As a follow-up to our last client update on the personal data protection framework in Indonesia, the personal data protection bill was finally numbered as Law No. 27 of 2022 on Personal Data Protection ("PDP Law") and came into effect on 17 October 2022.

Given the wide-reaching implications of the PDP Law on businesses, we have set out key facts about the PDP Law, as well as a compliance checklist below. We hope that this checklist can be a useful starting point for you in examining your data protection policies to ensure compliance with the new data protection framework in Indonesia.

Key Facts

  • The PDP Law grants a two-year transitional period from 17 October 2022 for data controllers, data processors, and other parties related to a data processing activity to adjust their data processing practices to the PDP Law's requirements.
  • However, based on our informal discussions with the relevant Indonesian government officials, some provisions of the PDP Law became effective immediately from 17 October 2022. These are the provisions on prohibited conduct related to data processing activities, which is considered a criminal offence.
  • The PDP Law does not apply retroactively to data processing activities carried out before 17 October 2022.
  • Administrative sanctions under the PDP Law include a written warning, temporary termination of personal data processing activities, deletion or destruction of personal data, and/or an administrative fine. In addition, imprisonment, criminal fine, asset confiscation, asset freezing, license revocation, and business dissolution (among many others) may also apply.
  • The PDP Law will apply to businesses based both inside and outside of Indonesia. For further details on the application of the PDP Law to your businesses, please read our previous client update.

Compliance Checklist

This checklist gives a general overview of the key requirements of the PDP Law. Besides describing the relevant key provisions of the PDP Law, it details the actions that businesses should take to ensure compliance with the PDP Law.

Please note that this checklist is based on best market practice and is by no means exhaustive. We encourage clients to reach out to their counsel for further advice.

No. / Reference to the PDP Law and Description / Recommended Actions

1. Lawful Basis for Processing Personal Data (Articles 20 and 21)

First, you should identify the applicable lawful basis for processing personal data before you commence any such processing. The PDP Law regulates six lawful bases for personal data processing.

The basis that is most appropriate for you will depend on the purpose for processing and your relationship with the data subject.

In summary, the six lawful bases are:

(a)   explicit consent;

(b)   contractual obligation;

(c)   legal obligation;

(d)   vital interests;

(e)   public interest; and

(f)   legitimate interest.

You should:

  • examine the various types of data processing that you carry out; 
  • identify the lawful bases that apply to you; and
  • internally and externally document the processing activities (e.g., internally in your records of processing activity/data inventory and externally in your privacy notice).

If you are relying on explicit consent as your lawful basis for processing personal data, you should review how you request consent from the data subject. The PDP Law sets a high standard for consent: the data subject must have a genuine choice (e.g., consent cannot be a precondition of service and must be separate from other terms and conditions) and control over how you use their data.

If your current practice on obtaining consent does not meet the PDP Law's high standards or is poorly documented, you need to seek fresh PDP Law-compliant consent, identify a different lawful basis for your processing, or stop the processing.
