Indonesia PDP Bill

Who is excluded from PDP compliance? 

Indonesian law exempts personal data processed for personal purposes or within household activities and it also exempts certain obligations of data controllers for one of the below interests, within the context of implementing the law and its regulations: 

• in the interest of national security and defense;
• in the context of state administration;
• in the interest of supervising the financial services sector or other finance related systems and activities carried out in the context of state administration;
• in the interest of statistics and scientific research.
  
  

How can I keep my organization PDP compliant? 

According to the text of the law, there are eight principles that your organization has to follow in order to be compliant, namely: 

• protection: personal data processing must be carried out in accordance with the initial purpose;
• legal certainty: personal data collection must be carried out in a limited and specific manner, the collection must be legally valid, and transparent;
• public interest: personal data processing must be carried out by notifying individuals about the purpose of the processing activities, as well as of any failure in personal data protection;
• benefit: processing of personal data must be carried out responsibly and be clearly proven;
• prudence: processing of personal data must be carried out by protecting the security of personal data from unauthorized access, disclosure, alteration, misuse, destruction, and/or loss;
• balance: processing of personal data must be carried out accurately, completely, not in a misleading manner, must be up to date, and be accounted for;
• accountability: processing of personal data must be carried out by guaranteeing the rights of data subjects;
• confidentiality: personal data must be destroyed and/or deleted after the retention period ends or based on the request of the data subjects, unless exceptions outlined in the law apply.

PDP stands out from other data privacy laws by making a special mention regarding visual data processing equipment directly in the law, rather than making it a guideline as the EDPB did, of which it says that visual data processing equipment can only be installed in public places and/or in public service facilities with limited conditions:

• The installation must be for the purpose of security, disaster prevention, and/or traffic administration or collection, analysis, and regulation of traffic information.
• Information must be displayed in the areas where visual data processing equipment has been installed.
• The installation must not be with the goal of identifying individuals.

However, similar to other privacy laws, PDP talks in Article 20 about the requirement of a privacy policy that has to outline several details:

• the legal basis for the processing of personal data;
• the purpose;
• the types of personal data to be processed;
• the retention period of documents containing personal data;
• details regarding the information collected;
• the period of processing of personal data; 
• data subject access rights.

In the event that a change occurs to any of the above, you are required to notify individuals beforehand of this. 

The Indonesian law includes several other requirements for compliance such as: 

• you have to show proof of consent that you obtained from the data subject;
• the personal data of children has a special regimen for processing so consent from the child’s parent or legal guardian has to be obtained before processing has begun;
• in the case of persons with disabilities, consent has to be obtained from the persons themselves or, where that is not the case, from the legal guardian of the person in question;
• according to Article 31, as a data controller you are required to keep a record of all processing activities;
• data protection impact assessments have to be carried out within your organization if the processing of personal data has a high risk potential;
• regardless of whether you are a data processor or data controller, you are required to appoint a Data Protection Officer (DPO) who is “appointed based on professionalism, knowledge of the law, personal data protection practice, and ability to fulfill their duties,” and who can be appointed either from within or from outside your organization. However, this only applies in the following cases: 
• the processing of personal data is carried out for the benefit of public service;
• your core activities as a data controller have the nature, scope, and/or purposes that require regular and systematic monitoring of personal data on a large scale;
• your core activities as a data controller consist of processing personal data on a large scale and of a specific nature and/or related to criminal acts.
  
  

What data access rights does PDP grant? 

PDP grants data subjects with 7 rights as follows: 

• Right to be informed
• Right to correct inaccurate information
• Right to access data
• Right to delete
• Right to restrict processing
• Right to object to automated decision making
• Right to data portability

There are no differences between these and access rights granted by the GDPR or other data privacy laws. 

How to address data subject access requests under PDP?

Indonesian law offers a very short timeframe for replying to any data subject access request, namely 3 x 24 hours, 3 days from the date of receiving the request. 

This is until now the shortest period of time granted to organizations across the global data privacy map, as every other legislation offers a minimum of 20 days or more, with a possibility of extending this by a number of extra days. This is another difference here as PDP offers no such extension period. 

However, you are allowed to refuse to grant access if one of the following apply: 

• it would endanger the safety, physical or mental health of the data subject or others;
• it would result in disclosing personal data about a different individual;
• it would be against the interest of national defense and security.
  
  

Enforcement and penalties

As stated above, Indonesian law includes both administrative fines and/or imprisonment as penalty for violations.

Administrative sanctions can range from a written warning, to temporary ceasing of activity, all the way to administrative fines of up to 2% of the annual income or annual revenue.

In the case of criminal penalties, these can range from a fine between 4,000,000,000 Rp (approx. 257,000$) and 6,000,000,000 Rp (approx. 385,000$) and a prison sentence between 3 and 6 years. 

Additional penalties in the form of confiscation of profits and/or assets obtained or proceeds from criminal acts and payment of compensation may be imposed and, for corporations that are in breach of Article 67 and/or 68, which refer to intentional violations of the law, the penalties imposed may go up to 10 times the maximum penalty imposed as well as:

• confiscation of profits and/or property obtained as a result of of the criminal violation;
• freezing of all or parts of the business of the corporation;
• closure of all or parts of the business of the corporation;
• forcing the corporation to carry out obligations that it has neglected;
• payment of compensation;
• revocation of the corporation’s license;
• total dissolution of the corporation.
  
  

Data Subject Rights - GDPR vs. PDP