Indonesia Personal Data Protection Law No. 27 Year 2022
The Indonesian Parliament finally approved the long-awaited Personal Data Protection Law No. 27 Year 2022 on 20 September 2022, after discussions that had run since 2019. The law was initiated by the Government and is largely modeled on the European Union's General Data Protection Regulation ("GDPR"). Under the law's transitional clause, existing data privacy legislation remains in force to the extent it does not contradict the Law. The Law applies to individuals, companies (whether legal entities or not), public institutions (i.e. the executive, legislative and judicial organs of the state) and international organizations in Indonesia that process personal data. These parties have two (2) years to comply with the Law's requirements. The Law also applies to parties processing personal data outside Indonesia where that processing has legal effect within Indonesia's territory or on Indonesian citizens overseas.
This Law among others regulates:
- Any party who determines the purpose of processing and controls personal data is referred to as the Data Controller. Processing of personal data may be carried out by two (2) or more Data Controllers.
- Any party who processes personal data in the name of / on behalf of the Data Controller is referred to as the Data Processor.
- Principles of personal data processing/handling by the Data Controller, which include:
a. Protection of the rights of the data subject under the Law
b. Lawful grounds for processing data
c. Collection of personal data that is limited, specific, legally legitimate and transparent
d. Processing of personal data only for a specific purpose
e. Personal data kept accurate and up to date
f. Processing in a manner that ensures the security of personal data against illegal/unlawful/unauthorized access, disclosure, alteration, misuse, destruction and loss
- The Data Processor shall only process personal data on the instruction of the Data Controller.
- Before processing, the following information shall be notified to the data subjects:
a. The purpose of collection and processing
b. The type of data being processed and its relevance to the purpose
c. The retention period
d. The processing period
e. The rights of the data subject
- The six legal grounds for processing personal data are:
a. Written or recorded consent from the data subject (either electronic or manual); or
b. Fulfillment of a contractual obligation; or
c. Fulfillment of the Data Controller's legal obligation; or
d. Protection of the vital interests of the data subject; and/or
e. Performance of a task required in the public interest or for public service, or the exercise of the Data Controller's authority under regulations
f. Fulfillment of other legitimate interests, subject to consideration of the purpose and need, and a balancing of the Data Controller's interests against the rights of the data subjects
- The Data Processor must appoint a Data Protection Officer (DPO) if the personal data is large scale and processed for the public interest; the processing requires regular and systematic monitoring; and the personal data is of a specific type and/or crime-related.
- The data subject has the right, among others, to access and obtain a copy of his/her personal data, to have personal data deleted, to withdraw consent, and to claim compensation for breaches of his/her personal data.
- If a failure or breach of data protection occurs, the data processor must send written notification to the affected data subjects and to the authority within 3 x 24 hours. The written notice must specify which type of data was disclosed, when and how the breach occurred, and any remedial action taken to mitigate the harm.
- Breach of personal data protection is subject to criminal sanctions of up to 6 years' imprisonment and/or a monetary fine of up to Rp 6.000.000.000. If the breach is committed by a company, the sanction is 10 times the monetary fine imposed on an individual, plus additional sanctions such as revocation of the business license.
If the processing of personal data involves more than one (1) Data Controller, or if the Data Processor is a third party, there must be an agreement between the Data Controllers and an agreement between the Data Controller and the Data Processor.
Disclaimer: This article is intended as general information only and does not constitute legal advice. We accept no responsibility for any loss that may arise from reliance on this information. Please contact us if you need full legal advice.