Law No. 27 /2022 on the Personal Data Protection of Personal Data was eventually ratified on October 17, 2022. The law confirms that the rights to Personal Data Protection (PDP) is human rights, which is part of personal self-protection.
The law is also aimed at guaranteeing the rights of citizens to personal protection and raising public awareness as well as ensuring recognition and respect for the importance of PDP. The law is the legal umbrella for good personal data management in Indonesia.
This article consists of two parts. The first part explains the jurisdiction of Law No. 27/2022, types of personal data, rights of personal data subjects and obligations of personal data controllers and processors of personal data.
Jurisdiction of Law No. 27/2022
Law No. 27/2022 exercises extraterritorial jurisdiction. The law is applicable to every person, public body, and international organization that is inside or outside the jurisdiction of Indonesia, those that have legal consequences in the jurisdiction of Indonesia or have legal consequences for the subject of personal data of Indonesian citizens outside the jurisdiction of Indonesia. However, Law No. 27/2022 does not regulate the processing of personal data by individuals in personal or household activities.
Types of Personal Data
Law No. 27/2022 defines personal data as data about individuals identified or can be identified separately or in combination with other information, either directly or indirectly through electronic or non-electronic systems.
Personal data consists of two types, namely specific personal data and general personal data.
Personal data of a specific nature includes:
a. health data and information;
b. biometric data;
c. genetic data;
d. crime records;
e. child data;
f. personal financial data; and/or
g. other data in accordance with the provisions of the legislation
Personal data of a general nature includes:
a. full name;
e. marital status; and/or
f. personal data combined to identify a person.
Personal Data Subject Rights
The subject of personal data is an individual to whom personal data is attached. Law No. 27 /2022 stipulates the rights of personal data subjects, as follows:
a. the right to obtain information about identity clarity, the basis of legal interest, the purpose of requesting and using personal data, and the accountability of parties requesting personal data.
b. the right to complete, update, and/or correct errors and/or inaccuracies in personal data about him/her in accordance with the purpose of processing personal data.
c. the right to gain access and obtain a copy of personal data about himself in accordance with the provisions of the legislation.
d. the right to end processing, delete, and/or destroy personal data about him/her in accordance with the provisions of laws and regulations.
e. the right to withdraw the consent to the processing of personal data about him/her that has been given to the personal data controller.
f. the right to object to decision-making actions based solely on automated processing, including profiling, that have legal consequences or have a significant impact on the subject of personal data.
g. the right to suspend or limit the processing of personal data in proportion to the purpose of processing personal data.
h. the right to sue and receive compensation for violations of the processing of personal data about him in accordance with the provisions of the legislation.
i. the right to obtain and/or use personal data about him/herself from the personal data controller in a form that is in accordance with the structure and/or format commonly used or readable by the electronic system.
j. the right to use and transmit personal data about himself to other personal data controllers, as long as the system used can communicate with each other securely in accordance with the principles of personal data protection under this law.
The rights of such personal data subjects are excluded for:
a. the interests of national defense and security;
b. the interests of the law enforcement process;
c. the public interests in the context of state administration;
d. the interests of supervision of the financial services sector, monetary, payment system, and financial system stability carried out in the context of state administration; or
e. the interests in statistics and scientific research.
Obligations of Personal Data Controllers and Personal Data Processors
Personal data controller is any person, public body, and international organization acting individually or jointly in determining the objectives and exercising control over the processing of personal data.
Personal data processor is any person, public body, and international organization acting individually or jointly in processing personal data on behalf of the personal data controller. In the event that the personal data controller appoints the personal data processor, the personal data processor is obliged to carry out the processing of personal data based on the personal data controller’s order. Personal data processors may involve other personal data processors in processing personal data.
In processing personal data, the personal data controller must have a basis for processing personal data. The basis for processing personal data includes:
a. explicitly valid consent of the personal data subject for one or several specific purposes that has been submitted by the personal data controller to the personal data subject;
b. fulfillment of agreement obligations in the event that the personal data subject is a party or to fulfill the request of the personal data subject at the time of executing the agreement;
c. fulfillment of the legal obligations of the personal data controller;
d. protection of the vital interests of the personal data subject;
e. carrying out tasks in the context of public interest, public services, or exercising the authority to control personal data based on laws and regulations; and/or
f. fulfillment of other legitimate interests by taking into account the objectives, needs, and balance of the interests of the personal data controller and the rights of the personal data subject.
In terms of obtaining explicit valid consent from the personal data subject, the personal data controller is required to submit information related to:
a. the legality of the processing of personal data;
b. the purpose of processing personal data;
c. the type and relevance of personal data to be processed;
d. the retention period of documents containing personal data;
e. details regarding the Information collected;
f. the period of processing of personal data; and
g. personal data subject rights.
The clause of the agreement in which there is a request for processing personal data that does not contain the explicit legal consent of the personal data subject is declared null and void.
Personal data controllers and personal data processors are required to perform processing:
1. in a limited and specific manner, legally valid, and transparent;
2. according to the purpose of processing personal data;
3. by ensuring the accuracy, completeness, and consistency of personal data in accordance with the provisions of laws and regulations;
4. by updating and/or correcting errors and/or inaccuracies of personal data no later than 3 x 24 hours from the time the personal data controller receives the request for updating and/or correction of personal data;
5. by notifying the results of updating and/or correcting personal data to the subject of personal data;
6. by providing access to the subject of personal data to personal data that is processed along with a track record of processing personal data in accordance with the period of storage of personal data. Such access is granted no later than 3×24 hours from the time the personal data controller receives the access request;
7. by refusing to give access to changes to personal data to the subject of personal data in the event that:
• endanger the safety, physical health or mental health of the Personal data subject and/or other people;
• impact on the disclosure of other people’s personal data; and/or
• contrary to the interests of national defense and security.
8. by conducting a PDP impact assessment in the event that the processing of personal data has a high potential risk to the subject of personal data;
9. by protect ing and ensuring the security of the personal data it processes;
10. by maintaining the confidentiality of personal data.
11. by supervising each party involved in the processing of personal data under the control of the personal data controller;
12. by protecting personal data from unauthorized processing;
13. by preventing personal data from being accessed illegally;
14. by stopping the processing of personal data in the event that the personal data subject withdraws his consent to the processing of personal data;
15. by delaying and limiting the processing of personal data either partially or completely no later than 3 x 24 hours as of the personal data controller receives the request for delay and limitation of personal data processing and notifies it;
16. by terminating the processing of personal data in the event that:
• has reached the retention period;
• the purpose of processing personal data has been achieved; or
• there is a request from the subject of personal data.
17. by deleting personal data in the event of:
• personal data is no longer required for the purpose of processing personal data;
• the personal data subject has withdrawn the personal data processing dispute;
• there is a request from the subject of personal data; or
• personal data is obtained and/or processed in an unlawful manner.
18. by destroying personal data in the event of:
• the retention period has expired and is described as being destroyed based on the archive retention schedule;
• there is a request from the subject of personal data;
• not related to the settlement of the legal process of a case; and/or
• personal data is obtained and/or processed in an unlawful manner.
19. by notify ingthe deletion and/or destruction of personal data to the subject of personal data;
20. submit a written notification to the subject of personal and institutional data in the event of a failure of the PDP;
21. by being responsible for processing personal data and demonstrate accountability in the obligation to implement the PDP principles;
22. personal data controllers are required to carry out institutional orders in the context of administering PDP in accordance with Law no. 27 Year 2022.
R. Yudha Triarianto Wasono, S.H., M.H.
Mail : email@example.com
Phone : +62-21 799 7973 / +62-21 799 7975
Mail : firstname.lastname@example.org
Phone : +62-21 799 7973 / +62-21 799 7975
Any information contained in this article is provided for informational purposes only and should not be construed as legal advice on any matter. You may not act or refrain from acting on any content included in this legal update without seeking legal or other professional advice. This document is copyright protected. No part of this document may be disclosed, distributed, reproduced or transmitted in any form or by any means, including photocopying and recording or stored in any retrieval system without the prior written consent of SIP Law Firm.