Data Protection Policy
Pt IBF Net Indonesia (hereafter “IBFNet”) administers the following sites:
- Netversity.io site, at https://netversity.io/
1. Governing Texts
The concern of data protection exists wherever personal data is collected or stored. As general guidance, Indonesia protects the data of its citizens in the Constitution of the Republic of Indonesia 1945 (‘the Constitution’). In particular, Article 28G of the Constitution states that ‘each person shall have the right to the protection of their selves, families, respect, dignity, and possessions under their control.’
Nevertheless, at present, no law explicitly regulates data protection in Indonesia in a comprehensive manner. The provisions applicable for data protection in Indonesia are found in several regulations.
1.1. Key acts, regulations, directives, bills
In the past decades, Indonesia’s data protection laws have undergone significant progress and development. To date, Indonesia has enacted various laws relating to data privacy in several areas. Most notably, Indonesian citizens are entitled to the protection of their data collected under Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) (‘the Demography Law’), which came into force on 24 December 2013.
Personal data protection laws and regulations
Further to the above, there are provisions governing the protection of personal data specified in the realm of electronic systems which apply to electronic service providers (‘ESPs’), hereafter referred to as ‘the PDP Regulations’.
Such provisions can be found in Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions (only available in Indonesian here) (‘the Electronic Information Law’), which came into force on 25 November 2016. The procedural guidelines for the Electronic Information Law are contained in Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (only available in Indonesian here) (‘GR 71’), which revokes the previous Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transactions (‘GR 82’).
The Electronic Information Law provides that, unless otherwise regulated, the use of any information about a person’s data through electronic media requires the consent of such person. The elucidation of the Electronic Information Law provides that the protection of personal data is a part of the right to privacy which encompasses the following:
- the right to enjoy a private life, free of any disturbance;
- the right to communicate with other people without any espionage; and
- the right to monitor the access of information about a person’s personal life and data.
To further clarify and implement data protection in electronic systems, the Minister of Communication and Information (‘Kominfo’) issued, on 1 December 2016, Regulation No. 20 of 2016 on Personal Data Protection in Electronic System (‘Kominfo Regulation 20’). Kominfo Regulation 20 came into force on 1 December 2016. It established consent as the core foundation of data privacy protection under Indonesian privacy laws, so all processing can only be implemented after obtaining consent from the data subject.
Most recently, the Government of Indonesia (‘the Government’) further clarified the scope of protection for personal data by issuing Government Regulation No. 40 of 2019 on the Implementation of Law No. 23 of 2006, as amended by Law No. 24 of 2013 on Demographic Administration (only available in Indonesian here) (‘GR 40’). GR 40 came into force on 24 May 2019.
Furthermore, the activity of trading through electronic systems is governed by Government Regulation No. 80 of 2019 regarding Trading through Electronic System (only available to download in Indonesian here) (‘GR 80’).
Finally, as mentioned above, in October 2019, the Government issued GR 71, which came into force on 10 October 2019 and, aside from reaffirming existing concepts of personal data protection encapsulated in present Indonesian data protection regulations, contains several previously unrecognized additions to ESPs’ obligations with regard to the protection of personal data previously set out in GR 82.
Draft law on personal data protection
In addition to the PDP Regulations outlined above, the Indonesian House of Representatives (‘DPR’) is in the process of discussing a draft of the Personal Data Protection Act (only available in Indonesian here) (‘the PDP Bill’). The enactment of the PDP Bill would result in the first comprehensive law in Indonesia that deals explicitly with protecting personal data, particularly data under the control of a private data controller.
As of April 2021, the PDP Bill is still being examined under stage I of discussions (out of 2 stages) by the DPR and relevant ministries appointed by the President. The examination was expected to be completed in early or mid-2021, yet as of now, the progress remains stagnant.
The primary reference for personal data protection in Indonesia is the PDP Regulations. There are no notable guidelines or best practices commonly adopted by relevant stakeholders in personal data protection.
Personal data in the health sector is also governed under the Ministry of Health Regulation No. 269/MENKES/PER/III/2008 on Medical Record (only available in Indonesian here) which provides for obligations regarding the storing, deletion, and confidentiality of medical records.
Meanwhile, in the field of banking, personal data is also governed under the Bank Indonesia Regulation No. 22/20/PBI/2020 regarding Protection of Bank Indonesia Consumer (only available in Indonesian here) which regulates the obligation for banking or non-banking entities which are under the supervision of Bank Indonesia to keep the confidentiality and security of its consumers’ data (e.g., requirement of consumer’s consent before transferring their data).
1.3. Case Law
Cases on breaches of the Electronic Information Law primarily concern defamation through electronic platforms. There are only very few notable cases concerning unlawful acts specifically regarding personal data protection.
Some of the notable/landmark cases concerning personal data protection are outlined below.
Constitutional Court Decision No. 20/PUU-XIV/2016
Decision No. 20/PUU-XIV/2016 (only available in Indonesian here) was submitted by Setya Novanto, the former speaker of the DPR. He requested that the Constitutional Court of the Republic of Indonesia (‘the Constitutional Court’) adjudicate the constitutionality of several Articles about interception and evidence contained in the Electronic Information Law (before the latest amendment was issued) and Law No. 20 of 2001 on the Amendments to Law No. 31 of 1999 regarding the Eradication of Criminal Acts of Corruption (only available in Indonesian here) (‘the Corruption Law’). The articles concerned were Article 5(1) and (2) and Article 44(b) of the Electronic Information Law and Article 26A of Corruption Law, which state that electronic information and/or documents are valid evidence before a court. The main contention of the applicant was that the articles mentioned above did not provide limitations regarding the type of electronic information and/or documents that are valid evidence before a court, therefore opening up the possibility of admitting electronic information and/or documents that are obtained through the unlawful interception by an unauthorized party.
In its decision, the Constitutional Court, while acknowledging that interception may impinge on the right of individuals, emphasized that there were already several legal bases that stipulate the procedure for a lawful interception. In addition, the Constitutional Court held that the interpretation of the term ‘electronic information and/or documents’ in the context of evidence before a court will contradict the Constitution unless it is interpreted alongside the phrase ‘[e]lectronic information and/or electronic documents obtained under applicable laws and regulations and/or carried out in the framework of law enforcement at the request of the Police, Attorney General’s Office, the Corruption Eradication Commission, and/or other law enforcement agencies.’
Therefore, the Constitutional Court limited the scope of valid ‘electronic information and/or documents’ evidence in courts to electronic information and/or documents obtained by law and/or carried out by law enforcement agencies.
Central Jakarta District Court Case No. 235/PDT.G/2020/PN.JKT.PST
Central Jakarta District Court Case No. 235/PDT.G/2020/PN.JKT.PST (only available to download in Indonesian here) is the most recent notable case regarding data protection law. The parties involved in the case are the Indonesian Consumer Community (‘KKI’), acting as plaintiff, and Kominfo and PT Tokopedia, as defendants. The case concerns the recent leakage of Tokopedia’s consumer personal data for approximately 15 million accounts. However, since the case is still ongoing, the Court has not issued a decision. We believe the Court decision on this matter would become a notable precedent case that may impact data protection law going forward.
Other than the cases above, it is also essential to note a significant allegation of personal data leakage that occurred in Indonesia in May 2021 involving Indonesia’s Health Social Security Administrator Body (‘BPJS Kesehatan’). The leak was alleged to involve approximately 279 million personal data. As of August 2021, there is still no publicly available record of a court decision about this allegation.
2. Scope of Application
2.1. Personal Scope
The PDP Regulations primarily focus on electronic information. Accordingly, the personal scope of the PDP Regulations is relatively broad as demonstrated through the definition of an ESP under the PDP Regulations, which seems to be generic. An ‘ESP’ is defined as every person, state administrator, business entity, and community providing, managing, and/or operating an electronic system, either individually or jointly, for electronic system users for its purpose and/or another party’s purpose.
In this regard, the term ‘electronic system’ is defined in GR 71 and Kominfo Regulation 20 as a set of electronic devices and procedures that prepare, collect, process, analyze, retain, display, publish, transmit, and/or disseminate electronic information. In this case, the interpretation applied by Kominfo is that any person or entity that stores data electronically would be considered an ESP using an electronic system and therefore subject to the PDP Regulations.
Furthermore, GR 71 distinguishes two types of ESP: public scope ESPs and private scope ESPs. Public scope ESPs are:
- state administrative agencies, defined in GR 71 as legislative, executive, and judiciary institutions at the central and regional level; and
- other agencies formed under laws and regulations; and
- institutions appointed by state administrative agencies.
The latter refers to institutions providing electronic systems with a public scope on behalf of the appointing state administrative agency. It should be noted that Article 2(4) of GR 71 excludes public scope ESPs which are regulatory and supervisory authorities in the financial sector.
In contrast, the definition of private scope ESPs covers the provision of electronic systems by individuals, business entities, and the public, which includes:
- ESPs regulated or supervised by the ministries or institutions based on laws and regulations; and
- ESPs with portals, sites, or applications in a network via the internet that are used for specific purposes, such as providing, managing, and/or operating offers and/or trade of goods and/or services, including ESPs whose electronic system is used and/or offered in Indonesia (Article 2(5)(b) of GR 71).
The provisions of the PDP Bill apply to individuals, legal entities, business entities, government institutions, public entities, and civil society organizations.
2.2. Territorial Scope
The data protection provisions of the Electronic Information Law apply extra-territorially in certain circumstances. In particular, Article 2 of the Electronic Information Law states that the Electronic Information Law ‘applies to every person who commits a legal act as regulated under this Law, both who are within Indonesian jurisdiction and outside of Indonesian jurisdiction, and which has legal consequences in Indonesian jurisdiction and/or outside of Indonesian jurisdiction and which is detrimental to Indonesia’s interest.’
The elucidation of Article 2 further emphasizes the extraterritorial scope. These provisions have been enacted considering that the use of information technology for electronic information and electronic transactions can be cross-territorial or universal.
The phrase ‘[d]etrimental to Indonesia’s interest’ should be construed to include, but not be limited to, detriments to national economic interests, strategic data protection, the dignity of the nation, state defense and security, state sovereignty, citizens, as well as Indonesian legal entities.
The provisions of the PDP Bill apply to entities both in and outside of the territory of Indonesia where their actions:
- result in legal consequences within the territory of Indonesia; and/or
- affect Indonesian citizens in and outside of the territory of Indonesia.
2.3. Material Scope
Kominfo Regulation 20 regulates the following processes:
- acquisition and collection;
- processing and analyzing;
- display, publication, transmission, dissemination, and/or access opening; and
On the other hand, Article 56(4) of GR 40 grants access to personal data for national security and law enforcement, subject to approval from the Minister of Home Affairs.
The provisions of the PDP Bill specifically regulate sensitive personal data, which consists of data related to religion, health, physical and mental conditions, sexual life, personal financial data, and other personal data that may endanger or harm the privacy of the data subject.
Please note that the DPR has since confirmed that data relating to sexual orientation may be deleted from the PDP Bill and therefore may not be regulated therein.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
No general data protection authority, regulatory body, or organization is specifically responsible for protecting personal information and ensuring that legal subjects (e.g., individuals and companies) comply with data protection laws. Furthermore, there is no central records database in Indonesia.
Nevertheless, Kominfo is empowered to carry out government affairs in the field of communication and information technology, under Presidential Regulation No. 54 of 2015 concerning the Ministry of Communication and Information Technology (only available in Indonesian here) and Kominfo Regulation No. 6 of 2018 concerning Organization and Work Procedure of the Ministry of Communication and Information Technology (only available in Indonesian here).
Furthermore, under Article 85 of the Demography Law, the personal data of citizens shall be maintained accurately and protected by the administrator and executive agency.
The PDP Bill provides a data protection authority that will have the authority to ensure that the implementation of personal data complies with the provisions under the PDP Bill. The data protection authority is the Central Information Commission based on Law No. 14 of 2008 on Public Information Disclosure (only available in Indonesian here).
3.2. Main powers, duties, and responsibilities
According to the PDP Regulations, the Government is encumbered with the duty of supervision, advocacy, evaluation, enforcement, and other conduct necessary to ensure personal data protection. Furthermore, both the Electronic Information Law and GR 71 contain provisions that require the Government to protect public interests in electronic communication. In particular, the Government is empowered, among other things, to determine the national cybersecurity strategy and regulate information security standards.
Furthermore, Kominfo is authorized, among other things, to formulate and implement policies as well as technical guidance and supervision in communication and information technology.
As for the administrator and executive agency referred to in the Demography Law, Articles 1(6) and (7) of the Demography Law stipulate that the administrator agency consists of the central government, provincial government, and regency or city government which are responsible for and are authorized to oversee population administration affairs. In contrast, the executive agency consists of the apparatus of the regency/city government responsible for and authorized to implement services related to population administration affairs.
4. Key Definitions
Existing definitions under the PDP Regulations
Personal data: Data on specific individuals that are stored, managed, and maintained, the accuracy and confidentiality of which are maintained and protected. More specifically, it refers to any accurate and actual information attached and identifiable, either directly or indirectly, to each individual, the purpose of which is under the laws and regulations.
Examples of ‘personal data’ under Article 84 of the Demography Law include:
- family identification card number;
- personal population identification card number;
- date of birth;
- information regarding any physical or mental condition;
- biological mother’s population identification card number;
- father’s population identification card number;
- other important events involving birth, death, marriage, divorce, child legalization, name change, or change of nationality;
- eye scan;
- signatures; and
- other information considered shameful (e.g. embarrassing) for any individual.
The term ‘shameful’ is further elaborated under GR 40. Under Article 54 of GR 40, other information that is considered shameful includes elements of data from a momentous event that should not be disclosed to other people. These events include:
- a child born whose parents’ origins are unknown;
- gender change;
- a child born outside of marriage; and
- other important events determined by the Minister of Home Affairs.
Proposed definitions under the PDP Bill
Data controller: A party that determines the purpose and exercises control over the processing of personal data (Article 1 of the PDP Bill).
Data processor: A party that processes personal data on behalf of the controller. The PDP Bill further dissects the ‘processor of personal data’ to include individuals, legal entities, public agencies, and organizations or institutions (Article 1 of the PDP Bill).
Personal data: Any data regarding an identified person or a person that can be identified either individually or in combination with other information, directly or indirectly, by using electronic and/or non-electronic systems (Article 1 of the PDP Bill).
Sensitive data: Personal data that requires special protection, and includes data concerning religion or belief, health, physical and mental conditions, sexual life, personal financial data, and other personal data that may be dangerous or detrimental to the privacy of the data subject (Article 3 of the PDP Bill). Please note that the DPR has since confirmed that data relating to sexual orientation may be deleted from the PDP Bill and therefore may not be regulated therein.
Health data: There is no definition of health data provided under the PDP Regulations. However, GR 71 through Articles 99(1) and (2) acknowledges that the health sector possesses strategic electronic data which must be protected. The closest term to health data being defined in the existing law is the term medical record based on Minister of Health Regulation No. 269/MENKES/PER/III/2008 (only available in Indonesian here), meaning files containing records and documents regarding patients’ identity, examination, medication, conducts and other services which have been given to a patient.
On the other hand, an explicit definition of health data could be found in the PDP Bill which stipulates that ‘[w]hat is referred to as ‘health data and information’ is the individual’s record or description relating to physical health, mental health, and/or health service.’
Biometric data: There is no explicit definition of biometric data in the PDP Regulations. However, the elucidation of Article 40(1)(a)(3) of GR 71 provides examples of biometric data, which are retina and fingerprint data. Additionally, the elucidation of Article 3 of the PDP Bill stipulates that ‘[what] is referred to as ‘biometric data’ is data relating to the physical, physiological, or characteristic of individuals’ behavior which allows the unique identification of an individual, such as facial images or dactyloscopy data. Biometric data also describes the unique nature and/or characteristic of an individual which should be kept and maintained, including but not limited to fingerprint records, eye retina, and a DNA sample.’
Pseudonymization: This term is neither defined in the PDP Regulations nor the PDP Bill.
Data subject: There is no explicit definition of the data subject under the PDP Bill. Article 1 of the PDP Bill however does define ‘personal data owners’ as ‘individuals as data subjects who have personal data attached to themselves,’ from now on referred to as ‘data subjects.’
5. Legal Bases
Consent is an important principle regulated strictly by the PDP Regulations.
Under Article 26(1) of the Electronic Information Law, the use of any information through electronic media which is related to the personal data of a person must be conducted with consent from the person concerned, unless otherwise determined by laws and regulations.
Under Article 14(3) of GR 71, the processing of personal data is subject to the provision of consent for one or more specific purposes that have been conveyed to the data subject.
Under Article 9(1) of Kominfo Regulation 20, the acquisition and collection of personal data by ESPs should be based on consent or the provisions of laws and regulations.
Finally, Law No. 36 of 2009 on Health as amended by Law No. 11 of 2020 regarding Job Creation (only available to download in Indonesian here) (‘the Health Law’) contains specific regulations regarding personal data in the health sector. Article 44 (3) of the Health Law stipulates that human testing shall require the collection of the subject’s informed consent. Before such consent is obtained, the researcher must, among other things, guarantee the confidentiality of the identity and personal data of the data subject.
5.2. Contract with the data subject
Article 14(4)(a) of GR 71 stipulates, among other things, that aside from the obtainment of consent, data processing shall be carried out to fulfill contractual obligations if the data subject is one of the parties or to fulfill the request of the data subject upon agreeing.
5.3. Legal obligations
Article 14(4)(b) of GR 71 provides that data processing shall be carried out, aside from obtaining the data subject’s consent, to fulfill the controller’s legal obligations by statutory provisions.
5.4. Interests of the data subject
Under Article 14(4)(c) of GR 71, aside from obtaining consent, personal data shall be processed to fulfill the data subject’s vital interests. There is neither an exhaustive nor a non-exhaustive list of the data subject’s interests. The elucidation of Article 14(4)(c) of GR 71 elaborates the meaning of ‘vital interest’ as the need/necessity to protect essential matters about a person’s existence.
5.5. Public interest
Under Article 14(4)(e) of GR 71, aside from the obtainment of consent, personal data may be processed to fulfill the obligations of the controller in public services for the public interest.
5.6. Legitimate interests of the data controller
Under Article 14(4)(f) of GR 71, aside from obtaining consent, personal data may be processed to fulfill the controller’s legitimate interests. There is neither an exhaustive nor a non-exhaustive list of the legitimate interests of the data controller. Data controllers may pursue any interests so long as they adhere to the prohibitions and obligations set out in the PDP Regulations.
5.7. Legal bases in other instances
Under Article 3 of the Electronic Information Law, the utilization of IT and electronic transactions shall be implemented based on legal certainty, benefit, prudence, good faith, and freedom to choose technology or technology neutrality.
Under Articles 2 and 4 of Kominfo Regulation 20, the processing of personal data shall be carried out based on the principle of good personal data protection, which includes the following elements (see also Article 36 of Kominfo Regulation 20):
- having due regard towards personal data as private;
- personal data is confidential, following the consent of the data subject, and/or based on the provisions of laws and regulations;
- obtaining sufficient consent from the data subject, and basing its processing activities on such consent;
- ensuring processing is relevant to the purpose of acquisition, collection, processing, analyzing, storage, display, announcement, delivery, and dissemination;
- limiting processing activities to what is necessary;
- ensuring the suitability of the electronic system that is being used;
- having the good faith to immediately notify data subjects of any failure concerning personal data protection;
- ensuring the availability of internal regulation for the management of personal data protection;
- having responsibility for any personal data under possession of users;
- ensuring ease of access to and correction of personal data for data subjects; and
- ensuring the integrity, accuracy, and validity of personal data, and ensuring that personal data is up to date.
7. Controller and Processor Obligations
General obligations applicable to ESPs
As there are several stakeholders in the field of personal data protection, the PDP Regulations provide for different obligations for the various stakeholders.
Article 27 of Kominfo Regulation 20 governs the obligations of personal data users which are to:
- maintain the confidentiality of personal data they receive, collect, process, and analyze;
- solely use personal data following the needs of users;
- protect personal data and documents containing such personal data from any misappropriation; and
- be responsible for the personal data that is under their control (i.e. either control by way of an organization that falls under their authority or individual control), if any misappropriation occurs.
Articles 4 and 28 of Kominfo Regulation 20 govern the obligations of ESPs which are to:
- undergo a certification process for electronic systems under their management following the provisions of laws and regulations;
- safeguard the authenticity, validity, confidentiality, accuracy, and relevance as well as the conformity in acquiring, collecting, processing, analyzing, storing, displaying, announcing, delivering, disseminating, and erasing personal data;
- ensure that personal data stored in an electronic system is encrypted;
- have internal regulations relating to the protection of personal data which conforms with the provisions of laws and regulations (e.g. provide audit track records on all electronic system organization activities that are under its management);
- provide options to data subjects regarding whether their data may or may not be used and/or displayed by/to any third party based on approval as long as it still relates to the purpose of acquiring and collecting personal data;
- grant access or opportunity to data subjects to alter or renew their data without disrupting the personal data management system, unless stipulated otherwise by the provisions of laws and regulations;
- delete personal data following the provisions of Kominfo Regulation 20; and
- provide a point of contact who can be easily contacted by data subjects as regards the management of their data.
Contracts with data subjects
While there is no explicit provision requiring the existence of a contract with the data subject, the PDP Regulations emphasize the importance of adherence to contractual obligations arising from agreements between the personal data processors with the data subject. Additionally, the PDP Regulations provide general requirements regarding electronic contracts, including electronic contracts involving data subjects.
Under Article 1(17) of the Electronic Information Law and Article 1(17) of GR 71, an electronic contract is defined as an agreement between the parties made through an electronic system. As the implementing regulation of the Electronic Information Law, GR 71 provides further rules regarding electronic contracts. In particular, Article 46(2) of GR 71 stipulates that an electronic contract is valid if it:
- contains the consent between those who bind themselves;
- is entered by legal subjects having the capacity or authority to agree;
- regulates a particular subject matter; and
- has a legal cause.
An electronic contract with a data subject is only valid if it fulfills the requirements above.
Internal policies for ESPs
Kominfo Regulation 20 requires ESPs to have an internal policy on the protection of personal data when implementing the following data processing operations:
- acquisition and collection;
- processing and analyzing;
- presentation, publication, transmission, dissemination, and/or access opening; and
Usually, ESPs create their data protection guidance/policy for users of their electronic systems and/or services, which should comply with the PDP Regulations.
Obligations for trading activities through electronic systems
GR 80 provides strict regulations on the personal data protection of consumers, providing that business entities conducting trade through electronic systems shall keep personal data following the standard of personal data protection or the common business practice. Such personal data protection must be carried out under the following rules:
- personal data must be obtained truthfully and legally from the owner of the personal data concerned, accompanied by the existence of choices and guarantees for the safeguarding and prevention of loss to the data subject;
- personal data must be used for one or more purposes that are described in a specific and valid manner, and cannot be further processed in a way that is not in accordance with said purposes;
- personal data that is obtained must be proper, relevant, and not too broad in relation to the purpose of their processing as previously conveyed to the data subject;
- personal data must be accurate and must always be up to date by way of giving opportunities to data subjects to update their data;
- personal data must be processed following the purpose of their acquisition and allocation, as well as cannot be possessed longer than the required time;
- personal data must be processed following the rights of data subjects as regulated under laws and regulations;
- parties that store personal data must possess a proper security system to prevent leaks or prevent any unlawful utilization or processing of personal data, as well as be responsible for unexpected losses or damages to said personal data; and
- personal data cannot be sent to another country or area outside Indonesia, except if said country or area has been declared as having the same protection level and standard as Indonesia by the Minister of Trade.
7.1. Data processing notification
The PDP Regulations do not require notification or registration before data processing.
7.2. Data transfers
The transfer of personal data is prohibited without the consent of the data subject, as stipulated under Article 27(1) of the Electronic Information Law and emphasized in Article 21(a) of Kominfo Regulation 20.
The Electronic Information Law also provides that anyone who intends, without valid rights, to change, add, reduce, transmit, destroy, eliminate, transfer, or hide electronic information and/or electronic documents owned by another person or owned by the public shall be prohibited from doing so.
Additionally, Article 59(2)(h) of GR 80 provides that personal data is prohibited from being transferred to another country or territory outside Indonesia unless the Minister of Trade has declared such country or territory as having an equal standard or level of personal data protection.
Furthermore, Article 31 of Regulation No. 1/POJK.07/2013 concerning Consumer Protection in Financial Services Sectors (‘OJK Regulation 1/2013’), issued by Financial Services Authority (‘OJK’), also limits the transfer of personal data to a third party by financial services providers, except when there is written consent from the consumer and/or as required by laws and regulations.
7.3. Data processing records
The PDP Regulations do not mention the term data processing records. However, under Article 22(1) of GR 71, ESPs must provide an audit trail for all activities of the electronic system organization. This includes:
- maintaining the transaction log in accordance with the provider's data retention policy and with laws and regulations;
- notifying the consumer if a transaction has been conducted; and
- ensuring the availability of an audit trail function to be able to detect an effort and/or incursion, which must be reviewed or evaluated periodically.
In addition, if the processing and audit trail are the responsibilities of the third party, then such audit trail process shall follow the standard that the ESP has determined.
7.4. Data protection impact assessment
Under Article 12 of GR 71, ESPs must apply risk management towards damages or losses incurred. Such provision defines ‘risk management’ as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system it manages.
More elaborated provisions about Data Protection Impact Assessment (‘DPIA’) are contained in the PDP Bill. Article 27(b) of the PDP Bill obliges controllers to protect and ensure the safety of personal data by determining the safety level of personal data by considering the nature and risk to personal data during processing. The language of such a provision indicates that a DPIA must be done whenever a data process occurs.
7.5. Data protection officer appointment
The PDP Regulations do not require the appointment of a data protection officer (‘DPO’). However, Article 28(i) of Kominfo Regulation 20 requires ESPs to provide a point of contact who can be easily contacted by the data subject relating to their data management.
Furthermore, Article 45 of the PDP Bill introduces the requirement for controllers and processors to appoint a DPO, in certain circumstances, namely where:
- the data processing is carried out for the public interest;
- the nature, scope, and/or purposes of the main activity of the controller require organized and systematic supervision on a large scale; or
- the main activity of the controller consists of large-scale processing specific and/or related to criminal conduct.
7.6. Data breach notification
Implementing the Electronic Information Law, GR 71 regulates the notification obligation for ESPs if there is a failure to protect personal data. Under Article 14(1) and (5) of GR 71, it is stipulated that ESPs must adhere to the principles of personal data protection in the processing of personal data including by notifying the failure to protect personal data. The notification must be made in writing to the data subject.
Furthermore, under Article 28 of Kominfo Regulation 20, an ESP is generally obliged to notify the data subject in case of a breach. Such notification should contain the reason or cause of the failure to protect the confidentiality of the personal data. The notification may be sent electronically if the data subject has approved such electronic notification during the acquisition and collection of their data. An ESP must ensure that the data subject has received the notification if the data breach can potentially cause loss to the relevant data subject. The written notification must be sent to the data subject no later than 14 days after identifying the breach. Although this requirement is not mandatory, a data subject can file a complaint to Kominfo if no notification is given or loss to the data subject has occurred due to such a breach.
7.7. Data retention
Implementing the Electronic Information Law, GR 71 regulates the obligation for ESPs to delete specific personal data. ESPs must delete personal data which is irrelevant. Personal data is irrelevant when:
- it is acquired and processed without the consent of the data subject;
- the data subject has withdrawn consent;
- it is acquired and processed illegally;
- processing is no longer in accordance with the acquisition purpose based on an agreement and/or laws and regulations;
- its utilization has exceeded the period set by an agreement and/or laws and regulations; and/or
- the ESP’s treatment of it has caused a loss for the data subject.
The obligation of deletion stipulated in GR 71 consists of erasure and delisting from search engines.
As for the timeframes for data retention, GR 71 and the Electronic Information Law do not explicitly stipulate a timeframe for data retention or a maximum retention period, but instead defer to the authority to do so, and to other relevant laws. One relevant law that mentions the retention period for personal data is Law No. 43 of 2009 regarding Archive (only available in Indonesian here) (‘the Archiving Law’). The Archiving Law distinguishes data into data with a maximum 10-year retention period and data with a maximum 25-year retention period. The data and its retention period shall be listed further in a retention schedule archive.
While deferring the retention period to other laws, GR 71 is strict in regulating that data retention must comply with the retention period applicable to each item of personal data. Article 14(1)(g) of GR 71 stipulates that personal data should be destroyed and/or deleted unless it is within a retention period in accordance with the need based on laws and regulations.
More elaborated provisions on data retention may be found in the PDP Bill. Under the PDP Bill, the following data retention provisions would apply:
- personal data must be destroyed and/or erased after the retention period is over or based on the request of the data subject except otherwise regulated by the law (Article 17(2)(g) of PDP Bill);
- to obtain approval for data processing, the personal data controller must convey the information regarding, among other things, the retention period for the documents containing the personal data (Article 24(1)(d) of the PDP Bill);
- the personal data controller must end the processing of personal data if, among other events, the retention period has been reached (Article 37(1)(a) of the PDP Bill);
- if the retention period has not elapsed, personal data which has been erased may be recovered or redisplayed in its entirety based on the written request of the data subject (Article 38(4) of the PDP Bill); and
- the personal data controller must destroy personal data if, among other events, its retention period is over, and based on the retention schedule archive the data must be destroyed (Article 39(1)(b) of the PDP Bill).
7.8. Children’s data
Kominfo Regulation 20 regulates the processing of children’s data in the context of obtaining consent. Article 37 of Kominfo Regulation 20 provides that, if the data subject is a person who falls under the category of children in accordance with the provisions of laws and regulations, then the granting of consent as referred to under Kominfo Regulation 20 should be carried out by the parent or guardian of the child in question. The parent should be the father or mother of the child in question in accordance with the provisions of laws and regulations. The guardian should be the person who must take care of the child in question before the child reaches adulthood in accordance with the provisions of laws and regulations.
Kominfo Regulation 20 defers the authority to set the age of consent to other laws. Based on Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014 (only available in Indonesian here), a child is an individual who has not reached the age of 18.
7.9. Special categories of personal data
There are no explicit obligations regarding the processing of criminal data.
However, GR 71 specifically addresses personal data related to criminal conduct. In particular, Article 33 of GR 71 stipulates that ‘for the criminal justice process, the ESP must provide electronic information and/or electronic data which is contained in the electronic system, or electronic information and/or electronic data which are processed by the electronic system, at the valid request from an investigator for certain criminal acts following the authority regulated in laws.’
7.10. Controller and processor contracts
There is no reference in the PDP Regulations which requires a contract to be in place between a data controller and processor.
8. Data Subject Rights
In general, under Article 26 of Kominfo Regulation 20, data subjects are entitled to:
- confidentiality of their data;
- file complaints to Kominfo about disputes over the failure of the relevant ESP to protect the confidentiality of their data;
- obtain access or the opportunity to change or update their data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations;
- obtain access or the opportunity to receive the history of their data, which has been given to an ESP insofar as it is still in accordance with the applicable laws and regulations; and
- request the destruction of their data in an electronic system managed by an ESP, unless otherwise determined by the applicable laws and regulations.
8.1. Right to be informed
The following information should be provided to data subjects at the point of collection of the personal data:
- the purpose of the collection of personal data;
- other possible purposes that may arise in the future that would involve processing personal data; and
- a contact person who can be easily contacted by the data subject about managing their data.
8.2. Right to access
Under Article 26 of Kominfo Regulation 20, data subjects are entitled to:
- obtain access or the opportunity to change or update their data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations; and
- obtain access or the opportunity to receive the history of their data, which has been given to an ESP insofar as it still follows the applicable laws and regulations.
8.3. Right to rectification
Kominfo Regulation 20 provides that data subjects shall be entitled to gain access or the opportunity to alter or renew their data without disrupting the personal data management system unless stipulated otherwise by the laws and regulations. This shall mean that data subjects can rectify their data in cases of inaccuracy, so long as it doesn’t disrupt the personal data management system.
Such right is also mentioned in Article 59(2)(d) of GR 80, which provides that personal data shall be accurate and up to date. This should be achieved by giving the data subject the chance to update their data.
8.4. Right to erasure
A data subject is entitled to request the deletion of their data, or it may be erased once the storage time limit lapses, provided that such request is in accordance with the applicable laws and regulations.
In this regard, GR 71 distinguishes the rights of the data subject into the right to erasure and the right to delisting in which the ESP is then obliged to delete electronic information no longer under its control. In particular, Article 15 of GR 71 defines the right to erasure as erasing irrelevant information or electronic documents (including those obtained without the person’s consent). In contrast, the right to delisting means delisting such information from the internet search engine through a court order.
8.5. Right to object/opt-out
The fundamental principle of data processing is consent from the data subject. This approval indicates the freedom for the data subject to object to any form of processing with which they disagree.
Additionally, the data subject is given the right to revoke their consent. Article 16 of GR 71 emphasizes that the personal data which ESPs must erase includes personal data for which the data subject has withdrawn consent to its use.
8.6. Right to data portability
There is no provision concerning the right to data portability in the PDP Regulations.
8.7. Right not to be subject to automated decision-making
The PDP Regulations do not regulate the right not to be subject to automated decision-making.
However, the protection of a similar right could be found in the PDP Bill. Under Article 10 of the PDP Bill, data subjects would have the right to object to decision-making solely based on the automatic processing of an individual’s profile (i.e. profiling). Although the language of Article 10 of the bill does not explicitly mention ‘objection to automated decision-making,’ it addresses concerns regarding decisions taken solely based on automatic profiling.
8.8. Other rights
There are two types of sanctions for violation of the PDP Regulations: administrative and criminal sanctions. Articles 46 and 48 of the Electronic Information Law, among others, stipulate the following sanctions for the violation of personal data protection in an electronic system:
- any person who unlawfully accesses the electronic system of another person shall be sentenced to imprisonment not exceeding six years and/or a fine not exceeding IDR 600 million (approx. €36,000);
- any person who unlawfully accesses the electronic system of another person with the intent to obtain electronic information and/or electronic records shall be sentenced to imprisonment not exceeding seven years and/or a fine not exceeding IDR 700 million (approx. €42,200);
- any person who unlawfully accesses the electronic systems of another person by breaching, hacking into, trespassing into, or breaking through security systems shall be sentenced to imprisonment not exceeding eight years and/or a fine not exceeding IDR 800 million (approx. €48,200);
- any person who unlawfully alters, adds, reduces, transmits, tampers with, deletes, moves, or hides the electronic information and/or electronic records of another person or of the public shall be sentenced to imprisonment not exceeding eight years and/or a fine not exceeding IDR 2 billion (approx. €120,500);
- any person who unlawfully moves or transfers electronic information and/or electronic records to the electronic system of an unauthorized person shall be sentenced to imprisonment not exceeding nine years and/or a fine not exceeding IDR 3 billion (approx. €180,800); and
- any person who unlawfully alters, adds, reduces, transmits, tampers with, deletes, moves, or hides the electronic information and/or electronic records of another person or of the public, which results in such information becoming publicly accessible in a distorted form (i.e., data’s integrity is no longer as is) shall be sentenced to imprisonment not exceeding ten years and/or a fine not exceeding IDR 5 billion (approx. €300,000).
Sanctions for the violation of personal data protection, in general, are regulated under Article 36 of Kominfo Regulation 20, which stipulates that any person who unlawfully obtains, collects, processes, analyzes, deposits, displays, announces, transmits, and/or disseminates personal data is subject to administrative sanctions in the form of:
- verbal warning;
- written warning;
- temporary suspension of activities; and
- announcement of its name on sites within the network (websites).
Sanctions for the violation of the implementation of an electronic system are regulated under GR 82, which stipulates that an ESP may be subject to administrative sanctions in the form of:
- written warning;
- administrative fine; and
- temporary suspension.
Further, Article 58 of GR 40 imposes administrative sanctions for using personal data beyond the authority granted by law or any approval, or for displaying the collected personal data in public without prior approval from the Ministry, in the form of revocation of user access rights, destruction of data that has been accessed, and an administrative fine of IDR 10 billion (approx. €602,000).