Data Privacy by Sector in Indonesia

18 September 2018

There are laws in a number of specific areas in Indonesia that deal indirectly with data privacy. These include:


There is no specific stipulation in Indonesian employment laws on the protection of personal data of employees. It would normally be considered sufficient for employers in Indonesia to regulate the protection of the personal data of their employees by way of unilateral employee consents, employment agreements, company regulations or collective labour agreements. The basis to make these agreements and/or consents depends on the freedom of contract principle under Article 1338 of the Indonesian Civil Code. These agreements and/or consents authorise the collection, retention, disclosure and use of employees' personal data or other confidential information.

Health sector

Article 57 of Law No. 36 of 2009 regarding Health stipulates that in principle, every person is entitled to the confidentiality of their personal health information that has been provided to, or collected by, health care providers.

Financial sector

In financial institutions, data management is largely covered by consumer protection regulations. For example, financial service providers are prohibited by Article 31 of Financial Services Authority (Otoritas Jasa Keuangan or "OJK") Regulation No. 1/POJK.07/2013 regarding Financial Consumer Protection from disclosing customer data and/or information to third parties, unless they receive written consent from the customer or are required to by lawful authority.

If a financial service provider obtains the personal data and/or information of a person and/or a group of persons from a third party, it is required to have written confirmation from the third party that the person or group has agreed to the disclosure.

OJK Circular Letter No. 2/SEOJK.07/2014 regarding Consumer Complaint Services and Settlement, Bank Indonesia ("BI") Regulation No. 16/1/PBI/2014 regarding Consumer Protections in Payment System Services and BI Circular Letter No. 16/16/DKSP regarding Implementing Procedures for the Protection of Consumers in Payment System Services provide similar provisions.

The protection of consumers' personal data and/or information in relation to the payment transaction process conducted by payment system service providers is provided under Article 25 of BI Regulation No. 18/40/PBI/2016 regarding the Provision of Payment Transaction Processing.

Certain financial institutions, including banks and insurance companies, regulate in further depth the management of personal and financial data in separate regulations, including:


  • OJK Regulation No. 69/POJK.05/2016 regarding Insurance Business Implementation for Sharia Insurance Companies, Re-Insurance Companies, and Sharia Re-Insurance Companies;
  • Law No. 7 of 1992 regarding Banking, as last amended by Law No. 10 of 1998;
  • BI Regulation No. 2/19/PBI/2000 regarding Requirements and Procedures to Grant a Written Order or Approval to Disclose Bank Secrets;
  • Government Regulation in Lieu of Law No. 1 of 2017 regarding Access to Financial Information for Taxation Purposes;
  • Minister of Finance ("MOF") Regulation No. 70/PMK.03/2017 regarding Technical Guidance for Access to Financial Information for Taxation Purposes, as last amended by MOF Regulation No. 73/PMK.03/2017; and
  • OJK Regulation No. 38/POJK.03/2016 regarding Implementation of Risk Management in the Use of Information Technology by Commercial Banks.

These financial sector regulations do not contain more onerous requirements for financial data management than those in general regulations.

Telecommunications sector

Article 40 of Law No. 36 of 1999 regarding Telecommunications (the "Telecommunications Law") prohibits the "tapping" of information transmitted through telecommunications networks. Telecommunications services operators must keep any information transmitted, and/or received, by a telecommunications service subscriber, through a telecommunications network and/or telecommunications services provided by the relevant operator, confidential (Article 42, Telecommunications Law).

There are no sectoral laws that specifically stipulate the freedom of expression.

This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user's own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.
