Data Protection Regulation in Indonesia

Our Marshall Situmorang contributed to a collaborative project titled 'Asia: Data Protection Regulations', in partnership with Lexwork International's Asian members. You can access the full guide here.


Q1. What is the legislative and technology framework for governing personal information (“PI”) in your jurisdiction? Does your jurisdiction have a dedicated data protection law?
PI is primarily regulated under Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), which applies to personal data processing whether it is carried out electronically or non-electronically. Before the PDP Law was issued, PI protection was scattered across several regulations rather than set out in one comprehensive law. In addition to the PDP Law, sector-specific regulations continue to apply, notably in the financial services sector.

Q2. How is PI classified? Are there specific / additional regulations governing the processing of special or certain categories of personal information?

Under the PDP Law, PI is classified into 2 (two) main categories, namely (i) general personal data (e.g., name, gender, nationality) and (ii) specific personal data (e.g., health and medical records, biometric data, genetic data, criminal records, children's data, personal financial data). Specific personal data attracts stricter handling obligations, including a mandatory data protection impact assessment. Beyond this statutory classification, any further special categories of PI are determined at the discretion of the relevant sectoral authorities under their sector-specific requirements.

Q3. What are the grounds for processing PI in your jurisdiction?

Personal data may only be processed if the controller has at least one of the following legal bases: (i) explicit, valid consent from the data subject for one or more specified purposes; (ii) performance of a contract to which the data subject is a party; (iii) compliance with a legal obligation of the controller; (iv) protection of the vital interests of the data subject; (v) performance of a task in the public interest, public service, or the exercise of official authority; or (vi) other legitimate interests, balanced against the purpose, needs, and rights of the data subject.

Q4. What are the data breach notification/reporting requirements in your jurisdiction?

In the event of a personal data breach, the controller must deliver a written notification to the affected data subjects and to the data protection authority no later than 3 x 24 hours (72 hours) after the breach. The notification must include (i) the personal data that was disclosed, (ii) when and how the breach occurred, and (iii) the measures taken to handle and recover from the breach. If the breach disrupts public services or has a serious impact on the public interest, the controller must also notify the public.

Q5. Who is the authority responsible for overseeing compliance with data protection laws, and what is the scope of its powers?

The PDP Law provides for a data protection authority, appointed by the President, to oversee personal data matters in Indonesia. As the PDP Law is still within its transitional period, the government has not yet established this authority. For now, the PDP Law only stipulates the authority's functions, which are: a. formulating and establishing policies and strategies for personal data protection; b. supervising the implementation of personal data protection; c. enforcing the PDP Law, including imposing administrative sanctions; and d. facilitating alternative dispute resolution outside the courts.

Q6. Please provide a brief scope of penalties for breaches of data protection laws.

Breaches of the PDP Law are subject to administrative and criminal sanctions. Administrative sanctions comprise (i) a written warning, (ii) temporary suspension of personal data processing activities, (iii) deletion or destruction of personal data, and/or (iv) an administrative fine, which at its maximum is 2% of annual revenue related to the violation. Criminal offences (such as unlawfully collecting, disclosing, or using personal data, or falsifying personal data) carry fines of up to IDR 4 billion to IDR 6 billion and imprisonment of up to 4 to 6 years, depending on the offence. Additional sentences may include confiscation of profits and/or assets derived from the crime and an order to pay compensation to the victims.

Q7. Is it mandatory for an organisation to appoint a specific individual to manage data protection compliance in your jurisdiction, for example, a data protection officer? If yes, what qualifications are needed for that role and what are the legal responsibilities?

Yes, the appointment of a data protection officer ("DPO") is mandatory once a controller or processor meets any of the triggers stipulated in the PDP Law, one of which is that the processing is carried out for public services or in the public interest; the others are that the core activities require regular and systematic large-scale monitoring of personal data, or involve large-scale processing of specific personal data or data relating to criminal offences. The DPO must be appointed on the basis of professional qualities, knowledge of data protection law and practice, and the ability to carry out the role. Under the PDP Law, the DPO is responsible for (i) informing and advising on compliance with the PDP Law, (ii) monitoring and ensuring that compliance, (iii) advising on data protection impact assessments and monitoring their performance, and (iv) coordinating with, and acting as the liaison to, the data protection authority on issues relating to personal data processing.

Q8. Can you transfer PI outside of your jurisdiction? If yes, what are the conditions / restrictions placed on cross border transfers?

Yes, cross-border transfers are permitted, but the transferring controller must ensure that the recipient's country has a level of personal data protection equal to or higher than that of the PDP Law. If the recipient country does not meet that level, the controller must ensure that adequate and binding personal data protection is in place with the recipient (for example, through contractual safeguards). Where neither condition can be satisfied, the transfer may only proceed with the data subject's consent.

Q9. Are there any data localisation requirements?

There is no general data localisation requirement for private electronic system operators ("Private ESOs"): a Private ESO may manage, process, and/or store its electronic systems and data either in Indonesia or overseas. However, if a Private ESO processes or stores data overseas, it must grant the relevant government authority access to its systems and data on request for the purpose of regulatory supervision and law enforcement. Public-sector ESOs, by contrast, are required to manage their electronic systems and data within Indonesia, subject to limited exceptions.

Q10. What security obligations are imposed on both data controllers/ data fiduciaries and service providers engaged in PI processing?

Controllers must take appropriate measures when processing PI. Their obligations include to (i) ensure the accuracy, completeness, and consistency of the personal data processed through verification; (ii) refuse a data subject's request to access personal data where granting it would endanger the data subject, national security or defence, law enforcement, or the public interest; (iii) conduct a data protection impact assessment where the processing poses a high risk to data subjects; (iv) prepare and implement technical and organisational measures to protect the personal data; (v) determine the appropriate security level for the personal data, having regard to its nature and risk; (vi) preserve the confidentiality of the personal data being processed; (vii) prevent unlawful access to, and unlawful processing of, the personal data; and (viii) supervise every person involved in the processing activities. Processors (service providers) must process personal data only on the controller's instructions and, insofar as the processing is within that scope, are subject to the same security obligations as the controller; if a processor acts outside the controller's instructions, it bears its own responsibility for that processing.


Disclaimer: The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances.