Erwin Purba - Data Protection Presentation - PP
Primary sources of the regulation on data protection:
GDPR: directly applicable and has consistent effect in all Member States (of the European Union). Extra-territorial scope.
A new draft Bill on the Protection of Private Personal Data (the "Bill") is being discussed and to this date it has not been issued.
Key features in the Bill that may be regulated but are not currently regulated:
• Clear definition of Personal Data;
• Classification of Personal Data: (i) General Data; and (ii) Specific Data;
• Additional obligations on collecting and processing Specific Data;
• Differentiation between the Controller of Personal Data and the Processor of Personal Data;
• Specified rights of the Personal Data owner, such as the right to be forgotten and the right of access;
• Different periods of notification of a breach of Personal Data to the Personal Data owner and to the relevant supervising agencies;
• New procedure for the transfer of Personal Data outside Indonesia; and
• Criminal sanctions for breaching the provisions of the Bill.
Personal Data
INDONESIAN LAW
Reg. 82 and MOCI Regulation define ‘Personal Data’ as “data of an individual, which is stored, maintained and which correctness is preserved and of which its confidentiality is protected”.
What is “data of an individual”? There is no specific definition in Reg. 82 and MOCI Regulation. Common practice is to refer to Law No. 24 of 2013 regarding the Amendment of Law No. 23 of 2006 regarding Citizen Administration (“Law No. 23”).
GDPR
GDPR defines ‘Personal Data’ as “any information relating to an identified or identifiable natural person”. “Identifiable” means that if the natural person can be identified using “all means reasonably likely to be used”, the information is personal data. Any identifier will be considered Personal Data (e.g. IP address, phone number, location data).
In contrast to Indonesian law, GDPR differentiates Personal Data into: (i) ‘special categories’ of personal data; and (ii) personal data relating to criminal convictions and offences.
Personal Data (Cont’d)
INDONESIAN LAW
Pursuant to Article 58 of Law No. 23, ‘individual data’ includes: a. the family card
number; b. population (identity card) number; c. full name; d. sex; e. place of birth; f.
date/month/year of birth; g. blood type; h. religion or belief; i. marital status; j. family
relationship status; k. physical or mental disability; l. last education; m. type of job; n.
population number of the biological mother, name of the biological mother; o.
population number of the father, name of the father; p. previous address; q. current
address; r. birth certificate; s. number of birth certificate; t. marital certificate; u.
number of marital certificate; v. date of marriage; w. divorce certificate; x. date of
divorce; y. fingerprint; z. eye iris; aa. signature; and bb. other elements of disgraceful
information regarding a person.
GDPR
Additional principles and lawful bases for collection apply to the collection and processing of ‘special category of personal data’ and ‘criminal convictions and offences data’.
Transfer
INDONESIAN LAW
Article 22 (2) of Reg. 82 regulates the transfer of data, which provides in any case that in the implementation of an Electronic System and/or Electronic Document aimed to transfer Electronic Information and/or Electronic Document, the Electronic Information and/or Electronic Document must be unique and (the provider shall) explain the control and possession of the Electronic Information and/or Electronic Document.
Article 22 (1) of the MOCI Regulation states that transferring Personal Data that is managed by an ESP at the government and regional government institution, including the public or private sector, domiciled in the territory of Indonesia to [parties] outside the territory of Indonesia must:
• Coordinate with the MOCI or the official or institution being authorized for such purpose; and
• Implement the laws and regulations regarding the transboundary exchange of Personal Data.
Coordination with the MOCI consists of the following steps:
• To report the implementation plan of the Personal Data transfer, at least containing the clear name, designated country, recipient subject name, implementation date, and reason/purpose of the transfer;
• To request for advocacy, if needed; and
• To report the activities implementation result.
GDPR
Transfer outside EU: transfers of personal data by a controller or a processor (or a data exporter) to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met.
Security
INDONESIAN LAW
The obligations of an ESP are regulated under Reg. 82 and MOCI Regulation, which amongst other things include the obligation to:
• guarantee the confidentiality of the source code of the software;
• ensure agreements on minimum service level and information security towards the information technology services being used, as well as security and facility of the internal communication security it implements;
• protect and ensure the privacy and personal data protection of users;
• ensure the appropriate lawful use and disclosure of the personal data;
• provide a data centre and disaster recovery centre (for ESP for public services);
• provide the audit records on all Provision of Electronic Systems activities;
GDPR
The GDPR is not prescriptive about specific technical standards or measures. However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
• The pseudonymization and encryption of personal data;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Security (Cont’d)
INDONESIAN LAW
• provide information in the Electronic System based on a legitimate request from investigators for certain crimes;
• provide options to the Personal Data owner regarding the Personal Data that is processed so that [the Personal Data] can or cannot be used and/or displayed by/at a third party based on the Consent, as long as it is related to the purpose of obtaining and collecting the Personal Data;
• provide access or opportunity to the Personal Data owner to change or renew his/her Personal Data without disturbing the system management of the Personal Data, except regulated otherwise by laws and regulations;
• delete the Personal Data (i) where it has reached the period of storing the Personal Data (at the shortest 5 years or based on the applicable regulations/specific sectoral regulations); or (ii) by request from the Personal Data owner, except regulated otherwise by the laws and regulations; and
• provide a contact person that is easy to be contacted by the Personal Data owner in relation to his/her Personal Data.
Breach Notification
INDONESIAN LAW
Notification to the Regulator
Article 20 (3) of Reg. 82 provides that if there is a failure or disturbance to the system which has a serious impact as a result of another party towards the Electronic System, then the ESP must secure the data and at the first opportunity report it to a law enforcement official or the Supervising and Regulatory Authority of the relevant sector.
Notification to the Personal Data Owner
Article 15 (1) (a) of Reg. 82 provides that an ESP must preserve the secrecy, integrity, and availability of the Personal Data it manages. Article 15 (2) of Reg. 82 further provides that the ESP must provide a written notification to the Personal Data Owner upon its failure to protect the Personal Data.
GDPR
The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects.
The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it.
Breach Notification (Cont’d)
INDONESIAN LAW
The more detailed provision on the implementation of Personal Data protection under Reg. 82 is regulated in the MOCI Regulation. Article 28 (c) of MOCI Regulation stipulates that the ESP must provide a written notice to the Personal Data owner if there is a failure in protecting the secrecy of the Personal Data in the Electronic System. The provisions regarding the notice are as follows:
• must provide the reason or cause of the occurrence of the failure in protecting the secrecy of the Personal Data;
• can be conducted electronically if the Personal Data owner has given Consent for it at the time of obtaining and collecting his/her Personal Data;
• must ensure that the notice has been received by the Personal Data owner if the failure contains potential loss to the relevant Personal Data owner; and
• a written notice is sent to the Personal Data owner at the latest 14 (fourteen) days since the failure is discovered.
Enforcement
INDONESIAN LAW
In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines. Imprisonment may be imposed in severe instances such as in the event of intentional infringement.
The EIT Law provides criminal penalties ranging from:
• Rp. 600,000,000 fine to Rp. 800,000,000 and/or 6 to 8 years imprisonment for unlawful access;
• Rp. 800,000,000 fine and/or 10 years imprisonment for interception/wiretapping of transmission;
• Rp. 2,000,000,000 to Rp. 5,000,000,000 and/or 8 to 10 years imprisonment for alteration, addition, reduction, transmission, tampering, deletion, moving, hiding Electronic Information and/or Electronic Records.
GDPR
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
The highest fines, up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
• The basic principles for processing, including conditions for consent;
• Data subjects’ rights;
• International transfer restrictions;
• Any obligations imposed by Member State law for special cases such as processing employee data;
• Certain orders of a supervisory authority.
Enforcement (Cont’d)
INDONESIAN LAW
Failure to comply with Reg. 82 is subject to administrative sanctions (which do not eliminate any civil and criminal liability). These administrative sanctions are in the forms of:
• written warning;
• administrative fines;
• temporary dismissal; or
• expulsion from the list of registrations (as required under the regulation).
Failure to comply with MOCI Regulations is subject to administrative sanctions in the form of:
• verbal warning;
• written warning;
• temporary dismissal of activities; and/or
• an announcement in the online website.
GDPR
The lower category of fines, up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
• Obligations of controllers and processors, including security and data breach notification obligations;
• Obligations of certification bodies;
• Obligations of a monitoring body.
Implementation Example in Indonesia
PT X is a company engaged in the business line of communication and information services. PT X created an application to
improve its services to the customer. In order to use the application, the customer must input their name, identity number, and
phone number in the application. Furthermore, PT X also intends to transfer the customer’s personal data to its parent
company located in Germany for further processing.
Implementation:
• PT X is considered as an ESP.
• PT X is considered as an ESP for public services (communication and information services). Note: There is the obligation
to create data centre in Indonesia.
• Name, identity number, and phone number are considered as Personal Data, therefore, Consent from Personal Data
owner is required.
• Transferring Personal Data to Germany is considered as transboundary transfer.
Transfer flow for PT X:
1. PT X coordinates with MOCI for the transfer of Personal Data outside Indonesia.
2. Report the implementation plan of the Personal Data transfer.
3. Transfer the Personal Data.
4. Report the activities implementation result to MOCI.