<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Indonesia PDP Bill

Indonesia’s personal data protection law.

Book a Demo

What is PDP?

The Personal Information Protection Bill (PDP) is Indonesia’s personal data protection law that was passed in September of this year and became active in October when the President of the country gave his approval of it.

It is the first law of its kind in Indonesia, having been preceded by about 32 separate laws that worked together in an attempt to regulate data privacy and it is modeled after the EU’s GDPR but with some notable differences. 

Penalties range from administrative fines to imprisonment, there is an extraterritorial scope that covers Indonesian citizens even when outside the country, and facial recognition technologies are regulated stricter here.

While the text of the law itself is now in its final version, there are guidelines to be had that would assist organizations in staying compliant with this law, however there is no mention of a time when these will be made available.


What is Personal Information and what are other key definitions?

Indonesian law sees personal data as any information about individuals that can be used either by itself or together with other types of information, whether directly or indirectly, through both electronic and non-electronic means. In this regard, information is understood as any type of information, statement, idea or sign that contains identifiable markers. 

The personal data of individuals is divided into what a translated version of the law calls ‘personal data of a specific nature’ which means health information, biometric data, genetic data, crime records, data of children, personal financial information, etc., and ‘general personal data’ which means an individual’s name, gender, citizenship, religion, marital status, or any other types of information that when combined can identify the individual. So we can say that personal data of a specific nature refers to what other privacy laws call sensitive personal data.

This law makes a distinction between a data controller and a data processor, defining the controller as any person, public body or organization that processes personal data, and the processor as any person, public body, or organization that processes data on behalf of the data controller.


Who has to comply with the PDP?

The PDP applies to any person, public body or international organization that is either located in Indonesia, or whose legal activities target Indonesian individuals, whether the individuals themselves reside in the country or not. This makes the law stand out through its fairly large extraterritorial scope. 

What this means for your organization is that as long as your organization’s processing activities have legal consequences in Indonesia or cover Indonesian citizens located outside of the country, you are required to comply with.

The legal consequences are not defined or explained by the law but an expectation has been created that implementation guidelines would clarify the gaps currently found in the text of the bill.

Who is excluded from PDP compliance? 

Indonesian law exempts personal data processed for personal purposes or within household activities and it also exempts certain obligations of data controllers for one of the below interests, within the context of implementing the law and its regulations: 

  • in the interest of national security and defense;
  • in the context of state administration;
  • in the interest of supervising the financial services sector or other finance related systems and activities carried out in the context of state administration;
  • in the interest of statistics and scientific research.

How can I keep my organization PDP compliant? 

According to the text of the law, there are eight principles that your organization has to follow in order to be compliant, namely: 

  • protection: personal data processing must be carried out in accordance with the initial purpose;
  • legal certainty: personal data collection must be carried out in a limited and specific manner, the collection must be legally valid, and transparent;
  • public interest: personal data processing must be carried out by notifying individuals about the purpose of the processing activities, as well as of any failure in personal data protection;
  • benefit: processing of personal data must be carried out responsibly and be clearly proven;
  • prudence: processing of personal data must be carried out by protecting the security of personal data from unauthorized access, disclosure, alteration, misuse, destruction, and/or loss;
  • balance: processing of personal data must be carried out accurately, completely, not in a misleading manner, must be up to date, and be accounted for;
  • accountability: processing of personal data must be carried out by guaranteeing the rights of data subjects;
  • confidentiality: personal data must be destroyed and/or deleted after the retention period ends or based on the request of the data subjects, unless exceptions outlined in the law apply.

PDP stands out from other data privacy laws by making a special mention regarding visual data processing equipment directly in the law, rather than making it a guideline as the EDPB did, of which it says that visual data processing equipment can only be installed in public places and/or in public service facilities with limited conditions:

  • The installation must be for the purpose of security, disaster prevention, and/or traffic administration or collection, analysis, and regulation of traffic information.
  • Information must be displayed in the areas where visual data processing equipment has been installed.
  • The installation must not be with the goal of identifying individuals.

However, similar to other privacy laws, PDP talks in Article 20 about the requirement of a privacy policy that has to outline several details:

  • the legal basis for the processing of personal data;
  • the purpose;
  • the types of personal data to be processed;
  • the retention period of documents containing personal data;
  • details regarding the information collected;
  • the period of processing of personal data; 
  • data subject access rights.

In the event that a change occurs to any of the above, you are required to notify individuals beforehand of this. 

The Indonesian law includes several other requirements for compliance such as: 

  • you have to show proof of consent that you obtained from the data subject;
  • the personal data of children has a special regimen for processing so consent from the child’s parent or legal guardian has to be obtained before processing has begun;
  • in the case of persons with disabilities, consent has to be obtained from the persons themselves or, where that is not the case, from the legal guardian of the person in question;
  • according to Article 31, as a data controller you are required to keep a record of all processing activities;
  • data protection impact assessments have to be carried out within your organization if the processing of personal data has a high risk potential;
  • regardless of whether you are a data processor or data controller, you are required to appoint a Data Protection Officer (DPO) who is “appointed based on professionalism, knowledge of the law, personal data protection practice, and ability to fulfill their duties,” and who can be appointed either from within or from outside your organization. However, this only applies in the following cases: 
    • the processing of personal data is carried out for the benefit of public service;
    • your core activities as a data controller have the nature, scope, and/or purposes that require regular and systematic monitoring of personal data on a large scale;
    • your core activities as a data controller consist of processing personal data on a large scale and of a specific nature and/or related to criminal acts.

What data access rights does PDP grant? 

PDP grants data subjects with 7 rights as follows: 

  • Right to be informed
  • Right to correct inaccurate information
  • Right to access data
  • Right to delete
  • Right to restrict processing
  • Right to object to automated decision making
  • Right to data portability

There are no differences between these and access rights granted by the GDPR or other data privacy laws. 

PDP Bill Indonesia compliant website with Clym

Book a Demo

How to address data subject access requests under PDP?

Indonesian law offers a very short timeframe for replying to any data subject access request, namely 3 x 24 hours, 3 days from the date of receiving the request. 

This is until now the shortest period of time granted to organizations across the global data privacy map, as every other legislation offers a minimum of 20 days or more, with a possibility of extending this by a number of extra days. This is another difference here as PDP offers no such extension period. 

However, you are allowed to refuse to grant access if one of the following apply: 

  • it would endanger the safety, physical or mental health of the data subject or others;
  • it would result in disclosing personal data about a different individual;
  • it would be against the interest of national defense and security.

Enforcement and penalties

As stated above, Indonesian law includes both administrative fines and/or imprisonment as penalty for violations.

Administrative sanctions can range from a written warning, to temporary ceasing of activity, all the way to administrative fines of up to 2% of the annual income or annual revenue.

In the case of criminal penalties, these can range from a fine between 4,000,000,000 Rp (approx. 257,000$) and 6,000,000,000 Rp (approx. 385,000$) and a prison sentence between 3 and 6 years. 

Additional penalties in the form of confiscation of profits and/or assets obtained or proceeds from criminal acts and payment of compensation may be imposed and, for corporations that are in breach of Article 67 and/or 68, which refer to intentional violations of the law, the penalties imposed may go up to 10 times the maximum penalty imposed as well as:

  • confiscation of profits and/or property obtained as a result of of the criminal violation;
  • freezing of all or parts of the business of the corporation;
  • closure of all or parts of the business of the corporation;
  • forcing the corporation to carry out obligations that it has neglected;
  • payment of compensation;
  • revocation of the corporation’s license;
  • total dissolution of the corporation.

Data Subject Rights - GDPR vs. PDP


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

illustration of contact means


If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
+1 980 446 8535 +1 866 275 2596