Erwin Purba - Data Protection Presentation - PP


GDPR and the Urgency of Data Protection Law in Indonesia
IBA – PERADI Corporate Counsel Conference
by: Erwin Purba, Robert Hasan & Michael Pandjaitan
Overview
• Regulations
• Personal Data
• Who do the Regulations apply to?
• National Data Protection Authority
• Registration
• Collection & Processing
• Transfer
• Security
• Breach Notification
• Enforcement
• Implementation Example in Indonesia
Regulations
INDONESIAN LAW
• There is no general law on data protection.
• Primary sources of the regulation on data protection:
  • Law No. 11 of 2008 regarding Electronic Information and Transactions (“Law No. 11/2008”) as amended by Law No. 19 of 2016 regarding the Amendment of Law No. 11/2008 (“EIT Law”);
  • Government Regulation No. 82 of 2012 regarding Provisions of Electronic Systems and Transactions (“Reg. 82”);
  • Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (the “MOCI Regulation”).
GDPR
• General Data Protection Regulation (“GDPR”).
• Directly applicable and has consistent effect in all Member States (of the European Union).
• Territorial Scope: The GDPR applies to processing of personal data carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Regulations (Cont’d)
INDONESIAN LAW
• Extra-territorial scope.
• A new draft Bill on the Protection of Private Personal Data (the "Bill") is being discussed and to this date it has not been issued.
• Key features in the Bill that may be regulated but are not currently regulated:
  • Clear definition of Personal Data;
  • Classification of Personal Data: (i) General Data; and (ii) Specific Data;
  • Additional obligations in collecting and processing the Specific Data;
  • Differentiation between the Controller of Personal Data and the Processor of Personal Data;
  • Rights of the Personal Data owner, such as the right to be forgotten and the right of access;
  • Different periods of notification of a breach of Personal Data to the Personal Data owner and to the relevant supervising agencies;
  • New procedure for transfer of Personal Data outside Indonesia; and
  • Criminal sanctions for breaching the provisions of the Bill.
Personal Data
INDONESIAN LAW
• Reg. 82 and the MOCI Regulation define ‘Personal Data’ as “data of an individual, which is stored, maintained and which correctness is preserved and of which its confidentiality is protected”.
• What is “data of an individual”?
  • No specific definition in Reg. 82 and the MOCI Regulation.
  • Common practice is to refer to Law No. 24 of 2013 regarding the Amendment of Law No. 23 of 2006 regarding Citizen Administration (“Law No. 23”).
GDPR
• GDPR defines ‘Personal Data’ as "any information relating to an identified or identifiable natural person". “Identifiable" means that if the natural person can be identified using “all means reasonably likely to be used”, the information is personal data.
• Any identifier will be considered Personal Data (e.g. IP address, phone number, location data).
• In contrast to Indonesian law, GDPR differentiates Personal Data into: (i) ‘special categories’ of personal data; and (ii) personal data relating to criminal convictions and offences.
Personal Data (Cont’d)
INDONESIAN LAW
• Pursuant to Article 58 of Law No. 23, ‘individual data’ includes: a. the family card number; b. population (identity card) number; c. full name; d. sex; e. place of birth; f. date/month/year of birth; g. blood type; h. religion or belief; i. marital status; j. family relationship status; k. physical or mental disability; l. last education; m. type of job; n. population number of the biological mother, name of the biological mother; o. population number of the father, name of the father; p. previous address; q. current address; r. birth certificate; s. number of birth certificate; t. marital certificate; u. number of marital certificate; v. date of marriage; w. divorce certificate; x. date of divorce; y. fingerprint; z. eye iris; aa. signature; and bb. other elements of disgraceful information regarding a person.
• No specific definition of “sensitive personal data”.


Who do the Regulations apply to?
INDONESIAN LAW
• Electronic System Provider (“ESP”).
• Reg. 82 defines ESP as “any Person, state administrator, Business Entity, and the public who provide, manage, and/or operate an Electronic System individually or jointly to the User of Electronic Systems for its own purpose and/or the purpose of another party.”
• Reg. 82 further defines Electronic System as “a series of electronic devices and procedures which function to prepare, collect, process, analyze, store, display, publish, transfer, and/or disseminate Electronic Information.”
GDPR
• Applies to ‘controllers’ and ‘processors’ of the personal data.
• A ‘controller’ is the party who determines the purposes and means of processing personal data. The controller will be the one to dictate how and why data is going to be used by the organization.
• A ‘processor’ is the party who is responsible for processing personal data on behalf of a controller.
• GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.
National Data Protection Authority
INDONESIAN LAW
• There is no national data protection authority for data privacy in general in Indonesia.
• A sectoral authority may act as national data protection authority, for example the Ministry of Communication and Informatics or the Indonesian Financial Services Authority (‘OJK'). OJK has the authority to act as the regulator of data privacy in the capital markets sector (since 31 December 2012) and with regard to banks' customer data privacy issues (since 31 December 2013).

Note: The upcoming Bill may regulate the Indonesian Data Protection Authority.
GDPR
• The European Data Protection Board is comprised of delegates from the supervisory authorities of each of the Member States and monitors the application of the GDPR across the EU.
• Every Member State has its own Data Protection Board (for example, the Dutch Data Protection Authority and the Information Commissioner's Office in the United Kingdom).
Registration
INDONESIAN LAW
• Minister of Communication and Informatics Regulation No. 36 of 2014 regarding Procedures of Electronic System Provider Registration (“MOCI Reg 36”) differentiates ESP into:
  • ESP for non-public services; and
  • ESP for public services.
• ESP for non-public services is not specifically defined under MOCI Reg 36, but in general other legal entities that are not related with government, such as private corporations, can be classified as ESP for non-public services.
GDPR
• There are no EU-wide systems of registration for controllers and processors of personal data.
Registration (Cont’d)
INDONESIAN LAW
• In practice: The regulators interpret ‘public service’ with regard to electronic system providers pursuant to Government Regulation No. 96 of 2012 regarding Implementation of Law No. 25 of 2009 regarding Public Service (“GR No. 96”).
• A company engaged in the education, teaching, work and business, housing, communication and information, environment, health, social security, energy, banking, transportation, natural resources, tourism and other strategic sectors shall fall into the category of ESP for public services.
• An ESP for public services must conduct registration, while an electronic system provider for non-public services may conduct registration, which suggests registration is not mandatory for an ESP for non-public services.
• Based on MOCI Reg. 36, the requirements to conduct registration as an ESP indicate that the applicant must be in the form of an Indonesian limited liability company.
• A further obligation for an ESP for public services is to place its data center and disaster recovery center in the territory of Indonesia, in the interest of law enforcement and the protection and enforcement of the state’s sovereignty over the data of its citizens.
Collection & Processing
INDONESIAN LAW
• Reg. 82 and the MOCI Regulation specifically regulate the obligation to obtain "Consent" from the owner of the Personal Data in the case of data collection, use and processing.
• Consent: a written agreement, given either manually and/or electronically by the owner of Personal Data after obtaining a full explanation regarding the process for acquiring, collecting, processing, analyzing, storing, displaying, announcing, sending, and disseminating, including the confidentiality or non-confidentiality of the Personal Data.
• Consent must be made in the Indonesian language.
• Collection must also be limited to the relevant and suitable information in accordance with its purpose and must be conducted accurately.
• Personal Data can only be processed and analysed in accordance with the needs of the electronic system provider that have been stated clearly at the time the Personal Data is obtained and collected.
GDPR
• Controllers are responsible for compliance with a set of core principles:
  • lawfulness, fairness and transparency principle;
  • purpose limitation principle;
  • data minimization principle;
  • accuracy principle;
  • storage limitation principle; and
  • integrity and confidentiality principle.
• The lawful bases for processing are set out in Article 6 of the GDPR, where at least one of these must apply whenever you process personal data:
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
• Additional principles and lawful bases apply for collection and processing of ‘special categories of personal data’ and ‘criminal convictions and offences data’.
Transfer
INDONESIAN LAW
• Article 22 (2) of Reg. 82 regulates the transfer of data, and provides in any case that in the implementation of an Electronic System and/or Electronic Document aimed to transfer Electronic Information and/or an Electronic Document, the Electronic Information and/or Electronic Document must be unique and (the provider shall) explain the control and possession of the Electronic Information and/or Electronic Document.
• Article 21 (1) of the MOCI Regulation states that displaying, announcing, transferring, broadcasting, and/or opening Personal Data access in the Electronic System can only be conducted:
  • By Consent, except where stipulated otherwise by laws and regulations; and
  • After its accuracy and compatibility with the purpose of obtaining and collecting such Personal Data is verified.
GDPR
• Transfer outside EU: Transfers of personal data by a controller or a processor (or a data exporter) to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met.
Transfer (Cont’d)
INDONESIAN LAW
• Transfer outside Indonesia:

Article 22 (1) of the MOCI Regulation states that transferring Personal Data that is managed by an ESP at a government or regional government institution, including the public or private sector, domiciled in the territory of Indonesia to [parties] outside the territory of Indonesia must:

• Coordinate with the MOCI or the official or institution authorized for such purpose; and
• Implement the laws and regulations regarding the transboundary exchange of Personal Data.

The implementation of the coordination consists of:

• Reporting the implementation plan of the Personal Data transfer, at least containing the clear name, designated country, recipient subject name, implementation date, and reason/purpose of the transfer;
• Requesting advocacy, if needed; and
• Reporting the result of the implementation of the activities.
Security
INDONESIAN LAW
• The obligations of an ESP are regulated under Reg. 82 and the MOCI Regulation, which amongst other things include the obligation to:
  • guarantee the confidentiality of the source code of the software;
  • ensure agreements on minimum service level and information security for the information technology services being used, as well as the security and facility of the internal communication security it implements;
  • protect and ensure the privacy and personal data protection of users;
  • ensure the appropriate lawful use and disclosure of the personal data;
  • provide a data centre and disaster recovery centre (for ESP for public services);
  • provide the audit records on all Provision of Electronic Systems activities;
  • provide information in the Electronic System based on a legitimate request from investigators for certain crimes;
  • provide options to the Personal Data owner regarding the Personal Data that is processed, so that [the Personal Data] can or cannot be used and/or displayed by/at a third party based on the Consent, as long as it is related with the purpose of obtaining and collecting the Personal Data;
  • provide access or opportunity to the Personal Data owner to change or renew his/her Personal Data without disturbing the system management of the Personal Data, except where regulated otherwise by laws and regulations;
  • delete the Personal Data (i) where it has reached the period for storing the Personal Data (at the shortest 5 years, or based on the applicable regulations/specific sectoral regulations); or (ii) by request from the Personal Data owner, except where regulated otherwise by the laws and regulations; and
  • provide a contact person that is easy to be contacted by the Personal Data owner in relation to his/her Personal Data.
GDPR
• The GDPR is not prescriptive about specific technical standards or measures.
• However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Breach Notification
INDONESIAN LAW
• Notification to the Regulator

Article 20 (3) of Reg. 82 provides that if there is a failure or disturbance to the system which has a serious impact as a result of another party's action towards the Electronic System, then the ESP must secure the data and at the first opportunity report it to law enforcement officials or the Supervising and Regulatory Authority of the relevant sector.

• Notification to the Personal Data Owner

Article 15 (1) (a) of Reg. 82 provides that an ESP must preserve the secrecy, integrity, and availability of the Personal Data it manages. Article 15 (2) of Reg. 82 further provides that the ESP must provide a written notification to the Personal Data Owner upon its failure to protect the Personal Data.
GDPR
• The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects.
• The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it.
Breach Notification (Cont’d)
INDONESIAN LAW
The more detailed provision on the implementation of Personal Data protection under Reg. 82 is regulated in the MOCI Regulation. Article 28 (c) of the MOCI Regulation stipulates that the ESP must provide a written notice to the Personal Data owner if there is a failure in protecting the secrecy of the Personal Data in the Electronic System. The provisions regarding the notice are as follows:

• must provide the reason or cause of the occurrence of the failure in protecting the secrecy of the Personal Data;
• can be conducted electronically if the Personal Data owner has given Consent for it at the time of obtaining and collecting his/her Personal Data;
• must ensure that the notice has been received by the Personal Data Owner if the failure contains potential loss to the relevant Personal Data owner; and
• a written notice is sent to the Personal Data owner at the latest 14 (fourteen) days after the failure is discovered.
Enforcement
INDONESIAN LAW
• In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines. Imprisonment may be imposed in severe instances such as in the event of intentional infringement.
• The EIT Law provides criminal penalties ranging from:
  • Rp. 600,000,000 fine to Rp. 800,000,000 and/or 6 to 8 years imprisonment for unlawful access;
  • Rp. 800,000,000 fine and/or 10 years imprisonment for interception/wiretapping of transmission;
  • Rp. 2,000,000,000 to Rp. 5,000,000,000 and/or 8 to 10 years imprisonment for alteration, addition, reduction, transmission, tampering, deletion, moving, hiding Electronic Information and/or Electronic Records.
• Failure to comply with Reg. 82 is subject to administrative sanctions (which do not eliminate any civil and criminal liability). These administrative sanctions are in the forms of:
  • written warning;
  • administrative fines;
  • temporary dismissal; or
  • expulsion from the list of registrations (as required under the regulation).
• Failure to comply with the MOCI Regulation is subject to administrative sanctions in the form of:
  • verbal warning;
  • written warning;
  • temporary dismissal of activities; and/or
  • an announcement on the online website.
GDPR
• The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
• The highest fines, up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
  • The basic principles for processing, including conditions for consent;
  • Data subjects’ rights;
  • International transfer restrictions;
  • Any obligations imposed by Member State law for special cases such as processing employee data;
  • Certain orders of a supervisory authority.
• The lower category of fines, up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
  • Obligations of controllers and processors, including security and data breach notification obligations;
  • Obligations of certification bodies;
  • Obligations of a monitoring body.
Implementation Example in Indonesia
PT X is a company engaged in the business line of communication and information services. PT X created an application to improve its services to the customer. In order to use the application, the customer must input their name, identity number, and phone number in the application. Furthermore, PT X also intends to transfer the customer’s personal data to its parent company located in Germany for further processing.

Implementation:
• PT X is considered as an ESP.
• PT X is considered as an ESP for public services (communication and information services). Note: There is the obligation to create a data centre in Indonesia.
• Name, identity number, and phone number are considered as Personal Data; therefore, Consent from the Personal Data owner is required.
• Transferring Personal Data to Germany is considered as a transboundary transfer.

Process flow:
1. PT X creates a Privacy Policy, which contains a full explanation of the acquiring, collecting, processing, analyzing, storing, displaying, and transfer of the Personal Data.
2. The customer clicks the Consent tick box; Consent is obtained.
3. PT X coordinates with MOCI for the transfer of Personal Data: it reports the implementation plan of the Personal Data transfer outside Indonesia.
4. PT X transfers the Personal Data.
5. PT X reports the result of the implementation of the activities to MOCI.
