Armand Yapsunto Muharamsyah & Partners (AYMP)

 

What law(s) specifically govern personal data / information?

  1. Law No. 27 of 2022 on Personal Data Protection (“Law No. 27/2022”);
  2. The Minister of Communication and Information (“MOCI”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic System (“MR No. 20/2016”), which principally implements the data protection provisions enshrined under Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 (“Law No. 11/2008”); and
  3. Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (“GR No. 71/2019”),

(Law No. 27/2022, Law No. 11/2008, GR No. 71/2019, and MR No. 20/2016 are collectively referred to as the “Indonesia PDP Regulations”).

Law No. 27/2022 is the most recent law enacted on personal data protection. Pursuant to Law No. 27/2022, upon its entry into force all existing laws and regulations governing personal data protection remain valid to the extent that they do not conflict with the provisions of Law No. 27/2022. The laws and regulations that pre-date Law No. 27/2022 are therefore still included in this section.

 

What are the key data protection principles in this jurisdiction?

Article 16 paragraph (2) of Law No. 27/2022 provides that personal data processing shall be conducted in accordance with the principles of personal data protection, which include:

  1. Personal data is collected in a limited and specific manner, lawfully, and transparently;
  2. Personal data is processed in accordance with its purpose;
  3. Personal data is processed in a way that guarantees the rights of the Personal Data Subject;
  4. Personal data is processed in an accurate, complete, non-misleading, up-to-date and accountable manner;
  5. Personal data is processed in a way that protects its security against unauthorised access, unauthorised disclosure, unauthorised alteration, misuse, destruction, and/or loss;
  6. Personal data is processed with notification of the purposes and processing activities, as well as of any failure of personpersonal data protection (i.e. a data breach);
  7. Personal data is destroyed and/or deleted after the retention period ends or upon request of the Personal Data Subject, unless otherwise stipulated by laws and regulations; and
  8. Personal data is processed responsibly, in a manner that can be clearly demonstrated.

 

What is the supervisory authority / regulator in charge of data protection?

Pursuant to Law No. 27/2022, the authority that will oversee the implementation of data protection is a separate institution to be established by the President of the Republic of Indonesia (the “Personal Data Protection Agency”). The provisions regarding the Personal Data Protection Agency will be set out in a Presidential Regulation, which has not yet been enacted. Until the Personal Data Protection Agency is established, the authority that oversees data protection remains the one designated under Law No. 11/2008, GR No. 71/2019, and MR No. 20/2016, namely the Minister of Communication and Information, and specifically its Director General of Informatics Application. Certain categories of personal data are also supervised by a sectoral authority, such as the Financial Services Authority (OJK) for personal data collected in the financial services sector.

 

Is there a requirement to register with a supervisory authority / regulator?

GR No. 71/2019 juncto MOCI Regulation No. 5 of 2020 on Private Electronic System Providers requires any entity or person (a local entity or Indonesian citizen, or a foreign entity or foreign citizen, that (i) provides services in the territory of the Republic of Indonesia, (ii) conducts business activities in Indonesia, and/or (iii) whose electronic system is used and/or offered in Indonesia) which provides, manages, and/or operates an electronic system whose function is to prepare, collect, process, analyse, store, display, announce, transmit, and/or disseminate electronic information (including personal data) to register itself as an Electronic System Provider (“ESP”) with the MOCI, if:

  • it is regulated or supervised by the MOCI or any other government institution pursuant to the prevailing laws and regulations; and/or
  • it operates a portal, website, or application which is used to, among other things, process personal data for operational activities serving the public in relation to electronic transactions.

For a local ESP, the registration is made once (no fee is payable) through the Online Single Submission (OSS) System. The registrant must first obtain a Business Identification Number (Nomor Induk Berusaha – NIB) and then submit the following details to complete the registration:

  1. Name, sector and sub-sector of the electronic system;
  2. Standard Industrial Classification Code of the registrant;
  3. Location of managing, processing and/or storing of the electronic system and electronic data (including personal data);
  4. Providers for the service of management, processing and/or storing of the electronic system and electronic data (including personal data);
  5. Website and its URL (if any);
  6. Domain name or server IP address;
  7. Description of the business model, business process, and function of the electronic system; and
  8. Details of Personal Data processed.

A foreign ESP that fulfils the criteria for registration in Indonesia shall instead complete a registration form, to be submitted to the MOCI, which consists of:

  • The identity of the foreign ESP;
  • The identity of the head of the company and/or of the person in charge;
  • A domicile statement and/or certificate of incorporation;
  • The number of users from Indonesia; and
  • The transaction value originating from Indonesia.

 

Is there a requirement to notify the supervisory authority / regulator?

The registration described above is sufficient before processing personal data using an electronic system; no further notification is required prior to commencing processing activities. However, for a transfer of personal data to another jurisdiction, MR No. 20/2016 requires that the transfer be coordinated with the MOCI by:

  • Reporting the plan to transfer personal data, which shall include the details of the destination jurisdiction, receiving party, date of transfer, and reason/purpose of the transfer;
  • Requesting the assistance of the MOCI for such transfer (if required); and
  • Reporting the result of such transfer.

We note, however, that no further procedure for this coordination with the MOCI on overseas data transfers has been regulated or made available.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes. The registration can be completed through https://oss.go.id/ by first setting up an account and obtaining a Business Identification Number (Nomor Induk Berusaha – NIB), and then proceeding with the registration.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Pursuant to Articles 5 to 13 of Law No. 27/2022, the rights of personal data subjects are as follows:

  1. Personal data subjects are entitled to obtain information regarding the identity, the legal basis of interest, the purpose of the request for and use of the personal data, and the accountability of the party requesting the personal data;
  2. Personal data subjects have the right to complete, update and/or correct errors and/or inaccuracies in personal data regarding themselves, in accordance with the purpose of the personal data processing;
  3. Personal data subjects have the right to obtain access to, and a copy of, personal data regarding themselves in accordance with the laws and regulations;
  4. Personal data subjects have the right to end the processing of, and to delete and/or destroy, personal data regarding themselves in accordance with the laws and regulations;
  5. Personal data subjects have the right to withdraw the consent to process personal data regarding themselves that they have given to the Personal Data Controller;
  6. Personal data subjects have the right to object to decision-making that is based solely on automated processing, including profiling, which produces legal consequences for or has a significant impact on the personal data subject;
  7. Personal data subjects have the right to suspend or limit the processing of personal data proportionally, in accordance with the purposes for which the personal data is processed;
  8. Personal data subjects have the right to claim and receive compensation for violations in the processing of personal data regarding themselves in accordance with the laws and regulations;
  9. Personal data subjects have the right to obtain and/or use personal data regarding themselves from the Personal Data Controller in a form that follows a structure and/or format that is commonly used or can be read by electronic systems; and
  10. Personal data subjects have the right to use and transmit personal data regarding themselves to other Personal Data Controllers, as long as the systems used are able to communicate with each other securely in accordance with the principles of personal data protection under Law No. 27/2022.

In addition to the above, Article 26 of MR No. 20/2016 sets out the following rights of data subjects:

  1. Confidentiality of their personal data;
  2. Filing complaints with the MOCI to settle disputes over the failure of the relevant electronic system provider to protect the confidentiality of their personal data;
  3. Obtaining access or the opportunity to change or update their personal data without interfering with the personal data management system;
  4. Obtaining access or the opportunity to receive the history of their own personal data previously provided to an ESP; and
  5. Requesting the deletion of their personal data from an electronic system managed by an ESP.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Pursuant to Article 53 of Law No. 27/2022, the Personal Data Controller and Personal Data Processor are required to appoint a Data Protection Officer, in the event that:

  1. the processing of personal data is for public service interests;
  2. the core activities of the Personal Data Controller have the nature, scope, and/or objectives that require regular and systematic monitoring of the personal data on a large scale; and
  3. the core activities of the Personal Data Controller consist of processing personal data on a large scale for specific personal data and/or personal data related to criminal actions.

Detailed provisions regarding the Data Protection Officer will be set out in an implementing regulation in the form of a Government Regulation.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Pursuant to Article 34 of the Law No. 27/2022, the Personal Data Controller is required to conduct personal data protection impact assessments in the event that the processing of personal data has a high potential risk to personal data subjects.

Further, the processing activities of personal data that have high potential risks include:

  • automatic decision-making that has legal consequences or significant impact on personal data subjects;
  • processing of specific personal data (i.e. (i) health data and information; (ii) biometric data; (iii) genetics data; (iv) crime records; (v) data of a child; (vi) personal financial data; and/or (vii) other data in accordance with the provisions of the laws and regulations);
  • processing of personal data on a large scale;
  • processing of personal data for systematic evaluation, scoring or monitoring of personal data subjects;
  • processing of personal data for activities of matching or merging a group of data;
  • use of new technology in processing personal data; and/or
  • processing of personal data which limits the exercise of the rights of Personal Data Subjects.

 

Does this jurisdiction have any specific data breach notification requirements?

In the event of a data breach, Article 46 of Law No. 27/2022 requires a written notification to be served on the personal data subject and the Personal Data Protection Agency no later than 3 x 24 (three times twenty-four) hours, i.e. 3 (three) calendar days. The written notification shall at least cover: (i) the personal data that has been breached; (ii) when and how the personal data was breached; and (iii) the efforts made by the Personal Data Controller to handle and remedy the breach. In certain circumstances, among others where the data breach disrupts public services and/or has a serious impact on the interests of the community, the Personal Data Controller is also required to notify the general public of the data breach.

As the Personal Data Protection Agency has not been established, such notification then shall be served to the MOCI as the ministry responsible for communication and informatics matters.

 

What restrictions apply to the international transfer of personal data / information?

The transfer of personal data to a jurisdiction outside Indonesia is not prohibited, but under MR No. 20/2016 it requires coordination with the MOCI as explained above. In addition, Article 56 of Law No. 27/2022 requires the Personal Data Controller to ensure that the receiving country has a level of personal data protection equal to or higher than that of Law No. 27/2022; where that is not the case, adequate and binding personal data protection must be in place; and where neither condition can be met, the consent of the Personal Data Subject to the transfer must be obtained.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Pursuant to Article 2 of Law No. 27/2022, the Law applies to any person, corporation (whether or not a legal entity), public agency, or international organisation that carries out legal acts regulated under Law No. 27/2022, whether located:

  • inside the jurisdiction of the Republic of Indonesia; or
  • outside the jurisdiction of the Republic of Indonesia, where the act has legal consequences (i) within the jurisdiction of the Republic of Indonesia, and/or (ii) for personal data subjects who are Indonesian citizens residing outside the jurisdiction of the Republic of Indonesia.

Law No. 27/2022 therefore applies not only to legal subjects within the jurisdiction of the Republic of Indonesia (e.g. Indonesian citizens, foreign citizens, and legal entities located in the Republic of Indonesia), but also to legal subjects outside it (e.g. Indonesian citizens, foreign citizens and foreign legal entities located outside the Republic of Indonesia).

However, there are no further provisions yet in place on the implementation procedure of this extra-territorial effect.

 

What rules specifically deal with marketing?

The Indonesia PDP Regulations do not contain any provision that specifically governs marketing. The only sector-specific restriction is that the marketing of financial instruments such as deposits, insurance and securities may be conducted only by licensed entities. Otherwise, the general provisions of the Indonesia PDP Regulations apply to, and must be observed in, any marketing scheme that processes personal data.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

N/A

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

As explained above, the Indonesia PDP Regulations do not contain any provision that specifically governs marketing, including electronic marketing; the general provisions on personal data processing apply.

 

What rules specifically deal with cookies?

The Indonesia PDP Regulations do not contain any provision that specifically governs cookies.

 

What are the consequences of non compliance with data protections laws (including marketing laws)?

See the criminal and administrative sanctions under Law No. 27/2022 described in the answer on key factors for multinational organisations below.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Pursuant to Articles 65 and 66 of Law No. 27/2022, every person and/or entity is prohibited from:

  • unlawfully obtaining or collecting personal data that does not belong to them with the intention of benefiting themselves or another person, where this may result in a loss to the personal data subject;
  • unlawfully disclosing personal data that is not their own;
  • unlawfully using personal data that is not their own; and/or
  • creating false personal data or falsifying personal data with the intention of benefiting themselves or others, where this may cause harm to other people.

A violation of the above prohibitions by an entity results in the imposition of criminal sanctions under Law No. 27/2022 in the form of fines of up to 10 (ten) times the maximum fine imposed on an individual. The sanctions for such violations therefore include (i) fines of up to IDR60,000,000,000 (sixty billion Rupiah); and/or (ii) additional penalties including, but not limited to, confiscation of the profits and/or assets obtained from, or proceeds of, the criminal act, payment of compensation, and/or a permanent prohibition of certain conduct.

In addition to the above, pursuant to Article 57 of Law No. 27/2022, violations of several provisions of Law No. 27/2022, among others the failure of the Personal Data Controller to have a legal basis for the processing of personal data and/or to provide information regarding the personal data processing to the personal data subject, result in the imposition of administrative sanctions, which consist of:

  • a written admonition;
  • temporary suspension of personal data processing activities;
  • deletion or destruction of personal data; and/or
  • administrative fines of up to 2% (two percent) of annual income or annual revenue, determined by reference to the violation.

Further provisions regarding the imposition of administrative sanctions will be regulated in an implementing regulation in the form of Government Regulation.

 

What upcoming data protection developments should multinational organisations be aware of?

As mentioned above, a dedicated institution (the Personal Data Protection Agency) will be established in Indonesia to oversee the implementation of personal data protection pursuant to Law No. 27/2022. The Personal Data Protection Agency will report directly to the President of the Republic of Indonesia and will be responsible for, among other things:

  • The formulation and determination of personal data protection policies and strategies that serve as guidelines for personal data subjects, Personal Data Controllers, and Personal Data Processors;
  • The supervision of the implementation of personal data protection;
  • The enforcement of administrative sanctions against the violations of Law No. 27/2022; and
  • The facilitation of out-of-court dispute resolution.

The Personal Data Protection Agency will be further regulated in an implementing regulation in the form of Presidential Regulation.

Multinational organisations should also note that Law No. 27/2022, although the most recent law on personal data protection in Indonesia, sets out only the general provisions of personal data protection. It therefore depends on implementing regulations (e.g. the Government Regulation and the Presidential Regulation referred to above) to be implemented effectively, and those regulations should be monitored as they are enacted.

 

Contact a member firm: Arie Armand, Richard Yapsunto, Wemmy Muharamsyah (Armand Yapsunto Muharamsyah & Partners (AYMP), Indonesia)