Law No. 27 of 2022 regarding Personal Data Protection (PDP Law), the main legislation in Indonesia concerning the protection of personal information (PI), does not specify the retention period to which personal data controllers must adhere.
However, the law does stipulate that personal data shall be destroyed or deleted after the expiry of the retention period or at the request of the personal data subject, unless otherwise stipulated by laws and regulations.
Further, any data stored within an electronic system may be destroyed only:
- after the lapse of the regulatory data retention period under MOCI Regulation 20/2016 or any other regulation issued by the relevant authority; or
- upon the request of the data subject, unless otherwise governed under laws and regulations.
In addition, Minister of Communication and Informatics (MOCI) Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (MOCI Regulation 20/2016) provides that electronic service providers (ESPs) must retain personal data for a minimum of five years unless stipulated otherwise by sectoral regulations. Data may be retained beyond the five-year period if it is to be used following its initial purpose.
Consent is also required for the deletion of data, which is considered part of data processing. In practice, the form of consent that data subjects are required to provide to an ESP is worded as broadly as possible to cover all types of data processing.
Excerpted from Lexology Panoramic: Data Protection & Privacy 2024, published by Law Business Research.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.