1) What national laws regulate the collection and use of personal data?

The general rule governing the collection and use of personal data in Indonesia is Law No. 11 of 2008 as amended by Law No. 19 of 2016 on the Information and Electronic Transaction (“IET Law”), as implemented by Government Regulation No. 82 of 2012 on the Implementation of Electronic System and Transaction (“GR 82”), Regulation of Minister of Communication and Informatics No. 36 of 2014 (“Reg 36”) on the Procedure of Registration of Electronic System Operator and Regulation of Minister of Communication and Informatics No. 20 of 2016 on the Protection of Personal Data in Electronic System (“Reg 20”).

2) To whom do the laws apply?

The laws apply to all Electronic System Operators, a term broadly defined as any person (including a business entity) providing, managing and/or operating an electronic system for its own interests or a third party's interest. As a general rule, Indonesian laws have territorial effect, meaning they apply only within Indonesian jurisdiction and should not apply to non-Indonesians outside Indonesia's jurisdiction. Nonetheless, an exception applies in relation to the IET Law, which specifically sets out an extra-territorial provision.

3) What data is regulated?

Any true and accurate information that attaches to, and can be identified with, an individual, either directly or indirectly, and which is stored and maintained in an electronic system.

4) What acts are regulated?

The collection, processing, analysis, storage, display, announcement, transmission and deletion of Personal Data.

5) What is the jurisdictional scope of the rules?

Please refer to our response in #2.

6) Is notification or registration required before processing data?

No specific notification or registration is required. Prior to processing personal data, the Electronic System Operator is obliged to explain the processing method/mechanisms. Nonetheless, note that an Electronic System Operator conducting public services (for example, online trading and online financial transactions) is required to register its electronic system with the Ministry of Communication and Informatics (“MCI”) and obtain the so-called Evidence of Electronic System Operator Registration (Tanda Daftar Penyelenggara Sistem Elektronik).

7) What are the main obligations imposed on data controllers to ensure data is processed properly? What are the main exemptions (if any)?

To process any personal data, an Electronic System Operator must:

  • Obtain prior written approval from the data owner;
  • Verify the accuracy and validity of the personal data with the data subject; and
  • Only use the data according to the needs of the Electronic System Operator.

The prior written approval requirement is exempted in the case of criminal litigation proceedings, on the basis of a request from the relevant authority (e.g. a police officer).

8) Is the consent of data subjects required before processing data?

Yes, consent is required before processing data.

9) If consent is not given, on what other grounds (if any) can processing be justified?

Please refer to our response in #7.

10) Do special rules apply for certain types of data, such as sensitive data?

There is no regulatory differentiation between types of Personal Data, but any data owner has the right to instruct an Electronic System Operator to maintain the confidentiality of certain requested information.

11) What information should be provided to data subjects at the point of collection of the personal data?

When collecting the personal data, an Electronic System Operator must inform the data owner of the data collection activity and how the data will be processed, analyzed, stored, displayed, transmitted or transferred.

Data owners also have the right to update/revise their personal data.

12) What other specific rights are granted to data subjects?

Reg 20 lists the rights of a data owner:

  • confidentiality rights;
  • to submit a report/complaint to the MCI for any security breach of his/her personal data;
  • access to change or update his/her personal data;
  • access to track the history of his/her data given to the Electronic System Operator; and
  • to delete his/her personal data.

13) Do data subjects have the right to request the deletion of their data?

Yes.

14) What security requirements are imposed in relation to personal data?

  • The electronic system used by the Electronic System Operator must be certified by the MCI;
  • The Electronic System Operator must apply an internal protection rule;
  • The electronic system must be interoperable and compatible, and must only use authorized software;
  • If the Electronic System Operator is conducting public services, its data centre and disaster recovery centre must be located in Indonesia;
  • Other measures to prevent security breaches, for example, security training for its employees; and
  • The Electronic System Operator must notify MCI of its plan to transfer personal data outside Indonesia and submit a post-transfer report to MCI.

15) Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

Yes, particularly to the data owner. Reg 20 requires an Electronic System Operator to notify the data owner in writing, specifying the reason or cause of the breach, within 14 days after it becomes aware of the security breach.

16) What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

The regulation is not specific on this point, but the general rule is that any use of data by a third party on behalf of the Electronic System Operator must first be approved by the data owner.

17) What rules regulate the transfer of data outside your jurisdiction?

An Electronic System Operator is required to notify MCI of its plan to transfer the personal data outside Indonesia before the transfer. Subsequently, after the transfer, it must submit a post-transfer report to MCI.

The report must at least include: (i) the name of the destination country; (ii) the name of the recipient; (iii) the date of transfer; and (iv) the reason/purpose of the transfer.

18) What are the enforcement powers of the national regulator?

In case of non-compliance, the government has the authority to impose the administrative sanctions specified in #20 below. According to news reports, there is a precedent in which the MCI sent warning letters to Facebook Indonesia over misuse of data.

19) What are the sanctions and remedies for non-compliance with data protection laws?

Administrative sanctions in the form of warnings, suspension of activities and public announcement.