These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.
Indonesia
Law No. 27 of 2022 on Personal Data Protection (PDP Law)
Key Provisions
Article 1: Definitions
- Data Pribadi (Personal Data): Any information relating to an identified or identifiable individual by any means.
- Pengendali Data (Controller): The party that determines the purposes and means of processing.
- Prosesor Data (Processor): The party that processes data on behalf of the Controller.
- Data Spesifik (Sensitive Data): Health, biometric, genetic, financial, criminal records, etc.
Articles 2–3: Scope & Application
Applies to all processing in Indonesia and any processing outside that affects Indonesian data subjects or has legal effect in Indonesia. Exempts purely personal or household activities.
Articles 5–14: Rights of Data Subjects
- Access, correct, update, or delete their data (Articles 6–8).
- Withdraw consent at any time (Article 9).
- Object to automated decision-making (Article 10).
- Request restriction of processing (Article 11).
- Data portability: receive data in structured form (Article 13).
Articles 20–22: Lawful Processing
- Consent, contract necessity, legal obligation, public interest, or legitimate interest.
- Consent must be explicit, recorded, and clear (Article 22).
- Consent is void if it is coercively tied to the provision of services (Article 23).
Articles 27–39: Controller Obligations
- Ensure accuracy, integrity and confidentiality of data (Article 29).
- Notify breaches to authority & subjects within 3×24 hours (Article 46).
- Conduct DPIAs for high-risk processing (Article 34).
- Appoint a Data Protection Officer if public service or large-scale (Article 53).
Article 51: Processor Duties
Follow the Controller's instructions at all times. Keep data confidential and assist the Controller with breach notifications.
Articles 55–56: Cross-Border Transfers
- Only to countries with adequate protection.
- If not, obtain explicit consent or use binding safeguards (Article 56).
Articles 67–73: Penalties
- Unauthorized collection/use: up to 5 years jail and/or IDR 5 billion fine.
- Falsifying data: up to 6 years jail and/or IDR 6 billion fine.
- Administrative fines up to 2% of global turnover (Article 57).
Compliance Checklist
Article 22: Consent
- For Controllers: Record explicit, clear consent.
- For Processors: Process only as instructed by the Controller.
Article 46: Breach Notification
- For Controllers: Notify authority & subjects within 3×24 hours.
- For Processors: Alert the Controller immediately on any breach.
Article 34: DPIA
- For Controllers: Do a DPIA for high-risk cases.
- For Processors: Provide data and support for assessments.
Article 53: DPO Appointment
- For Controllers: Appoint a DPO if required.
- For Processors: Cooperate with DPO audits.
Article 56: Cross-Border Transfers
- For Controllers: Use only approved countries or binding safeguards.
- For Processors: Transfer data only via approved mechanisms.
Article 29: Data Accuracy
- For Controllers: Verify data accuracy & rectify promptly.
- For Processors: Flag any inaccuracies in received data.
Article 35: Security Measures
- For Controllers: Implement encryption & organisational safeguards.
- For Processors: Follow security protocols as directed by the Controller.
Articles 43–44: Data Retention
- For Controllers: Erase data when no longer needed.
- For Processors: Securely delete data after processing and certify destruction.
Article 13: Data Portability
- For Controllers: Provide data in a portable format upon request.
- For Processors: Assist with portability requests.
Article 57: Record-Keeping
- For Controllers: Maintain records of all processing activities.
- For Processors: Keep detailed operation logs of processing tasks.
Need Help with Indonesia PDP Compliance?
Our expert team can provide tailored data protection solutions for your Indonesian operations and ensure full compliance with Law No. 27 of 2022.
Checklist to implementation
Need a fact-specific view?
Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.