Last review date: 13 January 2025

Yes

Under the PDP Law, a DPO shall have at least the following duties:

• To inform and provide advice to the personal data controller or the personal data processor to comply with the provisions of the PDP Law
• To monitor and ensure compliance with the PDP Law and the policies of the personal data controller or personal data processor
• To provide advice on assessing the impact of personal data protection and monitoring the performance of the personal data controller and the personal data processor
• To coordinate and act as a liaison for issues related to the processing of personal data

Last review date: 13 January 2025

Yes

The PDP Law requires a data controller and data processor to appoint officials or officers who will carry out the personal data protection function if all of the following conditions are fulfilled:

• The personal data are for the benefit of public services
• The nature, scope, and/or purposes of the core activities of the data controller require regular and systematic monitoring of personal data on a large scale
• The core activities of the data controller consist of processing of personal data on a large scale for specific personal data and/or personal data related to crimes

Further implementing regulation may be required, as the thresholds are still unclear (e.g., how to determine if data processing is considered as "large scale").

If yes, under what circumstances?

☒  the processing is carried out by a public authority or body, except for courts acting in their judicial capacity

☒  the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale

☒  the core activities of the controller or the processor consist of processing on a large scale of special categories of data

Last review date: 13 January 2025

Yes

If yes, what are these requirements?

☒  other

The PDP Law only stipulates that a DPO must be appointed based on professionalism, legal knowledge, personal data protection practice, and ability to fulfill their duties. Subject to the upcoming implementing regulation of the PDP Law, there is no certification requirement for the DPO. The PDP Law allows the data controller or data processor to appoint a DPO from within and/or outside of the data controller or data processor.

Last review date: 13 January 2025

No

Under Indonesian laws, there is a general requirement to register every electronic system operator.

Under GR 71, both public and private electronic system operators must register themselves and their electronic systems with the MOCD to obtain an electronic system operator registration certification.

In late 2020, the MOCD issued Regulation No. 5 of 2020 on Private Electronic System Operators, as lastly amended by MOCD Regulation No. 10 of 2021 (MOCD Regulation 5). MOCD Regulation 5 extends the registration obligation to foreign private electronic system operators that meet one of the criteria below:

• They provide services in Indonesia.
• They conduct business activities in Indonesia.
• Their electronic systems are used and/or offered in Indonesia.