This is the second part of an article explaining Law No. 27/2022 on the Protection of Personal Data. It describes notification to data subjects in the event of a corporate action, failure of personal data protection, personal data protection (PDP) administration institutions, PDP officials, personal data transfer, administrative sanctions, dispute resolution and procedural law, prohibitions and criminal threats, as well as transitional provisions.

Notification to Data Subjects In the Event of A Corporate Action

Law No. 27/2022 imposes a new obligation on personal data controllers in the form of legal entities: in the event of a corporate action, such as a merger, separation, acquisition, consolidation, or dissolution, they must submit a notification of the transfer of personal data to the personal data subject. The notification is given both before and after the corporate action is carried out.

PDP Failure

PDP failure refers to the failure to protect a person’s personal data in terms of the confidentiality, integrity, and availability of personal data, including security breaches, whether intentional or unintentional, leading to destruction, loss, alteration, disclosure of, or unauthorized access to personal data that is sent, stored, or processed.

In the event of a PDP failure, the personal data controller is required to submit a written notification stating the personal data disclosed, when and how the personal data was disclosed, and the handling and recovery efforts undertaken by the personal data controller.

Notification must be submitted no later than 3 x 24 hours to: (a) personal data subjects and (b) institutions. In certain cases the personal data controller is obliged to notify the public about the failure of the PDP.

Institution

Law No. 27/2022 stipulates that the PDP is implemented by an institution designated by and responsible to the President. Provisions regarding this institution will be determined further by a Presidential Regulation.

The authority of the institution is as follows:

  1. to formulate and establish policies in the field of PDP;
  2. to supervise the compliance of personal data controllers;
  3. to impose administrative sanctions for violations of personal data protection by personal data controllers and/or personal data processors;
  4. to assist law enforcement officers in handling alleged criminal acts of personal data as referred to in this law;
  5. to cooperate with other country’s PDP institutions in the context of resolving allegations of cross-border PDP violations;
  6. to conduct an assessment of the fulfillment of the requirements for the transfer of personal data outside the jurisdiction of the Republic of Indonesia;
  7. to give orders in order to follow up the results of supervision to personal data controllers and/or personal data processors;
  8. to publish the results of the implementation of PDP supervision in accordance with the provisions of the legislation;
  9. to receive complaints and/or reports regarding alleged violations of the PDP;
  10. to conduct inspections and searches on complaints, reports, and/or results of supervision of alleged PDP violations;
  11. to summon and present every person and/or public body related to the alleged violation of the PDP;
  12. to request information, data, information, and documents from any person and/or public body related to alleged violations of the PDP;
  13. to summon and present the necessary experts in the examination and investigation related to alleged PDP violations;
  14. to conduct inspections and searches on electronic systems, facilities, rooms, and/or places used by personal data controllers and/or personal data processors, including obtaining access to data and/or appointing third parties; and
  15. to request legal assistance from the prosecutor’s office in resolving the PDP dispute.

PDP Official

What is meant by “officials or officers carrying out the PDP function” are officials or officers who are responsible for ensuring compliance with PDP principles and mitigating the risk of PDP violations. Officials or officers carrying out the PDP function are appointed based on professionalism, knowledge of law, PDP practice, and ability to fulfill their duties.

Personal data controllers and personal data processors are required to appoint officials or officers who carry out PDP functions in the following cases:

  1. the processing of personal data for the benefit of public services;
  2. the core activity of controlling personal data has the nature, scope and/or objectives that require regular and systematic monitoring of personal data on a large scale; and
  3. the core activity of controlling personal data consists of processing personal data on a large scale for specific personal data and/or personal data related to criminal acts.

Basically, PDP officials have the following tasks:

  1. to inform and provide advice to personal data controllers or personal data processors to comply with the provisions of Law No. 27 of 2022;
  2. to monitor and ensure compliance with Law No. 27 of 2022 and policies for personal data controllers or personal data processors;
  3. to provide advice on PDP impact assessments and monitor the performance of personal data controllers and personal data processors; and
  4. to coordinate and act as a contact person for issues related to data processing p

Transfer of Personal Data

The personal data controller can transfer personal data to other personal data controllers both within and outside the jurisdiction of the Republic of Indonesia provided that both the sender and the recipient have a PDP level that is equal to or higher than that stipulated in Law No. 27/2022.

Administrative Sanctions

Violation of several provisions in Law No. 27/2022 is subject to administrative sanctions in the form of:

  1. written warning;
  2. temporary suspension of personal data processing activities;
  3. deletion or destruction of personal data; and/or
  4. administrative fine.

The maximum amount of the above administrative fines is two percent of annual income or annual revenue for the violation variable. Administrative sanctions are imposed by the institution.

Dispute Resolution and Procedural Law

PDP dispute resolution is carried out through arbitration courts, courts, or other alternative dispute resolution institutions, and procedural law is carried out in accordance with the provisions of the applicable laws and regulations. In the event that it is necessary to protect personal data, the trial process is carried out behind closed doors.

Legal evidence is evidence as referred to in procedural law; and other evidence in the form of electronic information and/or electronic documents in accordance with the provisions of laws and regulations.

Criminal Prohibition and Sanctions

Law No. 27/2022 specifically stipulates the prohibition and its criminal sanctions as follows:

| No. | Prohibition | Criminal Sanctions |
|---|---|---|
| 1 | Any person (individual or corporation) who intentionally and unlawfully obtains or collects personal data that does not belong to him with the intention of benefiting himself or others which can result in the loss of the subject’s personal data. | imprisonment for a maximum of five years and/or a maximum fine of five billion rupiahs |
| 2 | Any person who knowingly and unlawfully discloses personal data that does not belong to him. | imprisonment for a maximum of four years and/or a maximum fine of four billion rupiahs |
| 3 | Any person who knowingly and unlawfully uses personal data that does not belong to him. | imprisonment for a maximum of five years and/or a maximum fine of five billion rupiahs |
| 4 | Any person who knowingly creates false personal data or falsifies personal data with the intention of benefiting themselves or others that can cause harm to others. | imprisonment for a maximum of six years and/or a maximum fine of six billion rupiahs |

Additional penalties can also be imposed in the form of confiscation of profits and/or assets obtained or proceeds from criminal acts and payment of compensation.

In the case of criminal acts committed by corporations (legal entities / non-legal entities), sanctions can be imposed on administrators, controllers, givers of orders, beneficial owners, and/or corporations. Fines imposed on corporations are a maximum of ten times the maximum fine that is imposed, and corporations can be subject to additional sanctions in the form of:

  1. confiscation of profits and/or assets obtained or proceeds from criminal acts;
  2. freezing all or part of the corporate business;
  3. permanent prohibition to perform certain actions;
  4. closure of all or part of the place of business and/or corporate activities;
  5. implementing obligations that have been neglected;
  6. payment of compensation;
  7. license revocation; and/or
  8. dissolution of the corporation.

Transition Terms

Personal data controllers, personal data processors, and other parties related to the processing of personal data must comply with the provisions for processing personal data based on Law No. 27/2022 no later than two years after the enactment of Law No. 27 of 2022.

Author/Contributor:

R. Yudha Triarianto Wasono, S.H., M.H.

Partner

Contact:

Mail: yudha@siplawfirm.id

Phone: +62-21 799 7973 / +62-21 799 7975

M. Ihsan Abdurrahman, S.H.

Associate

Contact:

Mail: ihsan@siplawfirm.id

Phone: +62-21 799 7973 / +62-21 799 7975

DISCLAIMER

Any information contained in this Article is provided for informational purposes only and should not be construed as legal advice on any matter. You must not act or refrain from acting on any content included in this Legal Update without seeking legal or other professional advice. This document is copyright protected. No part of this document may be disclosed, distributed, reproduced or transmitted in any form or by any means, including photocopying and recording or stored in any retrieval system without the prior written consent of SIP Law Firm.