Personal data protection is the legal and regulatory framework designed to safeguard individual privacy by governing personal data collection, storage, use, disclosure, and transfer.
This framework ensures that personal information is handled ethically, responsibly, and with the consent of the data subject (the individual whose data is being processed).
Understanding the PDP law in Indonesia
Following the enactment of Law No. 27 of 2022 on Personal Data Protection (PDP Law), organizations and companies in Indonesia must comply with strict regulations designed to protect the personal data they handle.
This law imposes various obligations on entities that act as Personal Data Controllers or Processors, requiring them to implement robust measures to secure the personal data of customers, clients, employees, and other relevant individuals.
Non-compliance with the PDP Law can lead to significant penalties, including fines of up to IDR 60 billion or 2% of annual revenue, highlighting the importance of adhering to these regulations.
Why is PDP law necessary?
The personal data protection law is crucial for Indonesia as it addresses the need to protect individuals’ rights regarding data processing, whether electronic or non-electronic. Adequate personal data protection fosters public trust and encourages data sharing for societal benefits.
The law aims to balance individual rights with societal interests. Under the PDP Law, the government grants several rights to personal data subjects.
| Personal Data Protection Law | Description |
|---|---|
| The Right to be Informed | Individuals should be able to know who is processing their data, the legal basis for it, the purpose, and the accountability of the requesting parties. |
| The Right to Rectification | Enables individuals to complete, update, and correct their data. |
| The Right to Access | Allows individuals to access their data and additional information. |
| The Right to Erasure and Restriction of Processing | This would enable individuals to halt processing, erase, or destroy their data. |
| The Right Concerning Automated Decision-Making and Profiling | Allow individuals to object to decisions based on automated processing and profiling. |
| The Right to Object | Enable individuals to oppose the processing of their data, including profiling. |
| The Right to Claim Compensation | Allow individuals to seek compensation and ensure data controllers and processors fulfill obligations. |
| The Right to Data Portability | This enables individuals to access and transfer their data between different services. |
The PDP Law mandates that personal data controllers and processors must secure consent from data subjects, keep detailed records of data processing activities, guarantee data security, and designate a Data Protection Officer (DPO) to oversee these activities.
Data protection vs. data privacy
Data protection and data privacy are closely connected but have subtle differences. Data protection focuses on the legal and regulatory framework governing the handling of personal data, while data privacy emphasizes an individual’s right to control their personal information.
The personal data protection law ensures legal safeguards for data processing and empowers individuals to manage their privacy, creating a more secure digital environment for Indonesians.
What are examples of protected personal data?
Personal data protection law broadly defines personal data, encompassing any information related to an identifiable individual. Examples include:
- Name, address, phone number, and email address
- Date of birth, gender, and marital status
- Biometric data (fingerprints, facial recognition)
- Financial information (bank account details, credit card numbers)
- Health data (medical records, genetic information)
- Political opinions, religious beliefs, and sexual orientation
Read more: Intellectual property rights in Indonesia: An overview
Principles of personal data protection
The PDP Law establishes several core principles that guide the processing of personal data. These principles ensure that individuals’ personal information is handled with care, transparency, and respect for their privacy rights.
| Component | Description |
|---|---|
| Lawful basis for processing personal data (Articles 20 and 21) | Before processing personal data, identify the appropriate lawful basis as required by the PDP Law, which outlines six bases. The suitable basis depends on the purpose of processing and your relationship with the data subject.
|
| Right to be informed (Article 5) | Your business is required to provide privacy information to data subjects. |
| Right to rectification (Article 6) | Your business must enable data subjects to correct and update their personal data. |
| Right to access (Article 7) | Your business must grant data subjects the right to request access to their personal data. |
| Right to erasure (Article 8) | Your business must securely dispose of personal data that is no longer needed or has been requested for deletion by the data subject. |
| Right to withdraw consent (Article 9) | Your business must allow data subjects to withdraw their consent at any time. |
| Right to object to automated decision-making, including profiling (Article 10) | Your business must allow individuals to object to processing their data under the PDP Law, which protects them from decisions based solely on automated processing, including profiling. |
| Right to restrict processing (Article 11) | Your business must allow data subjects to request a restriction on processing their personal data. |
| Right to data portability (Article 13) | Your business must provide data subjects the right to transfer, copy, or move their personal data from one IT system to another. |
| Data Protection Impact Assessment (“DPIA”) (Article 34) | Your business must conduct a DPIA if you plan to carry out data processing activities that present a significant risk to the rights or interests of the data subjects. |
| Data security (Article 35) | Your business must implement the necessary security measures. |
| Breach notification (Article 46) | Your business must inform the impacted data subjects and the data protection authority regarding personal data breaches. |
| Accountability (Article 47) | Your business needs to show evidence of its compliance with the requirements of the PDP Law. |
| Data Protection Officers (DPO) (Article 35) | Your business might have to designate a DPO if you:
|
| Cross-border data transfer (Article 56) | Your business can solely transfer personal data beyond Indonesia if it adheres to the transfer conditions delineated in the PDP Law:
|
When is the deadline for compliance with PDP law?
Entities such as personal data controllers and processors must review their policies within two years of the PDP Law’s enactment on October 16, 2024. Failure to comply may result in penalties, including fines of up to two percent of the entity’s annual income.
Guide to Doing Business in Jakarta
Navigate your personal data protection with InCorp
Indonesia’s new personal data protection law has transformed the legal landscape of business. Ensuring compliance is no longer optional – it’s essential.
At InCorp, we understand the complexities of the PDP Law. We offer comprehensive legal compliance services to help your business navigate this evolving landscape.
Complete the form below to protect your business, build customer trust, and ensure smooth operations in the new era of data protection.
Tjhia Edy Tarlesno
Legal & Compliance Manager at InCorp Indonesia
Edy Tarlesno holds various certifications and a respectable degree to be an expert on internal and external legal compliance in Indonesia. His experience starts from bankruptcy and insolvency, leading to a prominent social foundation consultancy in Indonesia.
