Navigating the personal data protection law in Indonesia

Personal data protection is the legal and regulatory framework designed to safeguard individual privacy by governing personal data collection, storage, use, disclosure, and transfer.

This framework ensures that personal information is handled ethically, responsibly, and with the consent of the data subject (the individual whose data is being processed).

Understanding the PDP law in Indonesia

Following the enactment of Law No. 27 of 2022 on Personal Data Protection (PDP Law), organizations and companies in Indonesia must comply with strict regulations designed to protect the personal data they handle.

This law imposes various obligations on entities that act as Personal Data Controllers or Processors, requiring them to implement robust measures to secure the personal data of customers, clients, employees, and other relevant individuals.

Non-compliance with the PDP Law can lead to significant penalties. Administrative fines can reach 2% of annual revenue, and the law also carries criminal sanctions for unlawful collection, disclosure, or use of personal data, with fines for corporations that can reach IDR 60 billion (ten times the maximum fine for an individual). This makes adherence to these regulations a board-level concern rather than a paperwork exercise.

Why is PDP law necessary?

The personal data protection law is crucial for Indonesia as it addresses the need to protect individuals’ rights regarding data processing, whether electronic or non-electronic. Adequate personal data protection fosters public trust and encourages data sharing for societal benefits.

The law aims to balance individual rights with societal interests. Under the PDP Law, the government grants several rights to personal data subjects.

Right: Description
The Right to be Informed: Individuals must be able to learn who is processing their data, the legal basis for doing so, the purpose of the processing, and who is accountable for it.
The Right to Rectification: Individuals can complete, update, and correct their data.
The Right to Access: Individuals can access their data and obtain a copy of it, together with related information about the processing.
The Right to Erasure and Restriction of Processing: Individuals can require the controller to halt processing, erase, or destroy their data.
The Right Concerning Automated Decision-Making and Profiling: Individuals can object to decisions based solely on automated processing, including profiling.
The Right to Object: Individuals can oppose the processing of their data, including profiling.
The Right to Claim Compensation: Individuals can seek compensation for violations, which in turn holds controllers and processors to their obligations.
The Right to Data Portability: Individuals can obtain their data and transfer it between different services.

The PDP Law mandates that personal data controllers and processors secure a valid lawful basis (commonly the data subject's consent) before processing, keep detailed records of data processing activities, guarantee data security, and, where the law requires it, designate a Data Protection Officer (DPO) to oversee these activities.

Data protection vs. data privacy

Data protection and data privacy are closely connected but have subtle differences. Data protection focuses on the legal and regulatory framework governing the handling of personal data, while data privacy emphasizes an individual’s right to control their personal information.

The personal data protection law ensures legal safeguards for data processing and empowers individuals to manage their privacy, creating a more secure digital environment for Indonesians.

What are examples of protected personal data?

Personal data protection law broadly defines personal data, encompassing any information related to an identifiable individual. Examples include:

  • Name, address, phone number, and email address
  • Date of birth, gender, and marital status
  • Biometric data (fingerprints, facial recognition)
  • Financial information (bank account details, credit card numbers)
  • Health data (medical records, genetic information)
  • Political opinions, religious beliefs, and sexual orientation

Principles of personal data protection

The PDP Law establishes several core principles that guide the processing of personal data. These principles ensure that individuals’ personal information is handled with care, transparency, and respect for their privacy rights.

Component: Description
Lawful basis for processing personal data (Articles 20 and 21): Before processing personal data, identify the appropriate lawful basis as required by the PDP Law, which recognizes six bases. The suitable basis depends on the purpose of the processing and your relationship with the data subject:
  • Explicit consent
  • Contractual obligation
  • Legal obligation
  • Vital interests
  • Public interest
  • Legitimate interest
Right to be informed (Article 5): Your business is required to provide privacy information to data subjects.
Right to rectification (Article 6): Your business must enable data subjects to correct and update their personal data.
Right to access (Article 7): Your business must grant data subjects the right to request access to, and a copy of, their personal data.
Right to erasure (Article 8): Your business must securely dispose of personal data that is no longer needed or whose deletion the data subject has requested.
Right to withdraw consent (Article 9): Your business must allow data subjects to withdraw their consent at any time.
Right to object to automated decision-making, including profiling (Article 10): Your business must allow data subjects to object to decisions that are based solely on automated processing of their data, including profiling, and to the processing that produces such decisions.
Right to restrict processing (Article 11): Your business must allow data subjects to request that processing of their personal data be delayed or restricted.
Right to data portability (Article 13): Your business must provide data subjects the right to transfer, copy, or move their personal data from one IT system to another.
Data Protection Impact Assessment ("DPIA") (Article 34): Your business must conduct a DPIA if you plan to carry out data processing activities that present a high risk to the rights or interests of the data subjects.
Data security (Article 35): Your business must implement the technical and organizational security measures needed to protect the personal data it processes.
Breach notification (Article 46): Your business must inform the impacted data subjects and the data protection authority in writing of a personal data breach no later than 3 x 24 hours after the breach.
Accountability (Article 47): Your business must be able to show evidence of its compliance with the requirements of the PDP Law.
Data Protection Officers (DPO) (Article 53): Your business must designate a DPO if you:
  • Process personal data for public services (e.g., as a public authority);
  • Conduct extensive, regular, and systematic monitoring of data subjects as a fundamental part of your operations (e.g., tracking online behavior); or
  • Undertake large-scale processing of specific personal data or data concerning criminal convictions and offenses as a core aspect of your activities.
Cross-border data transfer (Article 56): Your business can only transfer personal data outside Indonesia if it meets the transfer conditions set out in the PDP Law, applied in order:
  • The recipient's jurisdiction must maintain an equivalent or higher standard of personal data protection.
  • Failing that, the data exporter must establish adequate and binding safeguards for the data.
  • Failing both of the above, the data exporter may proceed only with the data subject's consent.

When is the deadline for compliance with PDP law?

The PDP Law was promulgated in October 2022 and gave personal data controllers and processors a two-year transition period, so their policies and processing activities must have been brought into compliance by October 2024. Failure to comply may result in penalties, including administrative fines of up to two percent of the entity's annual revenue.

Indonesia’s new personal data protection law has transformed the legal landscape of business. Ensuring compliance is no longer optional – it’s essential.

At InCorp, we understand the complexities of the PDP Law. We offer comprehensive legal compliance services to help your business navigate this evolving landscape.

    Tjhia Edy Tarlesno

    Legal & Compliance Manager at InCorp Indonesia

    Edy Tarlesno holds various certifications and a relevant degree, making him an expert on internal and external legal compliance in Indonesia. His experience ranges from bankruptcy and insolvency to consultancy for a prominent social foundation in Indonesia.
