Global Business Guide Indonesia

Sign up for the GBG Indonesia Quarterly Business Intelligence Report for the latest news on your sector.
Sign Up
Legal Updates | Management of Personal Data: What Companies in Indonesia Should Know

The management of personal data under Indonesian law is largely consent-based. This consent must be given in writing by the owners of the personal data, either manually or electronically, after the owners are given a full explanation of any actions that will be taken in regards to their personal data – including any cross-border transfer.

Any company that obtains such consent can manage the personal data as long as this management falls under the scope of the consent given. So, for example, a company may not disclose the personal data if the owner of the data has not given his or her consent for such disclosure.

Transfer of Personal Data Outside of Indonesia

The newly-issued Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (“Reg. 20/2016”), provides that any electronic system provider that operates in Indonesia must fulfill several requirements if it intends to transfer personal data outside of Indonesia.

First, the electronic system provider must coordinate with the MOCI or an authorised government official prior to and after the transfer. This coordination includes (i) reporting the planned transfer of personal data, including at least the destination country, the full name of the party that will receive the personal data, the date of the transfer, and the reason or purpose of the transfer; and (iii) reporting the result of the transfer.

Second, the electronic system provider must fulfill all applicable regulatory provisions on the cross-border exchange of personal data.

That said, there are currently no further regulatory provisions on the cross-border exchange of personal data. Such provisions are contained in a draft law on the protection of personal data. This draft law stipulates that any cross-border transfer of personal data must obtain the prior consent of the owner of the transferred personal data.

This transfer of personal data must be done in accordance with the purpose of the acquisition and collection of the data.

Definition of an Electronic System Provider

An electronic system provider is defined as any person, state administrator, business entity, or community that provides, manages and/or operates an electronic system, either individually or collectively, to electronic system users for its own or another party’s interests.

Accessing and Storing Personal Data

Reg. 20/2016 provides for the right of owners of personal data to access their data stored by an electronic system provider, including to change or update the data. It also provides that electronic system providers that provided, stored and managed personal data prior to the enactment of Reg. 20/2016 must continue to maintain the privacy of the personal data managed and to comply with all provisions under Reg. 20/2016 at the latest two years after the enactment of Reg. 20/2016 (i.e., by 1st December 2018).

Non-compliance with the provisions of Reg. 20/2016 may result in administrative sanctions. These sanctions are (i) written warnings, (ii) temporary suspension of business activities, and/or (iii) an announcement on the website of the non-compliant party.

SSEK - 3rd march 2017

icone share

Indonesia Snapshot

Capital: Jakarta
Population: 259 million (2016)
Currency: Indonesian Rupiah
Nominal GDP: $936 billion USD (IMF, 2016)
GDP Per Capita: $3,620 USD at Current Prices (IMF, 2016)
GDP Growth: 5.0% (2016)
External Debt: 36.80% of GDP (BI, Q2 2016)
Ease of Doing Business: 91/190 (WB, 2017)
Corruption Index: 90/176 (TI, 2016)