The Indonesian Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) has been effective as of its promulgation on 17 October 2022, with 2 (two) years transitional period. PDP Law responds to the need to protect individual rights in connection with the processing of personal data and aims to increase the effectiveness and reduce the overlapping and scattered provisions regarding personal data protection in several regulations. Not only does the PDP Law give Indonesian citizens more control over their personal data, but it also significantly streamlines the regulatory environment for business sectors.
-
Salient Points of PDP Law
-
Definition of Personal Data
Previously, regulations on personal data were contained in several laws and regulations. PDP Law brought a more specific and strict definition of ‘personal data’, which cleared up the broad and overlapped provisions as previously regulated in several laws and regulations. Referring to Article 1 paragraph (1) of the PDP Law, personal data are any information concerning a person that is “identified” or “identifiable” independently or combined with other information, either “directly” or “indirectly” through electronic or non-electronic systems.
The PDP Law generally regulates 2 (two) types of personal data, namely personal data that is specific and general in nature.
- General Data: Refers to data that may not have a significant impact on the relevant data owner during its processing, but can still be used to identify the data owner in question, e.g., full name, gender, religion, nationality, marital status and/or the combined data to identify a person.
- Specific data: Refers to data, where processing is likely to result in high risk or significantly affects the data owner, for instance, the processing may lead to the exclusion or discrimination against individuals. Types of data that fall within this criterion are health data, biometric data, genetics data, criminal convictions or offences, children’s data, financial data and/ or any data according to the prevailing laws and regulations.
From the criterion specified above, the processing of sensitive personal data is subjected to more stringent rules and conditions, whereas business actors can only process personal data under certain conditions, for instance, consent from the data owner has already been obtained to such processing and such processing is intended only for a specified and legitimate purpose.
Nonetheless, the PDP Law did not differentiate the provisions of rights, obligations and/or prohibitions between the protection of the general data and the protection of the specified data, which means both are considered and treated equally as personal data.
-
The Extra-Territorial Reach
The PDP Law shall apply to companies both within and outside the jurisdiction of Indonesia that involves the processing of Indonesian citizens’ personal data. Given the extra-territorial jurisdiction, the PDP Law shall still apply even if a company has no operational presence whatsoever in Indonesia. However, the aforementioned ground shall only apply to the extent if the processing activities (among others the acquisition and collection, filtering and analysis, storage, fixes and updates, display, announcement, transfer, dissemination or disclosure and/or deletion or destruction of the personal data) target Indonesian data subjects and/or have a legal consequence in Indonesia. Thus far, the territorial scope of PDP Law is rather broad and creates stringent rules for all business actors to be compliant.
-
Rights of Personal Data Owner
In order to protect individual rights in connection with the processing of personal data, the PDP Law provides clarity for the rights of the personal data owner upon their personal data, as follows:
- The right to obtain information regarding identity clarity, the basis of legal interest, the purpose of
requesting and using personal data, and accountability of requesting parties; - The right to complete, update and/or correct errors and/or inaccuracies;
- The right to access and obtain a copy;
- The right to sue and receive compensation for violations of the processing of personal data
- The right to end processing, delete and/or destroy;
- The right to withdraw consent to the processing;
- The right to object to a decision-making action that is based solely on automated processing;
- The right to delay or limit personal data processing;
- The right to obtain and/or use personal data from a personal data controller with the structure and/or format commonly used or readable by an electronic system; and
- The right to use and send personal data to other personal controllers.
Nonetheless, the rights of personal data owner(s) as referred to in point (v) to point (x) are excluded for:
- The interests of the national defence and security;
- The interests of law enforcement process;
- Public interest in the context of state administration;
- The interests of supervision of the sectors of financial services, monetary, payment system, and financial system stability carried out in the context of state administration; and/or
- the interests of statistics and scientific research.
- The right to obtain information regarding identity clarity, the basis of legal interest, the purpose of
-
Actors in Data Protection
PDP Law introduces 2 (two) main actors in regulating personal data protection in Indonesia, namely “Data Controller” and “Data Processor”, with the following definitions and characteristics:
- Data Controller: refers to every person, public agency, and international organization that acts individually or jointly in determining the purpose and exercising control over the processing of personal data. Additionally, the PDP Law permits data controller to transfer personal data to other data controller and/or data processor within or outside the jurisdiction of the Republic of Indonesia as long as data controller must carry out personal data protection as referred to in PDP Law.
- Data Processor: refers to every person, public agency, and international organization that acts individually or jointly to process personal data on behalf of the data controller. So, instead of processing the data for their own purposes, the data processor entity processes personal data on behalf of the data controller.
The PDP Law stipulates that the relationship between the data controller and data processor must be governed by a contract, which among other things defines the responsibilities, the type of processing and the personal data that is the subject of the contract. Accordingly, the data processor must not exceed their contractual parameters.
-
Cross-Borders Data Transfer
According to Article 56 of PDP Law, it is permissible for the data controller to transfer personal data to another data controller and/or data processor outside the territory of Indonesia. However, such cross-border transfers can only be permitted if the transferring data controller is able to ensure the following conditions:
- the data controller outside Indonesia’s jurisdiction that receives the data has an equal or higher
level of personal data protection. - in the absence of point (i), ensure that personal data protection is adequate and binding.
- in the absence of point (i) and point (ii), the data controller must seek approval from the data owner prior transferring the data controller outside Indonesia’s jurisdiction.
Kindly note that the said conditions hereof will be regulated under the upcoming government regulation.
- the data controller outside Indonesia’s jurisdiction that receives the data has an equal or higher
-
-
PDP Law for Business Actors
Specifically for business actors, the enactment of the PDP Law also affects how companies adapt and ensure their businesses are compliant with the PDP Law. Hence, we have summarized the numerous obligations for business actors, which are as follows:
-
Providing Transparent Information
Business actors must provide data with information on who is processing what and why. At a minimum, the companies must clearly state:
- the legality;
- the purpose;
- the type and relevance;
- how long the data is being stored;
- details regarding the information collected;
- period of the processing; and
- rights of the data owner.
It is also worth mentioning that the privacy information is subject to frequent updates in the event of any changes to the above.
-
Appointing a DPO
Business actors who act as a data controller and/or data processor are required to appoint a data protection officer (“DPO”). DPO is responsible for monitoring the business actors’ compliance with the PDP Law. Such appointment shall be based on professionalism, knowledge of the law, personal data protection practice and ability to fulfill their duties.
DPO’s core task is to inform and advise the business actors about their obligation relating to the protection of personal data. This obligation shall only be applicable in the event that the purpose of processing is for the benefit of public-services, the main operations of the data controller have the nature, scope, purposes that require regular and systematic monitoring and/or consist of the personal data processing of a large scale personal data.
-
Designing Preventive Measure
Business actors must prevent personal data from being accessed illegally. This shall be carried out by using a security system for the processing of personal data. This helps to ensure that a company takes data protection into account and must take all necessary technical and organizational steps to protect the data of data owner.
-
Data Breach Notification
PDP Law imposes a stricker responsibility for data breach notification compared with the previos provision as stipulated under the Ministry of Communication and Informatics Number 20 of 2016 regarding Personal Data Protection in Electronic Systems, in whicj business actor must give a written notice to the data owner by no later than 14 (fourteen) days after the failure to protect the personal data is discovered.
However, according to the PDP Law, the business actors must provide written notification in the event that the business actors fail to protect the personal data of the data owner, by no later than 3 (three) days to the data owner and the agency. In this case, the data breach written notification shall at least contain:
- the disclosed personal data;
- when and how the personal data are disclosed; and
- efforts to handle and recover from the disclosure of personal data by the personal data controller.
-
Notifying Data Owner in Event of Corporate Action
In the event of corporate actions, namely merger, acquisition, spin-off, consolidation or dissolution, the business actors must notify the relevant data owner of resultant data transfers. This notification shall be given before and after it has been undertaken.
-
Respond to Data Owner’s Request Upon Withdrawal or Deletion
The PDP Law enshrined that for the data owner to exercise their rights, the companies should respond to this request without undue delay and, in any case, within 3 x 24 hours when the personal data controller receives the request for a delay and limitation of the personal data processing.
-
Prohibitions
Lastly, it is worth noting that according to Article 65 and 66 of PDP Law, the PDP Law strictly prohibits every person to:
- unlawfully obtaining or collecting personal data that does not belong to such Person with the intention of benefiting themselves or another person which may result in the loss for the data owner.
- unlawfully disclosing personal data that does not belong to themselves.
- use personal data that does not belong to such Person in a manner that contravenes the law.
- create a false personal data or fake personal data with the intention of benefiting themselves or other persons that may cause harm to other persons.
Further, any violation to the PDP Law shall subject to an imprisonment sanction. In this case, should the crimes conducted by corporation, the sentence may be imposed on the management, controller, commanding officer, beneficial owner and/or corporation. Although the only sentence that may be imposed on corporation is fines up to 10 (ten) times of the maximum sentence impose, however, corporation may also be imposed on additional sentences in the form of:
- confiscation of profits and/or assets obtained or proceeds from crimes;
- suspension of the entire or part of the Corporation’s business;
- permanent prohibition of doing certain actions;
- shutdown of the entire or part of the Corporation’s place of business and/or activities;
- fulfill the obligations that have been neglected;
- payment of compensation;
- revocation of license; and/or
- dissolution of the Corporation.
-
Remarks
Following the issuance of the PDP Law, it is indispensable to highlight some of the key features promulgated by the PDP Law. All business actors must carefully evaluate what actions must be taken to permit the use of the acquired data and to ensure such use adheres to all applicable laws. In regard to this, it is advisable for the business actors to pinpoint what actions to take and processes related to the collection, storage and distribution of personal data to be fully PDP Law compliant, including but not limited to within Business-to-Business and Business-to-Customer contracts, sales, and direct marketing, as well as human resources or employment sector.
Given the ever-changing nature of data privacy laws, it is ideal to consult with privacy counsel at each stage of a transaction in order to adequately manage these along with other associated risks. This issue become highly important since a management, controller, commanding officer, beneficial owner and/or corporation that fails to comply with the PDP Law may be subject to a sanction in the form of a fine up to 10 (ten) times of the maximum fine, as well as additional criminal sanctions.
Author: Narada Kumara, Yohanes Tamba, Hafid Triadmaja Syahputra, & Syifa Salsabila
In the upcoming client update, we will strive to address these developments as well as the most recent developments from the PDP Law. If you would like to discuss this with us, please contact us by email at info@tnklaw.id or phone at (021) – 2528636.
