Indonesia: PDPL enters into force

The Personal Data Protection Law ('PDPL') was signed by the President and entered into force on 17 October 2022, following the ratification of the final draft of the Personal Data Protection Act in September 2022. In particular, the PDPL establishes obligations for controllers and processors, as well as rights for data subjects. More specifically, the PDPL provides lawful bases for the processing of personal information, including additional protections for 'special categories of personal data' such as health information, criminal records, children's information, and personal financial data. Moreover, the PDPL provides data subject rights, such as the rights to access, correct, and delete personal data, as well as rights to terminate and restrict processing and automated decision-making.

In regard to controller and processor obligations, the PDPL introduces requirements including:

  • conducting a Data Protection Impact Assessment ('DPIA') for high-risk processing;
  • notifying the relevant institution and the data subject within 72 hours of a personal data breach;
  • appointing a data protection officer ('DPO') for certain processing activities;
  • limits on the transfer of personal data outside Indonesia to countries with an equal level of personal data protection; and
  • specific requirements for the transfer of personal information including during mergers and acquisitions.

In addition, the PDPL establishes an institution responsible for administering the PDPL and imposes administrative sanctions of up to 2% of annual revenue for violations, as well as criminal sanctions of up to six years' imprisonment or a fine of IDR 6 billion (approx. €391,250) for certain offences.

Finally, Article 74 of the PDPL provides that controllers, processors, and any other parties related to the processing of personal data will have two years from the date of promulgation to comply with the PDPL.

You can access the PDPL, only available in Indonesian, here.
