Armand Yapsunto Muharamsyah & Partners (AYMP)
What law(s) specifically govern personal data / information?
Law No. 27 of 2022 on Personal Data Protection ('Law No. 27/2022');
The Minister of Communication and Informatics (now known as the Minister of Communication and Digital, 'MOCD') Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems ('MR No. 20/2016'), which principally implements the data protection provisions enshrined under Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 ('Law No. 11/2008');
Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions ('GR No. 71/2019'); and
Government Regulation No. 17 of 2025 on Governance of Electronic System Implementation in Child Protection ('GR No. 17/2025').
Law No. 27/2022 is the latest regulation passed with regard to personal data protection. Pursuant to Law No. 27/2022, at the time this Law comes into force, all provisions of laws and regulations governing personal data protection are declared to remain valid as long as they do not conflict with the provisions of Law No. 27/2022. Therefore, the laws and regulations that existed prior to Law No. 27/2022 are still included in this section.
On 27 March 2025, the Indonesian Government enacted GR No. 17/2025, which introduces specific obligations for Electronic System Providers whose platforms are used by or accessible to minors. These obligations include, among others, the implementation of child-oriented governance measures such as risk assessments, parental consent mechanisms, age verification, privacy-by-default settings, restrictions on profiling and location tracking of children, as well as the appointment of a responsible officer to oversee compliance. While the regulation provides a two-year transitional period for full implementation, we strongly recommend early alignment, as the Ministry of Communication and Digital Affairs retains supervisory authority and may impose administrative sanctions ranging from written warnings to suspension or termination of services.
What are the key data protection principles in this jurisdiction?
Article 16 paragraph (2) of Law No. 27/2022 provides that data protection shall be conducted based on the principles of personal data protection, which include:
- Personal data collection is conducted in a limited and specific manner, legally valid, and transparent;
- The processing of personal data is carried out in accordance with its purpose;
- The processing of personal data is carried out by guaranteeing the rights of the Personal Data Subject;
- The processing of personal data is carried out in an accurate, complete, not misleading, up-to-date and accountable manner;
- The personal data processing is carried out by protecting the security of personal data from unauthorised access, unauthorised disclosure, unauthorised alteration, misuse, destruction, and/or loss of personal data;
- The processing of personal data is carried out by notifying the purposes and processing activities, as well as any failure of Personal Data Protection;
- Personal data is destroyed and/or deleted after the retention period ends or based on the request of the Personal Data Subject, unless otherwise stipulated by laws and regulations; and
- The processing of personal data is carried out responsibly and this can be proven clearly.
What is the supervisory authority / regulator in charge of data protection?
Pursuant to Law No. 27/2022, the authority that will oversee the implementation of data protection is a separate institution to be established by the President of the Republic of Indonesia (the 'PDP Agency'). The provisions regarding the PDP Agency will be further determined in a Presidential Regulation. However, that Presidential Regulation has not been enacted to date. As the PDP Agency that is to supervise the implementation of data protection has not yet been established, the authority that oversees data protection under the Indonesia PDP Regulations is the MOCD, specifically the Directorate General of Digital Space Supervision. This Directorate is a newly established division within the MOCD tasked with formulating and implementing policies on digital space supervision and personal data protection, pursuant to MOCD Regulation No. 1 of 2025 on the Structure and Framework of the MOCD.
Certain fields of personal data are also under the supervision of a sectoral authority, such as the Financial Services Authority (OJK) on the personal data collected in the financial services sector.
Is there a requirement to register with a supervisory authority / regulator?
GR No. 71/2019, in conjunction with MOCD Regulation No. 5 of 2020 on Private Electronic System Providers as amended by MOCD Regulation No. 10 of 2021, requires any entity or person (a local entity or Indonesian citizen and/or a foreign entity or foreign citizen that (i) provides services in the territory of the Republic of Indonesia, (ii) conducts business activities in Indonesia, and/or (iii) whose electronic system is utilised and/or offered in Indonesia) that provides, manages, and/or operates an electronic system whose function is to prepare, collect, process, analyse, store, display, announce, transmit, and/or disseminate electronic information (including personal data) to register itself as an Electronic System Provider ('ESP') with the MOCD, if:
- it is regulated or supervised by the MOCD or any government institution(s) pursuant to the prevailing laws and regulations; and/or
- it possesses a portal, website, or application which is used to, among others, process personal data for operational activities for the public in relation to electronic transactions.
The registration has to be done once (without any fee being payable) through the Online Single Submission (“OSS”) system by submitting the following documents/information:
- Name, sector and sub-sector of the electronic system;
- Standard Industrial Classification Code of the registrant;
- Location of managing, processing and/or storing of the electronic system and electronic data (including personal data);
- Providers for the service of management, processing and/or storing of the electronic system and electronic data (including personal data);
- Website and its URL (if any);
- Domain name system or IP server address;
- Description of the business model, business process, and function of the electronic system; and
- Details of Personal Data processed.
Once the said documents/information have been verified and approved, MOCD will list the name of the ESP (as well as its system) on the MOCD’s website, and then issue a Business Identification Number (Nomor Induk Berusaha – “NIB”) and a Registration Certificate (Tanda Terdaftar Penyelenggara Sistem Elektronik – “TDPSE”) to the relevant private ESP as evidence of successful registration. The Registration Certificate shall be valid for 5 (five) years, and it may be extended thereafter.
On the other hand, the foreign ESP that fulfils the criteria to be registered in Indonesia shall complete the registration form which consists of:
- The identity of the foreign ESP;
- The identity of the head of the company and/or the identity of the person in charge;
- Domicile statement and/or certificate of incorporation that must be translated into Indonesian language by a sworn translator if the documents are non-Indonesian language;
- Number of users from Indonesia; and
- Transaction value originating from Indonesia.
Is there a requirement to notify the supervisory authority / regulator?
The registration mentioned above is sufficient before processing personal data using an electronic system. No further notification is necessary prior to commencing processing activities. However, in terms of transfer of data to another jurisdiction, MR No. 20/2016 requires that it shall be done by coordinating with the MOCD, by:
- Reporting the plan to transfer personal data, which shall include the details of the destination jurisdiction, receiving party, date of transfer, and reason/purpose of the transfer;
- Requesting the assistance of the MOCD for such transfer (if required); and
- Reporting the result of such transfer.
In addition to the foregoing, based on our recent verbal consultation with MOCD, the procedure for the coordination should be as follows:
- the data exporter shall first report the implementation plan for the transfer of personal data prior to conducting the transfer to another jurisdiction. The data exporter shall fill in the form prepared by MOCD for such reporting and shall submit the completed form to MOCD.
- after the cross-border transfer of personal data has been conducted, the data exporter shall report the results of the transfer by filling in the form prepared by MOCD. After filling in the form, the data exporter shall submit the completed form to MOCD.
In relation to the timeline of the above procedure, there is currently no specific timeline/timeframe for the conduct of the abovementioned procedure under MR No. 20/2016. At this point, the data exporter is only required to ensure that (i) the implementation plan for the cross-border transfer of personal data is reported at any time before the cross-border transfer is conducted; and (ii) the results of the cross-border transfer are reported at any time after the cross-border transfer of personal data has been conducted.
Is it possible to register with / notify the supervisory authority / regulator online?
The registration can be done through https://oss.go.id/, by firstly setting up an account at the OSS system prior to submitting the application for obtaining the NIB and TDPSE as explained above.
What are the key data subject rights under the data protection laws of this jurisdiction?
Pursuant to Articles 5 to 13 of Law No. 27/2022, the rights of data subjects are as follows:
- Personal data subjects are entitled to obtain information regarding the clarity of identity, basis of legal interest, purpose of requesting and using personal data, and accountability of the party requesting personal data;
- Personal data subjects have the right to complete, update and/or correct errors and/or inaccuracies of personal data regarding themselves in accordance with the purpose of processing personal data;
- Personal data subjects have the right to obtain access and obtain a copy of personal data regarding themselves in accordance with the laws and regulations;
- Personal data subjects have the right to end the processing, to delete and/or to destroy personal data regarding themselves in accordance with the laws and regulations;
- Personal data subjects have the right to withdraw the consent to process the personal data regarding themselves that have been given to the Personal Data Controller;
- Personal data subjects have the right to submit an objection towards the decision-making actions that are only based on automatic processing, including profiling, which inflict legal consequences or have significant impact on the personal data subjects;
- Personal data subjects have the right to suspend or limit the processing of personal data proportionally according to the purposes for which the personal data is processed;
- Personal data subjects have the right to claim and receive compensation for the violations in the processing of personal data regarding themselves in accordance with the laws and regulations;
- Personal data subjects have the right to obtain and/or use personal data regarding themselves from the Personal Data Controller in a form that is in accordance with the structure and/or format that is commonly used or can be read by electronic systems;
- Personal data subjects have the right to use and send personal data regarding themselves to other Personal Data Controllers, as long as the systems used are able to communicate with each other safely in accordance with the principles of Personal Data Protection pursuant to the Law No. 27/2022.
In addition to the above, Article 26 of MR No. 20/2016 sets out the rights of data subjects, i.e.:
- Confidentiality of their personal data;
- Filing complaints to the MOCD to settle disputes over the failure of the relevant electronic system provider in protecting the confidentiality of their personal data;
- Obtaining access or the opportunity to change or update their personal data without interfering with the personal data management system;
- Obtaining access or the opportunity to receive the history of their own personal data, which has been previously provided to an ESP; and
- Requesting the deletion of their personal data in an electronic system managed by an ESP.
Is there a requirement to appoint a data protection officer (or equivalent)?
Pursuant to Article 53 paragraph (1) of Law No. 27/2022, the Personal Data Controller and Personal Data Processor are required to appoint a Data Protection Officer, in the event that:
- the processing of personal data is for public service interests;
- the core activities of the Personal Data Controller have a nature, scope, and/or objectives that require regular and systematic monitoring of personal data on a large scale; and
- the core activities of the Personal Data Controller consist of processing personal data on a large scale for specific personal data and/or personal data related to criminal actions.
It is important to note that the Constitutional Court of the Republic of Indonesia, through Decision No. 151/PUU-XXII/2024 dated 16 July 2025, has clarified the interpretation of the provision concerning the appointment of a Data Protection Officer. Although the original wording of Article 53 paragraph (1) of Law No. 27/2022 used ‘and’, which has been widely interpreted as requiring all three conditions to be met cumulatively, the Constitutional Court confirmed that the correct interpretation is ‘and/or’. Accordingly, if any one of the three conditions is satisfied, a data controller or data processor is required to appoint a Data Protection Officer.
The in-depth provisions regarding the Data Protection Officer will be further regulated in an implementing regulation in the form of Government Regulation.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Pursuant to Article 34 of Law No. 27/2022, the Personal Data Controller is required to conduct a personal data protection impact assessment in the event that the processing of personal data has a high potential risk to personal data subjects.
Further, the personal data processing activities that have high potential risks include:
- automatic decision-making that has legal consequences or significant impact on personal data subjects;
- processing of specific personal data (i.e. (i) health data and information; (ii) biometric data; (iii) genetics data; (iv) crime records; (v) data of a child; (vi) personal financial data; and/or (vii) other data in accordance with the provisions of the laws and regulations);
- processing of personal data on a large scale;
- processing of personal data for systematic evaluation, scoring or monitoring of personal data subjects;
- processing of personal data for activities of matching or merging a group of data;
- use of new technology in processing personal data; and/or
- processing of personal data which limits the exercise of the rights of Personal Data Subjects.
Does this jurisdiction have any specific data breach notification requirements?
In case of a data breach, Article 46 of Law No. 27/2022 requires a written notification to be served on the personal data subject and the PDP Agency within at the latest 3 x 24 (three (3) times twenty-four) hours, i.e. three (3) calendar days. Such written notification shall at least cover: (i) the personal data that has been breached; (ii) when and how the personal data was breached; and (iii) the efforts of the Personal Data Controller to handle and recover from the disclosure of personal data. In certain circumstances, among others if such data breach disrupts public services and/or has a serious impact on the interests of the community, the Personal Data Controller is also required to notify the general public of the data breach.
As the PDP Agency has not been established, such notification then shall be served to the MOCD as the ministry responsible for communication and informatics matters.
What restrictions apply to the international transfer of personal data / information?
The transfer of personal data to a jurisdiction outside of Indonesia is not restricted but requires coordination with the MOCD as explained above.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Pursuant to Article 2 of Law No. 27/2022, the Law applies to any person, corporation (both legal and non-legal entities), public agency, or international organisation who carries out legal actions set forth in Law No. 27/2022, located:
- inside the Indonesian jurisdiction; and
- outside the Indonesian jurisdiction that has a legal impact (i) within the jurisdiction of the Republic of Indonesia, and/or (ii) for the personal data subjects who are Indonesian citizens residing outside the jurisdiction of the Republic of Indonesia.
Therefore, Law No. 27/2022 applies to, not only the legal subjects within the jurisdiction of the Republic of Indonesia (e.g. Indonesian citizens, foreign citizens, and legal entities located in the Republic of Indonesia), but also applies to the legal subjects outside the jurisdiction of the Republic of Indonesia (e.g. Indonesian citizens, foreign citizens and foreign legal entities located outside of the Republic of Indonesia).
However, there are no further provisions yet in place on the implementation procedure of this extra-territorial effect.
What rules specifically deal with marketing?
The Indonesia PDP Regulations do not contain any provision which specifically governs marketing. The only sector-specific rules concern the marketing of financial instruments such as deposits, insurance and securities, which may only be conducted by licensed entities. Otherwise, the relevant general provisions of the Indonesia PDP Regulations shall be observed and apply to any marketing scheme.
Do different rules apply to business-to-business and business-to-consumer marketing?
N/A
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
As explained above, the Indonesia PDP Regulations do not contain any provision which specifically governs marketing. Please note, however, that the Indonesia PDP Regulations shall apply if the electronic marketing involves or contains personal data. In the financial sector, direct/electronic marketing through personal communication tools may only be conducted after obtaining the approval of the prospective customer, and only from Monday to Saturday, excluding public holidays, between 08.00 and 18.00 local time.
What rules specifically deal with cookies?
The Indonesia PDP Regulations do not contain any provision which specifically governs cookies. The Indonesia PDP Regulations shall apply if the cookies contain personal data.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
N/A.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Pursuant to Articles 65 and 66 of Law No. 27/2022, every person and/or entity is prohibited from:
- unlawfully obtaining or collecting personal data that does not belong to them with the intention of benefiting themselves or another person, which may result in a loss to the personal data subject;
- unlawfully disclosing personal data that is not their own;
- unlawfully using personal data that is not their own; and/or
- creating false personal data or falsifying personal data with the intention of benefiting themselves or others, which may cause harm to other people.
Violation of the above prohibitions by an entity shall result in the imposition of criminal sanctions as regulated under Law No. 27/2022 in the form of fines of at most 10 (ten) times the maximum fine imposed on an individual. Therefore, the sanctions for violation of the above prohibitions include (i) fines of up to IDR60,000,000,000 (sixty billion Rupiah); or (ii) other additional penalties including but not limited to the confiscation of profits and/or assets obtained from, or proceeds of, criminal actions, payment of compensation, and/or permanent prohibition of certain conduct.
In addition to the above, pursuant to Article 57 of Law No. 27/2022, violation of several provisions of Law No. 27/2022, among others the failure of the Personal Data Controller to obtain a basis for the processing of personal data and/or to provide information regarding the processing of personal data to the personal data subject, shall result in the imposition of administrative sanctions, which consist of:
- written admonition;
- temporary suspension of personal data processing activities;
- deletion or destruction of personal data; and/or
- administrative fines of up to 2% (two percent) of the annual income or annual revenue for the violation variable.
Further provisions regarding the imposition of administrative sanctions will be regulated in an implementing regulation in the form of Government Regulation.
What upcoming data protection developments should multinational organisations be aware of?
As mentioned previously, there will be a specific institution in Indonesia (i.e. the Personal Data Protection Agency) which conducts the implementation of personal data protection pursuant to Law No. 27/2022. The PDP Agency will directly be responsible to the President of the Republic of Indonesia. The PDP Agency will conduct, among others:
- The formulation and determination of personal data protection policies and strategies that serve as guidelines for personal data subjects, Personal Data Controllers, and Personal Data Processors;
- The supervision of the implementation of personal data protection;
- The enforcement of administrative sanctions against the violations of Law No. 27/2022; and
- The facilitation of out-of-court dispute resolution.
The PDP Agency will be further regulated in an implementing regulation in the form of Presidential Regulation.
Multinational organisations should be aware of the following upcoming data protection developments:
Law No. 27/2022 is the latest regulation regarding personal data protection in Indonesia. However, please note that Law No. 27/2022 only provides the general provisions of personal data protection and therefore, it needs implementing regulations (e.g. Government Regulation and Presidential Regulation) to ensure that it is being implemented effectively.
On 30 August 2023, the MOCD published a draft government regulation (“Draft PDP GR”) concerning the implementation of Law No. 27/2022 for public discussion and consultation. As of 23 August 2024, the draft is in the harmonisation process (https://pdp.id/rpp-ppdp/1). The following are some of the key provisions of the Draft PDP GR:
- Draft PDP GR broadens the definition of personal data by adding other data in accordance with the provisions of law and regulations. The “other data” is considered as specific personal data if it can potentially create more significant harm to personal data subjects, such as discrimination, material/non-material loss or a violation of the law. The MOCD along with the PDP Agency shall have the authority and discretion to determine and designate additional data as “other data”.
- Under the Draft PDP GR, in case of error or negligence by the personal data controller in processing the personal data, the personal data subject may file material and non-material claims. The material claim shall be in the form of financial compensation equivalent to the losses incurred by the personal data subject. The amount of the material claim will be determined by the appointed party authorised to resolve the dispute outside the court or by the court decision. The non-material claim shall be in the form of corrective action or other means to restore the protection of the personal data.
- Under the Draft PDP GR, in case of a personal data breach, the personal data controller shall not be required to notify the affected personal data subject if the failure of personal data protection will not lead to the disclosure or leakage of personal data.
- Under the Draft PDP GR, in the case of a cross-border personal data transfer, the personal data controller shall fulfil the following requirements: (i) the receiving country has its own personal data protection law; (ii) the receiving country has a personal data protection supervisory authority or agency; and (iii) the receiving country has made an international commitment or is subject to an international treaty or convention on personal data protection. If the foregoing requirements cannot be fulfilled, the personal data controller shall ensure that the receiving country has adequate and binding personal data protection measures, which can be ascertained by the existence of (i) an international agreement entered into by and between the transferring country and the receiving country, (ii) the standard agreement clauses for personal data protection provided by the PDP Agency, (iii) binding corporate rules for a corporate group approved by the PDP Agency, or (iv) any other instrument for personal data protection that is deemed adequate and binding by the PDP Agency. The Draft PDP GR also requires the personal data controller to perform a risk assessment and a legal instruments assessment prior to carrying out the personal data transfer. The personal data controller is also required to assess the necessity of the data transfer and its impact on the rights of the personal data subject.
- Under the Draft PDP GR, the personal data subject and personal data controller may report the dispute among them to the PDP Agency. The dispute settlement facilitated by the PDP Agency will prioritise the mediation process.