Updated: Jan 4
The principal law governing data protection in Indonesia is Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended by Law No. 19 of 2016 (“Electronic Information Law”). In addition to the Electronic Information Law, rules governing personal data protection are also found in Government Regulation No. 71 of 2019 regarding the Implementation of Electronic Systems and Transactions (“GR 71”) and Minister of Communication and Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data (“MOCI Reg. 20”). The Electronic Information Law, GR 71, and MOCI Reg. 20 are collectively referred to as the “PDP Regulations”.
The key principles that apply to the processing of personal data are as follows:
The PDP Regulations do not expressly identify transparency as a key principle, but the principle of transparency is reflected in certain obligations that apply to Electronic System Providers (“ESPs”). For example, ESPs must notify data subjects of data breaches within 14 days after the discovery of such breach.
Lawful Basis for Processing
The PDP Regulations mandate the obtainment of consent for any processing of personal data. In addition to consent, GR 71 stipulates other lawful bases other than consent for processing personal data, which are: (1) processing an individual’s personal data in order to satisfy the obligations of a contract or to fulfil the request of such personal data owner when concluding an agreement; (2) the fulfilment of the legal obligation of the personal data controller in line with the applicable laws and regulations; (3) guarding the vital interest of the personal data owner; (4) performing the legal obligation of the personal data controller; (5) performing the obligation of a public service personal data controller in the interest of the public; and (6) satisfying another valid interest of the personal data controller and/or the personal data owner.
Note, however, that the wording used in the relevant clause regarding lawful bases is rather ambiguous and may be interpreted to mean that consent is still required despite the existence of these lawful bases.
Although GR 71 uses the term “data controller” to define the above lawful bases, it provides no further guidance on the legal obligations of the data controller or their role and responsibilities. Moreover, GR 71 and the PDP Regulations do not define data processors or distinguish them from data controllers. Therefore, we understand that “data controllers” above primarily refer to ESPs.
MOCI Reg. 20 provides that one of the key forms of personal data protection is that the processing of personal data must be in accordance with the original purpose of its processing. Further, GR 71 provides that ESPs must disclose the purpose of their processing of personal data to the data subjects.
MOCI Reg. 20 provides that ESPs may only use the personal data of data subjects in accordance with the needs of the data subjects. Further, GR 71 provides that ESPs must put in place a mechanism that accommodates the deletion of personal data if it has outlived its relevance.
The PDP Regulations do not address the proportionality principle.
MOCI Reg. 20 provides that ESPs must retain personal data for a minimum period of five years unless stipulated otherwise by sectoral regulations. Data may be retained beyond the five-year period if it is to be used in accordance with its initial purpose.