Indonesia’s Personal Data Protection Law Finally Enacted

Since the discussion of the draft bill in 2016, the Indonesian House of Representatives has passed the draft bill on Personal Data Protection (“Personal Data Protection Law”) as the regulatory framework for the personal data of a person who is identified or can be identified, separately or in combination with other information, either directly or indirectly, through electronic or non-electronic systems (“Personal Data”).

Previously, the Indonesian laws and regulations on data protection consisted only of, among others, Ministry of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems, Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, and Government Regulation No. 80 of 2019 on Trading through Electronic Systems.

The Personal Data Protection Law categorizes personal data as either:

(i) General personal data – the basic information about a Personal Data Subject, i.e. his/her name, gender, nationality, religion and the combined personal data which identifies a person;
(ii) Specific personal data – this data includes a person’s health data and information, biometric data, genetic data, sexual orientation, political view, criminal record, children’s data, private financial data and other data defined as personal data under the prevailing laws and regulations.

The key provisions of the Personal Data Protection Law are explained in the table below:

I. The Key Provisions of the Personal Data Protection Law

The Rights of a Personal Data Subject

A natural person to whom Personal Data is attached, referred to as a “Personal Data Subject”, has the following rights regarding his/her Personal Data:

(1) the right to receive clear information about the identity of the party requesting his/her Personal Data, the legal basis of that party’s interest, the purpose for which the Personal Data is requested and will be used, and the accountability of the requesting party;
(2) the right to complete, update and rectify any inaccuracy in his/her Personal Data;
(3) the right to access and receive a copy of his/her Personal Data;
(4) the right to discontinue the processing, to delete, and to destroy his/her Personal Data;
(5) the right to withdraw his/her consent to the processing of his/her Personal Data that has been given to a personal data controller;
(6) the right to submit an objection to an action that is solely based on automated processing, including profiling, which has legal consequences or has a significant impact on the Personal Data Subject;
(7) the right to defer or limit the processing of his/her Personal Data proportionally in accordance with the purpose of processing of Personal Data;
(8) the right to file a complaint and receive compensation for any breach of the confidentiality of his/her Personal Data;
(9) the right to receive and use his/her Personal Data from the Personal Data Controller in a form that conforms to the structure or format that is commonly used.

A Personal Data Subject can exercise the rights in (2) – (7) above by submitting a written request.

The Processing of Personal Data

The processing of Personal Data includes the collection, analysis, storage, correction/updating, display, publication/announcement, transfer, transmission, disclosure, deletion and removal of data.

The Principles of the Processing of Personal Data are the following:

(a) the collection of Personal Data must be limited and specific, legally valid, and transparent;
(b) the processing of Personal Data must be for the specified purpose;
(c) the processing of Personal Data must guarantee the rights of the Personal Data Subjects;
(d) the processing of Personal Data must be accurate, complete, not misleading, up to date, and accountable;
(e) the processing of Personal Data must protect the Personal Data against any unauthorized access, illegal disclosure, unauthorized alteration, misuse, destruction, and loss of the Personal Data;
(f) the Personal Data Subjects must be informed of the purpose of the Personal Data processing, as well as any failure to protect their Personal Data;
(g) Personal Data must be destroyed or deleted after the retention period ends or at the request of the Personal Data Subject, unless determined otherwise by the prevailing laws and regulations; and
(h) Personal Data must be processed responsibly and in a manner that can be clearly demonstrated.

The Obligations of the Controller regarding the Processing of Personal Data

The Personal Data Controller has the following obligations regarding the processing of Personal Data, among others:

(a) to inform the Personal Data Subject of the purpose and legal basis of the data processing, his/her rights, the details of the information collected, the types and relevance of the data processed, and the processing and retention periods, and to inform the Personal Data Subject of any change to this information;
(b) to obtain, and be able to show, the consent of the Personal Data Subject in written or recorded form, which may be given by electronic or non-electronic means;
(c) to process the Personal Data in a limited and specific, legal, and transparent manner;
(d) to maintain the accuracy, completeness and consistency of the Personal Data;
(e) to update and rectify any inaccuracy within 3 x 24 hours of receipt of a request to update or correct Personal Data;
(f) to record all the activities conducted during the data processing;
(g) to provide the Personal Data Subject access and the track record of the processing of his/her Personal Data within 3 x 24 hours of receipt of his/her request for access;
(h) to maintain the confidentiality of Personal Data;
(i) to supervise every party involved in the processing of the Personal Data;
(j) to protect and ensure the security of the processed Personal Data including against any unlawful processing of the Personal Data;
(k) to prevent any unlawful access to the Personal Data;
(l) to halt the processing of Personal Data within 3 x 24 hours of receipt of the Personal Data Subject’s withdrawal of consent;
(m) to delay or limit data processing within 3 x 24 hours of receipt of a delay/limit request from the Personal Data Subject;
(n) to halt the data processing upon the expiry of the retention period; when the purpose of the processing has been achieved; or at the request of the Personal Data Subject;
(o) to delete personal data if the personal data is no longer needed, the Personal Data Subject withdraws his/her consent, at the request of the Personal Data Subject, or if the Personal Data was obtained or processed unlawfully;
(p) to delete the Personal Data from its database if the Personal Data retention period has expired, at the request of the Personal Data Subject; if the Personal Data is not relevant to a legal proceeding; or if the Personal Data was obtained or processed unlawfully;
(q) in the event of a breach of the confidentiality of personal data, to inform the Personal Data Subject and Minister of Communication and Informatics in writing within 3 x 24 hours of the occurrence of the breach;
(r) to inform the Personal Data Subject of any deletion or destruction of his/her Personal Data; and
(s) to inform the Personal Data Subject of the transfer of his/her Personal Data in the event of a merger, acquisition, dissolution or consolidation of a Personal Data Controller that is a legal entity.

The Obligations of the Processor in the Processing of Personal Data

A Personal Data Controller may appoint a person or entity to process Personal Data on behalf of the Personal Data Controller, referred to as a “Personal Data Processor”. A Personal Data Processor has the following obligations in processing Personal Data:

(a) to obtain approval from the Personal Data Controller to process the Personal Data; if the Personal Data Processor does not process the Personal Data according to the Personal Data Controller’s instructions and for the determined purpose, the Personal Data Processor is responsible for that processing;
(b) to maintain the accuracy, completeness and consistency of the Personal Data;
(c) to record all the activities conducted during the data processing;
(d) to supervise every party involved in the processing of the Personal Data;
(e) to protect and ensure the security of the processed Personal Data including against any unlawful processing of the Personal Data;
(f) to maintain the confidentiality of the Personal Data; and
(g) to prevent any unlawful access to the Personal Data.

The Personal Data is processed under instructions and orders from a Personal Data Controller, and therefore, liability during its processing lies with the Personal Data Controller. However, if a Personal Data Processor processes personal data in a way contrary to the determined purpose or not covered by the personal data controller’s instructions, the Personal Data Processor will be held liable for the personal data processing.

The Appointment of a Data Protection Officer

A Personal Data Controller and Personal Data Processor must also appoint a data protection officer responsible for the protection of Personal Data (“Data Protection Officer”). The Data Protection Officer’s duties are the following:

(a) to inform and give advice to the Personal Data Controller or Personal Data Processor regarding compliance with the law;
(b) to monitor and ensure that the policies of the Personal Data Controller or Personal Data Processor comply with the law;
(c) to give advice on the impact of Personal Data protection and to monitor the performance of the Personal Data Controller and Personal Data Processor; and
(d) to coordinate and act as a contact person for issues related to the processing of personal data.

The Cross Border Transfer of Personal Data

A Personal Data Controller may transfer Personal Data to another Personal Data Controller in another jurisdiction outside of Indonesia. However:

(a) the foreign country must have a level of Personal Data protection equal to or higher than that of Indonesia; or
(b) if the foreign country’s law does not provide sufficient protection, the Personal Data Controller must ensure that the Personal Data protection is binding and meets the required standards; or
(c) if neither of the above criteria can be met, the Personal Data Controller must obtain the consent of the Personal Data Subject.
Please note that the Personal Data Protection Law does not cover any specific or standard provisions of agreements between Personal Data Controllers.

Prohibitions against the Use of Personal Data

No one may do any of the following:

(a) obtain or collect Personal Data that is not his/her own for a personal benefit that may result in a loss for the Personal Data Subject;
(b) disclose Personal Data that does not belong to him/her;
(c) use Personal Data that does not belong to him/her; or
(d) counterfeit Personal Data or falsify Personal Data for a personal benefit that may result in a loss for the Personal Data Subject.

If any person or company commits any of the above violations, he/she may be sentenced to prison for up to 5 years and/or fined up to IDR 6 billion if he/she is a natural person, or up to IDR 60 billion if a company. A company that cannot pay the fine may also have its business activities suspended and its property seized and sold at auction to pay the fine.

The Personal Data Protection Law will come into force upon its ratification by the President, or 30 days after the draft bill was passed by the House of Representatives and the President. Personal Data Controllers, Personal Data Processors and other related parties have been given 2 years to adjust to and comply with the provisions on the processing of Personal Data.

The Indonesian Government will also issue implementing regulations, among others on the processing of Personal Data, the procedure for handling violations of the Personal Data processing requirements, transfers of Personal Data, etc.