
Data Protection Regulations in Indonesia

There are going to be new data protection regulations in Indonesia amid the growing worries about personal data security breaches. The law will be the first of its kind in the country.

Indonesia becomes the fifth Southeast Asian country to introduce such a regulation. Other countries include Singapore, Malaysia, the Philippines, and Thailand.


The new data protection regulations in Indonesia will be known as the Personal Data Protection Law (PDPL). The regulations will be based on the European Union's General Data Protection Regulation (EU GDPR).

These new regulations will clearly outline on what legal basis personal information and data can be obtained. There will be strict rules in place about administrative and criminal sanctions should anyone be found guilty of breaking this law.

The data protection regulations in Indonesia apply to both international companies and local businesses. International businesses will be held accountable for the way that they handle Indonesian consumers’ data. Corporate fines under the regulations could be as much as 2% of a company’s annual revenue. Individuals breaching this law can be fined up to 6 billion rupiah (US$400,000).


Other Key Features Of the Data Protection Regulations in Indonesia

There are several other key areas that will be covered under the PDPL. These areas include controllers, personal data subjects, and processors. Personal data subjects are defined as “the individual whom the data belongs to”. Under the regulations, the data subjects will be entitled to information about how their personal data is being utilised.

Personal data controllers are classified as a “person, organisation, or public body” that exercises control over how personal data is processed. Personal data processors are a “person, organisation, or public body” that processes the data on behalf of the data controllers.

It is important that both parties ensure personal data is handled with utmost accuracy and security.

Under the PDPL, personal data can be obtained legally through the following alternatives:


  • Legal obligation
  • Contractual
  • Consent
  • Legitimate interest
  • Public task
  • Vital interest


Are There Any Exemptions Under the New Data Protection Regulations in Indonesia?

Yes, some exemptions apply under the PDPL. Under the exemptions, personal data for household or personal use is not eligible for processing. These exemptions include the following:


  • Public interest (for state administrative purposes)
  • Financial services sector supervision
  • Law enforcement
  • National defense and security purposes


The financial services sector is also broadly exempted. Furthermore, controllers will have to meet stricter requirements, for example when it comes to record-keeping obligations by the company board, or the unique provisions that facial recognition technologies use.

What About Other Territories and Jurisdictions?

Any individual, public body, or organisation (local and international) must conduct activities that are within the scope of the PDPL. This especially applies if they are within Indonesian jurisdiction or outside Indonesia’s jurisdiction. If they are located externally but the actions have a legal impact on the jurisdiction of Indonesia, the PDPL still applies.