Legal Framework for Data Privacy Protection in Indonesia: The PDP Law and Its Implications
The Personal Data Protection Law (Law No. 27 of 2022) was passed on October 17, 2022. This law marks a significant step by the Indonesian government in establishing legal certainty around personal data protection for Indonesian citizens. The PDP Law outlines regulations on the collection, processing, storage, and deletion of personal data. This law has been highly anticipated, as personal data was previously covered only by sector-specific regulations.
1. Types of Personal Data Protected
According to the PDP Law, personal data is classified into two main types:
- General Personal Data: Data that is non-sensitive but can still identify an individual, including names, addresses, email addresses, phone numbers, and other identity-related information.
- Specific Personal Data: More sensitive data with potentially severe impacts if misused. This includes health information, biometrics, genetic data, political views, religious beliefs, financial records, data on minors, and data relating to criminal records.
The processing of these two types of data comes with different limitations and obligations, especially for specific personal data, which requires stricter security.
2. Data Owner Rights
The PDP Law grants data owners specific rights that must be respected by data controllers. These rights include:
- Right to Access: Data owners can request access to their personal data and understand how it is used.
- Right to Rectification: Data owners can request corrections to their data if there are inaccuracies.
- Right to Erasure: Data owners can request deletion of their data under certain conditions.
- Right to Withdraw Consent: Data owners can withdraw prior consent regarding the use of their personal data.
- Right to Data Portability: Data owners have the right to request the transfer of their data to another party.
Any violation of these rights may result in sanctions as specified in the PDP Law.
3. Obligations of Data Controllers and Processors
The PDP Law also differentiates between Data Controllers and Data Processors:
- Data Controllers are those who determine the purposes of, and exercise control over, personal data processing, such as companies or organizations collecting customer data.
- Data Processors are parties that process data as instructed by the Data Controller, usually partners or technology service providers.
Key obligations for both parties include:
- Ensuring Data Security: Active measures must be taken to protect data from unauthorized access, destruction, or breaches.
- Obtaining Explicit Consent: Before collecting data, controllers must obtain the data owner’s consent, which should be clear, specific, and revocable at any time.
- Transparency in Data Processing: Data controllers and processors must be transparent about the purpose of data use and the period of data storage.
- Data Deletion and Destruction: Personal data must be deleted or destroyed after it is no longer used or upon request by the data owner.
4. Sanctions and Legal Consequences
The PDP Law establishes sanctions for violations of data protection regulations. These sanctions include:
- Administrative Sanctions: Warnings, administrative fines, temporary suspension of data processing, and operational license revocation.
- Criminal Sanctions: Applied for severe violations involving large-scale data leaks or misuse of sensitive data. Criminal penalties may include hefty fines and/or imprisonment.
- Compensation for Data Owners: Data owners who suffer losses can seek compensation from the controller or processor found to have violated the PDP Law.
5. Supervision and Law Enforcement by Regulatory Authority
To ensure the implementation of the PDP Law, the Government has designated a Personal Data Protection Supervisory Authority under the Ministry of Communication and Information Technology (Kominfo). This authority is responsible for:
- Receiving and investigating complaints related to data breaches.
- Developing technical guidelines and public education programs for businesses and the public.
- Issuing warnings, reprimands, and other enforcement actions if violations of the PDP Law are found.
The Personal Data Protection Law (PDP Law) is a significant step toward safeguarding the rights of citizens regarding personal data in the face of a rapidly developing digital era. While there are challenges in implementing this law—particularly in public awareness and readiness of supervisory authorities—there are also significant opportunities to build a secure and trustworthy digital environment. With the commitment of all stakeholders, including the government, businesses, and the public, effective personal data protection in Indonesia can be achieved.