This in-depth guide explores the various aspects of Indonesia’s Personal Data Protection Law, including its scope, data subjects’ rights, responsibilities of data controllers and data processors, as well as sanctions. Learn more about the law and how it affects businesses dealing with Indonesian residents.

Introduction to the PDP Law

The Indonesian approach to personal data protection is a bit fragmented, with privacy laws appearing in different pieces of legislation.

After years of deliberation, the country has finally passed a Personal Data Protection Law that has been on the table since 2016.

The new PDP Law will replace the existing patchwork of laws with a single system to regulate how user data is collected, processed, stored, and shared with third parties.

One of the reasons why the regulation was stifled was because there was a debate about monetary sanctions and an enforcement body. They deliberated if an independent entity should regulate personal data protection in the country.

Amid the series of data security violations in the country, the government is counting on the new law to act as a preventive measure.

The law was enacted to protect the personal data of individuals as well as to regulate the activities of those who collect, process, store, and use residents’ personal data.

The Indonesian Personal Data Protection Law (PDPL) was signed on September 20, 2022, and will take effect once it’s promulgated.

Scope of the PDPL

The Personal Data Protection Law (PDP Law) is set to cover every sector and organization dealing with the personal data of Indonesian residents. And it will require comprehensive protection of user data from both online and offline businesses.

The regulation has a total of 72 articles and 15 chapters that covers Indonesian users’ data rights, data storage, and processing, as well as prohibitions on data use. 

The definition of “personal data” can be found in Article 1 of the PDP Bill, while “sensitive data” is defined in Article 3.

Who the PDPL applies to

The data protection bill will apply to registered organizations that do any kind of business with Indonesian residents in and outside Indonesia and process personal data with the exception of  data processing by individuals on private or family matters.

Any entity, no matter where in the world they are located and regardless of whether they are private or public, will need to comply with the PDP Law if they process the personal data of Indonesian residents.

The PDP Law distinguishes between a data controller and a data processor.

The Data Controller: The party that determines the purpose of the processing of personal data.

The Data Processor: The party that processes personal data on behalf of the personal data controller.

Data controllers and data processors can be individuals, corporations, public entities, business actors, organizations, or institutions. Under the PDP Bill, the data controller bears the primary liability of personal data processing.

Definition of personal and sensitive data under the PDPL 

Personal data: The PDP Law defines personal data as any actual and accurate data on individuals that are collected, stored, and processed that makes such data users identifiable, directly or indirectly; by reference to identifiers such as date of birth, personal population identification card number, fingerprints, or important events involving birth, divorce, marriage, name change, etc.

Sensitive data: Sensitive data is defined in the PDP Bill as any data that requires a much higher level of protection. This includes user data as regards religious beliefs, health, personal financial information, sexual life, physical and mental conditions, and any other information that may be unsafe or risk the security of the data subject.

Legal basis for processing personal data

The PDP Bill outlines several requirements to ensure that the processing of personal data is lawful. Among other things, those requirements include obtaining consent.

Entities must have a permit from the Ministry before they can process user data concerning their genetic, health, or other personal data, including their ethnic origins, political views, or information about their sexual life.

Consumer rights under Indonesia’s Personal Data Protection Law

Data processors and data controllers are obligated by the law to grant data subjects the following rights:

• The right to obtain access to change or update their personal data
• The right to be informed
• The right to rectification
• The right to request the deletion of their personal data
• The right to opt-out
• The right not to be subject to automated decision-making like individual profiling
• The right to data portability
• The right to restrict the processing of their personal information
• The right to be notified of breaches
• The right to compensation in case of any data breaches that could result in violation of the rules

Enforcement

The Ministry of Communication and Information Technology (MCIT) is in charge of implementing the law.

The Personal Data Protection Law mandates organizations to inform both data users and the Ministry of a data breach within 72 hours. The notifications should include the compromised user data, the time it was compromised, and how the business intends to solve it.

Penalties and fines

The law brings some of the strictest penalties to non-compliance; companies that violate the Data Protection Law will be fined up to $14.4 million and/or face prison time from two to seven years, depending on the violation.

Is your company prepared for Indonesia’s Personal Data Protection Law?

The PDPL will impose stringent requirements on data controllers and processors while giving users more control over their personal information.

While the country’s lawmakers have taken a step towards protecting its people’s privacy, companies are required to be more proactive in ensuring data security by implementing robust policies and procedures.

This means that your business operations should align with this new regulation so that you can comply with the new regulations, better protect data, and meet the expectations of customers. 

To start businesses should:

1. Examine how they collect, store, share, or modify user data and determine what changes need to be made together with their legal and or privacy/security/technical team. Ensure that all necessary control measures are set up before the PDPL goes into effect. Data controllers that do personal data processing with high potential risks must also work on a data protection impact assessment ("DPIA").

2. Assess their contracts with data subjects and third parties to make sure they cover all the important clauses pertaining to data subject rights.

3. Ensure their staff is trained on the upcoming changes and ensure that contracts, policies, and notices are updated to align with the new privacy law.

4. Adopt data security measures that protect the integrity of their IT systems, such as enabling robust encryption, approved access control mechanisms, and strong authentication.

5. Implement data privacy software to automate certain processes and manage your company’s privacy program.

How Mine PrivacyOps can help

Mine PrivacyOps - the all-in-one privacy platform - offers a range of comprehensive solutions to manage your privacy program, from data subject request fulfillment to data governance.

The software helps you address the increasing challenges of managing your information and privacy programs on a day-to-day basis while protecting your organization's assets.