Last review date: 13 January 2025
Yes.
☒ obligation to take specific security measures e.g., encryption
MOCD Regulation 20 requires that any data stored in an electronic system be encrypted. However, the regulation does not specify a minimum encryption standard, so what counts as adequate encryption is unclear.
☒ other
The PDP Law requires data controllers to prevent any unauthorized access to personal data by using a secure and reliable security system and/or electronic system. However, the PDP Law does not specify any minimum standards for these security systems or for how they must be used.
Last review date: 13 January 2025
Yes.
☒ financial services requirements
☒ other
If yes, please provide brief details of the relevant law or regulation.
GR 71 requires every electronic system operator to implement a security system that includes procedures, prevention measures, and countermeasures against threats and attacks that could cause disturbances, failures, and losses in the electronic system. Under GR 71, a "prevention and countermeasures system" includes, among other things, antivirus software, anti-spamming measures, firewalls, intrusion detection and prevention systems, and/or the organization of information security management systems.
Regulation of the Financial Services Authority No. 22 of 2023 on Consumer and Public Protection in the Financial Services Sector (FSA Regulation 22/23) requires every provider of financial services to ensure the security of its information systems and its cyber resilience for the purpose of consumer protection. This covers identifying assets, threats, and vulnerabilities; detecting cyber incidents; and responding to and recovering from cyber incidents.
No
Last review date: 13 January 2025
Yes
The PDP Law defines a "personal data breach" as a failure to protect a person's personal data in terms of confidentiality, integrity, and availability. This includes security breaches, whether intentional or unintentional, that result in the destruction, loss, alteration, disclosure, or unauthorized access to personal data being transmitted, stored, or processed.
The data breach notification must be made in writing and must at least contain the following information:
Last review date: 13 January 2025
☒ Controller/owner
There is no specific requirement for a data processor to notify the data subject or the data protection authority of a data breach incident. However, since the data processor acts under the responsibility of the data controller, and the data controller is required to give data breach notification, the data processor should notify the data controller promptly and, in any event, before the controller's data breach notification period (i.e., three days) lapses.
Last review date: 13 January 2025
Yes
☒ financial services requirements
e.g., financial services institutions (such as banks and insurance companies) personal data breach requirements
Details regarding the identified data security breach notification requirements
There is no sector-specific definition of a security breach; the definition in the PDP Law can be relied on. However, financial services institutions (e.g., banks) are required to notify the OJK within three days if one of their IT service providers violates bank secrecy obligations or the obligation to maintain the confidentiality of customers' personal data. Failure to comply with this notification provision can lead to administrative sanctions (e.g., warning letters and the suspension of business activity).