Data Protection & Privacy 2026 Comparisons

Law No 27 of 2022 on Personal Data Protection (the “PDP Law”) constitutes the primary legal framework for privacy and personal data protection in Indonesia. The PDP Law is enacted as an implementation of the constitutional right to privacy (as elaborated in its General Elucidation) pursuant to Article 28G(1) of the 1945 Constitution of the Republic of Indonesia.

In Indonesia, personal data is defined as data regarding individuals (referred to as data subjects) who are identified or can be identified separately or in combination with other information, either directly or indirectly, through an electronic or non-electronic system.

Personal data is classified into two categories:

• general personal data: name, gender, nationality, religion, marital status, and/or personal data that is combined to identify an individual; and
• specific personal data: health data and information, biometric data, genetic data, criminal records, children’s data, personal financial data, and/or other data as stipulated under applicable laws and regulations.

The PDP Law establishes key principles and lawful bases for personal data processing, personal data categorisation, the processing requirements for children and persons with disabilities, data subjects rights, the scope of personal data processing, and role-based compliance obligations (ie, personal data controllers, personal data processors, and joint controllers). In addition, the PDP Law regulates the appointment of a Data Protection Officer (DPO), requirements for personal data transfer (both domestically and cross borders), administrative sanctions for non-compliance, and criminal sanctions in the event of violation. The PDP Law also addresses international co-operation in the field of personal data protection, public participation, and mechanisms for dispute resolution.

The PDP Law is expected to be supplemented by implementing regulations in the form of a government regulation. While the PDP Law governs the general framework of personal data protection in Indonesia, it is also subject to other existing and sector-specific laws and regulations. These include, among others:

• regulations in the electronic systems ecosystem:
1. Law No 11 of 2008 on Electronic Information and Transactions, as lastly amended by Law No 1 of 2024 (“EIT Law”);
2. Government Regulation No 71 of 2019 on the Operation of Electronic Systems and Transactions (“GR 71/2019”);
3. Ministry of Communication and Digital (MOCD) No 20 of 2016 on Personal Data Protection in Electronic Systems (“MOCD Reg 20/2016”); and
4. Government Regulation No 17 of 2025 on the Governance of Electronic Systems for Child Protection (“PP TUNAS”),
• other sector-specific regulations, for example, in highly regulated industries such as financial services and fintech sectors:
1. Financial Services Authority (Otoritas Jasa Keuangan, OJK) Regulation No 22 of 2023 on Consumer and Public Protection in the Financial Services Sector; and
2. Bank Indonesia (BI) Regulation No 3 of 2023 on BI Consumer Protection,

These sectoral regulations supplement or specify personal data protection rules, provided they do not conflict with the PDP Law.

The PDP Law has extraterritorial reach, applying to individuals or corporations, public bodies, or international organisations that conduct legal acts as regulated under the PDP Law, whether:

• within the territory of the Republic of Indonesia; or
• outside Indonesia where such acts have legal effects in Indonesia and/or to Indonesian citizens as personal data subjects abroad.

The PDP Law does not apply to the processing of personal data by individuals for purely personal or household purposes.

General Principles of Personal Data Processing

In Indonesia, the processing of personal data encompasses the entire life cycle of personal data, from collection, analysis, storage, rectification, display, announcement, transfer, disclosure, deletion, and destruction of personal data. Such personal data processing must follow these principles:

• Lawful, Fair, and Transparent: Processing shall be processed based on a lawful basis provided under the PDP Law. Processing shall be carried out fairly, transparently, and in a limited and specific manner, in line with the purposes communicated to the data subject. Personal data controllers are required to provide clear and accessible information to data subjects regarding the personal data processing practices.
• Data Minimisation: Personal data processing shall be relevant and limited to what is necessary for the intended purposes.
• Purpose Limitation: Personal data shall be processed only for specified purposes that are clearly communicated to data subjects.
• Data Subject Rights: The rights of data subjects shall be respected and supported through appropriate processes.
• Accuracy and Completeness: Personal data shall be accurate, complete, and kept up-to-date.
• Accountability: Processing shall be carried out responsibly and in a demonstrable manner, supported by appropriate documentation, and supervised through periodic audits to ensure ongoing compliance with applicable laws.
• Security and Confidentiality: Personal data shall be processed with appropriate technical and organisational safeguards to ensure security, integrity, confidentiality, and protection against any misuse, loss, and unauthorised access, disclosure, alteration, or destruction of personal data.
• Retention, Deletion (Penghapusan), and Destruction (Pemusnahan): Personal data shall be retained only for as long as necessary for lawful processing purposes, in accordance with the retention schedule and the applicable laws.

Data Subject Rights

Under the PDP Law, the data subjects’ rights are recognised, including:

• (i) the right to obtain clear and transparent information regarding the personal data controller, lawful basis for processing, purpose of the collection and use of personal data, and the accountability of the party requesting such personal data;
• (ii) the right to file a claim and receive compensation for any violation of personal data processing relating to the data subject;
• (iii) the right to obtain and/or use personal data relating to the data subject from the personal data controller in a structured format commonly used and/or readable by electronic systems;
• (iv) the right to complete, update, and/or correct errors or inaccuracies in personal data relating to the data subject;
• (v) the right to access and obtain a copy of personal data relating to the data subject;
• (vi) the right to withdraw previously granted consent for the processing of personal data relating to the data subject;
• (vii) the right to proportionally restrict the processing of personal data relating to the data subject in certain circumstances;
• (viii) the right to request the termination of processing, the deletion and/or destruction of personal data relating to the data subject; and
• (ix) the right to object to the processing of personal data based on an automated decision-making process, including profiling, which has a significant impact to the data subject.

The PDP Law further provides a response mechanism for the exercise of data subject rights. Where a personal data controller receives a request for the exercise of the rights referred to in items (iv) to (vii) above, the controller is required to fulfil such request within 3 × 24 hours (ie, within 72 hours).

Role-Based Compliance Obligations under the PDP Law

The main compliance of each organisation depends on its role. The PDP Law recognises several distinct roles, each subject to specific responsibilities, liabilities, and regulatory obligations, namely the personal data controller, personal data processor, and joint controller.

• Personal Data Controller: As the party that determines the purposes of personal data processing and generally exercises control and responsibility, its key obligations include:
1. ensuring that personal data is processed lawfully in accordance with the applicable lawful basis under the PDP Law;
2. establishing and implementing a governance and compliance framework, including appropriate data governance structures, internal policies, and procedures, as well as continuously monitoring compliance;
3. providing privacy notices and ensuring transparency to data subjects;
4. classifying and handling personal data appropriately, including applying the required safeguards for each category of data (general and specific personal data);
5. implementing adequate security and confidentiality measures;
6. ensuring the accuracy and integrity of personal data through verification and update mechanisms;
7. conducting a data protection impact assessment (DPIA) in the event that the processing of personal data has the potential to pose a high risk to the data subject;
8. establishing and maintaining records of processing activities (RoPA);
9. ensuring that data transfers and third-party engagements comply with the PDP Law;
10. implementing incident or personal data breach handling procedures, including notification within 3 x 24 hours (ie, within 72 hours);
11. establishing a data retention schedule and mechanism for deletion and/or destruction in accordance with applicable laws;
12. appointing a DPO, where required; and
13. handling data subject rights.
• Personal Data Processor: A personal data processor is required to process personal data strictly based on the instructions of the personal data controller and must obtain the controller’s prior written approval if it engages another personal data processor (sub-processor). Primary liability for personal data processing rests with the personal data controller. However, a personal data processor may be held independently liable where it processes personal data contrary to the controller’s instructions, or where it violates applicable laws and regulations.
• Joint Controller: Joint controllers are also required to comply with all obligations applicable to personal data controllers. Two key obligations must be observed:
1. The controllers are required to enter into an agreement that sets out the roles, responsibilities, and legal relationship between the parties.
2. Joint personal data controllers are jointly responsible for providing information to data subjects, including the controllers involved, lawful basis, purpose, category of personal data, methods and contact person.

The PDP Law does not set out separate processing regimes for general personal data and specific personal data. However, the processing of specific personal data may trigger additional regulatory obligations. Under PDP Law, such processing may: (i) serve as an indicator of “high-risk processing”, thereby requiring the conduct of a DPIA or risk assessment; or (ii) serve as one of the indicators for the mandatory appointment of a DPO.

Processing of Children and Persons with Disabilities

The PDP Law further provides that the processing of children’s personal data and the personal data of persons with disabilities must be carried out in a specific manner and subject to additional requirements. In the case of children, processing requires parental consent and/or legal guardians in accordance with applicable laws and regulations. For persons with disabilities, processing must be conducted using appropriate communication methods as regulated under applicable laws, and requires consent from the individual concerned and/or their legal guardian.

In addition, the processing of children’s (defined as individuals who use or access the products, services, and features and are under 18 years of age) personal data through electronic systems is subject to PP TUNAS (see 1.1 Overview of Data and Privacy-Related Laws). PP TUNAS applies to all electronic system operators (ESOs), both public and private, whose products, services, or features are intended for use by children or are likely to be accessed by them. As an implementing regulation of the EIT Law, PP TUNAS introduces a range of obligations and prohibitions relating to children’s privacy and personal data protection, including requirements on parental consent and notification, high-privacy settings by default, the conduct of DPIAs, and the appointment of a DPO, as well as prohibitions on profiling and precise geolocation tracking by default, and manipulative practices (any methods, techniques, or non-transparent practices that can encourage children to overshare data, disable privacy settings, or engage in harmful behaviour), are strictly forbidden.

In principle, the PDP Law does not prohibit the processing of personal data or anonymise data for research and development purposes, provided that such processing complies with the PDP Law and any applicable sector-specific regulations (for example, healthcare regulations).

Although the PDP Law does not currently contain specific provisions governing research and development activities, it recognises that certain data subject rights may be exempted for public interest purposes, including for statistical purposes and scientific research.

Where personal data is processed for the statistical activities and scientific research, the exempted rights are (i) the right to withdraw consent; (ii) the right to object to automated decision-making and profiling; (iii) the right to restrict processing; (iv) the right to data portability; and (v) the right to request the termination of processing, deletion, and/or destruction of personal data.

Accordingly, while the PDP Law does not provide a dedicated research and development regime, it allows limited restrictions on certain data subject rights, without relieving compliance with the core principles and obligations under the PDP Law.

Indonesia’s legal framework on artificial intelligence (AI) is still in an emerging stage, and there is currently no comprehensive statute governing the development or use of AI. Regulatory oversight is fragmented and primarily derived from existing, sector-specific laws and policy instruments issued and supervised by various authorities. These include, among others, the MOCD, which issued Circular Letter No 9 of 2023 on AI Ethics, as well as sectoral guidance from other regulators, such as the OJK, which introduced the OJK and Fintech Associations AI Code of Ethics. The personal data protection-related aspects under these instruments are relatively general in nature. They require that any processing of personal data involving automated decision-making and AI systems comply with the PDP Law and other applicable regulations.

The PDP Law does not contain AI-specific provisions. Nevertheless, the use of AI systems or models involving the processing of personal data is subject to the general requirements under the PDP Law. In particular, such processing may be classified as high-risk processing, as the use of new or emerging technologies is expressly recognised as one of the indicators of high-risk processing under the PDP Law framework and further triggers the requirement to conduct a DPIA.

In addition, the PDP Law grants data subjects specific rights in relation to automated decision-making. Where a data subject objects to a decision made solely through automated processing, which may include decisions generated automatically through AI, the data subject may request that the decision be reviewed or re-made with human involvement, in accordance with the PDP Law.

In the event of a data breach or personal data protection failure, the personal data controller must provide a written notification no later than 3 x 24 hours (ie, within 72 hours) to the affected personal data subject and to the personal data protection authority (“PDP Authority”). In certain cases, where the personal data protection failure interferes with public services and/or has a significant impact on the public interest, the personal data controller must notify the public of such personal data protection failure.

The written notification shall at least contain the following:

• the disclosed personal data;
• when and how the personal data are disclosed; and
• efforts to handle and recover from the disclosure of personal data by the personal data controller.

The PDP Law stipulates that the data privacy litigation or dispute resolution is conducted through court, arbitration, or other alternative dispute resolution bodies.

In practice, a data breach involving ESOs must also be notified to the MOCD within 72 hours from the discovery of the personal data protection incident. The MOCD provides a specific reporting form for data breach/incident, which must be completed by the ESOs and submitted together with relevant supporting documents evidencing the occurrence of the personal data protection breach.

With respect to investigations conducted by the MOCD, the legal basis for such investigative powers is derived from the EIT Law and MOCD Reg 20/2016. Under the EIT Law, the competent authorities, specifically investigators from the MOCD, the Indonesian National Police and certain authorised civil servant investigators, are granted the authority to examine the following:

• the accuracy of reports or information relating to criminal offences in the field of information technology and electronic transactions;
• any person and or business entity reasonably suspected of committing a criminal offence in the field of information technology and electronic transactions; and
• any tools and/or facilities related to information technology activities that are suspected of being used to commit criminal offences in the field of information technology and electronic transactions

Under MOCD Reg 20/2016, the MOCD is authorised to trace and follow up on reports of personal data protection failures and, for supervisory purposes, may request data and information from ESOs in connection with personal data protection, either periodically or at any time as deemed necessary.

PDP Authority

The PDP Law mandates an independent PDP Authority appointed by the President. The PDP Authority has the power to:

• govern and establish policies in the field of personal data protection;
• conduct supervision over the compliance of personal data controllers;
• impose administrative sanctions for violations of personal data protection committed by personal data controllers and/or personal data processors;
• assist law enforcement authorities in handling alleged personal data violations as referred to in the PDP Law;
• co-operate with personal data protection authorities of other countries in order to resolve alleged cross-border personal data protection violations;
• assess the fulfilment of requirements for the transfer of personal data outside the jurisdiction of the Republic of Indonesia;
• issue orders as follow-up to the results of supervision of personal data controllers and/or personal data processors;
• publish the results of personal data protection supervision in accordance with applicable laws and regulations;
• receive complaints and/or reports concerning alleged violations of personal data protection;
• conduct examinations and tracing in relation to complaints, reports, and/or supervisory findings of alleged violations of personal data protection;
• summon and require the attendance of any person and/or public institutions related to alleged violations of personal data protection;
• request explanations, data, information, and documents from any person and/or public institutions in connection with alleged violations of personal data protection;
• summon and require the attendance of experts as necessary for examinations and tracing relating to alleged violations of personal data protection;
• conduct examinations and tracing of electronic systems, facilities, rooms, and/or premises used by personal data controllers and/or personal data processors, including obtaining access to data and/or appointing third parties; and
• request legal assistance from the public prosecutor in the resolution of personal data protection disputes.

As of the date of this guide, the President has yet to appoint the PDP Authority to assume the roles above. Hence, it is also important to identify other authorities who might have mandates based on sectoral regulations.

Sectoral Regulators

Subject to the applicable sectoral laws and regulations, there are sectoral regulators who might have mandates to supervise the personal data processing, as outlined below.

MOCD

The MOCD derives its authority in personal data protection from the EIT Law and GR 71/2019 and currently serves as the primary supervisory authority for ESOs. Its mandate includes issuing data protection-related regulations for electronic systems, overseeing compliance, conducting investigations and administrative enforcement for violations, and co-ordinating with law enforcement agencies and other relevant sectoral authorities.

OJK

The OJK holds specialised supervisory authority over personal data protection within the financial services sector, covering banks and other financial institutions, financial technology and digital payment providers, capital markets and securities companies, as well as insurance, pension funds, and other non-bank financial service institutions. The OJK conducts regular co-ordination with the MOCD regarding overlapping jurisdictions, particularly for fintech and digital financial services utilising electronic systems.

National Cyber and Crypto Agency (Badan Siber dan Sandi Negara, BSSN)

The BSSN is the primary technical authority for cybersecurity aspects of personal data protection in Indonesia, particularly in cases involving cyber incidents, national vital infrastructure, or cross-border cyber threats. Under BSSN Regulation No 1 of 2024 on Cyber Incident Management (“BSSN Reg 1/2024”), ESOs, especially those operating vital information infrastructure, must report cyber incidents to the National Cyber Incident Response Team (Nat-CSIRT) within 24 hours. The BSSN is empowered to conduct technical investigations and digital forensics, identify system vulnerabilities, provide incident containment and recovery assistance, and lead the response to major cyber incidents affecting the security of personal data.

Law enforcement

Law enforcement agencies, including the Indonesian National Police and Attorney General’s Office, possess authority in handling criminal cases related to personal data protection based on (i) criminal sanctions in the PDP Law and (ii) cyber-crimes and criminal sanctions under the EIT Law. Criminal law enforcement is conducted in accordance with the Criminal Procedure Code (KUHAP), special procedures in the EIT Law for cyber crimes, and digital evidence handling protocols.

Law enforcement agencies co-ordinate with the MOCD, the OJK, and the BSSN regarding (i) information exchange for investigation purposes; (ii) technical assistance in digital forensic analysis; (iii) cross-jurisdictional case co-ordination; and (iv) prevention of overlapping legal processes.

Cross-Border Co-Ordination

Pursuant to the cross-border co-ordination, the PDP Law grants the authorities, including the PDP Authority, the power to conduct international co-operation in personal data protection, including: (i) information exchange with foreign data protection authorities; (ii) mutual legal assistance in investigations; (iii) harmonisation of data protection standards; and (iv) joint capacity development.

The PDP Authority possesses comprehensive investigative powers, including the ability to conduct examinations, request documentation, interview relevant parties, and co-ordinate with other authorities. The PDP Authority may initiate investigations based on data breach notifications, public complaints, audits, or referrals from other government agencies.

Administrative Sanctions

The PDP Law grants the PDP Authority the power to impose administrative sanctions, including written warnings, temporary suspension of personal data processing activities, permanent suspension of processing operations, deletion of personal data, and imposes administrative fines. The PDP Law imposes fines of up to 2% of the annual revenue of the personal data controller or personal data processor in the preceding financial year.

However, as of the date of this guide, the detailed procedures for imposing administrative sanctions, including assessment criteria, severity violations, penalty calculation guidelines, and appeal mechanisms, have not been fully elaborated through implementing regulations. The PDP Law provides the statutory foundation, but operational procedures remain under development by the competent authorities.

Criminal Sanctions

The PDP Law also regulates the criminal sanctions, as follows:

• Unlawful Collection or Obtaining of Personal Data: Any person who intentionally and unlawfully obtains or collects personal data that does not belong to them, for their own benefit or the benefit of another person, and which results in loss to the data subject, is subject to imprisonment of up to five years and/or a fine of up to IDR5 billion.
• Unlawful Disclosure of Personal Data: Any person who intentionally and unlawfully discloses personal data that does not belong to them is subject to imprisonment of up to four years and/or a fine of up to IDR4 billion.
• Unlawful Use of Personal Data: Any person who intentionally and unlawfully uses personal data that does not belong to them is subject to imprisonment of up to five years and/or a fine of up to IDR5 billion.
• Forgery of Personal Data: Any person who intentionally creates false personal data or falsifies personal data with the intent to obtain a benefit for themselves or another person, and which causes loss to another person, is subject to imprisonment of up to six years and/or a fine of up to IDR6 billion.

Further, Law No 1 of 2026 on Criminal Sentencing Adjustment introduced a category-based fine system that substantially reduced the monetary penalties. Unlawful collection, disclosure, and use of personal data are now subject to fines capped at IDR200 million, while the forgery of personal data is subject to fines capped at IDR500 million, without any reduction in the applicable prison terms.

Where these offences are committed by or for a corporation, criminal liability may be imposed on both the company and the individuals involved, and corporate fines may be increased by up to ten times the statutory maximum fines applicable to individuals.

The PDP Law came into effect in October 2024, following the end of the two-year statutory grace period. However, administrative enforcement has not yet been fully implemented, as the PDP Authority mandated by the PDP Law has not been established. As a result, although the administrative sanctions framework under the PDP Law is formally in force, no formal PDP Authority-led administrative penalties have yet been issued.

Unlike administrative sanctions, criminal sanction enforcement under the PDP Law has been active and there are several court decisions in relation to criminal sanctions in the PDP Law. The first court decision is Karanganyar District Court Decision No 5/Pid.Sus/2023/PN Krg dated 16 March 2023, in which the perpetrator was found guilty of data falsification and imprisoned for four years, and also ordered to pay an IDR1 billion fine.

The number of privacy-related proceedings in Indonesian courts remains relatively low, with the legal framework still developing following the enactment of the PDP Law.

Claimant Types and Legal Standing Issues

The primary category of claimants in privacy-related disputes consists of individual data subjects who have suffered direct harm from personal data processing violations. These individuals typically include affected customers or users following data breaches, unauthorised disclosure incidents, or other forms of personal data protection failure.

The second category of claimants are consumer groups or public interest litigants. However, in practice, significant legal standing challenges have emerged regarding collective or representative actions brought by consumer groups or public interest organisations. The legal standing of such entities to represent broader classes of affected individuals remains debatable under Indonesian procedural law, with courts demonstrating inconsistent approaches to these claims.

Available Remedies Under PDP Law

The PDP Law provides a framework of remedies for data subjects who suffer harm from personal data protection violations, including the right to claim compensation. The mechanism to claim compensation is expected to be further elaborated in the implementing regulation of the PDP Law.

In addition to compensation, the PDP Law allows courts to order injunctive and corrective measures, including requiring the suspension of unlawful data processing, the implementation of appropriate security safeguards, and the correction of inaccurate personal data.

The ongoing enforcement cases have mainly relied on criminal sanctions under the PDP Law and the EIT Law, particularly in cases involving unlawful access, disclosure, or forgery of personal data.

Aside from the criminal cases, there are several constitutional court decisions in Indonesia related to the PDP Law. The landmark decision on the PDP Law is Constitutional Court Decision No 151/PUU-XXII/2024 dated 30 July 2025, which clarifies the interpretation of the fulfilment of criteria requiring a data protection controller or data protection processor to appoint a DPO.

Indonesia allows collective redress through class actions under Supreme Court Regulation No 1 of 2002 on Class Action Procedure. This mechanism permits one or more plaintiffs to represent a larger group with common facts and legal issues. In principle, personal data protection violations may be pursued through this mechanism.

Indonesia does not currently have a single, comprehensive legal framework specifically governing the protection and processing of non-personal data. Instead, the regulation of non-personal data is primarily fragmented into several sectoral laws.

By way of example, in the electronic ecosystem, the relevant regulations include (among others) GR 71/2019, Government Regulation No 80 of 2019 on Electronic Commerce, MOCD Regulation No 5 of 2020 as amended by Minister of Communication and Informatics Regulation No 10 of 2021 on Private Electronic System Providers (“MOCD Reg 5/2020”), and applicable cybersecurity regulations. In the financial sector, among others, OJK Regulation No 44 of 2024 on Bank Secrecy, OJK Regulation No 22 of 2023 on Consumer and Public Protection in the Financial Services Sector and BI Regulation No 3 of 2023 on BI Consumer Protection also apply. There are also archival and record-keeping laws, including Law No 8 of 1997 on Company Documents (“Company Documents Law”) and Law No 43 of 2009 on Archives.

In general, these regimes regulate data management throughout its life cycle without distinguishing between personal and non-personal data, including data governance and use, security and confidentiality, sector-specific handling requirements, archiving and retention periods, data transfers, and incident or breach response obligations, including reporting timelines and notifications to relevant sectoral authorities. Where certain regulations make reference to personal data, their interaction with the PDP Law is addressed in 3.2 Interaction of Data Regulation and Data Protection.

The interaction between sectoral regulations and the PDP Law generally takes two forms. First, certain sector-specific regulations expressly refer to the PDP Law for personal data protection compliance. Second, other regulations impose additional, supplementary, or more specific personal data processing requirements in respect of particular categories of data or regulated activities. For example, while the PDP Law does not expressly regulate data retention periods, such requirements may be addressed under applicable sectoral regulations (eg, under the Company Documents Law, records, bookkeeping evidence, and supporting financial administrative data must be retained for a period of ten years, calculated from the end of the relevant company’s financial year).

In essence, sector-specific data handling rules are applicable in parallel with the PDP Law, provided they do not conflict with its provisions. Where data qualifies as personal data, the PDP Law operates as the primary legal framework, while sectoral regulations typically supplement the PDP Law by regulating sector-specific processing scenarios or imposing heightened obligations.

The applicable rights and obligations largely depend on the relevant sector and regulatory context. In practice, contractual arrangements also play a critical role in allocating rights, obligations, and liability.

Organisations should therefore ensure that their contracts clearly define the agreed arrangements, including, among others, roles and responsibilities of each party in relation to the data and its processing, permitted uses or purposes, and applicable technical and organisational measures, while also ensuring the inclusion of provisions addressing compliance with any applicable sector-specific regulatory requirements.

In relation to non-personal data, enforcement authority depends on the nature of the data and the relevant sector. Competent authorities include, among others, the MOCD for ESOs, the OJK for the financial services sector, and the BSSN for cybersecurity matters.

Co-ordination among regulators typically arises in practice where incidents affect both non-personal and personal data. In such cases, sectoral regulators may co-ordinate with the personal data protection authority under the PDP Law, as well as with other relevant government bodies, depending on the affected sector.

A notable recent trend is the increasing frequency and sophistication of cybersecurity incidents in various sectors, which require more active inter-agency co-ordination, particularly where an incident affects both personal and non-personal data and simultaneously implicates data protection, system security, and sector-specific compliance obligations.

Indonesia does not currently have a specific regulation that expressly governs the use of cookies, software development kits (SDKs), or other online tracking technologies.

However, to the extent that such technologies involve the processing of personal data, their use is subject to the general principles and requirements under the PDP Law and the EIT Law, including to provide clear information and transparency to data subjects regarding the collection and use of their personal data in such cookies.

The PDP Law does not specifically regulate personalised or targeted advertising activities. However, where such activities involve the processing of personal data or profiling activities, they are subject to the general principles and requirements under the PDP Law.

Given the absence of specific provisions governing personalised advertising or marketing, the applicable marketing requirements must be assessed on a sectoral basis. For instance, in the financial services sector, OJK Reg 22/2023 prohibits financial services business actors from offering products and/or services to prospective consumers and/or consumers through personal communication channels without the consent of prospective consumers and/consumers.

In the electronic ecosystem, particularly under PP TUNAS, ESOs that are potentially directed at or intended for children are prohibited from conducting profiling by default, by any means or methods, including for product or service offerings or other purposes. Where profiling is to be carried out, it must be justified through a risk assessment or demonstrated to be essential for the provision of the service.

There are currently no employment-specific personal data protection laws. The processing of employees’ personal data is therefore subject to the PDP Law and its implementing regulations.

Employee-related processing activities, including employee monitoring, are not specifically prohibited, provided that they are conducted in accordance with the PDP Law, and are typically grounded in contractual arrangements between the employer and the employee.

In current practice, employers in Indonesia commonly rely on employment agreements as the primary lawful basis for processing employee personal data, without prejudice to the availability of other lawful basis under the PDP Law for specific employee-related data processing activities.

The PDP Law regulates personal data protection requirements in the context of corporate actions, including mergers, acquisitions, spin-offs, and dissolutions. Under the PDP Law, a personal data controller in the form of a legal entity that undergoes a merger, acquisition, spin-off, and/or dissolution is required to notify personal data subjects of the personal data transfer both prior to and after the completion of such corporate action.

In the event that a personal data controller in the form of a legal entity is dissolved or liquidated, the storage, transfer, deletion, or destruction of personal data must be carried out in accordance with applicable laws and regulations, and such actions must be notified to the relevant personal data subjects.

Further procedural details are expected to be regulated under the forthcoming government regulation implementing the PDP Law.

In practice, notifications to data subjects may be delivered through any medium that is reasonably accessible to them. For example, in the context of an acquisition where Indonesian corporate law requires pre- and post-acquisition announcements to be published in national newspapers, PDP-related notifications may be incorporated into such mandatory corporate announcements, provided that it is made clear that the announcement is also addressed to data subjects, and not solely to creditors.

Accordingly, each corporate action must be assessed on a case-by-case basis to determine whether the role of the personal data controller remains unchanged, is transferred to another entity, or is otherwise impacted.

Under the PDP Law, a cross-border transfer of personal data occurs where a personal data controller or personal data processor makes personal data available or provides access to another party located outside the jurisdiction of Indonesia, whether by transmission, remote access, hosting, or any other technical means. This includes cloud hosting, cross-border access to databases, and sharing of data with overseas affiliates or vendors.

Based on PDP Law, cross-border transfers of personal data are permitted only if one of the following safeguards is satisfied:

• Adequacy Principle: A transfer is permitted where the recipient country or international organisation provides a level of personal data protection that is equal to or higher than that under Indonesian law.
• Contractual Safeguards: Where the recipient country does not provide an equivalent level of protection, a transfer may still take place if the personal data controller or processor implements binding contractual safeguards that ensure the protection of personal data in accordance with the PDP Law.
• Consent of the Data Subject: If neither adequacy nor contractual safeguards can be satisfied, a cross-border transfer may still be carried out based on the consent of the personal data subject.

Cross-border transfers of non-personal electronic data are governed by GR 71/2019, which allows private ESOs to host, process, store electronic systems and electronic data (including non-personal data) outside the territory of Indonesia, except for the financial sector, which is subject to sectoral regulations.

The PDP Law does not stipulate a prior approval requirement by PDP Authority for international personal data transfers. However, the PDP Law grants the PDP Authority specific powers to conduct assessments of cross-border data transfer requirements for fulfillment.

In relation to the electronic system, private ESOs are obligated to co-ordinate with MOCD in relation to international transfers.

The regulatory requirements in relation to international transfers may be subject to sectoral laws, among others:

• Digital Financial Asset (Including Crypto-Assets): OJK Regulation No 27 of 2024 on the Organisation of Trading of Digital Financial Assets including Crypto Assets (“OJK Reg 27/2024”) establishes specific requirements for personal data handling within the digital asset sector, though it does not explicitly stipulate comprehensive cross-border data transfer procedures. However, the regulation mandates that any transfer of data subjects’ personal data to third parties must be notified to the OJK.
• Healthcare: Government Regulation No 28 of 2024 concerning Health (“GR 28/2024”) establishes stringent authorisation requirements for international transfers of health-related personal data, that cross-border transfers of health data must obtain prior approval from the Minister of Health of the Republic of Indonesia, which applies to all categories of health data transfers, including patient records, medical research data, pharmaceutical information, and public health surveillance data.
• Banking and Financial Services: Bank Indonesia Regulation No 23/6/PBI/2021 on Payment Systems allows payment transaction processing to be conducted outside the territory of the Republic of Indonesia, provided that prior approval is obtained from Bank Indonesia. Such approval may be granted by taking into account, among others, the use of electronic systems and/or operational activities integrated with the principal office of the payment service provider located outside Indonesia, the readiness of national industry and infrastructure, and other factors determined by Bank Indonesia.

In general, the PDP Law does not require data localisation. Remote access from abroad is generally treated as a cross-border data transfer and is therefore subject to the PDP Law transfer safeguards.

The following are some sectors in which data localisation is mandatory or required:

• Healthcare: GR 28/2024 requires health data and health information systems to be stored and processed in data centres located within Indonesian jurisdiction. This includes hospitals, clinics, digital health platforms, and other healthcare service providers.
• Banking: OJK Regulation No 11 of 2022 (“OJK Reg 11/2022”) establishes comprehensive data localisation obligations for the banking sector. This provision mandates that both primary data centres and disaster recovery centres must be located within Indonesian territory, ensuring complete domestic control over critical banking infrastructure.
• Digital Financial Asset (including Crypto-Assets): OJK Reg 27/2024 and Government Regulation No 49 of 2024 on the Implementation of Crypto Asset Trading (“GR 49/2024”) require crypto-asset service providers to maintain both their data centres and disaster recovery centres within Indonesian territory, thereby imposing comprehensive data localisation and infrastructure residency obligations.
• Financial Technology: OJK Regulation No 3 of 2024 on the Implementation of Financial Technology Innovation and Aggregation Services (“OJK Reg 3/2024”) establishes specific data localisation obligations for the financial technology sector, including payment system aggregators and technological innovation organisers in financial services. OJK Reg 3/2024 requires that data centres and data recovery centres be located within Indonesia, ensuring domestic control over fintech data infrastructure.
• Non-Bank Financial Institutions: OJK Regulation No 4 of 2021 (“OJK Reg 4/2021”) imposes data localisation requirements on non-bank financial institutions, including insurance companies, pension funds, financing institutions, and other non-bank financial service providers, requiring relevant data processing infrastructure to be located within Indonesian territory.

Although the PDP Law does not contain blocking provisions against foreign courts, MOCD Reg 5/2020 authorises the government to implement access blocking of electronic systems. Under these regulations, MOCD can block access to a private ESO if:

• the private ESO fails to grant access to its systems or data for domestic law enforcement or regulatory oversight;
• the system facilitates the distribution of content deemed prohibited under Indonesian law; or
• the private ESO fails to meet the mandatory registration requirements.

The more detailed requirements on international data transfer are expected to be regulated under the upcoming Government Regulation regarding the implementation of PDP Law, including formal criteria for assessing foreign data protection regulation, standards for data transfer agreements, binding corporate rules, and requirements for transfer impact assessments.