In accordance with the PDP Law (Law No. 27 of 2022 regarding Personal Data Protection), a breach of data protection law may be subject to administrative sanctions and criminal penalties. Under article 57 (1) of the PDP Law, some breaches of data protection are subject to the imposition of administrative sanctions in the form of:
- a written warning;
- temporary suspension of personal data processing activities;
- deletion or destruction of personal data; and
- administrative fines.
Criminal penalties may also apply as follows:
- imprisonment for five years or a maximum fine of 5 billion rupiah (or both) for any person who intentionally and unlawfully obtains or collects personal data that does not belong to them to benefit themself or another person and which may result in losses for the personal data subject;
- imprisonment for four years or a maximum fine of 4 billion rupiah (or both) for any person who intentionally and unlawfully discloses personal data that does not belong to them;
- imprisonment for five years or a maximum fine of 5 billion rupiah (or both) for any person who intentionally and unlawfully uses personal data that does not belong to them; and
- imprisonment for six years or a maximum fine of 6 billion rupiah (or both) for intentionally creating false personal data or falsifying personal data to benefit themself or another person and which may result in a loss for another person.
The PDP Law also specifies the types of penalty that may be imposed on corporations that conduct criminal acts related to data protection law. In such cases, the penalty can be imposed on one or more of the management, controller, instruction provider, beneficial owner and the company itself in the form of a criminal fine up to a maximum of 10 times the maximum penalty imposed.
The company may also face additional penalties, including the confiscation of profits and assets obtained from criminal acts, suspension of all or part of the company’s business, permanent prohibition from performing certain actions, closing all or part of the company’s place of business or activities, payment of indemnification, license revocation and dissolution of the company.
Excerpted from Lexology Panoramic: Data Protection & Privacy 2024, published by Law Business Research.
Find the Indonesia chapter of Lexology Panoramic: Data Protection & Privacy 2024 here.
Further reading:
Looking Ahead to Indonesia’s Personal Data Protection Agency
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.