Indonesia PDPL: Everything You Must Know
Do you have business interests in Indonesia? Or collect its residents' data for commercial purposes? If so, you must comply with the Indonesia Personal Data Protection Law (“PDP Law”).
Like many data protection laws, Indonesia's PDP Law works to protect the privacy rights of its residents. To do this, the law places several obligations on businesses that handle Indonesians' personal data.
This guide unpacks everything you need to know about Indonesia’s PDP Law, including what it entails, who it applies to, how you can comply, and the potential penalties if you don’t.
Let’s dive in!
Key Takeaways
- Indonesia’s PDP Law is the country's national data privacy law. It grants Indonesians several rights over their personal data and requires businesses to maintain specific data protection standards.
- If your business handles the personal data of Indonesians, compliance with the PDP Law is a must. Your duties include (but aren’t limited to) getting valid consent when necessary, reporting data breaches promptly, and implementing adequate data security safeguards.
- Non-compliance with Indonesia’s PDP Law invites monetary fines, civil lawsuits, and criminal charges of up to 5 years in prison.
What is Indonesia’s PDP Law?
The Personal Data Protection Law (PDPL) is landmark legislation that protects people’s fundamental right to privacy in Indonesia. It’s officially known as Law No. 27 of 2022 on the Protection of Personal Data.
Before the PDPL, Indonesia had a patchwork system with over 30 different laws addressing specific aspects of its data protection. Together, these were called the “PDP Regulations.”
The PDP Law harmonizes these scattered regulations into a single data protection framework. It regulates how businesses (i.e., data controllers and processors) collect, analyze, store, transfer, and delete personal data within and beyond Indonesia's borders.
The PDPL was born out of a growing concern about the volume of personal data being handled in Indonesia and the security threats it poses.
Case in point, Indonesia suffered the highest number of ransomware attacks among South-Asian countries in 2021 and faced about 11 million cyber attacks in the first quarter of 2022. The need for a comprehensive data protection law became all too glaring.
In short, Indonesia’s PDP Law:
- Gives Indonesians greater control over their data
- Builds trust in the digital economy to attract domestic and international investment
- Aligns Indonesia's data protection with international standards like the EU's General Data Protection Regulation (GDPR)
While formally enacted in October 2022, the PDPL provides a two-year grace period for businesses to comply with its provisions. This grace period therefore ends in October 2024.
What Type of Data Does the PDP Law Protect?
Like many other laws, Indonesia's PDP Law distinguishes between standard personal data and a more delicate category (typically called Sensitive Personal Information).
In particular, Indonesia’s law classifies data into the following:
- Personal data: Any information that directly or indirectly identifies a natural person. Typical examples include names, phone numbers, email addresses, online identifiers, etc.
- Specific personal data: A sub-category of personal data considered particularly sensitive and requiring more stringent protection. Examples include (but aren’t limited to) children’s data, biometrics, criminal records, personal financial information, and health data.
Scope of Indonesia’s PDP Law
The PDPL casts a wide net, covering any entity processing personal data that meets one of these criteria:
- Legal Consequences in Indonesia: If your data processing activities have legal ramifications within Indonesia, you fall under the scope of the PDP Law.
- Impact on Indonesian Citizens: Even if you operate outside Indonesia, the PDP Law applies if your data processing affects Indonesian citizens, whether they're within or outside the country.
Exemptions to Indonesia’s PDP Law
Despite its comprehensive scope, the PDP Law exempts specific data processing activities from its coverage when such activities involve any of the following:
- Law enforcement
- The financial services industry
- National defense or security interests
- Public interests in the context of state administration
- Personal or household activities (non-commercial purposes)
Data Subject Rights Under Indonesia’s PDP Law
Like other modern privacy laws, Indonesia’s PDP Law gives consumers several rights over their personal data. In other words, businesses must have systems in place to help data subjects exercise these rights upon request.
Note: Each right comes with nuances and potential limitations.
Briefly, the nine data subject rights under Indonesia’s PDP Law are as follows:
Right to Obtain Information
Data subjects have the right to know what personal data you hold about them, its purpose, and the third parties you share it with. Be prepared to provide clear and concise explanations upon request.
Right to Access and Copy
Data subjects can request a free copy of the personal data you hold about them. As such, your systems should provide easy access to customer data (typically through online dashboards or user portals) where possible.
Right to Rectification
Data subjects can ask that you correct any inaccurate or incomplete details in the data you hold about them. You’ll, therefore, need an efficient process for promptly handling correction requests.
Right to Deletion
Like many other data laws, Indonesia’s PDP Law gives data subjects the right to request the deletion of their personal data.
Naturally, there are exemptions for cases like legal obligations or legitimate business interests. So, you’ll need to evaluate each request carefully and explain any limitations clearly.
Right to Delay/Restrict Processing
Data subjects can request that you temporarily restrict or suspend processing their data. You'll need to assess these requests case-by-case and implement controls to manage restricted data effectively.
Right to Withdraw Consent
Data subjects can withdraw their consent for data processing at any time. This means your systems need to seamlessly handle consent withdrawal (also known as opt-out) and update relevant data usage accordingly.
Right to Object to Decision-Making
Indonesia’s law also allows data subjects to object to automated decision-making (e.g., profiling) that significantly affects them. In other words, you should consider providing alternative mechanisms for human input or manual review options.
Right to Data Portability
Data subjects can request their personal data in a readily portable format to transfer it to another controller. Develop technical solutions and clear procedures to facilitate data portability requests.
Right to Sue and Seek Compensation
Finally, data subjects have the right to file legal complaints and seek compensation for damages resulting from violations of their rights. Prioritize data security and compliance to minimize exposure to such risks.
Compliance Checklist for Indonesia’s PDP Law
If your business is already GDPR-compliant, navigating Indonesia's PDP Law shouldn’t be too difficult since it was modeled after the GDPR.
To help you get started, we've compiled the most important requirements into a checklist below:
Identify a lawful basis for processing
Like the GDPR, Indonesia’s PDP Law requires businesses to identify a lawful basis before every data processing activity they undertake. In other words, you need a valid reason to justify processing consumers' data.
Under the law, there are seven legal bases:
- Consent
- Legitimate interests
- Fulfillment of contractual obligations
- Compliance with legal obligations
- Protection of vital interests
- Exercise of authority
- Fulfillment of an obligation in the public interest
Respond swiftly to Data Subject Access Requests (DSARs)
When a data subject tries to exercise their rights (verbally or in writing), it’s known as a Data Subject Access Request (DSAR). Under Indonesia’s PDP Law, you have 72 hours to respond to these requests.
There are, of course, exceptions, such as when requests are complex or other permissible exceptions apply. If you deny a DSAR, the law requires that you clearly communicate your reasons to data subjects.
Obtain valid consent when necessary
Consent standards under Indonesia's PDP Law are quite strict — much like the GDPR's. If you rely on the lawful basis of consent, your consent request must be "valid."
Valid consent under the PDP Law must be:
- Clear and Accessible: Provide easily understandable information about the purpose of data collection, legal basis, and your use of the data.
- Explicit and Informed: Data subjects must fully understand the implications of consent. Avoid pre-checked boxes and vague language.
- Specific and Purpose-driven: Consent must be specific to a single purpose (e.g., sending promotional emails or creating an account). Blanket consent for multiple activities is invalid.
- Documented: Maintain clear records of how and when you obtained valid consent.
Note that consent for minors and people with disabilities must be obtained from their parents or legal guardians.
Conduct Data Protection Impact Assessments (DPIAs)
If your data processing activities may pose a significant risk to data subjects, Indonesia’s PDP Law requires you to conduct a Data Protection Impact Assessment (DPIA).
Examples of high-risk activities include but aren’t limited to the following:
- Processing specific personal data
- Using new technologies to process data
- Processing personal data on a large scale
- Automated decision-making that legally or significantly affects data subjects
It’s worth noting that more guidance on DPIAs will be provided in other regulations to come.
Maintain adequate security safeguards
Not surprisingly, you’ll need robust technical and organizational security measures to protect personal data under Indonesia’s PDP Law. As with most laws, your security level should reflect how risky your data processing activities are.
While the PDP Law doesn’t offer specific safeguards, the following are examples of effective measures:
- Data encryption
- Access controls
- Frequent cybersecurity audits
- Crisis management action plans
- Privacy awareness training for employees
Abide by the data protection principles
Like the GDPR, Indonesia’s PDP Law sets out several data protection principles by which all businesses must abide.
Briefly, these principles are as follows:
- Process data in a limited, lawful, specific, and transparent way
- Only process personal data in line with your established purposes
- Ensure the personal data you hold is accurate, complete, and consistent
- Use technical safeguards to make data confidential and secure
- Practice accountability by recording your data processing activities
Notify promptly about data breaches
When a data breach occurs, Indonesia’s PDP Law requires you to promptly notify affected data subjects and the data protection authority within 72 hours.
Your breach notifications must include the following details:
- How the breach took place
- Types of personal data affected
- What steps you've taken to lessen the breach’s effects
In some cases, you may have to notify the general public about the data breach.
Appoint a Data Protection Officer (DPO)
A DPO is an independent privacy consultant who primarily oversees compliance with data privacy laws. They also provide useful advice and act as your primary point of contact with regulatory authorities.
Unlike the GDPR, the PDP Law's threshold for appointing a DPO is quite limited. It only requires a DPO if all of the following are true:
- You process data in the interest of public services
- Your core activities involve regular and systematic monitoring of large-scale personal data
- Your core activities involve handling substantial amounts of specific personal data or data relating to criminal offenses
If your business doesn't fall under this threshold, you may still wish to appoint a DPO (or similar compliance solutions) to ensure top-tier data protection standards.
Ensure adequate protection for cross-border transfers
Like the GDPR, Indonesia’s PDP Law sets out specific requirements for cross-border data transfers.
According to the law, data transfers out of Indonesia may only proceed if the receiving country’s data protection framework is equal to or higher than that of the PDP Law.
If the receiving country's data protection isn’t up to par, you’ll need to ensure that the transferred data receives “adequate and binding” protection.
The PDP Law doesn't specify how you can achieve this. Instead, it explains that the specifics will be addressed in a separate regulation.
Penalties for Non-Compliance with Indonesia’s PDP Law
Like the GDPR, Indonesia's PDP Law sets out tiered penalties for non-compliance with its provisions. This means the exact penalties will vary depending on the seriousness of the offense.
Indonesia’s data protection authority will issue more guidance over time to clarify fine structures and dispute procedures.
That said, here's a breakdown of the potential penalties:
- Administrative Sanctions:
  - Written warnings
  - Temporary suspension of data processing activities
  - Forced deletion of personal data
  - Fines of up to 2% of annual revenue
- Civil Liability:
  - Lawsuits and compensation for damages caused by data processing practices
- Corporate Accountability:
  - Managers and officers could be personally fined or incarcerated
  - Profit or asset seizure, license revocation, business dissolution, or a permanent ban on specific operations
- Criminal Liability:
  - Up to five years in prison and/or a fine of 5 billion rupiah for unlawful data collection or use
  - Up to four years in prison and/or a fine of 4 billion rupiah for unauthorized data disclosure
  - Up to six years in prison, a fine of 6 billion rupiah, and asset confiscation for intentional creation of false data
How Can Captain Compliance Help?
Indonesia’s PDP Law borrows many of its provisions from the GDPR, one of the strictest data privacy laws. In other words, compliance with the PDP Law is complex and demanding.
To effectively navigate Indonesia’s data privacy framework, it's a smart move to outsource your compliance to dedicated professionals. And that's where Captain Compliance comes in.
We understand how challenging compliance can be, so our mission is to simplify this process and take the burden off your hands.
With Captain Compliance, you can rest easy knowing that your business is well-equipped to meet its data privacy obligations.
Ready to achieve compliance success with Indonesia’s PDP Law? Get in touch today!
FAQs
Can the PDP Law apply to my business, even if it’s based outside Indonesia?
Yes, if you process the personal data of Indonesians, the PDP Law applies regardless of your location. This includes whether you target Indonesian users online, process data related to contracts or legal obligations in Indonesia, or store data on Indonesian servers.
What types of data does Indonesia’s PDP Law protect?
Indonesia’s PDP Law covers both "personal data" (e.g., names, phone numbers, and addresses) and "specific personal data" (e.g., criminal records, health data, and biometric information). The latter requires stricter protection measures.
How can I comply with Indonesia’s PDP Law?
Compliance with Indonesia’s PDP Law requires paying special attention to the following requirements:
- Identify a lawful basis for data processing
- Obtain explicit and informed consent when necessary
- Set up and maintain adequate data security measures
- Respond appropriately to Data Subject Access Requests (DSARs)
- Process personal data in line with Indonesia’s data protection principles
- Notify affected consumers and the data protection authority when a data breach occurs
What are the penalties for non-compliance with Indonesia’s PDP Law?
Non-compliance with Indonesia’s PDP Law may result in up to 5 years of imprisonment for responsible businesses and individuals. Financial, civil, and administrative penalties may also be levied on violators.