[Last updated: 23 February 2023]
☒ a) data localization / data residency laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may be also be stored outside of the jurisdiction):
GR 71 classifies electronic system operators into two categories, i.e., public electronic system operators (e.g., government institutions and their appointed parties) and private electronic system operators (e.g., private companies).
Only public electronic system operators must process and store personal data only in Indonesia. In general, private electronic system operators can process and store personal data offshore provided that they maintain the effectiveness of legal enforcement and monitoring in Indonesia (e.g., by providing access to data if there is a valid request from government authorities or legal enforcer). However, if the private electronic system operators are bound to sectoral regulations (e.g., financial services sector), they may be required to process and store personal data only in Indonesia.
☒ b) other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:
☐ national security laws
☐ anti-investigatory/blocking statutes that restrict any activity on local territory that aids a foreign government investigation
☒ tax or financial record laws
☐ employment laws
☐ export control laws