UPDATE: DRAFT IMPLEMENTING REGULATIONS OF INDONESIA PERSONAL DATA PROTECTION LAW
Indonesian Attorney-at-Law
フィエスタ ヴィクトリア
On 20 September 2022 the Indonesian Parliament finally passed the Personal Data Protection Bill, which had been under discussion for more than 8 years. The Bill has been formally promulgated as law by publication in the State Gazette and has been in effect since 17 October 2022 (“PDP Law”). The Government believes that the new PDP Law is crucial to raising the level of data protection in Indonesia to that of other countries that have adopted more developed data protection rules and regulations, amidst a sequence of data security breaches in the country, including recent hacks of the Government’s system that gained access to sensitive Government information. Modelled on the European Union's General Data Protection Regulation (GDPR), Indonesia's PDP Law regulates all forms of data processing, including acquisition and collection, storing, updating and correcting, as well as deleting. The PDP Law is designed to be the foundation of Indonesian data protection regulations, and it is hoped that it will provide a more consistent and unified basis for the protection of personal data across all business sectors. This was not necessarily the case with the previous data privacy regulations, which took a more sectoral approach and were therefore spread across different sets of regulations.
“Personal Data” is any data related to an individual (natural person) or “Data Subject” that is identified or identifiable, independently or in combination with other information, directly or indirectly, through the use of an electronic system and/or non-electronic means.
Personal Data is classified into:
a. General Personal Data, which includes:
ⅰ. Full name;
ⅱ. Gender;
ⅲ. Nationality;
ⅳ. Religion;
ⅴ. Marital status; and/or
ⅵ. Personal Data that is combined to identify a person.
b. Specific Personal Data, which includes:
ⅰ. Data and information on health;
ⅱ. Biometric data;
ⅲ. Genetic data;
ⅳ. Criminal records;
ⅴ. Children’s data;
ⅵ. Personal financial data; and/or
ⅶ. Other data in accordance with the laws and regulations.
A few notable requirements/changes introduced by the PDP Law:
Non-compliance with the requirements of the PDP Law may result in administrative sanctions in the form of written warnings, a temporary ban on personal-data processing, deletion or destruction of Personal Data, and/or administrative fines.
In addition, certain criminal offenses under the PDP Law are subject to imprisonment and/or fines, and/or the following additional sanctions:
a. Seizure of assets obtained or generated from the crime;
b. Freezing of all or part of the corporation’s business;
c. Permanent prohibition on carrying out certain actions;
d. Closure of all or part of the corporation’s business premises and activities;
e. An order to carry out an obligation that has been neglected;
f. Payment of compensation;
g. Revocation of license; and/or
h. Dissolution of the corporation.
Organizations have a 2-year grace period to adjust their operations in line with the PDP Law’s requirements. You are advised to reassess your Personal Data protection policies and practices to ensure they comply with the new PDP Law. There is no specific timeline for the issuance of the implementing regulations.
Please let us know if you have further questions or require our assistance on this matter.
[1] A Data Controller determines the purpose and controls the Personal Data processing. A Data Processor processes the Personal Data on behalf of the Data Controller.
The information provided in this article does not, and is not intended to, constitute legal advice and is for general informational purposes only. Readers of this article should contact an attorney to obtain advice with respect to any particular legal matter.