Introduction

The Government of Indonesia issued Law No.27 of 2022 on Protection of Personal Data (PDP Law) on 17 October 2022 (Effective Date). Please refer to our client update (here: link) for a general brief overview of the PDP Law.

The PDP Law is very broadly drafted to have potential extra-territorial reach outside of Indonesia if there will be any legal consequences: (a) within Indonesia; and/or (b) for Indonesian citizens outside Indonesia. Therefore, it is crucial for international or multinational companies to ensure their compliance with the PDP Law.

Depending on the violation, the PDP Law provides the following administrative sanctions (which again, may have extra-territorial reach):

1. written warnings;
2. temporary suspension of personal data processing;
3. erasure or destruction of personal data; and
4. administrative fines (2% of annual income or annual revenue).

The PDP Law also contains criminal penalties for certain illegal acts.

Transition period

All data controllers¹, data processors² and other related parties involved in the processing of personal data have been given a transition period of two years after the Effective Date (i.e., to 16 October 2024) to adjust to and comply with the PDP Law. We anticipate that government supervision as well as enforcement will increase following the end of the transition period.

Guidance with your personal data protection policies

Ensuring compliance with the PDP Law may pose challenges for many businesses, particularly international and multinational companies. With potentially serious consequences and a deadline approaching, ensuring legal compliance from the outset is imperative.

The main areas in which we have been assisting and advising clients with their PDP Law compliance requirements are set out below:

1. data subject rights, data controller obligations, and requirements for data transfer outside of Indonesia;
2. preparing (or reviewing) privacy policies or notices (required under the PDP Law);
3. preparing data processing and/or transfer agreements for either intra or extra group companies; and
4. preparing for and dealing with data breach incidents (including preparing a report to be submitted to the relevant government body (if applicable)).

Should you require our assistance with advising on the PDP Law or preparing any of the above documents, our team would be delighted to share their experience and expertise with you.