Indonesia: Data Protection & Cyber Security

This country-specific Q&A provides an overview of the Data Protection & Cyber Security laws and regulations that may apply in Indonesia.

  1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?

  2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

  3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

  4. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there any rules relating to the form, content and administration of such consent?

  5. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?

  6. How do the laws in your jurisdiction address children’s PII?

  7. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.

  8. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

  9. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

  10. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

  11. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

  12. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

  13. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

  14. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)

  15. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?

  16. Does your jurisdiction impose requirements of data protection by design or default?

  17. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?

  18. How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?

  19. Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.

  20. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

  21. Please describe any laws addressing email communication or direct marketing.