š®š© Indonesia
Informations
Extracts :
Extract :
No mention of the subject rignt related to Citizens outside their jurisdiction
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"For instance, the PDP Law includes a broad exterritorial scope provision that will apply to organizations as long as their processing activities have legal consequences in Indonesia or cover Indonesian citizens outside of Indonesia. "
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways and Context
Information on Indonesia's PDP bill
Link to reference Extracts :
Extract :
No mention of the subject rignt related to Persons within their jurisdiction
2021
Reference :
India Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"For instance, the PDP Law includes a broad exterritorial scope provision that will apply to organizations as long as their processing activities have legal consequences in Indonesia or cover Indonesian citizens outside of Indonesia. "
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways and Context
Information on Indonesia's PDP bill
Link to reference Extracts :
Extract :
No mention of the subject rignt related to Legal entities
2021
Reference :
India Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
The PDP Law applies to persons, public bodies, and international organizations that process personal data or otherwise perform legal acts recognized under the law in the jurisdiction of Indonesia (Art 2). Persons refer to both natural individuals and corporations (natural and legal persons), while public bodies are organizations that fulfill core administrative functions and receive some funds from state budgetary agencies
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways and Context
Information on Indonesia's PDP bill
Link to reference Extracts :
Extract :
No mention of the data controller's obligation/responsibility to Organizations located outside the jurisdiction processing regulated subjects data.
2021
Reference :
India Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"For instance, the PDP Law includes a broad exterritorial scope provision that will apply to organizations as long as their processing activities have legal consequences in Indonesia or cover Indonesian citizens outside of Indonesia. "
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways and Context
Information on Indonesia's PDP bill
Link to reference Extracts :
Extract :
"With respect to the personal data controller, the PDP Bill provides that the personal data controller must be responsible for the processing of personal data and demonstrate its responsibility in fulfilling the obligations of implementing the personal data protection principle.Meanwhile, the personal data processor's responsibility is limited to conducting the processing of personal data based on instruction or order of the personal data controller, unless otherwise provided under the laws and regulations."
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
Similar to other data protection laws, the PDP Law distinguishes between āPersonal Data Controllersā and āPersonal Data Processors.ā āControllersā refer to any person, public body, or international organization acting individually or together to determine the purpose and exercise control of personal data processing. Article 1 defines a processor as the party that processes personal data on behalf of the controller.Ā
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways and Context
Information on Indonesia's PDP bill
Link to reference Extracts :
Extract :
Like other data protection laws inspired by the GDPR, the PDP Law appliesĀ extraterritoriallyĀ to covered actors outside of Indonesia (Art 2). However, unlike other laws, this extraterritorial effect applies as long as the processing of personal data has legal consequences (i) in Indonesia or (ii) for personal data subjects of Indonesian citizens outside of Indonesia. This applicability covers more processing activities than typically seen in other data protection frameworks.
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways and Context
Information on Indonesia's PDP bill
Link to reference Extracts :
Extract :
Extracts :
Extract :
"Sensitive data: This term is not explicitly defined but 'specific personal data' is defined as personal data which, in its processing, may have a bigger impact on the personal data subject, such as discriminatory acts and other losses to the personal data subject (Article 3 of the PDPL and Article 7(2) of the Draft PDPL Implementing Regulation). Specific personal data includes (Article 3 of the PDPL and Article 7(1) of the PDPL Implementing Regulation Draft):
data and information regarding health;
biometric data;
genetic data;
criminal records;
data of children;
personal financial data; and/or
any other data in accordance with the relevant laws and regulations."
2023
Reference :
Indonesia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"Sensitive data: This term is not explicitly defined but 'specific personal data' is defined as personal data which, in its processing, may have a bigger impact on the personal data subject, such as discriminatory acts and other losses to the personal data subject (Article 3 of the PDPL and Article 7(2) of the Draft PDPL Implementing Regulation). Specific personal data includes (Article 3 of the PDPL and Article 7(1) of the PDPL Implementing Regulation Draft):
data and information regarding health;
biometric data;
genetic data;
criminal records;
data of children;
personal financial data; and/or
any other data in accordance with the relevant laws and regulations."
2023
Reference :
Indonesia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"Sensitive data: This term is not explicitly defined but 'specific personal data' is defined as personal data which, in its processing, may have a bigger impact on the personal data subject, such as discriminatory acts and other losses to the personal data subject (Article 3 of the PDPL and Article 7(2) of the Draft PDPL Implementing Regulation). Specific personal data includes (Article 3 of the PDPL and Article 7(1) of the PDPL Implementing Regulation Draft):
data and information regarding health;
biometric data;
genetic data;
criminal records;
data of children;
personal financial data; and/or
any other data in accordance with the relevant laws and regulations."
2023
Reference :
Indonesia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"Sensitive data: This term is not explicitly defined but 'specific personal data' is defined as personal data which, in its processing, may have a bigger impact on the personal data subject, such as discriminatory acts and other losses to the personal data subject (Article 3 of the PDPL and Article 7(2) of the Draft PDPL Implementing Regulation). Specific personal data includes (Article 3 of the PDPL and Article 7(1) of the PDPL Implementing Regulation Draft):
data and information regarding health;
biometric data;
genetic data;
criminal records;
data of children;
personal financial data; and/or
any other data in accordance with the relevant laws and regulations."
2023
Reference :
Indonesia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"Sensitive data: This term is not explicitly defined but 'specific personal data' is defined as personal data which, in its processing, may have a bigger impact on the personal data subject, such as discriminatory acts and other losses to the personal data subject (Article 3 of the PDPL and Article 7(2) of the Draft PDPL Implementing Regulation). Specific personal data includes (Article 3 of the PDPL and Article 7(1) of the PDPL Implementing Regulation Draft):
data and information regarding health;
biometric data;
genetic data;
criminal records;
data of children;
personal financial data; and/or
any other data in accordance with the relevant laws and regulations."
2023
Reference :
Indonesia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
There is nothing in the official text on this.
2022
Reference :
Indonesia Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2019
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
" Unlawful Collection, Disclosure, or Use ā Under Article 67, a person that unlawfully collects or uses personal data that falls under the criminal provisions of the law could receive maximum imprisonment of five years and/or a maximum fine of 5 billion rupiah. Those that disclose information, in the same manner, may face up to four years in jail and/or a maximum fine of 4 billion Rupiah. In all circumstances, authorities may confiscate profits or assets obtained from the criminal offense (Art 69).
Unlawful Creation of False Data ā Article 68 imposes a similar penalty for individuals and organizations that intentionally create false data. In these circumstances, a court may impose a six-year term of imprisonment, a maximum fine of 6 billion rupiah, and/or confiscate assets obtained in the illegal act. "
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways, and Context
Information on Indonesian criminal penalties
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"PDP Regulations
Under Article 12 of GR 71, ESPs must apply risk management towards damages or losses that they incurred. Such provision provides the meaning of 'risk management' as conducting risk analysis and for- mulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system which it manages.
PDP Bill
More elaborated provisions pertaining to Data Protection Impact Assessment ('DPIA') are contained in the PDP Bill. Article 27(b) of the PDP Bill obliges controllers to protect and ensure the safety of personal data by determining the safety level of personal data through considering the nature and risk to per- sonal data during processing. The language of such provision indicates that a DPIA must be done when- ever a data process occurs."
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"There is no mandatory requirement to appoint a data protection officer ('DPO'). Under the PDPA, ap- pointment of a DPO would be at the discretion of the company. However, the Enforcement Rules sug- gest that a company shall allocate sufficient manpower to handle the relevant matters.
In addition, the Enforcement Rules state that in taking proper security and maintenance measures as required by Article 6 of the PDPA, measures taken by non-government agencies could include, among other things, allocating management personnel and substantial resources, establishing a mechanism of risk assessment and management of personal data, and establishing a mechanism of preventing, giving notice of, and responding to a data breach (Article 12(1) of the Enforcement Rules)."
2021
Reference :
Taiwan Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The fundamental principle of data processing is the existence of consent from the data subject. This approval indicates the freedom for the data subject to object to any form of processing with which they
disagree."
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"There is no provision concerning the right to data portability in the PDP Regulations."
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"All data subjects have the right to object to any automated decision-making processes, including profiling, that may significantly impact the data subjects.
Further provisions relating to how data subjects may exercise their right to object to automated decision-making will be provided in future government regulations."
2023
Reference :
Indonesiaās Protection of Personal Data Law: Explained
Information on Indonesia's data protection regulation | Securiti
Link to reference Extracts :
Extract :
ā8.1. Right to be informed
The following information should be provided to data subjects at the point of collection of the personal
data:
ā¢ the purpose of the collection of the personal data;
ā¢ other possible purposes that may arise in the future that would involve processing the personal
data; and
ā¢ a contact person who can be easily contacted by the data subject related to the management
of their personal data.ā
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"8.2. Right to access
Pursuant to Article 26 of Kominfo Regulation 20, data subjects are entitled to:
ā¢ obtain access or the opportunity to change or update their personal data without interfering
with the personal data management system, unless otherwise provided by applicable laws and regulations; and
ā¢ obtain access or the opportunity to receive the history of their personal data, which has been
given to an ESP insofar as it is still in accordance with the applicable laws and regulations."
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
Kominfo Regulation 20 provides that data subjects shall be entitled to gain access or opportunity to alter
or renew their personal data without disrupting the personal data management system, unless stipulated
otherwise by the provisions of laws and regulations. This shall mean that data subjects can rectify
its personal data in cases of inaccuracy, so long as it doesn't disrupt the personal data management
system.
Such right is also mentioned in Article 59(2)(d) of GR 80, which provides that personal data shall be accurate
and up to date. This should be achieved by giving the data subject the chance to update their personal
data."
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
A data subject is entitled to request the deletion of their personal data, or it may be erased once the
storage time limit lapses, provided that such request is in accordance with the applicable laws and regulations.
In this regard, GR 71 distinguishes the rights of the data subject into the right to erasure and the right to
delisting in which the ESP is then obliged to delete electronic information no longer under its control. In
particular, Article 15 of GR 71 defines the right to erasure as erasing irrelevant information or electronic
documents (including those obtained without the person's consent), whereas the right to delisting
means to delist such information from the internet search engine through a court order."
2021
Reference :
Indonesia Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Much like other data protection laws, the PDP Law requires processors to perform the processing based on an agreement with the controller under its supervision. However, the PDP Law leaves the ultimate responsibility for data processing with the controllers unless processing occurs outside the agreement, in which case it is the responsibility of the processor. Notably, some obligations of the controllers extend to processors following specific provisions in the PDP Law (see Section 5).
Article 51(4) explicitly permits processors to engage other organizations in sub-processing arrangements ā but requires that they obtain written consent from the controller before involving other processors. It is unclear if generalized consent to the use of sub-processors would satisfy this requirement, though this may be clarified in forthcoming regulations."
2022
Reference :
Indonesia's Personal Data Protection Bill: Overview, Key Takeaways and Context
Information on Indonesia's PDP bill
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Section 10: The data fiduciary shall be responsible for complying with the provisions of the Bill in respect of any processing undertaken by it or on its behalf."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - IND
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference | Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Communications and Information Technology Ministry (Kementerian Komunikasi dan Informatika, or KOMINFO) | Yet to form | Regulator | Govt authority/ministry | |
| Indonesian Broadcasting Commission (KPI) | Yet to form | Regulator | Govt authority/ministry | |
| Electronic Transactions and Information Security Agency (BSSN) | Yet to form | Regulator | Govt authority/ministry | |
| Indonesian Anti-Monopoly and Unfair Business Practices Commission (Komisi Pengawas Persaingan Usaha, or KPPU) | Yet to form | Regulator | Govt authority/ministry | |
| Ministry of Trade (Kementerian Perdagangan, or KEMENPERDAG) | Yet to form | Regulator | Govt authority/ministry | |
| Financial Services Authority (Otoritas Jasa Keuangan, OJK) | Yet to form | Regulator | Govt authority/ministry | |
| The PDP Institution | Yet to form | Regulator | Govt authority/ministry |
| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| PDP Law | Personal Data Protection Law (PDPL) | General privacy/data protection law | 2022 | Active | 2022 | Several aspects |