59 of PDP Law
[6] Article 57 (3) of PDP Law
[7] Article 57 (2) of PDP Law
[8] Article 54 (1) of PDP Law
[9] Article 53 (1) of PDP Law
[10] Article 53 (2) of PDP Law
[11] Article 56 of PDP Law
[12] Article 21 (1) of GR 71/2019
[13] Article 21 (2) and (3) of GR 71/2019
[14] Article 29 (1) of PDP Law
[15] Article 33 of PDP Law
[16] Article 34 (1) of PDP Law
[17] Article 35 (a) of PDP Law
[18] Article 35 (b) of PDP Law
[19] Article 36 of PDP Law
[20] Article 39 (1) and (2) of PDP Law
[21] Article 37 of PDP Law
