Personal Data Protection (PDP) Law Indonesia
Pointer

Data localization, which was introduced in a previous draft, has been replaced by the general obligation for controllers to ensure data transferred across borders remains protected to a standard commensurate with the PDP Law. As for enforcement and sanctions, the PDP Law includes a large spectrum of avenues – from a private right of action for any violations of the law, to administrative fines and criminal penalties. For instance, the law sanctions “intentionally creating false data” with a criminal sentence of up to six years.

Pointer

The PDP law covers within its ambit both electronic and non-electronic systems.

Pointer

Article 2 of PDP law states that it shall apply to any person, which includes individuals and corporations, which performs legal action in Indonesia.

Pointer

Personal data is categorized into general personal data and specific personal data under the PDP law.

The Trust Challenge

Key obligations in brief:

The PDP Law applies primarily to the processing of personal data, mainly, collection, processing, analyzing, storage, correction/update, transfer disclosure and deletion of personal data .

Article 2 of the PDP Law has expressly mandated that the PDP Law shall apply extraterritorially, which enables the implementation of PDP Law to reach not only entities within Indonesia but also entities outside of Indonesia insofar as their activities have legal impact in Indonesian jurisdiction or to Indonesian citizens residing outside of the Indonesian jurisdiction.

Article 20 of the PDP Law establishes the basis for processing personal data by the Controller:

  • Consent of the personal data subject.
  • Performance of obligations under a contract.
  • Data controllers must process personal data in a limited, specific, lawful, and transparent manner.
  • Organizations must also operationalize the principle of security of the processing (Article 16(2)(e)) through appropriate technical measures Controllers must also ensure accountability by records and ensure confidentiality of data.
  • Recording all processing operations and taking other measures to demonstrate responsibility of processing. Note the obligation to record all processing activities is broader than other data protection laws.

Article 21 requires the controller to provide information to data subjects on the legality, the purposes, the type, and the relevance of processing. Additionally, the controller must be able to show that consent is valid and, if withdrawn, end any processing operation in a specified time period. If consent is withdrawn, the controller has to also delete the personal data.

Data Protection Principles:

  • Data controllers must process personal data in accordance with a stated purpose .
  • Data controllers must ensure the accuracy, completeness, and consistency of the personal data they process, including notifying the data subject of any correction they make in response to a request.
  • Legal obligations.
  • Protection of a personal data subject’s vital interests.
  • Undertaking a task in the public interest or in exercise of legal authority.
  • Fulfillment of a legitimate interest, taking into account purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.
  • Article 52 attaches a number of data controller obligations to processors as well, including:
  • Ensuring accuracy, completeness, and consistency of personal data, including “conducting verification”.
  • Recording all processing activities.
  • Ensuring the security of personal data by implementing appropriate technical and operational measures based on the risk posed by the data.
  • Maintaining confidentiality of personal data.
  • Supervising all parties involved in the processing of personal data.
  • Protecting data from unauthorized processing.
  • Preventing unlawful access of personal data.
Win-Win Situation

Key challenges in brief:

Under Article 34, controllers must conduct a data protection impact assessment (DPIA) whenever processing of personal data has a high risk of harming the data subject.

In case of a security breach, controllers must submit written notification no later than three days to the affected data subject and the DPA. The notice must contain the personal data involved in the breach, when and how the breach occurred, and any remedial measures taken by the data controller to mitigate harm.

The PDP Law enumerates personal data subject rights and obligates controllers to guarantee those rights as a fundamental data protection principle under the law (Articles 5-14). These rights include:

  • Right to obtain information.
  • Right to access.
  • Right to rectification.
  • Right to end processing, delete, or destroy their personal data.
  • Right to delay or restrict processing.
  • Right to withdraw consent.
  • Right to object to decision-making measures.
  • Right to data portability.
  • Right to sue and receive compensation.

Article 56 of the PDP Law governs transfers of personal data outside of Indonesia, subject to the following conditions:

  • The recipient's country has an adequate or higher level of Personal Data protection than that stipulated in the PDP Law.
  • There exists an adequate level of binding Personal Data protection.
  • The consent of the Data Subject for the cross-border data transfer has been obtained.

In the event condition a is not fulfilled, then the Controller shall move to the fulfillment of condition b, and only if both a and b are not fulfilled, then the Controller shall move to the fulfillment of condition.

Win-Win Situation

Solutions:

Ardent Privacy’s Solutions relating to the above mentioned challenges:

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.

The Trust Challenge

Key challenges in brief

Pointer

Applicability:-

The PDP Law applies primarily to the processing of personal data, mainly, collection, processing, analyzing, storage, correction/update, transfer disclosure and deletion of personal data .

Article 2 of the PDP Law has expressly mandated that the PDP Law shall apply extraterritorially, which enables the implementation of PDP Law to reach not only entities within Indonesia but also entities outside of Indonesia insofar as their activities have legal impact in Indonesian jurisdiction or to Indonesian citizens residing outside of the Indonesian jurisdiction.

Pointer

Basis for processing personal data:-

Article 20 of the PDP Law establishes the basis for processing personal data by the Controller:

  • Consent of the personal data subject.
  • Performance of obligations under a contract.
  • Data controllers must process personal data in a limited, specific, lawful, and transparent manner.
  • Organizations must also operationalize the principle of security of the processing (Article 16(2)(e)) through appropriate technical measures Controllers must also ensure accountability by records and ensure confidentiality of data.
  • Recording all processing operations and taking other measures to demonstrate responsibility of processing. Note the obligation to record all processing activities is broader than other data protection laws.
Pointer

Obligations of Controllers:

Article 21 requires the controller to provide information to data subjects on the legality, the purposes, the type, and the relevance of processing. Additionally, the controller must be able to show that consent is valid and, if withdrawn, end any processing operation in a specified time period. If consent is withdrawn, the controller has to also delete the personal data.

Data Protection Principles:

  • Data controllers must process personal data in accordance with a stated purpose .
  • Data controllers must ensure the accuracy, completeness, and consistency of the personal data they process, including notifying the data subject of any correction they make in response to a request.
  • Legal obligations.
  • Protection of a personal data subject’s vital interests.
  • Undertaking a task in the public interest or in exercise of legal authority.
  • Fulfillment of a legitimate interest, taking into account purpose and need of processing, and balancing the interests of the personal data controller with the rights of the personal data subject.
Pointer

Obligations of Processors:

  • Article 52 attaches a number of data controller obligations to processors as well, including:
  • Ensuring accuracy, completeness, and consistency of personal data, including “conducting verification”.
  • Recording all processing activities.
  • Ensuring the security of personal data by implementing appropriate technical and operational measures based on the risk posed by the data.
  • Maintaining confidentiality of personal data.
  • Supervising all parties involved in the processing of personal data.
  • Protecting data from unauthorized processing.
  • Preventing unlawful access of personal data.
The Trust Challenge

Key challenges in brief:

Pointer

Data Protection Impact assessment:

Under Article 34, controllers must conduct a data protection impact assessment (DPIA) whenever processing of personal data has a high risk of harming the data subject.

Pointer

Security breach notification:

In case of a security breach, controllers must submit written notification no later than three days to the affected data subject and the DPA. The notice must contain the personal data involved in the breach, when and how the breach occurred, and any remedial measures taken by the data controller to mitigate harm.

Pointer

Data Subject Rights:

The PDP Law enumerates personal data subject rights and obligates controllers to guarantee those rights as a fundamental data protection principle under the law (Articles 5-14). These rights include:

  • Right to obtain information.
  • Right to access.
  • Right to rectification.
  • Right to end processing, delete, or destroy their personal data.
  • Right to delay or restrict processing.
  • Right to withdraw consent.
  • Right to object to decision-making measures.
  • Right to data portability.
  • Right to sue and receive compensation
Pointer

Cross-border data transfers:

Article 56 of the PDP Law governs transfers of personal data outside of Indonesia, subject to the following conditions:

  • The recipient's country has an adequate or higher level of Personal Data protection than that stipulated in the PDP Law.
  • There exists an adequate level of binding Personal Data protection.
  • the consent of the Data Subject for the cross-border data transfer has been obtained.

In the event condition a is not fulfilled, then the Controller shall move to the fulfillment of condition b, and only if both a and b are not fulfilled, then the Controller shall move to the fulfillment of condition.

Win-Win Situation

Solutions

Ardent Privacy’s Solutions relating to the above mentioned challenges:

Pointer

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Pointer

Third party Privacy Intelligence (monitors third party sharing): Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Pointer

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Pointer

Right to be Forgotten (RTBF) with Assured Deletion: With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Pointer

Enable Data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.

Featured News & Blogs

Be the first to catch our latest updates,
happenings and more.

Follow us