Indonesia’s Personal Data Protection Law Finally Enacted

After discussion of the draft bill that began in 2016, the Indonesian House of Representatives has passed the draft bill on Personal Data Protection (“Personal Data Protection Law”) as the regulatory framework for personal data, i.e. data about a person who is identified or can be identified, separately or in combination with other information, either directly or indirectly, through electronic or non-electronic systems (“Personal Data”).
Previously, the Indonesian laws and regulations on data protection were limited to, among others, Ministry of Communication and Informatics Regulation No. 20 of 2016 on The Protection of Personal Data in Electronic Systems, Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions and Government Regulation No. 80 of 2019 on Trading through Electronic Systems.
The Data Protection Law categorizes personal data as either:
(i) General personal data – the basic information about a Personal Data Subject, i.e. his/her name, gender, nationality, religion and the combined personal data which identifies a person;
(ii) Specific personal data – this data includes a person’s health data and information, biometric data, genetic data, sexual orientation, political view, criminal record, children’s data, private financial data and other data defined as personal data under the prevailing laws and regulations.
The key provisions of the Personal Data Protection Law are explained in the table below:
I. The Key Provisions of the Personal Data Protection Law
The Rights of a Personal Data Subject
A natural person, to whom Personal Data is attached and who is referred to as a “Personal Data Subject”, has the following rights regarding his/her Personal Data:
(1) the right to receive information about the clarity of the identity, legal interest basis and purpose for which his/her Personal Data is requested and will be used, and the accountability of the party requesting the Personal Data;
A Personal Data Subject can exercise the rights in (2) – (7) above by submitting a written demand application.
The Processing of Personal Data
The processing of personal data includes the collection, analysis, storage, correction/updating, displaying, publication/announcement, transfer, transmission, disclosure, deletion and removal of data.
The Principles of the Processing of Personal Data are the following:
(a) the collection of Personal Data must be limited and specific, legally valid, and transparent;
The Obligations of the Controller regarding the Processing of Personal Data
The Personal Data Controller has the following obligations regarding the processing of Personal Data, among others:
(a) to inform the Personal Data Subject of the purpose and legality of the data processing, his/her rights, the details of the information collected, the types and relevance of the data processed and the processing and retention periods and must inform the Personal Data Subject of any change to the information;
The Obligations of the Processor in the Processing of Personal Data
A Personal Data Controller may appoint a person or entity to process Personal Data on behalf of the Personal Data Controller, referred to as a “Personal Data Processor”. A Personal Data Processor has the following obligations in processing Personal Data:
(a) to obtain approval from the Personal Data Controller to process the Personal Data; if the Personal Data Processor does not process the Personal Data according to the instructions and for the determined purpose, the Personal Data Processor will take responsibility for it;
The Personal Data is processed under instructions and orders from a Personal Data Controller, and therefore, liability during its processing lies with the Personal Data Controller. However, if a Personal Data Processor processes personal data in a way contrary to the determined purpose or not covered by the personal data controller’s instructions, the Personal Data Processor will be held liable for the personal data processing.
The Appointment of a Data Protection Officer
A Personal Data Controller and Personal Data Processor must also appoint a data protection officer responsible for the protection of Personal Data (“Data Protection Officer”). The Data Protection Officer’s duties are the following:
(a) to inform and give advice to the Personal Data Controller or Personal Data Processor regarding compliance with the law;
The Cross Border Transfer of Personal Data
A Personal Data Controller may transfer Personal Data to another Personal Data Controller in another jurisdiction outside of Indonesia. However:
(a) the foreign country must have an equal or higher level of protection compared to Indonesia; or
the Use of Personal
No one may do any of the following:
(a) obtain or collect Personal Data that is not his/her own for a personal benefit that may result in a loss for the Personal Data Subject;
If any person or company commits any of the above violations, he/she may be sentenced to prison for up to 5 years and/or fined up to IDR 6 billion if he/she is a natural person or up to IDR 60 billion if a company. The company may also have its business activities suspended and its property seized and sold at auction to pay the fine if it cannot pay it.
The Personal Data Protection Law will come into force upon its ratification by the President or 30 days after the draft bill was passed by the House of Representatives and the President. Personal Data Controllers, Personal Data Processors and other related parties have been given 2 years to adjust and comply with the provisions on the processing of Personal Data.
The Indonesian Government will also issue implementing regulations, among others on the processing of Personal Data, the procedure for a violation of the Personal Data processing requirements, transfers of Personal Data etc.