Data Protection in Indonesia: Breaches and Marketing

Legal Updates
Data Protection in Indonesia: Breaches and Marketing
3 November 2017

By Winnie Y. Rolindrawan and Meta N. Mustikaningrum

Data Breaches

A data breach involving a financial institution in Indonesia does not trigger an immediate reporting requirement to the relevant authority. Instead, periodical reports on consumer complaints and further services and settlements provided to such consumers must be made to the Financial Services Authority (OJK) or Bank Indonesia (BI), depending on the service rendered by the financial institution. For the OJK, this reporting must be done quarterly, whereas the reporting period to BI depends on the payment system service provided by the financial institution.

On a related note, data owners must be notified of any data breach if such breach resulted from a failure in the electronic system managed by the financial institution. This notification must include the reason the data breach occurred.

Furthermore, any work of a financial institution that is outsourced to third-party vendors will remain the liability of the financial institution.As a preliminary matter, a financial institution has the general obligation to ensure that any third party with which it cooperates implements at least the same standard of consumer protection as the financial institution itself. Subsequently, if a consumer suffers harm due to the fault or negligence of the third party, the financial institution continues to be liable upon such action.

Use of Data for Marketing Purposes

There is no regulation in Indonesia that specifically addresses the use of personal data by financial institutions for marketing purposes or in any form of new media.

However, OJK Regulation No. 1/POJK.07/2013 regarding Consumer Protection in the Financial Services Sector (OJK Reg. 1/2013) stipulates that financial institutions are prohibited from using a using a consumer's "unfortunate circumstances" to market their products or services to that consumer. This means that any personal information or data obtained by a financial institution cannot be used in its marketing efforts insofar as it would prey on the circumstances of consumers.

An example provided in the elaboration of OJK Reg. 1/2013 refers to offering a non-collateral loan to a consumer with little cash and a sick child. In such a case, in order to ensure his child receives proper care, the consumer would take the offer of non-collateral loan without considering his future ability to pay back the money.

This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user's own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.

For More Information, Please Contact
Back to Indonesia Law Blog
Related Articles