
Aug 14

The Impact of the European Union’s General Data Protection Regulation on Indonesian Companies

The European Parliament and the Council of the European Union enacted Regulation 2016/679 on 25 May 2018, known as the General Data Protection Regulation (“GDPR”). The GDPR provides a set of standardized data protection laws, which are intended to make it easier for consumers worldwide to understand how their data is being used.

GDPR has extra-territorial application outside European Union (“EU”) member states, and therefore affects the data processing activities of controllers in other countries, including Indonesia, where goods and services are being offered to individuals in the EU, and where their behavior may be monitored as a result. In this way, GDPR can be applicable to an Indonesian company if that company has a presence in EU territory and engages in business through digital platforms with EU customers or users, or tracks and analyzes the behavior data of EU individuals who are active online. Often, this monitoring and analysis is used to predict personal preferences, behaviors, and attitudes.

GDPR applies to personal data, both automated personal data and personal data held in manual filing systems that are accessible according to specific criteria. 1 GDPR classifies sensitive personal data as “special categories of personal data”. 2

The GDPR also recognizes that children deserve special protection of their personal data: consent for processing the data of children must be given or authorized by the holder of parental responsibility over the child. Accordingly, a company which provides or offers services directly to children must ensure that its privacy notice is written in a clear and simplified way which makes it digestible for children. Furthermore, consent under GDPR must be a freely-given, specific, informed, and unambiguous indication of the individual’s wishes. Consent shall also be separated from other terms and conditions, and be provided in a way that allows withdrawal of consent to be a simple process.

GDPR has also established new rights for individuals, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right related to automated decision making and profiling. The GDPR also includes provisions that promote accountability and governance, imposing more policies and procedures on companies.

Unfortunately, the issuance of this article does not make clear how the GDPR will be enforced in Indonesia. Currently, data protection in Indonesia is regulated by the Regulation of Minister of Communication and Information No. 20 of 2016 (“MOC Regulation 20/2016”), which concerns Data Privacy Protection and Electronic Systems. However, the scope of MOC Regulation 20/2016 is limited to electronic communication, and there is no provision regarding the recognition and enforcement of international or foreign data protection laws.

Indonesia and the EU are currently negotiating a Comprehensive Economic Partnership Agreement (“CEPA”), which should help to clarify the issues on enforcement of GDPR in Indonesia when signed and ratified.

Furthermore, the Indonesian legislature, Dewan Perwakilan Rakyat, is planning to pass a Personal Data Protection Bill this year. Its draft suggests that Indonesia will adopt a similar approach to the EU for personal data protection.

One of Schinder Law Firm’s key practice areas is cyber law and personal data protection law. Our Senior Advisor Professor Abu Bakar Munir is a renowned international expert in the subject and our team of lawyers have extensive experience in advising technology companies. We also host trainings and workshops on personal data protection law.

Contact us if you need legal assistance on any matter related to personal data protection.

_______________________________________
1 Article 4 (1) of GDPR.
2 Based on Article 9 and Recitals (51) to (56) of GDPR, the special categories of personal data that may be deemed sensitive and are protected under GDPR are data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health, and sex life or sexual orientation.

About the author:

 

Akbar Muhammad Zainuri, S.H., M.H.

Akbar received his Sarjana Hukum (LLB) in 2012 from Universitas Trisakti. Subsequently, he earned his Magister Hukum (LLM) in transnational law in 2014. While at university, Akbar was actively involved in the Student Executive Body, where he served as Vice Head of the Foreign Affair Department.


Dear valued Visitor,

Data is a valuable currency in this new world. In the midst of digital transformation, the Indonesian government has taken the final decision to pass the Pelindungan Data Pribadi (PDP) Bill by September 2022. The PDP Law applies to all businesses established in Indonesia and puts the consumer in control. The task of complying with this regulation falls upon businesses.

The PDP Law affects a variety of business operations, including how your sales team prospects and how marketing initiatives are managed. Businesses have had to reassess their business procedures, applications, and forms. Additionally, all businesses that work with personal data should designate a Data Protection Officer (DPO) or data controller to oversee PDP compliance.

In line with this spirit, it gives us great pleasure to announce and share with all our esteemed clients and business associates that Schinder Law Firm is prepared to assist your company to understand the impacts of the Personal Data Protection Law (PDPL) and take the required measures to comply with the law. Our Privacy, Data Protection, and Cybersecurity practice group is a pioneer in providing data privacy law services in Indonesia. Personal data protection services include but are not limited to:

  • Assessing the existing systems, processes, and controls, etc.
  • Providing gap assessment on the existing systems, processes, and controls, etc.
  • Developing and ensuring contracts and agreements comply with the PDP Law
  • Developing policies, best practices, and procedures
  • Advising on the security of personal data and managing data breaches
  • Acting as the Data Protection Officer (DPO) and advising upon the appointment, role, and responsibilities of a data protection officer
  • Advising on cross-border transfers of personal data
  • Carrying out data protection impact assessments and data protection audits
  • Recommending other necessary corrective actions in order to comply with the PDP Law
  • Training on the PDP Law tailored to clients’ businesses

We look forward to many more opportunities in the year ahead with your continued support and trust. For consultation, please send us a WhatsApp or Email.

Warmest regards,
Naz Schinder
Managing Partner
