Personal Data Protection

Personal Data Protection and Cyber Security
Introduction
The rapid development of information and communication technology has transformed the way individuals and organizations interact, process, and share information. While this technological progress has generated numerous opportunities, it has also introduced substantial challenges, particularly in ensuring the protection of personal data. In 2023, Indonesia faced a major data breach when sensitive information from the social security agency was leaked. Acknowledging personal data protection as a fundamental human right, the Government enacted Law 27 of 2022 on Personal Data Protection ("Law 27/2022"). Effective as of 17 October 2022, Law 27/2022 sets comprehensive regulations applicable to all personal data processing activities.
Law 27/2022 establishes a legal framework to protect Personal Data in all stages of processing in order to guarantee the constitutional rights of the Personal Data subject. In this case, Personal Data means data relating to an identified or identifiable individual, wherein an identifiable individual is a person who can be identified, either independently or in a combination with other information, directly or indirectly, through an electronic or nonelectronic system.
Law 27/2022 applies to every person, public agency, and international organization processing Personal Data: (i) within the jurisdiction of the Republic of Indonesia; or (ii) outside the jurisdiction of the Republic of Indonesia, if their activities have legal consequences within the jurisdiction of the Republic of Indonesia or towards Indonesian citizens abroad. To ensure a seamless transition for stakeholders, Law 27/2022 provides a 2 (two)-year transitional period during which organizations are required to align their policies and systems with the provisions of Law 27/2022.
In addition, the Government also issued Presidential Regulation No. 82 of 2022 ("PR 82/2022"), which establishes a legal framework to provide direction, a basis, and legal certainty in protecting vital information infrastructure from any kind of disruption resulting from the misuse of electronic information and electronic transactions.
Types of Personal Data and Personal Data Processing
Law 27/2022 stipulates that Personal Data shall consist of: (i) specific Personal Data; and (ii) general Personal Data. Specific Personal Data shall include:
- health data and information, referring to individual records or information relating to physical health, mental health, and/or health services;
- biometric data, referring to data relating to the physical, physiological, or behavioral characteristics of an individual that allow the unique identification of that individual, such as facial images or dactyloscopy data. Biometric data also describes the uniqueness and/or characteristics of a person that must be maintained and cared for, including but not limited to fingerprint records, eye retina, and DNA samples;
- genetic data, referring to all data of any kind regarding the characteristics of an individual that are inherited or acquired during early prenatal development;
- crime records, referring to a written record of a person who has committed an unlawful act or violated laws, or is currently in the judicial process for the committed act, including police records and inclusion in the list of prevention or deterrence;
- child data;
- personal financial data, which shall include, but is not limited to, data on the amount of deposits in banks (including savings and time deposits) and credit card data; and/or
- other data in accordance with provisions of laws and regulations.
Meanwhile, general Personal Data shall include:
- full name;
- gender;
- citizenship;
- religion;
- marital status; and/or
- combined Personal Data that identifies a person, such as a cellular phone number and an IP address.
Furthermore, Law 27/2022 stipulates that the processing of Personal Data includes several stages, from collecting to deleting the Personal Data. The specific stages of Personal Data processing are as follows:
- acquisition and collection;
- filtering and analysis;
- storage;
- correction and updating;
- display, announcement, transfer, dissemination, or disclosure; and/or
- deletion or destruction.
Personal Data processing as mentioned above shall be carried out in accordance with the Personal Data Protection principles, which are summarized in the figure below.

[Figure: Personal Data Protection Principles. Source: Law 27/2022.]
In this regard, Personal Data processing may be carried out by 2 (two) or more Personal Data Controllers. In that event, several minimum requirements must be met: (i) an agreement between the Personal Data Controllers that sets out the roles, responsibilities, and relationship between them; (ii) interrelated purposes and means of Personal Data processing that are mutually determined; and (iii) a jointly appointed contact person.
Stakeholders in Personal Data Protection
Law 27/2022 regulates the stakeholders involved in Personal Data Protection, as illustrated in the figure below:

[Figure: Stakeholders in Personal Data Protection. Source: Law 27/2022.]

- Personal Data Subject
Personal Data Subject means an individual to whom Personal Data is attached.[1] A Personal Data Subject has rights that must be protected, among others the right to:
- end the processing of, delete, and/or destroy Personal Data concerning themselves in accordance with provisions of laws and regulations;
- withdraw the consent to the processing of Personal Data concerning themselves that has been given to the Personal Data Controller;
- object to a decision based solely on automated processing, including profiling, which has a legal effect concerning themselves or otherwise has a significant impact on the Personal Data Subject;
- postpone or restrict the processing of Personal Data in proportion to the purpose for which the Personal Data is processed;
- obtain and/or use Personal Data concerning themselves from a Personal Data Controller in a structured, commonly used, and/or electronic-system-readable format; and
- use and transmit Personal Data concerning themselves to another Personal Data Controller, to the extent that the systems used can securely exchange communications with each other under the principles of Personal Data Protection set out in Law 27/2022.
Nevertheless, the rights of the Personal Data Subject mentioned above are excluded for the following purposes:
- the interest of national defense and security;
- the interest of law enforcement;
- the public interest in the scope of the administration of the state;
- the interest of supervision of the financial sector, monetary sector, financial system, and financial system stability carried out within the scope of the administration of the state; or
- the purpose of statistical and scientific research.
In addition, the implementation of the rights of Personal Data Subject as stipulated in Law 27/2022 shall be submitted through a registered application that is submitted electronically or non-electronically to a Personal Data Controller.
- Personal Data Controller
Personal Data Controller shall include (i) any Person, (ii) Public Agency, and (iii) International Organization. Further, a Personal Data Controller must have a basis for Personal Data processing, which shall include the bases shown in the figure below.

[Figure: Personal Data Processing Basis. Source: Law 27/2022.]

Further, approval for Personal Data processing shall be carried out through a written or recorded consent that may be given electronically or non-electronically. In the event that the approval also covers other purposes, the request for approval must meet the following conditions:
- be clearly distinguishable from other matters;
- be made in a comprehensible and easily accessible form; and
- use simple and clear language.
In processing Personal Data, the Personal Data Controller must show proof of consent given by a Personal Data Subject and process Personal Data in a limited and specific, lawful, and transparent manner.[3] Law 27/2022 also stipulates that the Personal Data Controller must carry out the Personal Data processing in accordance with the purpose of the Personal Data processing and record all Personal Data processing activities. The Personal Data Controller shall also ensure accuracy, completeness, and consistency of Personal Data in accordance with the laws and regulations.
In addition, the Personal Data Controller has the obligation to protect and ensure the security of the Personal Data that it processes, by performing:
- the preparation and implementation of operational technical measures to protect Personal Data from disruption in the Personal Data processing that is contrary to provisions of laws and regulations; and
- the determination of the security level of Personal Data, taking into account the nature and risks of the Personal Data that must be protected in the Personal Data processing.
A Personal Data Controller must maintain the confidentiality of the Personal Data and supervise each party involved in the Personal Data processing under its control. The Personal Data Controller must also protect the Personal Data from unauthorized processing and prevent illegal access to it. Such preventive measures shall be carried out by using an electronic system in a reliable, secure, and responsible manner in accordance with provisions of laws and regulations. In the event of a failure of Personal Data Protection, the Personal Data Controller must provide a written notification no later than 3 x 24 (three times twenty-four) hours to: (i) the Personal Data Subject; and (ii) the Personal Data Protection agency. In certain cases, the Personal Data Controller is also required to notify the public of the failure of Personal Data Protection.
Moreover, a Personal Data Controller in the form of a legal entity that performs a merger, spin-off, acquisition, consolidation, or dissolution of the legal entity must submit a notification regarding the transfer of Personal Data to the Personal Data Subject, which shall be made both before and after the merger, spin-off, acquisition, consolidation, or dissolution of the legal entity. In the event that the said Personal Data Controller dissolves or is dissolved, the storage, transfer, deletion, or destruction of Personal Data shall be carried out in accordance with provisions of laws and regulations and shall be notified to the Personal Data Subject.
However, certain obligations of a Personal Data Controller stipulated in Law 27/2022 are exempted for:
- the interests of national defense and security;
- the interests of the law enforcement process;
- the public interest in the context of state administration; or
- the interests of supervision of the financial services sector, monetary sector, payment system, and financial system stability carried out in the context of state administration.
- Personal Data Processor
Personal Data Processor shall include: (i) any Person, (ii) Public Agency, and (iii) International Organization. The obligations of a Personal Data Processor under Law 27/2022 are as follows:
- in the event that a Personal Data Controller appoints a Personal Data Processor, the Personal Data Processor must process Personal Data based on the instructions of the Personal Data Controller, which shall be carried out in accordance with Law 27/2022 and remains the responsibility of the Personal Data Controller;
- the Personal Data Processor may involve other Personal Data Processors in Personal Data processing, but must obtain written approval from the Personal Data Controller before doing so; and
- in the event that the Personal Data Processor performs Personal Data processing outside of the orders and purposes set by the Personal Data Controller, that Personal Data processing shall be the responsibility of the Personal Data Processor.
Furthermore, certain obligations of the Personal Data Controller also apply to the Personal Data Processor, as follows:
- the Personal Data Processor must ensure the accuracy, completeness, and consistency of Personal Data in accordance with provisions of laws and regulations;
- in ensuring the accuracy, completeness, and consistency of Personal Data, the Personal Data Processor must carry out a verification;
- the Personal Data Processor must record all Personal Data processing activities;
- the Personal Data Processor must protect and ensure the security of the Personal Data that it processes;
- in conducting Personal Data processing, the Personal Data Processor must maintain the confidentiality of the Personal Data;
- the Personal Data Processor must supervise each party that is involved in the Personal Data processing;
- the Personal Data Processor must protect Personal Data from unauthorized processing; and
- the Personal Data Processor must prevent the Personal Data from being accessed illegally.
- Officials or Officers Carrying Out the Personal Data Protection Function
Article 53 of Law 27/2022 stipulates that a Personal Data Controller and a Personal Data Processor must appoint officials or officers who carry out the Personal Data Protection function, selected on the basis of professionalism, knowledge of the law, Personal Data Protection practice, and the ability to fulfil their duties, in the event that:
- the processing of Personal Data is carried out for the purpose of public services;
- the core activities of the Personal Data Controller have a nature, scope, and/or purpose that requires regular and systematic monitoring of Personal Data on a large scale; and/or
- the core activities of the Personal Data Controller consist of the large-scale processing of specific Personal Data and/or Personal Data related to criminal acts.
Furthermore, the officials or officers who carry out the Personal Data Protection function shall have at least the following duties:
- inform and advise the Personal Data Controller or the Personal Data Processor in order to comply with Law 27/2022;
- monitor and ensure compliance with Law 27/2022 and with the policies of the Personal Data Controller or Personal Data Processor;
- provide advice on assessing the impact of Personal Data Protection and monitor the performance of the Personal Data Controller and the Personal Data Processor; and
- coordinate and act as a liaison for issues related to the processing of Personal Data.
Additionally, officials or officers who carry out the Personal Data Protection function shall consider the risk related to the Personal Data processing, taking into account the nature, scope, context, and purpose of the processing.
- Personal Data Protection Agency
Law 27/2022 stipulates that the Government shall participate in the organization of Personal Data Protection, which shall be conducted by an agency established by the President and responsible to the President. Furthermore, in order to realize the implementation of Personal Data Protection, the agency shall carry out:
- the formulation and stipulation of policies and strategies for Personal Data Protection, which shall become the guideline for Personal Data Subjects, Personal Data Controllers, and Personal Data Processors;
- supervision of the organization of Personal Data Protection;
- enforcement of administrative law on violations of Law 27/2022; and
- facilitation of out-of-court dispute settlement.
Further provisions regarding this agency will be regulated by Presidential Regulation. Moreover, Article 61 of Law 27/2022 stipulates that the procedures for the exercise of the agency's authority will be regulated in a Government Regulation. However, to date, the intended Presidential Regulation has not been enacted.
Transfer of Personal Data
Law 27/2022 stipulates that Personal Data Controller may transfer Personal Data to other (i) Personal Data Controller within the jurisdiction of the Republic of Indonesia; and (ii) Personal Data Controller and/or Personal Data Processor outside the jurisdiction of the Republic of Indonesia.
- Transfer of Personal Data Within the Jurisdiction of the Republic of Indonesia
The Personal Data Controller may transfer Personal Data to another Personal Data Controller within the jurisdiction of the Republic of Indonesia. Both the Personal Data Controller that transfers the Personal Data and the one that receives it must carry out Personal Data Protection as referred to in Law 27/2022.
- Transfer of Personal Data Outside the Jurisdiction of the Republic of Indonesia
The Personal Data Controller may transfer Personal Data to another Personal Data Controller and/or a Personal Data Processor outside the jurisdiction of the Republic of Indonesia in accordance with the provisions of Law 27/2022. In carrying out the transfer, the Personal Data Controller must ensure that the country of domicile of the receiving Personal Data Controller and/or Personal Data Processor has a level of Personal Data Protection equal to or higher than that regulated under Law 27/2022.
In the event that the above condition is not fulfilled, the Personal Data Controller must ensure that there is adequate and binding Personal Data Protection and must obtain the consent of the Personal Data Subject.
Dispute Settlement and Procedural Law

[Figure: Dispute Settlement based on Law 27/2022. Source: Law 27/2022.]
In resolving disputes related to Personal Data, the settlement of a Personal Data Protection dispute shall be conducted through arbitration, court, or other alternative dispute resolution agencies in accordance with provisions of laws and regulations. Furthermore, the procedural law that applies to the settlement of a Personal Data Protection dispute and/or judiciary process shall be implemented based on the procedural law that is applicable in accordance with provisions of laws and regulations.
Moreover, the valid evidence in Law 27/2022 shall consist of: (i) evidence as referred to in the procedural law; and (ii) other evidence in the form of electronic information and/or electronic documents in accordance with provisions of laws and regulations. In the event that it is necessary to protect the Personal Data, the court proceeding may be carried out in a closed court.
Prohibitions in The Use of Personal Data and Criminal Provisions
Law 27/2022 explicitly prohibits the unlawful obtaining or collecting of Personal Data that does not belong to the person concerned, with the intention of benefiting themselves or other persons, where this may cause loss to the Personal Data Subject. Furthermore, every Person is prohibited from unlawfully disclosing and using Personal Data that does not belong to them.
To address these prohibitions, Article 67 of Law 27/2022 stipulates that every Person who intentionally and unlawfully:
- obtains or collects Personal Data that does not belong to them with the intention of benefiting themselves or other persons, where this may cause loss to the Personal Data Subject, shall be sentenced to a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp5,000,000,000,- (five billion Rupiah);
- discloses Personal Data that does not belong to them shall be sentenced to a maximum imprisonment of 4 (four) years and/or a maximum fine of Rp4,000,000,000,- (four billion Rupiah); and
- uses Personal Data that does not belong to them shall be sentenced to a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp5,000,000,000,- (five billion Rupiah).
Concurrently, Article 68 of Law 27/2022 provides a specific provision under which any Person who intentionally creates false Personal Data or falsifies Personal Data in order to benefit themselves or other persons, where this may cause loss to other persons, shall be sentenced to imprisonment of up to 6 (six) years and/or a fine of up to Rp6,000,000,000,- (six billion Rupiah). In addition to these sentences, an additional sentence may be imposed in the form of confiscation of the profits and/or assets obtained or proceeds from the criminal act, and payment of compensation.
Moreover, in the event that the crimes referred to in Article 67 and Article 68 of Law 27/2022 are committed by a Corporation, the sentence may be imposed on the management, controller, commanding officer, beneficial owner, and/or the Corporation itself. The only sentence that may be imposed on a Corporation is a fine, amounting to a maximum of 10 (ten) times the maximum fine otherwise applicable. In addition to the fine, a Corporation may be subject to the following additional penalties:
- seizure of profits and/or assets acquired or proceeds from the crimes;
- suspension of all or part of the Corporation's business;
- a permanent prohibition on engaging in certain actions;
- closure of all or part of the place of business and/or activities of the Corporation;
- compulsory fulfilment of obligations that have been neglected;
- payment of compensation;
- revocation of license; and/or
- dissolution of the Corporation.
Cyber Security
- Vital Information Infrastructure Protection
Vital Information Infrastructure is defined as an electronic system that utilizes information technology and/or operational technology, either stand-alone or interdependent with other electronic systems, in supporting strategic sectors, where a disruption, damage, and/or destruction of that infrastructure would have a serious impact on the public interest, public services, defense and security, or the national economy. PR 82/2022 provides the legal basis for clear direction, a solid foundation, and legal certainty in protecting Vital Information Infrastructure from all types of interference caused by the misuse of electronic information and electronic transactions. Vital Information Infrastructure may be operated by several actors, including state agencies, business entities, and/or any organization that owns or operates Vital Information Infrastructure.
Subsequently, the protection of Vital Information Infrastructure aims to:
- protect the continuity of the operation of Vital Information Infrastructure in a safe, reliable, and trustworthy manner;
- prevent disruption, damage, and/or destruction of Vital Information Infrastructure due to cyber-attacks and/or other threats or vulnerabilities; and
- improve preparedness in facing cyber incidents and accelerate recovery from the impacts of cyber incidents.
- Identification of Vital Information Infrastructure Sectors
The operation of Vital Information Infrastructure may be carried out in the sectors listed below:[5]
(a) government administration;
(b) energy and mineral resources;
(c) transportation;
(d) finance;
(e) health;
(f) information and communication technology;
(g) food;
(h) defense; and
(i) other sectors determined by the President that qualify as strategic sectors, where a disruption, damage, and/or destruction of Vital Information Infrastructure within the sector in question would have a serious impact on the public interest, public services, defense and security, or the national economy.[6]
The ministries or agencies in charge of the Vital Information Infrastructure sectors referred to in points (a) to (h) are determined as follows:
- the National Cyber and Crypto Agency ("BSSN"), for the government administration sector;
- the ministry which organizes government affairs in the energy and mineral resources sector, for the energy and mineral resources sector;
- the ministry which organizes government affairs in the transportation sector, for the transportation sector;
- the financial sector regulatory and supervisory authorities, for the financial sector;
- the ministry which organizes government affairs in the health sector, for the health sector;
- the ministry which organizes government affairs in the field of communication and informatics, for the information and communication technology sector;
- the ministry which organizes government affairs in the agricultural sector, for the food sector; and
- the ministry which organizes government affairs in the field of defence, for the defence sector.
In order to determine the other sectors referred to in point (i), the President shall determine and propose them, along with the relevant ministry or agencies, to the Head of BSSN. The proposal shall be submitted based on the results of the Vital Information Infrastructure protection coordination meeting. The President shall stipulate the relevant ministries or agencies under a Presidential Decree.
Vital Information Infrastructure identification must be conducted by all electronic system organizers within the scope of the Vital Information Infrastructure sectors at least 1 (one) time in 1 (one) year. Pursuant to this obligation, each electronic system organizer shall report the results of the Vital Information Infrastructure identification, together with relevant information, to the relevant ministry or agency. The ministry or agency shall verify the reported identification results and subsequently designate the electronic system as a Vital Information Infrastructure and the electronic system organizer within the Vital Information Infrastructure sector as a Vital Information Infrastructure organizer.
Cyber Security Management
Additionally, PR 82/2022 establishes cyber security standards and management protocols specifically for the protection of Vital Information Infrastructure. Article 9(1) of PR 82/2022 requires that a Vital Information Infrastructure organizer shall implement Vital Information Infrastructure protection in a reliable and secure manner and shall be responsible for ensuring the proper operation of the Vital Information Infrastructure. Cybersecurity risk management shall be effectively implemented by each Vital Information Infrastructure organizer in compliance with the applicable laws and regulations, the standards applicable to the relevant Vital Information Infrastructure sector, and the internal control system applicable to the Vital Information Infrastructure organizer.
Vital Information Infrastructure organizers shall report the results of their cybersecurity risk management implementation to the relevant ministries or agencies. Where a ministry or agency itself acts as a Vital Information Infrastructure organizer, the results shall be reported to BSSN. Cyber security incident management under PR 82/2022 is carried out through a cyber incident response team, which operates at three levels, as shown in the figure below.

[Figure: Cyber security incident management based on PR 82/2022. Source: PR 82/2022.]
Measurement of Cyber Security Maturity Levels
PR 82/2022 requires Vital Information Infrastructure organizers to independently conduct a Cyber Security Maturity Level measurement at least once a year and to report the results to the relevant ministries or agencies, or to BSSN where a ministry or agency acts as the Vital Information Infrastructure organizer. Under BSSN Reg. 10/2023, Cyber Security Maturity is a condition that reflects an organization's capability and progress in implementing, enhancing, and operating cybersecurity effectively and efficiently. The Cyber Security Maturity Level is the outcome of the Cyber Security Maturity assessment.
In alignment with PR 82/2022, BSSN Reg. 10/2023 further regulates the conduct of Cyber Security Maturity Level measurement as well as the reporting and verification of the measurement results. Accordingly, Vital Information Infrastructure organizers are required to independently conduct Cyber Security Maturity Level measurements at least once a year using the domains set out in the cyber security framework. Such measurements cover 4 (four) key domains, namely identification, protection, detection, and response and recovery.
In this context, the identification domain consists of activities that at least include the identification of organizational roles and responsibilities, the formulation of strategies, policies, and procedures for the protection of Vital Information Infrastructure, the management of information assets, the assessment and management of cybersecurity risks, and the management of supply chain risk. Meanwhile, the protection domain consists of activities that at least include the management of identity, authentication, and access control, the protection of physical assets, data, applications, and networks, as well as the protection and awareness of human resources.
The detection domain consists of activities that at least include the detection of cyber security incidents, the analysis of cyber security incidents, and the continuous monitoring of cyber security incidents. Lastly, the response and recovery domain consists of activities that at least include the planning of response and recovery actions, the analysis and reporting of cyber security incidents, the implementation of response and recovery actions for cyber security incidents, and the enhancement of security following the occurrence of cyber security incidents.
Moreover, the measurement of the Cyber Security Maturity Level shall be conducted using a measurement instrument prepared and published by BSSN, which contains evaluation indicators for the implementation of the framework domains and activity categories. Additionally, ministries or agencies may establish sector-specific measurement instruments by reference to the BSSN measurement instrument. Based on the measurement results, the Cyber Security Maturity Level is classified into 5 (five) levels as follows:

Further, Vital Information Infrastructure organizer shall report their Cyber Security Maturity Level measurement results at least once within 1 (one) year to the relevant ministry or agency, or directly to BSSN in cases where a ministry or agency acts as the Vital Information Infrastructure organizer. Such reporting shall be submitted by enclosing: (i) a cover letter for the submission of Cyber Security Maturity Level measurement results; (ii) the results of the self-assessment that have been authorized by an official representing the Vital Information Infrastructure organizer; (iii) supporting evidence; and (iv) contact information.
The reported results are subject to verification by the relevant ministry or agency or BSSN, which may be conducted through document review, interviews, on-site observation, and consistency checks. Where the verification is conducted by a ministry or agency, the verification results shall be submitted to BSSN and the Vital Information Infrastructure organizer no later than January of the following year. On the other hand, where the verification is conducted by BSSN, BSSN shall report the verification results to the ministry or agency no later than January of the following year.
To that end, the provisions governing the measurement of Cyber Security Maturity Level serve as the reference for ministries or agencies in establishing sector-specific Cyber Security Maturity measurement regulations, which shall be developed in coordination with BSSN.