
Personal Data Protection

Introduction

The rapid development of information and communication technology has transformed the way individuals and organizations interact, process, and share information. While this technological progress has generated numerous opportunities, it has also introduced substantial challenges, particularly in ensuring the protection of personal data. In 2023, Indonesia faced a major data breach when sensitive information from the social security agency was leaked. Acknowledging personal data protection as a fundamental human right, the Government enacted Law 27 of 2022 on Personal Data Protection ("Law 27/2022"). Effective as of 17 October 2022, Law 27/2022 sets comprehensive regulations applicable to all personal data processing activities.

Law 27/2022 establishes a legal framework to protect Personal Data in all stages of processing in order to guarantee the constitutional rights of the Personal Data subject. Furthermore, Law 27/2022 applies to every person, public agency, and international organization processing Personal Data: (i) within the jurisdiction of the Republic of Indonesia; or (ii) outside the jurisdiction of the Republic of Indonesia, if their activities have legal consequences within the jurisdiction of the Republic of Indonesia or towards Indonesian citizens abroad.

To ensure a seamless transition for the stakeholders, Law 27/2022 provides a 2 (two)-year transitional period during which organizations are required to align their policies and systems with the provisions of Law 27/2022.

Types of Personal Data and Personal Data Processing

Law 27/2022 stipulates that Personal Data shall consist of: (i) specific Personal Data; and (ii) general Personal Data. Further, specific Personal Data shall include:

  • health data and information, referring to individual records or information relating to physical health, mental health, and/or health services;

  • biometric data, referring to data relating to the physical, physiological, or behavioral characteristics of an individual that allow unique identification of that individual, such as facial images or dactyloscopy data. Biometric data also describes the uniqueness and/or characteristics of a person that must be maintained and cared for, including but not limited to fingerprint records, eye retina, and DNA samples;

  • genetic data, referring to all data of any kind regarding the characteristics of an individual that are inherited or acquired during early prenatal development;

  • crime records, referring to a written record of a person who has committed an unlawful act or violated laws, or who is currently in the judicial process for the committed act, including police records and inclusion in the list of prevention or deterrence;

  • child data;

  • personal financial data, which shall include, but not be limited to, data on the amount of deposits in banks (including savings and time deposits) and credit card data; and/or

  • other data in accordance with provisions of laws and regulations.

Meanwhile, the general Personal Data shall include:

  • full name;

  • gender;

  • citizenship;

  • religion;

  • marital status; and/or

  • combined Personal Data to identify a person, among others, a cellular phone number and IP address.

Furthermore, Law 27/2022 stipulates that the processing of Personal Data includes several stages, from collecting to deleting the Personal Data. The specific stages of Personal Data processing are as follows:

  • acquisition and collection;

  • filtering and analysis;

  • storage;

  • fixes and updates;

  • display, announcement, transfer, dissemination or disclosure; and/or

  • deletion or destruction.

Personal Data processing as mentioned above shall be carried out in accordance with the Personal Data Protection principles, including:

Personal Data Protection Principles

Source: Law 27/2022.

In this regard, Personal Data processing may be carried out by 2 (two) or more Personal Data Controllers. In the event that Personal Data processing is carried out by 2 (two) or more Personal Data Controllers, there are several minimum requirements that must be met: (i) an agreement between the Personal Data Controllers that contains the roles, responsibilities, and relationship between the Personal Data Controllers; (ii) interrelated purposes and ways of Personal Data processing which are mutually determined; and lastly (iii) a jointly appointed contact person.

Stakeholders in Personal Data Protection

Law 27/2022 regulates the stakeholders involved in Personal Data Protection, as shown in the graph below:

Stakeholders in Personal Data Protection

Source: Law 27/2022.

  • Personal Data Subject

Personal Data Subject means an individual to whom Personal Data is attached.[1]  Personal Data Subject shall have the rights that must be protected, among others:

  1. end processing, delete, and/or destroy Personal Data regarding themselves in accordance with provisions of laws and regulations;

  2. withdraw the consent to the processing of Personal Data concerning themselves that has been given to the Personal Data Controller;

  3. object to a decision based solely on automated processing, including profiling, which has a legal impact concerning themselves or has a significant impact on the Personal Data Subject;

  4. postpone or restrict the processing of Personal Data in proportion to the purpose for which the Personal Data is processed;

  5. obtain and/or use Personal Data concerning themselves from a Personal Data Controller in a structured, commonly used and/or electronic system-readable format; and

  6. use and transmit Personal Data concerning themselves to another Personal Data Controller, to the extent the system used can mutually exchange communications securely within the principle of Personal Data Protection based on Law 27/2022.

Nevertheless, the rights of Personal Data Subject as mentioned above are excluded for the following purposes:


  1. the interest of national defense and security;

  2. the interest of law enforcement;

  3. the public interest in the scope of the administration of state;

  4. the interest of supervision of the financial sector, monetary sector, financial system, and financial system stability carried out within the scope of the administration of the state; or

  5. the purpose of statistical and scientific research.


In addition, the implementation of the rights of Personal Data Subject as stipulated in Law 27/2022 shall be submitted through a registered application that is submitted electronically or non-electronically to a Personal Data Controller.

  • Personal Data Controller

Personal Data Controller shall include (i) any Person, (ii) Public Agency, and (iii) International Organization. Further, a Personal Data Controller must have a basis for Personal Data processing, which shall include:


Personal Data Processing Basis

Source: Law 27/2022.

Further, approval for Personal Data processing shall be carried out through a written or recorded consent that may be given electronically or non-electronically. In the event that the approval contains other purposes, the request for approval must meet the following conditions:

  1. clearly distinguishable from other matters;

  2. be made in a comprehensible and easily accessible form; and

  3. use simple and clear language.


In processing Personal Data, the Personal Data Controller must show proof of consent given by a Personal Data Subject and process Personal Data in a limited and specific, lawful, and transparent manner.[3] Law 27/2022 also stipulates that the Personal Data Controller must carry out the Personal Data processing in accordance with the purpose of the Personal Data processing and record all Personal Data processing activities. The Personal Data Controller shall also ensure accuracy, completeness, and consistency of Personal Data in accordance with the laws and regulations.


In addition, the Personal Data Controller has the obligation to protect and ensure the security of the Personal Data that they process, by performing:


  1. preparation and implementation of operational technical measures to protect Personal Data from disruption in the Personal Data processing that is contrary to provisions of laws and regulations; and

  2. determination of the security level of Personal Data by taking into account the nature and risks of the Personal Data that must be protected in the Personal Data processing.

The Personal Data Controller must maintain the confidentiality of the Personal Data; therefore, the Personal Data Controller must supervise each party that is involved in the Personal Data processing under the control of the Personal Data Controller. In this regard, the Personal Data Controller must also protect the Personal Data from unauthorized processing and prevent it from being accessed illegally. Such prevention shall be carried out by using an electronic system in a reliable, secure, and responsible manner, in accordance with provisions of laws and regulations. In the event of a failure of Personal Data Protection, the Personal Data Controller must provide a written notification no later than 3 x 24 (three times twenty-four) hours to: (i) the Personal Data Subject; and (ii) the agency. In certain cases, the Personal Data Controller must also notify the public regarding the failure of Personal Data Protection.

Moreover, a Personal Data Controller in the form of a legal entity that performs a merger, spin-off, acquisition, consolidation, or dissolution of the legal entity must submit a notification of the transfer of Personal Data to the Personal Data Subject, which shall be made before and after the merger, spin-off, acquisition, consolidation, or dissolution of the legal entity. In the event that the Personal Data Controller in the form of a legal entity dissolves or is dissolved, the storage, transfer, deletion, or destruction of Personal Data shall be carried out in accordance with provisions of laws and regulations and shall be notified to the Personal Data Subject.

However, certain obligations of a Personal Data Controller that are stipulated in Law 27/2022 shall be exempted for:

  1. the interests of the national defense and security;

  2. the interests of law enforcement process;

  3. public interest in the context of state administration; or

  4. the interests of supervision of the sectors of financial services, monetary, payment system, and financial system stability carried out in the context of state administration.

  • Personal Data Processor

Personal Data Processor shall include: (i) any Person, (ii) Public Agency, and (iii) International Organization. The obligations of Personal Data Processor based on Law 27/2022 are as follows:


  1. in the event that a Personal Data Controller appoints a Personal Data Processor, the Personal Data Processor must process Personal Data based on the instructions of the Personal Data Controller, which shall be carried out in accordance with Law 27/2022 and included in the responsibility of the Personal Data Controller;

  2. the Personal Data Processor may involve another Personal Data Processor in Personal Data processing and must obtain written approval from the Personal Data Controller before involving other Personal Data Processors; and

  3. in the event that the Personal Data Processor performs the Personal Data processing outside of the orders and purposes set by the Personal Data Controller, the Personal Data processing shall be the responsibility of the Personal Data Processor.

Furthermore, there are certain obligations of the Personal Data Controller which also apply to the Personal Data Processor, as follows:


  1. the Personal Data Processor must ensure the accuracy, completeness, and consistency of Personal Data in accordance with provisions of laws and regulations;

  2. in ensuring the accuracy, completeness, and consistency of Personal Data, the Personal Data Processor must carry out a verification;

  3. the Personal Data Processor must record all Personal Data processing activities;

  4. the Personal Data Processor must protect and ensure the security of the Personal Data that they process;

  5. in conducting Personal Data processing, the Personal Data Processor must maintain the confidentiality of the Personal Data;

  6. the Personal Data Processor must supervise each party that is involved in the Personal Data processing;

  7. the Personal Data Processor must protect Personal Data from unauthorized processing; and

  8. the Personal Data Processor must prevent the Personal Data from being accessed illegally.

  • Officials or Officers Carrying Out Personal Data Protection Function

Article 53 Law 27/2022 stipulates that Personal Data Controller and Personal Data Processor must appoint officials or officers who carry out the Personal Data Protection function, based on professionalism, knowledge of the law, Personal Data Protection practice, and ability to fulfil their duties, in the event that:


  1. the Personal Data are for the benefit of public services;

  2. the core activities of the Personal Data Controller have the nature, scope, and/or purposes that require regular and systematic monitoring of Personal Data on a large scale; and

  3. the core activities of the Personal Data Controller consist of the Personal Data processing on a large scale for specific Personal Data and/or Personal Data related to crimes.


Furthermore, the officials or officers who carry out the Personal Data Protection function shall have at least the following duties:


  1. inform and provide advice to the Personal Data Controller or the Personal Data Processor in order to comply with Law 27/2022;

  2. monitor and ensure compliance with Law 27/2022 and the policies of the Personal Data Controller or Personal Data Processor;

  3. provide advice on assessing the impact of Personal Data Protection and monitoring the performance of the Personal Data Controller and the Personal Data Processor; and

  4. coordinate and act as a liaison for issues related to the processing of Personal Data.

Additionally, officials or officers who carry out the Personal Data Protection function shall take into account the risk related to the Personal Data processing, considering the nature, scope, context, and purpose of the processing.

  • Personal Data Protection Agency


Law 27/2022 stipulates that the Government shall participate in the organization of Personal Data Protection, which shall be conducted by an agency that is established by the President and responsible to the President. Furthermore, in order to realize the implementation of Personal Data Protection, the agency shall carry out:


  1. formulation and stipulation of policies and strategies for Personal Data Protection which shall become the guideline for Personal Data Subject, Personal Data Controller, and Personal Data Processor;

  2. supervision on the organization of Personal Data Protection;

  3. enforcement of administrative law on violations of Law 27/2022; and

  4. facilitation of dispute settlement out of court.


Further provisions regarding the referred agency will be regulated by Presidential Regulation. Moreover, Article 61 Law 27/2022 stipulates that the procedures for the implementation of authority over the mentioned agency will be regulated in Government Regulation. However, until today, the intended Presidential Regulation has not been enacted.

Transfer of Personal Data

Law 27/2022 stipulates that Personal Data Controller may transfer Personal Data to other (i) Personal Data Controller within the jurisdiction of the Republic of Indonesia; and (ii) Personal Data Controller and/or Personal Data Processor outside the jurisdiction of the Republic of Indonesia.


  • Transfer of Personal Data Within the Jurisdiction of the Republic of Indonesia


The Personal Data Controller may transfer Personal Data to other Personal Data Controller within the jurisdiction of the Republic of Indonesia. The Personal Data Controller who transfers Personal Data and who receives the transfer of Personal Data must carry out Personal Data Protection as referred to in Law 27/2022.


  • Transfer of Personal Data Outside the Jurisdiction of the Republic of Indonesia


The Personal Data Controller may transfer Personal Data to another Personal Data Controller and/or Personal Data Processor outside the jurisdiction of the Republic of Indonesia in accordance with the provisions stipulated under Law 27/2022. In carrying out the transfer of Personal Data, the Personal Data Controller must ensure that the country of domicile of the Personal Data Controller and/or the Personal Data Processor that receives the transfer of Personal Data has a level of Personal Data Protection that is equal to or higher than that regulated under Law 27/2022.

In the event that the above provisions are not fulfilled, the Personal Data Controller must ensure that there is adequate and binding Personal Data Protection and must obtain consent of the Personal Data Subject.

Dispute Settlement and Procedural Law


Dispute Settlement based on Law 27/2022

Source: Law 27/2022.

In resolving disputes related to Personal Data, the settlement of a Personal Data Protection dispute shall be conducted through arbitration, court, or other alternative dispute resolution agencies in accordance with provisions of laws and regulations. Furthermore, the procedural law that applies to the settlement of a Personal Data Protection dispute and/or judiciary process shall be implemented based on the procedural law that is applicable in accordance with provisions of laws and regulations.


Moreover, the valid evidence in Law 27/2022 shall consist of: (i) evidence as referred to in the procedural law; and (ii) other evidence in the form of electronic information and/or electronic documents in accordance with provisions of laws and regulations. In the event that it is necessary to protect the Personal Data, the court proceeding may be carried out in a closed court.

Prohibitions in The Use of Personal Data and Criminal Provisions

Diving deeper into Law 27/2022, it explicitly prohibits unlawful acts related to obtaining or collecting Personal Data that do not belong to the person concerned, with the intention to benefit themselves or other persons, which may result in a loss to the Personal Data Subject. Furthermore, every Person is prohibited from unlawfully disclosing and using Personal Data that do not belong to them.

To address these prohibitions, Article 67 Law 27/2022 stipulates that every Person who intentionally or unlawfully:


  • obtains or collects Personal Data that do not belong to them with the intention to benefit themselves or other persons which may result in the loss of the Personal Data Subject, shall be sentenced to a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp5,000,000,000,- (five billion Rupiah);

  • discloses Personal Data that do not belong to them, shall be sentenced to a maximum imprisonment of 4 (four) years and/or a maximum fine of Rp4,000,000,000,- (four billion Rupiah); and

  • uses Personal Data that do not belong to them, shall be sentenced to a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp5,000,000,000,- (five billion Rupiah).


Concurrently, Article 68 Law 27/2022 provides a specific provision for any Person who intentionally makes false Personal Data or falsifies Personal Data to benefit themselves or other persons, which may result in a loss to other persons: such Person shall be sentenced to imprisonment of up to 6 (six) years and/or a fine of up to Rp6,000,000,000,- (six billion Rupiah). In addition to these sentences, an additional sentence may be imposed in the form of confiscation of obtained profits and/or assets or proceeds from criminal acts, and compensation payment.

Moreover, in the event that the crimes as referred to in Article 67 and Article 68 Law 27/2022 are conducted by a Corporation, the sentence may be imposed on the management, controller, commanding officer, beneficial owner, and/or the Corporation. In this regard, the only sentence that may be imposed on a Corporation is a fine, amounting to a maximum of 10 (ten) times the maximum fine imposed. Specifically, in addition to the fine, a Corporation may be imposed with an additional penalty of:[6]

  • seizure of profits and/or assets acquired or proceeds from crimes;

  • suspension of entire or part of the Corporation’s business;

  • a permanent prohibition on engaging in certain actions;

  • closure of all or part of the place of business and/or activities of the Corporation;

  • compulsory fulfilment of the obligations that have been neglected;

  • payment of compensation;

  • revocation of license; and/or

  • dissolution of the Corporation.
