Data Protected - Indonesia

Contributed by Widyawan & Partners, an associated firm of Linklaters LLP and Allens 

Last updated February 2024

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

Data protection in Indonesia is mainly regulated by Law No. 27 of 2022 on Personal Data Protection (“PDP Law”). The PDP Law is the first overarching regulation on data protection in Indonesia applicable to various sectors.

The other key laws and regulations are Law No. 11 of 2008 on Electronic Information and Transaction, as amended by Law No. 19 of 2016  and Law No. 1 of 2024("EIT Law") and its implementing regulations: (i) Government Regulation No. 71 of 2019 on Implementation of Electronic Systems and Transactions ("GR 71"); (ii) Menkominfo Regulation No. 20 of 2016 on Protection of Personal Data in Electronic Systems (“Reg 20”); and (iii) Menkominfo Regulation No. 5 of 2020 on Private Electronic System Operator (“Reg 5”), as amended by Menkominfo Regulation No. 10 of 2021.

There are also other industry-specific laws and regulations that regulate data protection, for example, the banking, telecommunications and health sectors. This summary does not address these industry-specific laws and regulations nor does it address laws regulating specific types of data other than personal data (such as laws regulating corporate and tax records) or regulating the collection, maintenance and use of personal data by government institutions.

Entry into force

The PDP Law took effect on 17 October 2022.

The EIT Law was enacted and came into full force on 21 April 2008. GR 71 was enacted and came into full force on 10 October 2019 and it revoked Government Regulation No. 82 of 2012 (“GR 82”). As an implementing regulation of GR 82, Reg 20 was enacted on 1 December 2016 and came into full force on 1 December 2018. Based on the Transitional Provisions of GR 71, the implementing regulation of GR 82 shall remain valid to the extent it does not contradict GR 71. Reg 20 therefore remains applicable, to the extent its particular provisions are in line with GR 71. Reg 5 was enacted on 16 November 2020 and it also serves as an implementing regulation of GR 71.

The Transitional Provisions of the PDP Law confirm that all laws and regulations concerning personal data protection shall remain valid, provided that the laws and regulations do not contradict with the PDP Law. The Indonesian Government is currently preparing a government regulation to further implement the PDP Law which is expected to be issued in mid 2024.

_____________________________________________________________________ Top

National Supervisory Authority

Details of the competent national supervisory authority

The data protections laws pertaining to data held electronically are mainly enforced by the Ministry of Communication and Information ("Menkominfo").

Jl. Medan Merdeka Barat No. 9
Jakarta 10110
Indonesia

https://kominfo.go.id/

The PDP law mandates the establishment of a government institution (stipulated by the President) to implement personal data protection (“Future Regulator”). This Future Regulator shall be responsible to the President. It is expected to set out policies and strategies for personal data protection and to monitor the implementation of personal data protection. However, this Future Regulator has not yet been established.

Notification or registration scheme and timing

Any electronic system operator must be registered with Menkominfo prior to the use of the electronic system by its users.

This obligatory registration also applies to any foreign electronic system operator which: (i) provides services within the territory of the Republic of Indonesia; (ii) conducts business in Indonesia; or (iii) operates an electronic system which is used and/or offered in Indonesia. The registration must be made to Menkominfo. Specifically for local private electronic system operators, (being the individual, business entity or community that operates an electronic system) under Reg 5, the registration with Menkominfo must be made through the Online Single Submission (“OSS”) system, as an integrated national business licensing platform operated by the OSS Authority, unless otherwise provided under the prevailing regulations.

Exemptions to notification

None.

_____________________________________________________________________ Top

Scope of Application

What is the territorial scope of application?

The PDP Law applies to any person (both individual and corporation), public entity and international organisation that conducts a “legal act” (this term is not defined) inside and outside Indonesia that has legal effect in Indonesia and/or outside Indonesia (if the personal data subject is Indonesian citizen). The PDP Law is not applicable to the processing of personal data by individuals in personal or household activities.

Similarly, the EIT Law applies to a "legal act" (this term is likewise not defined) of any person (whether an individual or legal entity) inside or outside the territory of the Republic of Indonesia, which has legal effect inside or outside the territory of the Republic of Indonesia and which is “detrimental to the interest of the Republic of Indonesia”. The law applies to legal acts performed not only in Indonesia or by Indonesian citizens, but also outside the jurisdiction of Indonesia by both Indonesian and foreign citizens or legal entities.

A legal act is “detrimental to the interest of the Republic of Indonesia” if, among other things, it is detrimental to the interests of the national economy, strategic data protection, the nation’s dignity and degree, state defence and security, sovereignty, citizens or Indonesian legal entities.

Is there a concept of a controller and a processor?

The PDP Law does introduce the concept of data controller and data processor. “Data controller” is any person, public entity or international organisation acting individually or collectively in determining the purpose and controlling the processing of personal data. The “data processor” is any person, public entity or international organisation acting individually or collectively in the processing of personal data under the name of the data controller.

A data controller is generally subject to more robust requirements. For example, having to demonstrate a legal basis for processing personal data.

The data processor conducts the data processing based on the instruction of the data controller within the responsibility of the data controller. Some obligations on data controllers under the PDP Law apply mutatis mutandis to the data processor.

GR 71 and Reg 20 also introduce the concept of an “electronic system operator” which is defined as any person that provides, manages or operates an electronic system.

Are both manual and electronic records subject to data protection legislation?

The PDP Law applies to all types of personal data both in electronic and non-electronic forms.

The EIT Law and its implementing regulations apply to data held electronically and, to certain extent, hard copy print outs of electronic data (e.g. use of hard copy print outs as an evidence in court proceeding).

Are there any national derogations?

The rights of the data subject protected under the PDP Law may be exempted for the interests of national defence and security, law enforcement, public interest in state administration, monitoring in financial services, monetary and payment system sectors and financial system stability in the context of state administration and statistics and scientific research, provided that such exemptions are conducted in the framework of implementing laws.

Under Reg 20 and Reg 5, the electronic system operator is obliged to make available any personal data stored in the electronic system for law enforcement purposes.

There are other exemptions provided under the industry specific regulations (e.g. banking, telecommunications and health sectors).

_____________________________________________________________________ Top

Personal Data

What is personal data?

The PDP Law defines personal data as data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system.

The PDP Law differentiates personal data into two main categories: (i) specific personal data (e.g. health information, criminal records, personal finance information, etc.); and (ii) general personal data (e.g. name nationality, religion, marital status, etc.). As a general proposition, both specific and general personal data subject to the same requirements under the PDP Law. However, specific personal data might be subject to certain additional requirements, among others the impact assessment on processing of specific personal data by the data controller.

Is information about legal entities personal data?

Now. However, to the extent that information about a legal entity contains any individual personal data (e.g. personal data of its director/commissioner), that will be subject to the PDP Law. 

What are the rules for processing personal data?

 The PDP Law requires personal data processing to be conducted in accordance with the following personal data protection principles: (i) the personal data collection must be limited and specific, legal and transparent; (ii) the processing must be in line with its objectives; (iii) the processing must ensure the rights of the data subject; (iv) the processing must be accurate, complete, not misleading, up to date and accountable; (v) the processing shall be carried out by protecting the security of personal data from an unauthorised access, unauthorised disclosure, unauthorised alteration, misuse, destruction, and/or loss of personal data; (vi) the processing shall be carried out by notifying the purpose and processing activities, as well as failure of personal data protection; (vii) the personal data must be destroyed and/or deleted after the lapse of the retention period or based on data subject’s request, unless determined otherwise by law; and (vii) the processing shall be carried out responsibly and can be clearly proven.

The PDP Law also requires a legal basis for processing personal data. Those legal bases are: (i) explicit consent of the data subject to the purpose(s) of the personal data processing disclosed to the data subject; (ii) fulfilment of a contractual obligation in favour of the data subject who is a party to an agreement or as requested by the data subject at the time of entering into an agreement; (iii) fulfilment of legal obligations of the data controller in accordance with applicable laws and regulations; (iv) fulfilment of the vital interest of the data subject; (v) implementation of duties for the purpose of public interest, public service and/or implementation of data controller’s authority pursuant to applicable laws and regulations; and/or (vi) fulfilment of another legitimate interest, in consideration of the purpose and interest of the data controller and the data subject’s rights.

Similarly, under the EIT Law and its implementing regulations, unless exempted under other applicable laws or regulations, the prior express consent of the data subject must be obtained in order to process their personal data in an electronic system. The entity collecting such personal data is required to explain the purpose of the data use, processing, transfer and disclosure in detail in the consent document, and can only use or process such personal data based on the scope consented by the data subject.

Are there any formalities to obtain consent to process personal data?

Based on the PDP Law, the consent that serves as the basis for personal data processing must be legal and explicit for one or several specific purposes that have been informed by a data controller to the data subject.

The consent shall be given in a written or recorded form (both having the same legal effect) and can be submitted electronically or non-electronically. Failure to comply with these requirements will lead the consent to be null and void by law.

Data subjects have the right to withdraw the consent to the processing of their personal data.

Are there any special rules when processing personal data about children?

In relation to personal data of a child (a person under the age of 18), the data processing must obtain prior express consent from a parent or legal guardian of such person.

Are there any special rules when processing personal data about employees?

To the extent such personal data fall within the scope of personal data under the PDP Law, GR 71, Reg 20 and Reg 5, the general rules on personal data processing under the PDP Law, GR 71, Reg 20 and Reg 5 shall apply.

_____________________________________________________________________ Top

Sensitive Personal Data

What is sensitive personal data?

The PDP Law contains the concept of specific personal data which are personal data, the processing of which may have a greater impact on the data subject (for example, discriminative actions and greater loss to the data subject).

Specific personal data cover medical, biometric, genetics, criminal record, child, personal finance data and/or other data in accordance with the laws and regulations. Where data is classified as specific personal data, the controller must conduct an assessment on the impact of the protection of such data.

Otherwise, the PDP Law and the EIT Law do not specifically distinguish between sensitive and non-sensitive personal data.

Are there additional rules for processing sensitive personal data?

See above.

Are there additional rules for processing information about criminal offences?

 

See above.

 

Are there any formalities to obtain consent to process sensitive personal data?

See above.

_____________________________________________________________________ Top

Data Protection Officers

When must a data protection officer be appointed?

A data controller or data processor must appoint a data protection officer if: (i) it handles personal data processing for the public interest; (ii) the core activity of data processing requires structured and systematic supervision over large volumes of data; and (iii) the core activity of data processing relates to processing of large volumes specific personal data and/or personal data relating to criminal activities. No thresholds are yet prescribed to determine what amounts to be considered as large-volume data processing in this context.

Additionally, under GR 71 that the electronic system operator must appoint a certified expert in the field of electronic systems and information technology.

What are the duties of a data protection officer?

Data protection officers are chiefly responsible for ensuring their appointing entity’s compliance with the applicable data protection laws and regulations. The data protection officer shall inform and give recommendation to data controller or data processor on the compliance with the PDP Law (and monitor and ensure the compliance).

The data protection officer shall also give advice on the assessment of impact of personal data protection and supervise the performance of the data controller and data processor. The data protection officer acts as contact person regarding any issues related to personal data processing.

_____________________________________________________________________ Top

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Under the PDP Law, one of the rights of the data subject is to obtain information regarding identity clarity, basis of legal interest, purpose of requesting and using personal data, and accountability of parties requesting the data. One of the personal data protection principles under the PDP Law is that the processing of personal data must be conducted in a manner that is accurate, complete, not misleading, up to date and accountable.

A data controller is responsible for the processing of personal data and must demonstrate compliance with the principles of personal data protection. A data controller must also assess the impact of high risk processing.

A data controller to notify any failure of personal data protection to the relevant data subject and the Future Regulator in writing (within 72 hours).

GR 71 and Reg 20 also impose an obligation on an electronic system operator to have an internal set of rules on data protection, to emphasise the importance of personal data protection to employees and carry out relevant training on the prevention of personal data protection failure.

Are privacy impact assessments mandatory?

 Where data is classified as specific personal data, the controller must conduct an assessment on the impact of the processing of such data.

_____________________________________________________________________ Top

Rights of Data Subjects

Privacy notices

The data subjects shall have the right to obtain information regarding the identity, basis of legal interest, purpose of requesting and using their personal data, and accountability of parties requesting the data.

Rights to access information

The data subjects shall have the right to access and obtain a copy of their personal data in accordance with the provisions of laws and regulations.

Based on the PDP Law, personal data subjects shall have the right to obtain and use their personal data from a data controller in a form that is in accordance with the structure and format commonly used or readable by an electronic system.

The data subjects shall also have the right to use and send their personal data to other data controllers, provided that the systems used can communicate with each other securely in accordance with the personal data protection principles under the PDP Law. This subject matter will be further regulated in a government regulation (which has not yet been issued).

Right to be forgotten

The PDP Law gives the data subjects the right to request processing of their personal data ceases and that data is deleted or destroyed. 

Under the EIT Law and GR 71, data subjects have the right to request that electronic system operators erase any irrelevant data relating to them. This right is subdivided into two separate rights: (i) the right to erasure (from the electronic system); and (ii) the right of delisting – which is the removal of personal data from search engine results.

The ‘irrelevant data’ that are subject to the right of erasure consist of personal data: (i) that are obtained and processed without consent; (ii) the consent for the use of which has been withdrawn; (iii) that are obtained and processed unlawfully; (iv) that are no longer in line with the purpose of its collection; (v) the use of which has exceeded the applicable period of use; or (vi) that are displayed by the electronic system operator and this inflicts losses to the data subjects. The obligation of the electronic system operator to erase the irrelevant data does not apply if the erasure is prohibited by the prevailing laws and regulations.

The irrelevant data that are subject to the right of delisting are not clearly defined. The delisting must be done based on court order which will be issued based on the application of the data subjects.

Objection to direct marketing

There are no specific provisions regarding the right to object to direct marketing. However, it is good practice to inform data subjects if their personal data will be used for direct marketing as part of the process of obtaining consent.

Other rights

The PDP Law also provides the following rights for the data subject: (i) the right to complete, update and correct errors and inaccuracies in their personal data in accordance with the purpose of the data processing; (ii) the right to object to a decision-making action that is based solely on automated processing, including profiling, which has legal consequences or a significant impact on the data subjects; and (iii) the right to postpone or limit the data processing proportionally in accordance with the purpose of the processing.

_____________________________________________________________________ Top

Security

Security requirements in order to protect personal data

Under the PDP Law, a data controller must protect and ensure the security of the personal data they process by: (i) preparing and implementing of operational technical measures to protect the data from disruption in the data processing; and (ii) determining the security level of the data by taking into account the nature and risks of the data that must be protected in the processing.

GR 71 imposes a general requirement on the electronic system operator to implement a security system to protect personal data and the electronic systems used must undergo a reliability test (either conducted independently or by the authorised institutions).

Specific rules governing processing by third party agents (processors)

The PDP Law does not impose a specific requirement for data controllers to have a processing contract with a data processor, nor specific any particular security requirements for that contract

GR 71 provides that in case the electronic system operator carries out its electronic system through an electronic agent, the obligations of the electronic system operator under GR 71 shall apply mutatis mutandis to the electronic agent.

Notice of breach laws

Under the PDP Law, a data controller must notify in writing (within 72 hours) any failure of personal data protection to the relevant data subject and the Future Regulator (and in certain circumstances, to the community – this is if the failure interrupts public service or has serious impact on public interests). The notification shall include at least information on: (i) the disclosed personal data; (ii) when and how the personal data are disclosed; and (iii) measures taken by the data controller to handle and recover the disclosure.

An electronic system operator is required under the EIT Law and its implementing regulations to notify data subject if the electronic system operator's security system has been breached.

Additionally, electronic system operator must also notify the relevant authority in case of a failure or interruption to the electronic system which has a serious impact on the electronic system itself, and which is caused by the action of other parties on the electronic system.

_____________________________________________________________________ Top

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Generally, the PDP Law allows a data controller to transfer personal data to another data controller or data processor outside of Indonesia, provided that the jurisdiction in which the personal data are received has at least an equivalent standard of personal data protection as provided under the PDP Law.

The PDP Law contemplates that further provisions on cross-border data transfers will be issued under an implementing regulation. The PDP Law also allows the Future Regulator to conduct assessments on cross border personal data transfers. It is expected that these matters will be clarified in the implementing regulations.

GR 71 allows private electronic system providers to manage, process and/or store electronic systems and electronic data in and/or outside Indonesia. If the management, processing and/or storage of the electronic systems and electronic data is conducted outside Indonesia, the private electronic system operator shall ensure the effective supervision by the relevant authorised ministries, government institutions and law enforcement. The private electronic system operator shall give access to its electronic system and electronic data within the framework of supervision and law enforcement according to the laws and regulations of Indonesia.

However, a public electronic system operator must manage, process and store electronic system and electronic data in Indonesia, unless the relevant storage technology is not available in Indonesia. The criteria for the unavailability of such storage technology shall be determined by a committee consisting of the relevant ministries and government institutions, including Menkominfo.

Notification and approval of national regulator (including notification of use of Model Contracts)

Under Reg 20, an electronic system operator must notify Menkominfo of its plan to transfer the personal data outside Indonesia before the transfer. After the transfer, the electronic system operator must submit a post-transfer report to Menkominfo, which must include details of the transfer.

The notification to Menkominfo does not need to be made for each instance of cross-border transfer, as it may include plans for several cross-border transfers in the future. It is the current policy of Menkominfo that despite the provision of GR 71 (which allows the management, processing and storage of the electronic system and electronic data outside Indonesia), the notification and reporting obligations do not contradict GR 71 and therefore, remain applicable.

Use of binding corporate rules

There is currently no ability to use binding corporate rules under the PDP Law, the EIT Law or any of its implementing regulations.

_____________________________________________________________________ Top

Enforcement

Fines

Violation of the PDP Law can be subject to various administrative sanctions and criminal sanctions.

The administrative sanctions can take the forms of written warning, suspension of data processing activities, data deletion or removal and administrative fines (at a maximum of 2% of the annual income or revenue). Administrative sanctions will be imposed by the Future Regulator.

Criminal fines can range from IDR 4 billion to IDR 6 billion (approximately €236,000 to €354,000).

Additional criminal sanctions may also be imposed in the form of confiscation of obtained profits and/or assets or proceeds from criminal acts, and compensation payments. If the criminal activity is committed by a corporation the sanctions might also consist of: (i) confiscation of profits and/or assets obtained or proceeds from the crimes; (ii) suspension of the entirety or part of the corporation’s business; (iii) permanent prohibition from conducting certain activity; (iv) closure of the entirety or part of the corporation’s place of business or activities; (v) fulfilment of the neglected obligations or payment of compensation; (vi) revocation of licence; and (vii) dissolution of the corporation.

In addition, if the criminal activity is committed by a corporation, the criminal sanctions (both in the form of criminal fines and imprisonment, see below) can be imposed on the management, controller, instructing party, beneficial owner and the corporation itself. 

Breaches of the EIT Law may lead to administrative and civil liability which include fines (ranging from IDR 600 million to IDR 12 billion (approximately €35,400 to €708,000).

Imprisonment

Criminal sanctions for breach of the PDP Law include four to six years’ imprisonment

Breaches of the EIT Law may lead to criminal sanctions for violations of privacy which include between one and 12 years’ imprisonment.

Compensation

Under the PDP Law, data subject shall have the right to sue and receive compensation for violations of the processing of their personal data. This will be further regulated in the implementing government regulation.

Data subjects have the right to compensation for contravention of their rights under the EIT Law and its implementing regulations. These laws entitle a data subject to claim damages for loss against any party which causes that loss.

In addition, compensation may be available under the Indonesian Civil Code. This is based on the general law of tort under the Indonesian Civil Code and allows an aggrieved data subject to claim damages for actual loss suffered by the data subject where that loss is caused by an unlawful act of a data controller, data processor or an electronic system operator. In this context, the term “unlawful act” is interpreted broadly, including not only violations of statutory law, but also violations of public morals or the duty of care owed to other persons' interests. There is no clear definition in Indonesian law on what violates “public morals” or “duty of care”. The meaning of these terms varies over time and in different places.

Other powers

Menkominfo may impose administrative sanctions such as a written warning and temporary suspension of activity to an electronic systems provider that breaches the provisions of GR 71, Reg 20 or Reg 5.

Practice

Other enforcement action: We are not aware of any significant court cases directly relating to the unlawful use or processing of personal data.

_____________________________________________________________________ Top

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific ePrivacy laws, and the PDP Law, the EIT Law and its implementing regulations do not contain provisions on direct marketing. However, any marketing materials distributed to consumers in Indonesia should be compliant with applicable Indonesian consumer protection laws (including the specific consumer protection provisions of the EIT Law and the general requirements under Law No. 8 of 1999 on Consumer Protection) and the sectoral regulations (if applicable), particularly the provision which prohibits business entrepreneur in any way to coerce the offering goods or services which may cause physical or psychological disturbance to consumer.

_____________________________________________________________________ Top

Cookies

Conditions for use of cookies

The use of cookies is not specifically regulated in Indonesia. To the extent that cookies contain personal data, the provision applicable to personal data (discussed above) will also apply.

Regulatory guidance on the use of cookies

There are no specific regulations regarding guidance on the use of cookies.

_____________________________________________________________________ Top

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Under the PDP Law and the EIT Law and its implementing regulations, personal data processing is only allowed with the prior consent of the data subject. In practice, senders of direct marketing by e-mail use the following process to comply with the EIT Laws: (i) send an email which identifies the sender and explains the purpose of the e-mail to the recipient; and (ii) stop sending direct marketing by e-mail to the recipient if the recipient does not reply to the first e-mail.

Conditions for direct marketing by e-mail to corporate subscribers

There are no specific provisions on the conditions for sending direct marketing by e-mail to corporate subscribers. However, the provisions applying to individuals described above also apply to corporate subscribers.

Exemptions and other issues

Not applicable.

_____________________________________________________________________ Top

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Under the PDP Law and the EIT Law and its implementing regulations, personal data processing is only allowed with the prior consent of the data subject. In practice, telephone marketers use the following process to comply with the EIT Laws: (i) place a call which identifies the caller and explains the purpose of the call to the recipient; and (ii) stop the call if the recipient does not wish to continue the call.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no specific provisions on the conditions for sending direct marketing by telephone to corporate subscribers. However, the provisions applying to individuals described above also apply to corporate subscribers.

Exemptions and other issues

Not applicable.

_____________________________________________________________________ Top