Data Protection and Cybersecurity in Indonesia: General Requirements
By Denny Rahmansyah and Farah Nabila
Indonesia\'s Electronic Information Law, Government Regulation 82 regarding the Implementation of Electronic Systems and Transactions, and MOCI Regulation 20 regarding the Protection of Personal Data in Electronic Systems (jointly referred to as the PDP Regulations) require Electronic System Providers (ESPs) to adopt an internal policy related to the protection of personal data for the purpose of, including but not limited to, acquiring, collecting, processing, analyzing, storing, dissemination, transmission and destruction of data. This internal policy shall be drafted as a means to prevent any failure in the protection of data in their system.
With regard to access, data subjects are granted the right to:
- obtain access or the opportunity to change or update their personal data without interfering with the personal data management system, unless otherwise provided by applicable laws and regulations;
- obtain access or the opportunity to receive the history of their personal data that has been given to the ESP insofar as it is still in accordance with the applicable laws and regulations; and
- request the destruction of their personal data in an electronic system managed by the ESP, unless otherwise determined by the applicable laws and regulations.
The PDP Regulations do not govern the use of data pursuant to anonymization, de-identification, or pseudonymisation.
Restrictions on or allowances for profiling, automated decision-making, online monitoring or tracking, Big Data analysis and artificial intelligence do not exist in the current PDP Regulations.
The existing PDP Regulations provide for \"loss,‚Äù which can be loosely translated as \"injury‚Äù or \"harm,‚Äù as a ground to file a complaint of an alleged data breach. However, the PDP Regulations do not define the scope of the term \"loss‚Äù for this purpose.
This first appeared in the Chambers Corporate M&A 2019 Guide, published by Chambers and Partners. You can find the full chapter here.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user\'s own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.