{"id":139484,"date":"2026-04-22T09:25:42","date_gmt":"2026-04-22T09:25:42","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=139484"},"modified":"2026-04-22T09:45:12","modified_gmt":"2026-04-22T09:45:12","slug":"indonesia-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/indonesia-data-protection-cybersecurity\/","title":{"rendered":"Indonesia: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-139484","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-indonesia"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">SSEK Law Firm<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/SSEK-logo.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">SSEK Law Firm<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/SSEK-logo.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Indonesia<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity 
in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The main regulations governing data protection, privacy and cybersecurity in Indonesia include:<\/p>\n<ol>\n<li>Law No. 27 of 2022, dated October 17, 2022, regarding Personal Data Protection (\u201cPDP Law\u201d): main framework for general privacy and data protection in Indonesia, both electronic and physical, across all types of activities (e.g., collection, processing, utilization, etc.)<\/li>\n<li>Law No. 11 of 2008, dated April 21, 2008, regarding Electronic Information and Transaction, as last amended by Law No. 1 of 2024 (\u201cEIT Law\u201d): serves as the umbrella regulation for electronic transactions and also pertains, to a certain extent, to the protection of personal data and cybersecurity.<\/li>\n<li>Government Regulation No. 71 of 2019, dated October 4, 2019, regarding the Implementation of Electronic Systems and Transactions (\u201cGR 71\/2019\u201d): one of the implementing regulations for the EIT Law, which mainly governs Electronic System Providers (\u201cESPs\u201d) and the maintenance of electronic systems in the context of personal data protection.<\/li>\n<li>Government Regulation No. 17 of 2025, dated March 27, 2025, regarding the Governance of Electronic System Operations in the Protection of Children (\u201cGR 17\/2025\u201d).<\/li>\n<li>Minister of Communication and Informatics (\u201cMOCI\u201d) Regulation No. 20 of 2016, dated November 7, 2016, regarding the Protection of Personal Data within Electronic Systems (\u201cMOCI Reg. 20\/2016\u201d): an implementing regulation for the EIT Law that elaborates on the collection of personal data and its protection within electronic systems.<\/li>\n<li>MOCI Regulation No. 
5 of 2020, dated November 16, 2020, regarding the Implementation of Private ESPs, as last amended by MOCI Regulation No. 10 of 2021, dated May 21, 2021 (\u201cMOCI Reg. 5\/2020\u201d): another implementing regulation for the EIT Law, further regulates the registration requirement for ESPs in the private sector.<\/li>\n<li>Ministry of Communication and Digital Affairs (\u201cMOCDA\u201d) (previously the MOCI) Regulation No. 5 of 2025, dated March 18, 2025, regarding Public ESPs (\u201cMOCDA Reg. 5\/2025\u201d): an implementing regulation for the EIT Law, which further regulates the registration requirement for ESPs in the public sector.<\/li>\n<li>Other institutional rules or circular letters (circular letters are not regulations per se but can serve as guidance to interpret the stance of authorities) issued by relevant institutions such as the National Cyber and Crypto Agency (<em>Badan Siber dan Sandi Negara<\/em> or \u201cBSSN\u201d).<\/li>\n<\/ol>\n<p>All current regulations governing the protection of personal data and the operation of electronic systems apply extraterritorially in this context.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Indonesian government, through the MOCDA (formerly the MOCI) and BSSN, is drafting several new regulations related to data protection, privacy, and the broader cybersecurity landscape.<\/p>\n<p>Following the enactment of the PDP Law, the Indonesian government is in the process of finalizing and enacting 
the Draft Government Regulation on the Implementation of the PDP Law (\u201cDraft GR on PDP\u201d). This will be the first implementing regulation for the PDP Law and will provide detailed provisions on various aspects of personal data protection, including the obligations of personal data controllers, the role of personal data protection officers (\u201cDPOs\u201d), and further clarification on consent requirements.<\/p>\n<p>In early 2024, a new amendment to the EIT Law was enacted. This amendment primarily introduces additional regulatory frameworks, including certification requirements for electronic signatures and documents, enhanced protection for minors in electronic systems, and an expanded list of prohibited actions \u2014 such as defamation and doxing \u2014 particularly through social media platforms.<\/p>\n<p>Following the amendment of the EIT Law, the government is expected to issue revisions to GR 71\/2019, along with new regulations on online child protection, artificial intelligence (\u201cAI\u201d) policy, content moderation, and cybersecurity legislation.<\/p>\n<p>Most recently, the government issued GR 17\/2025, which establishes governance requirements for electronic system operators to ensure the protection for children in the digital space.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While court decisions in data protection cases remain limited, incidents of personal data breaches across various institutions have not shown a significant decline. 
The roles of the MOCDA and law enforcement agencies in enforcing data protection laws remain evident, albeit infrequent.<\/p>\n<p>Regulatory priorities include enforcing compliance to protect children in the use of electronic systems, addressing the use of AI, and ensuring the mandatory appointment of DPOs for organizations handling large-scale sensitive data. The MOCDA has also recently appointed a Personal Data Protection Professional Certification Body, which will be responsible for certifying DPOs.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Both MOCI Reg. 5\/2020 and MOCDA Reg. 5\/2025 mandate that Electronic System Providers (\u201cESPs\u201d) in both the public and private sectors must be registered with the MOCDA, as evidenced by the issuance of an ESP registration certificate.<\/p>\n<p>For reference, public and private sector ESPs are defined as follows:<\/p>\n<ul>\n<li>Private ESP refers to the implementation of electronic systems by individuals, business entities, or community groups.<\/li>\n<li>Public ESP refers to electronic systems operated by a state administrative agency or an institution appointed by such an agency.<\/li>\n<\/ul>\n<p>A Private ESP may be categorized as a Public ESP if it is formally appointed through a legal instrument.<\/p>\n<p>MOCDA Reg. 5\/2025 explicitly excludes Public ESPs that act as regulatory and supervisory authorities in the financial sector.<\/p>\n<p>While MOCI Reg. 
5\/2020 does not specify any exemptions, it sets out the criteria for ESPs that must be registered, including:<\/p>\n<ol>\n<li>ESPs that are regulated by or under the supervision of a specific government ministry or agency; and\/or<\/li>\n<li>ESPs that operate any online portal, site, or application accessible via the internet that is used for:<\/li>\n<\/ol>\n<p>a. Providing, managing, and\/or operating the offering or trade of goods and\/or services;<br \/>\nb. Providing, managing, and\/or operating financial transaction services;<br \/>\nc. Distributing paid digital materials or content through data networks, whether by downloads, email, or other applications sent to users\u2019 devices;<br \/>\nd. Providing, managing, and\/or operating communication services, including but not limited to SMS, voice or video calls, emails, and online chats via digital platforms, online services, or social media;<br \/>\ne. Operating search engine services or providing electronic information in the form of text, audio, images, animations, music, videos, films, games, or any combination thereof;<br \/>\nf. Processing personal data for public service operational activities related to electronic transactions.<\/p>\n<p>In practice, private ESPs that are directly accessible to end consumers are generally required to register. However, private ESPs that provide backend systems, such as those involved in payment system infrastructure, typically are not subject to this registration requirement.<\/p>\n<p>Failure to register is subject to administrative sanctions, including written warnings, administrative fines, temporary suspension, and access termination. However, these sanctions are not yet enforceable due to the absence of implementing regulations. In practice, enforcement typically takes the form of written warnings. 
If the relevant party fails to comply within the specified timeframe or does not engage with the MOCDA, the ministry may proceed with access blocking.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The most commonly used term in Indonesian legislation is \u201cPersonal Data.\u201d While multiple definitions exist across different regulations, they share a common essence and are accompanied by key qualifications, as outlined below:<\/p>\n<p>Under the PDP Law, GR 71\/2019, and Reg. 5\/2020, Personal Data is defined as data concerning an individual who is identified or identifiable, either on its own or in combination with other information, whether directly or indirectly, through electronic or non-electronic systems.<\/p>\n<p>In the EIT Law, Personal Data is defined as Certain Individual Data that is stored, maintained, with its validity preserved and its confidentiality protected.<\/p>\n<p>Reg. 
20\/2016 defines Personal Data as certain individual data whose accuracy is stored, maintained, and secured, and whose confidentiality is protected.<\/p>\n<p>The EIT Law also recognizes the term \u201cCertain Individual Data,\u201d defined as any accurate and actual information that is associated with an identifiable individual, either directly or indirectly, and whose use is governed by applicable laws and regulations.<\/p>\n<p>Additionally, the PDP Law recognizes the term \u201cInformation\u201d, defined as information, statements, ideas, and signs that contain value, meaning, or messages, including data, facts, and explanations that can be seen, heard, or read, presented in various forms and formats in line with the development of information technology, whether electronically or non-electronically.<\/p>\n<p>In terms of the scope of application, please note that the PDP Law explicitly exempts the processing of personal data by individuals for personal or household activities. However, it still applies to individuals acting in a business or commercial capacity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the PDP Law, Personal Data is further classified into two categories:<\/p>\n<p>a. 
General Personal Data, which includes full name, gender, nationality, religion, marital status, and\/or other personal data that, when combined, can be used to identify an individual; and<\/p>\n<p>b. Specific Personal Data, which includes data related to an individual\u2019s health, biometric and genetic information, criminal records, children\u2019s data, personal financial data, and any other data as may be designated under applicable laws.<\/p>\n<p>In its elucidation, the PDP Law states that Specific Personal Data refers to personal data whose processing may have a greater impact on the data subject, including, but not limited to, discriminatory treatment or more significant harm. This category includes:<\/p>\n<p>a. Health Data and Information: medical records and information relating to an individual\u2019s physical or mental health;<br \/>\nb. Biometric Data: unique physical or behavioral characteristics, such as fingerprints or facial recognition;<br \/>\nc. Genetic Data: inherited or acquired genetic characteristics;<br \/>\nd. Criminal Records: data related to criminal convictions or offenses;<br \/>\ne. Children&#8217;s Data: personal data of minors (under 18 years of age);<br \/>\nf. Personal Financial Data: bank account details, assets, and other financial information; and<br \/>\ng. Other Data: any other categories designated under applicable laws and regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? 
Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Based on the PDP Law, the general principles governing the processing of personal data in Indonesia include:<\/p>\n<p>a. Personal data must be collected in a limited, specific, lawful, and transparent manner;<br \/>\nb. The processing of personal data must be carried out in accordance with its intended purpose;<br \/>\nc. The processing must guarantee the rights of the Personal Data Subject;<br \/>\nd. Personal data must be processed accurately, completely, not misleadingly, in an up-to-date manner, and accountably;<br \/>\ne. The processing must ensure the security of personal data from unauthorized access, disclosure, alteration, misuse, destruction, and\/or loss;<br \/>\nf. The purposes and activities of processing, as well as any failures in personal data protection, must be communicated;<br \/>\ng. Personal data must be destroyed and\/or deleted after the retention period ends or upon the request of the Personal Data Subject, unless otherwise stipulated by law; and<br \/>\nh. The processing of personal data must be carried out in a responsible and demonstrably accountable manner.<\/p>\n<p>Furthermore, the processing of personal data must be based on a valid legal basis, which includes:<\/p>\n<p>a. Consent: Explicit and informed consent from the Personal Data Subject for one or more specific purposes, as conveyed by the Personal Data Controller;<br \/>\nb. Contract: Fulfillment of contractual obligations when the Personal Data Subject is a party to the contract, or to meet the request of the Personal Data Subject prior to entering into a contract;<br \/>\nc. Legal Obligation: Compliance with legal obligations imposed on the Personal Data Controller under prevailing laws and regulations;<br \/>\nd. 
Vital Interest: Protection of the vital interests of the Personal Data Subject;<br \/>\ne. Public Task: Execution of tasks in the public interest, delivery of public services, or the exercise of official authority by the Personal Data Controller in accordance with the law;<br \/>\nf. Legitimate Interest: Fulfillment of other legitimate interests, provided there is a balance between the interests of the Personal Data Controller and the rights of the Personal Data Subject.<\/p>\n<p>Regarding data retention, MOCI Reg. 20\/2016 stipulates that personal data stored within an electronic system must be retained for a minimum of five years, starting from the point at which the data subject ceases to use the system. In practice, this five-year period is often applied as a general benchmark for personal data retention.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In general, the applicable personal data protection regulations require the obtainment of express consent prior to processing personal data.<\/p>\n<p>Under the PDP Law, when processing personal data based on consent, the data controller is required to provide the following information (collectively referred to as \u201cConsent Information\u201d):<\/p>\n<p>a. The legal basis for processing the personal data;<br \/>\nb. 
The purpose of processing the personal data;<br \/>\nc. The type and relevance of the personal data to be processed;<br \/>\nd. The retention period for documents containing personal data;<br \/>\ne. A description of the information collected;<br \/>\nf. The duration of personal data processing; and<br \/>\ng. The rights of the personal data subject.<\/p>\n<p>Consent for the processing of personal data must be obtained either in writing or in recorded form and can be conveyed electronically or non-electronically. Both methods have the same legal validity.<\/p>\n<p>Such Consent Information must be provided in the Indonesian language (bilingual is permissible). If there is any change to the previously provided Consent Information, the Data Controller must notify the Personal Data Subject prior to implementing such change.<\/p>\n<p>Similarly, GR 71\/2019 requires ESPs to obtain valid consent from the owner of the personal data for one or more specific and clearly disclosed purposes. &#8220;Valid consent&#8221; is defined as consent that is explicitly given, and not inferred from inaction, negligence, or obtained under coercion.<\/p>\n<p>In practice, consent may be incorporated within broader documents \u2014 such as terms of service \u2014 or bundled with other matters, provided that explicit consent is clearly given by the relevant individual.<\/p>\n<p>As a matter of practice, consent within electronic systems must be obtained through an opt-in mechanism, a declaration, or another affirmative action by the data subject. 
A click-to-accept action is generally considered sufficient to constitute valid consent.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDP Law has yet to set specific guidance on how one should treat Specific Personal Data differently from General Personal Data. However, it does contain several articles on the treatment of children\u2019s personal data and the personal data of persons with disabilities, as follows:<\/p>\n<p>a. For children&#8217;s data, the consent of their parents or guardian must be obtained;<\/p>\n<p>b. For persons with disabilities, the processing of personal data must be carried out in a specific manner in accordance with applicable regulations. However, further clarification on the precise procedures is still pending, as the relevant implementing regulation has yet to be issued. 
Additionally, consent must be obtained from the person with a disability and\/or their guardian prior to processing their personal data.<\/p>\n<p>Additionally, when processing Specific Personal Data, organizations must obtain clear consent by explaining the type and purpose of the data collected, appoint a DPO if handling large volumes of sensitive data, and conduct a DPIA if the processing poses a high risk to individuals.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restriction, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors?  If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Following the enactment of GR 17\/2025 and MOCDA Regulation No. 9 of 2026, dated March 6, 2026, regarding the Implementing Regulation of Government Regulation No. 17 of 2025 on the Governance of Electronic Systems in Child Protection (\u201cMOCDA Reg. 9\/2026\u201d), the requirements for the collection, use, disclosure or processing of the personal information of children have shifted to a strict enforcement model.<\/p>\n<p>Under these regulations, a child is defined as any person under the age of 18 who uses or accesses a product, service, or feature. The minimum age threshold is 3 years old, with the following age groupings:<\/p>\n<p>a. 3 to 5 years old;<br \/>\nb. 6 to 9 years old;<br \/>\nc. 10 to 12 years old;<br \/>\nd. 13 to 15 years old; and<br \/>\ne. 16 to below 18 years old.<\/p>\n<p>The key requirements are as follows:<\/p>\n<p>a. 
Parental Consent: The processing of any data pertaining to minors under 18 years of age generally requires verified consent from a parent or guardian.<br \/>\nb. Age Thresholds: Platforms must deactivate accounts for children under 16 years old on high-risk services, such as social media. For lower-risk services, the applicable threshold is 13 years old.<br \/>\nc. Mandatory Safeguards: ESPs are required to implement age verification measures, conduct risk self-assessments, and submit compliance reports to the MOCDA by a specified deadline.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, under the PDP Law, the processing of personal data may be exempt from certain obligations in specific circumstances, including:<\/p>\n<p>a. for the interests of national defense and security;<br \/>\nb. for the purposes of law enforcement;<br \/>\nc. in the public interest within the context of state administration; or<br \/>\nd. 
for the supervision of financial services, monetary policy, payment systems, and financial system stability carried out as part of state administration.<\/p>\n<p>In such scenarios, certain obligations of the data controller and certain rights of the data subject may be restricted.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Under the PDP Law, a DPIA must be conducted to evaluate potential risks associated with the processing of personal data. The DPIA also identifies the measures that must be taken to mitigate these risks, safeguard the rights of data subjects, and ensure compliance with the PDP Law.<\/p>\n<p>The data controller is required to carry out a DPIA if the personal data processing carries a high potential risk to the data subject. Personal data processing which has a high potential risk includes:<\/p>\n<p>a. automatic decision-making that has legal consequences or a significant impact on the data subject;<br \/>\nb. processing of specific personal data;<br \/>\nc. processing of large-scale personal data;<br \/>\nd. processing of personal data for purposes of systematic evaluation, scoring, or monitoring activities related to data subjects;<br \/>\ne. processing of personal data for the activity of matching or combining a group of data;<br \/>\nf. the use of new technologies in the processing of personal data; and\/or<br \/>\ng. 
processing of personal data that limits the exercise of the rights of the data subject.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Sector-specific regulations exist in Indonesia, particularly in the financial sector, which is regulated by the Financial Services Authority (Otoritas Jasa Keuangan or \u201cOJK\u201d) and Bank Indonesia, as well as in the health sector, which is regulated by the Ministry of Health (\u201cMOH\u201d). Please also refer to our response to Question No. 12 regarding children&#8217;s data.<\/p>\n<p>In the financial sector, the applicable regulations are generally aligned with the PDP Law, requiring a valid legal basis for the processing of personal data and ensuring the confidentiality of customers&#8217; personal data.<\/p>\n<p>The management of health data within relevant institutions is specifically regulated under MOH Regulation No. 24 of 2022, dated August 31, 2022, regarding Medical Records (\u201cMOH Reg. 24\/2022\u201d). This regulation governs the handling of electronic medical records and mandates that all health service facilities implement electronic medical record systems, with patient data forming part of such records.<\/p>\n<p>The electronic system used to manage medical records may be developed by: (i) the MOH directly; (ii) the health service facility itself; or (iii) in cooperation with an ESP. 
For systems developed under options (ii) or (iii), the system must be interoperable with the MOH&#8217;s system and registered in the MOH&#8217;s database.<\/p>\n<p>Pursuant to MOH Reg. 24\/2022, a request to access medical records with the patient&#8217;s consent must be submitted to the head of the relevant health service facility. In cases where patient consent is not obtained, access must be approved by the MOH. The prescribed retention period for medical records is 25 years.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the PDP Law requires personal data controllers to maintain records of all personal data processing activities. However, it does not provide detailed guidance on the specific manner in which such records should be maintained. In addition, GR 71\/2019 and MOCI Reg. 20\/2016 impose obligations on ESPs \u2013 and, by extension, personal data controllers operating electronic systems \u2013 to maintain an audit trail of all activities within the system, including the processing of personal data.<\/p>\n<p>In practice, the record-keeping obligation under the PDP Law is generally fulfilled through a Record of Data Processing Activities (ROPA), which tracks all personal data processing activities within an organization. Additionally, the mechanism for maintaining such records is often embedded during the development phase of the electronic system. 
Depending on the design and implementation of the system, this may already meet regulatory requirements, though a case-by-case assessment is needed to ensure full compliance.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Although the PDP Law does not specify a mandatory retention period, other regulations set out applicable timeframes for storing personal data in electronic systems. These regulations include MOCDA (formerly MOCI) Reg. 20\/2016 and Government Regulation No. 80 of 2019, dated November 25, 2019, regarding Trade through Electronic Systems (\u201cGR 80\/2019\u201d). Under these regulations, the following retention periods generally apply:<\/p>\n<p>a. Personal data: 5 years after the data subject ceases to use the electronic system;<br \/>\nb. Financial transaction data: 10 years from the date the data is obtained.<\/p>\n<p>Certain sectors may impose longer retention periods; for example, medical records must be kept for at least 25 years.<\/p>\n<p>The obligation to dispose of or destroy personal data applies in specific situations, such as upon a request from the data subject or once the retention period has expired. 
An organization may also delete personal data if it is no longer relevant to the original purpose of processing or retain it longer if required by law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Consultation is required or encouraged in several situations, including prior to conducting cross-border personal data transfers, in carrying out a DPIA, in the event of a failure in personal data protection within an electronic system, and for the facilitation of out-of-court dispute resolution.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In certain types of personal data processing, organizations, whether acting as a data controller or data processor, may be required to appoint a DPO. A DPO must be appointed in the following situations:<\/p>\n<p>a. When personal data processing is conducted in the context of public services;<br \/>\nb. When the core activities of the Controller involve the regular and systematic monitoring of personal data on a large scale; and<br \/>\nc. 
When the core activities consist of large-scale processing of specific personal data and\/or data related to criminal acts.<\/p>\n<p>The DPO plays a key role in ensuring compliance and accountability in personal data processing. The duties of a DPO under the PDP Law include:<\/p>\n<p>a. informing and advising the data controller or data processor on compliance with applicable legal provisions;<br \/>\nb. monitoring and ensuring compliance with the PDP Law and internal policies;<br \/>\nc. providing advice on DPIAs and overseeing their implementation; and<br \/>\nd. acting as a liaison and coordinating on issues related to the processing of personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
Pursuant to GR 71\/2019, ESPs are required to provide, educate, and train personnel responsible for the security and protection of electronic system facilities and infrastructure.<\/p>\n<p>In addition, the Draft GR on PDP also mandates that data controllers establish internal personal data protection policies that include periodic training and capacity building.<\/p>\n<p>In practice, when assessing the level of compliance \u2013 such as in the event of a data breach \u2013 the government will typically inquire whether the company has provided training to its employees, as an indicator of its good-faith efforts to comply with its obligations under the PDP Law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Indonesian data protection laws require data controllers to inform data subjects about their personal data processing activities in several situations. This includes:<\/p>\n<p>a. When obtaining personal data based on consent, the data controller must provide the required Consent Information;<br \/>\nb. Before making any changes to the Consent Information or updates to the purpose of processing;<br \/>\nc. In the event of a personal data protection failure, the data controller must notify the data subject within 3&#215;24 hours of becoming aware of the incident. In certain cases, the controller must also notify the general public;<br \/>\nd. 
When a legal entity acting as a data controller undergoes a merger, spin-off, acquisition, consolidation, or dissolution, the controller must notify the data subjects both before and after the corporate action. This notice may be delivered publicly through electronic or non-electronic mass media.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Under the PDP Law:<\/p>\n<p>a. A Data Controller is any individual, public entity, or international organization, acting alone or jointly, that determines the purpose and exercises control over the processing of personal data.<br \/>\nb. A Data Processor is any individual, public entity, or international organization, acting alone or jointly, that processes personal data on behalf of the controller.<\/p>\n<p>The PDP Law also recognizes the concept of a Joint Controller, where two or more controllers jointly determine the purpose and means of processing. This is indicated by (i) an agreement between the controllers outlining roles, responsibilities, and the relationship between them; (ii) a shared objective and jointly determined method of processing; and (iii) a designated point of contact appointed collectively by the controllers.<\/p>\n<p>In terms of implications, controllers bear greater responsibilities and obligations than processors. 
For example, controllers are responsible for ensuring a valid legal basis for processing, and for providing notifications to data subjects and government authorities when required.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>With regard to automated decision-making or profiling, the PDP Law does not explicitly prohibit or restrict these activities. However, it grants personal data subjects the right to object to decisions made solely through automated processing, including profiling, if such decisions have a significant impact on them.<\/p>\n<p>The PDP Law defines profiling as any activity used to identify an individual, including but not limited to their employment history, economic status, medical records, personal preferences, interests, aptitudes, behavior, location, or movements.<\/p>\n<p>In addition, activities such as monitoring, tracking, or the use of cookies must adhere to the general principles of personal data protection, which include obtaining the data subject&#8217;s consent and, where the activity poses a high risk to their rights, conducting a DPIA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? 
Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific regulation in Indonesia that directly governs the use of cookies, pixels, online tracking, targeted advertising, or behavioural advertising. The general principles of the PDP Law nonetheless apply to any activity involving the collection and processing of personal data through such means, including the requirement to obtain the data subject&#8217;s consent prior to processing and, where the activity poses a high risk to the data subject&#8217;s rights, the obligation to conduct a DPIA.<\/p>\n<p>With regard to electronic marketing more generally, GR 80\/2019 provides that it must be conducted in good faith and in accordance with applicable consumer protection and advertising laws, through channels such as registered mail, email, online sites, electronic media, or other forms of electronic communication. Any electronic offer must be accompanied by clear terms and conditions that are honest, fair, and balanced, and is only considered accepted upon the recipient&#8217;s agreement to such terms.<\/p>\n<p>The PDP Law does not explicitly prohibit targeted advertising or profiling. However, it grants data subjects the right to object to decisions made solely through automated processing, including profiling, where such decisions have a significant impact on them. The PDP Law defines profiling as any activity used to identify an individual, including but not limited to their employment history, economic status, medical records, personal preferences, interests, aptitudes, behaviour, location, or movements.<\/p>\n<p>The most notable exception applies in the context of child protection. 
Under GR 17\/2025 and its implementing regulation, MOCDA Regulation No. 9 of 2026, ESPs are explicitly prohibited from targeting their products, services, and features at children under 3 years of age. For children aged 3 years and above but below 18 years, ESPs are required to conduct a self-assessment of the risks faced by children as targets of commercial offerings, taking into account indicators such as the targeting of children for commercial offerings, the optimization of advertising performance based on child profiling, and the facilitation of payment systems directed at children.<\/p>\n<p>In regulated sectors such as banking and financial services, OJK regulations impose additional requirements, including the obligation to obtain explicit prior consent before conducting marketing activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Indonesian laws do not specifically regulate the sale of personal data. However, any activity involving the transfer or disclosure of personal data, including for commercial purposes, must comply with the general personal data protection principles under the PDP Law. 
This includes obtaining a valid legal basis, such as the consent of the data subject, and ensuring that the data is not used beyond the stated purposes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Please refer to our response to question number 22.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition? If so, how are the relevant terms defined? 
Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is classified as specific personal data under Indonesian law, as discussed in our response to question number 9.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d)? If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data protection laws in Indonesia are currently silent on AI. However, the use of AI may fall under the category of new technologies, which can trigger the requirement to conduct a DPIA before its implementation. In addition, where data processing involves decisions made solely through automated processing, including profiling, that produce legal consequences or have a significant impact on the data subject, the data subject has the right to object to such decisions.<\/p>\n<p>Separately, AI is addressed through non-binding institutional guidelines, specifically MOCI Circular Letter No. 9 of 2023, dated December 19, 2023, regarding the Ethics of Artificial Intelligence (\u201cMOCI CL 9\/2023\u201d). 
This circular provides ethical guidance for the implementation of AI, emphasizing principles such as inclusivity, humanity, privacy and personal data security, accessibility, transparency, credibility and accountability, personal data protection, sustainable environmental development, and intellectual property protection.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Indonesia, data localization requirements differ depending on whether the entity is a public or private ESP. Under GR 71\/2019, Public ESPs, being government agencies, are required to store and process data within Indonesia, with very limited exceptions where the required technology is unavailable domestically. Private ESPs are generally permitted to store data outside of Indonesia, provided that they ensure the government retains access for oversight and supervisory purposes.<\/p>\n<p>However, certain sectors are subject to stricter requirements, and in particular, the health and financial services sectors are governed by sector-specific regulations that typically mandate the use of local data centers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? 
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDP Law allows the transfer of personal data outside of Indonesia under certain conditions. The transfer is permitted if one of the following requirements is met:<\/p>\n<p>a. The recipient country has an equal or higher level of personal data protection than Indonesia;<br \/>\nb. There are adequate and binding personal data protection safeguards in place; or<br \/>\nc. The data subject has given consent to the transfer.<\/p>\n<p>The above requirements are not fully in effect yet, mainly because there is no Data Protection Authority (\u201cDPA\u201d) in place. For now, in cases of cross-border data transfers involving electronic systems, ESPs must notify the MOCDA both before and after the transfer. While the regulations do not explain the procedure for such notification, the MOCDA has provided an internal template for the notification letter to help guide the process.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDP Law requires organizations to protect personal data in their possession or control by securing it against unauthorized access, disclosure, unlawful modification, misuse, damage, and\/or loss. For personal data stored in an electronic system, MOCDA Reg. 
20\/2016 requires that such data be encrypted.<\/p>\n<p>While the PDP Law does not prescribe specific security measures, if personal data controllers also qualify as ESPs, they must comply with specific security requirements under GR 71\/2019 and BSSN Reg. 8\/2020, which govern the operation and protection of electronic systems.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific security obligation prescribed for particular categories of personal data under the applicable regulations. However, in practice, given the sensitive nature of certain categories of personal data and the heightened risk they may pose to data subjects, the government expects companies to implement a higher degree of protection for such data. This may include measures such as encryption, anonymization, and other appropriate safeguards.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
The PDP Law defines a &#8220;security breach&#8221; as a &#8220;failure of personal data protection.&#8221; A &#8220;failure of personal data protection&#8221; refers to a failure to protect personal data in terms of its confidentiality, integrity, or availability, including security breaches, whether intentional or unintentional, that result in the destruction, loss, alteration, disclosure, or unauthorized access to personal data while it is being transmitted, stored, or processed.<\/p>\n<p>When such a failure occurs, the PDP Law requires the data controller to report the incident to the authorities (specifically the DPA, which has not yet been established) and to the affected data subjects within 3\u00d724 hours from when the failure is discovered. The notification must include at least (i) details of the personal data that was disclosed, (ii) when and how the data was disclosed, and (iii) the measures taken by the data controller to address and rectify the disclosure.<\/p>\n<p>In certain circumstances, the data controller is also required to inform the public if the failure disrupts public services or has a serious impact on the public interest.<\/p>\n<p>Separately, GR 71\/2019 also obliges ESPs to immediately report any serious system failures or disruptions caused by external actions to the relevant ministries or institutions, as well as to law enforcement authorities. In practice, this generally includes reporting to the MOCDA, the BSSN (for cyber-related incidents), and any sector-specific institution.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the PDP Law provides the following rights to data subjects:<\/p>\n<p>a. Right to transparency regarding data usage;<br \/>\nb. Right to complete, update, and\/or revise their personal data;<br \/>\nc. Right to access their personal data;<br \/>\nd. Right to request the termination of the processing, deletion, and\/or destruction of their personal data;<br \/>\ne. Right to withdraw consent;<br \/>\nf. Right to object to automated processing;<br \/>\ng. Right to postpone or limit data processing;<br \/>\nh. Right to claim and seek indemnification; and<br \/>\ni. Right to acquire and use personal data and transfer the data to another controller (data portability).<\/p>\n<p>Currently, the PDP Law does not provide further elaboration on how these rights must be fulfilled, except for the rights listed in items b, c, e, and g above. These specific rights must be fulfilled by the data controller within 3\u00d724 hours from the receipt of the request. Typically, companies fulfill these obligations by providing the contact information of the data controller on their websites or offering an opt-out option through their websites.<\/p>\n<p>The exercise of the rights listed above may be restricted under the following circumstances:<\/p>\n<p>a. In the interest of national defense and security;<br \/>\nb. In the interest of law enforcement processes;<br \/>\nc. In the public interest for the purpose of state administration;<br \/>\nd. In the interest of supervision in the sectors of financial services, monetary matters, payment systems, and financial system stability conducted for state administration purposes; or<br \/>\ne. 
In the interest of statistical or scientific research.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, an individual may file a civil lawsuit in court, either on the basis of tort or breach of contract. This right is expressly provided under the PDP Law for violations relating to personal data processing, and under MOCDA Reg. 20\/2016 for failure to protect personal data.<\/p>\n<p>With regard to class actions, Indonesian procedural law permits such actions provided that certain requirements are met. There must be common legal or factual issues among the claims of the class members that predominate over individual issues. The class must be sufficiently large to render individual lawsuits impractical, thereby emphasizing practicality and efficiency. The claims or defenses of the representative parties must be typical of those of the class, and their interests must align with those of the class members. 
Additionally, the representative parties must adequately protect the interests of the class, ensuring competency and the absence of conflicts of interest.<\/p>\n<p>It should be noted that litigation practice involving data breaches remains limited in Indonesia. In general, a data breach affecting a large number of individuals would be more susceptible to a class action, whereas a breach affecting a single individual would more likely be pursued through an individual civil claim.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, this right is granted under the PDP Law. In general, immaterial damages \u2013 such as emotional distress, harm to reputation, or similar non-pecuniary losses \u2013 are only considered in cases involving death, defamation, or bodily harm. Outside of these circumstances, claims for immaterial damages are subject to strict scrutiny by the courts.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? 
What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDP Law provides for dispute resolution through alternative means and court proceedings. However, enforcement remains limited. Violations constituting crimes follow standard legal procedures, while the MOCDA may impose administrative sanctions on businesses like ESPs. Civil lawsuits may also be filed by personal data subjects to claim compensation for losses.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDP Law, non-compliance with data protection requirements may lead to:<\/p>\n<p>(a) Administrative Sanctions \u2013 including written warnings, suspension of data processing activities, deletion or destruction of personal data, and administrative fines (up to 2% of annual income or revenue). Administrative sanctions under GR 71\/2019 and MOCI Reg. 20\/2016 also include access blocking, delisting from registered ESPs, and public announcements.<\/p>\n<p>(b) Criminal Sanctions \u2013 including imprisonment (4\u20136 years) and criminal fines. If committed by a corporation, fines can be up to 10 times the maximum fine for individuals. 
Additional corporate sanctions include profit confiscation, business suspension, prohibition of certain activities, closure, license revocation, and dissolution.<\/p>\n<p>Separately, under the EIT Law, breaches involving personal data in electronic systems may result in imprisonment (6\u201312 years) and fines ranging from IDR 600 million to IDR 12 billion. Corporate sanctions may also apply, with enhanced penalties.<\/p>\n<p>As of now, there are no guidelines or rules governing the calculation of such fines or the imposition of sanctions under either the PDP Law or the EIT Law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. As with other regulatory matters, any order issued by regulators \u2013 primarily the MOCDA in this context \u2013 may be appealed to the administrative court. Decisions rendered by the administrative court may subsequently be appealed through the standard judicial appellate process, including appeal and cassation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability.  
For example, are all organizations subject to the requirement or only to certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)?  Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, under BSSN Reg. 8\/2020, ESPs are required to independently implement an Information Security Management System (<em>Sistem Manajemen Pengamanan Informasi<\/em> or &#8220;<strong>SMPI<\/strong>&#8221;) and conduct a self-assessment of their electronic systems based on risk principles. This assessment considers factors such as system investment, user volume, types of personal data processed, and potential impact of a security breach. Based on the assessment, electronic systems are categorized into one of three risk levels:<\/p>\n<ul>\n<li><strong>Strategic<\/strong>: Systems critical to national interests (e.g., public services, defence).<\/li>\n<li><strong>High<\/strong>: Systems impacting specific sectors or regions.<\/li>\n<li><strong>Low<\/strong>: Systems with limited impact beyond their immediate use.<\/li>\n<\/ul>\n<p>Based on the risk category, BSSN Reg. 
8\/2020 sets the following security standard requirements:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"141\"><strong>Risk Category<\/strong><\/td>\n<td width=\"411\"><strong>Security Standard Requirements<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"141\">Strategic<\/td>\n<td width=\"411\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SNI ISO\/IEC 27001<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Other cybersecurity standards set by BSSN<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Other standards set by the relevant Ministry or Agency<\/td>\n<\/tr>\n<tr>\n<td width=\"141\">High<\/td>\n<td width=\"411\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SNI ISO\/IEC 27001 and\/or other cybersecurity standards set by BSSN<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Other standards set by the relevant Ministry or Agency<\/td>\n<\/tr>\n<tr>\n<td width=\"141\">Low<\/td>\n<td width=\"411\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SNI ISO\/IEC 27001<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Other cybersecurity standards set by BSSN<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Please note that while the applicable regulations require compliance from all ESPs, both foreign and domestic, enforcement in practice is primarily directed at domestic entities. In addition, certain sector-specific regulations may impose further requirements depending on the nature of the sector and the applicable regulatory framework.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
As discussed in our response to question number 38, ESPs are required to implement an SMPI and obtain formal certification from a BSSN-recognized certification body.<\/p>\n<p>In this regard, the SNI ISO\/IEC 27001 is the substantive benchmark that ESPs must meet in order to obtain the SMPI certification. The SMPI certificate therefore serves as formal evidence that an ESP has successfully implemented and complied with the SNI ISO\/IEC 27001 standard, or such other cybersecurity standard as may be prescribed by BSSN, following an information security audit conducted by a BSSN-recognized certification body.<\/p>\n<p>The SMPI certificate is valid for up to three years and must be renewed at least three months prior to its expiry. Certification bodies are also required to conduct supervisory audits at least once per year. Failure to comply is subject to administrative sanctions in the form of written warnings issued by BSSN.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The cybersecurity laws do not impose specific requirements regarding supply chain management. 
Related obligations are generally addressed under broader data protection, electronic system operation, and risk management standards, rather than through standalone supply chain regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The cybersecurity laws do not require the appointment of a specific person responsible for cybersecurity. However, BSSN Regulation No. 1 of 2024, dated January 10, 2024, regarding Cyber Incident Management (&#8220;BSSN Reg. 1\/2024&#8221;), mandates the establishment of Cyber Incident Response Teams (&#8220;CIRTs&#8221;), organized at three levels: (i) national, (ii) sectoral, and (iii) organizational. A CIRT is defined as a group of individuals responsible for managing and responding to cyber incidents within a defined scope of authority and responsibility.<\/p>\n<p>BSSN Reg. 1\/2024 outlines the responsibilities of CIRTs, which include:<\/p>\n<p>a. containing and recovering from cyber incidents;<br \/>\nb. reporting incidents to relevant authorities or parties; and<br \/>\nc. disseminating information to prevent or mitigate future incidents.<\/p>\n<p>When a cyber incident occurs, the organizational CIRT must escalate the report to the next-level CIRT.<\/p>\n<p>With regard to formalities, BSSN Reg. 
1\/2024 requires that all sectoral and organizational CIRTs register with the national CIRT. The registration process involves the submission of a registration form accompanied by supporting documents, including a profile document in the format of Request for Comment 2350, legal documents evidencing the establishment or mandate of the CIRT, data on publicly accessible electronic assets, and information on the competencies of the CIRT&#8217;s human resources. The national CIRT will then validate the application and, upon approval, issue a registration certificate. The registration certificate is valid for five years for sectoral CIRTs and three years for organizational CIRTs. Re-registration is required upon expiry or in the event of organizational or sectoral changes that affect the composition of the CIRT.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Under GR 71\/2019, in the event of a system failure or disruption with a serious impact resulting from actions by a third party against an electronic system, the ESP is required to secure the relevant electronic information and\/or documents and to report the incident at the earliest opportunity to the authorities (i.e., MOCDA and BSSN). 
This obligation relates to system failures or disruptions generally and is not limited to breaches involving personal data.<\/p>\n<p>Under BSSN Reg. 1\/2024, a cyber incident is defined as one or more events that disrupt or threaten the operation of an electronic system. The regulation imposes specific reporting obligations on organizational CIRTs, which are required to report cyber incidents to the sectoral CIRT with a copy to the national CIRT. The report must contain at a minimum the contact information of the reporting party, a description of the incident, the chronology of the incident, and the impact of the incident.<\/p>\n<p>Where a cyber incident occurs within Vital Information Infrastructure (\u201cVII\u201d), the reporting obligation is subject to a stricter timeline, whereby the organizational CIRT must submit the report within 1 x 24 hours of discovering the incident. VII is defined as an electronic system utilizing information technology and\/or operational technology, either independently or interdependently with other electronic systems in supporting strategic sectors, which if disrupted, damaged and\/or destroyed would have a serious impact on the public interest, public services, defense and security, or the national economy.<\/p>\n<p>Following the submission of a report, the organizational CIRT is also required to conduct a post-incident review and submit its findings to the sectoral CIRT, with a copy to the national CIRT. The findings may also be disseminated through applicable information-sharing mechanisms.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? 
Please explain under what circumstances a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Please refer to our response to question number 33.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cybersecurity issues are generally addressed through standard enforcement mechanisms. BSSN, as the primary regulatory body for cybersecurity matters, may impose administrative sanctions on businesses, including ESPs. Civil lawsuits are also available for parties claiming losses. 
In practice, cybersecurity incidents in Indonesia typically result from external third-party actions, and the focus tends to be on resolving the issue rather than pursuing formal disputes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>BSSN and sector-specific authorities generally have the authority to inspect or audit organizations when necessary, particularly in response to a cybersecurity incident.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>BSSN is authorized to impose administrative sanctions on ESPs, primarily in the form of a written reprimand. In addition, sanctions under the EIT Law, as discussed in question number 36, also apply to cybersecurity-related breaches.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Please refer to our response to question number 34.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">9303<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/139484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=139484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}