
Nov 02

A Brief Overview of the Indonesian Personal Data Protection Law

President Joko Widodo officially ratified Law No. 27 of 2022 on Personal Data Protection (PDP Law) on 17 October 2022. The law had been expected for a long time, ever since the first draft was released for public comment on 28 January 2020. Before the PDP Law was ratified, personal data protection regulation in Indonesia was not codified under a particular law. Instead, it was regulated in more than 30 different laws and regulations, in particular those regarding electronic systems. While they provided fairly comprehensive regulations on personal data protection, it was difficult for people to hold companies accountable for misusing their personal data due to the lack of a specific comprehensive law regulating it.

The PDP Law sets forth the rights and responsibilities of individuals as the 'data subjects' and of any individuals, public entities or international organizations as the personal data 'controllers' and 'processors', as defined in Article 1 of the PDP Law. Many of the core aspects of the PDP Law, such as definitions of covered data and covered entities, lawful grounds, processing obligations, accountability measures and controller-processor relationships, are similar to other personal data protection laws around the world, most notably the EU's General Data Protection Regulation (GDPR). However, a few provisions are distinct to the law in Indonesia. For instance, Article 2 paragraph (1) of the PDP Law includes a broad extraterritorial scope provision: the law applies to any person, public body or international organization carrying out activities within the scope of the PDP Law, not only within the jurisdiction of Indonesia, but also outside the jurisdiction of Indonesia where those activities have a legal impact on the jurisdiction of Indonesia or on data subjects who are Indonesian citizens located outside the jurisdiction of Indonesia.

Although the government will need to further regulate key provisions in subsequent regulations, the PDP Law establishes a comprehensive foundation to govern data processing activities in Indonesia. As to the compliance period, Article 74 of the PDP Law requires data controllers, processors and other parties related to personal data processing to comply with the provisions of the PDP Law no later than two years (except for the criminal provisions, which will come into force immediately) once the PDP Law comes into effect, which will occur when it receives presidential assent or when the time window to receive assent expires. Other relevant laws and regulations previously issued in relation to personal data protection shall be deemed applicable as long as they do not contravene the PDP Law, as set out in Article 75 of the PDP Law.

The PDP Law defines “personal data” as the data of any person who is identified or can be identified individually or in combination with other information, directly or indirectly through an electronic or non-electronic system. Furthermore, Article 4 of the PDP Law identifies a number of categories of general personal data which, by definition, would not be categorized as specific personal data. These include a person's full name, gender, citizenship, religion, and marital status, as well as data that is combined with other data to identify an individual. Specific personal data, by contrast, includes information such as biometrics, health information, genetics, criminal record, children's data, personal finance and any other data in accordance with the regulation. The explanatory note of the PDP Law on specific personal data explains that the above data may potentially cause loss and damage to the data subject.

In order to legally process personal data, Article 20 of the PDP Law sets out six legal bases for processing personal data (whether specific or of a general nature), namely:

  1. obtaining an explicit agreement or consent from the data subject;
  2. fulfilling the agreement obligation and requests of the data subject;
  3. protecting the vital interest of the data subject;
  4. fulfilling the data controllers' obligations based on the prevailing laws and regulations;
  5. implementing tasks for the public interest, public services or implementation of controllers;
  6. fulfilling the legitimate interests in terms of the purpose and needs of data processing and balancing the interests of the controller with the rights of the data subject.

It is expected that the PDP Law will have a significant impact on the regulatory mechanism of the transfer and protection of personal data, considering that Indonesia has the fourth largest population in the world. The PDP Law has established the appropriate characterizations of data subjects, which, as a result, will further identify the rights and obligations of the data subjects in relation to the protection and transfer of personal data. The PDP Law has established much greater clarity than the previous laws and regulations with regard to personal data protection in Indonesia.

Schinder Law Firm is one of many corporate law firms in Indonesia with many experienced and professional civil lawyers and investment lawyers in its arsenal, making it one of the top consulting firms in Indonesia. It is prepared to help your company understand the impacts of the Personal Data Protection Law (PDPL) and take the required measures to comply with the law. The Privacy, Data Protection, and Cybersecurity practice group at Schinder Law Firm is a pioneer in providing data privacy law services in Indonesia. Feel free to contact us at info@schinderlawfirm.com for further consultation.

Author: Dewi Susanti


Dear valued Visitor,

Data is a valuable currency in this new world. In the midst of digital transformation, the Indonesian government has taken the final decision to pass the Pelindungan Data Pribadi (PDP) Bill by September 2022. The PDP Law applies to all businesses established in Indonesia and puts the consumer in control. The task of complying with this regulation falls upon businesses.

The PDP Law affects a variety of business operations, including how your sales team prospects and how marketing initiatives are managed. Businesses have had to reassess their business procedures, applications, and forms. Additionally, all businesses that work with personal data should designate a Data Protection Officer (DPO) or data controller to oversee PDP compliance.

In line with this spirit, it gives us great pleasure to announce and share with all our esteemed clients and business associates that Schinder Law Firm is prepared to assist your company to understand the impacts of the Personal Data Protection Law (PDPL) and take the required measures to comply with the law. Our Privacy, Data Protection, and Cybersecurity practice group is a pioneer in providing data privacy law services in Indonesia. Personal data protection services include but are not limited to:

  • Assessing the existing systems, processes, and controls, etc.
  • Providing gap assessment on the existing systems, processes, and controls, etc.
  • Developing and ensuring contracts and agreements comply with the PDP Law
  • Developing policies, best practices, and procedures
  • Advising on the security of personal data and managing data breaches
  • Acting as the Data Protection Officer (DPO) and advising upon the appointment, role, and responsibilities of a data protection officer
  • Advising on cross-border transfers of personal data
  • Carrying out data protection impact assessments and data protection audits
  • Recommending other necessary corrective actions in order to comply with the PDP Law
  • Training on the PDP Law tailored to clients’ businesses

We look forward to many more opportunities in the year ahead with your continued support and trust. For consultation, please send us a WhatsApp or Email.

Warmest regards,
Naz Schinder
Managing Partner
