Indonesia: Personal Data Protection Law - What you need to know - Part one

On 20 September 2022, the House of Representatives ratified the final draft of the Personal Data Protection Act1 which, once formally enacted into law, will become the Law on Personal Data ('the Law'). The Law is expected to unify Indonesia's patchwork of data protection legislation, which is currently limited to electronic information and systems, namely Law No. 11 of 2008 on Electronic Information and Transactions and Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems. OneTrust DataGuidance provides an overview of the Law and its key provisions, with part one covering the scope of application, key definitions and principles, legal bases for processing, and rights of data subjects, and part two covering controller and processor obligations, data transfers, and enforcement and entry into force of the Law.

Scope (Articles 2, 50)

The Law applies to persons, public agencies, and international organisations that perform legal actions regulated by the Law where located:

  • within the jurisdiction of the Republic of Indonesia; and
  • outside the jurisdiction of the Republic of Indonesia, where there are legal consequences within:
    • the jurisdiction of the Republic of Indonesia; and/or
    • for personal data subjects of Indonesian citizenship outside the jurisdiction of the Republic of Indonesia.

Please note that the Law does not apply to the processing of personal data by individuals in personal or household activities.

In addition, the obligations of personal data controllers referred to in Articles 30, 32, 36, 42, 43(1)(a) to (c), 44(1)(b), 45, and 46(1)(a) are exempted for:

  • the interests of national defence and security;
  • the interests of the law enforcement process;
  • public interests in the administration of the state; and
  • the interest of supervision of the financial services sector, monetary and payment system, as well as financial system stability carried out in the context of state administration.

The exceptions above will only apply in the context of implementing the provisions of the Law.

Key definitions (Articles 1, 4, 16)

The Law provides a number of definitions including personal data, personal data controller, personal data processor, subject of personal data, among others.

Similar to international data protection law, personal data is defined as data about an identified or identifiable natural person, whether alone or in combination with other information, either directly or indirectly, through electronic or non-electronic systems. Furthermore, the Law outlines specific types of personal data.

In addition, a personal data controller is any person, public body, or international organisation that acts individually or jointly in determining the objectives of, and exercising control over, the processing of personal data; whereas a personal data processor is any person, public body, or international organisation acting individually or jointly in processing personal data on behalf of the controller.

Furthermore, the processing of personal data includes acquisition, collection, processing, analysis, storage, fixes, updates, deletion, and/or destruction.

Processing principles (Articles 16, 28, 29, 47)

The Law provides a number of data processing principles, including:

  • personal data collection must be limited, specific, legally valid, and transparent;
  • processing must be carried out in accordance with its purpose;
  • processing must be carried out by guaranteeing the rights of data subjects;
  • processing must be carried out in an accurate, complete, not misleading, up-to-date, and accountable manner;
  • processing must be carried out by protecting the security of personal data from unauthorised access, disclosure, and alteration, as well as misuse, destruction, and/or loss of personal data;
  • processing must be carried out by notifying the purpose and processing of activities;
  • personal data is destroyed and/or deleted after the retention period ends or at the request of the data subject, unless otherwise stipulated by laws and regulations; and
  • processing must be carried out responsibly and can be clearly proven.

Legal bases (Articles 9, 20, 22, 23, 24, 40)

Controllers are required to have a basis for processing personal data, which include:

  • where there is explicit valid consent for one or several specific purposes;
  • for the fulfilment of contractual obligations to which the data subject is a party, or where the controller is fulfilling a request of the data subject at the time of entering into the agreement;
  • for the fulfilment of legal obligations in accordance with the provisions of laws and regulations;
  • for the fulfilment of vital interest(s) of the data subject;
  • in carrying out tasks in the context of public interests, public services, or exercising the authority of the controller based on the laws and regulations; and/or
  • for the fulfilment of other legitimate interests, taking into account the objectives, needs, and balance of interests of the controller and the rights of the data subject.

In regard to consent, consent can be written or recorded and can be electronic or non-electronic. Consent, however, must be clearly distinguishable from other purposes and provided in an understandable and accessible format. Moreover, the controller is required to demonstrate the consent provided by the data subject. Please also note that the data subject has the right to withdraw their consent to the processing of their personal data, and the controller must stop processing upon receipt of such withdrawal.

Furthermore, the use of a legal basis that does not satisfy the disclosure requirements will be null and void.

Special categories of personal data (Articles 4, 25, 26)

Personal data of a specific nature includes health data/information, biometric data, genetic data, criminal records, child data, personal financial data, and other data in accordance with the provisions of the legislation.

In regard to children's data, where the processing of children's personal data is carried out on a regular basis, the approval of the child's parent and/or guardian must be obtained in accordance with the provisions of laws and regulations.

Moreover, in relation to the processing of personal data of persons with disabilities, the controller must obtain approval from the persons with disabilities and/or their guardians in accordance with the provisions of laws and regulations. Furthermore, such processing must be carried out through communication using certain methods in accordance with the provisions of laws and regulations.

Data subject rights

Right to be informed (Articles 21, 41, 45)

When processing of personal data is based on the legal basis of consent, the controller is obliged to notify the data subject of information regarding:

  • the legality of the processing of personal data;
  • the purpose of processing personal data;
  • the type and relevance of the personal data to be processed;
  • the retention period of documents containing personal data;
  • details regarding the information collected; and
  • the period of processing of personal data.

Moreover, where there are changes to the information above, the controller is obliged to notify the data subject before any change to the information occurs.

Furthermore, the controller is obliged to notify the data subject whether delays and restrictions on processing have been implemented, as well as of the deletion and destruction of their personal data.

Right to access (Articles 5, 7, 13, 32)

As a general principle, data subjects have the right to obtain information about the clarity of identity, the basis of legal interests, the purpose of the request and use of personal data, and the accountability of the party requesting personal data.

In addition, data subjects are also entitled to access and obtain a copy of their personal data in accordance with the provisions of laws and regulations.

Furthermore, controllers must provide access to personal data processed, along with the track record of processing in accordance with the period of storage. Such access should be granted no later than 72 hours after the access request is received.

Controllers can refuse to grant access where access would:

  • endanger the security, physical health, or mental health of the data subject and/or other people;
  • impact on the disclosure of other people's personal data; and/or
  • be contrary to the interests of national defence and security.

Right to correction (Articles 6, 30)

Data subjects have the right to complete, update, and/or correct errors and inaccuracies in their personal data according to the purpose of processing.

Controllers are obligated to update and/or correct errors and/or inaccuracies in such personal data no later than 72 hours after receiving a request.

Please note controllers are required to notify the results of updating and/or correcting to the data subject.

Right to deletion (Articles 8, 43, 44)

Correspondingly, data subjects have the right to end processing, delete, and/or destroy their personal data in accordance with the provisions of laws and regulations.

More specifically, controllers are obliged to delete personal data where:

  • the personal data is no longer necessary for the achievement of the purposes of processing personal data;
  • the data subject has withdrawn their consent to the processing of the personal data;
  • there is a request from the data subject; and
  • the personal data is obtained and/or processed in an unlawful manner.

Furthermore, the controllers are required to destroy personal data in a number of scenarios, including where:

  • the retention period has expired and the personal data is designated for destruction under the archive retention schedule;
  • there is a request from the data subject;
  • the personal data is not related to the settlement of the legal process of a case; and/or
  • the personal data is obtained and/or processed in an unlawful manner.

Automatic decision-making (Article 10)

Data subjects have the right to object to decision-making actions based solely on automated processing, including profiling, which has legal consequences or has a significant impact on the data subject. The submission of objections to the automatic processing will be regulated in a Government Regulation.

Right to restriction of processing (Articles 11, 41)

Data subjects have the right to delay or limit the processing of personal data in proportion to the purposes for which the personal data is processed. In addition, the controllers are obligated to delay and limit the same either partially or completely no later than 72 hours from when the controller receives a request.

Right to sue (Article 12)

Data subjects have the right to sue and receive compensation for violations with personal data processing in accordance with the provisions of laws and regulations. Furthermore, the provision regarding such violation will be regulated in a Government Regulation.

Right to data portability (Article 13)

Data subjects have the right to obtain and/or use personal data about themselves obtained from the controller in a form that is in accordance with the structure and/or format commonly used or readable by the electronic system.

In addition, data subjects have the right to use and send their personal data to other controllers, as long as the system used can communicate with each other securely in accordance with the personal data protection principle within the Law. Furthermore, the provisions on the use and transmission of personal data will be regulated in a Government Regulation.

Personal information rights procedures (Article 15)

The exercise of the rights of the personal data subject must be submitted through a registered application submitted electronically or non-electronically to the controller.

Furthermore, exceptions to data subject rights in relation to Articles 8, 9, 10(1), 11, and 13(1) and (2) include:

  • the interests of national defence and security;
  • the interests of the law enforcement process;
  • public interests in the administration of the state;
  • the interests of the supervisors of the financial services sector, monetary, payment system, and the stability of the financial system carried out in the context of state administration; or
  • the interest in statistics and scientific research.

Conclusion

As outlined above, part one examined the scope of application, key definitions and principles, legal bases for processing, and rights of data subjects. Part two provides an overview of controller and processor obligations, data transfers, and enforcement and entry into force of the Law.

Keshawna Campbell, Lead Privacy Analyst
Karan Chao, Senior Privacy Analyst


1. Only available in Indonesia: https://www.dpr.go.id/dokakd/dokumen/K1-RJ-20220920-123712-3183.pdf