Law: Personal Data Protection Law (only available in Indonesian here) ('PDPL')

Regulator: There is no general data protection authority at present.

Summary: The Personal Data Protection Law (only available in Indonesian here) (PDPL) entered into force on October 17, 2022. Article 74 of the PDPL provides that controllers, processors, and any other parties related to the processing of personal data will have two years from the date of promulgation to comply with the PDPL. Further, on August 30, 2023, the Government of Indonesia released the Draft of the Government Regulation of 2023 regarding the Implementation of PDPL (only available in Indonesian here) that would provide more clarity on the implementation of the PDPL.

The PDPL applies to persons, public bodies, and international organizations, and has a broad extraterritorial application. The PDPL applies to organizations that carry out an act contemplated under the PDPL outside Indonesia, but its action has a legal impact in Indonesia and/or on Indonesian data subjects outside Indonesia. Notably, the PDPL applies to personal data processed by both electronic and non-electronic means. Further, the PDPL regulates the rights of data subjects, the obligations of data controllers, and data processors, provisions relating to cross-border transfers, and the relevant principles and requirements for processing personal data. Among the obligations of the controller under the PDPL, there is an obligation to conduct a Data Processing Impact Assessment (DPIA) if the personal data processing has a high potential risk to the personal data subjects.

Additionally, the PDPL also establishes the PDP Institution as the regulatory authority under the PDPL, that has extensive functions and powers, however, the establishment of the PDP Institution is still awaited.