Customer data subject consent
10. Is express consent from customers or other data subjects required before moving data to the cloud?

As a rule, any use of personal data must be based on consent from the data owner. The consent must be in writing (i.e., express and opt-in consent), whether manually or electronically and in Bahasa Indonesia (although there is no prohibition on using a dual language format).

Prior to Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), Indonesia only recognized "valid consent" as the lawful basis for processing personal data. However, with the issuance of the PDP Law, a data controller can conduct data processing activity if it has fulfilled any or all of the following lawful bases for processing personal data (which are similar to the lawful bases under the EU GDPR):

  1. Valid explicit consent from the data subject for one or more specific purposes that the data controller has explained to the data subject
  2. Fulfillment of an obligation in a contract where the data subject is one of the parties or to fulfill a request from the data subject when entering into a contract
  3. Fulfillment of a legal obligation of the data controller
  4. Protecting the vital interests of the data subject
  5. Implementation of a public interest or public service duty, or implementation of a data controller's authority under laws and regulations
  6. Fulfillment of other legitimate interests by considering the purpose, needs and balance of the data controller's obligations and data subject's rights

However, in the absence of a further implementing regulation or guideline on the additional lawful bases (e.g., on how to determine whether a data processing activity can be covered under those additional lawful bases), consent remains an integral part of processing personal data, in the sense that if the data subject intends to revoke their consent, the data controller should cease processing the personal data. Further guidance is required from the Data Protection Authority on the lawful bases.

If the personal data processing activity is based on "explicit consent," the data controller must inform the data subject of all of the following information:

  1. Legality of the personal data processing
  2. Purpose of personal data processing
  3. Type and relevance of the personal data to be processed
  4. Retention period of documents containing personal data
  5. Details regarding the information collected
  6. Period of personal data processing
  7. Rights of the personal data subject

The data controller must ensure that the above information has been communicated to the data subject prior to the data processing activity (e.g., by incorporating the above information in a privacy policy). Furthermore, if there is any change in the information mentioned above, the data controller must notify the data subject before the change takes effect. While there is no specific explanation of "explicit consent" under Law No. 27 of 2022 on Personal Data Protection, "explicit consent" should refer to opt-in and express consent (where consent is not implied or given under duress or due to negligence). A simple "click to agree" box (or any other opt-in mechanism) should be sufficient to reflect "explicit consent." Indonesia does not have a concept of acceptance by silence and, therefore, a deemed/opt-out consent can be challenged.

If personal data is received indirectly from another entity, then in the legal documentation between the entities, the disclosing entity should represent and warrant to the receiving entity that sufficient consent has been obtained from the data owner to allow the disclosing entity to share the personal data and the receiving entity to process the personal data.