Indonesia: Personal Data Protection Law - What you need to know - Part two

On 20 September 2022, the House of Representatives ratified the final draft of the Personal Data Protection Act [1] which, once formally enacted into law, will become the Law on Personal Data ('the Law'). The Law is expected to unify Indonesia's patchwork of data protection legislation, which is currently limited to electronic information and systems, namely Law No. 11 of 2008 on Electronic Information and Transactions and Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems. OneTrust DataGuidance provides an overview of the Law and its key provisions, with part one covering the scope of application, key definitions and principles, legal bases for processing, and rights of data subjects, and part two covering controller and processor obligations, data transfers, and enforcement and entry into force of the Law.

Controller obligations

Joint controllers (Article 18)

The processing of personal data may be carried out by two or more controllers. Where this is the case, such controllers must at a minimum satisfy the following requirements:

  • establishing an agreement to outline their roles, responsibilities, and relationships;
  • ensuring that their purposes of processing are interrelated and that the means for processing are mutually determined; and
  • jointly appointing a contact person.

Record-keeping (Article 31)

Controllers are required to record all processing activities, although the Law does not clarify how this obligation may be complied with or whether further rules may be established.

Notably, however, Article 32 of the Law explicitly refers to the right of data subjects to access records of processing.

DPIAs (Article 34)

Controllers must conduct a Data Protection Impact Assessment ('DPIA') in the event that the processing of personal data has a high potential risk to the data subject, including for:

  • automated decision-making that has legal consequences or a significant impact on the data subject;
  • the processing of specific personal data;
  • large-scale processing of personal data;
  • the processing of personal data for the systematic evaluation, scoring, or monitoring of activities of data subjects;
  • the processing of personal data for matching activities or for merging groups of data;
  • the use of new technology in the processing of personal data; and
  • the processing of personal data that restricts the exercise of data subject rights.

According to the explanatory memorandum, DPIAs involve the evaluation of potential risks associated with the processing of personal data, as well as efforts or steps that must be taken to mitigate those risks, including to the rights of data subjects and to compliance with the Law.

Further provisions regarding DPIAs may be specified in a Government Regulation.

Security and breach notification (Articles 35, 36, 38, 39, 46)

Controllers are obliged to protect and ensure the security of personal data, particularly protection from interference, by:

  • preparing and implementing technical operational measures; and
  • determining the security level of personal data by taking into account the nature and risks of personal data.

In addition to the above, controllers are also explicitly responsible for maintaining confidentiality and protecting personal data from unauthorised processing and unlawful access. Accordingly, prevention must be carried out either by using an appropriate security system or by processing personal data using electronic systems reliably, safely, and responsibly.

Where a controller fails to protect personal data, they must submit a written notification within 72 hours to data subjects and the institution to be established by the President ('the Institution') responsible for administering the Law. According to the explanatory memorandum, this includes security breaches, whether intentional or unintentional, that lead to the destruction, loss, alteration, or disclosure of, or unauthorised access to, personal data.

The written notice must at least state:

  • the disclosed personal data;
  • when and how the personal data was disclosed; and
  • handling and recovery efforts for the disclosed personal data.

In certain cases, the controller is also required to inform the public of the above. According to the explanatory memorandum, this refers to cases where the failure to protect personal data disrupts public services and/or has a serious impact on public interests.

Data retention (Articles 42 to 45)

The Law does not specify an exact period for storing personal data. However, it does outline when controllers must cease processing, delete personal data, and/or destroy personal data, including circumstances where the data subject has not requested it.

The obligation to delete arises, for example, when the personal data is no longer necessary for the purposes of processing or when the personal data is obtained and/or processed by unlawful means.

Although the Law does not define the term 'delete' or distinguish it from the term 'destroy', the explanatory memorandum reveals that the term 'destroy' refers to an action to eliminate or obliterate personal data so that it can no longer be used to identify the data subject. Accordingly, the obligation to destroy arises when the personal data has reached the end of its retention period and is qualified to be destroyed based on its archive schedule, or when the personal data is not related to the legal process of a case.

In any case, controllers must notify the deletion and/or destruction of personal data to the data subject.

DPOs (Articles 53, 54)

The obligation to appoint an official or officer to perform the function of personal data protection, i.e. a data protection officer ('DPO'), applies to both controllers and processors. It applies where:

  • personal data is processed for the purposes of public services;
  • the core activities of the controller have a nature, scope, and/or purpose that requires regular and systematic monitoring of personal data on a large scale; and
  • the core activities of the controller consist of large-scale processing of specific personal data or of personal data relating to criminal offences.

According to the explanatory memorandum, the DPO is expected to ensure compliance with the principles of personal data protection and mitigate the risk of violating the same.

The Law goes on to detail how DPOs may be appointed, as well as their duties. Further provisions regarding DPOs may be specified in a Government Regulation.

Processor obligations

Supervision and accountability (Articles 37, 51)

Controllers are required to supervise each party involved in the processing of personal data under their control.

In the event that the controller appoints a processor, the processor must perform the processing of personal data based on the controller's order and in accordance with the provisions set out in the Law. Furthermore, processors may engage other processors with the written consent of the controller.

As a general principle, the processing of personal data by a processor falls within the responsibility of the controller. However, where the processor carries out processing outside the orders and purposes set by the controller, the processor is deemed responsible.

Obligations (Article 52)

The following provisions also apply to processors:

  • Article 29, regarding accuracy, completeness and consistency of personal data;
  • Article 31, regarding record-keeping; and
  • Articles 35 to 39, regarding security of personal data.

Furthermore, as noted above, the obligation to appoint a DPO applies to both controllers and processors.

Data transfers

Transfers for the purpose of M&A (Article 48)

A unique feature of the Law is its provisions on the transfer of personal data as a result of a merger, separation, acquisition, consolidation, or dissolution. Under these circumstances, the controller must notify data subjects prior to the event. According to the explanatory memorandum, the notification may be made directly to the data subject or through mass media, whether through electronic or non-electronic means.

In cases of dissolution specifically, the storage, transfer, deletion, or destruction of personal data must be carried out in accordance with the provisions of laws and regulations and notified to data subjects.

Further provisions regarding the above-mentioned notifications may be specified in a Government Regulation.

Transfers within Indonesia (Article 55)

Controllers are expressly authorised to transfer personal data to other controllers within Indonesia. Both parties are obliged to ensure personal data protection as referred to in the Law.

Transfers outside Indonesia (Article 56)

For cross-border data transfers, controllers must ensure that the country of the recipient has a level of personal data protection equal to or higher than that stipulated in the Law. Where the controller cannot ensure this, it must ensure that there is adequate and binding protection for the personal data.

Where neither of the above conditions can be satisfied, the controller must obtain the consent of the data subject to the transfer.

Further provisions regarding cross-border data transfers may be specified in a Government Regulation.

Enforcement

Supervisory authority (Chapter IX)

The implementation of the Law lies with the Government and within the authority of the Institution. Further provisions regarding the Institution may be specified in a Government Regulation.

In general, the Institution is tasked with:

  • formulating and establishing policies and procedures for data subjects, controllers, and processors;
  • supervising the implementation of personal data protection by controllers;
  • enforcing administrative law in relation to violations of the Law; and
  • facilitating out-of-court dispute resolution.

The Law also grants the Institution extensive advisory, investigative, and corrective powers, such as receiving complaints and giving orders to controllers and processors.

Administrative sanctions (Article 57)

Administrative sanctions may take the form of:

  • a written warning;
  • the temporary suspension of processing activities;
  • the deletion or destruction of personal data; and/or
  • an administrative fine of up to 2% of annual revenue or annual receipts, calculated against the violation variable.

Further provisions regarding administrative fines may be specified in a Government Regulation.

Breach of the following provisions is subject to administrative sanctions:

  • Article 20(1), regarding the legal bases for processing;
  • Articles 21 and 24, regarding the information that must be provided when obtaining the consent of data subjects and the obligation to maintain evidence of consent;
  • Articles 25(2) and 26(3), regarding the obligation to obtain consent for the processing of children's personal data and the personal data of persons with disabilities;
  • Articles 27 to 29, regarding the general principles of processing;
  • Articles 30, 32(1), 33, 40(1), 41(1) and (3), regarding certain data subject rights;
  • Article 31, regarding record-keeping;
  • Article 34(1), regarding the conduct of DPIAs;
  • Articles 35 to 38, 39(1), and 46(1) and (3), regarding the security of personal data and breach notification;
  • Articles 42(1), 43(1), 44(1), and 45, regarding data retention;
  • Article 47, regarding the principle of accountability;
  • Articles 48(1), 55(2), and 56(2) to (4), regarding the transfer of personal data;
  • Article 49, regarding the orders of the Institution;
  • Articles 51(1) and (5) and 52, regarding the obligations of processors; and
  • Article 53(1), regarding the appointment of DPOs.

Criminal sanctions (Chapters XIII and XIV)

In addition to the possibility of administrative sanctions, the Law also establishes criminal offences.

Unlawful collection of personal data

All persons are prohibited from unlawfully obtaining or collecting personal data that does not belong to them with the intention of benefiting themselves or another person, where this may cause loss to the data subject. Breach of this prohibition may result in imprisonment for a maximum of five years and/or a maximum fine of IDR 5 billion (approx. €338,520).

Unlawful disclosure of personal data

All persons are prohibited by law from disclosing personal data that does not belong to them. Persons who intentionally and unlawfully disclose such personal data may be sentenced to imprisonment for a maximum of four years and/or a maximum fine of IDR 4 billion (approx. €270,570).

Unlawful use of personal data

All persons are prohibited by law from using personal data that does not belong to them. Persons who intentionally and unlawfully use such personal data may be sentenced to imprisonment for a maximum of five years and/or a maximum fine of IDR 5 billion (approx. €338,520).

Other offences

The Law goes on to detail further offences, including the offence of falsifying personal data which may entail imprisonment for a maximum of six years and/or a maximum fine of IDR 6 billion (approx. €405,520). The Law also sets out the procedure of imposing criminal sanctions, namely the person within the organisation on which a sanction may be imposed and the process of determining sanctions in court.

In addition to the above-mentioned sanctions, additional penalties may also be imposed in the form of confiscation of profits and/or assets obtained or proceeds from criminal acts, as well as payment of compensation.

Entry into force and transition (Chapter XV)

The Law enters into effect on the date of enactment.

According to Article 73 of Law No. 12 of 2011 on the Establishment of Legislation, in order to become law, a draft law must be delivered to the President for signature within 30 days of its approval by the House of Representatives. If a draft law has not been signed within this period, it becomes law automatically. At the time of writing, the final draft of the Law has not yet been signed.

Notwithstanding the above, the Law also establishes a two-year transition period for compliance. More specifically, controllers, processors, and other parties are obliged to adjust to the provisions on personal data processing under the Law within two years of enactment.

Keshawna Campbell, Lead Privacy Analyst
Karan Chao, Senior Privacy Analyst


1. Only available in Indonesian: https://www.dpr.go.id/dokakd/dokumen/K1-RJ-20220920-123712-3183.pdf