This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in Greece.
-
Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).
The main regulations governing data protection, privacy and cybersecurity in Indonesia include:
- Law No. 27 of 2022, dated October 17, 2022, regarding Personal Data Protection ("PDP Law"): main framework for general privacy and data protection in Indonesia, both electronic and physical, across all types of activities (e.g., collection, processing, utilization, etc.).
- Law No. 11 of 2008, dated April 21, 2008, regarding Electronic Information and Transaction, as last amended by Law No. 1 of 2024 ("EIT Law"): serves as the umbrella regulation for electronic transactions and also pertains, to a certain extent, to the protection of personal data and cybersecurity.
- Government Regulation No. 71 of 2019, dated October 4, 2019, regarding the Implementation of Electronic Systems and Transactions ("GR 71/2019"): one of the implementing regulations for the EIT Law, which mainly governs Electronic System Providers ("ESPs") and the maintenance of electronic systems in the context of personal data protection.
- Minister of Communication and Informatics ("MOCI") Regulation No. 20 of 2016, dated November 7, 2016, regarding the Protection of Personal Data within Electronic Systems ("MOCI Reg. 20/2016"): an implementing regulation for the EIT Law that elaborates on the collection of personal data and its protection within electronic systems.
- MOCI Regulation No. 5 of 2020, dated November 16, 2020, regarding the Implementation of Private ESPs, as last amended by MOCI Regulation No. 10 of 2021, dated May 21, 2021 ("MOCI Reg. 5/2020"): another implementing regulation for the EIT Law, further regulates the registration requirement for ESPs in the private sector.
- Ministry of Communication and Digital Affairs ("MOCDA") (previously the MOCI) Regulation No. 5 of 2025, dated March 18, 2025, regarding Public ESPs ("MOCDA Reg. 5/2025"): an implementing regulation for the EIT Law, which further regulates the registration requirement for ESPs in the public sector.
- Other institutional rules or circular letters (circular letters are not regulations per se but can serve as guidance to interpret the stance of authorities) issued by relevant institutions such as the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara or "BSSN").
All current regulations governing the protection of personal data and the operation of electronic systems apply extraterritorially in this context.
-
Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?
The Indonesian government, through the MOCDA (formerly the MOCI) and BSSN, is drafting several new regulations related to data protection, privacy, and the broader cybersecurity landscape. Following the enactment of the PDP Law, the Indonesian government is in the process of finalizing and enacting the Draft Government Regulation on the Implementation of the PDP Law ("Draft GR on PDP"). This will be the first implementing regulation for the PDP Law and will provide detailed provisions on various aspects of personal data protection, including the obligations of personal data controllers, the role of personal data protection officers, and further clarification on consent requirements.
In early 2024, a new amendment to the EIT Law was enacted. This amendment primarily introduces additional regulatory frameworks, including certification requirements for electronic signatures and documents, enhanced protection for minors in electronic systems, and an expanded list of prohibited actions — such as defamation and doxing — particularly through social media platforms. Following the amendment of the EIT Law, the government is expected to issue revisions to GR 71/2019, along with new regulations on online child protection, artificial intelligence ("AI") policy, content moderation, and cybersecurity legislation.
-
Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register / obtain a licence?
Yes. Both MOCI Reg. 5/2020 and MOCDA Reg. 5/2025 mandate that Electronic System Providers (ESPs) in both the public and private sectors must be registered with the MOCDA, as evidenced by the issuance of an ESP registration certificate. For reference, public and private sector ESPs are defined as follows:
- Private ESP refers to the implementation of electronic systems by individuals, business entities, or community groups.
- Public ESP refers to electronic systems operated by a state administrative agency or an institution appointed by such an agency.
A Private ESP may be categorized as a Public ESP if it is formally appointed through a legal instrument.
MOCDA Reg. 5/2025 explicitly excludes Public ESPs that act as regulatory and supervisory authorities in the financial sector.
While MOCI Reg. 5/2020 does not specify any exemptions, it sets out the criteria for ESPs that must be registered, including:
- ESPs that are regulated by or under the supervision of a specific government ministry or agency; and/or
- ESPs that operate any online portal, site, or application accessible via the internet that is used for:
- Providing, managing, and/or operating the offering or trade of goods and/or services;
- Providing, managing, and/or operating financial transaction services;
- Distributing paid digital materials or content through data networks, whether by downloads, email, or other applications sent to users' devices;
- Providing, managing, and/or operating communication services, including but not limited to SMS, voice or video calls, emails, and online chats via digital platforms, online services, or social media;
- Operating search engine services or providing electronic information in the form of text, audio, images, animations, music, videos, films, games, or any combination thereof;
- Processing personal data for public service operational activities related to electronic transactions.
In practice, private ESPs that are directly accessible to end consumers are generally required to register. However, private ESPs that provide backend systems, such as those involved in payment system infrastructure, typically are not subject to this registration requirement.
-
How do the data protection laws in your jurisdiction define "personal data," "personal information," "personally identifiable information" or any equivalent term in such legislation (collectively, "personal data")? Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., "controller", "processor", "data subject", etc.)?
The most commonly used term in Indonesian legislation is "Personal Data." While multiple definitions exist across different regulations, they share a common essence and are accompanied by key qualifications, as outlined below:
Under the PDP Law, GR 71/2019, and MOCI Reg. 5/2020, Personal Data is defined as data concerning an individual who is identified or identifiable, either on its own or in combination with other information, whether directly or indirectly, through electronic or non-electronic systems. In the EIT Law, Personal Data is defined as Certain Individual Data that is stored, maintained, with its validity preserved and its confidentiality protected. MOCI Reg. 20/2016 defines Personal Data as certain individual data whose accuracy is stored, maintained, and secured, and whose confidentiality is protected.
Pursuant to the PDP Law, Personal Data is further classified into two categories:
- General Personal Data, which includes full name, gender, nationality, religion, marital status, and/or other personal data that, when combined, can be used to identify an individual; and
- Specific Personal Data, which includes data related to an individual's health, biometric and genetic information, criminal records, children's data, personal financial data, and any other data as may be designated under applicable laws.
The EIT Law also recognizes the term "Certain Individual Data", defined as any true and real information that is attached to and identifiable, directly or indirectly, to a specific individual, and whose use is governed by applicable laws and regulations.
Additionally, the PDP Law recognizes the term "Information", defined as information, statements, ideas, and signs that contain value, meaning, or messages, including data, facts, and explanations that can be seen, heard, or read, presented in various forms and formats in line with the development of information technology, whether electronically or non-electronically.
-
What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a "legal basis" for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.
Based on the PDP Law, the general principles governing the processing of personal data in Indonesia include:
- Personal data must be collected in a limited, specific, lawful, and transparent manner;
- The processing of personal data must be carried out in accordance with its intended purpose;
- The processing must guarantee the rights of the Personal Data Subject;
- Personal data must be processed accurately, completely, not misleadingly, in an up-to-date manner, and accountably;
- The processing must ensure the security of personal data from unauthorized access, disclosure, alteration, misuse, destruction, and/or loss;
- The purposes and activities of processing, as well as any failures in personal data protection, must be communicated;
- Personal data must be destroyed and/or deleted after the retention period ends or upon the request of the Personal Data Subject, unless otherwise stipulated by law; and
- The processing of personal data must be carried out in a responsible and demonstrably accountable manner.
Furthermore, the processing of personal data must be based on a valid legal basis, which includes:
- Consent: Explicit and informed consent from the Personal Data Subject for one or more specific purposes, as conveyed by the Personal Data Controller;
- Contract: Fulfillment of contractual obligations when the Personal Data Subject is a party to the contract, or to meet the request of the Personal Data Subject prior to entering into a contract;
- Legal Obligation: Compliance with legal obligations imposed on the Personal Data Controller under prevailing laws and regulations;
- Vital Interest: Protection of the vital interests of the Personal Data Subject;
- Public Task: Execution of tasks in the public interest, delivery of public services, or the exercise of official authority by the Personal Data Controller in accordance with the law;
- Legitimate Interest: Fulfillment of other legitimate interests, provided there is a balance between the interests of the Personal Data Controller and the rights of the Personal Data Subject.
Regarding data retention, MOCI Reg. 20/2016 stipulates that personal data stored within an electronic system must be retained for a minimum of five years, starting from the point at which the data subject ceases to use the system. In practice, this five-year period is often applied as a general benchmark for personal data retention.
-
Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
In general, the applicable personal data protection regulations require the obtainment of express consent prior to processing personal data. Under the PDP Law, when processing personal data based on consent, the data controller is required to provide the following information (collectively referred to as "Consent Information"):
- The legal basis for processing the personal data;
- The purpose of processing the personal data;
- The type and relevance of the personal data to be processed;
- The retention period for documents containing personal data;
- A description of the information collected;
- The duration of personal data processing; and
- The rights of the personal data subject.
Consent for the processing of personal data must be obtained either in writing or in recorded form and can be conveyed electronically or non-electronically. Both methods have the same legal validity.
Such Consent Information must be provided in the Indonesian language (bilingual is permissible). If there is any change to the previously provided Consent Information, the Data Controller must notify the Personal Data Subject prior to implementing such change.
Similarly, GR 71/2019 requires ESPs to obtain valid consent from the owner of the personal data for one or more specific and clearly disclosed purposes. "Valid consent" is defined as consent that is explicitly given, and not inferred from inaction, negligence, or obtained under coercion.
In practice, consent may be incorporated within broader documents — such as terms of service — or bundled with other matters, provided that explicit consent is clearly given by the relevant individual.
As a matter of practice, consent within electronic systems must be obtained through an opt-in mechanism, a declaration, or another affirmative action by the data subject. A click-to-accept action is generally considered sufficient to constitute valid consent.
-
What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children's data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?
The PDP Law has yet to set specific guidance on how one should treat Specific Personal Data differently from General Personal Data. However, it does contain several articles on the treatment of children's personal data and the personal data of persons with disabilities, as follows:
- For children's data, the consent of their parents or guardian must be obtained;
- For persons with disabilities, the processing of personal data must be carried out in a specific manner in accordance with applicable regulations. However, further clarification on the precise procedures is still pending, as the relevant implementing regulation has yet to be issued. Additionally, consent must be obtained from the person with a disability and/or their guardian prior to processing their personal data.
Additionally, when processing Specific Personal Data, organizations must obtain clear consent by explaining the type and purpose of the data collected, appoint a Data Protection Officer ("DPO") if handling large volumes of sensitive data, and conduct a Data Protection Impact Assessment ("DPIA") if the processing poses a high risk to individuals.
-
Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.
Yes, under the PDP Law, the processing of personal data may be exempt from certain obligations in specific circumstances, including:
- for the interests of national defense and security;
- for the purposes of law enforcement;
- in the public interest within the context of state administration; or
- for the supervision of financial services, monetary policy, payment systems, and financial system stability carried out as part of state administration.
In such scenarios, certain obligations of the data controller and certain rights of the data subject may be restricted.
-
Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?
Yes. Under the PDP Law, a DPIA must be conducted to evaluate potential risks associated with the processing of personal data. The DPIA also identifies the measures that must be taken to mitigate these risks, safeguard the rights of data subjects, and ensure compliance with the PDP Law. The data controller is required to carry out a DPIA if the personal data processing carries a high potential risk to the data subject. Personal data processing which has a high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for purposes of systematic evaluation, scoring, or monitoring activities related to data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- processing of personal data that limits the exercise of the rights of the data subject.
-
Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children's data or health data)?
Currently, there are no specific codes of practice available, aside from those discussed in numbers 7 and 10 above. It is also worth noting that the MOCDA is in the process of drafting a regulation concerning online child protection.
-
Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).
Yes, the PDP Law requires personal data controllers to maintain records of all personal data processing activities. However, it does not provide detailed guidance on the specific manner in which such records should be maintained. In addition, GR 71/2019 and MOCI Reg. 20/2016 impose obligations on ESPs – and, by extension, personal data controllers operating electronic systems – to maintain an audit trail of all activities within the system, including the processing of personal data.
In practice, the record-keeping obligation under the PDP Law is generally fulfilled through a Record of Data Processing Activities (ROPA), which tracks all personal data processing activities within an organization. Additionally, the mechanism for maintaining such records is often embedded during the development phase of the electronic system. Depending on the design and implementation of the system, this may already meet regulatory requirements, though a case-by-case assessment is needed to ensure full compliance.
-
Do the data protection laws in your jurisdiction require or recommend data retention and/or data disposal policies and procedures? If so, please describe such requirement(s).
Yes. Although the PDP Law does not specify a mandatory retention period, other regulations set out applicable timeframes for storing personal data in electronic systems. These regulations include MOCI Reg. 20/2016 and Government Regulation No. 80 of 2019, dated November 25, 2019, regarding Trade through Electronic Systems ("GR 80/2019"). Under these regulations, the following retention periods generally apply:
- Personal data: 5 years after the data subject ceases to use the electronic system;
- Financial transaction data: 10 years from the date the data is obtained.
Certain sectors may impose longer retention periods; for example, medical records must be kept for at least 25 years.
The obligation to dispose of or destroy personal data applies in specific situations, such as upon a request from the data subject or once the retention period has expired. An organization may also delete personal data if it is no longer relevant to the original purpose of processing or retain it longer if required by law.
-
Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?
Consultation is required or encouraged in several situations, including prior to conducting cross-border personal data transfers, in carrying out a DPIA, in the event of a failure in personal data protection within an electronic system, and for the facilitation of out-of-court dispute resolution.
-
Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?
In certain types of personal data processing, organizations, whether acting as a data controller or data processor, may be required to appoint a DPO. A DPO must be appointed in the following situations:
- When personal data processing is conducted in the context of public services;
- When the core activities of the Controller involve the regular and systematic monitoring of personal data on a large scale; and
- When the core activities consist of large-scale processing of specific personal data and/or data related to criminal acts.
The DPO plays a key role in ensuring compliance and accountability in personal data processing. The duties of a DPO under the PDP Law include:
- informing and advising the data controller or data processor on compliance with applicable legal provisions;
- monitoring and ensuring compliance with the PDP Law and internal policies;
- providing advice on DPIAs and overseeing their implementation; and
- acting as a liaison and coordinating on issues related to the processing of personal data.
-
Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).
Yes. Pursuant to GR 71/2019, ESPs are required to provide, educate, and train personnel responsible for the security and protection of electronic system facilities and infrastructure. In addition, the Draft GR on PDP also mandates that data controllers establish internal personal data protection policies that include periodic training and capacity building.
-
Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).
Yes. Indonesian data protection laws require data controllers to inform data subjects about their personal data processing activities in several situations. This includes:
- When obtaining personal data based on consent, the data controller must provide the required Consent Information;
- Before making any changes to the Consent Information or updates to the purpose of processing;
- In the event of a personal data protection failure, the data controller must notify the data subject within 3×24 hours of becoming aware of the incident. In certain cases, the controller must also notify the general public;
- When a legal entity acting as a data controller undergoes a merger, spin-off, acquisition, consolidation, or dissolution, the controller must notify the data subjects both before and after the corporate action. This notice may be delivered publicly through electronic or non-electronic mass media.
-
Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? If so, what are the implications?
Yes. Under the PDP Law:
- A Data Controller is any individual, public entity, or international organization, acting alone or jointly, that determines the purpose and exercises control over the processing of personal data.
- A Data Processor is any individual, public entity, or international organization, acting alone or jointly, that processes personal data on behalf of the controller.
The PDP Law also recognizes the concept of a Joint Controller, where two or more controllers jointly determine the purpose and means of processing. This is indicated by (i) an agreement between the controllers outlining roles, responsibilities, and the relationship between them; (ii) a shared objective and jointly determined method of processing; and (iii) a designated point of contact appointed collectively by the controllers.
In terms of implications, controllers bear greater responsibilities and obligations than processors. For example, controllers are responsible for ensuring a valid legal basis for processing, and for providing notifications to data subjects and government authorities when required.
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?
With regard to automated decision-making or profiling, the PDP Law does not explicitly prohibit or restrict these activities. However, it grants personal data subjects the right to object to decisions made solely through automated processing, including profiling, if such decisions have a significant impact on them. The PDP Law defines profiling as any activity used to identify an individual, including but not limited to their employment history, economic status, medical records, personal preferences, interests, aptitudes, behavior, location, or movements.
In addition, activities like monitoring, tracking, or using cookies must follow general personal data protection rules. This includes getting the data subject's consent and, if the activity poses a high risk to their rights, carrying out a DPIA.
-
Please describe any restrictions on targeted advertising and/or behavioral advertising. How are these terms or any similar terms defined?
There is no specific regulation in Indonesia that directly governs targeted advertising or behavioural advertising. However, if personal data is involved, such activities must comply with the general provisions of personal data protection laws.
GR 80/2019 addresses electronic marketing more generally. It states that electronic marketing must be conducted in good faith and in accordance with applicable consumer protection and advertising laws. Such marketing may be carried out through various channels, including (i) registered mail, (ii) email, (iii) online sites, (iv) electronic media, or (v) other forms of electronic communication. Parties conducting electronic marketing must clearly explain the technical mechanisms and the substance of the terms and conditions for obtaining approval electronically. An offer is considered accepted when the recipient agrees to those terms and conditions. For an electronic offer to be valid and binding, there must be a clear and specific expression of intent, along with terms and conditions that are honest, fair, and balanced, and subject to certain time limitations.
In regulated sectors such as banking and financial services, marketing activities are further governed by sector-specific regulations, which generally require explicit consent from the data subject.
-
Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term "sale" or such related terms defined?
Indonesian laws do not specifically regulate the sale of personal data. However, any activity involving the transfer or disclosure of personal data, including for commercial purposes, must comply with the general personal data protection principles under the PDP Law. This includes obtaining a valid legal basis, such as the consent of the data subject, and ensuring that the data is not used beyond the stated purposes.
-
Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. How are these terms defined?
Please refer to our response to question number 19.
-
Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?
Biometric data is classified as specific personal data under Indonesian law, as discussed in our response to question number 7.
-
Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning ("AI").
Data protection laws in Indonesia are currently silent on AI. However, the use of AI may fall under the category of new technologies, which can trigger the requirement to conduct a DPIA before its implementation. In addition, AI is addressed through non-binding institutional guidelines, specifically MOCI Circular Letter No. 9 of 2023, dated December 19, 2023, regarding the Ethics of Artificial Intelligence ("MOCI CL 9/2023"). This circular provides ethical guidance for the implementation of AI, emphasizing principles such as inclusivity, humanity, privacy and personal data security, accessibility, transparency, credibility and accountability, personal data protection, sustainable environmental development, and intellectual property protection.
-
Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)
The PDP Law allows the transfer of personal data outside of Indonesia under certain conditions. The transfer is permitted if one of the following requirements is met:
- The recipient country has an equal or higher level of personal data protection than Indonesia;
- There are adequate and binding personal data protection safeguards in place; or
- The data subject has given consent to the transfer.
The above requirements are not fully in effect yet, mainly because there is no Data Protection Authority ("DPA") in place. For now, in cases of cross-border data transfers involving electronic systems, ESPs must notify the MOCDA both before and after the transfer. While the regulations do not explain the procedure for such notification, the MOCDA has provided an internal template for the notification letter to help guide the process.
-
What personal data security obligations are imposed by the data protection laws in your jurisdiction?
The PDP Law requires organizations to protect personal data in their possession or control by securing it against unauthorized access, disclosure, unlawful modification, misuse, damage, and/or loss. While the PDP Law does not prescribe specific security measures, if personal data controllers also qualify as ESPs, they must comply with specific security requirements under GR 71/2019, which governs the operation and protection of electronic systems.
-
Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?
Yes. The PDP Law defines a "security breach" as a "failure of personal data protection." A "failure of personal data protection" refers to a failure to protect personal data in terms of its confidentiality, integrity, or availability, including security breaches, whether intentional or unintentional, that result in the destruction, loss, alteration, disclosure, or unauthorized access to personal data while it is being transmitted, stored, or processed.
When such a failure occurs, the PDP Law requires the data controller to report the incident to the authorities (specifically the Personal Data Protection Authority, which has not yet been established) and to the affected data subjects within 3×24 hours from when the failure is discovered. The notification must include at least (i) details of the personal data that was disclosed, (ii) when and how the data was disclosed, and (iii) the measures taken by the data controller to address and rectify the disclosure. In certain circumstances, the data controller is also required to inform the public if the failure disrupts public services or has a serious impact on the public interest.
Separately, GR 71/2019 also obliges ESPs to immediately report any serious system failures or disruptions caused by external actions to the relevant ministries or institutions, as well as to law enforcement authorities. In practice, this generally includes reporting to the MOCDA, the BSSN (for cyber-related incidents), and any sector-specific institution.
-
Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.
Yes, the PDP Law provides the following rights to data subjects:
- Right to transparency regarding data usage;
- Right to complete, update, and/or revise their personal data;
- Right to access their personal data;
- Right to request the termination of the processing, deletion, and/or destruction of their personal data;
- Right to withdraw consent;
- Right to object to automatic processing;
- Right to postpone or limit data processing;
- Right to claim and seek indemnification; and
- Right to acquire and use personal data and transfer the data to another controller (data portability).
Currently, the PDP Law does not provide further elaboration on how these rights must be fulfilled, except for the rights to complete, update, and/or revise personal data (item 2), to access personal data (item 3), to withdraw consent (item 5), and to postpone or limit processing (item 7). These specific rights must be fulfilled by the data controller within 3×24 hours from receipt of the request. Typically, companies fulfill these obligations by providing the contact information of the data controller on their websites or by offering an opt-out option through their websites.
The exercise of the rights listed above may be restricted under the following circumstances:
- In the interest of national defense and security;
- In the interest of law enforcement processes;
- In the public interest for the purpose of state administration;
- In the interest of supervision in the sectors of financial services, monetary matters, payment systems, and financial system stability conducted for state administration purposes; or
- In the interest of statistical or scientific research.
-
Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?
Yes, an individual may file a civil lawsuit in court, either based on tort or on breach of contract. This right is expressly provided under the PDP Law for violations relating to personal data processing, and under MOCI Reg. 20/2016 for failure to protect personal data. -
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?
Yes, this right is granted under the PDP Law. In general, immaterial damages – such as emotional distress, harm to reputation, or similar non-pecuniary losses – are only considered in cases involving death, defamation, or bodily harm. Outside of these circumstances, claims for immaterial damages are subject to strict scrutiny by the courts. -
How are data protection laws in your jurisdiction typically enforced?
The PDP Law provides for dispute resolution through alternative means and court proceedings. However, enforcement remains limited. Violations constituting crimes follow standard legal procedures, while the MOCDA may impose administrative sanctions on businesses like ESPs. Civil lawsuits may also be filed by personal data subjects to claim compensation for losses. -
What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?
Under the PDP Law, non-compliance with data protection requirements may lead to:
- Administrative Sanctions – including written warnings, suspension of data processing activities, deletion or destruction of personal data, and administrative fines (up to 2% of annual income or revenue). Administrative sanctions under GR 71/2019 and MOCI Reg. 20/2016 also include access blocking, delisting from registered ESPs, and public announcements.
- Criminal Sanctions – including imprisonment (4–6 years) and criminal fines. If committed by a corporation, fines can be up to 10 times the maximum fine for individuals. Additional corporate sanctions include profit confiscation, business suspension, prohibition of certain activities, closure, license revocation, and dissolution.
Separately, under the EIT Law, breaches involving personal data in electronic systems may result in imprisonment (6–12 years) and fines ranging from IDR 600 million to IDR 12 billion. Corporate sanctions may also apply, with enhanced penalties.
-
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
Currently, the only regulation governing the imposition of administrative fines relates to violations by private ESPs in fulfilling their obligations concerning user-generated content takedown. This is regulated under MOCI Regulation No. 172 of 2024, dated March 5, 2024, regarding the Implementation Guidelines for Non-Tax State Revenue from the Imposition of Administrative Fines for Violations by Private ESPs Related to User-Generated Content Takedown Obligations, as amended by MOCI Regulation No. 522 of 2024, dated October 18, 2024. -
Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.
Yes. As with other regulatory matters, any order issued by regulators – primarily the MOCDA in this context – may be appealed to the administrative court. Decisions rendered by the administrative court may subsequently be appealed through the standard judicial appellate process, including appeal and cassation. -
Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?
While court decisions in lawsuits concerning data protection remain limited, incidents of personal data breaches across various institutions have yet to show a significant decline. The roles of the MOCDA and law enforcement agencies in data protection enforcement remain evident, albeit infrequent. With the anticipated implementation of the Draft GR on PDP, primary enforcement responsibilities are expected to shift to the PDPA. -
Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and/or require that organisations take specific actions relating to cybersecurity? If so, please provide details.
Yes, under BSSN Reg. 8/2020, ESPs are required to independently implement an Information Security Management System (Sistem Manajemen Pengamanan Informasi or "SMPI") and conduct a self-assessment of their electronic systems based on risk principles. This assessment considers factors such as system investment, user volume, types of personal data processed, and the potential impact of a security breach. Based on the assessment, electronic systems are categorized into one of three risk levels:
- Strategic: Systems critical to national interests (e.g., public services, defence).
- High: Systems impacting specific sectors or regions.
- Low: Systems with limited impact beyond their immediate use.
Based on the risk category, BSSN Reg. 8/2020 sets the following security standard requirements:
- Strategic: SNI ISO/IEC 27001; other cybersecurity standards set by BSSN; and other standards set by the relevant Ministry or Agency.
- High: SNI ISO/IEC 27001 and/or other cybersecurity standards set by BSSN; and other standards set by the relevant Ministry or Agency.
- Low: SNI ISO/IEC 27001; other cybersecurity standards set by BSSN.
-
Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? If so, please provide details of these requirements.
The cybersecurity laws do not impose specific requirements regarding supply chain management. Related obligations are generally addressed under broader data protection, electronic system operation, and risk management standards, rather than through standalone supply chain regulations. -
Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?
The cybersecurity laws do not impose specific information sharing requirements on organisations. -
Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, what are their legal responsibilities?
The cybersecurity laws do not require the appointment of a specific person responsible for cybersecurity. However, BSSN Regulation No. 1 of 2024, dated January 10, 2024, regarding Cyber Incident Management ("BSSN Reg. 1/2024"), mandates the establishment of Cyber Incident Response Teams ("CIRTs"), organized at three levels: (i) national, (ii) sectoral, and (iii) organizational. A CIRT is defined as a group of individuals responsible for managing and responding to cyber incidents within a defined scope of authority and responsibility. BSSN Reg. 1/2024 outlines the responsibilities of CIRTs, which include:
- containing and recovering from cyber incidents;
- reporting incidents to relevant authorities or parties; and
- disseminating information to prevent or mitigate future incidents.
When a cyber incident occurs, the organizational CIRT must escalate the report to the next-level CIRT.
-
Are there specific cybersecurity laws / regulations for different industries (e.g., finance, healthcare, government)? If so, please provide an overview.
Yes, sector-specific regulations are in place for cybersecurity in certain industries. For instance, in the fintech and payment systems sectors, both the Financial Services Authority and Bank Indonesia have established more detailed cybersecurity requirements. -
What impact do international cybersecurity standards have on local laws and regulations?
Indonesia's National Standard (Standar Nasional Indonesia or SNI) on cybersecurity certifications generally aligns with international standards, such as those from ISO, while incorporating necessary adjustments to meet the country's specific needs. -
Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?
Under BSSN Reg. 1/2024, a cyber incident is defined as a single event or a series of events that disrupt or threaten the operation of electronic systems. The regulation classifies ESPs into two categories: Vital Information Infrastructure Providers ("VII Providers") and non-VII Providers. Vital information infrastructure refers to electronic systems that utilize information and/or operational technology, either independently or in connection with other systems, to support strategic sectors, where disruption, damage, or destruction would have a serious impact on public interests, public services, defense and security, or the national economy; VII Providers are the ESPs that operate such systems. When a cyber incident occurs, ESPs are required to report it to BSSN and the relevant CIRTs, depending on the risk assessment category. -
How are cybersecurity laws in your jurisdiction typically enforced?
Cybersecurity issues are generally addressed through standard enforcement mechanisms. BSSN may impose administrative sanctions on businesses, including ESPs. Civil lawsuits are also available for parties claiming losses. In practice, cybersecurity incidents in Indonesia typically result from external third-party actions, and the focus tends to be on resolving the issue rather than pursuing formal disputes. -
What powers of oversight / inspection / audit do regulators have in your jurisdiction under cybersecurity laws.
BSSN and sector-specific authorities generally have the authority to inspect or audit organizations when necessary, particularly in response to a cybersecurity incident. -
What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?
BSSN is authorized to impose administrative sanctions on ESPs, primarily in the form of a written reprimand. In addition, sanctions under the EIT Law, as discussed in question Number 32, also apply to cybersecurity-related breaches. -
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
Currently, there are no specific guidelines or rules on this subject. -
Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.
Yes. Please refer to our response to question number 33. -
Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?
Recently, the government has been planning the implementation of a National Data Center, primarily aimed at enhancing cybersecurity protection within the public sector. This initiative may also affect certain private sector entities, particularly those handling data related to public interests, such as health data. Additionally, the government is in the process of formulating several regulations designed to further strengthen national cybersecurity protections.
Originally Published by Legal 500
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.