October 2023

1. Governing Texts

The concern of data protection exists wherever personal data is collected or stored. As a general guidance, Indonesia provides for the protection of the data of its citizens in the Constitution of the Republic of Indonesia 1945 ('the Constitution'). In particular, Article 28G (1) of the Constitution states that 'each person shall have the right to the protection of their personal selves, families, respect, dignity, and possessions under their control.'

On October 17, 2022, Indonesia enacted a specific law regulating personal data protection, i.e., Law No. 27 of 2022 regarding Personal Data Protection (only available in Indonesian here) ('the PDPL'). Unlike the previous regulatory regime that focused on personal data processed through an electronic system, the PDPL applies to personal data processed by both electronic and non-electronic means. The Government of Indonesia ('the Government') is in the process of enacting implementing regulations to the PDPL, which will elaborate the provisions of the PDPL. In addition to the above, provisions applicable to data protection in Indonesia are found in several regulations.

1.1. Key acts, regulations, directives, bills

In the past decades, data protection laws in Indonesia have undergone significant progress and development. To date, Indonesia has enacted various laws relating to data privacy in a number of specific areas. Most notably, Indonesia recently passed the PDPL, which is now the main regulation on personal data protection.

The PDPL regulates the rights of personal data subjects, the obligations of personal data controllers and personal data processors, and the relevant principles and requirements for processing personal data.

The implementation of the PDPL is still subject to implementing regulations that have yet to be enacted. As of September 2023, the Government has made progress towards the enactment of the regulations implementing the PDPL with the release of the Draft of the Government Regulation of 2023 regarding the Implementation of Law Number 27 of 2022 regarding Personal Data Protection (only available in Indonesian here) ('the Draft PDPL Implementing Regulation'). The PDPL also provides a two-year grace period from its enactment for its implementation by controllers, processors, and other relevant parties that process personal data.

Personal data protection laws and regulations

In addition to the PDPL, there are other provisions governing the protection of personal data specifically in the realm of electronic systems which apply to electronic system providers ('ESPs') and that existed prior to the enactment of the PDPL, hereinafter referred to as the 'PDP Regulations'. The PDP Regulations still apply insofar as they do not conflict with the provisions of the PDPL.

Primarily, the provisions on personal data protection can be found in Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions (only available in Indonesian here) ('the Electronic Information Law'). The Electronic Information Law came into force on November 25, 2016, prior to being partially revoked by Law No. 1 of 2023 regarding the Criminal Code (only available in Indonesian here) ('the Criminal Code'), which will take full effect in 2026. The procedural guidelines for the Electronic Information Law are contained in Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (only available in Indonesian here) ('GR 71'), which revokes the previous Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions ('GR 82').

The Electronic Information Law provides that, unless otherwise regulated, the use of any information pertaining to a person's personal data through electronic media requires the consent of such person. The elucidation of the Electronic Information Law provides that the protection of personal data is a part of the right to privacy which encompasses the following:

• the right to enjoy a private life, free of any disturbance;
• the right to communicate with other people without any espionage; and
• the right to monitor the access of information about a person's personal life and data.

To further clarify and implement data protection in electronic systems, the Minister of Communication and Information ('Kominfo') issued, December 1, 2016, Regulation No. 20 of 2016 on Personal Data Protection in Electronic System ('Kominfo Regulation 20'). Kominfo Regulation 20 established consent as the core foundation of data privacy protection under the Indonesian data privacy laws, so that all processing can only be implemented after obtaining consent from the data subject.

The Government further clarified the scope of protection for personal data by issuing Government Regulation No. 40 of 2019 on the Implementation of Law No. 23 of 2006 as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) ('GR 40'). GR 40 came into force on May 24, 2019. Furthermore, the activity of trading through electronic systems is governed by Government Regulation No. 80 of 2019 regarding Trading through Electronic System (only available to download in Indonesian here) ('GR 80').

Finally, as mentioned above, GR 71, which came into force on  October 10, 2019, reaffirms the existing concepts of personal data protection encapsulated in the present Indonesian data protection regulations and contains several previously unrecognized additions to ESPs' obligation with regard to the protection of personal data previously set out in GR 82.

Other laws

Indonesian citizens are entitled to the protection of their personal data collected under Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) ('the Demography Law'), which came into force on December 24, 2013.

Personal data in the health sector is also governed under Ministry of Health ('MOH') Regulation No. 24 of 2022 on Medical Record (only available in Indonesian here), which provides for obligations pertaining to the storing, deletion, and confidentiality of medical records.

In the field of banking, personal data was initially governed under the Bank Indonesia Regulation No. 22/20/PBI/2020 regarding the Protection of Bank Indonesia Consumer, which has been revoked and replaced by Bank Indonesia Regulation No. 3 of 2023 regarding the same (only available in Indonesian here) ('Bank Indonesia Regulation 3 of 2023'). In essence, the Bank Indonesia Regulation 3 of 2023 sets forth the obligation for banking or non-banking entities that are under the supervision of Bank Indonesia to keep the confidentiality and security of its consumers' data (e.g., the requirement for the consumer's consent before transferring their personal data).

In the financial services sector, the relevant provisions for personal data protection can be found in Financial Services Authority (also known as Otoritas Jasa Keuangan or 'OJK') Regulation No. 6/POJK.07/2022 of 2022 regarding Customer and Public Protection in the Financial Services Sector (only available in Indonesia here) ('OJK Regulation 6/2022'). The OJK Regulation 6/2022 requires financial service institutions to protect the confidentiality and security of customers' personal data. Additionally, Law No. 4 of 2023 regarding the Development and Strengthening of the Financial Sector (only available in Indonesia here) introduces new provisions guaranteeing the protection of customers' personal data in the context of financial services.

1.2. Guidelines

The main law for personal data protection in Indonesia is the PDPL, along with the PDP Regulations. As stated earlier in the section on key acts, regulations, directives, bills above, the enforcement of the provisions of the PDPL will require the enactment of implementing regulations in the form of Government regulations and Presidential regulations, the former of which is in the process of being drafted.

1.3. Case law

Cases on breaches of the Electronic Information Law primarily concern issues such as defamation through electronic platforms or negligence in the management of electronic systems. However, there have been cases where individuals have contested the constitutionality of the enacted PDPL provisions. To date, there have been very few cases concerning unlawful acts specifically pertaining to personal data protection in Indonesia.

Some of the notable/landmark cases concerning personal data protection are outlined below.

Constitutional Court Decision No. 20/PUU-XIV/2016

Decision No. 20/PUU-XIV/2016 (only available in Indonesian here) was submitted by Setya Novanto, the former speaker of the House of Representatives of the Republic of Indonesia ('DPR'). He requested that the Constitutional Court of the Republic of Indonesia ('the Constitutional Court') adjudicate the Constitutionality of several Articles pertaining to interception and evidence contained in the Electronic Information Law (before the latest amendment was issued) and Law No. 20 of 2001 on the Amendments to Law No. 31 of 1999 regarding the Eradication of Criminal Acts of Corruption (only available in Indonesian here) ('the Corruption Law'). The Articles concerned were Articles 5(1) and (2) and 44(b) of the Electronic Information Law and Article 26A of Corruption Law, which state that electronic information and/or documents are valid evidence before a court. The main contention of the applicant was that the aforementioned Articles did not provide limitations regarding the type of electronic information and/or documents that are valid evidence before a court, therefore, opening up the possibility of admitting electronic information and/or documents that are obtained through unlawful interception by an unauthorized party.

In its decision, the Constitutional Court, while acknowledging that interception may impinge on the rights of individuals, emphasized that there were already several legal bases that stipulate the procedure for a lawful interception. In addition, the Constitutional Court held that the interpretation of the term 'electronic information and/or documents' in the context of evidence before a court will contradict the Constitution unless it is interpreted alongside the phrase 'electronic information and/or electronic documents obtained in accordance with applicable laws and regulations and/or carried out in the framework of law enforcement at the request of the Police, the Attorney General's Office, the Corruption Eradication Commission, and/or other law enforcement agencies.'

Therefore, the Constitutional Court limited the scope of valid electronic information and/or documents evidence in courts to electronic information and/or documents that are obtained in accordance with law and/or carried out by law enforcement agencies.

Constitutional Court Decision No. 108/PUU-XX/2022

Decision No. 108/PUU-XX/2022 (only available in Indonesian here) was brought by an individual to contest the Constitutionality of Articles 1(4), 2(2), and 19 of the PDPL. Firstly, the applicant claimed that by not allowing legal entities to act as controllers under Articles 1(4) and 19 of the PDPL, it would limit the expertise and benefits derived from the personal data subjects in the form of such entities. Secondly, the applicant raised a concern that Article 2(2) of the PDPL undermines the protection of personal data subjects by excluding data processing activities carried out by individuals in personal or household contexts from the scope of the PDPL provisions. The Constitutional Court rejected both propositions of the applicant. With regard to the first claim, the Constitutional Court stressed that the phrase 'every person' in both Article 1(4) and Article 19 of the PDPL includes legal entities when read in conjunction with Articles 1(7) and 1(8) of the PDPL. As such, legal entities that possess the necessary expertise to ensure the ideal degree of data protection, as referred to by the applicant, may be appointed as controllers under the PDPL. Other provisions of the PDPL, such as Article 48, provide certain obligations for legal entities in their capacity as processors. The Constitutional Court concluded its position with regard to the first claim by underlining the significance of Article 1(4) of the PDPL and stating that a declaration of its unconstitutionality would inevitably leave a legal vacuum concerning the legal subjects that may assume the role of controller.

The Constitutional Court then turned to the applicant's second contention concerning Article 2(2) of the PDPL which, in the applicant's view, provides no legal protection for data processing activities in the context of e-commerce activities, which are largely conducted in a household context and are therefore, excluded from the scope of the PDPL provisions. While the Constitutional Court did affirm the existence of personal data protection as a human right, it dismissed the applicant's second contention by stating that the aforementioned exclusion only applies to private acts by individuals that are purely non-commercial in nature. As such, e-commerce practices are not excluded by Article 2(2) of the PDPL and instead fall under the ambit of Article 2(1) of the PDPL even when they are performed in a personal or household context. A final point highlighted by the Constitutional Court ties to the fact that Article 2(2) of the PDPL ensures that the various encumbering legal obligations imposed by the provisions of the PDPL are not imposed against natural persons who engage in the processing of personal data for personal or household activities.

Constitutional Court Decision No. 110/PUU-XX/2022

In Decision No. 110/PUU-XX/2022 (only available in Indonesian here), the Constitutional Court ruled on the Constitutionality of Article 15(1)(a) of the PDPL. In the view of the applicant, the exception concerning interests of national defense and security under Article 15(1)(a) were not sufficiently defined and as such could be abused to set aside the inherent human right to privacy. In light of this concern, the applicant requested Article 15(1)(a) to be declared unconstitutional or alternatively conditionally unconstitutional as long as it is not interpreted as 'interests related to efforts taken in the pursuit of maintaining the sovereignty of the State, the integrity of its territory, and security of its people from all threats.'

In dismissing the applicant's request, the Constitutional Court stated the PDPL has established rigid rights and obligations for personal data subjects, processors, and controllers to minimize any potential injustice or abuse against the public, which is reinforced by the existence of dispute settlement mechanisms such as arbitration, litigation, and alternative dispute resolution institutions. The Constitutional Court also stressed that the exception concerning interests of national defense and security under Article 15(1)(a) of the PDPL could not be viewed on its own and must be interpreted in tandem with the other exceptions listed under the Article, especially with respect to the exception of public interest in the context of State administration governed by Article 15(1)(c). This particular exception is a manifestation of the principle of public interest as provided under Article 3 of the PDPL. As such, in the view of the Constitutional Court, the PDPL has put in place sufficient safeguards to prevent the abuse of Article 15(1)(a). The Constitutional Court concluded that the application of such Article would be in line with the principle of public interest as long as it was applied only in the context of protecting such interests and the public in accordance with the applicable regulations.

Central Jakarta District Court Case No. 235/PDT.G/2020/PN.JKT.PST.

Case No. 235/PDT.G/2020/PN.JKT.PST. (only available in Indonesian here) of the Central Jakarta District Court is a notable case regarding data protection law. The parties involved in the case are the Indonesian Consumer Community (Komunitas Konsumen Indonesia or 'KKI'), acting as the plaintiff, and Kominfo and PT Tokopedia, as the defendants. The case concerns the leakage of PT Tokopedia's consumer personal data of approximately 15 million accounts. The plaintiff mainly argued that Kominfo failed to act diligently in overseeing the electronic systems used by PT Tokopedia and that PT Tokopedia did not act in good faith as it never notified the affected users, in writing, of the data breach, which caused or could have caused losses for the affected Tokopedia account owners. Reference was made by the plaintiff to several regulations including the Kominfo Regulation 20, GR 71, GR 80, and the Demography Law.

As identified by the Central Jakarta District Court, the main request by the plaintiff involved ordering Kominfo to revoke the Electronic System Provider Registration Certificate of PT Tokopedia and to sanction PT Tokopedia by way of an administrative fine of IDR 100 billion (approx. $6.37 million) which must be paid to the State Treasury no later than 30 calendar days from when the verdict of the case becomes legally binding. However, the case was dismissed by the Central Jakarta District Court as the demands by the plaintiff were found to be administrative acts falling under the jurisdictional competence of the Administrative Court of Jakarta and not the Central Jakarta District Court, in accordance with Article 2(1) of Supreme Court of the Republic of Indonesia Regulation No. 2 of 2019. This decision was eventually upheld by the Central Jakarta Court of Appeal and the Supreme Court of the Republic of Indonesia.

Other than the cases above, it is important to also note that there was a major allegation of personal data leakage that occurred in Indonesia in May 2021 involving Indonesia's Health Social Security Administrator Body ('BPJS Kesehatan'). The amount of personal data leaked was alleged to be approximately 279 million individuals. As of September 2023, there is still no publicly available record of a court decision pertaining to this allegation.

2. Scope of Application

2.1. Personal scope

PDPL and Draft PDPL Implementing Regulation

Both the PDPL and the Draft PDPL Implementing Regulation apply to any person (individuals and corporations), public body, or international organization. They do not apply to personal data processing carried out by individuals for the purpose of personal or household activities. Article 3(2) of the Draft PDPL Implementing Regulation further clarifies that personal or household activities refer to data processing activities which are:

• done to fulfill personal or household needs;
• not of a professional and/or commercial character; and
• not intended for the public.

PDP Regulations

The PDP Regulations primarily focus on electronic information. Accordingly, the personal scope of the PDP Regulations is relatively broad as seen through the definition of an ESP under the PDP Regulations, which seems to be generic in nature. An 'ESP' is defined as every person, State administrator, business entity, and community providing, managing, and/or operating an electronic system, either individually or jointly, for electronic system users for its personal purpose and/or another party's purpose.

In this regard, the term 'electronic system' is defined in GR 71 and the Kominfo Regulation 20 as a set of electronic devices and procedures that function to prepare, collect, process, analyze, retain, display, publish, transmit, and/or disseminate electronic information. In this case, the interpretation applied by the Kominfo is that any person or entity that stores data electronically would be considered an ESP using an electronic system and therefore, would be subject to the PDP Regulations.

Furthermore, GR 71 distinguishes two types of ESPs, namely public scope ESPs and private scope ESPs. Public scope ESPs are:

• State administrator agencies, defined in GR 71 as legislative, executive, and judicial institutions at the central and regional level;
• other agencies formed by virtue of laws and regulations; and
• institutions appointed by State administrator agencies.

The latter refers to institutions providing electronic systems with a public scope on behalf of the appointing State administrator agency. It should be noted that Article 2(4) of GR 71 excludes public scope ESPs which are regulatory and supervisory authorities in the financial sector.

In contrast, the definition of private scope ESPs covers the provision of electronic system by individuals, business entities, and the public, which includes:

• ESPs regulated or supervised by the ministries or institutions based on laws and regulations; and
• ESPs with portals, sites, or applications in a network via the internet that are used for certain purposes, such as providing, managing, and/or operating offers and/or trade of goods and/or services, including ESPs whose electronic system is used and/or offered in Indonesia (Article 2(5)(b) of GR 71).

2.2. Territorial scope

PDPL and Draft PDPL Implementing Regulation

The PDPL applies to any person, public body, or international organization that carries out a legal action contemplated under the PDPL and is located:

• within the jurisdiction of Indonesia; and/or
• outside the Indonesian jurisdiction but its action has a legal impact in Indonesia and/or on Indonesian personal data subjects outside the Indonesian jurisdiction.

It is worth noting that the  Draft PDPL Implementing Regulation provides similar provisions that extend its scope of application to both the personal data processing activities within and beyond the jurisdiction of Indonesia, the latter being subject to certain requirements.

PDP Regulations

The data protection provisions of the Electronic Information Law apply extraterritorially in certain circumstances. In particular, Article 2 of the Electronic Information Law, which states that the Electronic Information Law 'is applicable to every person who commits a legal act as regulated under this Law, both who are within Indonesian jurisdiction and outside of Indonesian jurisdiction, and which has legal consequences in Indonesian jurisdiction and/or outside of Indonesian jurisdiction and which is detrimental to Indonesia's interest.'

The extraterritorial scope is further emphasized by the elucidation of Article 2. These provisions have been enacted under the consideration that the use of information technology ('IT') for electronic information and electronic transactions can be cross-territorial or universal.

The phrase 'detrimental to Indonesia's interest' should be construed to include, but not limited to, detriments to national economic interests, strategic data protection, the dignity of the Nation, State defense and security, State sovereignty, citizens, as well as Indonesian legal entities.

Similarly, it is worth noting that Article 4(c) of the Criminal Code also provides for an extraterritorial scope, which provides that the provisions of the Criminal Code apply to any crimes in the field of IT or other crimes with consequences within the territory, ship, or aircraft of Indonesia. In certain circumstances, the Criminal Code also applies to any person outside the territory of Indonesia and also to Indonesian nationals abroad, subject to further defined conditions.

2.3. Material scope

PDPL and Draft PDPL Implementing Regulation

Personal data is defined as any data concerning a person who is identified or may be identified independently or combined with other information, either directly or indirectly, through an electronic or non-electronic system. Pursuant to Article 4 of the PDPL, personal data is comprised of specific personal data and general personal data.

Specific personal data is personal data that, in its processing, may have a large impact on the personal data subject, such as discrimination or personal loss. Specific personal data includes:

• data and information regarding health;
• biometric data;
• genetic data;
• criminal records;
• data of children;
• personal financial data; and/or
• any other data in accordance with the relevant laws and regulations.

Article 7(2) of the Draft PDPL Implementing Regulation clarifies that the determination of the phrase 'any other data in accordance with the relevant laws and regulations' must be based on the consideration of whether it poses a greater risk of discrimination, material/immaterial losses, or other impacts which are contrary to the law.

 general personal data includes:

• full name;
• gender;
• nationality;
• religion;
• marital status; and/or
• combined personal data to identify a person.

Under the PDPL, personal data processing includes:

• acquisition and collection;
• processing and analyzing;
• storage;
• correction and updates;
• display, announcement, transfer, dissemination, or disclosure; and/or
• deletion or destruction.

Further requirements and obligations associated with such acts of personal data processing are specifically governed under Article 9 to Article 15 of the Draft PDPL Implementing Regulation. Any personal data processing activity must be conducted in accordance with the personal data protection principles, as elaborated in the section on principles below.

PDP Regulations

The Kominfo Regulation 20 regulates the following processes:

• acquisition and collection;
• processing and analyzing;
• storage;
• display, publication, transmission, dissemination, and/or access opening; and
• destruction.

On the other hand, Article 56(4) of GR 40 grants access to personal data for the purpose of national security and law enforcement, subject to the approval from the Minister of Home Affairs.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

PDPL and Draft PDPL Implementing Regulation

The PDPL introduces a new institution whose role is to actualize the implementation of personal data protection in accordance with the provisions of the PDPL ('the PDP Institution'). It will be directly responsible to the President of Indonesia. The establishment of the PDP Institution, however, is still awaiting the issuance of a Presidential regulation. The Draft PDPL Implementing Regulation does make a reference to the PDPL Institution, stating that the implementation of personal data protection by the PDP Institution would be done in accordance with the law.

PDP Regulations

There is no general data protection authority, regulatory body, or organization specifically responsible for protecting personal information and ensuring that legal subjects (e.g., individuals and companies) comply with data protection laws. Furthermore, there is no central records database in Indonesia.

Nevertheless, the Kominfo is empowered to carry out Government affairs in the field of communication and IT, pursuant to Presidential Regulation No. 22 of 2023 regarding the Ministry of Communication and Information Technology (only available in Indonesian here) and the Kominfo Regulation No. 12 of 2021 regarding Organization and Work Procedure of the Ministry of Communication and Information Technology (only available in Indonesian here) ('the Kominfo Regulation No. 12').

Furthermore, pursuant to Article 85 of the Demography Law, the personal data of citizens must be maintained accurately and protected by the administrator and the executive agency.

3.2. Main powers, duties and responsibilities

PDPL and Draft PDPL Implementing Regulation

The PDP Institution is established and tasked to:

• oversee the formulation and stipulation of personal data protection policies and strategies;
• supervise the implementation of personal data protection;
• enforce administrative sanctions for the violations of the PDPL; and
• facilitate dispute resolutions related to personal data protection outside of the courts.

Furthermore, the PDP Institution would be authorized to:

• formulate and establish policies in the field of personal data protection;
• supervise the compliance of the controllers;
• impose administrative sanctions for violations of personal data protection by controllers and/or processors;
• assist law enforcement in handling allegations of criminal acts related to personal data as referred to in the PDPL;
• cooperate with personal data protection institutions in other countries to resolve allegations of cross-border personal data protection violations;
• assess the fulfillment of personal data transfer requirements to jurisdictions outside Indonesia;
• supervise controllers and/or processors and then issue follow-up orders requiring the controllers and/or processors to carry out certain actions;
• publish the results of its supervision of personal data protection in accordance with the provisions of laws and regulations;
• receive complaints and/or reports regarding alleged breaches of personal data protection;
• examine and investigate complaints and reports of alleged violations of personal data protection;
• summon any person and/or public body related to alleged violations of personal data protection;
• request an explanation, data, information, and documents from any person and/or public body related to alleged violations of personal data protection;
• summon the necessary experts in examinations and investigations related to alleged violations of personal data protection;
• examine and investigate electronic systems, facilities, rooms, and/or places used by controllers and/or processors, which include obtaining access to the data and/or appointing a third party; and
• request legal assistance from the prosecutor's office to settle personal data protection disputes.

The procedures to implement the abovementioned authorities of the PDP Institution are elaborated in Articles 201 to 212 of the Draft PDPL Implementing Regulation. The following table illustrates several provisions of interest:

4. Key Definitions

PDPL and Draft PDPL Implementing Regulation

Data controller: Any person, public entity, or international organization acting individually or jointly to determine the objectives and exercise control over the processing of personal data (Article 1 of the PDPL and Article 1(4) of the Draft PDPL Implementing Regulation).

Data processor: Any person, public entity, or international organization acting individually or jointly to process personal data on behalf of the controller (Article 1 of the PDPL and Article 1(5) of the Draft PDPL Implementing Regulation).

Personal data: Any data regarding individuals who are identified or can be identified, either separately or in combination with other information, directly or indirectly, using an electronic and/or non-electronic system (Article 1 of the PDPL and Article 1(1) of the Draft PDPL Implementing Regulation).

Sensitive data: This term is not explicitly defined but 'specific personal data' is defined as personal data which, in its processing, may have a bigger impact on the personal data subject, such as discriminatory acts and other losses to the personal data subject (Article 3 of the PDPL and Article 7(2) of the Draft PDPL Implementing Regulation). Specific personal data includes (Article 3 of the PDPL and Article 7(1) of the PDPL Implementing Regulation Draft):

• data and information regarding health;
• biometric data;
• genetic data;
• criminal records;
• data of children;
• personal financial data; and/or
• any other data in accordance with the relevant laws and regulations.

Health data: Individual records or information relating to physical health, mental health, and/or health services (Article 4 of the PDPL, specifically relating to 'health data and information').

Biometric data: Article 4 of the PDPL stipulates that 'biometric data' means data relating to the physical, physiological, or behavioral characteristics of an individual which allows the unique identification of an individual, such as facial images or dactyloscopy data. Biometric data also describes the unique nature and/or characteristics of an individual which should be kept and maintained, including but not limited to fingerprint records and DNA samples.

Article 40(1)(a)(3) of the GR 71 also provides examples of biometric data, which are retina and fingerprint data. Indonesian Migrant Workers Protection Board Regulation No. 2 of 2023 (only available in Indonesian here) considers fingerprints as biometric data.

Pseudonymization: This term is not explicitly defined in the prevailing laws and regulations. However, Article 131 (2) of the Draft PDPL Implementing Regulation notes that controllers are required to protect the personal data they process including by way of pseudonymization and encryption of such personal data.

Personal data protection: All efforts to protect personal data in the framework of personal data processing, in order to ensure the Constitutional rights of the personal data subject (Article 1 of the PDPL and Article 1(2) of the Draft PDPL Implementing Regulation).

Personal data subject: Any individual with whom personal data is associated (Article 1 of the PDPL and Article 1(6) of the Draft PDPL Implementing Regulation).

Personal financial data: Article 4 of the PDPL refers to personal financial data as including data regarding bank deposits and credit card data.

PDP Regulations

Personal data: Data on certain individuals that is stored, managed, and maintained, the accuracy and confidentiality of which is maintained and protected. More specifically, it refers to any accurate and actual information attached and identifiable, either directly or indirectly, to each individual, the purpose of which is in accordance with the laws and regulations.

Examples of 'personal data' under Article 84 of the Demography Law include:

• information about physical and/or mental disability;
• fingerprints;
• iris
• signature; and
• other data elements that are considered as shameful/embarrassing) for an individual.

The elements of the term 'shameful' are further elaborated under GR 40. Under Article 54 of GR 40, other information that is considered shameful includes elements of data from an important event that should not be disclosed to other people. These events include:

• a child born whose parents' origins are unknown;
• gender change;
• a child born outside of marriage; and
• other important events determined by the Minister of Home Affairs.

5. Legal Bases

5.1. Consent

Consent is an important principle regulated strictly by the PDPL and PDP Regulations.

PDPL and Draft PDPL Implementing Regulation

Under Articles 22 and 23 of the PDPL and Articles 44 and 45 of the Draft PDPL Implementing Regulation, controllers must acquire written or recorded, explicit, and valid consent before processing personal data.

In obtaining the consent of the data subject, Article 21 of the PDPL requires the controller to provide the following information:

• confirmation that the personal data processing shall be carried out for lawful purposes;
• the purpose of the personal data processing;
• the type and relevance of the personal data to be processed;
• the retention period for documents containing personal data;
• details regarding the information collected;
• how long the processing of the personal data will be carried out; and
• the rights of the personal data subject.

Article 22 of the PDPL stipulates that the consent must be provided in a written or recorded form. Such consent may be submitted by electronic or non-electronic means.

 Article 46 of the Draft PDPL Implementing Regulation further provides that the controllers are required to provide a mechanism to obtain the personal data subject's consent.

PDP Regulations

Under Article 26(1) of the Electronic Information Law, the use of any information through electronic media which is related to the personal data of a person must be conducted with consent from the person concerned, unless otherwise determined by laws and regulations.

Under Article 14(3) of GR 71, the processing of personal data is subject to the provision of consent of the data subject for one or more specific purposes that have been conveyed to the data subject.

Under Article 9(1) of the Kominfo Regulation 20, the acquisition and collection of personal data by ESPs should be based on consent or based on the provisions of laws and regulations.

5.2. Contract with the data subject

Article 20(2)(b) of the PDPL, Article 44(2)(b) of Draft PDPL Implementing Regulation, and Article 14(4)(a) of GR 71 stipulate, among other things, that aside from the obtainment of consent, data processing shall be carried out in order to fulfill contractual obligations in the event that the data subject is one of the parties or to fulfill the request of the data subject upon entering into an agreement.

5.3. Legal obligations

Article 20(2)(c) of the PDPL, Article 44(2)(c) of Draft PDPL Implementing Regulation, and Article 14(4)(b) of GR 71 provide that data processing may be carried out, aside from by obtaining the consent of the data subject, in order to fulfill legal obligations of the controller in accordance with statutory provisions.

5.4. Interests of the data subject

Under Article 20(2)(d) of the PDPL, Article 44(2)(d) of Draft PDPL Implementing Regulation, and Article 14(4)(c) of GR 71, aside from by obtaining consent, personal data may be processed in order to fulfill the vital interests of the data subject. There is no exhaustive nor non-exhaustive list of the interests of the data subject. Article 14(4)(c) of GR 71 elaborates on the meaning of 'vital interest' as the need/necessity to protect the very important matters of a person's existence.

5.5. Public interest

Under Article 20(2)(e) of the PDPL and Article 44(2)(e) of the Draft PDPL Implementing Regulation, aside from obtaining consent, personal data may be processed to fulfill the obligations of the controller in the context of public interest, public service, or the implementation of the authority of the controller in accordance with the laws and regulations.

Similarly, under Article 14(4)(e) of GR 71, personal data may be processed in order to fulfill the obligations of the controller in the public services for the public interest.

5.6. Legitimate interests of the data controller

Under Article 20(2)(f) of the PDPL, Article 44(2)(f) of Draft PDPL Implementing Regulation,  and Article 14(4)(f) of GR 71, aside from by obtaining consent, personal data may be processed in order to fulfill the legitimate interests of the controller. There is no exhaustive nor non-exhaustive list of the legitimate interests of the data controller. Data controllers may pursue any interests so long as they adhere to the prohibitions and obligations set out in the PDPL and PDP Regulations.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Under Article 3 of the PDPL, the PDPL shall be implemented based on the principles of protection, legal certainty, public interest, benefit, prudence, balance, accountability, and confidentiality.

Article 3 of the PDPL and Article 24 of Draft PDPL Implementing Regulation elaborates the following principles:

• principle of protection: means providing protection to data subjects so that their personal data is not misused;
• principle of legal certainty: means that every processing activity shall be carried out on a legal basis;
• principle of public interest: means that the enforcement of personal data protection must consider the interest of the public or society at large, as well as the State administration and National defense and security;
• principle of benefit: means that the regulation of personal data protection must be useful for the National interest, specifically for public welfare;
• principle of prudence: means that the parties involved in data processing and supervision activities must pay attention to all aspects that have the potential to cause losses;
• principle of balance: means parties must make an effort to balance the right of personal data protection and legitimate state rights based on public interest;
• principle of accountability: means all parties involved in data processing and supervision activities must act responsibly so as to ensure the balance of rights and obligations of the parties concerned, including the personal data subjects; and
• principle of confidentiality: means that personal data must be protected from unauthorized parties and/or from unauthorized personal data processing.

The processing of personal data must also comply with the personal data processing principles, which include:

• personal data collection shall be carried out in a limited and specific, legal and valid, and transparent manner;
• personal data processing shall be carried out in accordance with its purpose;
• personal data processing shall be carried out by ensuring the rights of the personal data subject;
• personal data processing shall be carried out in an accurate, complete, not misleading, up-to-date, and accountable manner;
• personal data processing shall be carried out by protecting the security of personal data from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or loss of personal data;
• personal data processing shall be carried out by notifying the personal data subject of the purpose of the processing, as well as any failure to protect the personal data;
• personal data shall be destroyed and/or deleted after the expiry of the retention period or at the request of the personal data subject, unless otherwise stipulated by laws and regulations; and
• personal data processing shall be carried out responsibly and be evidenced clearly.

Under Articles 2 and 4 of the Kominfo Regulation 20, the processing of personal data shall be carried out based on the principle of good personal data protection, which includes the following elements (see also Article 36 of the Kominfo Regulation 20):

• having due regard towards personal data as private;
• personal data is confidential in nature, in accordance with the consent of the data subject and/or based on the provisions of laws and regulations;
• obtaining sufficient consent from the data subject, and basing its processing activities on such consent;
• ensuring processing is relevant to the purpose of acquisition, collection, processing, analyzing, storage, display, announcement, delivery, and dissemination;
• limiting processing activities to what is necessary;
• ensuring the suitability of the electronic system that is being used;
• having the good faith to immediately notify data subjects of any failure in relation to personal data protection;
• ensuring the availability of internal regulation for the management of personal data protection;
• having responsibility for any personal data under the possession of users;
• ensuring ease of access to and correction of personal data for data subjects; and
• ensuring the integrity, accuracy, and validity of personal data, and ensuring that personal data is up to date.

Under Article 25 of the Draft PDPL Implementing Regulation, the collection of personal data is limited and specific, legal, and transparent in its application, therefore the controller must:

• collect personal data in accordance with the purpose of collecting personal data;
• periodically review the personal data collected;
• determine the basis of processing before collecting the personal data;
• facilitate the right of personal data subjects to obtain information about the clarity of identity, the basis of legal interests, the purpose of requesting and using personal data, and the accountability of the party requesting personal data in accordance with the provisions of laws and regulations; and
• publish a notification of personal data protection that is easily accessible by the personal data subject.

Pursuant to Article 26 of the Draft PDPL Implementing Regulation,  the processing of personal data must be carried out in accordance with its purpose, therefore, the controller must:

• clearly identify the purpose and objectives of personal data processing;
• document the purpose of the personal data processing in a personal data processing inventory list; and
• incorporate the purpose of the personal data processing into the external personal data protection notice policy.

Under Article 27 of the Draft PDPL Implementing Regulation, personal data processing is carried out by guaranteeing the rights of the personal data subject, therefore, the controller shall:

• develop internal policies, procedures, and/or guidelines to manage requests for the rights of personal data subjects;
• understand the conditions for the fulfillment and/or rejection of requests for the rights of personal data subjects in accordance with the provisions of laws and regulations;
• facilitate the right of personal data subjects to gain access to and obtain copies of personal data about themselves in accordance with the provisions of laws and regulations;
• handle requests of  personal data subjects by:
  • ensuring that the personal data subjects are always provided with the latest and most up-to-date information; and
  • having a mechanism to collect all information that is required to be provided to the personal data subjects;
• implement a system that accommodates the principles of personal data protection in managing requests for personal subject rights; and
• facilitate the right of the personal data subjects to withdraw their consent to the processing of personal data about them that has been given to the controller in accordance with the provisions of laws and regulations.

According to Article 28 of the Draft PDPL Implementing Regulation, for the processing of personal data to be accurate, complete, non-misleading, up-to-date, and accountable, the controller shall:

• take proportionate steps to ensure the accuracy of any personal data processed;
• have internal policies, procedures, and/or, guidelines to ensure the quality of personal data which at least includes:
  • accuracy of personal data;
  • completeness of personal data;
  • records related to the source of personal data collection; and
  • periodic updates and verification of personal data information;
• document any inaccuracy and incompleteness of personal data;
• implement protection measures in the personal data verification process to maintain accuracy, so as not to harm the personal data subject;
• determine the mechanism and/or standard of data quality implementation to ensure that the personal data processed and analyzed is accurate and complete;
• facilitate the right of personal data subjects to complete, update, and/or correct errors and/or inaccuracies in personal data about themselves in accordance with the purposes of personal data processing and in accordance with the provisions of laws and regulations;
• facilitate the right of personal data subjects to object to decision-making actions based solely on automated processing, including profiling, which has legal consequences or has a significant impact on personal data subjects in accordance with the provisions of laws and regulations; and
• facilitate the right of personal data subjects to suspend or restrict the processing of personal data in a manner proportionate to the purposes of processing personal data and in accordance with the provisions of laws and regulations.

Under Article 29 of the Draft PDPL Implementing Regulation, where the processing of personal data is conducted by protecting the security of personal data from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or erasure of personal data, the controller shall:

• implement security mechanisms to ensure:
  • personal data can be accessed, altered, disclosed, or deleted only by authorized parties;
  • personal data stored or processed is accurate and complete; and
  • personal data that is accidentally lost, altered, or destroyed must be recoverable by the controller so that it can still be accessed and used;
• conduct a risk analysis of personal data processing activities and use it to assess the appropriate level of security that should be applied;
• have an information security and personal data protection policy in place, and take steps to ensure that the policy is implemented, as well as ensuring that controls are implemented on a consistent and ongoing basis;
• periodically review information security and personal data protection policies and controls, and improve them as necessary;
• implement basic technical controls based on commonly used frameworks and/or standards;
• implement basic technical controls based on frameworks and/or commonly used standards; and
• implement protection of personal data through encryption and/or data masking mechanisms;
• understand, determine, and implement requirements for confidentiality, integrity, availability, authentication, authorization, integrity, and accountability for personal data processed;
• ensure that access to personal data can be restored in the event of a data security incident, i.e., by establishing a backup process in accordance with the provisions of laws and regulations; and
• conduct regular testing and review of security control measures to ensure they remain effective and sustainable.

Under Article 30 of the Draft PDPL Implementing Regulation, where the processing of personal data is carried out by notifying the purposes and activities of the processing, as well as the failure of personal data protection, the controller must:

• clearly determine the purpose of processing personal data and notify the purpose to the personal data subject;
• compile and stipulate notification of personal data protection in the form of documents;
• implement technical and organizational controls in terms of preventing personal data protection failures;
• provide written notification to the personal data subject and PDP Institution when there is a failure of personal data protection which at least contains related information relating to:
  • personal data that is disclosed;
  • description of the type of failure of personal data protection;
  • the time and way the personal data is disclosed;
  • the impact of the failure of personal data protection to the personal data subject;
  • handling and recovery efforts for the disclosure of personal data by the controller; and
  • information of contact person;
• establish and implement policies, procedures, and/or guidelines regarding the prevention and handling of personal data protection failure which at least contains:
  • division of roles and responsibilities for handling the failure of personal data protection;
  • mechanism to conduct analysis, classification, prioritization, monitoring, handling, and resolution of personal data protection failures, including post-incident;
  • documentation of the handling of personal data protection failures and reporting mechanisms to personal data subjects and PDP Institutions; and
  • periodic review and update of the process of handling the failure of personal data protection; and
• notify the failure of personal data protection to the personal data subject and PDP Institution in accordance with the provisions of laws and regulations.

Article 31 of the Draft PDPL Implementing Regulation governs the implementation of the principle of the destruction and/or deletion of personal data after the retention period ends or based on the request of the data subjects, which requires the controller to:                                                          

• have a personal data retention policy or standard;
• have a personal data retention period determined by the controller or in accordance with the provisions of laws and regulations;
• periodically review the processing of personal data and delete or destroy personal data when it is no longer needed;
• identify and explain what personal data needs to be kept for archiving purposes; and
• facilitate data subjects in exercising their rights to end processing, delete, and/or destroy personal data about them in accordance with the provisions of laws and regulations.

Under Article 32 of the Draft PDPL Implementing Regulation, the processing of personal data must be carried out responsibly and be clearly demonstrable, therefore the controller shall:

• establish appropriate technical and organizational measures to meet the accountability or liability requirements that are required to be implemented by:
  • adopting and implementing a personal data protection policy;
  • applying personal data protection principles throughout the personal data processing cycle;
  • having a written agreement with the organization that processes personal data on behalf of the controller in case of appointing a processor;
  • recording personal data processing activities;
  • implementing appropriate security measures;
  • recording and reporting violations of personal data processing;
  • conducting a Data Protection Impact Assessment ('DPIA') of personal data in the event that personal data processing may pose a high risk to the interests of personal data subjects; and
  • appointing a DPO in accordance with the provisions of laws and regulations.
• be responsible for complying with the provisions of laws and regulations related to personal data protection;
• keep evidence of actions that are out by the controller in accordance with the provisions of laws and regulations;
• ensure that the processor keeps evidence of the measures implemented by the processor in accordance with the provisions of laws and regulations; and
• periodically review and update the implementation of compliance with laws and regulations related to personal data protection, both independently and with independent external parties.

7. Controller and Processor Obligations

With the enactment of the PDPL, Indonesia now recognizes the difference between a controller and a processor, and that the two have their own individual obligations as well as some shared obligations. Under the PDPL, the controller must remain responsible for personal data processing carried out by the processor they appoint, so long as the processor's activities are still in accordance with the controller's instructions. With the approval of the controller, the processor can also appoint another processor(s).

Obligations of Controllers

The obligations of the controllers are regulated under Articles 20 to 50 of the PDPL. These obligations include:

• having a legal basis before processing personal data;
• for processing activities based on the data subject's consent, to provide information to the personal data subject on:

o the legality of the personal data processing;

• the purpose of the personal data processing;
• the type and relevance of the personal data to be processed;
• the retention period for documents containing personal data;
• details regarding the information collected;
• period of personal data processing; and
• data subject's rights; and
• in the event that there is a change in any of the information  above, the controller must notify the data subject; 
• to acquire written or recorded, explicit, and valid consent before processing personal data;
• to provide proof of consent given by the data subject;
• to process the personal data of children by acquiring the consent of the parents and/or legal guardian of the child;
• to process the personal data of persons with disabilities using a method of communication in accordance with the laws and regulations, and by first acquiring the consent of the person with disabilities and/or that person's legal guardian;
• to process personal data in a limited and specific, legal, valid, and transparent manner;
• to process personal data in accordance with the purposes of the personal data processing;
• to ensure the accuracy, completeness, and consistency of personal data in accordance with the provisions of laws and regulations;
• to update and/or rectify mistakes and/or inaccuracies in the personal data no later than 72 hours from when the controller receives a request to update and/or rectify the personal data;
• to record all personal data processing activities;
• to provide the data subject access to the personal data that is processed, along with the history of the personal data processing in accordance with the retention period for the personal data. Such access must be provided at least 72 hours from the time the request for such access is received;
• to refuse to allow data subjects to change their personal data if such change:
• endangers the security or physical or mental health of the data subject and/or other people;
• results in the disclosure of the personal data of other individuals; and/or
• is contrary to the interests of national defense and security; 
• to assess the impact of personal data protection in the event that personal data processing carries a high potential risk for the data subject (DPIA);
• to protect and ensure the security of the processed personal data by preparing and implementing operational technical steps to protect personal data from the interference of personal data processing that is contrary to the provisions of laws and regulations and determining the level of security of personal data by considering the nature and risk of personal data that must be protected in the processing of personal data;
• to maintain the confidentiality of the personal data;
• to supervise each party involved in the processing of personal data that is under their control;
• to protect personal data from unlawful processing;
• to mitigate any unauthorized access to personal data by using a security system and/or processing personal data using an electronic system in a reliable, secure, and responsible manner, in accordance with the provisions of laws and regulations;
• to cease the personal data processing if the personal data subject withdraws their consent, at the latest 72 hours from the time when the controller receives the request to withdraw the consent for personal data processing;
• to postpone or restrict the personal data processing, either partially or completely, at the latest 72 hours from the time the controller receives the request to postpone or restrict the personal data processing;
• to cease the personal data processing if it has reached the retention period, the purpose of the processing has been achieved, and there is a request from the data subject;
• to delete all personal data in the event that the personal data is no longer necessary to achieve the purposes of the processing, the data subject has withdrawn the consent for the processing, the data subject has requested the personal data to be deleted, or the personal data was obtained and/or processed in an unlawful manner;
• to notify the data subject of the deletion and/or destruction of personal data;
• in the event of a failure of personal data protection, provide written notification, no later than 72 hours, to the personal data subject and the PDP Institution, and in certain cases, the public;
• to process the personal data and demonstrate accountability in fulfilling its obligations to implement the principles of personal data protection;
• in the event of a merger, separation, acquisition, consolidation, or dissolution of a legal entity, to submit a notification of the transfer of personal data to the data subject; and
• to carry out institutional orders in the context of implementing personal data protection in accordance with the PDPL.

Article 50 of the PDPL provides that in certain circumstances, the above obligations of a controller may be waived. These circumstances include:

• interests of national defense and security;
• interests of the law enforcement process;
• public interest in the context of State administration; or
• supervision of the financial services, monetary, payment system, and financial system stability sectors carried out in the context of State administration.

Obligations of Processors

The obligations of the processors are regulated under Articles 51 and 52 of the PDPL, with Article 52 stipulating the obligations of controllers that are shared by the processors. The obligations of processors, both shared and exclusive obligations, include:

• to ensure the accuracy, completeness, and consistency of personal data in accordance with the provisions of laws and regulations;
• to record all personal data processing activities;
• to protect and ensure the security of the processed personal data by preparing and implementing operational technical steps to protect personal data from the interference of the personal data processing that is contrary to the provisions of laws and regulations and determining the level of security of personal data by considering the nature and risks of personal data that must be protected in the processing of personal data;
• to maintain the confidentiality of the personal data;
• to supervise each party involved in the processing of personal data that is under their control;
• to protect the personal data from unlawful processing;
• to mitigate any unauthorized access to personal data by using a security system and/or processing personal data using an electronic system in a reliable, secure, and responsible manner, in accordance with the provisions of laws and regulations; and
• to conduct personal data processing based on the instructions of the controller. In doing so, the processors may include other processors by first obtaining written approval from the controller.

As there are several stakeholders in the field of personal data protection, the PDP Regulations provide for different obligations for the various stakeholders.

Article 27 of the Kominfo Regulation 20 governs the obligations of personal data users which are to:

• maintain the confidentiality of personal data they receive, collect, process, and analyze;
• solely use personal data in accordance with the needs of users;
• protect personal data and documents containing such personal data from any misappropriation; and
• be responsible for the personal data that is under their control (i.e., either control by way of organization which falls under their authority or individual control), if any misappropriation occurs.

Articles 4 and 28 of the Kominfo Regulation 20 govern the obligations of ESPs which are to:

• undergo certification process for electronic systems under its management in accordance with the provisions of laws and regulations;
• safeguard the authenticity, validity, confidentiality, accuracy, and relevance as well as the conformity with the purpose of acquiring, collecting, processing, analyzing, storing, displaying, announcing, delivering, disseminating, and erasing personal data;
• ensuring that personal data stored in an electronic system is encrypted;
• have internal regulations relating to the protection of personal data that conforms with the provisions of laws and regulations (e.g., provide audit track records on all electronic system organization activities that are under its management);
• provide options to data subjects regarding whether their personal data may or may not be used and/or displayed by/to any third party based on approval as long as it still relates to the purpose of acquiring and collecting personal data;
• grant access or opportunity to data subjects to alter or renew their personal data without disrupting the personal data management system, unless stipulated otherwise by the provisions of laws and regulations;
• delete personal data in accordance with the provisions of the Kominfo Regulation 20; and
• provide a point of contact who can be easily contacted by data subjects as regards the management of their personal data. 

While there is no explicit provision requiring the existence of a contract with the data subject, the PDP Regulations emphasize the importance of adherence to contractual obligations arising from agreements between the party processing the personal data and the data subject. Additionally, the PDP Regulations provide for general requirements regarding electronic contracts, including electronic contracts involving data subjects.

Under Article 1(17) of the Electronic Information Law and Article 1(17) of GR 71, an 'electronic contract' is defined as an agreement between the parties made through an electronic system. As the implementing regulation of the Electronic Information Law, GR 71 provides for further rules regarding electronic contracts. In particular, Article 46(2) of GR 71 stipulates that an electronic contract is valid if it:

• contains the consent of the parties;
• is entered by legal subjects having the capacity or authority to conclude an agreement;
• regulates a certain subject matter; and
• has a legal cause.

An electronic contract made with a data subject is only valid if it fulfills the aforementioned requirements.

Internal policies for ESPs

The Kominfo Regulation 20 requires ESPs to have an internal policy on the protection of personal data when implementing the following data processing operations:

• acquisition and collection;
• processing and analyzing;
• storage;
• presentation, publication, transmission, dissemination, and/or access opening; and
• destruction.

Usually, the ESPs create their own data protection guidance/policy for users of their electronic systems and/or services, which should be compliant with the PDP Regulations.

Obligations for trading activities through electronic systems

GR 80 provides strict regulations on the personal data protection of consumers, providing that business entities conducting trade through electronic systems shall keep personal data in accordance with the standard of personal data protection or the common business practice. Such personal data protection must be carried out in accordance with the following rules:

• personal data must be obtained truthfully and legally from the owner of the personal data concerned, accompanied by the existence of choices and guarantees for the safeguarding and prevention of loss to the data subject;
• personal data must be used for one or more purposes that are described in a specific and valid manner, as well as cannot be further processed in a way that is not in accordance with the said purposes;
• personal data that is obtained must be proper, relevant, and not too broad in relation to the purpose of their processing as previously conveyed to the data subject;
• personal data must be accurate and must always be up to date by way of giving opportunities to the data subject to update their personal data;
• personal data must be processed in accordance with the purpose of their acquisition and allocation, and cannot be possessed longer than the required time;
• personal data must be processed in accordance with the rights of data subjects as regulated under laws and regulations;
• parties that store personal data must possess a proper security system to prevent leaks or prevent any unlawful utilization or processing of personal data, as well as be responsible for unexpected losses or damages to the personal data; and

personal data cannot be sent to another country or area outside Indonesia, except if the country or area has been declared as having the same protection level and standard as Indonesia by the Minister of Trade.

7.1. Data processing notification

The PDPL, Draft PDPL Implementing Regulation, and the PDP Regulations do not require notification or registration prior to the processing of data.

7.2. Data transfers

PDPL and Draft PDPL Implementing Regulation

A controller is allowed to transfer personal data to another controller within the jurisdiction of Indonesia. The PDPL further allows the cross-border transfer of personal data from a controller to a controller and/or processor outside the jurisdiction of Indonesia if:

• the country of domicile of the controller and/or processor that will receive the personal data provides a data protection level that is equal to or higher than that stipulated in the PDPL;
• if the above condition is not fulfilled, the controller must ensure that there is adequate and binding personal data protection; and
• if the above two conditions are not fulfilled, the controller must obtain the consent of the data subject.

Article 183 of the Draft PDPL Implementing Regulation regulates that the PDP Institution will have the authority to assess whether the country of domicile of the controller and/or processor receiving personal data has an equal or higher level of personal data protection than that stipulated in the PDPL. The assessment will consider whether the country of domicile of the controller and/or processor receiving personal data:

• has legal regulations for personal data protection;
• has a personal data protection supervisory agency or authority; and
• has international commitments or is subject to other obligations arising from legally binding conventions or instruments and from its participation in multilateral or regional systems related to personal data protection.

PDP Regulations

The transfer of personal data is prohibited without the consent of the data subject, as stipulated under Article 26(1) of the Electronic Information Law and emphasized in Article 21(a) of the Kominfo Regulation 20.

Under the Kominfo Regulation 20, coordination with the Kominfo must be carried out before the personal data is transferred and after the transfer of personal data is completed. To fulfill the coordination requirement, Article 22(2) of the Kominfo Regulation 20 requires an Indonesian ESP to:

• report the proposed transfer of personal data to the Kominfo, which includes at least the name of the receiving state and the receiver, frequency of transfer, and the reason or purpose of such transfer;
• request for advocacy to the Kominfo, if necessary; and
• report the result of the transfer.

The Electronic Information Law also provides that anyone who intends, without valid rights, to change, add, reduce, transmit, destroy, eliminate, transfer, or hide electronic information, and/or electronic documents owned by another person or owned by the public would be prohibited from doing so.

Additionally, Article 59(2)(h) of GR 80 provides that personal data is prohibited from being transferred to another country or territory outside Indonesia unless such country or territory has been declared by the Minister of Trade as having an equal standard or level of personal data protection.

Furthermore, Article 11 of OJK Regulation 6/2022, also limits the transfer of personal data to a third party by financial services providers, except when the consumers provide their consent, in writing or electronically, as required by the laws and regulations.

7.3. Data processing records

Pursuant to Article 31 of the PDPL, controllers must record all personal data processing activities.

Furthermore, under Article 22(1) of GR 71, the ESPs are required to provide an audit trail for all activities of the electronic system organization. This includes:

• maintaining the transaction log in accordance with the provider data retention policy, in accordance with the laws and regulations;
• notifying the consumer if a transaction has been conducted; and
• ensuring the availability of an audit trail function to be able to detect an effort and/or incursion that must be reviewed or evaluated periodically.

In addition, in the event that the processing and audit trail are the responsibilities of a  third party, then such audit trail process must be in accordance with the standard that is determined by the ESP.

7.4. Data protection impact assessment

PDPL and Draft PDPL Implementing Regulation

As stated above, the controller is obliged to conduct a DPIA if the personal data processing has a high potential risk to the personal data subjects. According to Article 34(2) of the PDPL, personal data processing with high potential risk includes:

• automatic decision-making that has legal consequences or a significant impact on the data subject;
• processing of specific personal data;
• processing of large-scale personal data;
• processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
• processing of personal data for the activity of matching or combining a group of data;
• the use of new technologies in the processing of personal data; and/or
• the processing of personal data that limits the exercise of the rights of the data subject.

Article 128 of the Draft PDPL Implementing Regulation stipulates that the assessment must be documented and must at least include:

• a systematic description of the activities and the purpose of the processing of the personal data, including the interests of the controller of the processing;
•  assessment of the need for and proportionality between the purposes and activities of the processing of personal data;
• risk assessment for protecting the rights of personal data subjects; and
• measures used by the controller to protect the personal data subjects from the risks of personal data processing.

Under the Draft PDPL Implementing Regulation, the controller is obliged to reassess in the event of a change in the risk of processing personal data. In its assessment, the controller is allowed to consult with the PDP Institution if the data processing has a risk of causing material and/or non-material harm to personal data subjects, with no technical and organizational policies that can be provided by the controller to minimize the harm.

PDP Regulations

Under Article 12 of GR 71, the ESPs must apply risk management towards damages or losses that they incurred. The provision provides the meaning of 'risk management' as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system which it manages.

7.5. Data protection officer appointment

PDPL and Draft PDPL Implementing Regulations

A DPO is the official or officer responsible for ensuring compliance with the personal data protection principles and mitigating the risk of breach of personal data protection. The DPO may be an internal or external party of the company.

Article 53 of the PDPL introduces the requirement for controllers and processors to appoint a DPO in certain circumstances, namely where:

• the data processing is carried out for the benefit of public services;
• the nature, scope, and/or purposes of the main activity of the controller require organized and systematic supervision on a large scale; and
• the main activity of the controller consists of large-scale processing which is specific in nature and/or which is related to criminal conduct.

In accordance with Article 166 of the Draft PDPL Implementing Regulation, the controller and/or the processor must consider the structure, size, and need of the controller and/or the processor organization in appointing a DPO. Moreover, a DPO can be a natural person or several persons from within and/or outside the organization of a controller and/or the processor.

According to Article 167 of the Draft PDPL Implementing Regulation, the task of the DPO must at least include:

• to inform and provide advice to the controller or the processor to comply with personal data protection laws and regulations;
• to monitor and ensure compliance with personal data protection laws and regulations in and the policies regulating the controller or the processor;
• to provide advice regarding the assessment of the impact of personal data protection and monitor the performance of the controller or the processor; and
• coordinate and act as a contact person for issues related to personal data processing.

Furthermore, the DPO will have the obligation to:

• provide recommendations and suggestions to the unit, officials, or parties responsible for the security of the processing of personal data processed by the controller so that the security of the processing of personal data is carried out in accordance with the provisions of the laws and regulations;
• make the necessary efforts to ensure that the unit, official, or party responsible for the security of the processing of personal data processed by the controller implements technical and operational measures that take into account the protection of the rights and freedoms of data subjects; and
• report the performance of the unit, official, or party responsible for the security of processing personal data to the board of directors and/or the PDP Institution in the event that the DPO assesses that the unit, official, or party has or has not implemented the technical and operational steps that take into account the protection of data subjects according to the needs of the controller.

The Draft PDPL Implementing Regulation stipulates that the appointment of DPOs must be further regulated in the   PDP Institution Regulation.

PDP Regulations

Additionally, while the PDP Regulations do not stipulate the requirement of a DPO, Article 28(i) of the Kominfo Regulation 20 requires ESPs to provide a point of contact who can be easily contacted by the data subject relating to the management of their personal data.

7.6. Data breach notification

PDPL and Draft PDPL Implementing Regulation

Under Article 46 of the PDPL, the controllers are required to provide written notification, no later than 72 hours following a data breach, to the data subjects and the PDP Institution. If the breach interferes with public services and/or has a serious impact on the public interest, the controller must also notify the public. However, according to the Draft PDPL Implementing Regulation, public notification is excluded if the breach does not cause the disclosure of personal data.

Such written notification must contain at least the disclosed personal data when and how the personal data was disclosed, and efforts by the controller to handle and recover from the data breach. The Draft PDPL Implementing Regulation further adds that the notification must also contain a contact person.

In addition to the data breach notification, Article 125 of the Draft PDPL Implementing Regulation obliges the controller to submit documentation on the failure of personal data protection to the PDP Institution. The documentation must at least include the following information:

• the cause of failure;
• the time and chronology of failure;
• the affected personal data;
• the result of failure;
• the handling and corrective actions taken;
• the conclusion on whether personal data is disclosed;
• the period of notification to data subjects and the PDP Institution;
• the risk of the impact of the disclosed personal data on the data subjects.

Subsequent to the breach, the controller will have the obligation to establish and implement policies that regulate the prevention and handling of personal data protection failures which at least contain:

• the division of roles and responsibilities for handling personal data protection failures;
• the mechanisms for analyzing, classifying, prioritizing, monitoring, handling, and resolving personal data protection failures, including after incidents;
• documentation on handling personal data protection failures and reporting mechanisms to data subjects and the PDP Institutions; and
• regular review and update of the process for handling personal data protection failures.

PDP Regulations

The ESPs are required to report a personal data protection failure in the electronic system to the personal data subjects, at the latest 14 days after such failure is known and to the Kominfo and other relevant authorities, such as the National Cyber and Crypto Agency, at the first opportunity, without undue delay. Further, Article 28(c)(3) of the Kominfo Regulation 20 requires the ESPs to ensure that the notification is actually received by the data subjects if the breach has the potential to cause harm to the data subjects.

7.7. Data retention

PDPL and Draft PDPL Implementing Regulation

The PDPL regulates that controllers must cease personal data processing once the data retention period has been reached and subsequently destroy the personal data. Article 31 of the Draft PDPL Implementing Regulation provides that the controller must have a policy or standard of personal data retention. The retention period must be determined by the controller in accordance with the provisions of laws and regulations. Upon the expiry of the retention period, the controller must destroy the personal data.

PDP Regulations

Implementing the Electronic Information Law, GR 71 also regulates the obligation of the ESPs to delete certain personal data. The ESPs must delete personal data which is irrelevant. Personal data is irrelevant when:

• it is acquired and processed without the consent of the data subject;
• the consent has been withdrawn by the data subject;
• it is acquired and processed illegally;
• processing is no longer in accordance with the acquisition purpose based on an agreement and/or the laws and regulations;
• its utilization has exceeded the period in accordance with an agreement and/or the laws and regulations; and/or
• the ESP's treatment of it has caused a loss for the data subject.

The obligation of deletion stipulated in GR 71 consists of erasure and delisting from search engines.

As for the timeframe for data retention, the Kominfo Regulation 20 stipulates that data must be stored within an electronic system for a minimum of five years. An exemption to this provision is stipulated under Article 16 of the PDPL, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.

Meanwhile, the PDP Regulations do not explicitly stipulate a timeframe for data retention or a maximum retention period, but instead, it defers to the authority to do so, and to other relevant laws. One of the relevant laws that mention the retention period for personal data is Law No. 43 of 2009 regarding the Archive (only available in Indonesian here) ('the Archiving Law'). The Archiving Law distinguishes data into data with a maximum of a 10-year retention period and data with a maximum of a 25-year retention period. The data and its retention period must be listed further in a retention schedule archive.

7.8. Children's data

PDPL and Draft PDPL Implementing Regulation

The PDPL considers children's data as specific personal data. In this regard, the Draft PDPL Implementing Regulation establishes 'children' as individuals who have not reached the age of 18 years and are unmarried. Article 25 of the PDPL provides that the processing of children's data must be conducted by first acquiring the consent of the child's parents or their legal guardian. In accordance with Article 51(6) of the Draft PDPL Implementing Regulation, the consent of a child's parent or legal guardian must also be obtained upon any request for changes to the child's data. Subsequent to obtaining the consent, the controller would have to verify the consent considering the available technology. When a child no longer meets the criteria to be considered a child, the controller would have to provide a mechanism to switch from processing the personal data of a child to that of an individual who is of age. 

PDP Regulations

The Kominfo Regulation 20 regulates the processing of children's data in the context of obtaining consent. Article 37 of the Kominfo Regulation 20 provides that, in the event that the data subject constitutes a person who falls under the category of children in accordance with the provisions of the laws and regulations, then the granting of consent, as referred to under Kominfo Regulation 20, should be carried out by the parent or the guardian of the child. The parent should be the father or mother of the child in accordance with the provisions of the laws and regulations.  The guardian should be the person who has the obligation to take care of the child before the child reaches adulthood in accordance with the provisions of the laws and regulations.

The PDPL and the PDP Regulations defer the authority to set out the age of consent to other laws. Based on Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014 (only available in Indonesian here), a child is an individual who has not reached the age of 18 years.

7.9. Special categories of personal data

Article 34 of the PDPL stipulates that the processing of specific personal data is considered a potential high-risk personal data processing activity and would require a DPIA. Article 53 of the PDPL also regulates that a controller and processor must appoint a DPO if their main activities include processing specific personal data and/or personal data related to criminal conduct on a large scale.

In relation to the processing of criminal data, Article 33 of GR 71 also stipulates that 'for the purpose of the criminal justice process, the ESP must provide electronic information and/or electronic data which is contained in the electronic system, or electronic information, and/or electronic data that are processed by the electronic system, at the valid request from an investigator for certain criminal acts in accordance with the authority regulated in the laws.'

Data of persons with disabilities

Article 26 of the PDPL regulates that the data of persons with disabilities must be handled in a specific manner, using a certain method of communication in accordance with the relevant regulations, and consent must first be acquired from the data subject and/or their legal guardian. The Draft PDPL Implementing Regulation defines a person with disabilities as any person who experiences physical, intellectual, mental, and/or sensory limitations for a long period of time who, in interacting with the environment, may experience obstacles and difficulties in participating fully and effectively with other citizens based on equal rights.

Article 53 of the Draft PDPL Implementing Regulation governs the processing of data of persons with disabilities and according to Article 53, a controller has the obligation to take steps to identify persons with disabilities and provide services that are accessible and can be understood by persons with disabilities. With regards to consent, it is further regulated that consent must still be obtained directly from the data subject despite any physical and/or sensory limitations, provided that the data subject has the capacity to provide direct consent. The consent of the data subject's legal guardian becomes obligatory for the controller to obtain if the processing of personal data is carried out based on the explicit valid consent of the data subject and the fulfillment of contractual obligations. Processing personal data through the consent of the data subject's legal guardian will allow the guardian to represent the data subject in submitting requests for the fulfillment of the data subject's rights. Persons with disabilities who provide direct consent are able to request the fulfillment of their rights through the mechanisms provided by the controller.

7.10. Controller and processor contracts

Article 18 of the PDPL explicitly stipulates that in the event personal data processing is conducted by two or more controllers (joint controllers), there must be an agreement between the controllers on the roles, responsibilities, and relationships between each of the controllers.

For completeness, the relationship between the controller and the processor, as well as the processor and the sub-processor, is regulated under Article 51 of the PDPL. Article 51 of the PDPL regulates that if a controller appoints a processor, the processor is required to carry out personal data processing in accordance with the instructions of the controller. Further, a processor is allowed to involve another processor to carry out the personal data processing with the prior written approval of the controller. Based on the above, while there is no explicit requirement governing the types or content of the contracts, it is understood that the relationship between the controller and the processor is to be governed under an agreement.

8. Data Subject Rights

PDPL and Draft PDPL Implementing Regulation

Under Articles 5 to 13 of the PDPL, data subjects are entitled to the following rights:

• to obtain information regarding clarity of identity, the basis of legal interest, the purpose of requesting and using personal data, and accountability of parties that request the personal data;
• to complete, update, and/or correct errors and/or inaccuracies in their personal data;
• to access and obtain a copy of their personal data;
• to stop the processing of, delete, and/or destroy their personal data;
• to withdraw consent for the processing of their personal data that has been given to a controller;
• to object to a decision-making action that is based solely on automatic processing, including profiling, which has legal consequences or has a significant impact on the data subject;
• to delay or limit personal data processing;
• to sue and receive compensation for violations in connection with the processing of their personal data; and
• to obtain and/or use their personal data from a controller in a format commonly used or readable by an electronic system and use and send such data to other controllers.

According to Article 15 of the PDPL, these rights may be waived as follows:

• in the interest of national defense and security;
• in the interest of the law enforcement process;
• in the public interest in the context of State administration;
• in the interest of supervision of the financial services, monetary, payment system, and financial system stability sectors carried out in the context of State administration; or
• in the interest of statistics and scientific research.

In addition, where a controller is a legal entity that performs a merger, separation, acquisition, consolidation, or dissolution of a legal entity, it is required to submit a notification of the transfer of personal data to the data subject. The notification must be submitted prior to the aforementioned corporate action. Additionally, Article 48 of the PDPL provides an explanation of notification, which is a notification to the data subject or notification in general through the mass media, either by electronic or non-electronic means.

Article 143(2) of the Draft PDPL Implementing Regulation regulates that the notification must at least contain:

• information that there will be a transfer of personal data from the old controller to the new controller;
• processing activities that will be and have been carried out in the context of this transaction;
• the responsible party's company name, address, telephone number, and other contact information held by the new controller;
• methods and procedures for submitting objections and/or requests to stop the processing, or the data subject's refusal to send personal data to the new controller;
• information on the time of processing for the purposes of the new controller's activities;
•  information that the personal data of the data subject can be accessed by the new controller and/or other related parties involved in this process; and
• a statement that the old controller will destroy the personal data that has been transferred to the new controller when the transaction ends.

PDP Regulations

In addition, pursuant to Article 26 of the Kominfo Regulation 20, data subjects are entitled to:

• confidentiality of their personal data;
• file complaints to Kominfo in relation to disputes over the failure of the relevant ESP to protect the confidentiality of their personal data;
• obtain access or the opportunity to change or update their personal data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations;
• obtain access or the opportunity to receive the history of their personal data, which has been given to an ESP insofar as it is still in accordance with the applicable laws and regulations; and
• request the destruction of their personal data in an electronic system managed by an ESP, unless otherwise determined by the applicable laws and regulations.

8.1. Right to be informed

The following information should be provided to the data subjects at the point of collection of the personal data:

• the legality of the personal data processing;
• the purpose of the personal data processing;
• the type and relevance of the personal data to be processed;
• the retention period for documents containing personal data;
• the details regarding the information collected;
• the period of personal data processing; and
• the data subject's rights.

In any event, the controller must inform the data subjects prior to making any changes to the above information.

8.2. Right to access

Pursuant to Article 32 of the PDPL, the data subjects are entitled to obtain access to their personal data that is processed along with the history of the personal data processing and the retention period of the personal data. This access must be provided at least within 72 hours upon the receipt of the request from the data subject.

Article 26 of the Kominfo Regulation 20 also stipulates that data subjects have the right to:

• obtain access or the opportunity to change or update their personal data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations; and
• obtain access or the opportunity to receive the history of their personal data, which has been given to an ESP insofar as it is still in accordance with the applicable laws and regulations.

8.3. Right to rectification

Article 30 of the PDPL stipulates that the data subjects have the right to request controllers to update and/or correct errors and/or inaccuracies in their personal data within 72 hours upon the receipt of such request. The data subjects are then entitled to receive notification regarding the update and/or correction of their personal data. Such right, however, may be denied by the controller if:

• it endangers the security, physical health, or mental health of the data subject and/or other people;
• it risks the disclosure of other people's personal data; and/or
• it is contrary to the interests of national defense and security.

The Kominfo Regulation 20 also provides that data subjects shall be entitled to gain access or opportunity to alter or renew their personal data without disrupting the personal data management system unless stipulated otherwise by the provisions of the laws and regulations. This means that the data subjects can rectify their personal data in cases of inaccuracy, so long as it doesn't disrupt the personal data management system.

Such a right is also mentioned in Article 59(2)(d) of GR 80, which provides that the personal data must be accurate and up to date. This should be achieved by giving the data subject the chance to update their personal data.

8.4. Right to erasure

PDPL and Draft PDPL Implementing Regulation

A data subject is entitled to request the deletion of their personal data, or it may be erased once the storage time limit lapses, provided that such request is in accordance with the applicable laws and regulations. According to Article 15(d) of the Draft PDPL Implementing Regulation, upon the valid/legitimate request for deletion or destruction by the data subject, the controller must delete or destroy the data subject's personal data in all locations where the personal data is stored and provide evidence of the deletion or destruction to the data subject. Articles 94 and 95 of the Draft PDPL Implementing Regulation further provide that the controllers must immediately delete the personal data of a data subject upon the withdrawal of consent for data processing. The data subjects also have the right of deletion or destruction of their personal data if the purpose of processing and/or the retention period has not been reached.

Pursuant to these Articles, the data subjects must take only one action, either withdrawal of consent or submit a request for deletion, for the purpose of deleting personal data. However, the Draft PDPL Implementing Regulation does not provide any further explanation regarding the reason for this matter.

Furthermore, the controller is obliged to delete personal data in the following instances:

• the personal data is no longer required for achieving the purposes of processing the personal data;
• the data subject has withdrawn their consent to the processing of personal data;
• there is a request from the data subject; or
• personal data is obtained and/or processed unlawfully.

The controller must destroy the personal data in the following instances:

• the retention period has expired, and the destruction statement has been made based on a records retention schedule;
• there is a request from the data subject;
• personal data not related to the completion of the legal process of a case; and/or
• personal data is obtained and/or processed unlawfully.

The destruction of personal data is carried out by eliminating, obliterating, or destroying both electronic and non-electronic personal data so that it can no longer be used to identify the data subject.

PDP Regulations

In this regard, GR 71 distinguishes the rights of the data subject into the right to erasure and the right to delisting in which the ESP is then obliged to delete electronic information no longer under its control. In particular, Article 15 of GR 71 defines the right to erasure as erasing irrelevant information or electronic documents (including those obtained without the person's consent), whereas the right to delisting means to delist such information from the internet search engine through a court order.

Furthermore, Articles 59(3) and 59(4) of GR 80 also provide that business actors that conduct trading through the electronic system must delete the personal data of the data subjects that have stopped using their services and requested the deletion of their personal data.

8.5. Right to object/opt-out

PDPL and Draft PDPL Implementing Regulation

The fundamental principle of data processing is the existence of consent from the data subject. This approval indicates the freedom for the data subject to object to any form of processing with which they disagree. This right is regulated under Articles 9 and 40 of the PDPL, where the data subject has the right to withdraw their consent to the processing of their personal data, whereupon such withdrawal, the controller must stop their processing activities within 72 hours upon the receipt of such request. Additionally, the data subject is given the right to revoke their consent.

Pursuant to Article 92 of the Draft PDPL Implementing Regulation, consent to the data processing can be withdrawn if the purpose and/or the retention period have not been achieved. However, the withdrawal of the consent does not automatically require the controller to delete and/or destroy the personal data unless the data subject submits a written request simultaneously with the request for termination of the processing.

PDP Regulations

Article 16 of GR 71 emphasizes that personal data which must be erased by the ESPs includes personal data for which the consent to be used has been withdrawn by the data subject.

8.6. Right to data portability

Article 13 of the PDPL provides that a data subject has the right to obtain their personal data from the controller in a structure and/or format commonly used and/or readable by an electronic system. This data can be used and transmitted by the data subject to another controller provided that the systems can communicate with each other securely in accordance with the principles of personal data protection. According to Article 121 of the Draft PDPL Implementing Regulation, the implementation of the right to data portability applies in the following instances:

• the basis on which the processing of personal data is carried out based on the explicit and valid consent of the data subject or the fulfillment of contractual obligations to which the data subject is a party or to fulfill the request of the personal data subject at the time of entering into the agreement; and
• the processing of personal data is carried out automatically.

Article 122 of the Draft PDPL Implementing Regulation provides that personal data that can be transmitted  must fulfill the following criteria:

• the personal data is related to the data subjects;
• the personal data is stored and processed electronically;
• the personal data is provided or given by the data subject to the controller;
• the personal data is processed by the controller until the controller receives a request to obtain and/or use their personal data; and
• any other criteria set by the PDP Institution.

In fulfilling the request for the right to obtain and/or use the personal data to be transmitted, the controller must pay attention to the ability of the controller to fulfill the rights of the data subjects, and the provisions of the competition law.

8.7. Right not to be subject to automated decision-making

Under Article 10 of the PDPL, data subjects have the right to object to decision-making, which is solely based on automatic processing, including profiling, given that such automated processing has legal consequences or a significant impact on the data subject.

8.8. Other rights

Not applicable.

9. Penalties

PDPL and Draft PDPL Implementing Regulation

There are two types of sanctions for the violation of the PDP Regulations, i.e., administrative and criminal sanctions. Articles 67 to 69 of the PDPL stipulate the following criminal sanctions for the violation of personal data protection:

• any person who intentionally and unlawfully obtains or collects personal data that does not belong to them with the intention to benefit themselves or other persons which may result in a loss for the data subject shall be sentenced to imprisonment not exceeding five years and/or a fine not exceeding IDR 5 billion (approx. $318,319);
• any person who intentionally and unlawfully discloses personal data that does not belong to them shall be sentenced to imprisonment not exceeding four years and/or a fine not exceeding IDR 4 billion (approx. $254,655 );
• any person who intentionally and unlawfully uses personal data that does not belong to them shall be sentenced to imprisonment not exceeding five years and/or a fine not exceeding IDR 5 billion (approx. $318,319 ); and
• any person who intentionally creates false personal data or falsifies personal data with the intention to benefit themselves or other persons which may result in a loss for other persons shall be sentenced to imprisonment not exceeding six years and/or a fine not exceeding IDR 6 billion (approx. $381,983).

Administrative sanctions are regulated under Article 57 of the PDPL and consist of:

• a written warning;
• a temporary suspension of personal data processing activities;
• deletion or destruction of personal data; and/or
• administrative fines.

In accordance with Article 213(4) of the Draft PDPL Implementing Regulation, the imposition of administrative sanctions must consider the extent of the breach, the controller's and/or the Processor's business continuity, and their history of compliance, and must provide clear considerations and reasons.

If the above crimes are committed by a corporation, only fines may be imposed. The criminal fines for corporate entities can be up to 10 times the maximum fines for individuals. The corporations may also be subject to additional penalties in the form of:

• the confiscation of profits and/or assets obtained or proceeds from crimes;
• the suspension of all or part of the corporation's business;
• permanent ban on performing certain actions;
• the closure of all or part of the corporation's place of business and/or activities;
• the implementation of neglected obligations;
• the payment of compensation;
• the revocation of license; and/or
• the dissolution of the corporation.

PDP Regulations

Additionally, Article 48 of the Electronic Information Law stipulates the following sanctions for the violation of personal data protection in an electronic system:

• any person who unlawfully alters, adds, reduces, transmits, tampers with, deletes, moves, or hides the electronic information and/or electronic records of another person or of the public shall be sentenced to imprisonment not exceeding eight years and/or a fine not exceeding IDR 2 billion (approx. $127,286);
• any person who unlawfully moves or transfers electronic information and/or electronic records to the electronic system of an unauthorized person shall be sentenced to imprisonment not exceeding nine years and/or a fine not exceeding IDR 3 billion (approx. $190,929); and
• any person who unlawfully alters, adds, reduces, transmits, tampers with, deletes, moves, or hides the electronic information and/or electronic records of another person or of the public, which results such information become publicly accessible in a distorted form (i.e., data's integrity is no longer as is) shall be sentenced to imprisonment not exceeding ten years and/or a fine not exceeding IDR 5 billion (approx. $318,319).

Article 46 of the Electronic Information Law also regulates sanctions for the use and destruction of electronic information. However, with the Criminal Code, Article 46 of the Electronic Information Law is revoked by Article 332 of the Criminal Code, which stipulates the following sanctions:

• any person who intentionally and illegally or unlawfully accesses computers and/or electronic systems of other persons in any way shall be sentenced to imprisonment for a maximum of six years or a maximum criminal fine of category V;
• any person who intentionally and illegally or unlawfully accesses computers and/or electronic systems in any way for the purpose of obtaining electronic information and/or electronic documents shall be sentenced to imprisonment for a maximum of seven years or a maximum criminal fine of category V; and
• any person who intentionally and illegally or unlawfully accesses computers and/or electronic systems in any way by violating, bypassing, exceeding, or breaking through the security system, shall be sentenced to imprisonment for a maximum of eight years or a maximum criminal fine of category VI.

In accordance with Article 79(1) of the Criminal Code, the maximum category V criminal fine is IDR 500 million (approx. $31,821) and the maximum category VI criminal fine is IDR 2 billion (approx. $127,286).

In addition to the criminal sanctions, the violations of personal data protection may be punished with administrative sanctions under Article 36 of the Kominfo Regulation 20, which stipulates that any person who unlawfully obtains, collects, processes, analyzes, deposits, displays, announces, transmits, and/or disseminates personal data is subject to administrative sanctions in the form of:

• verbal warning;
• written warning;
• temporary suspension of activities; and
• announcement of its name on sites within the network (websites).

The sanctions for the violation of the implementation of an electronic system are regulated under GR 82, which stipulates that an ESP may be subject to administrative sanctions in the form of:

• a written warning;
• an administrative fine; and
• a temporary suspension.

Further, Article 58 of GR 40 imposes administrative sanctions for the violation of using personal data exceeding one's authority granted by the law or any approval, or for displaying the collected personal data in the public without prior approval from the Ministry, in the form of revocation of the user access rights, destruction of data that has been accessed, and an administrative fine of IDR 10 billion (approx. $636,428).

9.1 Enforcement decisions

Not applicable.