1. Introduction
In January 2020, Indonesia joined the burgeoning list of countries with their own data protection regulations by publishing the Personal Data Protection Bill (PDPB). Provisions for data protection existed within various other Indonesian laws, but a separate draft bill was introduced to provide clarity to both data subjects about their data rights and organizations about their obligations.
The Indonesian Parliament passed the Personal Data Protection Law (PDPL) on September 20, 2022. The law came into effect on October 17, 2022, and provides a two-year grace period for organizations (data controllers or data processors) to adjust their data handling and processing methods in accordance with the new law.
In August 2023, Law No. 27 of 2022, known as the Draft Implementing Regulation (Draft Regulation), was also published. The Draft Regulation is an extensive document that further expands upon the principles outlined in the PDPL. It provides specific regulations on how personal data should be processed, stored, and protected, the roles and responsibilities of data controllers and processors, how organizations should honor data subject rights, and enforcement mechanisms.
Prior to the PDPL, Indonesia had a piecemeal framework for data protection and privacy. There are several regulations that continue to regulate the personal data processed in the electronic systems by the Electronic Service Operators (ESOs). These are:
Moreover, Indonesia's 1945 Constitution's Article 28G paragraph (1) also emphasizes individual privacy. The PDPL aims to codify and harmonize these into a single, all-encompassing approach to personal data protection.
Understanding the various aspects of the PDPL is vital to achieving eventual compliance with it. So, here's what you need to know about Indonesia's PDPL.
2. Who Needs to Comply with PDPL
Here's what data is covered by this law and the exact scope of its application:
a. Material Scope
Indonesia's PDPL applies when an individual, business, entity, or international organization processes personal data. The PDPL exempts the processing of personal data by individuals in the course of personal or household activities.
b. Territorial Scope
The Indonesian PDPL is applicable to every person, corporation, public body, or international organization located within or outside Indonesia. In the case of the latter, the test is to consider whether any actions of the entities - handling the personal data of Indonesian residents - trigger legal consequences either:
- for them within Indonesia; and/or
- for Indonesian citizens living outside Indonesia.
3. Definitions of Key Terms
Personal Data
PDPL defines personal data as data that relates to an identified or identifiable individual, alone or in combination with other information, either directly or indirectly, through electronic or non-electronic systems. Personal data is categorized as either general or specific.
i. General Personal Data
General personal data is the category of personal data that includes:
- Full name;
- Gender;
- Citizenship status;
- Religion;
- Marital status;
- Personal data that can be used to identify someone.
ii. Specific Personal Data
Specific personal data refers to:
- Health data & information;
- Biometric data;
- Genetic data;
- Criminal records;
- Child data;
- Financial data; and
- Any other data in accordance with the provisions of PDPL and its subsequent regulations.
4. Obligations for Organizations Under PDPL
To ensure compliance with the PDPL, organizations should fulfill the following requirements:
a. Lawful Basis Requirement
The data controller must have a valid lawful basis for processing personal data. The basis can include:
- Valid explicit consent from the data subject for one or more particular purposes that the data controller has disclosed to the data subject;
- Fulfillment of legal obligations of the data controller;
- Fulfillment of contractual obligations of the data controller;
- Fulfillment of a data subject’s request whilst entering into a contract or an agreement;
- Fulfillment of protection of vital interests of the data subject;
- Fulfillment of tasks and duties or exercise of authority by the data controller in the public interest and public services under law and regulations;
- Fulfillment of legitimate interests of the data controller and the rights of data subjects.
b. Data Processing Principles
The PDPL requires the personal data controller to comply with the eight principles for personal data processing. This includes:
- Collection of data in a limited, transparent, and lawful manner;
- Processing data according to a defined purpose;
- Guaranteeing the rights of the personal data subjects;
- Personal data processing is accurate, up-to-date, and not misleading;
- The security of personal data is maintained by safeguarding it against unauthorized access, illegal disclosure, unauthorized modification, misuse, destruction, and/or deletion;
- Disclosing the purpose of the processing and any data protection failures;
- Deleting the personal data after the retention period ends or at the request of the data subject; and
- Processing is done responsibly, which can be proven.
c. Consent Requirements
Obtaining explicit, valid consent from the data subject for one or more specified purposes is one of the lawful bases for data processing activities under the PDPL. Consent to the processing of personal data should be in written or recorded form, obtained either electronically or non-electronically. If the processing is based on consent, the data controller is required to provide the data subject with information regarding:
- The legality of the processing of personal data;
- Purposes of processing personal data;
- Type and relevance of data that will be processed and the details of the information collected;
- Retention period;
- Details regarding the personal data collected;
- Period of processing of personal data;
- Data subject rights.
If the consent as mentioned above was gained for additional purposes, it must fulfill the following conditions:
- Other purposes are clearly distinguishable;
- Communicated in an understandable and accessible format;
- Communicated in simple and clear language.
Failure to fulfill these conditions, or, where processing is requested, failure to present an agreement clause that demonstrates explicit consent, can render the consent obtained null and void.
The data controller must show proof of consent from the data subject before initiating their data processing activities.
In the case of children's personal data processing, the approval of the child's parents or legal guardian is required. The same goes for the personal data processing of people with disabilities, where their consent must be gained through communication using certain methods.
The data subject has the right to withdraw consent to the processing of his/her personal data at any time. If the data subject withdraws consent, the data controller must cease processing the personal data within 72 hours from the day such a request is received.
d. Security Requirements
The data controller is required to determine the security level of the personal data and ensure that adequate security and protection mechanisms are in place by:
- Overseeing the preparation and implementation of operational and technical steps to protect personal data from interference with the data processing activities;
- Determining the level of security of personal data by taking into account the nature and risks of data that must be protected during the data processing activities.
Additionally, the data controller is required to maintain the confidentiality of the personal data collected while supervising all parties involved in processing personal data under their command, such as data processors. This includes undertaking all required measures to prevent unlawful access to personal data by using a security system for personal data processed and/or processing personal data using an electronic system in a reliable, safe, and responsible manner.
e. Data Breach Requirements
PDPL defines a data breach as failing to protect a data subject’s personal data in terms of confidentiality, integrity, and availability. This includes security lapses - intentional or unintentional - that result in the loss, destruction, alteration, disclosure, or unauthorized access to personal data. In the event of a data breach, the data controller must notify both the affected data subjects and the regulatory authorities of the breach within 72 hours.
This notification must be in writing and should contain at least:
- The data affected;
- How the data was compromised;
- Steps being taken to remedy the situation and prevent future such incidents.
In some instances, the data controller may also be required to inform the general public about the data breach.
f. Ensure Termination of Processing
The data controller is required to stop or end the processing of personal data in the following cases:
- If it is requested by the data subject;
- The purpose of processing has been achieved;
- The retention period has been completed.
g. Privacy Notice Requirements
Data controllers are responsible for processing personal data and will be held accountable for it. They should be able to demonstrate complete due diligence and compliance by following the rules for protecting individuals' personal information. For this, organizations should have privacy notices in place.
h. Data Protection Impact Assessment
If the processing of personal data poses a significant risk to the data subject, the personal data controller must conduct a personal Data Protection Impact Assessment (DPIA). Potential high-risk activities include:
- Processing of Specific Personal Data;
- Large-scale processing of personal data;
- Automated decision-making that significantly affects the data subjects with legal repercussions;
- Processing of personal data for the systematic evaluation, scoring, or monitoring of data subjects;
- Processing of personal data to merge a group of data or matching activities;
- The use of new technology whilst processing personal data;
- Processing of personal data that limits a data subject’s ability to exercise their rights.
The PDPL states that future government regulations will include further provisions on conducting DPIAs. The current Draft Regulation also provides details on DPIAs.
i. Data Protection Officer Requirements
Both the data processor and the data controller are required to appoint an official who oversees the following activities of the organization:
- Data processing activities for public purposes;
- Core data protection activities that require regular, systematic monitoring of personal data on a large scale;
- Data processing activities of a specific nature or personal data related to criminal activities.
The officer must be appointed based on professionalism, knowledge of the law, personal data protection practices, and ability to fulfill their duties diligently. He/she should be able to identify risks to the processing of personal data based on the nature, scope, purpose, and context of processing. The officer may be an internal employee or an external contractor.
Some additional responsibilities of the officer may include:
- Informing and advising the data controller and processor on how best to comply with PDPL;
- Monitoring and ensuring compliance with PDPL;
- Monitoring the performance of data controller and processor related to data protection;
- Coordinating and acting as a liaison for issues related to data processing.
j. Data Processors' Requirements
The data controllers can appoint a data processor who carries out their processing activities. The data processor should ensure that any such processing activities are done in accordance with the purposes specified by the data controller. Additionally, the processing should also comply with the provisions of PDPL.
The data processor can appoint sub-processors, but it should only be done with prior written consent from the data controller. The data controller remains responsible for all processing activities and will be liable for them unless the data processor carries out the processing outside the orders and purposes set by the data controller.
k. Have a Record of Processing Activities
The data controller must keep a detailed record of all personal data processing activities. The data controller is also required to give the data subject access to the personal data processed on them and a track record of processing activities related to their data in accordance with the period of storage.
l. Cross-Border Data Transfer Requirements
PDPL allows data controllers in Indonesia to transfer personal data to other data controllers and processors outside Indonesia as long as certain conditions are met. These conditions include:
- Ensuring the country to which the personal data is being transferred has a regulation equivalent to the Personal Data Protection Law;
- In case such a regulation does not exist, the data controller must ensure that the country has adequate and binding personal data protection measures in place;
- If such measures are not in place, the data controller must obtain the consent of the relevant data subject.
Exceptions to the Organizations’ Obligations:
The PDPL provides exceptions to some of the data controllers or processors' processing activities on stipulated conditions. First, if the activities involve national defense or security interests. Second, if the processing involves the interests of the law enforcement process or the interests of the public in the context of state administration.
Finally, if the processing encompasses the interests of supervision of the financial services sector, monetary, payment systems, and financial system stability carried out in the context of state administration. If the organization’s processing activities involve any of these, it can be exempted from the following obligations:
- Rectify errors or inaccuracies in the personal data within 72 hours of receipt of such a request and notify the data subject of the rectification;
- Provide access to the processed personal data and the track record of the processing activities to the data subject;
- Maintain confidentiality;
- Terminate the processing if the purpose is achieved, or retention period is reached, or the data subject requests it;
- Delete personal data if the data subject requests it or withdraws the consent or if it is no longer required for the purpose it was obtained;
- Destroy personal data if the data subject requests it;
- Notify the data subject on the erasure or destruction of personal data; and
- Notify the data subject in case of a breach or failure of personal data protection.
5. Data Subject Rights
The PDPL provides a range of rights to data subjects. To exercise any of these rights, the data subject can submit a request to the data controller either electronically or non-electronically. Here are some of the data subject rights guaranteed by the Indonesian PDPL:
All data subjects have a right to obtain information regarding the clarity of identity, what legal interests are being protected, why their personal data is being requested and used, and who is responsible for those decisions.
b. Right to Access to Personal Data
All data subjects have the right to know, access, and obtain a copy of their personal data collected by a data controller or data processor. This includes the right to know the methods used to collect their data, the data sources, and the purpose of collection. The copy of personal data can be obtained free of charge, unless the circumstances require a fee. Whenever a data subject requests the processed data and a track record of its processing, the data controller shall grant access within 72 hours of receiving the request.
c. Right to Modification of Data
All data subjects have the right to request modifications to data that has become outdated, incomplete, or incorrect since it was collected. The data controller must update and correct any discrepancies within 72 hours of receiving the request. Once updated and corrected, the data controller is required to inform the data subject.
d. Right to Revoke Consent
All data subjects have the right to revoke or withdraw consent to the processing of their personal data at any time. When the data subject withdraws the consent, the data controller is obligated to stop the processing of the data subject’s personal data within 72 hours. The data controller must then delete the personal data belonging to the data subject.
e. Right to End Processing
All data subjects have the right to request an end to the processing of their personal data and delete or destroy the personal data related to them.
f. Right to Object to Automated Decision-making
All data subjects have the right to object to any automated decision-making processes, including profiling, that may significantly impact the data subjects.
Further provisions relating to how data subjects may exercise their right to object to automated decision-making will be provided in future government regulations.
g. Right to Delay or Restrict
All data subjects have the right to delay or restrict the processing of their personal data proportionate to the purpose for which it is to be processed. The data controller must restrict or postpone the processing of the data subject’s personal data within 72 hours of receipt of such request. Once done, the data controller is required to notify the data subject of the implementation of restriction/postponement of processing.
Further provisions relating to how data subjects may exercise their right to limit the processing of their data will be provided in future government regulations.
h. Right to Legal Action
All data subjects have the right to sue a data controller or processor and receive fair compensation in case the provisions of this law were violated in processing their personal data.
i. Right to Data Portability
All data subjects whose personal information is collected have a right to get a copy of such information in a commonly used, machine-readable format from the controller or processor. Data subjects can use and send personal data about themselves to other data controllers as long as the systems used can communicate with each other securely in accordance with the PDPL provisions.
Further provisions relating to how data subjects may exercise their right to data portability will be provided in future government regulations.
Exceptions to the Data Subject Rights:
All the aforementioned data subject rights do not apply in cases involving:
- Interests of national defense and security;
- Interests of law enforcement process;
- Interests of supervision of the financial services sector, monetary, payment system, and stability of the financial system carried out in the context of state administration;
- Public interests of the administration of the state;
- Interests of scientific and statistical research.
6. Regulatory Authority
Chapter IX of the PDPL requires the central government to establish an agency responsible for implementing the PDPL. The agency shall be determined by and answerable to the President, and further provisions related to the agency will follow via a presidential regulation.
The agency's responsibilities will include the following per the law:
- Establishing personal data protection policies that will provide guidance to data subjects, data controllers, and data processors;
- Supervising data controllers' compliance;
- Imposing administrative fines for violations of the law by data controllers and data processors;
- Assisting law enforcement agencies in handling criminal activities related to personal data;
- Cooperating with other international data protection agencies in the context of resolving allegations of cross-border personal data protection violations;
- Carrying out assessments to fulfill the requirements for personal data transfers outside the jurisdiction of Indonesia;
- Giving orders following supervision and publishing the results of the implementation of such supervision;
- Receiving complaints and reports related to potential violations of personal data protection laws;
- Conducting inspections and searches on complaints, reports, and/or results of supervision on allegations of potential violations of personal data protection laws;
- Summoning responsible personnel from data controllers and data processors alleged to have committed violations of personal data protection;
- Requesting relevant information, data, documents, and other resources from responsible personnel from data controllers and data processors alleged to have committed violations of personal data protection;
- Obtaining experts’ advice in any investigation by summoning them;
- Conducting inspections and searches of all facilities, spaces, and places used by data controllers and data processors alleged to have committed violations of personal data protection;
- Requesting legal assistance from the prosecutor's office in resolving personal data protection disputes;
- Facilitating out-of-court settlements.
7. Penalties and Sanctions
The Indonesian PDPL follows a tough stance on levying fines on organizations and individuals found to have obtained or collected personal data on Indonesian citizens unlawfully.
Such an act carries a fine of 5 billion Indonesian rupiahs and/or a maximum prison sentence of 5 years. This penalty is also applicable to anyone who uses the unlawfully obtained personal data of others.
Similarly, anyone found disclosing the personal data of Indonesian citizens without their consent or intentionally using such data can be fined 4 billion Indonesian rupiahs and/or a maximum prison sentence of 4 years for each of those offenses. Anyone found falsifying personal data with the intent to benefit themselves or another organization or individual while causing harm to others can be fined 6 billion Indonesian rupiahs and/or a maximum prison sentence of 6 years.
Additionally, the law allows additional penalties to be imposed on those found guilty in the form of confiscation of profits or assets obtained from the criminal acts and payment of compensation.
When an organization is fined, the penalty may be imposed on the management, control holder, order giver, beneficial owner, and/or the corporation as an entity itself. The organization has a period of 1 month to pay the fine with the possibility of a 1-month extension for genuine reasons.
If the fine is not paid within this period, the prosecutor may confiscate the offender's assets or income and auction them to settle the unpaid fine.
In the event of a personal data protection failure, the PDPL provides for administrative sanctions in the form of a written warning, temporary suspension of processing, deletion of personal data, and administrative fines. Administrative fines are capped at a maximum of 2% of annual revenue or annual receipts, based on the violation variable. The violation variables are set out in the Draft Regulations and will be used to calculate fines. The regulatory authority will impose these sanctions.
8. How Can an Organization Operationalize PDPL
Here are just some basic steps organizations can undertake to operationalize the law into practice:
- Have a compliant consent mechanism in place to capture express consent;
- Communicate to data subjects what data is being collected on them;
- Maintain proper channels of communication, allowing the data subjects to request access, alteration, or deletion of data collected on them;
- Properly educate the employees and the workforce on your data processing methods;
- Have an easy-to-read privacy policy that clearly communicates to all data subjects their consumer rights without leaving any room for ambiguity;
- Have a strict data security management system in place;
- Ensure all the company's employees and staff are acutely aware of their responsibilities under the PDPL;
- Have a breach response plan in place;
- Conduct regular data protection impact assessments and data mapping exercises to ensure maximum efficiency in your compliance efforts.
9. How Securiti Can Help
It's undeniable how much data regulations have begun to impact how organizations typically interact with their users. While for users, it allows for greater control over their data than was previously possible, it leaves organizations with the laborious and complicated task of compliance. Failure to do so can lead to millions in regulatory fines and the loss of customer confidence.
This task is further exacerbated by the fact that different regulations place different obligations on organizations. So, on paper, an organization may have to change its data processing and collection activities on a country-to-country basis.
Naturally, automation is the most effective and efficient way to ensure compliance.
Securiti is a market-leading data governance and compliance enterprise solutions provider with products that range from universal consent management and data classification to DSR automation and assessment automation that can help organizations fulfill their data-related obligations effectively under all major data regulations.
Request a demo today and learn more about how Securiti can help you comply with Indonesia's PDPL.