ON
Considering: a. that the protection of personal data as one of the human rights which is part of
personal self-protection requires a strong legal basis to provide personal data
security based on the 1945 Constitution of the Republic of Indonesia;
b. that the protection of personal data is intended to guarantee the rights of citizens to
personal protection and foster public awareness and guarantee recognition and
respect for the importance of personal data protection;
c. that the regulation of personal data is currently contained in a number of laws and
regulations so as to increase the effectiveness of the protection of personal data,
regulations in the form of a law is needed regarding the protection of personal data;
Referring to: Article 5 paragraph (1), Article 20, Article 28 G paragraph (1), Article 28 H paragraph (4)
and Article 28 J of the 1945 Constitution of the Republic of Indonesia;
and
HAS DECIDED TO
GENERAL PROVISIONS
Article 1
1. Personal Data is any data about a person whether identified and/or can be identified
separately or in combination with other information, directly or indirectly, through electronic
and/or non-electronic system.
2. Information is information, statements, ideas, and signs that contain values, meanings, and
messages, both data, facts, and explanations that can be seen, heard, and read that are
presented in various packages and formats in accordance with the development of
information and communication technology, electronically or non-electronically.
3. Personal Data Controller is the party that determines the purpose and controls Personal Data
processing.
4. Personal Data Processor is the party who processes Personal Data on behalf of Data Controller.
5. Third Party is any Person, Public Agency and other entity other than Personal Data Owner,
Personal Data Controller, Personal Data Processor, and other parties under the control of
Personal Data Controllers or Personal Data Processors who obtain authorization from Personal
Data Controller or Personal Data Processor to do Personal Data processing.
6. People are individuals, both Indonesian citizens, foreign nationals, and also corporations.
7. Personal Data Owner is an individual as the subject of data that has legitimate Personal Data.
8. Sector Supervisory and Regulatory Agencies are the Agencies that have the duty to oversee
the implementation of sector duties and issue regulations for the sector.
9. Public agencies are executive, legislative, judicial, and other bodies whose functions and main
tasks are related to the administration of the state, in which a part of or all funds are sourced
from the State Revenue and Expenditure Budget and/or Regional Revenue and Expenditure
Budget, or partially non-governmental organizations. All funds are sourced from the State
Revenue and Expenditure Budget and/or Regional Revenue and Expenditure Budget, society
contribution, and/or external donation from other countries.
10. Corporations are organized collections of people and/or wealth, both legal entities and non-
legal entities.
11. Business Actors are individuals, business entities, established and domiciled or conducting
activities within the jurisdiction of the Republic of Indonesia, both individually and jointly,
through agreements to conduct business activities in various economic fields.
State Secretariat: business actors can enter into corporation
12. Personal Data Violation is a violation of the rights of Personal Data Owner based on this Law.
13. Minister is the minister who organizes government affairs in the field of communication
and informatics.
Article 2
This Law applies to every Person, Public Agency, Business Actor, and organization/institution that
performs legal acts as stipulated in this Law, both those in the regions under Indonesian jurisdiction
or outside Indonesian jurisdiction, which has legal consequences in Indonesian jurisdiction and/or
outside Indonesian jurisdiction and is detrimental to the interests of Indonesia.
CHAPTER II
Article 3
This law is carried out based on the principle of protection, the principle of public interest, the principle
of fairness, and the principle of accountability.
Article 4
To implement the norms as intended in Article 3, Personal Data Protection is carried out based on the
following:
a. Personal Data Collection is carried out in a limited and specific manner, data obtained by
using legal and fair methods, and is known and approved by the person concerned;
b. Personal Data Processing is carried out based on the agreement of Personal Data Owner;
c. Personal data processing is done accurately, completely, in a non-misleading and up-to-date
manner with due regard to the purpose of Personal Data processing;
d. Personal data processing is carried out in accordance with the purpose of its use;
e. Personal Data Processing is performed by protecting the security of Personal Data from loss,
misuse, access, and illegal disclosure, as well as change or destruction of Personal Data;
f. Personal Data Processing has a retention period according to needs based on the provision
in legislation;
Article 5
a. protect and guarantee the basic rights of citizens related to personal protection;
b. guarantee the community to get services from the government, business people, and
other organizations/institutions;
c. encourage the growth of digital economy and information and communication technology
industries; and
d. support domestic industrial competitiveness improvement.
CHAPTER III
Article 6
CHAPTER IV
Article 7
Personal Data Owner has the right to request Information about identity clarity, basic legal interests,
the purpose of requesting and using Personal Data, and the accountability of parties requesting
Personal Data.
Article 8
The Personal Data Owner has the right to complete his/her Personal Data before being processed by
the Personal Data Controller.
Article 9
Personal Data Owner has the right to access and obtain a copy of his/her Personal Data to the Personal
Data Controller.
Article 10
Personal Data Owner has the right to update his/her Personal Data to the Personal Data Controller.
Article 11
Personal Data Owner has the right to terminate the processing, deletion, and/or destroy his/her
Personal Data to the Personal Data Controller.
Article 12
Personal Data Owner has the right to withdraw the agreement to process his/her Personal Data that
has been given to the Personal Data Controller.
Article 13
Personal Data Owner has the right to object to the surveillance and/or automatic profiling actions
to the Personal Data Controller.
Article 14
Personal Data Owner has the right to choose or not to choose Personal Data processing through a
pseudonym mechanism for certain purposes.
Article 15
Personal Data Owner has the right to delay or limit the processing of Personal Data in proportion to
the purpose of Personal Data processing concerned.
Article 16
Personal Data Owner is entitled to sue and receive compensation for Personal Data Violation.
Article 17
(1) Personal Data Owners have the right to obtain their Personal Data in a form that is in accordance
with the structure and/or storage format commonly used or can be read by machines or
hardware used in interoperability between Electronic Systems.
(2) Personal Data Owner has the right to send and use Personal Data from one Personal Data
Controller to another Personal Data Controller, as long as the system can communicate with
each other safely in accordance with Personal Data Protection principles.
Article 18
The implementation of the rights of Personal Data Owner as referred to in Article 9, Article 10,
Article 11, Article 12, Article 13, and Article 15 shall be submitted through a written application to
the Personal Data Controller.
CHAPTER V
First Part
General
Article 19
Article 20
Personal data processing as referred to in Article 19 must be carried out by fulfilling the following
provisions:
a. there is a legitimate agreement between Personal Data Owner for one or several specific
purposes that have been submitted to the Personal Data Owner;
b. it is required to fulfill the agreement obligations in the event that the Personal Data Owner is
one of the parties or to fulfill the request of Personal Data Owner when agreement is going to
be entered;
c. it is required to comply with legal obligations of the Personal Data Controller in accordance
with the provision in legislation;
d. it is necessary to protect the vital interest of each Person or Personal Data Owner; and/or
e. it is needed in the framework to implement the official authority granted to the Personal Data
Controller or fulfillment of public service obligations for the benefit of general interests.
Part Three
Terms of Consent
Article 21
(1) Consent for providing Personal Data is gained through written or oral recorded consent.
(2) Written consent as referred to in paragraph (1) can be submitted electronically or
non-electronically.
(3) Electronic consent has the same legal force as the non-electronic consent.
(4) In the event that Personal Data consent is given in writing as referred to in paragraph (1) which
contains other objectives, the request for consent must comply with these conditions:
a. can be clearly distinguished from other issues;
b. created in a format that could be understood and accessed easily; and
c. use clear simple language.
(5) Consent that does not fulfill the provisions referred to in paragraph (1) to paragraph (4) is
declared not binding for Personal Data Owner.
(6) Each clause in the Personal Data request contract that does not contain explicit consent from the
Personal Data Owner which does not meet the Personal Data Protection principle is declared
legally null and void.
Part Four
Article 22
(1) In processing personal data, personal data controllers and/or personal data processors must
maintain the confidentiality of specific personal data as referred to in Article 6 paragraph (1).
(2) Provision as referred to in paragraph (1) is exempted in a situation where:
a. Personal Data Owner has given his/her consent as referred to in Article 21;
b. It is required for the purpose of carrying out certain obligations and rights of the Personal Data
Controller or of Personal Data Owner in the fields of employment, social security, and/or social
welfare which protects the basic rights and interests of the Personal Data Owner;
c. It is necessary to protect the interests of the Personal Data Owner who is incompetent both
physically and legally;
d. It is performed in the legal activities of an association that are in accordance with the code of conduct
provided that Personal Data are not disseminated outside the scope of the association;
e. Personal Data have been published by Personal Data Owner; and/or
f. It is necessary for the interest of justice process in accordance with the provision in legislation.
Part Five
Article 23
(1) Visual data processing/processor equipment can be installed in public places and/or at public
service facilities for the purposes of:
a. crime prevention, initial investigation, and investigation;
b. security;
c. disaster prevention; and/or
d. traffic management or traffic information collection, analysis, and regulation.
(2) Visual data processing/processor equipment operators must display information about the
existence of visual data processing/processor equipment and/or notification that visual data
processing/processor equipment is installed as referred to in paragraph (1).
(3) Information and/or notification as referred to in paragraph (2) is exempted in terms of law
enforcement in accordance with regulatory provision of legislation.
(4) Visual data processing/processor equipment operators are required to ensure information
security against Personal Data.
(5) Visual data processing/processor equipment operator can use the voice recorder function on
the visual data processing device or processor for the purposes referred to in paragraph (1).
CHAPTER VI
OBLIGATIONS OF PERSONAL DATA CONTROLLER, PERSONAL DATA PROCESSOR, AND THIRD PARTY
PROCESSORS IN PERSONAL DATA PROCESSING
Part One
General
Article 24
a. Person;
b. Public Body;
c. Business actor; and
d. organization/institution.
Part Two
Article 25
(1) Personal Data Controller in performing general and specific personal data processing must obtain
consent from Personal Data Owner as referred to in Article 21 paragraph (1).
(2) To obtain the consent as referred to in paragraph (1), the Personal Data Controller must submit
Information about:
a. legality of Personal Data processing;
b. objective of Personal Data processing;
c. relevance of the type of Personal Data that will be processed;
d. retention period of document that contains Personal Data;
e. details regarding Information collected;
f. time period for Personal Data processing and destruction by Personal Data Controller;
and
g. Rights of Personal Data Owner to change and/or withdraw consent that has been given.
(3) The consent as referred to in paragraph (1) is exempted in situations where:
a. it is necessary to protect Personal Data Owner from life-threatening situations;
b. it is necessary to achieve the goal of fulfilling every right and obligation in accordance with
regulatory provision in legislation;
c. It is necessary to provide health services performed by medical personnel, health care
workers, and other personnel, and people who are bound by the obligation to maintain
patients’ confidentiality;
d. It is necessary for judicial process in accordance with the regulatory provision in legislation;
e. It is necessary for the implementation of the functions of various parties that have authority
in accordance with regulatory provision in legislation;
f. Specific Personal Data has been in the public domain because of actions taken by the Personal
Data Owner;
g. There are provisions in legislation that require the processing of Personal Data; and/or
h. It is required to implement an agreement with Personal Data Owner.
(4) In the event that there is a change in the processing of Personal Data Information as referred to
in paragraph (2), the Personal Data Controller must notify the Personal Data Owner no later than
7 (seven) days after the change in information occurs.
Article 26
Personal Data Controller must display the consent given by Personal Data Owner as referred to in
Article 20 letter a.
Article 27
(1) Personal Data Controllers must stop processing Personal Data in the event that Personal Data
Owner withdraws the consent for Personal Data processing.
(2) Personal Data Controller must stop the processing of Personal Data as referred to in paragraph
(1) no later than 3 (three) days from the date the withdrawal of consent for Personal Data
processing is accepted.
Article 28
(1) Personal Data Controllers must postpone the processing of Personal Data in part or in whole when it
is requested by the Personal Data Owner.
(1) Delay in processing of Personal Data as referred to in paragraph is exempted where:
a. There are applicable legislations that do not allow delays to be made by Personal Data
Controllers;
b. Delay may endanger the safety of others; and/or
c. Personal Data Owner is bound by a written agreement that does not allow delays in
Personal Data processing.
Article 29
Personal Data Controller must protect and ensure the security of the Personal Data it processes, by:
a. preparing and applying operational technical steps to protect Personal Data from Personal
Data processing disruption that is contrary to the provision in legislation; and
b. determining the level of security of Personal Data by taking into account the nature and
risks of Personal Data that must be protected in Personal Data processing.
Article 30
Personal Data Controller must supervise each party as referred to in Article 24 that are involved in
Personal Data processing under the instruction of the Personal Data Controller.
Article 31
Personal Data Controller must ensure the protection of Personal Data from illegal Personal Data
processing.
Article 32
(1) Personal Data Controller must prevent Personal Data from being accessed illegally.
(2) Prevention as referred to in paragraph (1) is carried out with a security system applied on
Personal Data that it manages and/or by managing Personal Data using a reliable and safe
electronic system and being responsible in accordance with the provision in legislation.
Article 33
Each Personal Data Controller and Personal Data Processor must record all activities in Personal Data
processing.
Article 34
(1) Personal Data Controllers are required to provide access to the processed Personal Data to
the Personal Data Owner, along with the track record of the processing of Personal Data.
(2) The granting of access to Personal Data Owner as referred to in paragraph (1) is carried
out from the date of receipt of the application for access in accordance with the period of
Personal Data retention.
Article 35
Personal data controllers must refuse to give access to changes in Personal Data to Personal Data
Owner if:
a. it endangers the physical security or health or mental health of individuals other than the
Personal Data Owner;
b. it leads to a disclosure of Personal Data belonging to another person; and/or
c. it is contradictory with national defense and security interests.
Article 36
(1) Personal Data Controllers must correct errors and/or inaccuracies in Personal Data immediately
after receiving a request for Personal Data correction from Personal Data Owner.
(2) Personal Data Controller must notify the Personal Data Owner of the results of changes and/or
repair of the Personal Data.
Article 37
(1) Personal Data Controllers must guarantee the accuracy, completeness and consistency of
Personal Data in accordance with the provision in legislation.
(2) In guaranteeing the accuracy, completeness, and consistency of Personal Data as referred to in
paragraph (1) Personal Data Controllers must perform verification.
Article 38
Personal Data Controllers must process Personal Data in accordance with the purpose of processing
Personal Data as approved by the Personal Data Owner.
Article 39
(1) Personal Data Controllers must terminate Personal Data processing if:
a. retention time has been reached;
b. the purpose of Personal Data processing has been achieved; or
c. there is a request from the Personal Data Owner.
(2) The termination of Personal Data processing as referred to in paragraph (1) is carried out in
accordance with the provision in legislation.
Article 40
(1) Personal Data Controller must delete the Personal Data when:
a. The personal data is no longer needed for the achievement of Personal Data processing goals;
b. Personal Data Owner has withdrawn his/her consent for Personal Data processing through a
written application to the Personal Data Controller; and/or
c. Personal data is obtained and/or processed in a way that is against the law.
(2) Deletion of Personal Data as referred to in paragraph (1) is carried out by Personal Data Controller
in accordance with the provision in legislation.
(3) Personal Data that have been deleted as referred to in paragraph (1) can be recovered/re-
displayed in its entirety in the event where there is a written request from the Personal Data
Owner.
(4) Application as referred to in paragraph (3) may be submitted in the event that it has not passed
the retention period in accordance with the provision in legislation.
Article 41
Article 42
(1) In the event where a failure to protect Personal Data occurs, the Personal Data Controller must
submit a written notice no later than 72 (seventy-two) hours to:
a. Personal Data Owner; and
b. Minister or Sector Supervisory and Regulatory Agency in accordance with regulatory
provisions in legislation;
(2) In the event that the Sector Supervisory and Regulatory Agencies receive the notification as
referred to in paragraph (1), the Sector Supervisory and Regulatory Agency coordinates with the
Minister.
(3) Written notification as referred to in paragraph (1) includes:
a. Personal data disclosed;
b. when and how Personal Data is disclosed; and
c. efforts to handle and recover the disclosed Personal Data by the Personal Data
Controller.
(4) In certain cases, the Personal Data Controller must notify the public of the failure of Personal
Data Protection as referred to in paragraph (1).
Part Three
Article 43
In the event that the Personal Data Processor is appointed by the Personal Data Controller, all
provisions of the Personal Data Processing apply mutatis mutandis to the Personal Data Processor.
Article 44
(1) Personal Data Controller carries out and is responsible for all Personal Data processing.
(2) The Personal Data Controller can designate a Personal Data Processor to do part or all of the
Personal Data Processing.
(3) In the case where the Personal Data Processor processes the Personal Data for the benefit of
the Personal Data Controller, it becomes the full responsibility of the Personal Data Controller.
(4) In the case where the Personal Data Processor as referred to in paragraph (3) processes Personal
Data other than for the purpose specified by the Personal Data Controller, it is entirely the
responsibility of the Personal Data Processor concerned.
Part Four
Article 45
Third party must process Personal Data for the purpose of Personal Data Processing that has been
approved by Personal Data Owner.
Part Five
Article 46
(1) In certain cases, Personal Data Controller and Personal Data Processor must appoint an
official/officer to carry out the Personal Data protection function.
(2) Certain cases as referred to in paragraph (1) include:
a. processing carried out by Personal Data Controller and/or Personal Data Processor
performing public services;
b. core activities of the Personal Data Controller have the nature, scope, and/or purpose that
require regular and systematic monitoring of Personal Data on a big scale;
c. core activities of the Personal Data Controller consist of large-scale processing of specific
Personal Data and/or Personal Data that are related with violation and criminal actions.
(3) Official/officer carrying out the Personal Data protection function as referred to in paragraph
(1) must be appointed based on professional quality, knowledge of the law and Personal Data
protection practice, and the ability to fulfill his/her duties.
(4) Personal Data Protection Officer as referred to in paragraph (1) may come from within and/or
outside the Personal Data Controller or Personal Data Processor.
Article 47
(1) Officials/officers who carry out Personal Data protection functions have at least the following
duties:
a. inform and provide advice for Personal Data Controller or Personal Data Processor and
employees who carry out processing to comply with the provisions of this law;
b. monitor and ensure compliance with this Law and Personal Data Controller or Personal
Data Processor policies regarding the protection of personal data, including assignments,
responsibilities, raising awareness, and training of staff involved in the processing of
Personal Data, and related auditing;
c. provide advice on assessing the impact of personal data protection and monitor the
performance of Personal Data Controller and Personal Data Processor;
d. coordinate with Sector Supervisory and Regulatory Agency;
e. act as a contact with the Sector Supervisory and Regulatory Agency for issues related to
the processing of Personal Data, including conducting prior consultation on risk mitigation
and/or other matters.
(2) In carrying out the duties as referred to in paragraph (1), officials/officers carrying out the
Personal Data protection function must pay attention to operational risks related to the
processing of Personal Data, taking into account the nature, scope, context and purpose of
processing.
(3) Further provisions regarding officials/officers carrying out the Personal Data protection function
are regulated in Ministerial Regulations.
Part Six
Administrative Sanctions
Article 48
(1) Violations of the provisions of Article 25 paragraph (1), paragraph (2), and paragraph (4), Article
27, Article 28 paragraph (1), Article 29, Article 30, Article 31, Article 32 paragraph (1),
Article 33, Article 34, Article 35, Article 36, Article 37, Article 38, Article 39, Article 42 paragraph
(1) and paragraph (4), Article 43, Article 46 paragraph (1), are subjected to administrative
sanctions.
(2) Administrative sanctions as referred to in paragraph (1) take the form of:
a. temporary activity termination;
b. deletion or destruction of Personal Data;
c. compensation; and/or
d. administrative fine.
(3) Administrative sanctions are given by each of the heads of the Supervisory and Regulatory
Agency in accordance with the provision in legislation.
CHAPTER VII
Part One
Personal Data Transfer to a Third Party in the Territory of the Unitary State of the Republic of
Indonesia
Article 49
(1) Personal Data Controller or Personal Data Processor can transfer Personal Data to a Third Party
within the territory of the Unitary State of the Republic of Indonesia.
(2) Personal Data Controller or Personal Data Processor who transfers and the third party who
receives transfer of Personal Data as referred to in paragraph (1) must protect Personal Data as
referred to in this law.
Part Two
Transfer of Personal Data to Outside of the Unitary State of the Republic of Indonesia
Article 50
The Personal Data Controller must request and obtain prior written approval from the Personal Data
Owner to transfer the Personal Data that it processes to a third party outside the jurisdiction of the
Unitary State of the Republic of Indonesia.
Article 51
Personal data as referred to in Article 50 may be transferred outside the jurisdiction of the Unitary
State of the Republic of Indonesia provided that:
a. The country or international organization has a personal data protection level that is equal
to or higher than this law;
b. there is a contract between the Personal Data Controller and a third party outside the
territory of the Unitary State of the Republic of Indonesia by taking into account the
protection aspects of Personal Data; and/or
c. there is an international agreement between countries.
Part Three
Article 52
(1) Personal Data Controller that takes the form of a legal entity that engages in merging,
separating, taking over, or consolidating a Legal Entity must submit notification of transferring
Personal Data to Personal Data Owner.
(2) The party sending and receiving the transfer of Personal Data as referred to in paragraph (1)
must protect the Personal Data as referred to in this law.
CHAPTER VIII
Article 53
Personal Data Controller, Personal Data Processor, and/or Third Party are prohibited from illegally
disclosing specific Personal Data to other parties.
Article 54
Every Person is prohibited from illegally installing and/or operating visual data processing or processor
equipment in public facilities or public service facilities that can threaten or violate Personal Data
Protection.
Article 55
(1) Every person is prohibited from illegally moving visual data processing or processor
equipment installed in public facilities or public service facilities that are used for:
a. crime prevention, initial investigation, and investigation;
b. security;
c. disaster prevention; and/or
d. traffic management or collection, analysis, and regulation of traffic information,
to a different place.
(2) Every person is prohibited from using the voice recorder function on visual data processing or
processor equipment installed in public facilities and/or public service facilities other than for
the purposes referred to in paragraph (1).
Article 56
Third parties are prohibited from Personal Data Processing other than for the purpose of Personal
Data Processing that has been approved by Personal Data Owner.
Article 57
Personal Data Controller is prohibited from transferring Personal Data outside the jurisdiction of the
Unitary State of the Republic of Indonesia without the approval of Personal Data Owner and from
violating the following provisions:
a. the country or international organization has personal data protection level that is equivalent or
higher than this law;
b. there is a contract between the Personal Data Controller and a third party outside the territory
of the Unitary State of the Republic of Indonesia by taking into account the protection aspects of
Personal Data; and/or
c. there is an international agreement between countries.
Article 58
Personal Data Controllers and Personal Data Processors are prohibited from Personal Data Processing
for commercial purposes and/or profiling except with the approval of Personal Data Owner.
Article 59
Every person is prohibited from disclosing or using Personal Data that is not his/her property without
the consent of Personal Data Owner.
Article 60
(1) Every person is prohibited from falsifying personal data with the intention of benefiting
themselves or which can cause harm to other people.
(2) Every person is prohibited from selling or buying personal data that is not his/hers.
CHAPTER IX
Article 61
(1) Business Actors Association can develop a Personal Data Controller Conduct Guideline.
(2) In developing the Personal Data Controller Conduct Guideline as referred to in paragraph (1),
the Business Actor Association must consider:
a. Personal Data processing purpose;
b. principles of Personal Data Processing; and
c. input from Personal Data Owners or their representative Associations.
(3) The Personal Data Controller Conduct Guideline must have the same level of protection as
stipulated in this law or higher.
(4) The Personal Data Controller Conduct Guideline may not conflict with this Law.
CHAPTER X
Article 62
(1) The rights of Personal Data Owner and Principles of Protection of Personal Data are exempted
when:
a. It is necessary for the sake of national defense and security;
b. It is necessary for the interest of Judicial Process according to the provisions in
legislation;
c. It is necessary for the purposes of state administration and public interests, especially
economic or finance interests;
d. It is necessary for enforcing professional code of ethics;
e. It is necessary for aggregate data in which the processing is done for statistical and
scientific research interests.
(2) The exceptions as referred to in paragraph (1) shall be carried out only in the context of
implementing the provisions of the law and/or ratified international agreements.
CHAPTER XI
DISPUTE SETTLEMENT
Article 63
CHAPTER XII
INTERNATIONAL COLLABORATION
Article 64
(1) International collaboration is carried out by the Government with the government of other
countries or international organizations related to the protection of Personal Data.
(2) International collaboration as referred to in paragraph (1) shall be carried out in the form of
formal cooperation or based on the principle of reciprocity.
CHAPTER XIII
Article 65
The Government guarantees the implementation of Personal Data Protection under this Law.
Article 66
The Attorney General's Office as a state lawyer on the basis of safeguarding the public interest and/or
safeguarding national interests can make a lawsuit or claim for violation of personal data whether
done domestically or abroad.
Article 67
(1) The public can participate, both directly and indirectly, in raising awareness of the importance of
protecting personal data in accordance with the provisions of this law.
(2) Implementation of community participation in raising awareness of the importance of Personal
Data Protection as referred to in paragraph (3) can be done through education, training,
advocacy, technical guidance, and/or socialization.
CHAPTER XIV
CRIMINAL PROVISIONS
Article 68
Personal Data Controllers, Personal Data Processors, and/or Third Parties who intentionally and
unlawfully disclose Specific Personal Data to other parties as referred to in Article 53, shall be punished
with a fine of a maximum of Rp. 5,000,000,000 (five billion rupiahs).
Article 69
Any person who intentionally and unlawfully installs and/or operates visual data processing or
processor equipment in public facilities or public service facilities that can threaten or violate Personal
Data Protection as referred to in Article 54, shall be punished with a maximum fine of
Rp. 500,000,000 (five hundred million rupiah).
Article 70
(1) Any person who intentionally and unlawfully moves a visual data processing or processor
equipment installed in a public facility or public service facility that is used for the purposes
referred to in Article 55 paragraph (1) to a different place shall be punished with a maximum fine
of Rp. 500,000,000 (five hundred million rupiah).
(2) Any person who intentionally and unlawfully uses a voice recorder function on a visual data
processing or processor equipment installed in a public facility or public service facility as referred
to in Article 55 paragraph (2) shall be punished with a maximum fine of Rp. 500,000,000 (five
hundred million rupiah).
Article 71
Third Parties who illegally process Personal Data other than for purposes that have been approved by
Personal Data Owner as referred to in Article 56 shall be punished with a fine of a maximum
of Rp. 500,000,000 (five hundred million rupiah).
Article 72
Personal Data Controller who intentionally transfers Personal Data outside the jurisdiction of the
Republic of Indonesia without the approval of Personal Data Owner and violates the following
provisions:
a. the country or international organization has personal data protection level that is
equivalent to or higher than that of this Law;
b. there is a contract between the Personal Data Controller and a third party outside the
territory of the Unitary State of the Republic of Indonesia by taking into account the
protection aspects of Personal Data; and/or
c. there is an international agreement between countries.
as referred to in Article 57, shall be liable to a fine of a maximum of Rp 50,000,000,000 (fifty billion
rupiah).
Article 73
Personal Data Controller and Personal Data Processor that intentionally processes Personal Data for
commercial purposes and/or profiling without the approval of Personal Data Owner as referred to in
Article 58 shall be punished with a maximum fine of Rp. 100,000,000,000.- (one hundred billion
rupiah).
Article 74
Any person who intentionally discloses or uses Personal Data that is not his/her property without
the approval of Personal Data Owner as referred to in Article 59 shall be punished with a fine of a
maximum of Rp.10,000,000,000.- (ten billion rupiahs).
Article 75
(1) Any person who falsifies personal data with the intention to benefit themselves or that can cause
harm to others as referred to in Article 60 paragraph (1) shall be punished with a fine of a
maximum of Rp. 3,000,000,000.00 (three billion rupiah).
(2) Any person who sells or buys personal data that is not his/her property as referred to in Article
60 paragraph (2) shall be sentenced with a fine of 4% (four percent) of the total revenue earned
from Personal Data transaction or a maximum of Rp 5,000,000,000.00 (five billion rupiah).
Article 76
In addition to being sentenced according to the basic punishments, the defendant can also be
sentenced to additional penalties in the form of deprivation of income and/or assets obtained or the
proceeds of crime as referred to in Article 68 through Article 75.
Article 77
In the case that the crime as referred to in Article 68 to Article 75 is carried out by a corporation,
a maximum fine of 3 (three) times higher than the penalty imposed on individuals will be applied.
CHAPTER XV
TRANSITIONAL PROVISIONS
Article 78
When this Law comes into force, parties that have processed personal data must comply with the
provisions of Personal Data Protection under this Law no later than 2 (two) years from the
promulgation of this Law.
CHAPTER XVI
CLOSING PROVISION
Article 79
When this Law comes into force, all provisions in legislation governing the Protection of Personal Data
are stated to remain valid insofar as they do not conflict with the provisions of this Law and are not
specifically regulated in this Law.
Article 80
In order to make everyone cognizant, order the enactment of this Law by placing it in the State Gazette
of the Republic of Indonesia.
JOKO WIDODO
YASONNA H LAOLY
I. GENERAL
The rapid development of information and communication technology has created various
opportunities and challenges. Information technology allows humans to connect to each other across
country boundaries, so that it has become one of the factors driving globalization. Various life sectors
have utilized information technology systems, such as the implementation of electronic commerce
(e-commerce) in the field of trade/business sector, electronic education (e-education) in the field of
education, electronic health (e-health) in the field of health, electronic government (e-government)
in the field of government, as well as information technology that is utilized in other fields. The use of
information technology results in easy collection and transfer of personal data from one party to
another without the knowledge of the Personal Data Owner, thus threatening the right to one's
privacy.
Protection of Personal Data is included in the protection of human rights; hence, regulation concerning
the right to privacy of personal data is a manifestation of the recognition and protection of basic
human rights. The existence of a Law on Personal Data Protection is a necessity that cannot be delayed
anymore because it is very urgent for various national interests. Indonesian international association
also demands protection of Personal Data. This protection can facilitate transnational trade, industry,
and investment.
The Bill on Personal Data protection is mandated by Article 28G paragraph (1) of the 1945 Constitution
of the Republic of Indonesia, stating: "everyone has the right to the protection of self, family, honor,
dignity, and property under his control, and has the right to security and protection from the threat
of fear of doing or not doing something that is seen as human rights". The issue of protection against
personal data arises because of concerns about violations of privacy that can be experienced by people
and/or legal entities. Violations of privacy can cause losses that are not only material in nature but also
immaterial loss that takes the form of defamation of a person or institution.
The formulation of rules regarding privacy of Personal Data can be understood because of the need
to protect individual rights in the community in connection with the processing and Personal Data
Processing, both electronically or manually, using data processing devices. Adequate protection of
privacy regarding personal data will be able to build public trust to provide Personal Data for various
interests of the greater community without being misused or without violating the person’s personal
rights. Thus, this arrangement will create a balance between the rights of individuals and the people
represented by the interests of the state. Arrangements regarding the privacy of this Personal Data
will contribute greatly to the creation of order and progress in information society.
To reduce the overlap in the provisions on Personal Data Protection, the provisions in this Law are
basically general data protection standards, both for data that are partially or wholly processed by
electronic and manual methods, where each sector can implement Personal Data Protection according
to the characteristics of the sector concerned, including the provisions of Personal Data that have
been regulated in the professional provisions.
Article 1
Self-explanatory.
Article 2
Self-explanatory.
Article 3
Self-explanatory.
Article 4
Self-explanatory.
Article 5
Self-explanatory.
Article 6
Paragraph (1)
What is referred to as Personal Data in this Law is, among others, individual data regulated in the
Population Administration Law.
Letter a
What is referred to as general personal data in this Law, among others, take the form of full name,
gender, nationality, or religion, or other personal data that are combined so as to identify someone.
Letter b
a. Health data and information, namely records or information of individuals related to their:
1) Physical health;
2) Mental health; and/or
3) Health services;
b. Biometric data are data related to physical, physiological or individual behavior characteristics
that allow unique identification of individuals, such as facial image, or dactyloscopic
data. Biometric data also explain the uniqueness and/or characteristics of a person who must
be maintained and cared for, including but not limited to:
1) fingerprint record
2) eye retina; and
3) DNA sample.
c. Genetic data that include all data, in any form, on characteristics of an individual that is
inherited or obtained during initial prenatal development;
d. Sexual life/orientation;
e. Political view;
f. Criminal record;
g. Child data;
h. Personal financial data, including but not limited to data on the amount of deposits in the
bank including:
1) savings;
2) deposit; and
3) credit card data;
i. other data in accordance with statutory provisions
that when they are combined will make it possible to identify someone specifically.
Paragraph (2)
What is referred to as general personal data is defined as, among others, data on full name, gender,
nationality, or religion, or Personal Data which must be combined so that it is possible to identify
someone specifically.
Paragraph (3)
Self-explanatory.
Paragraph (4)
"In certain cases" means specific personal data in the form of biometric data and genetic data that
pose a high risk to the rights and freedom of the Personal Data Owner.
Article 7
Self-explanatory.
Article 8
Self-explanatory.
Article 9
Self-explanatory.
Article 10
Self-explanatory.
Article 11
Self-explanatory.
Article 12
Self-explanatory.
Article 13
What is referred to as profiling is any form of Personal Data processing that automatically uses
Personal Data to evaluate aspects of work history, economic conditions, health, personal preferences,
interests, reliability, behavior, location or movement of Personal Data Owner electronically.
Article 14
"Pseudonym mechanism" means the processing of Personal Data in such a way that Personal Data
cannot be linked to the Owner of certain Personal Data without using additional information provided
to ensure that Personal Data cannot be linked to Personal Data Owner identified or identifiable.
Article 15
Self-explanatory.
Article 16
Self-explanatory.
Article 17
Self-explanatory.
Article 18
Article 19
Paragraph (1)
Self-explanatory.
Paragraph (2)
Self-explanatory.
Paragraph (3)
Article 20
Letter a
What is referred to as agreement is an agreement submitted explicitly; it may not be hidden or given
on the basis of oversight/negligence.
Letter b
Self-explanatory.
Letter c
Self-explanatory.
Letter d
What is referred to as legitimate interest (vital interest) is the need/necessity to protect very
important matters about one's existence.
Letter e
Self-explanatory.
Article 21
Self-explanatory.
Article 22
Paragraph (1)
Self-explanatory.
Paragraph (2)
Letter a
Self-explanatory.
Letter b
Self-explanatory.
Letter c
Self-explanatory.
Letter d
Self-explanatory.
Letter e
What is referred to as published is actively distributing personal data and/or making it available for
public access.
Letter f
Self-explanatory.
Article 23
Paragraph (1)
What is referred to as "visual data processing/processor equipment" is a video camera device used to
record or observe every person in a particular space or place including CCTV and/or all surveillance
and monitoring devices that will continue to develop according to technological developments
that maintain accountability and accuracy.
Paragraph (2)
What is referred to as "operator" is a Personal Data Processor in charge of maintaining, serving, and
running visual data processing/processor tools.
Paragraph (3)
Self-explanatory.
Paragraph (4)
Paragraph (5)
Self-explanatory.
Article 24
Letter a
Self-explanatory.
Letter b
Self-explanatory.
Letter c
Self-explanatory.
Letter d
Article 25
Paragraph (1)
Paragraph (2)
Letter a
Self-explanatory.
Letter b
Self-explanatory.
Letter c
Self-explanatory.
Letter d
Self-explanatory.
Letter e
Self-explanatory.
Letter f
The time period for Personal Data processing is applicable as long as there is a legitimate legal
interest.
Letter g
Self-explanatory.
Paragraph (3)
Letter a
What is referred to as "life-threatening situation" includes rescuing the Personal Data Owner from the
threat of crime identified by law enforcers as targeting the Personal Data Owner concerned.
Letter b
Self-explanatory.
Letter c
Self-explanatory.
Letter d
Self-explanatory.
Letter e
Self-explanatory.
Letter f
Self-explanatory.
Letter g
Self-explanatory.
Letter h
Self-explanatory.
Paragraph (4)
Self-explanatory.
Article 26
The obligation to show the consent given by Personal Data Owner is carried out to fulfil the legal
requirements for personal data processing.
Article 27
Paragraph (1)
Withdrawal of consent for Personal Data Processing includes, among others, reasons for withdrawal
and evidence.
Paragraph (2)
Self-explanatory.
Article 28
Paragraph (1)
Delays in Personal Data Processing are carried out based on the request of Personal Data Owner
which includes, among others, reasons for processing delays and accompanied by evidence.
Paragraph (2)
Self-explanatory.
Article 29
Self-explanatory.
Article 30
Self-explanatory.
Article 31
Self-explanatory.
Article 32
Self-explanatory.
Article 33
Self-explanatory.
Article 34
Self-explanatory.
Article 35
Self-explanatory.
Article 36
Self-explanatory.
Article 37
Self-explanatory.
Article 38
Self-explanatory.
Article 39
Self-explanatory.
Article 40
Self-explanatory.
Article 41
Paragraph (1)
What is referred to as "destruction of Personal Data" is destruction carried out until Personal Data
can no longer identify a person.
Paragraph (2)
Self-explanatory.
Article 42
Paragraph (1)
Self-explanatory.
Paragraph (2)
Self-explanatory.
Paragraph (3)
Self-explanatory.
Paragraph (4)
What is referred to as "in certain cases", among others, includes when the failure to protect Personal
Data interferes with public service and/or has a serious impact on the interests of the society.
Article 43
Self-explanatory.
Article 44
Paragraph (1)
Self-explanatory.
Paragraph (2)
Self-explanatory.
Paragraph (3)
Self-explanatory.
Paragraph (4)
When the Personal Data Processor acts outside the objectives specified/ordered by the Personal Data
Controller, then the Personal Data Processor has changed into Personal Data Controller for other
purposes so that it becomes the responsibility of the party concerned.
Article 45
Self-explanatory.
Article 46
Paragraph (1)
"Officials/officers who carry out Personal data protection functions" is defined as officials/officers
responsible for ensuring compliance with the principles of Personal Data and mitigating the risk of
Personal Data protection violation.
Paragraph (2)
Self-explanatory.
Paragraph (3)
Self-explanatory.
Paragraph (4)
Self-explanatory.
Article 47
Self-explanatory.
Article 48
Self-explanatory.
Article 49
Paragraph (1)
"Personal Data Transfer" means the transfer, diversion, transmission, and/or duplication of personal
data both manually and electronically from the Personal Data Controller to another party.
Approval to transfer Personal Data is stated on a separate form from the terms and conditions for
using Personal Data.
Paragraph (2)
Self-explanatory.
Article 50
Article 51
Letter a
Self-explanatory.
Letter b
Self-explanatory.
Letter c
The development of the regulation of personal data transfer to other countries requires that each
country has equal protection with its national provisions and adopts an approach that is applied in
many countries but its implementation cannot be applied strictly so that it will still require an
international bilateral agreement.
Article 52
Self-explanatory.
Article 53
Self-explanatory.
Article 54
Self-explanatory.
Article 55
Paragraph (1)
What is referred to as "to different places" includes changing the direction and/or range of
visualization of visual data processing/processor equipment.
Paragraph (2)
Self-explanatory.
Article 56
Self-explanatory.
Article 57
Self-explanatory.
Article 58
What is referred to as "commercial purpose" is the processing of Personal Data for profit.
Article 59
Self-explanatory.
Article 60
Self-explanatory.
Article 61
Self-explanatory.
Article 62
Paragraph (1)
Letter a
Self-explanatory.
Letter b
Self-explanatory.
Letter c
What is referred to as "economic or financial interests" includes fiscal and monetary, financial
stability, budget, and taxation system.
Letter d
Self-explanatory.
Letter e
Aggregate Data is a set of data related to a person that cannot and/or is not intended to identify
someone directly or indirectly.
Paragraph (2)
Self-explanatory.
Article 63
Self-explanatory.
Article 64
Paragraph (1)
Self-explanatory.
Paragraph (2)
The principle of reciprocity in this provision includes the extradition agreement or mutual assistance
on criminal matters.
Article 65
What is referred to as "guarantee the implementation of Personal Data Protection" includes, among
others, stipulation and implementation of policies, promotion and education, advocacy, and
supervision.
Article 66
Self-explanatory.
Article 67
Self-explanatory.
Article 68
Self-explanatory.
Article 69
Self-explanatory.
Article 70
Self-explanatory.
Article 71
Self-explanatory.
Article 72
Self-explanatory.
Article 73
Self-explanatory.
Article 74
Self-explanatory.
Article 75
Self-explanatory.
Article 76
Self-explanatory.
Article 77
Self-explanatory.
Article 78
Self-explanatory.
Article 79
Self-explanatory.
Article 80
Self-explanatory.