Last review date: 13 January 2025
☒ omnibus – all personal data
☒ sector-specific — e.g., financial institutions, governmental bodies
☒ constitutional
Last review date: 13 January 2025
- Law No. 11 of 2008 as lastly amended by Law No. 1 of 2024 on Electronic Information and Transactions (EIT Law)
- Law No. 27 of 2022 on Personal Data Protection (PDP Law)
- Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (GR 71)
- Minister of Communication and Informatics (now known as Minister of Communication and Digital - MOCD) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (MOCD Regulation 20)
(Together, Data Protection Regulations)
Please note that all regulations are in the Indonesian language.
Last review date: 13 January 2025
Indonesia does not currently have a specific cybersecurity law. Provisions on cybersecurity are mainly covered in the EIT Law and GR 71. There are also some further implementing regulations issued by the National Cyber and Code Agency (Badan Siber dan Sandi Negara - BSSN).
Last review date: 13 January 2025
In general, there is no specific regulation on non-personal data in Indonesia. Consequently, the treatment of non-personal data largely depends on contractual arrangements between parties (e.g., confidentiality, sharing, and disclosure agreements).
That said, there are several regulations that touch upon non-personal data or cover general provisions that apply to non-personal data. For example:
- The EIT Law
- Law No. 8 of 1997 on Corporate Documents
In addition, sector-related regulations cover specific treatments or restrictions towards non-personal data, such as regulations in the e-commerce, financial, healthcare, and natural resources sectors.
Last review date: 13 January 2025
Yes
The Indonesian government has enacted the PDP Law, which took effect on 17 October 2022 with a two-year transitional period ending on 17 October 2024. During this period, all parties that conduct personal data processing must carry out adjustments to conform with the PDP Law.
The PDP Law aims to provide greater certainty and clarity on personal data protection in Indonesia, enhancing protection for data subjects. It will impact how businesses process personal data.
The PDP Law does not apply to personal data processing by individuals for private or household matters. There is no further guidance on this yet, and we await the authorities’ interpretation and implementation in practice.
Ideally, during the transitional period, the Government would establish the data protection authority and issue the mandatory implementing regulations. However, even after the end of the two-year transitional period, the Government has not yet established the data protection authority or issued any implementing regulation.
We are aware that at least one implementing regulation of the PDP Law is currently being finalized by the Government. The regulation will address the following issues:
- Automatic processing of personal data
- Data subject's rights to seek damages for any violation of data processing requirements
- Data subject's rights to use and transmit personal data to other data controllers
- Technical implementation of data processing
- Data privacy impact assessment
- Data storage, transfer and deletion issues when a data controller is dissolved as a company
- Data protection officer
- Personal data transfer
- Procedures for imposing administrative sanctions by the data protection authority
- The scope of authority and functions of the data protection authority