On 17 October 2022, Law no. 27 of 2022 on Personal Data Protection ("PDP Law") was finally issued and published. Our team has summarized the key provisions brought into effect by this PDP Law. This summary should be worth your time if your business and investment, whether within or outside of Indonesia, deal with what the PDP Law defines as Personal Data.
And here’s the summary:
- The types of Personal Data are specified in more detail in the PDP Law. First, "Personal Data" essentially means personally identifiable data of any individual person, whether standalone or combined with other information, and whether accessed directly or indirectly through electronic or non-electronic systems. It comprises Specific Personal Data (e.g., biometric data, crime records, etc.) and General Personal Data (e.g., full name, citizenship, combined personal data used to identify a person, etc.).
- There is now a much clearer differentiation between a Controller and a Processor of Personal Data. A Controller is any person, public entity or international organization that acts, individually or jointly, in determining the purpose of data processing and exercising control over Personal Data, whereas a Processor is a party appointed by a Controller to process Personal Data.
The PDP Law, however, does not give any detailed examples of what it means by a Controller and a Processor, respectively. Still, this differentiation seems to indicate the government's aim to hold accountable not just the party with immediate access to certain Personal Data (the Controller), but also anyone cooperating with that party to process it (the Processor).
The PDP Law also imposes various obligations on Controllers and Processors, respectively. These obligations include maintaining confidentiality, preventing any illegal and unauthorized access, supervising each party involved in personal data processing, and ensuring that data owners' other rights are fulfilled.
- There is now more clarity in terms of the rights of Personal Data Owners. These rights include:
  - To be informed of the purposes of the use of his/her Personal Data;
  - To renew, revise, and/or complete his/her Personal Data in the event of a discrepancy in the Personal Data;
  - To gain access to and receive copies of his/her Personal Data;
  - To terminate, delete and/or destroy his/her Personal Data;
  - To withdraw granted consent;
  - To object to any decision based on automated processing; and
  - To postpone or limit processing of any Personal Data.
These rights indicate that there are now clearer legal grounds for anyone who believes he/she deserves to be compensated over another party's failure to protect, control or process his/her Personal Data. This holds even if the Privacy Policy of, say, your online platform does not explicitly state any of the above rights.
- A Controller is obliged to obtain prior written or recorded consent, whether electronic or non-electronic, from each data owner before processing their Personal Data. If a Controller fails to do so, its data processing activities can be deemed null and void. "Null and void" means the activities are treated as never having existed, and all related objects must be restored to the condition they were in before the activities were carried out, as if the activities had never taken place.
- A Controller is obliged to end the processing of, and/or to delete, Personal Data, once certain conditions are fulfilled. One of these conditions is if requested by a data owner. The PDP Law, however, does not clearly state how a request should be filed by the data owner.
- If there is a transfer of Personal Data resulting from an M&A transaction involving a Controller, the Controller is required to notify data owners of the transfer. This indicates that the government is taking Personal Data more seriously, now as valuable assets affected by M&A. The PDP Law, however, does not explain what a data owner can do in response to such a notification. Can he/she object to the M&A being concluded? Or does his/her objection extend only to demanding that his/her Personal Data no longer be accessed by the Controller?
- A Data Protection Officer must now be appointed by a Controller and a Processor if certain conditions are met. This Officer can be appointed from within or outside of the corporate organization.
Each related party is given a maximum of two years to comply with this PDP Law. Granted, the period is relatively long. But it is highly advisable to get a head start in making the necessary adjustments.
This constitutes merely our initial review of the PDP Law and must not be treated as our legal opinion. Any use of this other than for your internal or personal reference is prohibited unless prior written consent has been obtained from us.
Should you have any questions, feel free to contact us through:
Ronaldi Reisman (Co-Founding Partner): rreisman@rspstrategic.com
Gustaf Josua (Associate): gjosua@rspstrategic.com
Celine Tangnandez Wijaya (Associate): cwijaya@rspstrategic.com