Personal Data Protection (PDP) Law Indonesia

Learn Privacy

Know Your Privacy Obligations

Want to check which privacy laws apply to you

Take Privacy Quiz

Check out our quick privacy quiz

Why (DBoM) Data Bill of Materials

The Data Bill of Materials (DBoM) records the ownership, sharing history, storage and collection purpose of a unit of data.

Blogs

Get latest information on data security,
data protection, and data privacy.

Events

Meet us in person or virtually in
upcoming events!

News

Be the first to catch our latest news,
happenings and more.

Follow Us

Products

Privacy Automation

TurtleShield PA (Privacy Automation) automates and streamline privacy-related processes and tasks.

Data Inventory

TurtleShield DI (Data Inventory) automates data asset inventory and performs realistic data mapping.

Privacy Intelligence

TurtleShield PI (Privacy Intelligence) applies the unique oil drilling-like approach to data discovery across the entire data footprint and not just a subset of data.

Data Minimization

TurtleShield DM (Data Minimization) helps you reduce the data and focus on enterprise-centric data.

Assured Deletion

With TurtleShield AD (Assured Deletion) businesses are empowered to comply with mandatory deletion of personal data.

Consent Management

TurtleShield CM (Consent management) is the process of obtaining, tracking, and managing individuals' consent for the collection and processing of their personal data.

Responsible AI

TurtleShield RA (Responsible AI) enables organizations to assess AI risk for internal applications and Third Party softwares utilizing AI.

Training and Awareness

TurtleShield TA (Training and Awareness) provides modern & engaging awareness solutions focused on effective privacy implementations that reach the last mile in your organization.

Solutions
Build Consumer Trust

Responsibility to protect customer data, opportunity to build brand value

Robust Enterprise Security

Implement a data-centric security approach which is aligned to your business-critical data.
Case Study / Use Cases

Fintech/BFSI

E-Commerce

Insurance

Banking

Data Protection (UK)

Heathcare Use Case

Edutech Use Case

TMT Use Case
Privacy Profit Center

Transform privacy from cost center to profit center

Data Minimization

Minimize data, and reduce business risk with data minimization

Industry

Fintech/BFSI

Privacy and meaningful data centric security for your Fintech/BFSI

Healthcare

Importance of data privacy in healthcare organizations

E-commerce

Safeguarding data privacy in E-commerce Industry

Insurance

Navigating data privacy regulations in the Insurance Industry

Edutech

Data protection in EduTech Industry is the need of the hour

Technology, Media &
Telecommunications (TMT)

The importance of data privacy in the TMT Industry

Compliance
Privacy

Data privacy compliance

India (DPDPA)

USA - United States (UCPA)

Europe (GDPR)

Australia - Privacy Act

Bahrain - (PDPL)

Brazil - (LGPD)

Angola - (PDPL)

Ukraine - (PDP)

California - (CCPA)

China - (PIPL)

Colorado - (CPA)

Connecticut - (CTDPA)

Ghana - (DPA)

Irish - (DPA)

Kenya - (DPA)

UK - (DPA)

Russia Fedral Law

Nigeria - (DPA)

Honkong - (PDPO)

Indonesia - (PDP)

Japan - (APPI)

Kuwait - (DPPR)

Malaysia - (PDPA)

Oman - (PDPL)

Philippines - (DPA)

New Zealand Privacy Act

Qatar - (PDPP)

Saudi Arabia - (PDPL)

Singapore - (PDPA)

South Africa - (POPIA)

South Korea - (PIPA)

Srilanka - (PDPA)

Thialand - (PDPA)

Uganda - (DPPA)

Virginia - (CDPA)
Security

Data security compliance

Cyber Security - IRDAI

Reserve Bank - RBI
Sectoral

Sectoral compliance

COPPA

FERPA

HIPAA

Telecom TRAI
Company

About us

Ardent is on a mission to help enterprises implement meaningful security and privacy programs aligned to their business mission; building trust, and protecting data assets.

Pricing

Get pricing aligned to your business needs. Stay data protected with best plans tailored to your needs.

Contact us

Contact us to know more about how Ardent can help you implement a robust privacy program.

Personal Data Protection (PDP) Law Indonesia

On September 20, 2022, Indonesia’s House of Representatives passed the Personal Data Protection Bill (PDP Bill). This is the first step towards enactment of the PDP Bill as law. The second step was Presidential assent, which happened on October 17, 2022, and signifies the enactment and coming into force of the law.

Data localization, which was introduced in a previous draft, has been replaced by the general obligation for controllers to ensure data transferred across borders remains protected to a standard commensurate with the PDP Law. As for enforcement and sanctions, the PDP Law includes a large spectrum of avenues – from a private right of action for any violations of the law, to administrative fines and criminal penalties. For instance, the law sanctions “intentionally creating false data” with a criminal sentence of up to six years.

The PDP law covers within its ambit both electronic and non-electronic systems.

Article 2 of PDP law states that it shall apply to any person, which includes individuals and corporations, which performs legal action in Indonesia.

Personal data is categorized into general personal data and specific personal data under the PDP law.

Key obligations in brief:

Applicability

The PDP Law applies primarily to the processing of personal data, mainly, collection, processing, analyzing, storage, correction/update, transfer disclosure and deletion of personal data .

Article 2 of the PDP Law has expressly mandated that the PDP Law shall apply extraterritorially, which enables the implementation of PDP Law to reach not only entities within Indonesia but also entities outside of Indonesia insofar as their activities have legal impact in Indonesian jurisdiction or to Indonesian citizens residing outside of the Indonesian jurisdiction.

Basis for processing personal data

Article 20 of the PDP Law establishes the basis for processing personal data by the Controller:

Consent of the personal data subject.
Performance of obligations under a contract.
Data controllers must process personal data in a limited, specific, lawful, and transparent manner.
Organizations must also operationalize the principle of security of the processing (Article 16(2)(e)) through appropriate technical measures Controllers must also ensure accountability by records and ensure confidentiality of data.
Recording all processing operations and taking other measures to demonstrate responsibility of processing. Note the obligation to record all processing activities is broader than other data protection laws.

Obligations of Controllers

Article 21 requires the controller to provide information to data subjects on the legality, the purposes, the type, and the relevance of processing. Additionally, the controller must be able to show that consent is valid and, if withdrawn, end any processing operation in a specified time period. If consent is withdrawn, the controller has to also delete the personal data.

Data Protection Principles:

Data controllers must process personal data in accordance with a stated purpose .
Data controllers must ensure the accuracy, completeness, and consistency of the personal data they process, including notifying the data subject of any correction they make in response to a request.
Legal obligations.
Protection of a personal data subject’s vital interests.
Undertaking a task in the public interest or in exercise of legal authority.
Fulfillment of a legitimate interest, taking into account purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.

Obligations of Processors

Article 52 attaches a number of data controller obligations to processors as well, including:
Ensuring accuracy, completeness, and consistency of personal data, including “conducting verification”.
Recording all processing activities.
Ensuring the security of personal data by implementing appropriate technical and operational measures based on the risk posed by the data.
Maintaining confidentiality of personal data.
Supervising all parties involved in the processing of personal data.
Protecting data from unauthorized processing.
Preventing unlawful access of personal data.

Key challenges in brief:

Data Protection Impact assessment

Under Article 34, controllers must conduct a data protection impact assessment (DPIA) whenever processing of personal data has a high risk of harming the data subject.

Security breach notification

In case of a security breach, controllers must submit written notification no later than three days to the affected data subject and the DPA. The notice must contain the personal data involved in the breach, when and how the breach occurred, and any remedial measures taken by the data controller to mitigate harm.

Data Subject Rights

The PDP Law enumerates personal data subject rights and obligates controllers to guarantee those rights as a fundamental data protection principle under the law (Articles 5-14). These rights include:

Right to obtain information.
Right to access.
Right to rectification.
Right to end processing, delete, or destroy their personal data.
Right to delay or restrict processing.
Right to withdraw consent.
Right to object to decision-making measures.
Right to data portability.
Right to sue and receive compensation.

Cross-border data transfers

Article 56 of the PDP Law governs transfers of personal data outside of Indonesia, subject to the following conditions:

The recipient's country has an adequate or higher level of Personal Data protection than that stipulated in the PDP Law.
There exists an adequate level of binding Personal Data protection.
The consent of the Data Subject for the cross-border data transfer has been obtained.

In the event condition a is not fulfilled, then the Controller shall move to the fulfillment of condition b, and only if both a and b are not fulfilled, then the Controller shall move to the fulfillment of condition.

Solutions:

Data discovery, inventory and mapping

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing)

Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Data Minimization

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion

With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality

Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.

Key challenges in brief

Applicability:-

The PDP Law applies primarily to the processing of personal data, mainly, collection, processing, analyzing, storage, correction/update, transfer disclosure and deletion of personal data .

Basis for processing personal data:-

Article 20 of the PDP Law establishes the basis for processing personal data by the Controller:

Consent of the personal data subject.
Performance of obligations under a contract.
Data controllers must process personal data in a limited, specific, lawful, and transparent manner.
Organizations must also operationalize the principle of security of the processing (Article 16(2)(e)) through appropriate technical measures Controllers must also ensure accountability by records and ensure confidentiality of data.
Recording all processing operations and taking other measures to demonstrate responsibility of processing. Note the obligation to record all processing activities is broader than other data protection laws.

Obligations of Controllers:

Data Protection Principles:

Data controllers must process personal data in accordance with a stated purpose .
Data controllers must ensure the accuracy, completeness, and consistency of the personal data they process, including notifying the data subject of any correction they make in response to a request.
Legal obligations.
Protection of a personal data subject’s vital interests.
Undertaking a task in the public interest or in exercise of legal authority.
Fulfillment of a legitimate interest, taking into account purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.

Obligations of Processors:

Article 52 attaches a number of data controller obligations to processors as well, including:
Ensuring accuracy, completeness, and consistency of personal data, including “conducting verification”.
Recording all processing activities.
Ensuring the security of personal data by implementing appropriate technical and operational measures based on the risk posed by the data.
Maintaining confidentiality of personal data.
Supervising all parties involved in the processing of personal data.
Protecting data from unauthorized processing.
Preventing unlawful access of personal data.

Key challenges in brief:

Data Protection Impact assessment:

Under Article 34, controllers must conduct a data protection impact assessment (DPIA) whenever processing of personal data has a high risk of harming the data subject.

Security breach notification:

Data Subject Rights:

The PDP Law enumerates personal data subject rights and obligates controllers to guarantee those rights as a fundamental data protection principle under the law (Articles 5-14). These rights include:

Right to obtain information.
Right to access.
Right to rectification.
Right to end processing, delete, or destroy their personal data.
Right to delay or restrict processing.
Right to withdraw consent.
Right to object to decision-making measures.
Right to data portability.
Right to sue and receive compensation

Cross-border data transfers:

Article 56 of the PDP Law governs transfers of personal data outside of Indonesia, subject to the following conditions:

The recipient's country has an adequate or higher level of Personal Data protection than that stipulated in the PDP Law.
There exists an adequate level of binding Personal Data protection.
the consent of the Data Subject for the cross-border data transfer has been obtained.

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing): Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.