Indonesia's Law No. 27 of 2022 regarding Personal Data Protection (PDP Law) requires a personal data controller to have a legal basis for carrying out personal data processing, which includes:
- a valid and explicit consent from the personal data subject for one or more specific purposes conveyed by the personal data controller to the personal data subject;
- fulfilment of contractual obligations to which the personal data subject is a party, or to fulfil the request of the personal data subject at the time of entering into an agreement;
- fulfilment of the legal obligations of the personal data controller in accordance with the provisions of laws and regulations;
- fulfilment of the protection of the vital interests of the personal data subject;
- the implementation of tasks in the context of the public interest, public services or the implementation of the authority of the personal data controller by the laws and regulations; and
- fulfilment of other legitimate interests by taking into account the objectives, needs and balance of the interests of the personal data controller and the rights of the personal data subject.
While the Personal Data Protection Regulations (PDP Regulations) mandate obtaining consent for any processing of personal data, the PDP Regulations do not provide further guidance on how this consent is to be given.
Government Regulation No. 71 of 2019 regarding the Provision of Electronic Systems and Transactions (GR 71/2019) stipulates other lawful bases, other than consent, for processing personal data, as follows:
- processing an individual’s personal data to satisfy the obligations of a contract or to fulfil the request of such personal data owner;
- the fulfilment of the legal obligation of the personal data controller in line with the applicable laws and regulations;
- guarding the vital interest of the personal data owner;
- performing the legal obligations of the personal data controller;
- performing the obligations of the personal data controller in the interest of the public; and
- satisfying another valid interest of the personal data controller or the personal data owner.
Further, under GR 71/2019, consent can only be considered lawful if it fulfils the following conditions:
- it is explicitly given, apparent and not hidden;
- it is not based on fault, negligence or duress;
- it is for one or more specific purposes; and
- it is for the informed purposes.
Excerpted from Lexology Panoramic: Data Protection & Privacy 2024, published by Law Business Research.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.