AHRP IBLG Chapter X

Business Compliance

Language Requirement

Every entrepreneur intending to conduct business in Indonesia is required to comply with the prevailing laws and regulations related to the use of Indonesian to complete business transactions in Indonesia; among others is the requirement to use Bahasa. The obligation to use Bahasa in conducting business transactions is emphasized under Law No. 24/2009 and PR No. 63/2019. Bahasa is the official language for transactions and commercial documents. The following documents are required to use Bahasa in respect to conduct businesses in Indonesia:

state official documents;
MoU or agreement; and
for the name of trademarks and business institutions.

The Obligations to Use Indonesian in State Official Documents

Law No. 24/2009 obligates the state official documents, for instance decisions letters, commercial papers, statement letters, identity card, and court decisions to use Bahasa. Moreover, certain agreements for instance sale and purchase deed/akta jual-beli and agreement letters/surat perjanjian are also qualified as state official documents. The relevant laws allow state official documents which apply internationally to be accompanied with the foreign language version. It is worth noting that the nature of the foreign language version is complimentary to state official documents and the Indonesian version must be the official governing language of the documents. Hence, the Bahasa prevails as the main reference in the event of differing interpretations between the Indonesian and foreign language version

The Obligations to Use Indonesian in MoU or Agreement

A MoU or an agreement involving a state institution, a government agency, an Indonesian private entity, or an Indonesian citizen must use Bahasa. This provision impacts the binding contractual language between the parties, which gives rise to the issue on how language is regulated for MoU or agreement that involves a foreign party.

The Involvement of Foreign Parties

A MoU or an agreement involving a foreign party is allowed to be executed in bilingual form, which consists of Bahasa and accompanied by a foreign language translation and/or English version. It is worth noting that the foreign language translation and/or English version of the MoU or agreement is only used as an equivalent or translation of the Bahasa to reconcile the understanding of the MoU or agreement involving foreign party. However, if there are any inconsistencies or different interpretation between the language versions, the governing language shall be determined upon agreement by the parties involved and as stipulated in the MoU or agreement.

Indonesian Parties

According to Article 31 (1) Law No. 24/2009 jo. Article 26 (1) PR No. 63/2019 affirm that any MoU and agreement involving an Indonesian party (i.e., an Indonesian state institution, an Indonesian government agency, an Indonesian private entity, or an Indonesian citizen) is mandatory to use Bahasa. Regarding use of foreign language translation and/or English version of MoU or agreement and the ability to choose the governing language, it only applies when the MoU or agreement involves a foreign party

Obligations to Use Indonesian for Trademarks and Business Institutions

The name of trademarks is obliged to use Bahasa, as affirmed in Article 35 (1) PR No. 63/2019. The obligation to use Indonesian for the name of trademarks only limited to trademarks owned by Indonesian citizen or Indonesian legal entity, while foreign licensing trademarks are exempted from this obligation.

As stated in Article 36 PR No. 63/2019, the name of business institutions is required to use Bahasa. However, this obligation only applies to business institutions incorporated or owned by Indonesian citizens and Indonesian legal entity in the form of limited liability company where all its shares are owned by Indonesian citizen or Indonesian legal entity.

Legal Consequences for Non-Compliance to Use Indonesian

Law No. 24/2009 and PR No. 63/2019 do not provide for any provisions in relation to sanctions for non-compliance. The current laws and regulations state that the supervisory BoD of this regulation from central government is the ministry who is responsible for education which is MoECRT. Moreover, it also mentioned that the use of Bahasa is supervised by the regional government, which is carried out by the governor and/or mayor or regent in accordance with their authority.

Despite the uncertainty regarding the sanction for non-compliance, the failure to fulfill the obligation to use Bahasa would constitute as a breach and may result in the agreement being declared null and void.

The Investment Activity Report/Laporan Kegiatan Penanaman Modal (LKPM)

General Provisions on LKPM

Every investor in Indonesia has the obligation to generate LKPM and submit it to BKPM. LKPM is a report regarding development on investment realization and problems that are encountered by entrepreneurs. This report must be generated and submitted periodically. Subsequently, entrepreneurs are obliged to submit LKPM for each business sector and/or location through OSS system. LKPM submission will refer to data on business licensing, including data changes contained in OSS system based on the current period, and shall be conducted with the following provisions:

small business actors shall submit LKPM every 6 (six) months in 1 (one) year report;
large and medium business actors shall submit LKPM every 3 (three) months.

However, LKPM submission is not obliged for:

Micro business actors; and
upstream oil and gas, banking, non-bank financial institutions, and insurance business

Accordingly, the LKPM submission is conducted with the following provisions:

Any entrepreneur shall have a right to access OSS system which is obtained after the entrepreneur conducted NIB registration;

the provision on LKPM submission for micro business actors with the following submission period:
1. report of semester I is submitted no later than 10 July on the respective year; and
2. report of semester II is submitted no later than 10 January on the following year;

LKPM for large and medium business actors shall consist of:

LKPM on the construction/preparation stage for business activities that have not conducted production/operated commercially yet; and
LKPM on production/commercial operations for business activities that have already been conducting production/operating commercially;

LKPM submission for LKPM on the construction/preparation/production/commercial stage with the following period:

report of the quarter I is submitted no later than 10 April on the respective year;
information of quarter II is submitted no later than 10 July on the respective year;
report of quarter III is submitted no later than 10 October on the respective year;
information of quarter IV is submitted no later than 10 January on the following year.

Sanctions

There is a consequence for the entrepreneur who does not conduct LKPM submission. The entrepreneur who does not submit LKPM will be subjected to the following administration sanctions by OSS Agency, provincial DPMPTSP, DPMPTSP in regency/city, KPBPB entrepreneur, KEK administrator, ministry/agency or other relevant institution:

written warning;
temporary suspension of business activities;
revocation of business licenses; or
revocation of business licenses to support business activities.

Legalization of Foreign Documents

Background

Under current regulations, requirements for the legalization of documents apply to public documents. The requirements apply to the MoLHR, MoFA, and the foreign embassy or consulate of the country where the document is to be produced. In practice, this process involves several authorities which may lead to an inconvenient and arduous waiting time.

However, in January 2021, Indonesia declared its accession to the Convention Abolishing the Requirement of Legalization for Foreign Public Documents or commonly known as “Apostille Convention” by way of the enacting of PR No. 2/2021.

Apostille Convention applies only to the following, which deemed as public documents:

documents emanating from an authority or official connected with state courts or tribunals, including those emanating from a public prosecutor, a clerk of a court, or a process-server;
administrative documents;
notarial acts; and
official certificates placed on documents signed by persons in their private capacity, such as official certificates recording the registration of a document or its existence on a specific date and notarial authentications of signatures.

Therefore, the abovementioned documents shall be exempted from the legalization requirement under current regulations. However, the Apostille Convention shall not apply to the following documents:

documents signed by a diplomatic or consular official; and
administrative documents directly related to commercial or customs activities.

Procedure on Legalizing Document at MoFA

The legalization of documents is to create administrative order and provide legal certainty in using documents inside and outside the territory of the Republic of Indonesia. Aside from the exempted documents above, the following documents are required to be legalized by MoFA:

documents issued in the territory of the Republic of Indonesia and will be used abroad;
documents issued abroad or issued by a foreign country representative domiciled in the territory of the Republic of Indonesia and will be used in the territory of the Republic of Indonesia; and
documents issued by state representatives’ foreigners who are domiciled in the territory of the Republic of Indonesia and will be used abroad.

The procedures to legalize the above documents is as follows:

Legalization Process at Ministry of Foreign Affairs

Source: MoFA Reg. No. 13/2019.

However, it is essential to note that the application to legalize documents may be rejected if the document is in the following condition:

the specimen is not suitable;
documents are unreadable;
information is not in line with the uploaded documents; and/or
there is a report which indicates data misuse and information by the applicant.

If the documents are not legalized based on the abovementioned procedures, the documents cannot be used correctly either in the territory of the Republic of Indonesia and abroad as a consequence. It is important to note that falsifying legalization is punishable by a maximum imprisonment of 6 (six) years. Moreover, forgery of documents is punishable by a maximum imprisonment of 8 (eight) years if the following documents are forged:

authentic deeds;
in debentures or certificates of debts of a state or part thereof or of a public institution;
in shares or debentures or share certificates or debt certificates of an association, foundation, partnership, or company;
in counterfoils, dividend or interest evidence belonging to one described documents under the preceding numbers, or in evidence issued in substitution for these documents; and/or
in credit or commercial papers intended for circulation.

The Role of Notary and Notarial Documentation

The involvement of a notary is required in conducting transactions in various sectors. The notary is a public official who is authorized to make authentic deeds and has other powers referred to in Law No. 30/2004. In general, public notaries are authorized to make authentic deeds regarding all agreements and stipulations required by laws and regulations and/or a matter needed to be stated in an authentic deed. Moreover, the notary is also authorized to guarantee the deed’s drafting date, keeping the deed, providing the grosse, copy, and except the deed.

The public notaries are also authorized to do the following matters:

to validate the signature and set a specific date of the private letter by registering in a particular book;
to book personal letters by registering for a specific book;
to make a copy of the original private letters in the form of a copy containing a written description in the said letter;
to validate the compatibility of the photocopy with the original documents;
to provide legal education in connection with the making of the deeds;
to make the deeds relating to the land matters; and
to make a deed of auction minutes.

However, it is essential to note that aside from the abovementioned, a notary is specifically required for the matters relating to the legal entities such as limited liability company, foundation, and cooperatives and land matters as follows:

The Role of Notary related to the Existence of Limited Liability Companies

The Deed of Incorporation and Articles of Association of Limited Liability of Companies

The notary shall draft the deed of incorporation of limited liability companies in Indonesia. Besides, the deed of incorporation shall include AoA and other matters as follows:

full name, place, and date of birth, occupation, residential, and nationality of the individual founder, or name, domicile, and complete address, as well as the number and date of the ministry of law and human rights decree regarding the ratification of legal entity promotors of the company;
full name, place, and date of birth, occupation, residential, and nationality of the first members of the BoD and the BoC to be appointed; and
names of shareholders who have subscribed to the shares, the detail of the number of shares and nominal value of shares subscribed and paid-up.

Moreover, AoA of the company must include the following matters:

name and domicile of the company;
purposes and objectives as well as the business activities of the company;
period of incorporation of the company;
amount of authorized capital and issued capital, and paid-up capital;
number of shares, shares classification if any, including the number of the shares for each category, rights attached to each share, and share nominal value;
name of title or position and the number of members of the BoD and the BoC;
determination of the place and procedures for holding a GMS;
methods of appointment, replacement, and dismissal of the members of the BoD and the BoC; and
method for profit utilization and dividend distribution.

If the shareholders intend to amend the AoA, the amendments shall be declared under notarial deeds in Indonesian. However, it is essential to note that if the amendment is not drawn up in a notarial deed of minutes of the meeting, it shall be drawn up in a notarial deed not later than 30 (thirty) days the date of the resolution of the GMS.

It is worth noting that following amendments of the AoA shall obtain the approval of MoLHR:

name and/or domicile of the company;
purposes and objectives as well as business activities of the company;
period of incorporation of the company;
amount of authorized capital;
reduction of issued and paid-up capital; and/or
change of the status of the company from private company to issuer or otherwise.

The MoLHR must be notified of any other matters of amendments not mentioned above. The notary shall submit application for approval and/or notification of the amendment of AoA to the MoLHR within 30 (thirty) days since the date of the notarial deed containing the amendments of the AoA.

Transfer of Shares

The notary has an important role in the transfer of shares as such transfer shall be conducted in a deed of transfer of right. Transfer of shares can be executed by way of sale and purchase, grants, or inheritance. Subsequently, notary shall submit notification of the change of shareholding composition due to transfer of right to the MoLHR within 30 (thirty) days since the registration date of such transfer of right over the shares.

Mergers, Acquisitions, Consolidations, and Spin-offs

The plan of merger, consolidation, acquisition, and spin-off which has been approved by the GMS shall be set forth into the deed drawn up by notary in Indonesian. In addition, deed of acquisition which is executed directly from the shareholders shall be obliged to be stated in a notarial deed in Indonesian.

Specifically, for consolidation, deed of consolidation drawn up by notary shall be the basis for the drawing up the new consolidating company’s deed of incorporation. The notary shall enclose the copy of deed of consolidation in the application to the Ministry of Law and Human Rights for obtaining the Ministry of Law and Human Rights Decree regarding the ratification of consolidating company.

The Role of Notary related to the Existence of Foundations

The Deed of Incorporation and Articles of Association of Foundations

The incorporation of foundations shall be carried out by means of a deed of incorporation made in Indonesian. The deed of incorporation shall at least incorporate AoA and other matters as follows:

name and domicile of the foundation;
purposes and objectives;
period of incorporation of the foundation;
the amount of initial assets separated from the personal assets of the founder in the form of money or goods;
how to acquire and use assets;
procedures for the appointment, dismissal and replacement of members of Governing Board/Pembina, Executive Board/Pengurus, and Supervisory Board/Pengawas;
rights and obligations of Governing Board/Pembina, Executive Board/Pengurus, and Supervisory Board/Pengawas;
procedures for organizing foundation’s organ meeting;
provisions regarding amendments to the AoA;
merger and dissolution of foundations; and
use of remaining assets upon liquidation or distribution of foundation’s assets after dissolution.

A foundation obtains its legal entity status upon the approval of deed of incorporation by the MoLHR. The notary shall file an application of such approval to MoLHR within 10 (ten) days from the signing date of foundation’s deed of incorporation. Such application shall be filed by the notary in writing. The approval of this application will be delivered within 30 (thirty) days from completion of application.

It is important to note that foundation’s AoA may be amended. An exception to this that the foundation’s aims and objectives cannot be amended. Amendments to the foundation’s AoA can only be executed based on a Governing Board/Pembina’s meeting resolution. Such meeting can be convened if attended by at least 2/3 (two thirds) of the number of Governing Board/Pembina’s members. The amendment of AoA shall be incorporated under notarial deed in Indonesian.

In Merger Process

A merger in respect of a foundation can be done by merging 1 (one) or more foundations with other foundation, resulting in dissolution of the merging foundations. The proposal for foundations mergers can be submitted by the Executive Board/Pengurus to Governing Board/Pembina. A merger in relation to a foundation can only be carried out based on the Governing Board/Pembina’s meeting resolution attended by at least ¾ (three quarters) of the number of Governing Board/Pembina’s members and approved by at least ¾ (three quarters) Governing Board/Pembina’s attending members.

Foundation merger plan shall be approved by each foundation’s Governing Board/Pembina. Upon approval, said merger plan shall be incorporated under merger deed drawn up by notary in Indonesian. Such merger plan deeds shall be conveyed by notary to Minister of Law and Human Rights to obtain approval in case the merger is followed by amendment of foundation’s AoA. The approval from MoLHR will be provided within 60 (sixty) days upon the acceptance date of application.

The Role of Notary related to the Existence of Cooperatives

The incorporation of cooperatives shall be carried out by means of deed of incorporation containing AoA. The AoA shall at least cover the following:

list of promotors;
name and domicile of the cooperatives;
purposes and objectives as well as the business activities;
provisions regarding membership;
provisions regarding management;
provisions regarding capital matters;
provisions regarding the duration of association;
provisions regarding remaining results of operations; and
provisions regarding penalty.

Meanwhile, the amendment of cooperative’s AoA to be carried on based on members’ meeting resolution. If the AoA does not stipulate otherwise, the resolution can be carried out if the meeting is attended by at least ¾ (three quarters) of the members and approved by at least ¾ (three quarters) Governing Board/Pembina’s attending members.

MoCSME will provide the ratification of amendment of cooperative’s AoA within 30 (thirty) days at the latest if:

it does not contravene with Law No. 25/1992; and
it does not contravene with public order and decency.

The Deed, Legalization, and Waarmerking

Deed

A notary carries out their position in the context of providing legal services to the public, recording all legal events into an authentic deed and automatically guaranteeing the certainty of the making of the deed, keeping the deed, providing grosse, copies and quotations of the deed.

A deed functions as proof of rights in the form of authentic written evidence made before or by an authorized official. The authorization of the official will ensure that an agreement, stipulation, or a legal event made or carried out has received legal certainty and protection.

Moreover, the authenticated deed contains the rights and obligations of the parties. Should any dispute arise between the parties in the future, the authenticated deed can act as valid proof.

Legalization

Legalization is referred to the notary’s act of legalizing signatures and determining the certainty of the date of the private letter. The legalization is then recorded or registered in a special book. Such special book lists the validation of signatures and the determination of the date of a document related to letters, lists, household affairs letters, and other writing documents made without intermediaries or made not in the presence of a public official.

Waarmerking

Waarmerking is not clearly defined or regulated by prevailing regulations in Indonesia. However, Law No. 30/2004 implicitly stipulated waarmerking as the act of recording private letters by registration in a special book. In practice, the notary’s authorization is also known as underhand registration of letters with the code: "Register" or Waarmerking or Waarmerk.

The Role of Notary related to Land Transactions

The General Role of Notary in Land Transactions

A notary who is also eligible to act as PPAT plays important roles in transactions of land. PPAT can concurrently serve as a notary at the domicile of a notary. The main task of PPAT is to carry out land registration activities by making deeds as evidence of certain legal actions as follows:

sale and purchase;
exchange;
grant;
deposit in kind (inbreng);
sharing of joint rights;
granting of HGB or right to use over freehold title;
granting security right; and/or
granting power of attorney to encumber security right.

The PPAT’s working area is in one province region. In order to execute the abovementioned tasks, the PPAT is authorized to make authentic sales and purchase of land deeds in connection with all legal aspects concerning land titles and right of ownership over stacked units/hak milik atas satuan rumah susun located within their working area. Besides, the making of such deeds shall be witnessed by at least 2 (two) witnesses.

Land Registration and Encumbrance of Right

Transfer of land titles and right of ownership over stacked units/hak milik atas satuan rumah susun through sale and purchase, exchange, grants, deposit in kind (inbreng) and other legal actions of transfer of rights, except the transfer of rights through auction can only be registered if it is proven by deeds made by the authorized PPAT according to the provisions of prevailing laws and regulations.

Within 7 (seven) business days from the signing date of the relevant deed, PPAT is obliged to submit the deed made along with the relevant documents and written notification to BPN to be registered.

Moreover, PPAT is also obliged to register encumbrance of right over land such as security right, right to use and right to lease for buildings, and other encumbrance over land titles or right of ownership over stacked units/hak milik atas satuan rumah susun determined by drafting authorized deeds in accordance with applicable laws and regulations. Registration of encumbrance of rights over land must also be submitted within 7 (seven) business days from the signing date of the relevant deed to BPN, by attaching relevant documents and written notification.

Mortgage/Hak Tanggungan

Mortgage is a right over collateral imposed on land title along with other objects which are an integral part of the land therewith for the settlement of certain debts, which give priority to certain creditors over others. Mortgage shall be stated in mortgage deed drafted by a notary who is also eligible to act as PPAT. The purpose of mortgage deed is to ensure the settlement of more than 1 (one) debts. If 1 (one) land is encumbered with more than 1 (one) mortgage right, then the rank of each security right is determined according to the date of registration at the BPN. In the event that there is more than 1 (one) security right registered on the same date, then the rank is determined by the drafting date of relevant security right deed.

A mortgage shall be registered to BPN. Within 7 (seven) business days from the signing date of security right deed, PPAT shall submit such security right deed and other relevant documents to BPN to be registered. Moreover, the encumbrance of security right may also be performed by way of providing power of attorney from relevant party. The power of attorney shall be drafted by notarial deed and shall comply with the following terms, it must:

not including the authorization to do other legal action other than the encumbrance of security right;
not mention any substitution right; and
provide clear information on the object of mortgage, outstanding amount, name and identity of creditor, name, and identity of debtor in case the debtor is not the grantor of security right.

The power of attorney shall not be revoked or terminated unless the expiration period has passed. The relevant power of attorney must also be followed by the drafting of security right deed within 1 (one) month at the latest, upon providing it to PPAT. The notary is also responsible for registering the transfer of security right to BPN due to cessie, subrogation, inheritance, or other reasons that caused the security right to be transferred to new creditor.

Taxation

Taxes are mandatory contributions from individuals or entities to the state, where it will be utilized to meet the state’s necessity and the people’s welfare. The government utilizes taxes to give equal distribution of welfare by providing health insurance, government support or aid, and public facilities procurement.

In regard to parties who are obligated to pay taxes, generally every individual whether Indonesian citizens or foreign citizens residing in Indonesia and entities that incorporated or domiciled in Indonesia are included as taxpayers, unless the laws and regulations stipulate otherwise. Hence, it can be understood that taxpayers are classified into 2 (two) categories, and along with these following provisions:

Individuals
1. who receive income above Non-Taxable Income/Penghasilan Tidak Kena Pajak (PTKP), as the limit is determined and regulated under Law No. 7/1983; and
2. who stay in Indonesia for more than 183 (one hundred and eighty-three) days in any 12 (twelve) months period, or individuals who live in Indonesia during a tax year and intend to reside in Indonesia.

Entity

unity of a group of people and/or capital, whether doing business, including limited liability company, limited partnership, other form of companies, state-owned enterprise, or regional government-owned enterprise in any form, firm, joint venture, cooperative/koperasi, pension funds, associations, partnership, foundation, mass organization, socio-political organization, institutions, or any other organizations or institutions including collective investment contracts and permanent establishment/badan usaha tetap; and
incorporated domiciled, or effective place of management in Indonesia.

Tax Identity

Subsequently, for the purpose of tax administration and to implement self-assessment system, taxpayers have the obligation to register themselves to KPP, KP4, or through e-registration at www.pajak.go.id to be given tax identity. The form of tax identity is divided into 2 (two) categories, namely, NPWP and NPPKP.

NPWP

The NPWP is a number issued to a taxpayer as means of taxation administration which is used as a personal identity or taxpayer identity in conducting his taxation rights and obligations. The NPWP is necessary to be obtained by taxpayers, otherwise the taxpayer can be subject to a rate 100% higher than the tax rate applied to taxpayers who have NPWP.[2] In addition, holding a NPWP is fulfilling one of the requirements in processing SIUP.

NPPKP

The NPPKP is an identity of taxpayers who are categorized as PKP and subject to both VAT and VAT on Luxury Goods. In order to be confirmed as a PKP, local research will be carried out to determine the existence and activities of business concerned. With the inauguration of an entrepreneur as PKP, a tax invoice/faktur pajak must be issued upon delivery of taxable goods or taxable services.

Tax Collection System

Generally, there are 3 (three) types of tax collection system, namely self-assessment system, official assessment system, and withholding assessment system. Since the amendment of tax laws and regulations in 1983 – known as Indonesian tax reform, Indonesia has changed its tax collection system from official assessment system to self-assessment system. As for now, self-assessment system is the most used tax collection system in Indonesia.

Self-Assessment System

Through the self-assessment system, taxpayers are required to carry out their tax obligations independently. They must register themselves, calculate their own payable tax, pay taxes to the bank or post office, and report the calculation results and tax payments that have been made to KPP. Furthermore, the tax collection system is applicable for the imposition of central taxes, such as income tax and VAT which will be explained further in the next section.

Official Assessment System

The official assessment system is one of the tax collection systems which enables the tax authority as tax collector to determine the amount of tax payable by taxpayers. In this type of tax collection system, the taxpayer is passive as the payable tax is determined and informed by the tax authority. The official assessment system applies to regional taxes, such as land and building tax which will be explained further in the next section.

Withholding Assessment System

In the withholding assessment system, the amount of payable tax is calculated by third parties who are neither taxpayers nor tax authorities. This type of tax collection system makes tax obligations easier to meet. This is because it is the role of third parties to calculate the tax payable and directly withdraw certain amount of taxes that should be paid by each taxpayer. An example of a withholding system is a deduction of employee income by the treasurer, other parties who are eligible to deduct or the related agency. Hence, the employees no longer need to fulfill or pay their payable tax themselves. Indonesia imposes a withholding assessment system for several types of taxes, including:

Article 4 (2) Law No. 7/1983 (PPh Final), regarding tax imposed on entity and/or personal taxpayers for several types of income specified in Article 4 (2) Law No. 7/1983, where both of the income and the withholding tax are final;
Article 21 Law No. 7/1983 (PPh 21), regarding tax imposed on income in the form of salaries, wages, allowances, and other payments in connection with employment, services, honorarium, and activities conducted by individuals who are resident tax subjects;
Article 22 Law No. 7/1983 (PPh 22), regarding income tax imposed on certain business entities, both government and private, who carry out export and import activities;
Article 23 Law No. 7/1983 (PPh 23), regarding tax imposed on income in the form of dividend, interest, royalty, gift, bonus, rent and other income in connection with the use of assets, excluded from rent for land and/or buildings, fees in connection with technical, management, construction, consulting services, and other services that have been deducted by Article 21 Law No. 7/1983 (PPh 21).
Article 26 Law No. 7/1983 (PPh 26), regarding tax imposed to tax subjects who provide income to foreign tax subjects.

Types of Tax in Indonesia

In Indonesia, taxes are classified into 2 (two), which are central taxes/pajak pusat and regional taxes/pajak daerah. Central taxes are managed by the central government, particularly by the Directorate General of Taxation under the Ministry of Finance. Subsequently, the types of taxes which categorized as central taxes are as follows:

income tax;
VAT;
VAT on luxury goods;
stamp duty;
land and building tax; and
acquisition of rights on land and buildings duty.

Whereas, regional taxes are taxes managed by the regional governments at both the provincial and regency level. In this case, regional taxes are handled by the Regional Revenue Agency/Dinas Pendapatan Daerah which governed under Law No. 28/2009. Regional taxes are further divided into 2 (two), namely provincial taxes and regency/city taxes.

provincial taxes
1. motor vehicle and water vehicle taxes;
2. excise/tax for transfer of ownership of motor vehicle;
3. motor vehicle fuel tax;
4. surface water tax; and
5. cigarette tax

regency/city taxes
1. hotel tax;
2. entertainment tax;
3. restaurant tax;
4. parking tax
5. advertisement tax;
6. tax on non-metal mineral and rock;
7. street lighting tax;
8. ground water tax;
9. tax on sallows' nest.
10. rural and urban and building tax; and
11. excise/tax acquiring right on land and building.

Income Tax

Income Tax/Pajak Penghasilan (PPh) is a tax imposed on an individual or entity on income they earned or received in a tax year. Subsequently, the object of income tax is that any additional economic capacity derived from Indonesia or outside Indonesia that can be used by the taxpayer for consumption or to increase wealth’s of the respective taxpayer. The taxable objects of income tax can be in the form of salaries, bonuses, honorarium, any other compensation for the work’s performance, business profits, interests, royalties, and any other incomes stipulated in Law No. 7/1983. Subsequently, in order to support ease of doing business, the government exempts dividends distributed based on GMS (interim dividends) and dividends originating from within Indonesia received by domestic taxpayers, as the object of income tax.

Under the Law No. 7/1983, the subject of income tax is distinguished into 2 (two) types, there are domestic tax subject and foreign tax subject. Domestic tax subject includes any individuals who reside, or entities incorporated or domiciled in Indonesia within the period of time specify in Law No. 7/1983. While foreign tax subject includes any individuals who are not reside, or entities incorporated or domiciled outside Indonesia. Furthermore, income tax is imposed on tax subject who is obliged to pay, withhold, and collect taxes due on tax objects. Hence, the subjects of income tax could be either:

individual;
entity or corporate; or
permanent establishment/badan usaha tetap.

Value Added Tax (VAT)

VAT is a tax imposed on the consumption of taxable goods or taxable services in a customs area. Customs area/daerah pabean refers to the territory of the Republic of Indonesia which includes land, waters, and air space thereon. Individuals, entities, or government who consume taxable goods or services are subject to the imposition of VAT. Generally, all goods and services are categorized as taxable goods or services, unless otherwise stipulated by the Law No. 8/1983. The following are the objects of VAT which will be imposed to entrepreneur who conduct:

local delivery of taxable goods and/or services;
import and export of taxable goods;
consumption of services and/or intangible foods from offshore within the Indonesian customs territory; and
export of intangible taxable goods and taxable services.

However, the goods and services which are exempted from the obligation of VAT are specified in Article 4A Law No. 8/1983, for instance basic necessities of the community.

The producer of goods and/or services, who is the PKP, collect, deposit, and report the VAT. However, the party who is obliged to pay the VAT is the end consumer of the goods and/or services produced by the PKP. The end consumer will be imposed on single VAT rate at 10% (ten percent), and in terms of exports, the VAT rate is 0% (zero percent).

Value Added Tax on Luxury Goods

Aside from being subject to VAT, the purchases of certain taxable goods which are classified as luxury goods are also subject to VAT on luxury goods/pajak pertambahan nilai atas barang mewah. This tax imposition has the same characteristics as VAT, which is imposed to the end consumer who consumes or utilizes the goods. The objects of taxable luxury goods and their rates are stipulated and regulated in the sectoral regulations regarding VAT on luxury goods, which includes:

goods that are not included as basic necessities;
goods that only consumed by certain communities;
goods that generally consumed by high-income communities; and/or
goods that are consumed to indicate the status.

Furthermore, Article 8 (1) Law No. 8/1983 stipulates the sales tax rate on luxury goods of at least 10% (ten percent) and a maximum of 200% (two hundred percent).

Land and Building Tax

Land and building tax are tax imposed on ownership or utilization of land and/or buildings. In basic terms, it is categorized as one of the central taxes, however almost all of the realization of land and building tax revenue is submitted to the regional government, both provincial and/or regency/city. Subsequently, the objects of land and building tax are:

environmental roads located within building area such as hotel, factory and its emplacement, and other buildings that are within the building area;
toll road;
swimming pool;
luxury fence;
sport venue;
shipyard and dock;
luxury garden;
oil, water and gas storages/refineries, and oil pipelines; and
other facilities that produce benefit.

The subject of land and building tax is a person or an entity that have the rights over the land and/or receive benefits over the land, and/control and/or receive benefit from a building. Based on Article 5 Law No. 12/1985, the tax rate imposed on land and building is 0.5% (five tenth percent). Subsequently, land and building tax is imposed based on sales value of

taxable object/nilai jual objek pajak. Sales value of taxable object is the average price obtained from reasonable buying and/or selling transactions, and if there is no such transaction, the sales value of taxable object will be determined by price comparisons with other similar objects, obtaining new value, or selling value of the replacement tax object.

Aside from an obligation to pay land and building tax, ownership through the acquisition of rights over the land and/or buildings also gives rise to BPHTB. As well as land and building tax, BPHTB categorized as central tax, however its realization revenue is submitted to the regional government, both provincial and/or regency/city.

Stamp Duty

Stamp duty/bea materai is a tax imposed on certain documents. It is imposed on documents which represent the occurrence of civil relation and it can be used as a valid evidence in court. The documents which require stamp duty are specify in Law No. 10/2020, as follows:

letter of agreement;
certificate;
letter of statement;
notarial deed;
land deed made by PPAT;
securities transaction documents;
auction documents;
documents stating the amount of money with a nominal value more than Rp5.000.000,- (five million Rupiah) that mentions the receipt of money or contains acknowledgment that the debt in whole or in part has been paid or taken into account; and
other documents.

Stamp duty is payable as a fixed amount of Rp10.000,- (ten thousand Rupiah) for documents as mentioned above.

Taxes Exemptions

In relation to the ease of doing business in Indonesia, the government provides a facility in a form of tax holiday. Tax holiday is a tax incentive for entrepreneurs. Taxpayers who conduct a new investment in a pioneer industry may obtain reduction or even exemption of income tax for entrepreneur in a certain term. Provisions on tax holiday are regulated in Law No. 25/2007, tax holidays are provided through exemption or reduction of corporate income tax in a specific amount and period may only be granted to:

a new investor engaged in a pioneer industry;
entities with added value and high externality;
entities which introduces new technology.
entities with strategic value for the national economy;
entities with legal status as an Indonesian legal entity; and
entities which debt-to-equity ratio as prescribed by the ministry of finance of the Republic of Indonesia.

In accordance with MoF Reg. No. 130/2020, the tax exemption or reduction facility (tax holiday) applies to these following pioneer industries:

Business Sectors that are Exempted from Tax

Source: MoF Reg. No. 130/2020.

Currency

Indonesian Rupiah is the prevailing currency for any transaction within the Republic of Indonesia. Transactions are obliged to use Indonesian Rupiah for any payment, and obligation settlements that require cash payment, and/or other financial transaction. The obligation to use Indonesian Rupiah is required for both cash and any transactions that are using cashless tools and mechanisms. However, there are some exemptions on the obligation for the use of Indonesian Rupiah as prevailing currency. In accordance with Article 4 BIR No. 17/2015, the obligation to use Indonesian Rupiah will be exempted for the following:

certain transactions involving national income and expenditures;
include grant to or from foreign countries;
international trade transactions;
foreign currency savings in banks; and
international financing transactions.

The exemption to use of Indonesian Rupiah also applies to transaction in foreign currencies, such as business activities in foreign currencies which are conducted by banks, transactions of securities issued by Indonesian government in foreign currencies, as well as other transactions in foreign currencies which are conducted in accordance with the laws and regulations.

Obligation to Comply with Laws on TKDN

The Local Content Requirements in Indonesia

Common with many developing countries, Indonesia aspires to upgrade its industrial competitiveness, as well as increase the value-added of its manufacturing sector. One of the ways is by using local content requirement policy, which is frequently known as TKDN policy in Indonesia. According to RPJMN 2020-2024, one of the policy directions in order to increase economic value-added in 2020-2024, is by increasing high value-added exports as well as strengthening TKDN. The said policy directions shall be conducted through the following strategies:

Strategies to Increase High Value-Added Exports and Strengthening TKDN

Source: Appendix I PR No. 18/2020.

In congruence with RPJMN 2020-2024, Law No. 3/2014 requires the government to increase the use of local products. The local products must be used by:

state institutions, ministries, non-ministry government institutions, and regional working units in the procurement of goods/services if their sources of financing come from APBN or APBD including domestic or foreign loans or grants; and

BUMN, BUMD, and private business entities of which financing for the procurement of goods/services comes from the APBN, APBD, and/or of which work activities are conducted through any cooperation between the government and private business entities and/or which utilize resources controlled by the state.

Additionally, in the case of procurement above-mentioned, the use of local product becomes mandatory when there is a local product with a combined volume of TKDN and BMP of 40% (forty percent). The circumstances also specifies that the volume of TKDN should be 25% (twenty five percent). This policy is in accordance with the obligations on BMP, since the maximum amount of BMP is 15% (fifteen percent). These rules are very critical because the minimum specifications for local content would be specified on the tender documents.

Other than the obligation to use local content, the government also encourages private business entities to increase the use of local products. For those purposes, the government may provide facilities which are at least in the form of:

price preferences and administrative incentives in the procurement of goods/services; and
certification on the local component level.

The requirement to use local items shall be carried out in compliance with the amount of local content accommodated in any goods/services as indicated by the percentage of local content used. Such percentage which is generally referred to as TKDN, shall be measured in compliance with the regulations stipulated by the Minister of Industry. TKDN is the utilization of local items, which is measured on the basis of the amount of local components found in goods, services and a combination of goods and services. The composition of TKDN consists of (i) TKDN of goods; (ii) TKDN of services; and (iii) TKDN of combination of goods and services. Further description of the local components contained on each output can be found below:

The Composition of TKDN on each Output

Source: MoI Reg. No. 16/2011.

The Calculation Procedure for Local Content Requirements in Indonesia

TKDN of Goods

TKDN for goods shall be calculated based on the ratio between the prices of finished goods reduced by the price of foreign components upon the price of finished goods. The price of the finished goods is the production cost incurred by the company to produce an item. The production costs include (i) costs for direct materials/supplies; (ii) direct labor costs; and (iii) factory indirect costs (factory overhead). The calculation of production costs does not include the calculation of profit variables, company overhead, and output taxes.

The Equation for TKDN for TKDN of Goods Percentage

Source: MoI Reg. No. 16/2011.

TKDN of Goods

TKDN for services is calculated based on ratio between the overall services price reduced by price of foreign services against the overall services price. The overall services price as mentioned before, is a cost which is incurred to produce services which are calculated until the onsite location. The overall services costs shall consist of: (i) workers’ cost; (ii) working tool/working facility cost; and (iii) general service cost. The calculation of production costs does not include the calculation of profit variables, company overhead, and output taxes.

The Equation for TKDN of Service Percentage

Source: Appendix V MoI Reg. No. 16/2011.

TKDN of Combination between Goods and Services

TKDN of combination of goods and services is the ratio between overall local component cost against the overall price of goods and services. The overall cost of goods and services is the costs which are incurred to produce the combination of goods and services which are calculated up to the onsite location. TKDN for the combination of goods and services is calculated in any work activity of the combination of goods and services, including construction works and integrated construction works.

The Equation for TKDN of Combination of Goods and Services Percentage

Source: Appendix VII MoI Reg. No. 16/2011.

The Sectors with Specific Local Content Requirements in Indonesia

According to GR No. 29/2018, beyond the general requirements, the Minister may provide a minimum limit of TKDN specifically for each sector. Sectors that have specific regulations can be seen on the following chart:

Sectors with Specific Local Content Requirements in Indonesia

Source: Consultant Analysis.

The Sanctions of Local Content Requirements Violation

In order to promote the use of local products, any official in the procurement of goods/services who violates the regulation regarding utilization of local products shall be subject to administrative sanctions, in the form of:

written warnings;
administrative fines; and/or
dismissal from the position as an official for the procurement of goods/services.

Those sanctions are, however, excluded where local products are neither available nor sufficient. Aside from sanctions in relation to officials, financial sanctions can also apply to violators of the obligation, with the aim of facilitating the compulsory use of local components. The application of financial sanctions in the form of administrative fines must firstly be proved against a breach of the duty to cooperate with the use of local items in the procurement of goods/services.

All composition of TKDN calculations, including TKDN for Goods, TKDN for Services, as well as TKDN of combination of goods and services are carried out based on accountable data. If the data used in the equation cannot be accounted for, the value of the TKDN for the variable involved would be assessed as zero. In this regard, financial penalties would be imposed on suppliers of goods/services who are knowingly providing goods/services with the TKDN implementation value that does not satisfy the TKDN quoted on the tender phase.

Such financial sanctions shall be determined on the basis of the gap between the TKDN quoted value and the TKDN implementation value multiplied by the bid price, with the difference in the TKDN value being no more than 15% (fifteen percent). The calculation for financial sanctions can be seen below:

The Equation for Financial Sanctions for the Violation of Local Content Requirements

Source: MoI Reg. No. 16/2011.

Data Protection

Personal data protection is essential for protecting human rights as part of the protection of private life guaranteed under Article 28G (1) of the Indonesian Constitution. The Government of Indonesia has finally enacted Law No. 27/2022 concerning personal data protection on 17 October 2022. Prior to the enactment of Law No. 27/2022, the aspects of personal data protection were covered in more sector-specific legislation, for instance, Law No. 11/2008, GR No. 71/2019, and many others. Even though personal data protection has been covered by several laws and regulations in Indonesia, there is still a pressing need for one. As personal data leakage from the use of information technology and communication increases from time to time, Law No. 27/2022 is urgently needed.

Article 2 Law No. 27/2022 states that it will not apply to personal data processing carried out by individuals in private or household activities, however, it does apply to any individual, public agency, or international organization that carries out legal actions as regulated by Law No. 27/2022 if they are (i) located within the Indonesian jurisdiction and (ii) outside the Indonesian jurisdiction but having a legal impact in the Indonesian jurisdiction and/or for individuals who are Indonesian citizens outside the Indonesian jurisdictions who are the subjects of personal data.

Law No. 27/2022 defines personal data as any electronic and/or non-electronic data that may directly or indirectly identify a person. Personal data falls into two categories:

General personal data: full name; gender; nationality; religion; marital status; and/or personal data that may identify an individual.
Specific personal data; health data and information; biometric data; genetics data; criminal record; children’s data; personal finance data; and/or other data pursuant to the prevailing laws and regulations.

Personal data subject is defined as any individual with associated personal data. Law No. 27/2022 grants data subjects nine rights, including but not limited to:

the right to be informed about clarity of identity, the basis of legal interests, purpose of requesting and using of personal data, and accountability of the party requesting personal data;
the right to complete, update, and/or correct errors and/or inaccuracies of personal data in accordance with the purpose of processing personal data;
the right of access and obtain the copy of personal data in accordance with the prevailing laws and regulations;
the right to end processing, deleting, and/or destructing the personal data in accordance with the prevailing laws and regulations;
the right to withdrew consent to processing of personal data who has been given to the Personal Data Controller;
the right to file objection to automated decision making based solely on automatic processing, including profiling, which has law consequences or have a significant impact on the personal data subject;
the right delay or limit processing of personal data in a proportionate manner with the purpose of processing personal data.;
the right to file objection and accept compensation for violations of processing personal data in accordance with the prevailing laws and regulations; and
the right to (i) obtain and/or use personal data from Personal Data Controller in an appropriate form with the usual structure and/or format used or readable by electronic systems; and (ii) use and transmit personal data to other Personal Data Controllers, throughout the system used to communicate securely with each other in accordance with the principles of Personal Data Protection based on this Law No. 27/2022.

Furthermore, Law No. 27/2022 differentiates between Personal Data Controllers and Personal Data Processors as defined below:

Personal Data Controller is every person, public agency and international organization that acts individually or jointly in determining the purposes of and has control over the processing of personal data.
Personal Data Processor is every person, public agency and international organization that acts individually or jointly in processing personal data on behalf of personal data controller.

Regarding Personal Data Processors, personal data processing covers the following actions relating to data

acquisition and collection;
processing and analysis;
storage;
correction and updates;
demonstration, announcement, transfer, dissemination, or disclosure; and
removal or destruction.

Meanwhile, the Data controllers’ obligations are as follows:

If processing personal data requires consent, provide the data subject with information on:

whether the relevant personal data being processed are legal;
the purpose of processing personal data;
the kind of personal data that will be processed and its significance;
the length of time that personal data-containing documents are kept for;
the specifics of the personal data that was collected;
the time frame for processing personal data; and
the rights of the person providing the data.

verify the personal data to make sure that it is accurate, complete, and consistent in accordance with the prevailing laws and regulations;
correct personal data errors and/or inaccuracies, and then inform the data subject of the update;
give the data subject access to both the processed personal data and the background to the personal data;
assess the impact of personal data protection when the processing of personal data may pose a "high risk" to the data subject in accordance with a number of regulated parameters;
take a variety of regulated measures to protect and ensure the security of the processed personal data;
maintain confidentiality, prevent unauthorized and illegal access, and supervise all parties involved in the processing of personal data;
stop processing the personal data if the data subject withdraws consent for personal data processing;
(under a variety of regulated circumstances), delete personal data and notify the data subject;
within three days of a failure to protect a data subject's personal data, notify the data subject in writing and the relevant agency (which the President has yet to establish);
notify the data subject of the transfer of personal data if a data controller conducts a merger, spin-off, acquisition, consolidation, or dissolution.

Data processors’ obligations are as follows:

If a data controller appoints a data processor, the latter must process personal data based on the personal data controller’s instruction and in accordance with Law No. 27/2022, and also to obtain the data subject’s written approval prior to involving other data processors.
Certain data controller’s obligation will be applicable to data processors.

Law No. 27/2022 introduces the obligation for data controllers and data processors to appoint a designated official or officer who will be in charge of minimizing the risks of personal data breaches and ensuring compliance with personal data protection principles in a variety of regulated situations.

For a data controller to transfer personal data abroad, either to other data controllers or processors, the transferring data controller must ensure that the country receiving the data has a level of personal data protection that is at least as high as the Law No. 27/2022. Otherwise, the data controller is responsible for ensuring that personal data are adequately and legally protected.

Several possible administrative sanctions in the event of failure to fulfill the criteria for cross-border data transfer, data processor’s obligations and data controller’s obligations are as follows:

written warnings;
temporary suspension of personal data processing activities;
deletion or destruction of personal data; and/or
administrative fines.

Following the enactment of Law No. 27/2022, all provisions of laws and regulations governing the Protection of Personal Data, are declared to still be valid if they do not conflict with the provisions of Law No. 27/2022. In this regard, the provisions on personal data protection can be found separately in several laws and regulations. The associated primary law on personal data protection is Law No. 11/2008, which predominantly accommodates the need to regulate the use of technology. However, it sets the foundation for personal data protection as it defines personal data protection as part of privacy rights, which has expanded to the digital space. The privacy rights are defined as follows:

Definition of Privacy Rights

Source: Elucidation of Article 26 (1) Law No.11/2008.

Subsequently, Law No. 11/2008 gives birth to GR No. 71/2019 and MoCI Reg. No. 20/2016 as the implementing regulations. Though both implementing regulations provide the measures for personal data protection, they regulate in different areas, and it is evident as they define personal data differently. GR No. 71/2019 defines personal data as every data concerning a person, whether identified and/or identifiable separately or combined with other information directly or indirectly through electronic and/or non-electronic systems. Whereas MoCI Reg. No. 20/2016 defines personal data as certain types of personal data that have their validity preserved, maintained, and safeguarded, as well as their confidentiality protected. Based on both definitions, we can conclude that personal data protection means protecting every activity concerning personal data and protecting privacy rights, while personal data means every data that identifies a person, individually or combined with other information, which is preserved and its confidentially protected.

Personal Data Protection Outside Law No. 27/2022

Article 26 (1) Law No. 11/2008 stipulates protection on privacy rights by obligating personal data usage shall require consent from the personal data owner. Consequently, any person whose privacy rights are violated may file a lawsuit for the losses incurred. On the other hand, it also prohibits the transfer of electronic information deliberately and without any rights or against the law to an electronic system owned by another person that is not entitled. The right to be forgotten is set out in Article 26 (3) Law No. 11/2008 states that every electronic system provider is obliged to delete irrelevant electronic information and/or document under its control at the request of the related person concerned by court order. Subsequently, the electronic system provider shall provide a mechanism for deleting irrelevant electronic information and/or document. As the implementing regulation of Law No. 11/2008, GR No. 71/2019 regulates that electronic system provider is obliged to conduct personal data protection principles in processing personal data consisting of:

personal data collection is conducted in a limited and specific manner, legally valid, fair, with consent and agreement of personal data owner;
personal data processing is conducted following its objectives;
personal data processing is conducted by ensuring the rights of personal data owner;
personal data processing is conducted accurately, completely, not misleading, up-to-date, accountable, and considering the intention of personal data processing;
personal data processing is conducted by protecting the personal data security from loss, misappropriation, access and illegal disclosure, as well as alteration or destruction of personal data;
personal data processing is conducted by notifying the purpose of collection, processing activities, and failure in protecting personal data; and/or
personal data processing is destroyed and/or deleted unless in a retention period following the need based on laws and regulations.

Suppose there has been a failure in protecting personal data in accordance with the principles as stipulated above, the electronic system provider shall notify in writing the personal data owner.

In terms of irrelevant electronic information or document, the electronic system provider shall delete the irrelevant electronic information or document under its control based on the request of the relevant person. Hence, the obligation to delete certain electronic information or document introduces the right to erasure and delisting, reflecting the right to be forgotten in Law No. 11/2008. Data that is subject to erasure may consist of personal data that:

was obtained and processed without the consent of the personal data owner;
the consent of personal data owner has been withdrawn;
are acquired and processed illegally;
no longer in accordance with the acquisition purpose based on the agreement and/or laws and regulations;
the utilization has exceeded the period in accordance with the agreement and/or laws and regulations; and/or
is displayed by the electronic system provider, which causes a loss for the personal data owner.

Data owners may request deletion of irrelevant electronic information or/document from the search engine list (right to delisting) by acquiring a court order.

This provision ensures protection for personal data owners to take down information when it is transmitted or spread unlawfully. Article 26 MoCI Reg. No. 20/2016 stipulates that the data owner is entitled of:

on the confidentiality of their personal data;
file a complaint to MoCI in the context of resolving dispute of personal data for the failure in protection the confidentiality of their personal data by the electronic system operator;
gain access or opportunity to change or update their personal data without interfere with the personal data management system, unless otherwise stipulated by the prevailing laws and regulations;
gain access or opportunity to obtain historical of personal data that has been submitted to the electronic system operator as long as it is still in accordance with the prevailing laws and regulations; and
request the destruction of their certain personal data in the electronic system managed by electronic system operators, unless otherwise stipulated by the prevailing laws and regulations.

It is worth pointing out that MoCI Reg. No. 20/2016 is the first regulation that specifically regulate personal data protection in electronic systems in Indonesia. Beyond the definition, personal data protection comprises protection toward the acquisition, collection, processing, analyzing, storage, display, announcement, delivery, dissemination, and erasure of personal data.

To ensure the foregoing, MoCI Reg. No. 20/2016 obliges the electronic systems to be certified and that each electronic systems provider must have internal policy on data protection as a preventive action to avoid any form of failure. The internal policy must be drafted by considering certain aspects, such as technology implementation, human resources, method, and costs. Other preventive actions to avoid protection failure include:

by increasing awareness of personal data protection to its human resources; and
by holding training on how to prevent personal data protection failure.

Although the regulation has determined the forms of preventive measures, it does not eliminate the potential failure from occurring. When it does, the electronic systems provider must notify the personal data owner in writing with the following conditions:

it should be accompanied with the reasons or causes of the failure;
may be carried out electronically if the personal data owner has granted approval for its which has been declared at the time when the acquisition and collection of their personal data takes place;
should ascertain that the personal data owner has received it if such failure contains potential harm against the personal data owner; and
written notice should be sent to the personal data owner no later than 14 (fourteen) days after the failure is known.

In the event that the electronic systems provider does not give the aforesaid written notification to the personal data owner, the electronic systems provider is subject to administrative sanctions by the MoCI. However, it is worth noting that the imposition of administrative sanctions does not eliminate criminal or civil responsibilities. The administrative sanctions shall be imposed in the form of:

written reprimand;
administrative fine;
temporary suspension;
access termination; and/or
removal from the list.

From the owner's perspective, all personal data owners have the right to file a complaint to the MoCI for the failure of personal data protection based on the following reasons:

there is no written notice of the failure of personal data protection made by the electronic system provider to the personal data owner, regardless of it being potentially or non-potentially harmful; or
the personal data owner in relation to the failure of personal data protection has suffered a loss, even though written notice of the failure has been carried out, yet the notification is too late.

The MoCI may coordinate with the head of Supervisory Institutions and Sector Administrators to follow up on the complaint. The aforesaid complaint shall be settled by way of deliberation or through other alternative dispute resolution and the settlement authority is delegated to the DGIA by the MoCI. Consequently, the DGIA may establish a personal data dispute settlement panel. Following the said settlement has not been agreed upon, the personal data owner may file a lawsuit on the occurrence of the failure. The timeline for the explained above is as follows:

Data Breach Procedure

Source: MoCI Reg. No. 20/2016.

Sectoral Laws on Personal Data Protection

Apart from The Law No. 27/2022 and MoCI Reg. No. 20/2016, the recognition of personal data protection is spread in various sectoral regulations outlined below:

Telecommunication and Information Sector

Personal data protection in the telecommunication sector is regulated under Law No. 36/1999, which protects individuals from the misuse of telecommunication means. Individual privacy rights are recognized and protected through the prohibition of wiretapping on information channeled through telecommunication networks in any form. Wiretapping means an activity of installing tools or enhancements to telecommunication networks for the purpose of obtaining information in an invalid way. However, in special cases, wiretapping is allowed by virtue of laws and regulations, for instance, in the event there is a presumption of corruption, the Corruption Eradication Commission may perform wiretapping in conducting preliminary investigation and investigation.

Apart from wiretapping, Law No. 36/1999 also obliges telecommunication services provider to ensure the confidentiality of information sent and/or received by customers of telecommunication networks and/or telecommunication services provided, unless required for criminal justice process purposes, which allows the telecommunication services provider to record information and provide the necessary information based on: (i) a written request from the Office of the Prosecutor and/or the Chief of the Indonesian National Police for certain crimes; or (ii) a request form an investigator for certain crimes.

Furthermore, Law No. 14/2008 stated that the information related to privacy rights are not part of the public information that the government agency shall provide. The aforesaid provision also supported by Article 17 Law No. 14/2008 that stipulated the restriction of the public information may be obtained by the applicant of public information, which stated the public information should not include public information which opened and provided may reveal confidential personal information, namely:

history and condition of family members;
history, condition, and treatment of a person's physical or psychological health;
a person's financial condition, assets, income, and bank account;
evaluation results in relation to capability, intellectuality, recommendation based on capability of a person; and
records in relation to a person's activities of formal education or non-formal education units.

Administration Sector

As for personal data protection in the administration sector, Law No. 23/2006 regulates that the resident personal data must be stored and protected by the state. The resident personal data that must be protected consists of:

information on physical and/or mental disability;
fingerprint;
iris;
signature; and
other data element that is a person's ignominy.

The responsible minister for protection and granting access of personal data to the province officer or officer of implementing agency is the MoHA. As consequence of spreading the personal data without any rights, may be sentenced to maximum imprisonment of 2 (two) years and/or maximum fine of Rp25.000.000,- (twenty five million Rupiah).

Finance and Banking Sector

In the banking sector, Law No. 7/1992 states that banks and its affiliations are obliged to keep the information on the depositors and their deposits confidential except in the following events:

For the purpose of taxation, the Chairman of BI based on MoF's request authorizes to issue a written instruction for the bank to provide information and written proof as well as documents on the Depositors financial condition;
for the purpose of settlement of bank receivables that have been submitted to the Accounts Receivable Agency and State Auction Committee for State Receivable Affairs, the Chairperson of BI issues permit to obtain information from the bank regarding the deposit of the depositors;
for the purpose of criminal justice process, the Chairperson issues permit to the police, prosecutor, or judge to obtain information from the bank regarding the deposit of the suspect or defendant in the bank;
in civil cases between the bank and its customer, the board of directors may inform the court regarding the financial condition of the customer concerned and provide other information relevant to the case; and
in the event of exchanging information between banks, the board of directors may inform its customers financial condition to the other bank.

Moreover, OJK regulates the data protection in OJK Reg. 6/2022. It stipulates that the financial services business actor is prohibited in any way from providing data and/or information related to its customers to a third party. Nonetheless,there are exceptions to the said prohibition, whereby those exceptions are triggered in the event that: (i) the customers give written

consent; or (ii) it is obligated by the laws and regulation. In this regard, when the financial services business actor obtains personal information from a third party in conducting its activities, the financial services business actor shall make a written statement conveying that the third party has obtained written consent from the related person to give the referred information to any party, including the financial services business actor and inform the customers in regard to where the financial services business actor obtain such information Other than that, the financial services business actor shall uphold consumer protection in performed its business activities. Additionally, OJK regulates personal data protection by issuing OJK Circular Letter Number 14/SEOJK.07/2014 that defines the scope of data and/or personal information and constraints for the financial services business actor related to the data/personal information.

Trade Sector

In respect of the trade sector, Law No. 7/2014 stipulates that the use of electronic system for any business trading goods and/or services must comply with the provisions of Law on Electronic Information which is Law No. 11/2008 and its implementing regulations.

Considering how digital transactions has evolved, the Indonesian government formed and enacted GR No. 80/2019 to ensure data protection in digital commerce, specifically on transactions by means of electronic system that has to optimize protection on personal data. In particular, GR No. 80/2019 regulates the personal data protection standards, or the prevalence shall at least meet the following rules of protection:

personal data must be obtained legally from the personal data owner accompanied by the existence of choices and guarantees for the safeguarding and prevention of loss to the owner of said personal data;
personal data must be owned for one or more purposes that are described in a specific and valid manner, as well as cannot be further processed in a way that is not in accordance with the said purposes;
personal data that are obtained must be proper, relevant, and not too broad in relation to the purpose of their processing as previously conveyed to personal data owner;
personal data must be accurate and up to date by way of giving opportunities to the personal data owner to update its personal data;
personal data must be processed in accordance with the purpose of the acquisition and allocation, as well as cannot be possessed longer than the required time;
personal data must be processed in accordance with the rights of the personal data owner as regulated under the laws and regulations;
the party which stores personal data must possess a proper security system to prevent leaks or prevent any unlawful utilization or processing of personal data, as well as be responsible for unexpected losses and damages to the said personal data; and
personal data cannot be sent to another country or area outside Indonesia, except the country and area that have been declared as having the same protection level and standard as Indonesia by the Minister of Trade.

Health Care Services Sector

Compared to other sectors above, the health care services sector is the first sector that regulates data protection in detail, especially for data found in patient's medical record. According to Law No. 29/2004, the patient's medical record must be stored and kept confidential by the doctor or dentist and the directors of the health care facility. This provision is restated in Law Number 36 of 2009 on Health, Law Number 44 of 2009 on Hospital, Law Number 36 of 2014 on Health Workers, and Law Number 38 of 2014 on Nursing.

A patient's rights include the right to confidentiality in relation to the health condition that has been shared with the health care provider. In the event a data loss occurred due to leakage of data and information on a patient's health condition obtained by health worker while conducting its work, then the related patient may claim compensation from person, health worker, and/or health care services provider who causes loss due to error or negligence.