Armand Yapsunto Muharamsyah & Partners (AYMP)

 

The following law(s) specifically govern personal data / information:

The Minister of Communication and Information (“MOCI”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic System (“MR No. 20/2016”), which principally implements the data protection provisions enshrined under Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 (“Law No. 11/2008”) in conjunction with Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (“GR No. 71/2019”) (MR No. 20/2016, Law No. 11/2008, and GR No. 71/2019, shall be referred as “Indonesia PDP Regulations”). However, the said regulation only covers the protection of data in electronic systems, as the comprehensive general law on protection of personal data is still being finalised in Indonesia’s House of Representatives.

 

The key data protection principles in this jurisdiction are:

Article 2 of MR No. 20/2016 provides that data protection shall be conducted based on a key principle of good personal data protection, which includes:

  1. Having due regards towards personal data as private;
  2. Personal data is confidential in nature, in accordance with the consent of the data subject and/or based on the provisions of laws and regulations;
  3. Obtaining sufficient consent from the data subject, and basing its processing activities on such consent;
  4. The data processing shall be relevant to the purpose of acquisition, collection, processing, analysing, storage, display, announcement, delivery, and dissemination;
  5. Limiting processing activities to what is necessary;
  6. Ensuring the suitability of the utilized electronic system;
  7. Having the good faith to immediately notify data subjects of any failure in relation to personal data protection or data breach;
  8. Ensuring the availability of internal regulation for the management of personal data protection;
  9. Having responsibility toward any personal data under its possession;
  10. Ensuring ease of access to and correction of personal data for data subjects; and
  11. Ensuring the integrity, accuracy, and validity of personal data, and ensuring that personal data is up to date.

 

The supervisory authority / regulator in charge of data protection is:

The authority who oversees data protection, as stipulated under the Indonesia PDD Regulations, is the Minister of Communication and Information, and specifically its Director General of Informatics Application. Certain fields of personal data are also under the supervision of sectoral authority, such as Financial Services Authority (OJK) on the personal data collected in the financial services sector.

 

Is there a requirement to register with a supervisory authority / regulator?

GR No. 17/2019 requires the entity or person providing, managing, and/or operating an electronic system, which function is to prepare, collect, process, analyse, store, display, announce, transmit, and/or disseminate electronic information (including personal data) to register itself as an Electronic System Provider (“ESP”) to the MOCI, if it possesses the portal, website, or application which are used to, among others, process personal data for operational activities for the public in relation to electronic transactions. The registration has to be done once (without any fee being payable) through the Online Single Submission (OSS) System. The registrant shall firstly obtain a Business Identification Number (Nomor Induk Berusaha – NIB) and process to submit the following details to complete the registration:

  1. Name, sector and sub-sector of the electronic system;
  2. Standard Industrial Classification Code of registrant;
  3. Location of managing, processing and/or storing if the electronic system and electronic data (including personal data);
  4. Providers for the service of management, processing and/or storing if the electronic system and electronic data (including personal data);
  5. Website and its URL (if any);
  6. Name of Domain system or IP Server address;
  7. Description on business model, business process, and function of system electronics; and
  8. Details of Personal Data processed.

 

Is there a requirement to notify the supervisory authority / regulator?

The registration mentioned above is sufficient before processing personal data using an electronic system. No further notification is necessary prior to commencing processing activities. However, in terms of transfer of data to another jurisdiction, MR No. 20/2016 requires that it shall be done by coordinating with MOCI, by:

  1. Reporting the plan to transfer personal data, which shall include the details of destination jurisdiction, receiving party, date of transfer, and reason/purpose of the transfer;
  2. Requesting the assistance of MOCI for such transfer (if required); and
  3. Reporting the result of such transfer.

However, we note there is no further procedure regulated or made available with regards to the coordination with MOCI for overseas data transfer.

 

Is it possible to register with / notify the supervisory authority / regulator online?

The registration can be done through https://app.oss.go.id/app/#front/home, by firstly setting up an account and obtaining a Business Identification Number (Nomor Induk Berusaha – NIB) before processing to such registration.

 

The key data subject rights under the data protection laws of this jurisdiction are:

Article 26 of MR No. 20/2016 sets out the rights of data subjects, i.e.

  1. Confidentiality of their personal data;
  2. Filing complaints to MOCI to settle disputes over the failure of the relevant electronic system provider in protecting the confidentiality of their personal data;
  3. Obtain access or the opportunity to change or update their personal data without interfering with the personal data management system;
  4. Obtain access or the opportunity to receive the history of their own personal data, which has been previously provided to an ESP; and
  5. Request the deletion of their personal data in an electronic system managed by an ESP.

In addition to the above, GR No. 71/2019 also acknowledge the right of erasure by the data subject, i.e., erasing any electronic personal data which:

  1. Are obtained and processed without the consent of data subject;
  2. Had its underlying consent revoked;
  3. Are obtained and processed illegally;
  4. Are no longer in accordance with the purpose of which it was obtained based on agreement and/or laws and regulations;
  5. Have exceeded its usage period based on agreement and/or laws and regulations; and/or
  6. Are causing loss for the data subject by being displayed by the ESP.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Article 28 of MR No. 20/2016 requires the designation of a contact person by ESP for inquiring the data processing activity. However, we note that such a role is not a data protection officer, where it is not recognised under the Indonesia PDP Regulations.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

There are no provisions on data protection impact assessments, as well as circumstances requiring such assessments under Indonesia PDP Regulations.

 

Does this jurisdiction have any specific data breach notification requirements?

In case of a data breach, Article 28 of MR No. 20/2016 and Article 14 of GR No. 71/2019 requires a written notification to be served to the data subject, explaining reason or causes of such breach. Such a notification may be served electronically if the data subject consented to it beforehand and shall be served within 14 (fourteen) days upon becoming aware of such breach.

Further, the notification to MOCI is also required in the case of a failure or a disruption caused by third party to the electronic system, including a data breach which has a serious impact. However, there is no further elaboration on how to define a data breach as having a serious impact or not.

 

The following restrictions apply to the international transfer of personal data / information:

The transfer of personal data to a jurisdiction outside of Indonesia is not restricted but requires coordination with MOCI as explained above.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Article 2 of Law No. 11/2008 stated that the law extends its applicability to the actions (of data processing) of individuals or legal entity outside of Indonesia when its actions cause (i) legal implication within the territory of Indonesia; and/or (ii) undermining Indonesian interests.

Accordingly, the breach of personal data in a foreign jurisdiction which involves an Indonesian data subject may trigger this extra-territorial effect of this law. To enable this provision, Article 21 of GR No. 71/2019 provided that if the electronic data is being managed, processed, and/or stored in the jurisdiction out of Indonesia, the PSE shall ensure the effectivity of the supervisory activity by MOCI or other law-enforcement-institution.

However, there are no further provisions in place on the implementation procedure of this extra-territorial effect.

 

The following rules specifically deal with marketing:

There are no specific rules governing marketing except for marketing of financial instruments such as deposit, insurance, securities which can only be conducted by licensed entities. The relevant general provisions within the Indonesia PDP Regulations shall be observed and applicable in the marketing scheme.

The Indonesia PDP Regulations does not contain any provision which specifically governs marketing.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

As explained above, the Indonesia PDP Regulations does not contain any provision which specifically governs marketing.

 

The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):

The Indonesia PDP Regulations does not contain any provision which specifically governs marketing.

 

The following rules specifically deal with cookies:

The Indonesia PDP Regulations does not contain any provision which specifically governs cookies.

 

The consequences of non compliance with data protections laws (including marketing laws) are:
What are the consequences of non compliance with data protections laws (including marketing laws) within your jurisdiction? Please provide an overview of the level of fines that may be imposed by a supervisory authority/regulator.

Based on MR No. 20/2019, failing to comply with the provisions on data protection therein shall subject the offender with the administrative sanction of:

  1. written warnings;
  2. administrative fines;
  3. temporary suspension; and
  4. announcement in MOCI’s website.

GR No. 71/2019 also stipulated similar administrative sanctions for the noncompliance with data protection provisions therein, i.e.

  1. written warnings;
  2. administrative fines;
  3. temporary suspension;
  4. termination of access to the ESP’s electronic system; and
  5. blacklisting

The regulation does not further specify the level of fines imposable toward the offender of incompliance to the data protection provisions.

 

In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:

Principally, the processing of personal data of Indonesian data subjects through an electronic system requires the processor to register as the ESP. MOCI Regulation No. 5 of 2020 on the ESP in the Private Sector further affirmed that the ESP established or domiciled in a foreign jurisdiction, who are providing services, conducting business in Indonesia, and/or its electronic system are used/offered in Indonesia, is still subject to such registration requirement. As the registration is to be done online through OSS, MOCI and OSS are still developing a procedure for the foreign ESP in such registrations.

 

Multinational organisations should be aware of the following upcoming data protection developments:
Are there any upcoming data protection developments that a multinational organisation should be aware of?

Currently, the bill on comprehensive law on protection of personal data is still being finalised in the Indonesia House of Representatives. The bill has been assessed by MOCI since 2014 and was included in the national legislative programme in 2020 but has not yet been passed. It is reported the bill is optimistically targeted to be passed within 2021. Several important aspects to be included in the data protection bill includes the rights of data subject, introduction of the concept of data controller and data processor, classification of general personal data and specific personal data (which requires extra protection), the requirements of processing data as well as overseas transfer of personal data.

 

 

Search by:

Need more information?
Contact a member firm:
Gunadarma
Armand Yapsunto Muharamsyah & Partners
Indonesia