
BILL

LAW OF THE REPUBLIC OF INDONESIA NUMBER ... YEAR ...

ON

PRIVATE DATA PROTECTION

WITH THE BLESSING OF GOD THE ALMIGHTY ONE

PRESIDENT OF THE REPUBLIC OF INDONESIA

Considering : a. that the protection of personal data as one of the human rights which is part of
personal self-protection requires a strong legal basis to provide personal data
security based on the 1945 Constitution of the Republic of Indonesia Year 1945;

b. that the protection of personal data is intended to guarantee the rights of citizens to
personal protection and foster public awareness and guarantee recognition and
respect for the importance of personal data protection;

c. that the regulation of personal data is currently contained in a number of laws and
regulations so as to increase the effectiveness of the protection of personal data,
regulations in the form of a law is needed regarding the protection of personal data;

d. that based on the considerations as referred to in letter a, letter b, and letter c, it is
necessary to establish a Law on the Personal Data Protection;

Referring to : Article 5 paragraph (1), Article 20, Article 28 G paragraph (1), Article 28 H paragraph (4)
and Article 28 J of the 1945 Constitution of the Republic of Indonesia;

With Joint Agreement of

HOUSE OF REPRESENTATIVES OF THE REPUBLIC OF INDONESIA

and

PRESIDENT OF THE REPUBLIC OF INDONESIA

HAS DECIDED TO

Stipulate : LAW ON PERSONAL DATA PROTECTION


CHAPTER I

GENERAL PROVISIONS

Article 1

In this Law, what is referred to as:

1. Personal Data is any data about a person whether identified and/or can be identified
separately or in combination with other information, directly or indirectly, through electronic
and/or non-electronic system.
2. Information is information, statements, ideas, and signs that contain values, meanings, and
messages, both data, facts, and explanations that can be seen, heard, and read that are
presented in various packages and formats in accordance with the development of
information and communication technology, electronically or non-electronically.
3. Personal Data Controller is the party that determines the purpose and controls Personal Data
processing.
4. Personal Data Processor is the party who processes Personal Data on behalf of Data Controller.
5. Third Party is any Person, Public Agency and other entity other than Personal Data Owner,
Personal Data Controller, Personal Data Processor, and other parties under the control of
Personal Data Controllers or Personal Data Processors who obtain authorization from Personal
Data Controller or Personal Data Processor to do Personal Data processing.
6. People are individuals, both Indonesian citizens, foreign nationals, and also corporations.
7. Personal Data Owner is an individual as the subject of data that has legitimate Personal Data.
8. Sector Supervisory and Regulatory Agencies are the Agencies that have the duty to oversee
the implementation of sector duties and issue regulations for the sector.
9. Public agencies are executive, legislative, judicial, and other bodies whose functions and main
tasks are related to the administration of the state, in which a part of or all funds are sourced
from the State Revenue and Expenditure Budget and/or Regional Revenue and Expenditure
Budget, or partially non-governmental organizations. All funds are sourced from the State
Revenue and Expenditure Budget and/or Regional Revenue and Expenditure Budget, society
contribution, and/or external donation from other countries.
10. Corporations are organized collections of people and/or wealth, both legal entities and non-
legal entities.
11. Business Actors are individuals, business entities, established and domiciled or conducting
activities within the jurisdiction of the Republic of Indonesia, both individually and jointly,
through agreements to conduct business activities in various economic fields.
State Secretariat: business actors can enter into corporation
12. Personal Data Violation is a violation of the rights of Personal Data Owner based on this Law.
13. Minister is the minister who organizes government affairs in the field of communication
and informatics.

Article 2

This Law applies to every Person, Public Agency, Business Actor, and organization/institution that
performs legal acts as stipulated in this Law, both those in the regions under Indonesian jurisdiction
or outside Indonesian jurisdiction, which has legal consequences in Indonesian jurisdiction and/or
outside Indonesian jurisdiction and is detrimental to the interests of Indonesia.

CHAPTER II

NORMS, PRINCIPLES AND OBJECTIVES

Article 3

This law is carried out based on the principle of protection, the principle of public interest, the principle
of fairness, and the principle of accountability.

Article 4

To implement the norms as intended in Article 3, Personal Data Protection is carried out based on the
following:

a. Personal Data Collection is carried out in a limited and specific manner, data obtained by
using legal and fair methods, and is known and approved by the person concerned;
b. Personal Data Processing is carried out based on the agreement of Personal Data Owner;
c. Personal data processing is done accurately, completely, in a non-misleading and up-to-date
manner with due regard to the purpose of Personal Data processing;
d. Personal data processing is carried out in accordance with the purpose of its use;
e. Personal Data Processing is performed by protecting the security of Personal Data from loss,
misuse, access, and illegal disclosure, as well as change or destruction of Personal Data;
f. Personal Data Processing has a retention period according to needs based on the provision
in legislation;

Article 5

Personal Data Protection Arrangements aim to:

a. protect and guarantee the basic rights of citizens related to personal protection;
b. guarantee the community to get services from the government, business people, and
other organizations/institutions;
c. encourage the growth of digital economy and information and communication technology
industries; and
d. support domestic industrial competitiveness improvement.

CHAPTER III

TYPES OF PERSONAL DATA

Article 6

(1) Personal Data consists of:
a. General personal data; and
b. Specific Personal Data.
(2) General personal data as referred to in paragraph (1) letter a can be obtained generally in access
to public services or listed in an official identity in which disclosure without attention to the
rights can harm the rights of the Personal Data Owner.
(3) Specific Personal Data as referred to in paragraph (1) letter b is personal data in which the
impact of disclosure is sensitive for the security and comfort of the life of the Personal Data
Owner that without rightful disclosure can harm the right of privacy of the Personal Data
Owner.
(4) In certain cases, the specific Personal Data Protection Standards as referred to in paragraph (3)
are determined in accordance with the provision in legislation.

CHAPTER IV

PERSONAL DATA OWNER RIGHTS

Article 7

Personal Data Owner has the right to request Information about identity clarity, basic legal interests,
the purpose of requesting and using Personal Data, and the accountability of parties requesting
Personal Data.

Article 8

The Personal Data Owner has the right to complete his/her Personal Data before being processed by
the Personal Data Controller.

Article 9

Personal Data Owner has the right to access and obtain a copy of his/her Personal Data to the Personal
Data Controller.

Article 10

Personal Data Owner has the right to update his/her Personal Data to the Personal Data Controller.

Article 11

Personal Data Owner has the right to terminate the processing, deletion, and/or destroy his/her
Personal Data to the Personal Data Controller.

Article 12

Personal Data Owner has the right to withdraw the agreement to process his/her Personal Data that
has been given to the Personal Data Controller.

Article 13

Personal Data Owner has the right to object to the surveillance and/or automatic profiling actions
to the Personal Data Controller.

Article 14

Personal Data Owner has the right to choose or not to choose Personal Data processing through a
pseudonym mechanism for certain purposes.

Article 15

Personal Data Owner has the right to delay or limit the processing of Personal Data in proportion to
the purpose of Personal Data processing concerned.

Article 16

Personal Data Owner is entitled to sue and receive compensation on Personal Data Violation.

Article 17

(1) Personal Data Owners have the right to obtain their Personal Data in a form that is in accordance
with the structure and/or storage format commonly used or can be read by machines or
hardware used in interoperability between Electronic Systems.
(2) Personal Data Owner has the right to send and use Personal Data from one Personal Data
Controller to another Personal Data Controller, as long as the system can communicate with
each other safely in accordance with Personal Data Protection principles.

Article 18

The implementation of the rights of Personal Data Owner as referred to in Article 9, Article 10,
Article 11, Article 12, Article 13, and Article 15 shall be submitted through a written application to
the Personal Data Controller.

CHAPTER V

PRIVATE DATA PROCESSING

First Part

General

Article 19

(1) Personal Data Processing includes:
a. acquisition and collection;
b. processing and analyzing;
c. storage;
d. repair and update;
e. appearance, announcement, delivery, disclosure, dissemination; and/or
f. deletion or destruction.
(2) Personal Data Processing as referred to in paragraph (1) is carried out in accordance with the
Personal Data Protection include:
a. approval of the Personal Data Owner;
b. basic clarity of interests and purpose of data of Personal Data Requested;
c. Personal Data security;
d. personal data access;
e. accuracy;
f. retention;
g. notification;
h. destruction and deletion; and
i. accountability.
(3) Technical Provisions for the implementation of Personal Data processing as referred to in
paragraph (1) in accordance with the provision in legislation.

Part Two

Requirements of Legitimate Personal Data Processing

Article 20

Personal data processing as referred to in Article 19 must be carried out by fulfilling the following
provisions:

a. there is a legitimate agreement between Personal Data Owner for one or several specific
purposes that have been submitted to the Personal Data Owner;
b. it is required to fulfill the agreement obligations in the event that the Personal Data Owner is
one of the parties or to fulfill the request of Personal Data Owner when agreement is going to
be entered;
c. it is required to comply with legal obligations of the Personal Data Controller in accordance
with the provision in legislation;
d. it is necessary to protect the vital interest of each Person or Personal Data Owner; and/or
e. it is needed in the framework to implement the official authority granted to the Personal Data
Controller or fulfillment of public service obligations for the benefit of general interests.

Part Three

Terms of Consent

Article 21

(1) Consent for providing Personal Data is gained through written or oral recorded consent.
(2) Written consent as referred to in paragraph (1) can be submitted electronically or non-
electronically.
(3) Electronic consent has the same legal force as the non-electronic consent.
(4) In the event that Personal Data consent is given in writing as referred to in paragraph (1) which
contains other objectives, the request for consent must comply with these conditions:
a. can be clearly distinguished from other issues;
b. created in a format that could be understood and accessed easily; and
c. use clear simple language.
(5) Consent that does not fulfill the provisions referred to in paragraph (1) to paragraph (4) is
declared not binding for Personal Data Owner.
(6) Each clause in the Personal Data request contract that does not contain explicit consent from the
Personal Data Owner which does not meet the Personal Data Protection principle is declared
legally null and void.

Part Four

Specific Data Processing

Article 22

(1) In processing personal data, personal data controllers and/or personal data processor must
maintain the confidentiality of specific personal data as referred to in Article 6 paragraph (1).
(2) Provision as referred to in paragraph (1) is exempted in a situation where:
a. Personal Data Owner has given his/her consent as referred to in Article 21;
b. It is required for the purpose of carrying out certain obligations and rights of the Personal Data
Controller or of Personal Data Owner in the fields of employment, social security, and/or social
welfare which protects the basic rights and interests of the Personal Data Owner;
c. It is necessary to protect the interests of the Personal Data Owner who is incompetent both
physically and legally;
d. It is performed in association legal activities that are in accordance with the code of conduct
provided that Personal Data are not disseminated outside the scope association;
e. Personal Data have been published by Personal Data Owner; and/or
f. It is necessary for the interest of justice process in accordance with the provision in legislation.

Part Five

Visual Data Processing/Processor Equipment

Article 23

(1) Visual data processing/processor equipment can be installed in public places and/or at public
service facilities for the purposes of:
a. crime prevention, initial investigation, and investigation;
b. security;
c. disaster prevention; and/or
d. traffic management or traffic information collection, analysis, and regulation.
(2) Visual data processing/processor equipment operators must display information about the
existence of visual data processing/processor equipment and/or notification that visual data
processing/ processor equipment is installed as referred to in paragraph (1).
(3) Information and/or notification as referred to in paragraph (2) is exempted in terms of law
enforcement in accordance with regulatory provision of legislation.
(4) Visual data processing/processor equipment operators are required to ensure information
security against Personal Data.
(5) Visual data processing/processor equipment operator can use the voice recorder function on
the visual data processing device or processor for the purposes referred to in paragraph (1).

CHAPTER VI

OBLIGATIONS OF PERSONAL DATA CONTROLLER, PERSONAL DATA PROCESSOR, AND THIRD PARTY
PROCESSORS IN PERSONAL DATA PROCESSING

Part One

General

Article 24

Personal Data Controllers and Personal Data Processors include:

a. Person;
b. Public Agency;
c. Business actor; and
d. organization/institution.

Part Two

Obligations of Personal Data Controllers

Article 25

(1) Personal Data Controller in performing general and specific personal data processing must obtain
consent from the Personal Data Owner as referred to in Article 21 paragraph (1).
(2) To obtain the consent as referred to in paragraph (1), the Personal Data Controller must submit
Information about:
a. legality of Personal Data processing;
b. objective of Personal Data processing;
c. relevance of the type of Personal Data that will be processed;
d. retention period of document that contains Personal Data;
e. details regarding Information collected;
f. time period for Personal Data processing and destruction by Personal data Controller;
and
g. Rights of Personal Data Owner to change and/or withdraw consent that has been given.
(3) The consent as referred to in paragraph (1) is exempted in situations where:
a. it is necessary to protect Personal Data Owner from life-threatening situations;
b. it is necessary to achieve the goal of fulfilling every right and obligation in accordance with
regulatory provision in legislation;
c. It is necessary to provide health services performed by medical personnel, health care
workers, and other personnel, and people who are bound by the obligation to maintain
patients’ confidentiality;
d. It is necessary for judicial process in accordance with the regulatory provision in legislation;
e. It is necessary for the implementation of the functions of various parties that have authority
in accordance with regulatory provision in legislation;
f. Specific Personal Data has been in the public domain because of actions taken by the Personal
Data Owner;
g. There are provisions in legislation that require the processing of Personal Data; and/or
h. It is required to implement an agreement with Personal Data Owner.
(4) In the event that there is a change in the processing of Personal Data Information as referred to
in paragraph (2), the Personal Data Controller must notify the Personal Data Owner no later than
7 (seven) days after the change in information occurs.

Article 26

Personal Data Controller must display the consent given by Personal Data Owner as referred to in
Article 20 letter a.

Article 27

(1) Personal Data Controllers must stop processing Personal Data in the event that Personal Data
Owner withdraws the consent for Personal Data processing.
(2) Personal Data Controller must stop the processing of Personal Data as referred to in paragraph
(1) no later than 3 (three) days from the date the withdrawal of consent for Personal Data
processing is accepted.

Article 28

(1) Personal Data Controllers must postpone the processing of Personal Data in part or in whole when it
is requested by the Personal Data Owner.
(2) Delay in processing of Personal Data as referred to in paragraph (1) is exempted where:
a. There are applicable legislations that do not allow delays to be made by Personal Data
Controllers;
b. Delay may endanger the safety of others; and/or
c. Personal Data Owner is bound by a written agreement that does not allow delays in
Personal Data processing.

Article 29

Personal Data Controller must protect and ensure the security of the Personal Data it processes, by:

a. prepare and apply operational technical steps to protect Personal Data from Personal
Data processing disruption that is contrary to the provision in legislation; and
b. determine the level of security of Personal Data by taking into account the nature and
risks of Personal Data that must be protected in Personal Data processing.

Article 30

Personal Data Controller must supervise each party as referred to in Article 24 that are involved in
Personal Data processing under the instruction of the Personal Data Controller.

Article 31

Personal Data Controller must ensure the protection of Personal Data from illegal Personal Data
processing.

Article 32

(1) Personal Data Controller must prevent Personal Data that may be accessed illegally.
(2) Prevention as referred to in paragraph (1) is carried out with a security system applied on
Personal Data that it manages and/or by managing Personal Data using a reliable and safe
electronic system and being responsible in accordance with the provision in legislation.

Article 33

Each Personal Data Controller and Personal Data Processor must record all activities in Personal Data
processing.

Article 34

(1) Personal Data Controllers are required to provide the Personal Data Owner with access to the
processed Personal Data along with the track record of the processing of Personal Data.
(2) The granting of access to Personal Data Owner as referred to in paragraph (1) is carried
out from the date of receipt of the application for access in accordance with the period of
Personal Data retention.

Article 35

Personal data controllers must refuse to give access to changes in Personal Data to Personal Data
Owner if:

a. it endangers the physical security or health or mental health of individuals other than the
Personal Data Owner;
b. it leads to a disclosure of Personal Data belonging to another person; and/or
c. it is contradictory with national defense and security interests.

Article 36

(1) Personal Data Controllers must correct errors and/or inaccuracies in Personal Data immediately
after receiving a request for Personal Data correction from Personal Data Owner.
(2) Personal Data Controller must notify the Personal Data Owner of the results of changes and/or
repair of the Personal Data.

Article 37

(1) Personal Data Controllers must guarantee the accuracy, completeness and consistency of
Personal Data in accordance with the provision in legislation.
(2) In guaranteeing the accuracy, completeness, and consistency of Personal Data as referred to in
paragraph (1) Personal Data Controllers must perform verification.

Article 38

Personal Data Controllers must process Personal Data in accordance with the purpose of processing
Personal Data as approved by the Personal Data Owner.

Article 39

(1) Personal Data Controllers must terminate Personal Data processing if:
a. retention time has been reached;
b. the purpose of Personal Data processing has been achieved; or
c. there is a request from the Personal Data Owner.
(2) The termination of Personal Data processing as referred to in paragraph (1) is carried out in
accordance with the provision in legislation.

Article 40

(1) Personal Data Controller must delete the Personal Data when:
a. The personal data is no longer needed for the achievement of Personal Data processing goals;
b. Personal Data Owner has withdrawn his/her consent for Personal Data processing through a
written application to the Personal Data Controller; and/or
c. Personal data is obtained and/or processed in a way that is against the law.
(2) Deletion of Personal Data as referred to in paragraph (1) is carried out by Personal Data Controller
in accordance with the provision in legislation.
(3) Personal Data that have been deleted as referred to in paragraph (1) can be recovered/re-
displayed in its entirety in the event where there is a written request from the Personal Data
Owner.
(4) Application as referred to in paragraph (3) may be submitted in the event that it has not passed
the retention period in accordance with the provision in legislation.

Article 41

(1) Personal Data Controller is obliged to destroy Personal Data when:
a. data have no value to be used anymore;
b. retention time has been reached and data have been destroyed based on archive retention
schedule;
c. it is indicated that it causes a leak in the Personal Data processing system;
d. Personal Data Owner requests the destruction of Personal Data through a written application
to the Personal Data Controller; and/or
e. it is not related with legal settlement process of a case.
(2) Destruction of Personal Data as referred to in paragraph (1) is carried out in accordance with
regulatory provision in legislation.

Article 42

(1) In the event where a failure to protect Personal Data occurs, the Personal Data Controller must
submit a written notice no later than 72 (seventy-two) hours to:
a. Personal Data Owner; and
b. Minister or Sector Supervisory and Regulatory Agency in accordance with regulatory
provisions in legislation;
(2) In the event that the Sector Supervisory and Regulatory Agencies receive the notification as
referred to in paragraph (1), the Sector Supervisory and Regulatory Agency coordinates with the
Minister.
(3) Written notification as referred to in paragraph (1) includes:
a. Personal data disclosed;
b. when and how Personal Data is disclosed; and
c. efforts to handle and recover the disclosed Personal Data by the Personal Data
Controller.
(4) In certain cases, the Personal Data Controller must notify the public of the failure of Personal
Data Protection as referred to in paragraph (1).

Part Three

Obligations of Personal Data Processor

Article 43

In the event that the Personal Data Processor is appointed by the Personal Data Controller, all
provisions of the Personal Data Processing apply mutatis mutandis to the Personal Data Processor.

Article 44

(1) Personal Data Controller carries out and is responsible for all Personal Data processing.
(2) The Personal Data Controller can designate a Personal Data Processor to do part or all of the
Personal Data Processing.
(3) In the case where the Personal Data Processor processes the Personal Data for the benefit of
the Personal Data Controller, it becomes the full responsibility of the Personal Data Controller.
(4) In the case of the Personal Data Processor as referred to in paragraph (3) processes Personal
Data other than the purpose specified by the Personal Data Controller, it is entirely the
responsibility of the Personal Data Processor concerned.

Part Four

Obligations of Third Parties

Article 45

Third party must process Personal Data for the purpose of Personal Data Processing that has been
approved by Personal Data Owner.

Part Five

Officers/Officials with Personal Data Protection Function

Article 46

(1) In certain cases, Personal Data Controller and Personal Data Processor must appoint an
official/officer to carry out the Personal Data protection function.
(2) Certain cases as referred to in paragraph (1) include:
a. processing carried out by Personal Data Controller and/or Personal Data Processor
performing public services;
b. core activities of the Personal Data Controller have the nature, scope, and/or purpose that
require regular and systematic monitoring of Personal Data on a big scale;
c. core activities of the Personal Data Controller consist of large-scale processing of specific
Personal Data and/or Personal Data that are related with violation and criminal actions.
(3) Official/officer carrying out the Personal Data protection function as referred to in paragraph
(1) must be appointed based on professional quality, knowledge of the law and Personal Data
protection practice, and the ability to fulfill his/her duties.
(4) Personal Data Protection Officer as referred to in paragraph (1) may come from within and/or
outside the Personal Data Controller or Personal Data Processor.

Article 47

(1) Officials/officers who carry out Personal Data protection functions have at least the following
duties:
a. inform and provide advice for Personal Data Controller or Personal Data Processor and
employees who carry out processing to comply with the provisions of this law;
b. monitor and ensure compliance with this Law and Personal Data Controller or Personal
Data Processor policies regarding the protection of personal data, including assignments,
responsibilities, raising awareness, and training of staff involved in the processing of
Personal Data, and related auditing;
c. provide advice on assessing the impact of personal data protection and monitor the
performance of Personal Data Controller and Personal Data Processor;
d. coordinate with Sector Supervisory and Regulatory Agency;
e. act as a contact with the Sector Supervisory and Regulatory Agency for issues related to
the processing of Personal Data, including conducting prior consultation on risk mitigation
and/or other matters.
(2) In carrying out the duties as referred to in paragraph (1), officials/officers carrying out the
Personal Data protection function must pay attention to operational risks related to the
processing of Personal Data, taking into account the nature, scope, context and purpose of
processing.
(3) Further provisions regarding officials/officers carrying out the Personal Data protection function
are regulated in Ministerial Regulations.

Part Six

Administrative Sanctions

Article 48

(1) Violations of the provisions of Article 25 paragraph (1), paragraph (2), and paragraph (4), Article
27, Article 28 paragraph (1), Article 29, Article 30, Article 31, Article 32 paragraph (1),
Article 33, Article 34, Article 35, Article 36, Article 37, Article 38, Article 39, Article 42 paragraph
(1) and paragraph (4), Article 43, Article 46 paragraph (1), are subjected to administrative
sanctions.
(2) Administrative sanctions as referred to in paragraph (1) take the form of:
a. temporary activity termination;
b. deletion or destruction of Personal Data;
c. compensation; and/or
d. administrative fine.
(3) Administrative sanctions are given by each of the heads of the Supervisory and Regulatory
Agency in accordance with the provision in legislation.

CHAPTER VII

PERSONAL DATA TRANSFER AND DIVERSION

Part One

Personal Data Transfer to a Third Party in the Territory of the Unitary State of the Republic of
Indonesia

Article 49

(1) Personal Data Controller or Personal Data Processor can transfer Personal Data to a Third Party
within the territory of the Unitary State of the Republic of Indonesia.
(2) Personal Data Controller or Personal Data Processor who transfers and the third party who
receives transfer of Personal Data as referred to in paragraph (1) must protect Personal Data as
referred to in this law.

Part Two

Transfer of Personal Data to Outside of the Unitary State of the Republic of Indonesia

Article 50

The Personal Data Controller must request and obtain prior written approval from the Personal Data
Owner to transfer the Personal Data that it processes to a third party outside the jurisdiction of the
Unitary State of the Republic of Indonesia.

Article 51

Personal data as referred to in Article 50 may be transferred outside the jurisdiction of the Unitary
State of the Republic of Indonesia provided that:

a. The country or international organization has a personal data protection level that is equal
to or higher than this law;
b. there is a contract between the Personal Data Controller and a third party outside the
territory of the Unitary State of the Republic of Indonesia by taking into account the
protection aspects of Personal Data; and/or
c. there is an international agreement between countries.

Part Three

Transfer of Personal Data in the Process of Merging, Separation, Acquisition, or Consolidation of
Legal Entities

Article 52

(1) Personal Data Controller that takes the form of a legal entity that engages in merging,
separating, taking over, or consolidating a Legal Entity must submit notification of transferring
Personal Data to Personal Data Owner.
(2) The party sending and receiving the transfer of Personal Data as referred to in paragraph (1)
must protect the Personal Data as referred to in this law.

CHAPTER VIII

PROHIBITION [IN PERSONAL DATA USE]

Article 53

Personal Data Controller, Personal Data Processor, and/or Third Party are prohibited from illegally
disclosing specific Personal Data to other parties.

Article 54

Every Person is prohibited from illegally installing and/or operating visual data processing or processor
equipment in public facilities or public service facilities that can threaten or violate Personal Data
Protection.

Article 55

(1) Every person is prohibited from illegally moving visual data processing or processor
equipment installed in public facilities or public service facilities that are used for:
a. crime prevention, initial investigation, and investigation;
b. security;
c. disaster prevention; and/or
d. traffic management or collection, analysis, and regulation of traffic information,

to a different place.
(2) Every person is prohibited from using the voice recorder function on visual data processing or
processor equipment installed in public facilities and/or public service facilities other than for
the purposes referred to in paragraph (1).

Article 56

Third parties are prohibited from Personal Data Processing other than for the purpose of Personal
Data Processing that has been approved by Personal Data Owner.

Article 57

Personal Data Controller is prohibited from transferring Personal Data outside the jurisdiction of the
Unitary State of the Republic of Indonesia without the approval of Personal Data Owner and from
violating the following provisions:

a. the country or international organization has personal data protection level that is equivalent or
higher than this law;
b. there is a contract between the Personal Data Controller and a third party outside the territory
of the Unitary State of the Republic of Indonesia by taking into account the protection aspects of
Personal Data; and/or
c. there is an international agreement between countries.

Article 58

Personal Data Controllers and Personal Data Processors are prohibited from Personal Data Processing
for commercial purposes and/or profiling except with the approval of Personal Data Owner.

Article 59

Every person is prohibited from disclosing or using Personal Data that is not his/her property without
the consent of Personal Data Owner.

Article 60

(1) Every person is prohibited from falsifying personal data with the intention of benefiting
themselves or which can cause harm to other people.
(2) Every person is prohibited from selling or buying personal data that is not his/hers.

CHAPTER IX

ESTABLISHMENT OF PERSONAL DATA CONTROL CONDUCT GUIDELINE

Article 61

(1) Business Actors Association can develop a Personal Data Controller Conduct Guideline.
(2) In developing the Personal Data Controller Conduct Guideline as referred to in paragraph (1),
the Business Actor Association must consider:
a. Personal Data processing purpose;
b. principles of Personal Data Processing; and
c. input from Personal Data Owners or their representative Associations.
(3) The Personal Data Controller Conduct Guideline must have the same level of protection as
stipulated in this law or higher.
(4) The Personal Data Controller Conduct Guideline may not conflict with this Law.

CHAPTER X

EXCEPTIONS IN PERSONAL DATA PROTECTION

Article 62

(1) The rights of Personal Data Owner and Principles of Protection of Personal Data are exempted
when:
a. It is necessary for the sake of national defense and security;
b. It is necessary for the interest of Judicial Process according to the provisions in
legislation;
c. It is necessary for the purposes of state administration and public interests, especially
economic or finance interests;
d. It is necessary for enforcing professional code of ethics;
e. It is necessary for aggregate data in which the processing is done for statistical and
scientific research interests.
(2) The exceptions as referred to in paragraph (1) shall be carried out only in the context of
implementing the provisions of the law and/or ratified international agreements.

CHAPTER XI

DISPUTE SETTLEMENT

Article 63

(1) Personal Data Protection dispute settlement can be done:
a. out of court; or
b. in the court.
(2) Settlement of disputes outside the court as referred to in paragraph (1) letter a shall be
carried out in accordance with the provision in legislation.

CHAPTER XII

INTERNATIONAL COLLABORATION

Article 64

(1) International collaboration is carried out by the Government with the government of other
countries or international organizations related to the protection of Personal Data.
(2) International collaboration as referred to in paragraph (1) shall be carried out in the form of
formal cooperation or based on the principle of reciprocity.

CHAPTER XIII

ROLES OF GOVERNMENT AND SOCIETY

Article 65

The Government guarantees the implementation of Personal Data Protection under this Law.

Article 66

The Attorney General's Office as a state lawyer on the basis of safeguarding the public interest and/or
safeguarding national interests can make a lawsuit or claim for violation of personal data whether
done domestically or abroad.

Article 67

(1) The public can participate, both directly and indirectly, in raising awareness of the importance of
protecting personal data in accordance with the provisions of this law.
(2) Implementation of community participation in raising awareness of the importance of Personal
Data Protection as referred to in paragraph (3) can be done through education, training,
advocacy, technical guidance, and/or socialization.

CHAPTER XIV

CRIMINAL PROVISIONS

Article 68

Personal Data Controllers, Personal Data Processors, and/or Third Parties who intentionally and
unlawfully disclose Specific Personal Data to other parties as referred to in Article 53, shall be punished
with a fine of a maximum of Rp. 5,000,000,000 (five billion rupiahs).

Article 69

Any person who intentionally and unlawfully installs and/or operates visual data processing or
processor equipment in public facilities or public service facilities that can threaten or violate Personal
Data Protection as referred to in Article 54, shall be punished with a maximum fine of
Rp. 500,000,000 (five hundred million rupiah).

Article 70

(1) Any person who intentionally and unlawfully moves a visual data processing or processor
equipment installed in a public facility or public service facility that is used for the purposes
referred to in Article 55 paragraph (1) to a different place shall be punished with a maximum fine
of Rp. 500,000,000 (five hundred million rupiah).
(2) Any person who intentionally and unlawfully uses a voice recorder function on a visual data
processing or processor equipment installed in a public facility or public service facility as referred
to in Article 55 paragraph (2) shall be punished with a maximum fine of Rp. 500,000,000 (five
hundred million rupiah).

Article 71

Third Parties who illegally process Personal Data other than for purposes that have been approved by
Personal Data Owner as referred to in Article 56 shall be punished with a fine of a maximum
of Rp. 500,000,000 (five hundred million rupiah).

Article 72

Personal Data Controller who intentionally transfers Personal Data outside the jurisdiction of the
Republic of Indonesia without the approval of Personal Data Owner and violates the following
provisions:
a. the country or international organization has a personal data protection level that is
equivalent to or higher than this law;
b. there is a contract between the Personal Data Controller and a third party outside the
territory of the Unitary State of the Republic of Indonesia by taking into account the
protection aspects of Personal Data; and/or
c. there is an international agreement between countries.

as referred to in Article 57, shall be liable to a fine of a maximum of Rp 50,000,000,000 (fifty billion
rupiah).

Article 73

Personal Data Controller and Personal Data Processor that intentionally processes Personal Data for
commercial purposes and/or profiling without the approval of Personal Data Owner as referred to in
Article 58 shall be punished with a maximum fine of Rp. 100,000,000,000.- (one hundred billion
rupiah).

Article 74

Any person who intentionally discloses or uses Personal Data that is not his/her property without
the approval of Personal Data Owner as referred to in Article 59 shall be punished with a fine of a
maximum of Rp.10,000,000,000.- (ten billion rupiahs).

Article 75

(1) Any person who falsifies personal data with the intention to benefit themselves or that can cause
harm to others as referred to in Article 60 paragraph (1) shall be punished with a fine of a
maximum of Rp. 3,000,000,000.00 (three billion rupiah).
(2) Any person who sells or buys personal data that is not his/her property as referred to in Article
60 paragraph (2) shall be sentenced with a fine of 4% (four percent) of the total revenue earned
from Personal Data transaction or a maximum of Rp 5,000,000,000.00 (five billion rupiah).

Article 76

In addition to being sentenced according to the basic punishments, the defendant can also be
sentenced to additional penalties in the form of deprivation of income and/or assets obtained or the
proceeds of crime as referred to in Article 68 through Article 75.

Article 77

In the case that the crime as referred to in Article 68 to Article 75 is carried out by a corporation, a
maximum fine 3 (three) times higher than the penalty imposed on individuals will be applied.

CHAPTER XV

TRANSITIONAL PROVISIONS

Article 78

When this Law comes into force, parties that have processed personal data must comply with the
provisions of Personal Data Protection under this Law no later than 2 (two) years from the
promulgation of this Law.

CHAPTER XVI

CLOSING PROVISION

Article 79

When this Law comes into force, all provisions in legislation governing the Protection of Personal Data
are stated to remain valid insofar as they do not conflict with the provisions of this Law and are not
specifically regulated in this Law.

Article 80

This law comes into force on the date of promulgation.

In order to make everyone cognizant, order the enactment of this Law by placing it in the State Gazette
of the Republic of Indonesia.

Enacted in Jakarta on ...

PRESIDENT OF THE REPUBLIC OF INDONESIA

JOKO WIDODO

Promulgated in Jakarta on ...

MINISTER OF LAW AND HUMAN RIGHTS OF THE REPUBLIC OF INDONESIA,

YASONNA H LAOLY

STATE GAZETTE OF THE REPUBLIC OF INDONESIA YEAR ... NUMBER ...


EXPLANATION OF THE LAW OF THE REPUBLIC OF INDONESIA NUMBER ... YEAR ...

ON PERSONAL DATA PROTECTION

I. GENERAL

The rapid development of information and communication technology has created various
opportunities and challenges. Information technology allows humans to connect to each other across
country boundaries, so that it has become one of the factors driving globalization. Various life sectors
have utilized information technology systems, such as the implementation of electronic commerce
(e-commerce) in the trade/business sector, electronic education (e-education) in the field of
education, electronic health (e-health) in the field of health, electronic government (e-government)
in the field of government, as well as information technology that is utilized in other fields. The use of
information technology results in easy collection and transfer of personal data from one party to
another without the knowledge of the Personal Data Owner, thus threatening the right to one's
privacy.

Protection of Personal Data is included in the protection of human rights; hence, regulation concerning
the right to privacy of personal data is a manifestation of the recognition and protection of basic
human rights. The existence of a Law on Personal Data Protection is a necessity that cannot be delayed
anymore because it is very urgent for various national interests. Indonesian international association
also demands protection of Personal Data. This protection can facilitate transnational trade, industry,
and investment.

The Bill on Personal Data Protection is mandated by Article 28G paragraph (1) of the 1945 Constitution
of the Republic of Indonesia, stating: "everyone has the right to the protection of self, family, honor,
dignity, and property under his control, and has the right to security and protection from the threat
of fear of doing or not doing something that is seen as human rights". The issue of protection of
personal data arises because of concerns about violations of privacy that can be experienced by people
and/or legal entities. Violations of privacy can cause losses that are not only material in nature but also
immaterial loss that takes the form of defamation of a person or institution.

The formulation of rules regarding privacy of Personal Data can be understood because of the need
to protect individual rights in the community in connection with the processing and Personal Data
Processing, both electronically or manually, using data processing devices. Adequate protection of
privacy regarding personal data will be able to build public trust to provide Personal Data for various
interests of the greater community without being misused or without violating the person’s personal
rights. Thus, this arrangement will create a balance between the rights of individuals and the people
represented by the interests of the state. Arrangements regarding the privacy of this Personal Data
will contribute greatly to the creation of order and progress in information society.

To reduce the overlap in the provisions on Personal Data Protection, the provisions in this Law are
basically general data protection standards, both for data that are partially or wholly processed by
electronic and manual methods, where each sector can implement Personal Data Protection according
to the characteristics of the sector concerned, including the provisions of Personal Data that have
been regulated in the professional provisions.

II. ARTICLE BY ARTICLE

Article 1

Self-explanatory.

Article 2

Self-explanatory.

Article 3

Self-explanatory.

Article 4

Self-explanatory.

Article 5

Self-explanatory.

Article 6

Paragraph (1)

What is referred to as Personal Data in this Law is, among others, individual data regulated in the
Population Administration Law.

Letter a

What is referred to as general personal data in this Law, among others, take the form of full name,
gender, nationality, or religion, or other personal data that are combined so as to identify someone.

Letter b

What is referred to as specific personal data includes:

a. Health data and information, namely records or information of individuals related to their:
1) Physical health;
2) Mental health; and/or
3) Health services;
b. Biometric data are data related to physical, physiological or individual behavior characteristics
that allow unique identification of individuals, such as facial image, or dactyloscopic
data. Biometric data also explain the uniqueness and/or characteristics of a person who must
be maintained and cared for, including but not limited to:
1) fingerprint record;
2) eye retina; and
3) DNA sample.
c. Genetic data that include all data, in any form, on characteristics of an individual that is
inherited or obtained during initial prenatal development;
d. Sexual life/orientation;
e. Political view;
f. Criminal record;
g. Child data;
h. Personal financial data, including but not limited to data on the amount of deposits in the
bank including:
1) savings;
2) deposit; and
3) credit card data;
i. other data in accordance with statutory provisions

that when they are combined will make it possible to identify someone specifically.

Paragraph (2)

What is referred to as general personal data is defined as, among others, data on full name, gender,
nationality, or religion, or Personal Data which must be combined so that it is possible to identify
someone specifically.

Paragraph (3)

Self-explanatory.

Paragraph (4)

"In certain cases" means specific personal data in the form of biometric data and genetic data that
pose a high risk to the rights and freedom of Personal Data Owner.

Article 7

Self-explanatory.

Article 8

Self-explanatory.

Article 9

Self-explanatory.

Article 10

Self-explanatory.

Article 11

Self-explanatory.

Article 12

Self-explanatory.

Article 13

What is referred to as profiling is any form of Personal Data processing that automatically uses
Personal Data to evaluate aspects of work history, economic conditions, health, personal preferences,
interests, reliability, behavior, location or movement of Personal Data Owner electronically.

Article 14

"Pseudonym mechanism" means the processing of Personal Data in such a way that Personal Data
cannot be linked to the Owner of certain Personal Data without using additional information provided
to ensure that Personal Data cannot be linked to Personal Data Owner identified or identifiable.

Article 15

Self-explanatory.

Article 16

Self-explanatory.

Article 17

Self-explanatory.

Article 18

"Application in writing" is a registered application submitted both electronically and
non-electronically.

Article 19

Paragraph (1)

Self-explanatory.

Paragraph (2)

Self-explanatory.

Paragraph (3)

What is referred to as "provision in legislation" is the provision of sectoral legislation in accordance
with the characteristics of each agency.

Article 20

Letter a

What is referred to as agreement is an agreement submitted explicitly, may not be hidden or on the
basis of oversight/negligence.

Letter b

Self-explanatory.

Letter c

Self-explanatory.

Letter d

What is referred to as legitimate interest (vital interest) is the need/necessity to protect very
important matters about one's existence.

Letter e

Self-explanatory.

Article 21

Self-explanatory.

Article 22

Paragraph (1)

Self-explanatory.

Paragraph (2)

Letter a

Self-explanatory.

Letter b

Self-explanatory.

Letter c

Self-explanatory.

Letter d

Self-explanatory.

Letter e

What is referred to as published is actively distributing personal data and/or making it available for
public access.

Letter f

Self-explanatory.

Article 23

Paragraph (1)

What is referred to as "visual data processing/processor equipment" is a video camera device used to
record or observe every person in a particular space or place including CCTV and/or all surveillance
and monitoring devices that will continue to develop according to technological developments
that maintain accountability and accuracy.

Paragraph (2)

What is referred to as "operator" is a Personal Data Processor in charge of maintaining, serving, and
running visual data processing/processor tools.

Paragraph (3)

Self-explanatory.

Paragraph (4)

The definition of "Personal Data information" covers confidentiality, integrity, availability,
authenticity, and non-repudiation.

Paragraph (5)

Self-explanatory.

Article 24

Letter a

Self-explanatory

Letter b

Self-explanatory.

Letter c

Self-explanatory

Letter d

What is referred to as "organization/institution" includes social organizations.

Article 25

Paragraph (1)

Agreements can be submitted in electronic or non-electronic forms.

Paragraph (2)

Letter a

Self-explanatory.

Letter b

Self-explanatory.

Letter c

Self-explanatory.

Letter d

Self-explanatory.

Letter e

Self-explanatory.

Letter f

The time period for Personal Data processing is applicable as long as there is a legitimate legal
interest.

Letter g

Self-explanatory.

Paragraph (3)

Letter a

What is referred to as "life-threatening situation" includes rescuing Personal Data Owner from the
threat of crime identified by law enforcers as targeting the Personal Data Owner concerned.

Letter b

Self-explanatory.

Letter c

Self-explanatory.

Letter d

Self-explanatory.

Letter e

Self-explanatory.

Letter f

Self-explanatory.

Letter g

Self-explanatory.

Letter h

Self-explanatory.

Paragraph (4)

Self-explanatory.

Article 26

The obligation to show the consent given by Personal Data Owner is carried out to fulfil the legal
requirements for personal data processing.

Article 27

Paragraph (1)

Withdrawal of consent for Personal Data Processing includes, among others, reasons for withdrawal
and evidence.

Paragraph (2)

Self-explanatory.

Article 28

Paragraph (1)

Delays in Personal Data Processing are carried out based on the request of Personal Data Owner
which includes, among others, reasons for processing delays and accompanied by evidence.

Paragraph (2)

Self-explanatory.

Article 29

Self-explanatory.

Article 30

Self-explanatory.

Article 31

Self-explanatory.

Article 32

Self-explanatory.

Article 33

Self-explanatory.

Article 34

Self-explanatory.

Article 35

Self-explanatory.

Article 36

Self-explanatory.

Article 37

Self-explanatory.

Article 38

Self-explanatory.

Article 39

Self-explanatory.

Article 40

Self-explanatory.

Article 41

Paragraph (1)

What is referred to as "destruction of Personal Data" is destruction carried out until Personal Data
can no longer identify a person.

Paragraph (2)

Self-explanatory.

Article 42

Paragraph (1)

Self-explanatory.

Paragraph (2)

Self-explanatory.

Paragraph (3)

Self-explanatory.

Paragraph (4)

What is referred to as "in certain cases", among others, includes when the failure to protect Personal
Data interferes with public service and/or has a serious impact on the interests of the society.

Article 43

Self-explanatory.

Article 44

Paragraph (1)

Self-explanatory.

Paragraph (2)

Self-explanatory.

Paragraph (3)

Self-explanatory.

Paragraph (4)

When the Personal Data Processor acts outside the objectives specified/ordered by the Personal Data
Controller, then the Personal Data Processor has changed into Personal Data Controller for other
purposes so that it becomes the responsibility of the party concerned.

Article 45

Self-explanatory.

Article 46

Paragraph (1)

"Officials/officers who carry out Personal data protection functions" is defined as officials/officers
responsible for ensuring compliance with the principles of Personal Data and mitigating the risk of
Personal Data protection violation.

Paragraph (2)

Self-explanatory.

Paragraph (3)

Self-explanatory.

Paragraph (4)

Self-explanatory.

Article 47

Self-explanatory.

Article 48

Self-explanatory.

Article 49

Paragraph (1)

"Personal Data Transfer" means the transfer, diversion, transmission, and/or duplication of personal
data both manually and electronically from the Personal Data Controller to another party.

Approval to transfer Personal Data is stated on a separate form from the terms and conditions for
using Personal Data.

Paragraph (2)

Self-explanatory.

Article 50

Written approval can be submitted in electronic or non-electronic form.

Article 51

Letter a

Self-explanatory.

Letter b

Self-explanatory.

Letter c

The development of the regulation of personal data transfer to other countries requires that each
country has equal protection with its national provisions and adopts an approach that is applied in
many countries but its implementation cannot be applied strictly so that it will still require an
international bilateral agreement.

Article 52

Self-explanatory.

Article 53

Self-explanatory.

Article 54

Self-explanatory.

Article 55

Paragraph (1)

What is referred to as "to different places" includes changing the direction and/or range of
visualization of visual data processing/processor equipment.

Paragraph (2)

Self-explanatory.

Article 56

Self-explanatory.

Article 57

Self-explanatory.

Article 58

What is referred to as "commercial purpose" is the processing of Personal Data for profit.

Article 59

Self-explanatory.

Article 60

Self-explanatory.

Article 61

Self-explanatory.

Article 62

Paragraph (1)

Letter a

Self-explanatory.

Letter b

Self-explanatory.

Letter c

What is referred to as "economic or financial interests" includes fiscal and monetary, financial
stability, budget, and taxation system.

Letter d

Self-explanatory.

Letter e

Aggregate Data is a set of data related to a person who cannot and/or is not intended to identify
someone directly or indirectly.

Paragraph (2)

Self-explanatory.

Article 63

Self-explanatory.

Article 64

Paragraph (1)

Self-explanatory.

Paragraph (2)

The principle of reciprocity in this provision includes the extradition agreement or mutual assistance
on criminal matters.

Article 65

What is referred to as "guarantee the implementation of Personal Data Protection" includes, among
others, stipulation and implementation of policies, promotion and education, advocacy, and
supervision.

Article 66

Self-explanatory.

Article 67

Self-explanatory.

Article 68

Self-explanatory.

Article 69

Self-explanatory.

Article 70

Self-explanatory.

Article 71

Self-explanatory.

Article 72

Self-explanatory.

Article 73

Self-explanatory.

Article 74

Self-explanatory.

Article 75

Self-explanatory.

Article 76

Self-explanatory.

Article 77

Self-explanatory.

Article 78

Self-explanatory.

Article 79

Self-explanatory.

Article 80

Self-explanatory.

SUPPLEMENT TO THE STATE GAZETTE OF THE REPUBLIC OF INDONESIA NUMBER ...
