Management of Personal Data: What Companies in Indonesia Should Know

By Fahrul S. Yusuf and Indrawan Dwi Yuriutomo The management of personal data under Indonesian law is largely consent based. This consent must be given in writing by the owners of the personal data, either manually or electronically, after the owners are given a full explanation of any actions that will be taken in regard to their personal data – including any cross-border transfer. Any company that obtains such consent can manage the personal data as long as this management falls under the scope of the consent given. So, for example, a company may not disclose the personal data if the owner of the data has not given his or her consent for such disclosure. Transfer of Personal Data Outside of Indonesia The newly issued Minister of Communication and Informatics (“MOCI”) Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (“Reg. 20/2016”), provides that any electronic system provider that operates in Indonesia must fulfill several requirements if it intends to transfer personal data outside of Indonesia. First, the electronic system provider must coordinate with the MOCI or an authorized government official prior to and after the transfer. This coordination includes (i) reporting the planned transfer of personal data, including at least the destination country, the full name of the party that will receive the personal data, the date of the transfer, and the reason or purpose of the transfer and (iii) reporting the result of the transfer. Second, the electronic system provider must fulfill all applicable regulatory provisions on the cross-border exchange of personal data. %0