Personal Data Protection Law in Indonesia – Prepare for the coming Implementation Regulation (3) =Processing of Personal Data=
We published a newsletter regarding Personal Data Protection Law in Indonesia. To view PDF version, please click the following link.
Personal Data Protection Law in Indonesia
Prepare for the coming Implementation Regulation (3)
=Processing of Personal Data=
October 2024
One Asia Lawyers Indonesia Office
Koji Umai, Lawyer (Japan)
Yusuke Tomofuji, Lawyer (State of New York, USA)
Prisilia Sitompul, Lawyer (Indonesia)
1. Introduction
The Indonesian Personal Data Protection Law (“PDP Law”)[1] was enacted on October 17, 2022, and the two-year preparation period during which the Personal Data Controllers must adjust themselves to PDP Law has come to an end. Even so, the implementing regulations for the PDP Law have not yet been promulgated, although its draft has been published (the “Draft Regulation”)[2]. Although it is uncertain when this Draft Regulation will be enacted or if any amendment may be made, as we believe it is useful to review this Draft Regulation, we would like to delve into it in this month’s newsletter.[3] While the last newsletter focused on cross-border transfers, we focused on the Processing of Personal Data this month.
2. Processing of Personal Data
The PDP Law contains the following provisions on the Processing of Personal Data.
- Processing of Personal Data
- Personal Data Processing Principles
- Basis for the Personal Data Processing
The Draft Regulation contains more detailed provisions on these items. We would like to explain this by dividing it into (1) Processing, (2) Checklists for each Processing, (3) Personal Data Processing Principles, and (4) Basis for Personal Data Processing.
(1) Processing of Personal Data
Article 16 of the PDP Law stipulates that the Processing of Personal Data includes the following, and Article 9 of the Draft Regulation stipulates the same.
- Acquisition and collection;
- Filtering and analysis;
- Storage;
- Fixing and updating;
- Display, announcement, transfer, dissemination, or disclosure and/or
- Deletion or destruction
(2) Checklist for each Processing
Articles 10-15 of the Draft Regulation provide checklists that must be complied with for each Processing as explained above. These are new provisions because the PDP Law did not contain such.
The checklist, for example, stipulates that the Processing of Personal Data shall be in accordance with the purpose or that security control measures shall be taken when Processing Personal Data. To follow this provision, it is important to note what kind of Processing is about to be conducted and which checklists shall be followed.
(3) Personal Data Processing Principles
In Processing Personal Data, the Personal Data Controller must comply with the following Principles for the Protection of Personal Data. They are set forth in Article 16(2) of the PDP Law and are set forth in more detail in the Draft Regulation in the following provisions.
- Personal Data collection is limited and specific, legally valid and transparent (Article 25)
- Processing is in accordance with its purpose (Article 26)
- Personal Data processing is carried out by guaranteeing the rights of the Personal Data Subject (Article 27)
- Processing in an accurate manner (Article 28)
- Processing is carried out by protecting the security control (Article 29)
- Processing is carried out by notification to Personal Data Subjects of purposes and Processing details (Article 30)
- Personal Data shall be destroyed after the retention period ends (Article 31)
- Processing is carried out responsibly (Article 32)
Of these, No. 1 is specific to collection, and No. 7 is specific to destroying or deletion, while the rest are commonly applicable to all types of Processing.
(4) Basis for Processing Personal Data
The Processing of Personal Data requires the following Basis for Processing.
- Explicit and valid consent
- Fulfillment of contractual obligations
- Fulfillment of a legal obligation
- Protection of the vital interests of the Personal Data Subject
- Carrying out duties in the context of the public interest
- Fulfillment of other legitimate interests
As Article 20(2) of the PDP Law stipulates above, more detailed provisions have been placed in the Draft Regulation as follows.
(a) Explicit and valid consent (Articles 45-53)
The PDP Law provides that explicit and valid consent may be the basis for the Processing of Personal Data and that in obtaining such consent, the Personal Data Controller is obliged to inform the Personal Data Subject of the following (Articles 20(2)(a) and 21(1) of the PDP Law)
- Legality of the Processing
- Purpose of Processing
- Type and the relevance of Personal Data to be Processed
- Retention period of documents containing the Personal Data
- Details regarding the Personal Data collected
- Period of the Processing
- Rights of the Personal Data subject
In addition, it is stipulated that such information shall be provided in the Indonesian language (Article 22.4(c) of the PDP Law and its elucidation).
In addition to these provisions, the Draft Regulation stipulates the following.
- The provision of the above information must be concise and precise (Article 45 of the Draft Regulation).
- The Personal Data Controller must ensure the fulfillment of the Personal Data Subject’s right to withdraw approval at any time (Article 47 of the Draft Regulation).
- The Personal Data Controller shall not refuse to provide goods or services in the event that the Personal Data Subject refuses to propose consent to provide its Personal Data (Article 49 of the Draft Regulation).
In addition to these provisions, both the PDP Law and the Draft Regulation provide parental/guardian (guardian/wali) consent for the Processing of data of minors and persons with disabilities.
(b) Fulfillment of contractual obligations (Articles 54-58)
The following can be the basis for the Processing. (Article 20(2)(b) of the PDP Law, Article 44(2)(b) and Article 54(2)(a) of these draft Regulations)
- To fulfill the contractual obligations to which the Personal Data Subject is a party.
- To fulfill the request from the Personal Data Subject at the time when the Personal Data Subject is about to enter into the contract.
In addition, Articles 54 to 57 of the Draft Regulation provide the detailed requirements of such contract or request, for example, a minimum requirement in the contract.
(c) Fulfillment of Legal Obligations of Personal Data Controllers (Article 59)
The fulfillment of legal obligations can also be a basis for the Processing of Personal Data. As examples of such, the Draft Regulation stipulates the following as legal obligations (Article 59(2) of the Draft Regulation)
- Obligations under the provisions of the law
- court orders or decisions
- orders based on decisions of state officials.
In addition, Art. 59(3) of the Draft Regulation stipulates that the Processing of Personal Data pursuant to the above legal obligations shall be carried out in order to satisfy the interests of the Personal Data Subject and/or the Personal Data Controller, and does not necessarily have to affect the public interest or public benefit.
(d) Protection of the Vital Interests of the Personal Data Subject (Articles 60-62)
Protecting the vital interests of a Personal Data subject is a basis for Processing Personal Data. The PDP Law provides an example of this, such as in a case where it is for the survival of the Personal Data Subject (Article 20(2)(d) and its elucidation of the PDP Law).
The Draft Regulation adds to this the requirement that when a threat to the physical health or property of the Personal Data Subject exists when it is difficult to obtain authorization from the Personal Data Subject and that the Personal Data Subject is unlikely to object to the Processing.
Thus, this basis for Processing is all three of the following (Article 61 of the Draft Regulation).
- Life, physical health, or property is threatened
- It is difficult to obtain approval for the Processing from the Personal Data Subject
- The likelihood of the Personal Data Subject to refuse Processing is low.
In addition, the Draft Regulation provides that the Personal Data Controller shall, after the Processing, inform the Personal Data Subject about the nature of the Processing carried out and the type of threat if the Processing was not conducted (Article 62 of the Draft Regulation).
(e) Carrying out duties in the context of the public interest (Articles 63-68)
Public interest is also a basis for the Processing. The Draft Regulation provides information on when the Processing is conducted in order to perform duties related to public interest or public service (Article 64) and when there is an official authorization to Process (Article 68).
The former contemplates situations where the public interest is directly threatened (e.g., when the President declares a state of emergency during a disaster) (Article 64 of the Draft Regulation and its elucidation). However, the latter is not explained in detail.
For reference, the General Data Protection Regulation (GDPR) of the European Union contains similar provisions, and it is generally considered that it includes cases where a bar association or medical association conducts disciplinary proceedings against its members. Thus, such cases may be contemplated in the PDP Law and the Draft Regulation.
The Draft Regulation further stipulates that in both cases, the Personal Data Controllers cannot use public interest or public service as a basis when there is a commercial impact or benefit to the Personal Data Controller (Article 65 of the Draft Regulation).
(f) Fulfillment of other legitimate interests (Articles 69-73)
Fulfillment of other legitimate interests is the last basis for the Processing. The Draft Regulation provides that the Processing may be carried out for other legitimate interests by taking into account the purposes and needs of the Processing and the balance of the interest of the Personal Data Controller and the rights of the Personal Data Subject (Article 69).
Article 70 of the Draft Regulation stipulates that the Processing on such basis shall conduct the following in advance:
- An analysis of the need for and purpose of the Processing (Article 70(1)(a))
- Balancing the rights of the Personal Data Subject against the interests of the Personal Data Controller (ibid.)
- Prior verification that the Processing shall not have legal impact or harm to the Personal Data Subject (Article 70(1)(b))
- Implement measures to mitigate the effects if there are such effects (Ibid.)
The elucidation in Article 69 stipulates that the implementation of an evaluation, the collection of a debt from an organization, or the payment of a claim to an individual can be the basis for Processing.
If the Personal Data Controller processes Personal Data on other legitimate interests, the Personal Data Controller shall document the results of this assessment and communicate them to the Data Subject (Articles 71 and 73 of the Draft Regulation), and if the Personal Data Subject objects, the Personal Data Controller shall stop the Processing (Article 70, paragraph 2 of the Draft Regulation).
4. Conclusion
The Draft Regulation provides for (1) Processing of Personal Data, (2) Checklists for each Processing, (3) Personal Data Processing Principles, and (4) Basis for Personal Data Processing. In particular, the details of the (2), (3), and (4) are not included in the PDP Law.
Although it is impossible to predict how much the Draft Regulation may be amended before it actually comes into effect, we believe that reviewing the Draft Regulation will serve as a guideline for the future operation of Personal Data.
—–
[1] For the content of PDP Law, please kindly refer to our newsletter of October 2022 (https://oneasia.legal/8947) (Please be noted that only Japanese version is available.)
[2] As of today, this proposed rule has not yet been enacted, nor have we seen any reports that it has been amended.
[3] For our previous newsletters on the Draft Regulation, please see our October 2023 Newsletter (https://oneasia.legal/en/5248) and our November 2023 Newsletter (https://oneasia.legal/en/6148).