In January 2020, Indonesia joined the burgeoning list of countries with their own data protection regulations. Provisions for data protection had existed within various other Indonesian laws but to provide clarity to both the data subjects about their data rights and organizations about their obligations, a separate draft bill was introduced.
The Personal Data Protection Bill (PDPB) contained almost all the necessary provisions to ensure Indonesians' data rights are adequately protected while placing several obligations upon organizations to guarantee those data rights are appropriately respected.
On 20th September, the Indonesian Parliament passed the bill, making it official law within Indonesia. Indonesia's Protection of Personal Data Law (PDPL) provides a transition period of two years for organizations (data controllers or data processors) to adjust their data handling and processing methods in accordance with the new law.
Prior to the draft PDPB and its subsequent enactment, Indonesia had a piecemeal framework for data protection and privacy in the form of Electronic Information and Transactions Regulations, MoCI Regulations, and Regulations on implementation of the Electronic System and Transaction. Moreover, the Republic of Indonesia's 1945 Constitution's Article 28G paragraph (1) also emphasizes the privacy of individuals. The PDPL aims to codify and harmonize these into a single, all-encompassing approach to personal data protection.
Understanding its various aspects is vital to achieving eventual compliance with it. So, here's what you need to know about Indonesia's PDPL.
Here's what data is covered by this law and the exact scope of its application:
The Indonesian PDPL applies to all forms of personal data processing related to any person (individual or corporation). This processing of personal data includes collection, analysis, storage, transfer, or deletion.
The Indonesian PDPL is applicable to every person, corporation, public body, or international organization located within or outside of the Republic of Indonesia (‘Indonesia’). In the case of the latter, the test is to consider whether any actions of the entities - handling the personal data of Indonesian residents - trigger legal consequences either:
This law exempts the processing of personal data by individuals in personal or household activities.
The PDPL defines personal data as data that relates to an identified or identifiable individual, alone or in combination with other information, either directly or indirectly, through electronic or non-electronic systems. Personal data is categorized as either general or specific.
General personal data is the category of personal data that includes:
Specific personal data refers to:
One stark difference that can be noticed is that previously, PDPB included the category of sensitive personal information that included data about religion/faith, sexual orientation, political views, etc. However, PDPL brings religion/faith under the General Personal Data while completely removing any mention of data related to sexual orientation and political views.
To ensure compliance with the PDPL, organizations should fulfill the following requirements:
The data controller must have a valid lawful basis for processing personal data. The basis can include:
The PDPL requires the personal data controller to comply with the eight principles for personal data processing. This includes:
Obtaining explicit valid consent from the data subject for one or more specified purposes is one of the bases for data processing activities under the PDPL. The consent to the processing of personal data should be in written or recorded format, gained either electronically or non-electronically. If the processing is based on consent, the data controller is required to provide information to data subjects regarding:
If the consent as mentioned above was gained for additional purposes, it must fulfill the following conditions:
Failure to fulfill these conditions or, in case of a request for processing, failure to show an agreement clause showing explicit consent can render the gained consent null and void.
The data controller must show proof of consent from the data subject before initiating their data processing activities.
In the case of children's personal data processing, the approval of the child's parents or legal guardian is required. The same goes for the personal data processing of people with disabilities, where their consent must be gained through communication using certain methods.
The data subject has a right to withdraw consent to the processing of his/her personal data at any time. In case the data subject withdraws their consent, the data controller must cease processing their personal data within 72 hours from the day such request is received.
The data controller is required to determine the security level of the personal data and ensure adequate security and protection mechanisms are in place by:
Additionally, the data controller is required to maintain the confidentiality of the personal data collected while supervising all parties involved in processing personal data under their command, such as data processors. This includes undertaking all required measures to prevent unlawful access to personal data by using a security system for personal data processed and/or processing personal data using an electronic system in a reliable, safe, and responsible manner.
PDPL defines a data breach as failing to protect a data subject’s personal data in terms of confidentiality, integrity, and availability. This includes security lapses - intentional or unintentional - that result in the loss, destruction, alteration, disclosure, or unauthorized access to personal data. In the event of a data breach, the data controller must notify both the affected data subjects and the regulatory authorities of the breach within 72 hours.
This notification must be in writing and should contain at least one of the following:
In some instances, the data controller may also be required to inform the general public about the data breach.
The data controller is required to stop or end the processing of personal data in the following cases:
The data controllers are responsible for the processing of personal data and will be held accountable for it. Data controllers should be able to demonstrate complete due diligence and compliance by following the rules for protecting the personal information of individuals. For this, organizations should have privacy notices in place.
If the processing of personal data poses a significant risk to the data subject, the personal data controller must conduct a personal Data Protection Impact Assessment (DPIA). Potential high-risk activities include:
Further provisions on conducting DPIAs will be given in future government regulations.
Both the data processor and data controller are required to appoint an official that oversees the organization's following activities:
The officer must be appointed based on professionalism, knowledge of the law, personal data protection practices, and ability to fulfill their duties diligently. He/she should be able to identify risks to the processing of personal data based on the nature, scope, purpose, and context of processing. The officer may be an internal employee or an external contractor.
Some additional responsibilities of the officer may include:
The data controllers can appoint a data processor who carries out their processing activities. The data processor should ensure that any such processing activities are done in accordance with the purposes specified by the data controller. Additionally, the processing should also comply with the provisions of PDPL.
The data processor can appoint subprocessors, but it should only be done with prior written consent from the data controller. The data controller remains responsible for all processing activities and will be liable for them unless the data processor carries out the processing outside the orders and purposes set by the data controller.
The data controller must keep a detailed record of all their personal data processing activities. The data controller is also required to give the data subject access to the personal data processed on them along with the track record of processing activities related to their data in accordance with the period of storage.
The PDPL allows data controllers in Indonesia to transfer personal data to other data controllers and processors outside the jurisdiction of Indonesia as long as certain conditions are met.
These conditions include:
The PDPL exempts some processing activities of data controllers or processors under stipulated conditions. The first is where the activities involve national defense or security interests. The second is where the processing involves the interests of the law enforcement process or the interest of the public in the context of state administration.
The last is where the processing encompasses the interests of supervision of the financial services sector, monetary, payment systems, and financial system stability carried out in the context of state administration. If the organization’s processing activities involve any of these, it can be exempted from the following obligations:
The PDPL provides a range of rights to data subjects. To exercise any of these rights, the data subject can submit a request to the data controller electronically or non-electronically. Here are some of the data subject rights guaranteed by the Indonesian PDPL:
All data subjects have a right to obtain information regarding the clarity of identity, what legal interests are being protected, why their personal data is being requested and used, and who is responsible for those decisions.
All data subjects have the right to know, access, and obtain a copy of their personal data collected by a data controller or data processor. This includes the right to request to know the methods used to collect their data, the data sources, and for what purpose. The copy of personal data can be obtained free of charge, except in certain circumstances where a fee is required.
Whenever a data subject requests to obtain processed data and a track record of processing, the data controller shall grant access to it within 72 hours of receiving such request. Such a request can only be refused by the data controller if it endangers the data subject or other persons, endangers national security, or impacts the disclosure of personal data belonging to other persons.
All data subjects have the right to request modifications to data that has become outdated/incomplete/incorrect since it was collected. The data controller must update and correct any discrepancies within 72 hours of the receipt of the request. Once updated and corrected, the data controller is required to inform the data subject.
All data subjects have the right to revoke or withdraw consent to the processing of their personal data at any time. When the data subject withdraws the consent, the data controller is obligated to stop the processing of the data subject’s personal data within 72 hours. The data controller must then delete the personal data belonging to the data subject.
All data subjects have the right to request an end to the processing of their personal data and delete or destroy the personal data related to them.
All data subjects have the right to object to any automated decision-making processes, including profiling, that may significantly impact the data subjects.
Further provisions relating to how data subjects may exercise their right to object to automated decision-making will be provided in future government regulations.
All data subjects have the right to delay or restrict the processing of their personal data proportionate to the purpose for which it is to be processed. The data controller must restrict or postpone the processing of the data subject’s personal data within 72 hours of receipt of such request. Once done, the data controller is required to notify the data subject of the implementation of restriction/postponement of processing.
All data subjects have the right to sue a data controller or processor and receive fair compensation in case the provisions of this law were violated in processing their personal data.
Further provisions relating to how data subjects may exercise their right to limit the processing of their data will be provided in future government regulations.
All data subjects whose personal information is collected have a right to get a copy of such information in a commonly used, machine-readable format from the controller or processor. Data subjects can use and send personal data about themselves to other data controllers, as long as the systems used can communicate with each other securely in accordance with the PDPL provisions.
Further provisions relating to how data subjects may exercise their right to data portability will be provided in future government regulations.
All the aforementioned data subject rights do not apply in cases involving:
Chapter IX of the PDPL requires the central government to establish an agency responsible for implementing the PDPL. The agency shall be determined by and answerable to the President, while further provisions related to the agency will follow via a presidential regulation.
The agency's responsibilities will include the following per the law:
The Indonesian PDPL takes a tough stance on levying fines on organizations and individuals found to have obtained or collected personal data on Indonesian citizens unlawfully.
Such an act carries a fine of 5 billion Indonesian rupiahs and/or a maximum prison sentence of 5 years. This penalty is also applicable to anyone who uses the unlawfully obtained personal data of others.
Similarly, anyone found disclosing the personal data of Indonesian citizens without their consent or intentionally using such data can be fined 4 billion Indonesian rupiahs and/or a maximum prison sentence of 4 years for each of those offenses. Anyone found falsifying personal data with the intent to benefit themselves or another organization or individual while causing harm to others can be fined 6 billion Indonesian rupiahs and/or a maximum prison sentence of 6 years.
Additionally, the law allows additional penalties to be imposed on those found guilty in the form of confiscation of profits or assets obtained from the criminal acts and payment of compensation.
When an organization is fined, the penalty may be imposed on the management, control holder, order giver, beneficial owner, and/or the corporation as an entity itself. The organization has a period of 1 month to pay the fine with the possibility of a 1-month extension for genuine reasons.
In case the fine is not paid within this period, the assets or income of the offender may be confiscated and auctioned by the prosecutor to settle the unpaid fine.
In the event of personal data protection failure, the PDPL provides for administrative sanctions in the form of a written warning, temporary suspension, deletion of personal data, and administrative fines. The administrative fines would be a maximum of 2% of annual revenue or annual acceptance of the violation variable. These sanctions will be imposed by the regulatory authority.
Here are just some basic steps organizations can undertake to operationalize the law into practice:
It's undeniable how much data regulations have begun to impact how organizations typically interact with their users. While for users, it allows for greater control over their data than was previously possible, it leaves organizations with the laborious and complicated task of compliance. Failure to do so can lead to millions in regulatory fines and the loss of customer confidence.
This task is further exacerbated by the fact that different regulations place different obligations on organizations. So, on paper, an organization may have to change its data processing and collection activities on a country-to-country basis.
Naturally, automation is the most effective and efficient way to ensure compliance.
Securiti is a market-leading data governance and compliance enterprise solutions provider with products that range from universal consent management and data classification to DSR automation and assessment automation that can help organizations fulfill their data-related obligations effectively under all major data regulations.
Indonesia has implemented the Protection of Personal Data Law (PDPL), a data protection regulation that applies to all forms of personal data processing related to any person (individual or corporation), including collection, analysis, storage, transfer, or deletion.
Data subject rights in Indonesia, under the Personal Data Protection Law, include rights to obtain information, access, modify, revoke consent, end processing, object to automated decision-making, object or restrict, legal action, and data portability.
Sensitive personal data is defined as personal data that requires special protection and includes data concerning religion or belief, health, physical and mental conditions, sexual life, personal financial data, and other personal data that may be dangerous or detrimental to the privacy of the data subject.
The fine for a data breach in Indonesia may vary depending on the severity of the breach and the provisions of the Personal Data Protection Bill. A fine of 5 billion Indonesian rupiahs and/or a maximum prison sentence of 5 years.