The sanctions associated with Indonesia’s Personal Data Protection Law (UU PDP) will become fully enforceable on October 16, 2024.
President Joko Widodo signed into law UU No 27 Tahun 2022, also known as Indonesia’s Personal Data Protection Law (UU PDP), on October 17, 2022. This law requires every individual, public entity, and international organization processing the personal data of Indonesian citizens to comply with its provisions. Recognizing the need for adjustments, a two-year grace period has been established, ending on October 16, 2024. Prompt action is essential, as non-compliance may result in immediate penalties.
Essential Steps Toward Compliance
Businesses must take a series of critical measures to ensure compliance with the UU PDP, among others:
- Data Protection Policies: This includes reviewing existing contracts and managing international data transfers.
- Appointing a Data Protection Officer (DPO): Businesses must appoint a DPO to oversee data protection strategies and lead compliance efforts.
The legal sanctions under Indonesia’s Personal Data Protection Law (UU PDP) are multi-faceted and can be significantly impactful. They consist of four main types:
- Administrative sanctions as per Article 57 of the UU PDP, which include written warnings;
- Temporary cessation of personal data processing activities;
- Deletion or destruction of personal data; and/or
- Administrative fines of up to two percent of the annual revenue or income for the violating party.
In more severe breaches, such as the falsification of personal data, individuals may face imprisonment for up to 6 years or fines up to IDR 60 billion. Those found buying or selling personal data could be sentenced to 5 years in prison or fined up to IDR50 billion. Corporations that violate this law may be subjected to additional criminal penalties, including the confiscation of profits and/or assets, the freezing of the whole or part of the corporate business operations, up to and including the dissolution of the corporation itself. These stringent penalties highlight the Indonesian government’s stern stance on personal data protection and the rigorous enforcement measures that are in place to deter violations.
Navigating the complexities of Indonesia’s Personal Data Protection landscape can be challenging and overwhelming for businesses. At the forefront of legal innovation, Schinder Law Firm has been instrumental in enhancing the privacy, data protection, and cybersecurity capabilities of numerous public and private entities across Indonesia. Our expert advisors are committed to protecting your operations and enhancing your digital reputation. For dedicated consultation and support in navigating these critical areas and beyond, contact us at info@schinderlawfirm.com.
Author: Naz Schinder