The Indonesian PDP Law
Indonesia’s Personal Data Protection Law (PDP Law), enacted as Law No. 27 of 2022 and in force since 17 October 2022, is the country’s first comprehensive legal framework governing how personal data is collected, used, stored and shared. Organizations were given a two-year transition period, which ended in October 2024, to bring their processing into compliance.
Who Does This Apply To?
Any organization or individual that processes personal data within Indonesia, and any organization or individual outside Indonesia whose processing has legal effects in Indonesia or affects Indonesian data subjects. Where the organization is physically established does not determine whether the law applies; the location and nationality of the people whose data is processed does.
What Is Personal Data?
The PDP Law defines personal data as any information that identifies an individual, either directly or when combined with other data. It distinguishes between general personal data (e.g., full name, gender, nationality, religion, marital status, and any combination of data that identifies a person) and what the law calls specific personal data, commonly referred to as sensitive personal data (e.g., health data, biometric and genetic data, criminal records, personal financial data, and children’s data). Specific personal data carries higher risk and is subject to stricter protection requirements; processing it at scale is one of the triggers for a mandatory data protection impact assessment (DPIA).
Data Subjects' Rights Under Indonesian PDP Law
The PDP Law gives individuals rights intended to ensure their data is handled transparently and securely. In practice this means organizations must be able to justify what they do with personal data and respond, within the statutory timeframes, to individuals who want more control over their information. Individuals have the following rights:
- Right to Be Informed – Know who is collecting data, why, and how it will be used
- Right of Access – Request a copy of personal data
- Right to Rectification – Correct inaccurate or incomplete data
- Right to Erasure – Request deletion of data, subject to legal conditions
- Right to Restrict or Object – Limit or object to certain types of processing
- Right to Data Portability – Receive data in a usable format and transfer it elsewhere
- Right to Withdraw Consent – Revoke consent at any time
- Right to Redress – File complaints or seek compensation for unlawful processing
- Right to Object to Automated Decisions – Challenge decisions made solely through automated processing, including profiling
Cross-Border Data Transfer Requirements
A data controller transferring personal data outside Indonesia must first ensure that the destination country provides a level of personal data protection equal to or higher than that of the PDP Law. If it does not, the controller must put in place adequate and binding protections for the data (for example, binding corporate policies or contractual clauses that impose the law’s obligations on the recipient). If neither of these is possible, the transfer may only go ahead with the consent of the data subject. Organizations should document which of these three bases they rely on for each international transfer, as the order matters: consent is the fallback, not the default.
Data Protection Officers [DPO]
Organizations are required to appoint a DPO when their processing is carried out for the purpose of delivering public services, when their core activities require regular and systematic large-scale monitoring of personal data, or when their core activities consist of large-scale processing of specific (sensitive) personal data or criminal record data. The DPO is responsible for overseeing compliance with the PDP Law, advising on data protection risks and how to mitigate them, and keeping compliance measures current as the organization’s processing changes.
Breach Detection, Reporting, and Remediation
When a personal data breach occurs, the data controller is required to notify the affected data subjects and the data protection authority established under the law, in writing, within 3 x 24 hours (72 hours) of the breach. Data processors should be bound by contract to alert the controller promptly enough for the controller to meet this deadline. The notification must include:
- The personal data that was disclosed
- When and how the data was disclosed
- The measures taken to handle the breach and recover from it
If the breach disrupts public services or seriously affects the public interest, the controller must also make a public announcement in addition to the individual notifications.
Repercussions and Penalties for Violating Indonesia's PDP Law
Organizations that violate the PDP Law may face administrative sanctions, ranging from written warnings and temporary suspension of processing to deletion of the data and administrative fines of up to 2% of annual revenue, for failures such as not obtaining a valid legal basis, not reporting breaches, or not handling personal data properly. The law also creates criminal offences for individuals: unlawfully collecting personal data for gain or using personal data that is not one’s own carries imprisonment of up to five years and fines of up to IDR 5 billion; unlawfully disclosing personal data carries up to four years and IDR 4 billion; and falsifying personal data carries the heaviest penalty, up to six years and IDR 6 billion (roughly USD 400,000 at recent exchange rates). Where the offence is committed by a corporation, fines can be increased to up to ten times the maximum and additional penalties such as confiscation of profits or suspension of business activities can apply. In addition, data subjects have a statutory right to compensation, so organizations may be required to compensate individuals harmed by a breach or by misuse of their personal data.
PDP Law Compliance Checklist
To comply with Indonesia’s PDP Law, organizations should focus on these core areas:
- Governance & Accountability – Assign data protection responsibility and document policies
- Data Processing & Consent – Ensure a lawful basis for each processing activity and clear, recorded consent where consent is that basis
- Data Subject Rights – Enable access, correction, deletion, portability and consent withdrawal within the statutory timeframes
- Security & Breach Response – Implement technical and organizational safeguards and a breach response process that can meet the 72-hour notification deadline
- Third-Party & Cross-Border Transfers – Apply contractual safeguards for processors and vendors and document the legal basis for each international transfer
- Training & Review – Train staff and regularly review compliance practices
Key steps to implement:
- Conduct a privacy gap analysis
- Map and inventory personal data, distinguishing general from specific (sensitive) personal data
- Update privacy notices
- Align internal policies with the PDP Law
- Appoint a DPO (if required)
- Apply privacy by design
- Perform DPIAs for high-risk processing
Going Forward
Indonesia’s PDP Law marks a significant shift toward stronger data protection and accountability for organizations handling personal data. With the transition period over, organizations must take a proactive approach by implementing clear policies, safeguarding data, and respecting individual rights. As the supervisory authority and implementing regulations take shape and enforcement practice develops, ongoing review and adaptation will be key to minimizing risk and maintaining trust.