COMPARATIVE GUIDE
11 February 2025

Data Privacy Comparative Guide

Data Privacy Comparative Guide for the jurisdiction of Indonesia.

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Indonesia's personal data protection regime was enacted in October 2022 through the Personal Data Protection (PDP) Law (27/2022). While this law is intended to be the umbrella regulation that sets out general provisions on personal data protection, some of its provisions cannot yet be effectively implemented pending promulgation of the relevant government regulations.

In general, personal data protection is regulated under the following statutes:

  • the PDP Law;
  • Government Regulation 71/2019 on the Operation of Electronic System and Transaction; and
  • Ministry of Communication and Informatics (MOCI) Regulation 20/2016 on Protection of Personal Data in Electronic Systems.

The Implementing Regulation Bill on Personal Data Protection has been made accessible to the public. This bill contains further provisions on certain aspects that are mentioned in the PDP Law, including but not limited to:

  • the requirements for data protection officers; and
  • the use of legitimate interest and agreement obligations as the basis for personal data processing.

However, this bill may be subject to changes upon its promulgation. Although the transitional period of the PDP Law expired in October 2024, there have been no updates as yet on the promulgation of the Implementing Regulation Bill.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

General provisions on personal data protection are set out in:

  • the PDP Law;
  • Government Regulation 71/2019; and
  • MOCI Regulation 20/2016.

However, sector-specific regulations also apply in certain sectors. For example, Otoritas Jasa Keuangan Regulation 11/POJK.03/2022 on the Organisation of Information Technology by General Banks regulates personal data protection provisions in the banking sector. Aside from general personal data protection, this regulation also discusses good governance practices for general banks on data protection, including in relation to:

  • the identification and mitigation of the risk of data breaches;
  • standards for adequate IT systems; and
  • the general management of personal data.

Moreover, according to the PDP Law, personal data is classified into two types:

  • general personal data, which includes data such as:
    • full name;
    • gender;
    • date of birth; and
    • phone number; and
  • specific personal data, which includes data such as:
    • biometric data;
    • medical records;
    • criminal records; and
    • financial data.

For specific data types such as biometric data, to the best of our knowledge, there are no dedicated provisions on these aside from those set out in the PDP Law.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

There are no bilateral or multilateral instruments that have effect in Indonesia. The Association of Southeast Asian Nations (ASEAN) has established a Model Contractual Clause on Cross-Border Data Transfers, although we understand that this is not legally binding and serves more as a guideline for cross-border data transfer clauses in the ASEAN region, in order to achieve uniformity of provisions.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The PDP Law provides for the establishment of a Personal Data Protection Authority (PDPA), although this has not yet happened. Pursuant to Article 58(2) of the PDP Law, the PDPA will be established under the supervision of the president. In the meantime, the Ministry of Communication and Digital Affairs (MCDA) (previously known as the MOCI) is responsible for supervising the communication and IT sector, including personal data protection.

Article 60 of the PDP Law provides that the PDPA has the authority, among other things, to:

  • formulate and stipulate policies relating to personal data protection;
  • supervise compliance with the personal data protection regime and issue orders to follow up on the results of such supervision; and
  • issue publications based on the results of supervision.

With regard to data transfers, the PDPA can assess the fulfilment of requirements for personal data transfers outside Indonesia. When it comes to disputes and law enforcement, the PDPA is authorised to:

  • cooperate with law enforcement on the handling of crimes relating to personal data; and
  • request legal assistance from the prosecutor's office in the settlement of a data protection dispute.

However, as the PDPA is yet to be established, in practice, the MCDA will exercise some of the above powers.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

As the implementing regulations on personal data protection in Indonesia have not been issued, domestic best practices are still developing. However, internationally accepted best practices are often adopted to demonstrate compliance with industry standards.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

Under the Personal Data Protection (PDP) Law, 'data processors' and 'data controllers' include all entities, such as:

  • individuals;
  • corporations;
  • public agencies; and
  • international organisations.

All such entities must comply with the PDP Law if they conduct data processing in Indonesia. Additionally, data processing conducted outside of Indonesia is subject to the PDP Law if it has legal consequences:

  • within Indonesia; and/or
  • for data subjects who are Indonesian citizens located outside Indonesia.

However, based on Article 1(6) of the PDP Law, data subjects enjoy protection under the law only in relation to their personal data. The data of corporations and other legal entities is not regarded as personal data and thus is not subject to protection under the PDP Law.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

Article 50 of the PDP Law states that exemptions from the regime apply in relation to:

  • the interests of defence and national security;
  • law enforcement;
  • the public interest for the administration of the state;
  • supervision of the financial service sector and the stability of the monetary and financial system for the administration of the state; and
  • the interest of statistics and scientific research.

2.3 Does the data privacy regime have extra-territorial application?

Yes, Article 2 of the PDP Law provides that it applies to all persons, public bodies and international organisations that conduct activities regulated under the law:

  • inside the legal territory of Indonesia; or
  • outside the legal territory of Indonesia, where such activities have legal effect:
    • in the legal territory of Indonesia; or
    • for Indonesian-national data subjects outside the legal territory of Indonesia.

The above provision is similar to the scope of the Law on Electronic Information and Transactions (11/2008), which also provides that acts abroad that have a legal effect in the territory of Indonesia are subject to its provisions. However, what is unique about the PDP Law is that it also encompasses actions taken abroad that have a legal effect on Indonesian-national data subjects outside the territory of Indonesia. According to the text, foreign persons and legal entities must also abide by the PDP Law if they collect data from Indonesian nationals, even if those nationals are domiciled abroad. In theory, this makes the law almost unlimited in scope. However, in practice, it will be difficult for the Indonesian government to enforce the law if the foreign person or entity has no operations in Indonesia. Nonetheless, for persons and legal entities operating in Indonesia, the scope of the PDP Law should be noted.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

The Personal Data Protection (PDP) Law does not explicitly define 'data processing', but pursuant to Article 16(1), activities that are considered to constitute data processing include:

  • the acquisition and collection of personal data;
  • the filtering and analysis of personal data;
  • the storage of personal data;
  • the correction and updating of personal data;
  • the display, announcement, transfer, dissemination or disclosure of personal data; and/or
  • the deletion or destruction of personal data.

The definition of 'data processing' is thus very broad: almost everything that can be done with personal data will fall within it. The term encompasses basic activities such as:

  • storing information on a hard drive;
  • retrieving information for display;
  • transferring information; and
  • deleting information.

(b) Data processor

Article 1(5) and Article 19 of the PDP Law define a 'data processor' as "every person, public agency, and international organisation that acts individually or jointly in personal data processing on behalf of a data controller". Essentially, data processors are 'subcontractors' to which data controllers may subcontract the processing of personal data on their behalf.

(c) Data controller

Article 1(4) and Article 19 of the PDP Law define a 'data controller' as "every person, public agency, and international organisation that acts individually or jointly in determining purposes and exercising control over the processing of personal data".

(d) Data subject

Article 1(6) of the PDP Law defines a 'data subject' as "an individual whom the personal data is associated with". This definition is limited to natural persons. Corporations and other legal entities are not considered to be data subjects under the PDP Law and thus are not subject to protection under the PDP Law.

(e) Personal data

Article 1(1) of the PDP Law defines 'personal data' as "data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system".

The PDP Law does not protect all data – only personal data falling under the definition set out in Article 1(1) of the PDP Law, which includes general and specific personal data.

(f) Sensitive personal data

Article 4(1) of the PDP Law classifies personal data into two categories:

  • specific personal data; and
  • general personal data.

In theory, as the elucidation of the PDP Law explains, 'specific personal data' is "personal data that, if processed, may cause a greater impact to a data subject." At the moment, the PDP Law differs in its treatment of specific personal data only in two respects:

  • with regard to the obligation to conduct a data protection impact analysis; and
  • with regard to the obligation to appoint a data protection officer.

However, future implementing regulations may set out further provisions or obligations regarding the processing of specific personal data.

(g) Consent

While the PDP Law does not define 'consent', it provides that consent is essential for data processing. Article 20(2)(a) requires "an explicit valid consent from data subjects for 1 (one) or several specific purposes that has been submitted by the data controller to data subjects".

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

There are no further key terms with regard to data protection in Indonesia. Notably, the term 'personally identifiable information' is not explicitly mentioned in Indonesian law and regulation.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

The Personal Data Protection Law has no registration requirements for data processors or data controllers. However, Indonesian laws and regulations stipulate that an electronic system provider (PSE) must be registered. A 'PSE' is any person, state administrator, business entity or community that provides, manages and/or operates an electronic system, either individually or jointly, for electronic system users for its own personal purposes and/or those of a third party.

PSEs in both the public and private sectors are obliged to register based on Article 6 of Government Regulation 71/2019.

If a PSE fails to register, then based on Article 7 of Ministry of Communication and Informatics (MOCI) Regulation 5/2020 on Organisation of Private Electronic Systems, administrative sanctions will be imposed in the form of termination of access to the electronic system (ie, access blocking).

PSE registration is also required in order to protect the public's right to secure access to digital services. Registration of PSEs makes it easier for the MCDA to:

  • oversee them in order to protect public rights and privacy rights; and
  • supervise the collection of taxes.

4.2 What is the process for registration?

Based on Article 3 of MOCI Regulation 5/2020, a private PSE must register with the MCDA through the Online Single Submission (OSS) System. The OSS System issues the relevant business licences to business owners for and on behalf of ministers, heads of institutions, governors and regents/mayors through an integrated electronic system.

Private PSEs must apply to register with the MCDA by filling out a form containing the following information:

  • an overview of the operation of the electronic system;
  • details of compliance with the following obligations:
    • ensuring information security in accordance with the law and regulations;
    • protecting personal data in accordance with the law and regulations; and
    • conducting electronic system feasibility tests in accordance with the law and regulations.

Private PSEs were required to register within six months of the implementation of risk-based business licensing through the OSS System, which took effect from 21 January 2022.

4.3 Is registered information publicly accessible?

Information on data controllers or data processors that have been registered as PSEs can be found on the MCDA's website at pse.kominfo.go.id. However, the accessible information:

  • states only whether entities are registered as PSEs; and
  • does not reveal their status as a data controller and/or processor.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

The lawful bases for processing personal data are set out in the Personal Data Protection (PDP) Law. The provisions on lawful bases for data processing have universal application and their applicability does not depend on the type of personal data being processed.

Pursuant to Article 20 of the PDP Law, a data controller must have a recognised basis for the processing of personal data. These are as follows:

  • explicit and valid consent given by the data subject for one or several specific purposes that were submitted beforehand by the data controller to the data subject;
  • the fulfilment of agreement obligations to which the data subject is a party or the fulfilment of a request made by the data subject at the time of entering into an agreement;
  • the fulfilment of legal obligations of the data controller in accordance with the law and regulations;
  • the protection of vital interests of the data subject;
  • the fulfilment of duties in the public interest, the provision of public services or the exercise of the data controller's authority based on the law and regulations; and/or
  • the fulfilment of other legitimate interests by taking into account:
    • the purpose of and need for the data processing; and
    • the balance between the interests of the data controller and the rights of the data subject.

Article 21(1) of the PDP Law then states that if the basis used by the data controller correlates to an explicit and valid consent given by the data subject, the data controller must first submit information to the data subject before obtaining his or her explicit and valid consent. The information that must be provided includes details of:

  • the legality of the personal data processing;
  • the purpose of the personal data processing;
  • the type and relevance of the personal data that will be processed;
  • the retention period of documents containing the personal data;
  • the information collected by the data controller;
  • the period over which the personal data processing was conducted; and
  • the rights of the data subject.

The data controller must also inform the data subject if the information provided at the time of obtaining consent is changed or updated, as stipulated in Article 21(2) of the PDP Law.

Furthermore, Article 22 of the PDP Law states that the data subject's consent:

  • must be provided in written or recorded form; and
  • may be submitted electronically or non-electronically.

Where the request for consent also serves other purposes, the request for consent must meet the following requirements:

  • It must be clearly distinguishable from those other purposes;
  • It must be made in an understandable and accessible format; and
  • It must use clear and simple language.

If the request does not fulfil the aforementioned requirements, the consent given by the data subject will be declared null and void.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

Pursuant to Article 16(2) of the PDP Law, the principles that apply to personal data processing in Indonesia are as follows:

  • It must be limited and specific, legally valid and transparent.
  • It must be carried out in accordance with its purpose.
  • It must be carried out in a way that safeguards the rights of the data subject.
  • It must be carried out in a way that is accurate, complete, not misleading, up to date and accountable.
  • It must be carried out in a way that protects the personal data from:
    • unauthorised access;
    • unauthorised disclosure;
    • unauthorised alteration;
    • misuse;
    • destruction; and/or
    • loss.
  • The data subject must be notified of:
    • the purpose of the processing;
    • the processing activities; and
    • any personal data protection failure.
  • The personal data must be destroyed and/or deleted after the retention period ends or at the request of the data subject, unless otherwise stipulated by the law and regulations; and
  • The personal data must be processed responsibly in a way that can be clearly proven.

These principles apply universally to data processing in Indonesia, regardless of whether it is done by the data controller or outsourced.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

In practice, the processing of personal data primarily relies on the consent regime. This means that the data controller must obtain explicit and valid written consent from the data subject prior to collecting and processing the personal data.

In relation to valid consent, Article 21(1) of the PDP Law stipulates that the data controller must submit details of the following to the data subject before obtaining his or her explicit and valid consent:

  • the legality of the personal data processing;
  • the purpose of the personal data processing;
  • the type and relevance of the personal data that will be processed;
  • the retention period of documents containing the personal data;
  • the information collected by the data controller;
  • the duration of the personal data processing; and
  • the rights of the data subject.

Furthermore, there are steps to be taken by data controllers and/or processors in order to ensure lawful data processing, such as:

  • ensuring the accuracy of data;
  • recording all data processing-related activities; and
  • maintaining the confidentiality of the processed data.

Failure to comply with the relevant regulations may incur sanctions from the relevant authorities, such as:

  • a written reprimand;
  • the temporary suspension of personal data processing activities;
  • the erasure or removal of personal data; and/or
  • administrative fines of up to 2% of annual revenue.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

The transfer of data based on the Personal Data Protection (PDP) Law constitutes personal data processing, so a lawful basis for the processing is required. If a data transfer fulfils one of the lawful bases, it will comply with the Indonesian data protection regime.

An exemption is available where the data is transferred to a third party as the result of a corporate action – such as a merger, spin-off, acquisition, consolidation or dissolution – involving the legal entity that is the data controller. In the event of such a corporate action:

  • the data controller must notify the data subject prior to conducting the corporate action and the subsequent data transfer, as stipulated in Articles 48(1) and 48(2) of the PDP Law; and
  • if the corporate action results in the dissolution of the legal entity that is the data controller and personal data is subsequently stored, transferred, deleted or destroyed, the data subject must be notified accordingly as per Articles 48(3) and (4) of the PDP Law.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

Pursuant to Article 56(2) of the PDP Law on the transfer of data abroad, the country that receives the data transfer must have personal data protection levels that are at least equal to those reflected in the PDP Law. If the provisions in Article 56(2) are not fulfilled, Article 56(3) stipulates that the data controller must ensure that there is an adequate and binding personal data protection regime in the receiving country. If both prerequisites are not fulfilled, then the data controller must obtain the data subject's approval for the data transfer.

However, as the PDP Law does not contain further provisions or guidelines on its implementation, the provisions set out in MOCI Regulation 20/2016 still apply to the transfer of personal data abroad. Pursuant to MOCI Regulation 20/2016, the data controller must also:

  • report on its plans to conduct the data transfer, including at minimum:
    • the name of the receiving country;
    • the name of the receiver;
    • the date of execution of the transfer; and
    • the reasons/purposes for the transfer;
  • request advocacy, if necessary; and
  • report on the execution of the transfer.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

There are no further requirements, restrictions or best practices relating to the transfer of personal data. Precedents and best practices in Indonesia are still developing, as the PDP Law was only recently enacted. Further implementing regulations on cross-border data transfer will be issued in the future.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Articles 5 to 13 of the Personal Data Protection (PDP) Law set out the rights of data subjects as follows:

  • the right to obtain information on the identity, basis of legal interest, purpose for requesting and using personal data and accountability of parties that request personal data;
  • the right to complete, update and/or correct errors and/or inaccuracies in their personal data in accordance with the purpose of the personal data processing;
  • the right to access and obtain a copy of their personal data in accordance with the law and regulations;
  • the right to end the processing and delete and/or destroy their personal data in accordance with the law and regulations;
  • the right to withdraw consent to the processing of their personal data that has been given to a data controller;
  • the right to object to a decision-making action that is based solely on automated processing, including profiling, which has legal consequences or a significant impact on them;
  • the right to delay or limit the personal data processing proportionally to its purpose;
  • the right to sue and receive compensation for violations in the processing of their personal data in accordance with the law and regulations;
  • the right to obtain their personal data from a data controller in a form that accords with the structure and/or format that is commonly used or readable by an electronic system; and
  • the right to use and send their personal data to other data controllers, as long as the systems used can communicate with each other securely in accordance with the personal data protection principles set out in the PDP Law.

With regard to exemptions, Article 15 of the PDP Law states that rights in the fourth, fifth, sixth, seventh, ninth and tenth bullets above are excluded for the following reasons:

  • the interests of national defence and security;
  • the interests of law enforcement;
  • public interest in the context of state administration;
  • supervision of the financial service sector and the stability of the monetary and financial system for the administration of the state; and
  • the interest of statistics and scientific research.

These exemptions apply solely within the scope of implementing the provisions of the PDP Law. They reflect the exceptions stipulated under the General Data Protection Regulation; however, the latter contains additional provisions related to the establishment of policies that may limit a data subject's rights.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Pursuant to Article 26 of Ministry of Communication and Informatics (MOCI) Regulation 20/2016, a data subject has the right to file a report for the purposes of personal data dispute settlement in case of a failure to protect the confidentiality of his or her personal data. The report against the electronic system organiser may be submitted to the MCDA. A similar form of dispute settlement is regulated in the PDP Law, Article 59 of which stipulates that the Personal Data Protection Authority (PDPA) is responsible for settling disputes involving personal data protection matters, although this remit is limited to out-of-court settlements.

Furthermore, Article 60 of the PDP Law stipulates that the PDPA is authorised to:

  • receive complaints and/or reports on allegations of personal data protection violations;
  • conduct inspections based on the allegations; and
  • impose administrative sanctions for personal data protection violations based on the PDP Law.

However, the PDPA has not yet been established and may only be established by the president, pursuant to Article 58 of the PDP Law.

In addition to the provisions set out in MOCI Regulation 20/2016 and the PDP Law, the Law on Electronic Information and Transactions imposes sanctions for certain criminal acts pertaining to personal data. Article 30 stipulates that unlawfully accessing an individual's computer and/or electronic system to unlawfully collect electronic information and/or electronic documents constitutes a criminal act and is subject to criminal sanctions. The alleged victim can file a report with the law enforcement authorities requesting the commencement of a criminal investigation.

7.3 What remedies are available to data subjects in case of breach of their rights?

The remedies available to data subjects may be sought through:

  • a personal data protection dispute; or
  • a criminal investigation and subsequent criminal court proceedings.

The remedies may thus take the form of:

  • compensation; or
  • criminal sanctions charged to the perpetrator in case of:
    • unlawful access; or
    • unlawful collection.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

The appointment of a data protection officer (DPO), as stipulated in Article 53(1) of the Personal Data Protection (PDP) Law, is obligatory only in the following cases:

  • The personal data is for the benefit of public services;
  • The core activities of the data controller are of such nature, scope and/or purpose as requires the regular and systematic monitoring of personal data on a large scale; or
  • The core activities of the data controller involve the large-scale processing of specific personal data and/or personal data relating to crimes.

If the personal data processing conducted by the data controller fulfils any of the aforementioned conditions and the data controller fails to appoint a DPO, it may be subject to administrative sanctions. Pursuant to Article 57(2) of the PDP Law, these administrative sanctions may take the form of:

  • a written warning;
  • the temporary suspension of personal data processing activities;
  • the erasure or removal of personal data; and/or
  • administrative fines.

8.2 What qualifications or other criteria must the data protection officer meet?

Subject to Article 53(2) of the PDP Law, a DPO must be appointed based on his or her:

  • professionalism;
  • knowledge of the law;
  • experience in the field; and
  • ability to fulfil the relevant duties.

Under the applicable regulations, there are no specific qualifications or other criteria required for a DPO. However, the implementing regulations on the appointment of a DPO have not yet been issued, so this could change in future.

8.3 What are the key responsibilities of the data protection officer?

Pursuant to Article 54(1) of the PDP Law, a DPO has the following duties at minimum:

  • informing and advising the data controller or data processor on compliance with the PDP Law;
  • monitoring and ensuring compliance with:
    • the PDP Law; and
    • the policies of the data controller or data processor;
  • assessing the impact of the personal data protection regime and monitoring the performance of the data controller and any data processors; and
  • coordinating and liaising on all issues related to the processing of personal data.

The implementing regulations on the appointment of a DPO have not yet been issued, so further responsibilities of DPOs may be elaborated in the future.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Under the currently applicable regulations, there are no provisions that stipulate whether the role of the DPO can be outsourced. However, the implementing regulations on the appointment of a DPO have not yet been issued, so further provisions in this regard may be elaborated in future.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Pursuant to Article 15(3)(b) of Ministry of Communication and Informatics (MOCI) Regulation 20/2016, the retention period for personal data is a minimum of five years.

However:

  • Article 16(2)(g) of the PDP Law states that a request from a data subject may affect the retention period, if the data controller is obliged to destroy and/or delete the personal data based on such request; and
  • Article 15(3)(a) of MOCI Regulation 20/2016 provides that the retention period may also be subject to sector-specific regulations.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

Precedents and best practices in Indonesia are still developing, as the PDP Law was only recently enacted. Further implementing regulations may establish additional requirements in this regard.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

Article 35 of the Personal Data Protection (PDP) Law stipulates that a data controller must protect and ensure the security of the personal data being processed by:

  • preparing and implementing operational technical measures aimed at protecting the personal data from disruption through personal data processing that is contrary to the law and regulations; and
  • determining the security level of personal data by taking into account:
    • the nature of the data; and
    • the associated risks of the personal data processing.

Furthermore, the data controller must prevent personal data from being accessed illegally by:

  • using a security system for the processed personal data; and/or
  • processing the personal data by using an electronic system in a reliable, secure and responsible manner, as stipulated in Article 39 of the PDP Law.

These obligations also apply to data processors, as reflected in Article 52 of the PDP Law.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Pursuant to Article 46(1) of the PDP Law, in case of a failure to protect personal data (eg, a data breach), the data controller must notify, via written notification, the data subject and the Personal Data Protection Authority (PDPA) within 72 hours of the occurrence of such data breach. Article 46(2) stipulates that the written notification must at least contain the following information:

  • the disclosed personal data;
  • when and how the personal data was disclosed; and
  • the steps taken by the data controller to address and recover from the data breach.

Article 46 further states that a failure to protect personal data encompasses a failure to protect such data in terms of its confidentiality, integrity and availability, including through security breaches – whether intentional or unintentional – leading to the destruction, loss, alteration, disclosure or unauthorised access of the personal data which is being transferred, stored or processed.

However, the PDPA has not yet been established and the implementing regulations pertaining to the PDPA have not yet been issued. As a result, the notification of data breaches is still governed by Government Regulation 71/2019.

Article 14(5) of Government Regulation 71/2019 stipulates that in the event of a failure to protect personal data, the electronic system provider must notify the data subject in writing. Furthermore, Article 24(3) provides that where third-party action has an adverse effect on the electronic system of an 'organiser', the organiser (ie, a data controller and/or a data processor in certain circumstances) must submit a report to:

  • the law enforcement agency (ie, the police); and
  • the relevant ministry or agency – that is, the Ministry of Communication and Informatics (MOCI), now known as the MCDA.

Therefore, any data breach that warrants notification must currently be notified to:

  • the data subject;
  • the ministry; and
  • the police.

In practice, it remains to be seen whether the obligation to notify the police is enforceable. Furthermore, the established practice is that the MCDA is the government institution that should be notified of any data breach. The MCDA has established its own data breach notification form for data controllers to populate with information on the data breach.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

In the event of a data breach, the data controller must notify the data subject within 72 hours of the occurrence of the data breach. The written notification must contain at least the following information:

  • the disclosed personal data;
  • when and how the personal data was disclosed; and
  • the steps taken by the data controller to address and recover from the data breach.

However, the PDP Law does not specify the exact conditions under which the data controller must submit written notification to a data subject.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

As the PDPA has not yet been established, data breaches are currently reported to the MCDA. The MCDA, through the Directorate General of Applications and Informatics, has established a procedure which involves the submission of a report form to the MCDA for its further assessment of the data breach.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

There are no employee-specific provisions that apply in the context of personal data protection. The general requirements and restrictions that apply to the personal data of employees in Indonesia are as follows:

  • Purpose limitation: Personal data must:
    • be collected and processed for a specific purpose; and
    • not be used for any other purpose without the consent of the data subject.
  • Data minimisation: Only that personal data which is necessary for the purpose for which it is collected should be collected.
  • Accuracy: Personal data must be accurate and up to date.
  • Storage limitation: Personal data must be stored for no longer than is necessary for the purpose for which it was collected.
  • Integrity and confidentiality: Personal data must be protected against unauthorised access, use, disclosure, alteration or destruction.
  • Transparency: Employees must be informed about the collection and processing of their personal data.
  • Data subject rights: Employees have the right to access, correct, delete, restrict and object to the processing of their personal data.
  • Accountability: Organisations must be accountable for compliance with the data protection requirements.

The requirements and restrictions on the processing of personal data in Indonesia are constantly evolving. Organisations should regularly monitor the latest developments in this area to ensure that they remain compliant with the law.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

There are no specific regulations on employee surveillance in Indonesia. However, general provisions on the installation of visual data processors or processing devices may apply. Article 17(1) of the Personal Data Protection (PDP) Law states that the installation of a visual data processor or processing device in public places and/or public services must comply with the following provisions:

  • Installation must be for the purpose of:
    • security;
    • disaster prevention; and/or
    • traffic management or the collection, analysis and regulation of traffic information.
  • Information must be displayed in areas where a visual data processor or processing device has been installed.
  • Information captured through the use of the visual data processor or processing device should not be used to identify a person.

Additionally, the second and third provisions above are excluded in relation to:

  • the prevention of crime; and
  • law enforcement processes.

Furthermore, we understand that workplaces may not be considered to constitute a 'public place'. On that note, as employee surveillance may potentially involve the collection of employees' biometric data, an explicit request for consent which elaborates on the surveillance will be required.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

There are no other requirements and/or restrictions that should be considered from an employment perspective in the data privacy context. However, best practice suggests that employment agreements should contain:

  • requests for consent with regard to the processing of employees' personal data; and
  • obligations for employees to adhere to the PDP Law where they process the personal data of company users/customers.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

There are no specific regulations on the use of cookies in Indonesia.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

There are no specific regulations on cloud computing services from a data privacy perspective in Indonesia. However, Ministry of Communication and Informatics (MOCI) Regulation 5/2020 on Electronic System Providers in the Private Sector does contain requirements on the governance of cloud computing services. Among other things, it stipulates that the governance of cloud computing services should encompass the following, at minimum:

  • the rights and obligations of users when using cloud computing services;
  • the rights and obligations of service organisers in conducting the operation of cloud computing; and
  • the responsibility of cloud computing service users when storing electronic information and/or documents in the cloud.

Additionally, cloud computing services organisers must provide electronic information and/or documents on users in their possession for the purposes of supervision and law enforcement.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The Personal Data Protection Law does not recognise or regulate the sale of personal data. However, the general practice when processing data primarily relies on the consent of the data subject. Therefore, if the sale or transfer of personal data has been consented to by the data subject, such sale or transfer may be deemed lawful.

Additionally, if personal data sold may potentially be used for targeted advertising, the prior consent of the data subject is required, as this may be interpreted as the processing of personal data. Separate consent for targeted advertising is typically obtained on top of the usual consent for data collection and processing.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

There have been few notable data protection disputes to date in Indonesia. However, in theory, data protection disputes may be resolved through the following forums:

  • Personal Data Protection Authority (PDPA): The PDPA is an independent body that is responsible for enforcing the Personal Data Protection (PDP) Law, although the PDPA has not yet been established. The PDPA can:
    • hear complaints from data subjects; and
    • take enforcement action against organisations that violate the PDP Law.
  • The courts: Data privacy disputes can also be heard in the courts, which have the power to:
    • order organisations to comply with the PDP Law; and
    • award damages to data subjects who have been harmed by a breach of the PDP Law.
  • Alternative dispute resolution (ADR): Data privacy disputes can also be resolved through ADR, such as mediation or arbitration.

12.2 What issues do such disputes typically involve? How are they typically resolved?

As there have been few disputes on these matters, this question is difficult to answer. However, one recent relevant case is discussed in question 12.3.

12.3 Have there been any recent cases of note?

One recent notable case that arose in 2020 involved a dispute between e-commerce platform Tokopedia and the MOCI on one side and Tokopedia customers on the other. The dispute involved a data breach experienced by Tokopedia, in which the personal data of customers was disclosed (ie, email addresses and telephone numbers).

The dispute was heard at the district court on the basis of tort, as customers claimed that the data breach had violated the Indonesian consumer protection regulations. The district court presiding over the civil lawsuit did not hold Tokopedia or the MOCI liable and stated that the lawsuit should have been filed through the state administrative courts.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The data protection regime in Indonesia is still in its infancy. Companies are undertaking adjustments to ensure compliance with the relevant regulations. However, precedent and best practices have not yet emerged.

As the Personal Data Protection Law is relatively new, further implementing regulations are still being prepared and have not yet been established. However, as Indonesia enters a transitional period with a new presidential regime, it is unclear when the implementing regulations will be established.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Indonesian practice mostly relies on the consent regime as a basis for personal data processing. The use of other legal bases for personal data processing is not as significant as the use of the consent regime, although this may be because the data protection regime in Indonesia is still in its infancy. On that note, requests for consent should generally be implemented when conducting operations in Indonesia – although we understand that several contexts of data processing may require different bases; for example, if the data processing is urgent, an alternative basis may be more beneficial.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
