Indonesia - Data Protection Overview
December 2022
1. Governing Texts
The concern of data protection exists wherever personal data is collected or stored. As a general guidance, Indonesia provides protection for the data of its citizens in the Constitution of the Republic of Indonesia 1945 ('the Constitution'). In particular, Article 28G(1) of the Constitution states that 'each person shall have the right to the protection of their personal selves, families, respect, dignity, and possessions under their control'.
On 17 October 2022, Indonesia enacted a specific law regulating personal data protection, i.e. Law No. 27 of 2022 regarding Personal Data Protection (only available in Indonesian here) ('the PDPL'). Unlike the previous regulatory regime that focused on personal data processed through an electronic system, the PDPL applies to personal data processed by both electronic and non-electronic means.
In addition to the PDPL, provisions applicable for data protection in Indonesia are found in several regulations.
1.1. Key acts, regulations, directives, bills
In recent decades, data protection law in Indonesia has undergone significant progress and development. To date, Indonesia has enacted various laws relating to data privacy in a number of specific areas. Most notably, Indonesia recently passed the PDPL, which is now the main regulation on personal data protection.
The PDPL regulates the rights of personal data subjects, the obligations of personal data controllers ('Controllers') and personal data processors ('Processors'), and the relevant principles and requirements for processing personal data.
The implementation of the PDPL is still subject to implementing regulations that have yet to be enacted. The PDPL also provides a two-year grace period for its implementation by Controllers, Processors, and other relevant parties that process personal data.
Personal data protection laws and regulations
In addition to the PDPL, there are provisions governing the protection of personal data specifically in the realm of electronic systems which apply to electronic system providers ('ESPs') and that existed prior to the enactment of the PDPL, hereinafter referred to as the 'PDP Regulations'. The PDP Regulations still apply insofar as they do not conflict with the provisions of the PDPL.
Primarily, the provisions on personal data protection can be found in Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions (only available in Indonesian here) ('the Electronic Information Law'), which came into force on 25 November 2016. The procedural guidelines for the Electronic Information Law are contained in Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (only available in Indonesian here) ('GR 71'), which revokes the previous Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions ('GR 82').
The Electronic Information Law provides that, unless otherwise regulated, the use of any information pertaining to a person's personal data through electronic media requires the consent of such person. The elucidation of the Electronic Information Law provides that the protection of personal data is a part of the right to privacy which encompasses the following:
- the right to enjoy a private life, free of any disturbance;
- the right to communicate with other people without any espionage; and
- the right to monitor the access of information about a person's personal life and data.
To further clarify and implement data protection in electronic systems, the Minister of Communication and Information ('Kominfo') issued, on 1 December 2016, Regulation No. 20 of 2016 on Personal Data Protection in Electronic System ('Kominfo Regulation 20'). Kominfo Regulation 20 came into force on 1 December 2016 and established consent as the core foundation of data privacy protection under Indonesian data privacy laws, so that all processing can only be implemented after obtaining consent from the data subject.
Most recently, the Government of Indonesia ('the Government') further clarified the scope of protection for personal data by issuing Government Regulation No. 40 of 2019 on the Implementation of Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) ('GR 40'). GR 40 came into force on 24 May 2019.
Furthermore, the activity of trading through electronic systems is governed by Government Regulation No. 80 of 2019 regarding Trading through Electronic System (only available to download in Indonesian here) ('GR 80').
Finally, as mentioned above, the Government issued GR 71, which came into force on 10 October 2019. Aside from reaffirming the concepts of personal data protection already encapsulated in existing Indonesian data protection regulations, GR 71 adds several new obligations for ESPs with regard to the protection of personal data that were not recognised under GR 82.
Other laws
Indonesian citizens are entitled to the protection of their personal data collected under Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) ('the Demography Law'), which came into force on 24 December 2013.
Personal data in the health sector is also governed under Ministry of Health ('MOH') Regulation No. 24 of 2022 on Medical Record, which provides for obligations pertaining to the storing, deletion, and confidentiality of medical records.
In the field of banking, personal data is governed under Bank Indonesia Regulation No. 22/20/PBI/2020 regarding Protection of Bank Indonesia Consumer (only available in Indonesian here), which regulates the obligation for banking or non-banking entities which are under the supervision of Bank Indonesia to keep the confidentiality and security of its consumers' data (e.g., the requirement for the consumer's consent before transferring their personal data).
In the financial services sector, the relevant provisions for personal data protection can be found in Financial Services Authority (Otoritas Jasa Keuangan or OJK) Regulation No. 6/POJK.07/2022 of 2022 regarding Customer and Public Protection in the Financial Services Sector (only available in Indonesian here) ('OJK Regulation 6/2022'). This regulation requires financial services institutions to protect the confidentiality and security of customers' personal data.
1.2. Guidelines
The main reference for personal data protection in Indonesia is the PDPL, along with the PDP Regulations. As stated earlier, the enforcement of the provisions of the PDPL will require the enactment of implementing regulations in the form of government regulations and presidential regulations.
1.3. Case law
Cases on breaches of the Electronic Information Law primarily concern defamation through electronic platforms. There are very few notable cases concerning unlawful acts specifically pertaining to personal data protection.
Some of the notable/landmark cases concerning personal data protection are outlined below.
Constitutional Court Decision No. 20/PUU-XIV/2016
Decision No. 20/PUU-XIV/2016 (only available in Indonesian here) was submitted by Setya Novanto, the former speaker of the House of Representatives of the Republic of Indonesia ('DPR'). He requested that the Constitutional Court of the Republic of Indonesia ('the Constitutional Court') adjudicate the constitutionality of several Articles pertaining to interception and evidence contained in the Electronic Information Law (before the latest amendment was issued) and Law No. 20 of 2001 on the Amendments to Law No. 31 of 1999 regarding the Eradication of Criminal Acts of Corruption (only available in Indonesian here) ('the Corruption Law'). The articles concerned were Article 5(1) and (2) and Article 44(b) of the Electronic Information Law and Article 26A of the Corruption Law, which state that electronic information and/or documents are valid evidence before a court. The main contention of the applicant was that the aforementioned articles did not provide limitations regarding the type of electronic information and/or documents which are valid evidence before a court, therefore opening up the possibility of admitting electronic information and/or documents obtained through unlawful interception by an unauthorised party.
In its decision, the Constitutional Court, while acknowledging that interception may impinge on the rights of individuals, emphasised that there were already several legal bases which stipulate the procedure for a lawful interception. In addition, the Constitutional Court held that the interpretation of the term 'electronic information and/or documents' in the context of evidence before a court would contradict the Constitution, unless it is interpreted alongside the phrase '[e]lectronic information and/or electronic documents obtained in accordance with applicable laws and regulations and/or carried out in the framework of law enforcement at the request of the Police, Attorney General's Office, the Corruption Eradication Commission, and/or other law enforcement agencies.'
Therefore, the Constitutional Court limited the scope of valid 'electronic information and/or documents' evidence in courts to electronic information and/or documents that are obtained in accordance with law and/or carried out by the law enforcement agencies.
Central Jakarta District Court Case No. 235/PDT.G/2020/PN.JKT.PST
Central Jakarta District Court Case No. 235/PDT.G/2020/PN.JKT.PST (only available to download in Indonesian here) is the most recent notable case regarding data protection law. The parties involved in the case are the Indonesian Consumer Community ('KKI'), acting as plaintiff, and Kominfo and PT Tokopedia, as defendants. The case concerns the recent leakage of Tokopedia's consumer personal data for approximately 15 million accounts. However, since the case is still ongoing, no decision has yet been issued by the Court. We believe that the Court decision on this matter would become a notable precedent case that may impact data protection law going forward.
Other than the cases above, it is important to also note that there was recently a major allegation of personal data leakage that occurred in Indonesia in May 2021 involving Indonesia's Health Social Security Administrator Body ('BPJS Kesehatan'). The leak was alleged to involve the personal data of approximately 279 million individuals. As of August 2021, there is still no publicly available record of a court decision pertaining to this allegation.
2. Scope of Application
2.1. Personal scope
PDPL
The PDPL applies to any person (individuals and corporations), public body, or international organisation. The PDPL does not apply to personal data processing carried out by individuals for the purpose of personal or household activities.
PDP Regulations
The PDP Regulations primarily focus on electronic information. Accordingly, the personal scope of the PDP Regulations is relatively broad as demonstrated through the definition of an ESP under the PDP Regulations, which seems to be generic in nature. An 'ESP' is defined as every person, state administrator, business entity, and community providing, managing, and/or operating an electronic system, either individually or jointly, for electronic system users for its personal purpose and/or another party's purpose.
In this regard, the term 'electronic system' is defined in GR 71 and Kominfo Regulation 20 as a set of electronic devices and procedures that function to prepare, collect, process, analyse, retain, display, publish, transmit, and/or disseminate electronic information. In practice, the interpretation applied by Kominfo is that any person or entity that stores data electronically would be considered an ESP using an electronic system and therefore subject to the PDP Regulations.
Furthermore, GR 71 distinguishes two types of ESP: public scope ESPs and private scope ESPs. Public scope ESPs are:
- state administrator agencies, defined in GR 71 as legislative, executive, and judiciary institutions at the central and regional level;
- other agencies formed by virtue of laws and regulations; and
- institutions appointed by state administrator agencies.
The latter refers to institutions providing electronic systems with a public scope on behalf of the appointing state administrator agency. It should be noted that Article 2(4) of GR 71 excludes public scope ESPs which are regulatory and supervisory authorities in the financial sector.
In contrast, the definition of private scope ESPs covers the provision of electronic system by individuals, business entities, and the public, which includes:
- ESPs regulated or supervised by the ministries or institutions based on laws and regulations; and
- ESPs with portals, sites, or applications in a network via internet that are used for certain purposes, such as providing, managing, and/or operating offers and/or trade of goods and/or services, including ESPs whose electronic system is used and/or offered in Indonesia (Article 2(5)(b) of GR 71).
2.2. Territorial scope
The PDPL applies to any person, public body, or international organisation that carries out a legal action contemplated under the PDPL and is located:
- within the jurisdiction of Indonesia; and/or
- outside the Indonesian jurisdiction but its action has a legal impact:
- in the jurisdiction of Indonesia; and/or
- on Indonesian personal data subjects outside the jurisdiction of Indonesia.
PDP Regulations
The data protection provisions of the Electronic Information Law apply extra-territorially in certain circumstances. In particular, Article 2 of the Electronic Information Law states that the Electronic Information Law 'is applicable to every person who commits a legal act as regulated under this Law, both who are within Indonesian jurisdiction and outside of Indonesian jurisdiction, and which has legal consequences in Indonesian jurisdiction and/or outside of Indonesian jurisdiction and which is detrimental to Indonesia's interest.'
The extraterritorial scope is further emphasised by the elucidation of Article 2. These provisions have been enacted under the consideration that the use of information technology for electronic information and electronic transaction can be cross-territorial or universal.
The phrase '[d]etrimental to Indonesia's interest' should be construed to include, but not be limited to, detriments to national economic interests, strategic data protection, the dignity of the nation, state defence and security, state sovereignty, citizens, as well as Indonesian legal entities.
2.3. Material scope
PDPL
Personal data is defined as any data concerning a person who is identified or may be identified independently or combined with other information, either directly or indirectly, through an electronic or non-electronic system. Pursuant to Article 4 of the PDPL, personal data comprises specific personal data and general personal data.
Specific personal data is personal data which, in its processing, may have a large impact on the personal data subject, such as discrimination or personal loss. Specific personal data includes: data and information regarding health; biometric data; genetic data; criminal records; data of children; personal financial data; and/or any other data in accordance with the relevant laws and regulations.
General personal data includes full name; gender; nationality; religion; marital status; and/or combined personal data to identify a person.
Under the PDPL, personal data processing includes:
- acquisition and collection;
- processing and analysing;
- storage;
- correction and updates;
- display, announcement, transfer, dissemination, or disclosure; and/or
- deletion or destruction.
Any personal data processing activity must be conducted in accordance with the personal data protection principles, as elaborated in the section on principles below.
PDP Regulations
Kominfo Regulation 20 regulates the following processes:
- acquisition and collection;
- processing and analysing;
- storage;
- display, publication, transmission, dissemination, and/or access opening; and
- destruction.
On the other hand, Article 56(4) of GR 40 grants access to personal data for the purpose of national security and law enforcement, subject to the approval from the Minister of Home Affairs.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
PDPL
The PDPL introduces a new institution whose role is to actualise the implementation of personal data protection in accordance with the provisions of the PDPL ('PDP Institution'). It will be directly responsible to the President of Indonesia. The establishment of the PDP Institution, however, is still awaiting the issuance of a presidential regulation.
Further provisions regarding the PDP Institution will be governed under a government regulation that is still to be issued.
PDP Regulations
There is no general data protection authority, regulatory body, or organisation specifically responsible for protecting personal information and ensuring that legal subjects (e.g., individuals and companies) comply with data protection laws. Furthermore, there is no central records database in Indonesia.
Nevertheless, Kominfo is empowered to carry out government affairs in the field of communication and information technology, pursuant to Presidential Regulation No. 54 of 2015 concerning the Ministry of Communication and Information Technology (only available in Indonesian here) and Kominfo Regulation No. 6 of 2018 concerning Organisation and Work Procedure of the Ministry of Communication and Information Technology (only available in Indonesian here).
Furthermore, pursuant to Article 85 of the Demography Law, the personal data of citizens shall be maintained accurately and protected by the administrator and executive agency.
3.2. Main powers, duties and responsibilities
PDPL
According to the PDPL, the PDP Institution will:
- oversee the formulation and stipulation of personal data protection policies and strategies;
- supervise the implementation of personal data protection;
- enforce administrative sanctions for violations of the PDPL; and
- facilitate the dispute resolutions related to personal data protection outside of the courts.
Specifically for item two above, the PDP Institution shall be authorised to:
- formulate and establish policies in the field of personal data protection;
- supervise the compliance of Controllers;
- impose administrative sanctions for violations of personal data protection by Controllers and/or Processors;
- assist law enforcement in handling allegations of criminal acts related to personal data as referred to in the PDPL;
- cooperate with personal data protection institutions in other countries to resolve allegations of cross-border personal data protection violations;
- assess the fulfilment of personal data transfer requirements to jurisdictions outside of Indonesia;
- supervise Controllers and/or Processors and then issue follow-up orders requiring the Controllers and/or Processors to carry out certain actions;
- publish the results of its supervision of personal data protection in accordance with the provisions of laws and regulations;
- receive complaints and/or reports regarding alleged breaches of personal data protection;
- examine and investigate complaints and reports of alleged violations of personal data protection;
- summon any person and/or public body related to alleged violations of personal data protection;
- request an explanation, data, information, and documents from any person and/or public body related to alleged violations of personal data protection;
- summon the necessary experts in examinations and investigations related to alleged violations of personal data protection;
- examine and investigate electronic systems, facilities, rooms, and/or places used by Controllers and/or Processors, which include obtaining access to the data and/or appointing a third party; and
- request legal assistance from the prosecutor's office to settle personal data protection disputes.
Other Laws and Regulations
According to the PDP Regulations, the Government is charged with the duty of supervision, advocacy, evaluation, enforcement, and other conduct necessary to ensure personal data protection. Furthermore, both the Electronic Information Law and GR 71 contain provisions which require the Government to protect public interests in the field of electronic communication. In particular, the Government is empowered, among other things, to determine the national cybersecurity strategy and regulate information security standards.
Furthermore, Kominfo is authorised, among other things, to formulate and implement policies as well as technical guidance and supervision in the field of communication and information technology ('IT').
As for the administrator and executive agency referred to in the Demography Law, Article 1(6) and (7) of the Demography Law stipulate that the administrator agency consists of the central government, provincial government, and regency or city government, which are responsible for and authorised to oversee population administration affairs, while the executive agency consists of the apparatus of the regency/city government, which is responsible for and authorised to implement services related to population administration affairs.
4. Key Definitions
PDPL
Personal data protection: All efforts to protect personal data in the framework of personal data processing in order to ensure the constitutional rights of the personal data subject (Article 1 of the PDPL).
Personal data subject: Any individual to whom personal data relates (Article 1 of the PDPL).
Data controller: Any person, public entity, or international organisation acting individually or jointly to determine the objectives and exercise control over the processing of personal data (Article 1 of the PDPL).
Data processor: Any person, public entity, or international organisation acting individually or jointly to process personal data on behalf of the Controller (Article 1 of the PDPL).
Personal data: Any data regarding individuals who are identified or can be identified, either separately or in combination with other information, directly or indirectly, using an electronic and/or non-electronic system (Article 1 of the PDPL).
Specific personal data: Personal data which, in its processing, may have a bigger impact on the personal data subject, such as discriminatory acts and other losses to the personal data subject (elucidation of Article 3 of the PDPL). Specific personal data includes: data and information regarding health; biometric data; genetic data; criminal records; data of children; personal financial data; and/or any other data in accordance with the relevant laws and regulations (Article 3 of the PDPL).
Health data: There is no definition of health data provided in the PDP Regulations. However, Article 99(1) and (2) of GR 71 acknowledges that entities in the health sector possess strategic electronic data which must be protected. The closest health data comes to being defined in the existing regulations is in MOH Regulation No. 24 of 2022 regarding Medical Record, which defines medical records as meaning files containing records and documents regarding a patient's identity and the examinations, medications, procedures, and other services provided to the patient.
An explicit definition of health data can be found in the elucidation of Article 4 of the PDPL, which states that 'health data and information' shall mean individual records or information relating to physical health, mental health, and/or health services.
Biometric data: The elucidation of Article 4 of the PDPL stipulates that 'biometric data' shall mean data relating to the physical, physiological, or behavioural characteristics of an individual which allows the unique identification of an individual, such as facial images or dactyloscopy data. Biometric data also describes the unique nature and/or characteristics of an individual which should be kept and maintained, including but not limited to fingerprint records and DNA samples.
The elucidation of Article 40(1)(a)(3) of GR 71 also provides examples of biometric data, which are retina and fingerprint data.
Personal financial data: The elucidation of Article 4 of the PDPL refers to personal financial data as including data regarding bank deposits and credit card data.
Pseudonymisation: This term is not defined in the PDP Regulations or in the PDPL.
PDP Regulations
Personal data: Data on certain individuals that is stored, managed, and maintained, the accuracy and confidentiality of which is maintained and protected. More specifically, it refers to any accurate and actual information attached and identifiable, either directly or indirectly, to each individual, the purpose of which is in accordance with the laws and regulations.
Examples of 'personal data' under Article 84 of the Demography Law include:
- family identification card number;
- personal population identification card number;
- date of birth;
- information regarding any physical or mental condition;
- biological mother's population identification card number;
- father's population identification card number;
- other important events involving birth, death, marriage, divorce, child legalisation, name change, or change of nationality;
- fingerprints;
- eye scan;
- signatures; and
- other information considered as shameful (e.g. embarrassing) for any individual.
The elements of the term 'shameful' are further elaborated under GR 40. Under Article 54 of GR 40, other information that is considered shameful includes elements of data from an important event that should not be disclosed to other people. These events include:
- a child born whose parents' origins are unknown;
- gender change;
- a child born outside of marriage; and
- other important events determined by the Minister of Home Affairs.
5. Legal Bases
5.1. Consent
Consent is an important principle regulated strictly by the PDPL and PDP Regulations.
PDPL
Under Articles 22 and 23 of the PDPL, Controllers must acquire written or recorded, explicit, and valid consent before processing personal data.
In obtaining the consent of the data subject, Article 21 of the PDPL requires the Controller to provide the following information:
- confirmation that the personal data processing shall be carried out for lawful purposes;
- the purpose of the personal data processing;
- the type and relevance of the personal data to be processed;
- the retention period for documents containing personal data;
- details regarding the information collected;
- how long the processing of the personal data will be carried out; and
- rights of the personal data subject.
Article 22 of the PDPL stipulates that the consent must be provided in written or recorded form. Such consent may be submitted by electronic or non-electronic means.
PDP Regulations
Under Article 26(1) of the Electronic Information Law, the use of any information through electronic media which is related to the personal data of a person must be conducted with consent from the person concerned, unless otherwise determined by laws and regulations.
Under Article 14(3) of GR 71, the processing of personal data is subject to the provision of consent of the data subject for one or more specific purposes that have been conveyed to the data subject.
Under Article 9(1) of Kominfo Regulation 20, the acquisition and collection of personal data by ESPs should be based on consent or based on the provisions of laws and regulations.
Finally, Law No. 36 of 2009 on Health as amended by Law No. 11 of 2020 regarding Job Creation (only available to download in Indonesian here) ('the Health Law') contains specific regulations regarding personal data in the health sector. Article 44(3) of the Health Law stipulates that testing on human subjects shall require the subject's informed consent. Before such consent is obtained, the researcher must, among other things, guarantee the confidentiality of the identity and personal data of the data subject.
5.2. Contract with the data subject
Article 20(2)(b) of the PDPL and Article 14(4)(a) of GR 71 stipulate, among other things, that aside from the obtainment of consent, data processing shall be carried out in order to fulfil contractual obligations in the event that the data subject is one of the parties or to fulfil the request of the data subject upon entering into an agreement.
5.3. Legal obligations
Article 20(2)(c) of the PDPL and Article 14(4)(b) of GR 71 provide that data processing shall be carried out, aside from obtaining the consent of the data subject, in order to fulfil legal obligations of the controller in accordance with statutory provisions.
5.4. Interests of the data subject
Under Article 20(2)(d) of the PDPL and Article 14(4)(c) of GR 71, aside from the obtainment of consent, personal data may be processed in order to fulfil the vital interests of the data subject. There is neither an exhaustive nor a non-exhaustive list of the interests of the data subject. The elucidation of Article 14(4)(c) of GR 71 elaborates the meaning of 'vital interest' as the need/necessity to protect very important matters concerning a person's existence.
5.5. Public interest
Under Article 20(2)(e) of the PDPL, aside from the obtainment of consent, personal data may be processed to fulfil the obligations of the Controller in the context of public interest, public service, or the implementation of the authority of the Controller in accordance with the laws and regulations.
Similarly, under Article 14(4)(e) of GR 71, personal data may be processed in order to fulfil the obligations of the controller in public services for the public interest.
5.6. Legitimate interests of the data controller
Under Article 20(2)(f) of the PDPL and Article 14(4)(f) of GR 71, aside from the obtainment of consent, personal data may be processed in order to fulfil the legitimate interests of the controller. There is neither an exhaustive nor a non-exhaustive list of the legitimate interests of the data controller. Data controllers may pursue any interests so long as they adhere to the prohibitions and obligations set out in the PDPL and PDP Regulations.
5.7. Legal bases in other instances
Not applicable.
6. Principles
Under Article 3 of the PDPL, the PDPL shall be implemented based on the principle of protection, legal certainty, public interest, benefit, prudence, balance, accountability, and confidentiality.
The Elucidation of Article 3 of the PDPL elaborates the following:
- principle of protection: means providing protection to data subjects so that their personal data is not misused;
- principle of legal certainty: means that every processing activity shall be carried out on a legal basis;
- principle of public interest: means that the enforcement of personal data protection must consider the interest of the public or society at large, as well as the state administration and national defence and security;
- principle of benefit: means that the regulation of personal data protection must be useful for the national interest, specifically for public welfare;
- principle of prudence: means that the parties involved in data processing and supervision activities must pay attention to all aspects that have the potential to cause losses;
- principle of balance: means parties must make an effort to balance the right of personal data protection and legitimate state rights based on public interest;
- principle of accountability: means all parties involved in data processing and supervision activities must act responsibly so as to ensure the balance of rights and obligations of the parties concerned, including the personal data subjects; and
- principle of confidentiality: means that personal data must be protected from unauthorised parties and/or from unauthorised personal data processing.
The processing of personal data must also comply with the personal data processing principles, which include:
- personal data collection shall be carried out in a limited and specific, legal and valid, and transparent manner;
- personal data processing shall be carried out in accordance with its purpose;
- personal data processing shall be carried out by ensuring the rights of the personal data subject;
- personal data processing shall be carried out in an accurate, complete, not misleading, up-to-date, and accountable manner;
- personal data processing shall be carried out by protecting the security of personal data from unauthorised access, unauthorised disclosure, unauthorised alteration, misuse, destruction, and/or loss of personal data;
- personal data processing shall be carried out by notifying the personal data subject of the purpose of the processing, as well as any failure to protect the personal data;
- personal data shall be destroyed and/or deleted after the expiry of the retention period or at the request of the personal data subject, unless otherwise stipulated by laws and regulations; and
- personal data processing shall be carried out responsibly and be evidenced clearly.
Under Articles 2 and 4 of Kominfo Regulation 20, the processing of personal data shall be carried out based on the principle of good personal data protection, which includes the following elements (see also Article 36 of Kominfo Regulation 20):
- having due regard towards personal data as private;
- personal data is confidential in nature, in accordance with the consent of the data subject and/or based on the provisions of laws and regulations;
- obtaining sufficient consent from the data subject, and basing its processing activities on such consent;
- ensuring processing is relevant to the purpose of acquisition, collection, processing, analysing, storage, display, announcement, delivery, and dissemination;
- limiting processing activities to what is necessary;
- ensuring the suitability of the electronic system that is being used;
- having the good faith to immediately notify data subjects of any failure in relation to personal data protection;
- ensuring the availability of internal regulation for the management of personal data protection;
- having responsibility for any personal data in the possession of users;
- ensuring ease of access to and correction of personal data for data subjects; and
- ensuring the integrity, accuracy, and validity of personal data, and ensuring that personal data is up to date.
7. Controller and Processor Obligations
With the enactment of the PDPL, Indonesia now recognises the difference between a Controller and a Processor, and that the two have their own individual obligations as well as some shared obligations. Under the PDPL, the Controller remains responsible for personal data processing carried out by the Processor it appoints, so long as the Processor's activities are still in accordance with the Controller's instructions. With the approval of the Controller, the Processor can also appoint one or more other Processors.
Obligations of Controllers
The obligations of Controllers are regulated under Article 20 to Article 50 of the PDPL. These obligations include:
- having a legal basis before processing personal data;
- for processing activities based on the data subject's consent, to provide information to the data subject on: the legality of the personal data processing; the purpose of the personal data processing; the type and relevance of the personal data to be processed; the retention period for documents containing personal data; details regarding the information collected; the period of personal data processing; and the data subject's rights. In the event that there is a change in any of the information above, the Controller must notify the data subject;
- to acquire written or recorded, explicit and valid consent before processing personal data;
- to provide proof of consent given by the data subject;
- to process the personal data of children by acquiring the consent of the parents and/or legal guardian of the child;
- to process the personal data of persons with disabilities using a method of communication in accordance with the laws and regulations, and by first acquiring the consent of the person with disabilities and/or that person's legal guardian;
- to process personal data in a limited and specific, legal, valid, and transparent manner;
- to process personal data in accordance with the purposes of the personal data processing;
- to ensure the accuracy, completeness, and consistency of personal data in accordance with the provisions of laws and regulations;
- to update and/or rectify mistakes and/or inaccuracies in the personal data no later than 72 hours from when the Controller receives a request to update and/or rectify the personal data;
- to record all personal data processing activities;
- to provide the data subject access to the personal data that is processed, along with the history of personal data processing in accordance with the retention period for the personal data. Such access must be provided no later than 72 hours from the time the request for such access is received;
- to refuse to allow data subjects to change their personal data if such change endangers the security or physical or mental health of the data subject and/or other people; results in the disclosure of the personal data of other individuals; and/or is contrary to the interests of national defence and security;
- to assess the impact of personal data protection in the event that the personal data processing carries a high potential risk for the data subject (Data Protection Impact Assessment ('DPIA'));
- to protect and ensure the security of the processed personal data by preparing and implementing operational technical steps to protect personal data from interference with personal data processing that is contrary to the provisions of laws and regulations; and determining the level of security of personal data by considering the nature and risk of the personal data that must be protected in the processing of personal data;
- to maintain the confidentiality of the personal data;
- to supervise each party involved in the processing of personal data that is under their control;
- to protect personal data from unlawful processing;
- to mitigate any unauthorised access to personal data by using a security system and/or processing personal data using an electronic system in a reliable, secure, and responsible manner, in accordance with the provisions of laws and regulations;
- to cease the personal data processing if the data subject withdraws their consent, no later than 72 hours from the time the Controller receives the request to withdraw the consent for personal data processing;
- to postpone or restrict the personal data processing, either partially or completely, no later than 72 hours from the time the Controller receives the request to postpone or restrict the personal data processing;
- to cease the personal data processing if it has reached the retention period, the purpose of the processing has been achieved, and there is a request from the data subject;
- to delete all personal data in the event that the personal data is no longer necessary to achieve the purposes of the processing; the data subject has withdrawn the consent for the processing; the data subject requested the personal data to be deleted; or the personal data was obtained and/or processed in an unlawful manner;
- to notify the data subject of the deletion and/or destruction of personal data;
- in the event of a failure of personal data protection, to provide written notification no later than 72 hours to the data subject and the PDP Institution, and in certain cases, the public;
- to process personal data and demonstrate accountability in fulfilling its obligations to implement the principles of personal data protection;
- in the event of a merger, separation, acquisition, consolidation, or dissolution of a legal entity, to submit a notification of the transfer of personal data to the data subject; and
- to carry out institutional orders in the context of implementing personal data protection in accordance with the PDPL.
Article 50 of the PDPL provides that in certain circumstances, the above obligations of a Controller may be waived. These circumstances include the interests of national defence and security; the interests of the law enforcement process; the public interest in the context of state administration; or the supervision of the financial services, monetary, payment system, and financial system stability sectors carried out in the context of state administration.
Obligations of Processors
The obligations of Processors are regulated under Articles 51 and 52 of the PDPL, with Article 52 stipulating those obligations of Controllers that are shared by Processors. The obligations of Processors, both shared and exclusive obligations, include:
- to ensure the accuracy, completeness, and consistency of personal data in accordance with the provisions of laws and regulations;
- to record all personal data processing activities;
- to protect and ensure the security of the processed personal data by preparing and implementing operational technical steps to protect personal data from interference with personal data processing that is contrary to the provisions of laws and regulations; and determining the level of security of personal data by considering the nature and risks of the personal data that must be protected in the processing of personal data;
- to maintain the confidentiality of the personal data;
- to supervise each party involved in the processing of personal data that is under their control;
- to protect personal data from unlawful processing;
- to mitigate any unauthorised access to personal data by using a security system and/or processing personal data using an electronic system in a reliable, secure, and responsible manner, in accordance with the provisions of laws and regulations; and
- to conduct personal data processing based on the instructions of the Controller. In doing so, Processors may include other Processors by first obtaining written approval from the Controller.
General obligations applicable to ESPs
As there are several stakeholders in the field of personal data protection, the PDP Regulations provide for different obligations for the various stakeholders.
Article 27 of Kominfo Regulation 20 governs the obligations of personal data users which are to:
- maintain the confidentiality of personal data they receive, collect, process, and analyse;
- solely use personal data in accordance with the needs of users;
- protect personal data and documents containing such personal data from any misappropriation; and
- be responsible for the personal data that is under their control (i.e. either control by way of organisation which falls under their authority or individual control), if any misappropriation occurs.
Articles 4 and 28 of Kominfo Regulation 20 govern the obligations of ESPs, which are to:
- undergo a certification process for the electronic systems under their management in accordance with the provisions of laws and regulations;
- safeguard the authenticity, validity, confidentiality, accuracy, and relevance as well as the conformity with the purpose of acquiring, collecting, processing, analysing, storing, displaying, announcing, delivering, disseminating, and erasing personal data;
- ensure that personal data stored in an electronic system is encrypted;
- have internal regulations relating to the protection of personal data which conform with the provisions of laws and regulations (e.g. provide audit track records on all electronic system organisation activities that are under their management);
- provide options to data subjects regarding whether their personal data may or may not be used and/or displayed by/to any third party based on consent, as long as it still relates to the purpose of acquiring and collecting the personal data;
- grant access or opportunity to data subjects to alter or renew their personal data without disrupting the personal data management system, unless stipulated otherwise by the provisions of laws and regulations;
- delete personal data in accordance with the provisions of Kominfo Regulation 20; and
- provide a point of contact who can be easily contacted by data subjects as regards the management of their personal data.
Contracts with data subjects
While there is no explicit provision requiring the existence of a contract with the data subject, the PDP Regulations emphasise the importance of adherence to contractual obligations arising from agreements between the party processing the personal data and the data subject. Additionally, the PDP Regulations provide for general requirements regarding electronic contracts, including electronic contracts involving data subjects.
Under Article 1(17) of the Electronic Information Law and Article 1(17) of GR 71, an electronic contract is defined as an agreement between the parties made through an electronic system. As the implementing regulation to the Electronic Information Law, GR 71 provides for further rules regarding electronic contracts. In particular, Article 46(2) of GR 71 stipulates that an electronic contract is valid if it:
- contains the consent between those who bind themselves;
- is entered into by legal subjects having the capacity or authority to conclude an agreement;
- regulates a certain subject matter; and
- has a legal cause.
An electronic contract made with a data subject is only valid if it fulfils the aforementioned requirements.
Internal policies for ESPs
Kominfo Regulation 20 requires ESPs to have an internal policy on the protection of personal data when implementing the following data processing operations:
- acquisition and collection;
- processing and analysing;
- storage;
- presentation, publication, transmission, dissemination, and/or access opening; and
- destruction.
Usually, ESPs create their own data protection guidance/policy for users of their electronic systems and/or services, which should be compliant with the PDP Regulations.
Obligations for trading activities through electronic systems
GR 80 provides strict regulations on the personal data protection of consumers, providing that business entities conducting trade through electronic systems shall keep personal data in accordance with the standard of personal data protection or the common business practice. Such personal data protection must be carried out in accordance with the following rules:
- personal data must be obtained truthfully and legally from the owner of the personal data concerned, accompanied by the existence of choices and guarantees for the safeguarding and prevention of loss to the data subject;
- personal data must be used for one or more purposes that are described in a specific and valid manner, and cannot be further processed in a way that is not in accordance with said purposes;
- personal data that is obtained must be proper, relevant, and not too broad in relation to the purpose of their processing as previously conveyed to the data subject;
- personal data must be accurate and must always be up to date by way of giving opportunities to the data subject to update their personal data;
- personal data must be processed in accordance with the purpose of their acquisition and allocation, and cannot be possessed longer than the required time;
- personal data must be processed in accordance with the rights of data subjects as regulated under laws and regulations;
- parties which store personal data must possess a proper security system to prevent leaks or prevent any unlawful utilisation or processing of personal data, as well as be responsible for unexpected losses or damages to said personal data; and
- personal data cannot be sent to another country or area outside Indonesia, except if said country or area has been declared as having the same protection level and standard as Indonesia by the Minister of Trade.
7.1. Data processing notification
The PDPL and the PDP Regulations do not require notification or registration prior to the processing of data.
7.2. Data transfers
PDPL
A Controller is allowed to transfer personal data to another Controller within the jurisdiction of Indonesia. The PDPL further allows the cross-border transfer of personal data from a Controller to a Controller and/or Processor outside the jurisdiction of Indonesia if:
- the country of domicile of the Controller and/or Processor that will receive the personal data has a personal data protection level that is equal to or higher than that stipulated in the PDPL;
- if condition one is not fulfilled, the Controller must ensure that there is adequate and binding personal data protection; and
- if condition two above is not fulfilled, the Controller must obtain the consent of the data subject.
The implementation of cross-border data transfer is to be further regulated by a government regulation.
PDP Regulations
The transfer of personal data is prohibited without the consent of the data subject, as stipulated under Article 27(1) of the Electronic Information Law and emphasised in Article 21(a) of Kominfo Regulation 20.
Under Kominfo Regulation 20, coordination with Kominfo must be carried out before the personal data is transferred and after the transfer of personal data is completed. To fulfil the coordination requirement, Article 22(2) of Kominfo Regulation 20 requires an Indonesian ESP to:
- report the proposed transfer of personal data to Kominfo, which includes at least the name of the receiving state and the receiver, frequency of transfer, and the reason or purpose of such transfer;
- request advocacy from Kominfo, if necessary; and
- report the result of the transfer.
The Electronic Information Law also provides that anyone who intends, without valid rights, to change, add, reduce, transmit, destroy, eliminate, transfer, or hide electronic information and/or electronic documents owned by another person or owned by the public shall be prohibited from doing so.
Additionally, Article 59(2)(h) of GR 80 provides that personal data is prohibited from being transferred to another country or territory outside Indonesia unless such country or territory has been declared by the Minister of Trade as having an equal standard or level of personal data protection.
Furthermore, Article 11 of OJK Regulation 6/2022 also limits the transfer of personal data to a third party by financial services providers, except where there is written consent from the consumer and/or as required by laws and regulations.
7.3. Data processing records
Pursuant to Article 31 of the PDPL, Controllers must record all personal data processing activities.
Furthermore, under Article 22(1) of GR 71, ESPs are required to provide an audit trail for all activities of the electronic system organisation. This includes:
- maintaining the transaction log in accordance with the provider's data retention policy and with laws and regulations;
- notifying the consumer if a transaction has been conducted; and
- ensuring the availability of an audit trail function that is able to detect an attempted and/or actual intrusion, which must be reviewed or evaluated periodically.
In addition, in the event that the processing and audit trail are the responsibility of a third party, such audit trail process shall be in accordance with the standard determined by the ESP.
7.4. Data protection impact assessment
PDPL
As stated above, the Controller is obliged to conduct a DPIA if the personal data processing has a high potential risk to the personal data subjects. According to Article 34(2) of the PDPL, personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
Further provisions of DPIA are expected to be regulated in a government regulation.
PDP Regulations
Under Article 12 of GR 71, ESPs must apply risk management in respect of damages or losses that they may incur. That provision defines 'risk management' as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system which the ESP manages.
7.5. Data protection officer appointment
A data protection officer ('DPO') is the official or officer responsible for ensuring compliance with the personal data protection principles and mitigating the risk of a breach of personal data protection. The DPO may be an internal or external party to the company.
Article 53 of the PDPL introduces the requirement for controllers and processors to appoint a DPO in certain circumstances, namely where:
- the data processing is carried out for the benefit of public services;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; and
- the main activity of the controller consists of large-scale processing which is specific in nature and/or which is related to criminal conduct.
Additionally, while the PDP Regulations do not stipulate the requirement of a DPO, Article 28(i) of Kominfo Regulation 20 requires ESPs to provide a point of contact who can be easily contacted by the data subject relating to the management of their personal data.
7.6. Data breach notification
PDPL
Under Article 46 of the PDPL, Controllers are required to provide written notification no later than 72 hours following a data breach to the data subjects and the PDP Institution. If the breach interferes with public services and/or has a serious impact on the public interest, the Controller must also notify the public. Such written notification must contain at least the disclosed personal data, when and how the personal data was disclosed, and efforts by the Controller to handle and recover from the data breach.
PDP Regulations
ESPs are required to report a personal data protection failure in the electronic system:
- to the data subjects, at the latest 14 days after such failure is known; and
- to Kominfo and the relevant authorities (such as the National Cyber and Crypto Agency), at the first opportunity without undue delay.
Further, Article 28(c)(3) of Kominfo Regulation 20 requires ESPs to ensure the notification is actually received by the data subjects if the breach has the potential to cause harm to the data subjects.
7.7. Data retention
PDPL
The PDPL provides that Controllers must cease personal data processing once the data retention period has been reached and subsequently destroy the personal data.
PDP Regulations
Implementing the Electronic Information Law, GR 71 also regulates the obligation for ESPs to delete certain personal data. ESPs must delete personal data which is irrelevant. Personal data is irrelevant when:
- it is acquired and processed without the consent of the data subject;
- consent has been withdrawn by the data subject;
- it is acquired and processed illegally;
- processing is no longer in accordance with the acquisition purpose based on an agreement and/or laws and regulations;
- its utilisation has exceeded the period in accordance with an agreement and/or laws and regulations; and/or
- the ESP's treatment of it has caused a loss for the data subject.
The obligation of deletion stipulated in the GR 71 consists of erasure and delisting from search engines.
As for the timeframe for data retention, Kominfo Regulation 20 stipulates that data must be stored within an electronic system for a minimum of five years. An exemption to this provision is stipulated under Article 16 of the PDPL, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.
Meanwhile, the PDP Regulations do not explicitly stipulate a timeframe for data retention or a maximum retention period, but instead defer to the relevant authority and to other relevant laws. One of the relevant laws which mentions a retention period for personal data is Law No. 43 of 2009 regarding Archive (only available in Indonesian here) ('the Archiving Law'). The Archiving Law distinguishes between data with a maximum retention period of 10 years and data with a maximum retention period of 25 years. The data and its retention period are to be listed in an archive retention schedule.
7.8. Children's data
PDPL
The PDPL considers children's data as specific personal data. Article 25 of the PDPL regulates that the processing of children's data must be conducted by first acquiring the consent of the child's parents or legal guardian. The processing of children's data must be implemented in a specific manner that is expected to be elaborated in an implementing regulation.
PDP Regulations
Kominfo Regulation 20 regulates the processing of children's data in the context of obtaining consent. Article 37 of Kominfo Regulation 20 provides that, in the event that the data subject constitutes a person who falls under the category of children in accordance with the provisions of laws and regulations, then the granting of consent as referred to under Kominfo Regulation 20 should be carried out by the parent or guardian of the child in question. The parent should be the father or mother of the child in question in accordance with the provisions of laws and regulations. The guardian should be the person who has the obligation to take care of the child in question before the child reaches adulthood in accordance with the provisions of laws and regulations.
The PDPL and the PDP Regulations defer the authority to set out the age of consent to other laws. Based on Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014 (only available in Indonesian here), a child is an individual who has not reached the age of 18.
7.9. Special categories of personal data
Article 34 of the PDPL stipulates that the processing of specific personal data is considered a personal data processing activity with a high risk potential and would require a DPIA. Article 53 of the PDPL also regulates that a Controller and Processor must appoint a DPO if their main activities include processing specific personal data and/or personal data related to criminal conduct on a large scale.
In relation to the processing of criminal data, Article 33 of GR 71 also stipulates that 'for the purpose of criminal justice process, the ESP must provide electronic information and/or electronic data which is contained in the electronic system, or electronic information and/or electronic data which are processed by the electronic system, at the valid request from an investigator for certain criminal acts in accordance with the authority regulated in laws'.
Data of persons with disabilities
Article 26 of the PDPL regulates that the data of persons with disabilities must be handled in a specific manner, using a certain method of communication in accordance with the relevant regulations, and consent must first be acquired from the data subject and/or their legal guardian. It is expected that an implementing regulation will be issued to further clarify this matter.
7.10. Controller and processor contracts
Article 18 of the PDPL explicitly stipulates that in the event personal data processing is conducted by two or more Controllers (joint controllers), there must be an agreement between the Controllers on the roles, responsibilities, and relationship between each Controller.
For completeness, the relationship between Controller and Processor, as well as Processor and sub-processor, is regulated under Article 51 of the PDPL. This article regulates that if a Controller appoints a Processor, the Processor is required to carry out personal data processing in accordance with the instructions of the Controller. Further, a Processor is allowed to involve another Processor to carry out the personal data processing with the prior written approval of the Controller. Based on the above, while there is no explicit requirement governing the types or content of the contracts, it is understood that the relationship between Controller and Processor is to be governed under an agreement.
8. Data Subject Rights
PDPL
Under Articles 5 to 13 of the PDPL, data subjects are entitled to the following rights:
- to obtain information regarding clarity of identity, basis of legal interest, purpose of requesting and using personal data, and accountability of parties that request the personal data;
- to complete, update, and/or correct errors and/or inaccuracies in their personal data;
- to access and obtain a copy of their personal data;
- to stop the processing of, delete, and/or destroy their personal data;
- to withdraw consent for the processing of their personal data that has been given to a Controller;
- to object to a decision-making action that is based solely on automatic processing, including profiling, which has legal consequences or has a significant impact on the data subject;
- to delay or limit personal data processing;
- to sue and receive compensation for violations in connection with the processing of their personal data; and
- to obtain and/or use their personal data from a Controller in a format commonly used or readable by an electronic system and use and send such data to other Controllers.
According to Article 15 of the PDPL, these rights may be waived as follows:
- in the interest of national defence and security;
- in the interest of law enforcement process;
- in the public interest in the context of state administration;
- in the interest of supervision of the financial services, monetary, payment system, and financial system stability sectors carried out in the context of state administration; or
- in the interest of statistics and scientific research.
In addition, where a Controller is a legal entity that performs a merger, separation, acquisition, consolidation, or dissolution of a legal entity, it is required to submit a notification of the transfer of personal data to the data subject. The notification must be submitted prior to the aforementioned corporate action. Additionally, the elucidation of Article 48 of the PDPL explains that such notification means either notification to the data subject directly or general notification through the mass media, by electronic or non-electronic means.
Further provisions regarding the procedure to deliver a notification shall be regulated in a government regulation.
PDP Regulations
In addition, pursuant to Article 26 of Kominfo Regulation 20, data subjects are entitled to:
- confidentiality of their personal data;
- file complaints to Kominfo in relation to disputes over the failure of the relevant ESP to protect the confidentiality of their personal data;
- obtain access or the opportunity to change or update their personal data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations;
- obtain access or the opportunity to receive the history of their personal data, which has been given to an ESP insofar as it is still in accordance with the applicable laws and regulations; and
- request the destruction of their personal data in an electronic system managed by an ESP, unless otherwise determined by the applicable laws and regulations.
8.1. Right to be informed
The following information should be provided to data subjects at the point of collection of the personal data:
- the legality of the personal data processing;
- the purpose of the personal data processing;
- the type and relevance of the personal data to be processed;
- the retention period for documents containing personal data;
- details regarding the information collected;
- period of personal data processing; and
- the data subject's rights.
8.2. Right to access
Pursuant to Article 32 of the PDPL, data subjects are entitled to obtain access to their personal data that is being processed, along with the history of the processing and the retention period of the personal data. The Controller must provide this access within 72 hours (3 x 24 hours) of receiving the request from the data subject.
Article 26 of Kominfo Regulation 20 also stipulates that data subjects have the right to:
- obtain access or the opportunity to change or update their personal data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations; and
- obtain access or the opportunity to receive the history of their personal data, which has been given to an ESP insofar as it is still in accordance with the applicable laws and regulations.
8.3. Right to rectification
Article 30 of the PDPL stipulates that data subjects have the right to request that Controllers update and/or correct errors and/or inaccuracies in their personal data, which the Controller must do within 72 hours of receiving the request. Data subjects are then entitled to be notified of the update and/or correction of their personal data. The Controller may, however, refuse such a request if:
- it endangers the security, physical health, or mental health of the data subject and/or other people;
- it risks the disclosure of other people's personal data; and/or
- it is contrary to the interests of national defence and security.
Kominfo Regulation 20 also provides that data subjects are entitled to gain access or the opportunity to alter or renew their personal data without disrupting the personal data management system, unless stipulated otherwise by laws and regulations. This means that data subjects can rectify their personal data in cases of inaccuracy, so long as doing so does not disrupt the personal data management system.
Such right is also mentioned in Article 59(2)(d) of GR 80, which provides that personal data shall be accurate and up to date. This should be achieved by giving the data subject the chance to update their personal data.
8.4. Right to erasure
A data subject is entitled to request the deletion of their personal data, and personal data may also be erased once its storage time limit lapses, provided that such request or erasure is in accordance with the applicable laws and regulations.
In this regard, GR 71 distinguishes between the right to erasure and the right to delisting, under which the ESP is obliged to delete irrelevant electronic information and/or electronic documents under its control. In particular, Article 15 of GR 71 defines the right to erasure as the erasure of irrelevant electronic information or electronic documents (including those obtained without the person's consent), whereas the right to delisting means the removal of such information from internet search engine results on the basis of a court order.
8.5. Right to object/opt-out
Consent of the data subject is a fundamental basis for data processing, and it follows that the data subject is free to object to any form of processing with which they disagree. This right is regulated under Articles 9 and 40 of the PDPL, which give the data subject the right to withdraw their consent to the processing of their personal data; upon such withdrawal, the Controller must stop the processing within 72 hours of receiving the request. Article 16 of GR 71 emphasises that the personal data which ESPs must erase includes personal data for which the data subject has withdrawn their consent to its use.
8.6. Right to data portability
There is no provision concerning the right to data portability in the PDPL or the PDP Regulations.
8.7. Right not to be subject to automated decision-making
Under Article 10 of the PDPL, data subjects have the right to object to decision-making which is solely based on automatic processing, including profiling, given that such automated processing has legal consequences or a significant impact on the data subject.
8.8. Other rights
Not applicable.
9. Penalties
PDPL
There are two types of sanctions for violations of the PDPL, i.e. administrative and criminal sanctions. Articles 67 to 69 of the PDPL stipulate the following criminal sanctions for violations of personal data protection:
- any person who intentionally and unlawfully obtains or collects personal data that does not belong to them with the intention to benefit themselves or other persons which may result in a loss for the data subject shall be sentenced to imprisonment not exceeding five years and/or a fine not exceeding IDR 5 billion (approx. €302,180);
- any person who intentionally and unlawfully discloses personal data that does not belong to them shall be sentenced to imprisonment not exceeding four years and/or a fine not exceeding IDR 4 billion (approx. €241,750);
- any person who intentionally and unlawfully uses personal data that does not belong to them shall be sentenced to imprisonment not exceeding five years and/or a fine not exceeding IDR 5 billion (approx. €302,180); and
- any person who intentionally creates false personal data or falsifies personal data with the intention to benefit themselves or other persons which may result in a loss for other persons shall be sentenced to imprisonment not exceeding six years and/or a fine not exceeding IDR 6 billion (approx. €362,700).
If the above crimes are committed by a corporation, only fines may be imposed. The criminal fines for corporate entities can be up to ten times the maximum fines for individuals.
Corporations may also be subject to additional penalties in the form of:
- confiscation of profits and/or assets obtained or proceeds from crimes;
- suspension of all or part of the corporation's business;
- permanent ban on performing certain actions;
- closure of all or part of the corporation's place of business and/or activities;
- performance of neglected obligations;
- payment of compensation;
- revocation of license; and/or
- dissolution of the corporation.
PDP Regulations
Additionally, Articles 46 and 48 of the Electronic Information Law stipulate the following sanctions for the violation of personal data protection in an electronic system:
- any person who unlawfully alters, adds, reduces, transmits, tampers with, deletes, moves, or hides the electronic information and/or electronic records of another person or of the public shall be sentenced to imprisonment not exceeding eight years and/or a fine not exceeding IDR 2 billion (approx. €120,900);
- any person who unlawfully moves or transfers electronic information and/or electronic records to the electronic system of an unauthorised person shall be sentenced to imprisonment not exceeding nine years and/or a fine not exceeding IDR 3 billion (approx. €181,360); and
- any person who unlawfully alters, adds, reduces, transmits, tampers with, deletes, moves, or hides the electronic information and/or electronic records of another person or of the public, which results in confidential electronic information becoming publicly accessible with its integrity compromised (i.e. the data is no longer as it should be), shall be sentenced to imprisonment not exceeding ten years and/or a fine not exceeding IDR 5 billion (approx. €302,180).
In addition to the criminal sanctions, violations of personal data protection may be punished with administrative sanctions under Article 36 of Kominfo Regulation 20, which stipulates that any person who unlawfully obtains, collects, processes, analyses, stores, displays, announces, transmits, and/or disseminates personal data is subject to administrative sanctions in the form of:
- verbal warning;
- written warning;
- temporary suspension of activities; and
- publication of its name online (on websites).
Sanctions for the violation of the implementation of an electronic system are regulated under GR 82, which stipulates that an ESP may be subject to administrative sanctions in the form of:
- written warning;
- administrative fine; and
- temporary suspension.
Further, Article 58 of GR 40 imposes administrative sanctions on the use of personal data beyond the authority granted by law or by consent, and on the public display of collected personal data without prior approval from the Ministry. These sanctions take the form of revocation of user access rights, destruction of the data that has been accessed, and an administrative fine of IDR 10 billion (approx. €604,520).
9.1. Enforcement decisions
Not applicable.