Personal Data Protection Law

Indonesian Government issued Law No.27 Year 2022 on Personal Data Protection (“PDP Law”). It provides umbrella law for the application and implementation of personal data protection in Indonesia and is supervised by several authorities.

PDP Law is effective from 17 October 2022, but it provides a transition period of two years for relevant parties to adjust and comply with the law.

For Financial Institutions under OJK supervision there are two relevant OJK distributions outlining the regulatory requirements for compliance to the PDP Law: SE OJK no 49/POJK.04/2021 on consumer and people protection in Financial Services Sector and SE OJK no 11/POJK.07/2022 on implementation of IT by commercial banks. Other regulated industries will be required to keep up with their respective regulations as well.

Under the law, organizations must perform legal and compliance readiness-assessment and implement the necessary procedures and systems to ensure full compliance with the law and regulations by October 2024.

The PDP Law defines personal data as any electronic and/or non-electronic data that may directly or indirectly identify a person – whether in isolation, or in combination with other information.

Types of Personal Data

• General Personal Data: full name, gender, citizenship, and/or personal data which combines to enable identification.
• Specific Personal Data: health, biometric, genetic, financial data, criminal records, etc.

Rights of the Personal Data Owner

• Rights of information, purpose and use of personal data, basis of legal interest.
• Rights of modification, to rectify any incorrect or inaccurate information.
• Rights to access and obtain copies of the personal data.
• Rights of termination, erasure, and/or disposal of personal data.
• Rights to withdraw consent given to relevant parties to process its personal data.
• Rights to object on any decision made which was based on an automated decision-making process, including profiling, which may expose the personal data subjects to legal consequences or significant impact.
• Rights to delay or limit the processing of personal data.
• Rights to claim and receive compensation over personal data processing violations.

For companies, penalty can reach up to IDR 60 billion and may also incur additional sanctions such as confiscation of profits and/or assets; freezing of company’s business; permanent prohibition of certain activities; closure of all or part of a business place and/or activity; perform the previously neglected activity; payment of compensation; revocation of license and/or corporate dissolution.

In addition, organizations should also consider hiring a Data Protection Officer with the main task to ensure company’s compliance to the PDP Law.