Compliance with the Personal Data Protection Law: How will it affect Indonesian and offshore businesses?

Does the PDP Law immediately apply to, and must it be implemented by data controllers/processors?

Referring to the PDP Law’s transitional provision, data controllers/processors have 2 (two) years from 17 October 2022 to comply with the PDP Law. It is worth noting that notwithstanding the transitional period, businesses need to explore certain measures within this period to ensure that its operations are in line with the provisions under the PDP Law.

What are the obligations of the data controller under the PDP Law?

The PDP Law requires data controllers to, among others:

• provide information to data subject regarding the legality and purpose of the personal data processing, type and relevance of the personal data to be processed, retention period, details on the information collected, data processing period, and personal data subject’s rights, before collecting their personal data;
• notify data subject, or notify in general through mass media, regarding the transfer of personal data in relation to merger, spin-off, acquisition, consolidation, or dissolution;
• ensure the country where the receiving data controller is located has an adequate or higher level of data protection in the event that offshore data transfers are conducted, and if such a condition cannot be fulfilled then the data controller must ensure appropriate and binding personal data protection. Consent of data subject for offshore data transfer must only be obtained by the data controller if the previous 2 conditions cannot be fulfilled; and
• maintain the confidentiality of personal data.

It is also interesting that the PDP Law now introduces the 72 (seventy two) hour rule where businesses are required to:

• notify affected data subject regarding instances of data breach no later than 72 (seventy two) hours;
• update and/or correct errors and/or inaccuracies in personal data no later than 72 (seventy two) hours after the request by the personal data subject;
• provide access to data subject no later than 72 (seventy two) hours after the request by the data subject;
• terminate personal data processing and erase personal data no later than 72 (seventy two) hours after the withdrawal of data subject’s consent; and
• delay and limit processing activity no later than 72 (seventy two) hours after the request by the personal data subject.

What are the rights of data subjects under the PDP Law?

Data subjects have the following rights:

• to obtain information regarding identity clarity, basis of legal interest, purpose of requesting and using personal data, and accountability of parties that request personal data;
• to complete, update and/or correct errors and/or inaccuracies in personal data regarding themselves in accordance with the purpose of the personal data processing;
• to access and obtain a copy of personal data regarding themselves;
• to obtain and/or use personal data regarding themselves from a personal data controller in a form that is in accordance with the structure and/or format commonly used or readable by an electronic system;
• to use and send personal data regarding themselves to other personal data controllers;
• to delete, and/or destroy personal data regarding themselves;
• to withdraw consent with regard to the processing of personal data regarding themselves that has been given to a personal data controller;
• to object to a decision-making action that is based solely on automated processing, including profiling, which has legal consequences or significant impact on  data subjects;
• to delay or limit the personal data processing in proportion to the purpose of personal data processing; and
• to sue and receive compensation for violations of the processing of personal data regarding themselves

It is critical for businesses to understand and ensure that the data subjects’ rights are respected when collecting and/or processing their personal data.

What are the sanctions for non-compliance with the PDP Law?

PDP Law adopts two types of sanctions, which comprise administrative sanctions and criminal sanctions.

Violations of the provisions within the PDP Law will be met with administrative sanctions, as follows:

1. written reprimand;
2. an order to temporarily suspend the personal data processing activities;
3. an order to erase or destroy the personal data; and/or
4. fines of maximum 2% of the gross annual income.

We understand that the fines will be regulated further pending the issuance of an implementing regulation.

Violations of the prohibited actions, which include unlawful collection, disclosure, and/or use and falsifying of personal data, will be subject to criminal sanctions ranging from four to six years imprisonment and/or criminal fines ranging from IDR 4 to 6 billion for individuals. For corporations, the criminal fines will be multiplied by a maximum of 10 times, amounting to a maximum of IDR 50 billion or approx. USD 3,182,878.

There are also additional sanctions for corporations in the form of, among others:

• confiscation of profits and/or assets obtained or proceeds from the crimes;
• suspension of the entire or part of the corporation’s business;
• permanent prohibition of certain actions;
• shutdown of the entire or part of the corporation’s place of business and/or activities;
• fulfilment of neglected obligations;
• payment of compensation;
• license revocation; and/or
• dissolution of the corporation.

Note:

It is worth noting that the above view might change should the government issue further implementing regulations of the PDP Law in the future. This alert cannot be deemed as our formal legal advice.

Authored by Chalid Heyder, Teguh Darmawan, and Andera Rabbani.