
Compliance with the Personal Data Protection Law: How will it affect Indonesian and offshore businesses?

08 December 2022

Given the extraterritorial approach adopted by Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), the enactment of the PDP Law will affect not only the way Indonesian businesses navigate the personal data protection regulatory compliance landscape, but also offshore businesses. We set out below notable topics that businesses need to be aware of:

Index
  1. Does the PDP Law immediately apply to, and must it be implemented by data controllers/processors?
    1. What are the obligations of the data controller under the PDP Law?
    2. What are the rights of data subjects under the PDP Law?
    3. What are the sanctions for non-compliance with the PDP Law?

Does the PDP Law immediately apply to, and must it be implemented by data controllers/processors?

Under the PDP Law’s transitional provision, data controllers/processors have 2 (two) years from 17 October 2022 to comply with the PDP Law. Notwithstanding the transitional period, businesses need to explore certain measures within this period to ensure that their operations are in line with the provisions of the PDP Law.

What are the obligations of the data controller under the PDP Law?

The PDP Law requires data controllers to, among other things:

  • provide information to data subjects regarding the legality and purpose of the personal data processing, the type and relevance of the personal data to be processed, the retention period, details of the information collected, the data processing period, and the personal data subject’s rights, before collecting their personal data;
  • notify the data subject, or notify in general through mass media, regarding the transfer of personal data in relation to a merger, spin-off, acquisition, consolidation, or dissolution;
  • ensure, where offshore data transfers are conducted, that the country where the receiving data controller is located has an adequate or higher level of data protection; if that condition cannot be fulfilled, the data controller must ensure appropriate and binding personal data protection. The data subject’s consent to an offshore data transfer must be obtained by the data controller only if the previous 2 conditions cannot be fulfilled; and
  • maintain the confidentiality of personal data.

The PDP Law also now introduces a 72 (seventy-two) hour rule, under which businesses are required to:

  • notify affected data subjects regarding instances of data breach no later than 72 (seventy-two) hours;
  • update and/or correct errors and/or inaccuracies in personal data no later than 72 (seventy-two) hours after the request by the personal data subject;
  • provide access to the data subject no later than 72 (seventy-two) hours after the request by the data subject;
  • terminate personal data processing and erase personal data no later than 72 (seventy-two) hours after the withdrawal of the data subject’s consent; and
  • delay and limit processing activity no later than 72 (seventy-two) hours after the request by the personal data subject.

What are the rights of data subjects under the PDP Law?

Data subjects have the following rights:

  • to obtain information regarding identity clarity, basis of legal interest, purpose of requesting and using personal data, and accountability of parties that request personal data;
  • to complete, update and/or correct errors and/or inaccuracies in personal data regarding themselves in accordance with the purpose of the personal data processing;
  • to access and obtain a copy of personal data regarding themselves;
  • to obtain and/or use personal data regarding themselves from a personal data controller in a form that is in accordance with the structure and/or format commonly used or readable by an electronic system;
  • to use and send personal data regarding themselves to other personal data controllers;
  • to delete and/or destroy personal data regarding themselves;
  • to withdraw consent with regard to the processing of personal data regarding themselves that has been given to a personal data controller;
  • to object to a decision-making action that is based solely on automated processing, including profiling, which has legal consequences or a significant impact on data subjects;
  • to delay or limit the personal data processing in proportion to the purpose of personal data processing; and
  • to sue and receive compensation for violations of the processing of personal data regarding themselves.

It is critical for businesses to understand and ensure that the data subjects’ rights are respected when collecting and/or processing their personal data.

What are the sanctions for non-compliance with the PDP Law?

The PDP Law adopts two types of sanctions: administrative sanctions and criminal sanctions.

Violations of the provisions within the PDP Law will be met with administrative sanctions, as follows:

  1. written reprimand;
  2. an order to temporarily suspend the personal data processing activities;
  3. an order to erase or destroy the personal data; and/or
  4. fines of a maximum of 2% of the gross annual income.

We understand that the fines will be regulated further pending the issuance of an implementing regulation.

Violations of the prohibited actions, which include unlawful collection, disclosure, and/or use and falsifying of personal data, will be subject to criminal sanctions ranging from four to six years imprisonment and/or criminal fines ranging from IDR 4 to 6 billion for individuals. For corporations, the criminal fines will be multiplied by a maximum of 10 times, amounting to a maximum of IDR 50 billion or approx. USD 3,182,878.

There are also additional sanctions for corporations in the form of, among others:

  • confiscation of profits and/or assets obtained or proceeds from the crimes;
  • suspension of the entire or part of the corporation’s business;
  • permanent prohibition of certain actions;
  • shutdown of the entire or part of the corporation’s place of business and/or activities;
  • fulfilment of neglected obligations;
  • payment of compensation;
  • license revocation; and/or
  • dissolution of the corporation.

Note:

It is worth noting that the above view might change should the government issue further implementing regulations of the PDP Law in the future. This alert cannot be deemed as our formal legal advice.

 

 

Authored by Chalid Heyder, Teguh Darmawan, and Andera Rabbani.

 

Contacts
Chalid Heyder
Office Managing Partner
Jakarta
Teguh Darmawan
Counsel
Jakarta
Andera Rabbani
Associate
Jakarta