Personal Data Protection Indonesia

Personal Data Protection

Awareness and Compliance

Indonesia Personal Data Protection Law

Personal data protection in Indonesia is governed by the laws and regulations below (titles in Bahasa Indonesia):

  • Undang-Undang Nomor 23 Tahun 2006 tentang Administrasi Kependudukan
  • Pasal 2 provides for personal data protection
  • Undang-Undang Nomor 24 Tahun 2013 tentang Perubahan Atas Undang-Undang Nomor 23 Tahun 2006 tentang Administrasi Kependudukan
  • Pasal 1 angka 22 provides for personal data confidentiality
  • Peraturan Pemerintah Nomor 40 Tahun 2019 tentang Pelaksanaan Undang-Undang Nomor 23 Tahun 2006
  • Undang-Undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik dan Undang-Undang Nomor 19 Tahun 2016 tentang Perubahan Atas Undang-Undang Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik
  • Privacy rights
  • Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 tentang Perlindungan Data Pribadi Dalam Sistem Elektronik

Ensure awareness and compliance with these requirements

An introduction to personal data protection is important to all citizens and companies in Indonesia. Each company needs to be fully aware of the types of personal data and of privacy rights. This awareness also covers the intent behind threats and how they relate to personal data protection. Indonesia has legal obligations as a protector of each of its citizens, based on the laws and regulations stated above. Organisations that fail to comply with these regulations face the risk of fines of up to 10 billion rupiah.

Key requirements of personal data protection

Some central aspects of personal data protection have been listed below.  

Processing of personal data for clear and legitimate purposes only: Generally, personal data must be saved in a form and manner that enables the data subjects to be identified only if it is necessary for the purposes of the data processing. Once they are no longer needed for the purpose for which they were collected, personal data must be deleted. If a data subject withdraws his/her consent to the use or processing of their personal data, organisations are obliged to delete ('erase') the relevant information.

Minimising risk: To comply with laws and regulations, a detailed risk assessment prior to data processing is strongly recommended. Risk assessment in this context extends from a systematic description of the planned activities and purposes of processing the personal data to documentation of the actions planned to mitigate the risks and ensure protection of personal data.

How can TÜV SÜD help you?

TÜV SÜD recommends that organisations identify processes falling under the scope of Indonesian laws and regulations, and that they conduct initial checks by aligning existing processes with the requirements.

As a leading expert on regulatory frameworks and process optimisation, TÜV SÜD supports businesses in becoming compliant with personal data protection requirements through the services listed below:

  • Gap analysis & risk assessment advisory services
  • GDPR/PDPA Compliance
  • ISO/IEC 27001 – Information Security Management System certification
  • ISO 27701 Privacy Information Management System (PIMS), a privacy extension to ISO 27001 Information Security Management System (ISMS)

Contact us today to learn more about our services.
