Global Data Privacy Guide
Indonesia (Asia Pacific)
Firm: ABNR Counsellors At Law
Contributors: Agus Deradjat
| 1. What is the key legislation? | The main regulation governing privacy and data protection is Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”). In addition to the PDP Law, data protection provisions in several existing regulations (the EIT Law, GR 71, MR 20 and MR 5, listed in the full text below) remain applicable insofar as they are not contrary to the PDP Law. There are also data protection regulations that apply to specific sectors (e.g., the medical and financial sectors). |
| 2. What are the key decisions applying that legislation? | The Indonesian Government is currently drafting the implementing regulation of the PDP Law, which will take the form of a Government Regulation (“Draft GR PDP”). This draft regulation is expected to clarify and expand upon the provisions of the PDP Law, guiding organizations on how to comply effectively. |
| 1. How are “personal data” and “sensitive data” defined? | The PDP Law defines “personal data” as “any data related to an individual (natural person), whether identified or capable of being identified independently or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means”. Such an individual is referred to as a “data subject”. Personal data under the PDP Law is categorized into “general personal data” and “specific personal data” (the latter being equivalent to “sensitive personal data”). |
| 2. How is the defined data protected? | The protection of personal data is generally established by, among others: requiring the implementation of personal data protection principles; requiring a lawful basis for processing general and specific personal data; setting out data subjects' legal rights; mandating technical and organizational measures by data controllers and data processors; imposing additional requirements on cross-border transfers; and establishing an independent data protection authority. When processing “specific personal data”, additional requirements must be fulfilled, namely carrying out a DPIA and, where the criteria in Q18 below are met, appointing a DPO. |
| 3. Who is subject to privacy obligations? | Generally, the PDP Law applies to all legal acts conducted within the jurisdiction of Indonesia, and to legal acts conducted outside Indonesia that have legal consequences in Indonesia and/or on a data subject who is an Indonesian citizen outside Indonesia. Any party that engages in activities within the ambit of the PDP Law is therefore subject to its provisions. The exemption applies to processing of personal data by individuals engaged in personal or household activities. Data controllers and data processors are subject to the privacy obligations set forth under the PDP Law. The PDP Law defines a data controller as ‘any individuals, public bodies and international organization that acts individually or jointly in determining the purpose and controls the personal data processing’ and a data processor as ‘any individuals, public bodies and international organization that acts individually or jointly that processes the personal data on behalf of data controller.’ |
| 4. How is “data processing” defined? | Processing under the PDP Law includes the entire cycle of personal data handling, including the acquisition and collection, processing and analysis, storage, rectification and update, display, publication, transfer, dissemination, or disclosure, and/or deletion or destruction of personal data. |
| 5. What are the principles applicable to personal data processing? | The PDP Law provides that personal data must be: collected in a limited, specific, lawful, fair and transparent manner; processed in accordance with its purpose; processed while guaranteeing the rights of the data subject; processed in an accurate, complete, not misleading, up-to-date and accountable manner; protected against unauthorized access, unauthorized disclosure, unlawful alteration, misuse, destruction and/or removal; processed with notification of the purpose and activity of the processing and of any failure to protect the data; and destroyed and/or erased upon expiry of the retention period or at the data subject's request, unless otherwise stipulated by law and regulations. |
| 6. How is the processing of personal data regulated? | Processing of personal data must be based on one of the following lawful bases: consent, contractual necessity, legal obligation, vital interest, public interest, or legitimate interest. A data controller must establish the appropriate lawful basis of processing for the intended purpose. |
| 7. How are storage, security and retention of personal data regulated? | The PDP Law only regulates personal data retention in a broad manner, requiring personal data to be erased or destroyed when the retention period lapses or at the data subject's request, unless otherwise provided by law or regulation. The PDP Law also does not specify a minimum or maximum retention period. Ideally, a data controller should establish a comprehensive retention policy that sets out the applicable retention period for each type of personal data relative to its purposes. In determining the appropriate retention policy, data controllers must consider various aspects, such as: (i) the mandatory retention period for certain data or certain industries; and (ii) the necessity of retaining the personal data. With regard to point (i), there are several legally mandated retention periods, for example under Law No. 8 of 1997 on Company Documents (ten years), the tax law (ten years) and Government Regulation No. 80 of 2019 on E-Commerce (ten years for financial data, five years for non-financial data). With regard to security, the PDP Law does not specify particular standards; data controllers must take technical and operational measures appropriate to the nature and risks of the personal data being processed. |
| 8. What are the data subjects' rights under the data legislation? | The PDP Law acknowledges the following data subjects' rights: the right to obtain information; the right to rectify; the right to access; the right to terminate processing (including to delete and/or destroy personal data); the right to withdraw consent; the right to object to automated decision-making (including profiling); the right to suspend or restrict processing; the right to lodge a complaint and seek compensation; and the right to data portability. |
| 9. What are the consent requirements for data subjects? | Consent must be express (i.e., given in writing or recorded), whether manually or electronically, and on an opt-in basis (it cannot be implicit or hidden, or obtained through error (oversight), duress, or deception), and must be in the Indonesian language (a dual-language format, e.g., English and Indonesian, is also acceptable). In addition, the consent form provided to the data subject must explain the legality and purpose of the processing, the type and relevance of the personal data to be processed, the retention period of documents containing personal data, details of the information collected, the period of processing, and the rights of the data subject. Please note that with regard to children (individuals under the age of 18 and unmarried), consent shall be given by the parents and/or guardians. Similarly, with regard to processing the data of persons with disabilities, regardless of the lawful basis of processing relied upon, consent must be obtained from the persons with disabilities or their guardian. |
| 10. How is authorization for use of data handled? | See Q2 above on the lawful basis of processing personal data. Each use case shall be based on a lawful basis of processing, which must be secured in an accountable and transparent manner. This could be achieved by providing the appropriate and compliant notice or consent form (as applicable), maintaining records of consent if the processing is based on consent, and maintaining an appropriate record of processing activities. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | Cross-border personal data transfer by a data controller may only be performed upon meeting one of the following conditions under the PDP Law: (a) the country of domicile of the receiving data processor and/or data controller has a level of personal data protection equal to or higher than that under the PDP Law (“Adequacy of Protection”); (b) there is adequate and binding personal data protection in place (“Appropriate Safeguard”); or (c) the data subject has provided their consent. Points (a)-(c) must be assessed and implemented in sequence. However, since there is no officially approved list of countries that would support the application of Adequacy of Protection, in current practice international data transfers should be based on an Appropriate Safeguard. Should it not be possible to establish an Appropriate Safeguard, an international data transfer may be carried out based on the consent of the data subject. |
| 12. How are data "incidents" and "breaches" defined? | Pursuant to the PDP Law, “failure to protect personal data” means any failure to protect a person's personal data in terms of the confidentiality, integrity, and availability of personal data, including security breaches, whether intentional or unintentional, leading to destruction, loss, alteration, disclosure, or unauthorized access to personal data sent, stored or processed. |
| 13. Are there any notification requirements for incidents and/or data breaches? | Yes, there are notification requirements under the PDP Law and GR 71. PDP Law: upon a ‘failure to protect personal data’, the data controller must notify both the affected data subjects and the Data Protection Authority within 72 hours. The notification must at least contain: (i) the disclosed personal data; (ii) when and how the personal data was disclosed; and (iii) the data controller's handling and recovery efforts for the disclosure. In certain cases, the data controller must also notify the public of the failure to protect personal data; such cases include where the failure affects public services and/or poses a serious impact on the public interest. The PDP Law does not define "public service", so this term could be interpreted to include all services accessible to the public at large. GR 71: an electronic system operator must (i) report to the relevant authorities and law enforcement (in this case, the MOCD) if there is a serious system failure due to third-party interference, and (ii) notify data subjects if there is a failure to protect personal data within its system. |
| 14. Who is/are the privacy regulator(s)? | Ministry of Communications and Digital (MOCD). The PDP Law mandates the establishment of an independent data protection authority. However, this institution has not been established yet. In the meantime, the data protection authority’s tasks and functions are undertaken by the MOCD. |
| 15. What are the consequences of a data breach? | The PDP Law requires data controllers to ensure the security of personal data as elaborated in Q7 above. If the data breach is proven to have resulted from the data controller's negligence and violation of the PDP Law, the data controller will be subject to administrative sanctions as elaborated in Question No. 22 below. Data subjects may also file a civil lawsuit to demand compensation. |
| 16. How is electronic marketing regulated? | Electronic marketing is subject to various regulations, including the PDP Law, GR 71, Law No. 8 of 1999 on Consumer Protection (“Consumer Protection Law”) and the Indonesian Advertising Ethics (Etika Pariwara Indonesia or “EPI”). Under the PDP Law, marketing requires a lawful basis of processing, most commonly consent or legitimate interest. The MOCD has issued Guidelines for Filling Assessment Tools in the Implementation of Personal Data Protection (“MOCD's PDP Guidelines”), which specifically stipulate that legitimate interest can be relied upon as a lawful basis for processing personal data for direct marketing purposes; the MOCD's PDP Guidelines further provide that, for direct marketing, a data controller must cease sending marketing materials to data subjects who opt to unsubscribe. GR 71 requires electronic systems operators to ensure that electronic information sent to individuals is not pestering (spam). The EPI restricts certain advertising content (e.g., false or misleading information, exploitation of race or religion, unfair comparison with competitors), and Article 17 paragraph (1) of the Consumer Protection Law prohibits deceptive advertising practices. Advertising businesses found to have violated these provisions are prohibited from continuing the distribution of such advertisements. |
| 17. Are there sector-specific or industry-specific privacy requirements? | The PDP Law generally applies to all industries. In addition to the PDP Law, there are several sector-specific regulations, including in the telecommunications, health, financial services and civil administration sectors (see the full text below). |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | The PDP Law requires data controllers and data processors to appoint a DPO to carry out personal data protection functions where certain statutory criteria are met. Constitutional Court Decision No. 151/PUU-XXII/2024 dated 16 July 2025 (“Decision 151/2024”) elaborated that fulfillment of any one of the listed criteria is individually sufficient to trigger the mandatory appointment of a DPO. Minister of Manpower Decree No. 103 of 2023 on National Competency Standards for Personal Data Protection also provides guidance on developing qualifications, training, and certification for DPOs. However, there is currently no requirement to register DPOs with the authorities. |
| 19. What are the record-keeping and documentation obligations? | The PDP Law stipulates that a data controller must record all personal data processing activities (Record of Processing Activities or “ROPA”). |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | Pursuant to the PDP Law, a data controller is required to perform a DPIA where the processing of personal data has a high potential risk to the data subject; high-risk processing activities include, among others, the processing of specific personal data. To determine whether a DPIA is necessary, a data controller should first evaluate whether the processing activity involves such high-risk elements. Input from the DPO, if available, may also be considered in this assessment. The Draft GR also prescribes the minimum contents of a DPIA. |
| 21. What are the requirements for third-party vendor management and data sharing? | In the event that the data controller appoints a third-party vendor as data processor, the data processor is obligated to process the personal data based on the orders of the data controller, and the processing must be carried out in accordance with the provisions of the PDP Law. The data controller remains responsible for the processing conducted by the third-party data processor, unless the third-party data processor acts beyond the data controller's instructions. A data processor is also required to comply with its own obligations under the PDP Law. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | Failure to comply with the PDP Law is subject to administrative sanctions, including administrative fines. The administrative fine shall not exceed 2% of the annual income, or the annual revenue attributable to the various amounts received in breach of the regulation. “Income” is further defined as the gross inflow of economic benefits arising from the entity's normal activities during the period, if the inflow results in an increase in equity that does not come from investors' contributions. Whilst it is currently unclear whether income refers to global income or only income generated from local activities, in our observation the government's intention is only to capture domestic income. The Draft GR further stipulates that the calculation of administrative fines will depend on various variables related to the violation, among others the severity of its negative impact, the duration of the violation, the types of personal data affected, and the number of individuals impacted. In addition, the PDP Law establishes a number of criminal offenses, punishable with imprisonment and/or fines. If the criminal offense is committed by a corporation, the criminal sanction imposed would be a criminal fine only, of up to 10 times the fines stipulated for those offenses, and the corporation may also be subject to additional sanctions. In terms of civil claims, the PDP Law also stipulates that data subjects have the right to lodge a complaint and receive compensation for violations in the processing of their personal data. |
| 23. What are the ongoing compliance and audit requirements? | The PDP Law requires data controllers to supervise each party involved in the processing of personal data under the control of the data controllers, which includes internal and external parties. However, it does not elaborate on the requirements for such audits. |
| 24. Are there any recent developments or expected reforms? | • As noted in Q2 of the Key Legislation Overview, the Draft GR PDP is expected to be issued and enforced in the near future. • Furthermore, the government is also expected to complete the establishment of the independent data protection authority mandated by the PDP Law. Based on recent news, the launch of the data protection authority was initially targeted for August 2025; however, there have been no further updates on the timeline. • On 16 July 2025, the Constitutional Court issued Decision 151/2024, which clarifies the interpretation of the PDP Law with regard to the appointment of a DPO. Originally, the PDP Law requires the appointment of a DPO if a data controller or data processor meets a set of listed elements joined by the conjunctive “and”. From a legal drafting and regulatory formulation perspective, the use of the conjunctive “and” indicates a cumulative nature, where all of the criteria must be satisfied before the mandatory DPO appointment is triggered. However, Decision 151/2024 clarifies that the conjunctive “and” should be interpreted as “and/or”, meaning that meeting any one of the criteria would be sufficient to trigger the mandatory DPO appointment. This decision means that a stricter requirement applies, whereby more business undertakings will be captured by the obligation to appoint a DPO. |
Updated 15 Aug 2025

The main regulation governing privacy and data protection is Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”).
In addition to the PDP Law, provisions on data protection in the following existing regulations remain applicable insofar as they are not contrary to the PDP Law:
- Law No. 11 of 2008 on Electronic Information and Transactions, as lastly amended by Law No. 1 of 2024 (the “EIT Law”);
- Government Regulation No. 71 of 2019 on the Provision of Electronic Systems and Transactions (“GR 71”);
- Minister of Communications and Information Technology (“MCIT”, currently known as the Minister of Communications and Digital or “MOCD”) Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (“MR 20”); and
- MCIT Regulation No. 5 of 2020 on Private Electronic Systems Operators, as amended by MCIT Regulation No. 10 of 2021 (“MR 5”).
There are also data protection regulations that apply to specific sectors (e.g., medical sector, financial sector).
The Indonesian Government is currently drafting the implementing regulation of the PDP Law, which will take the form of a Government Regulation (“Draft GR PDP”). This draft regulation is expected to clarify and expand upon the provisions of the PDP Law, guiding organizations on how to comply effectively.
The PDP Law defines “personal data” as “any data related to an individual (natural person), whether identified or capable of being identified independently or in combination with other information, whether directly or indirectly, through the use of an electronic system and/or non-electronic means”. Such an individual is referred to as a “data subject”.
Personal data under the PDP Law is categorized into “general personal data” and “specific personal data”:
- General personal data includes full name, gender, nationality, religion, marital status, and/or personal data that is combined to identify a person.
- Specific personal data (equivalent to “sensitive personal data”) includes health data, biometric data, genetic data, criminal records, children’s data, personal financial data, and/or other data in accordance with the laws and regulations.
The protection of personal data is generally established by, among others:
- Requiring the implementation of personal data protection principles;
- Requiring the establishment of a lawful basis for personal data processing for general and specific personal data;
- Setting out a set of data subject’s legal rights related to personal data;
- Legally mandated implementation of technical and organizational measures by data controllers and data processors;
- Imposing additional requirements for engaging in cross-border personal data transfer;
- Establishing an independent data protection authority focused on overseeing the implementation and enforcement of the PDP Law.
When processing “specific personal data”, additional requirements must be fulfilled:
- carrying out a DPIA – the PDP Law requires the data controller to carry out a DPIA when processing personal data with a high potential risk to data subjects, including the processing of specific personal data; and
- appointing a Data Protection Officer (“DPO”), if the data controller or data processor fulfils the criteria described in Q18 below.
Generally, the PDP Law applies to all legal acts conducted:
- within the jurisdiction of Indonesia; and
- outside the jurisdiction of Indonesia (i.e., overseas), which have legal consequences (i) in the jurisdiction of Indonesia and/or (ii) on a data subject who is an Indonesian citizen outside the jurisdiction of Indonesia.
Any party that engages in activities within the ambit of the PDP Law is therefore subject to its provisions. The exemption applies to any processing of personal data by individuals engaged in personal or household activities.
Data controllers and data processors are subject to the privacy obligations set forth under the PDP Law. The PDP Law defines a data controller as ‘any individuals, public bodies and international organization that acts individually or jointly in determining the purpose and controls the personal data processing’ and a data processor as ‘any individuals, public bodies and international organization that acts individually or jointly that processes the personal data on behalf of data controller.’
Processing under the PDP Law includes the entire cycle of personal data handling, including the acquisition and collection, processing and analysis, storage, rectification and update, display, publication, transfer, dissemination, or disclosure, and/or deletion or destruction of personal data.
The PDP Law provides that personal data must be processed in accordance with the following principles:
- collected in a limited, specific, lawful, fair, and transparent manner;
- processed in accordance with its purpose;
- processed by guaranteeing the rights of the data subject;
- processed in an accurate, complete, not misleading, up to date, and accountable manner;
- processed by protecting the security of personal data against unauthorized access, unauthorized disclosure, unlawful alteration, misuse, destruction, and/or removal of the personal data;
- processed by notifying the purpose and activity for which the data is processed, as well as the failure to protect the personal data; and
- destroyed and/or erased upon expiry of the retention period or at the request of the data subject, unless otherwise stipulated by law and regulations.
Processing of personal data must be based on one of the following lawful bases of processing:
- Consent: express and valid consent from the data subject for one or several specific purposes that the data controller has communicated to the data subject;
- Contractual necessity: fulfillment of obligations under an agreement to which the data subject is a party, or fulfillment of a request made by the data subject at the time of entering into the agreement;
- Legal obligations: fulfillment of legal obligations to which the data controller is subject under applicable Indonesian laws and regulations;
- Vital interest: protecting the vital interests of the data subject;
- Public interest: performing tasks for public interests, public services, or the exercise of lawful authority by data controller under applicable Indonesian laws and regulations; and/or
- Legitimate interest: fulfilment of other legitimate interests with regard to the purposes, needs, and balance between the data controller’s interest and the data subject’s rights.
A data controller must establish the appropriate lawful basis of processing for the intended purpose.
The PDP Law only regulates personal data retention in a broad manner, requiring personal data to be erased or destroyed when the retention period lapses or at the data subject's request, unless otherwise provided by law or regulation. The PDP Law also does not specify a minimum or maximum retention period. Ideally, a data controller should establish a comprehensive retention policy that sets out the applicable retention period for each type of personal data relative to its purposes. In determining the appropriate retention policy, data controllers must consider various aspects, such as: (i) the mandatory retention period for certain data or certain industries; and (ii) the necessity of retaining the personal data.
With regard to point (i) above, there are several legally mandated retention period requirements, such as:
- Law No. 8 of 1997 on Company Documents: companies to retain records for ten years, starting from the end of the company's financial year;
- Law No. 6 of 1983 on General Provisions and Tax Procedures, as amended and partially revoked several times, last by Law No. 6 of 2023 on Ratification of Government Regulation in lieu of Law No. 2 of 2022 on Job Creation: documents that form the basis of books or records relating to tax, including tax documents for employment purposes, to be kept for ten years; and
- Government Regulation No. 80 of 2019 on E-Commerce: e-commerce business undertakings to retain financial data for a minimum of ten years and non-financial data for a minimum of five years.
With regard to security, the PDP Law requires data controllers to ensure the security of personal data by:
- preparing and taking technical and operational measures to protect personal data from disruption to the processing of personal data that is contrary to laws and regulations; and
- determining the level of security of personal data, bearing in mind the nature and risks of the personal data to be protected in the processing.
The PDP Law is silent on the specific security requirements and standards that must be implemented. Thus, data controllers and data processors may determine their own security measures based on the nature of their business, necessity, and acceptable industry standards, as long as those measures allow them to comply with the PDP Law.
The PDP Law acknowledges the following data subjects’ rights:
- Right to obtain information;
- Right to rectify;
- Right to access;
- Right to terminate processing (including to delete and/or destroy personal data);
- Right to withdraw consent;
- Right to object to automated decision-making (including profiling);
- Right to suspend or restrict processing;
- Right to lodge a complaint and seek compensation; and
- Right to data portability.
Consent must be express (i.e., given in writing or recorded), whether manually or electronically, and on an opt-in basis (it cannot be implicit or hidden, or obtained through error (oversight), duress, or deception), and must be in the Indonesian language (a dual-language format, e.g., English and Indonesian, is also acceptable).
In addition, the consent form provided to the data subject must explain:
- legality of the personal data processing;
- the purpose of personal data processing;
- the type and relevance of the personal data to be processed;
- the retention period of documents containing personal data;
- details regarding the information collected;
- period of personal data processing; and
- rights of the data subject.
Please note that with regard to children (individuals under the age of 18 and unmarried), consent shall be given by the parents and/or guardians. Similarly, with regard to processing the data of persons with disabilities, regardless of the lawful basis of processing relied upon, consent must be obtained from the persons with disabilities or their guardian.
See Q2 above on the lawful basis of processing personal data. Each use case shall be based on a lawful basis of processing, which must be secured in an accountable and transparent manner. This could be achieved by:
- providing the appropriate and compliant notice or consent form (as applicable);
- maintaining record of consent if the processing is based on consent; and
- maintaining the appropriate record of processing activities.
Cross-border personal data transfer by a data controller may only be performed upon meeting the following conditions under the PDP Law:
a. the country of domicile of the receiving data processor and/or data controller has a personal data protection level that is equal or higher than the provisions in the PDP Law (“Adequacy of Protection”);
b. there is an adequate and binding personal data protection in place (“Appropriate Safeguard”); or
c. data subject has provided their consent.
Points (a)-(c) above must be assessed and implemented in sequence. However, since there is no officially approved list of countries that would support the application of Adequacy of Protection, in current practice international data transfers should be based on an Appropriate Safeguard. Should it not be possible to establish an Appropriate Safeguard, an international data transfer may be carried out based on the consent of the data subject.
Pursuant to the PDP Law, “failure to protect personal data” means any failure to protect a person's personal data in terms of the confidentiality, integrity, and availability of personal data, including security breaches, whether intentional or unintentional, leading to destruction, loss, alteration, disclosure, or unauthorized access to personal data sent, stored or processed.
Yes, there are notification requirements under the PDP Law and GR 71, as follows:
- PDP Law: upon a ‘failure to protect personal data’, the data controller must notify both the affected data subjects and the Data Protection Authority within 72 hours. The notification must at least contain: (i) the disclosed personal data; (ii) when and how the personal data was disclosed; and (iii) the data controller's handling and recovery efforts for the disclosure of personal data.
In certain cases, the data controller must also notify the public of the failure to protect personal data. Such cases include where the failure to protect personal data affects public services and/or poses a serious impact on the public interest. The PDP Law does not define "public service", so this term could be interpreted to include all services that are accessible to the public at large.
- GR 71: an electronic system operator must: (i) report to relevant authorities and law enforcement (in this case, the MOCD) if there is a serious system failure due to third-party interference, and (ii) notify data subjects if there is a failure in protecting personal data within its system.
Ministry of Communications and Digital (MOCD).
The PDP Law mandates the establishment of an independent data protection authority. However, this institution has not been established yet. In the meantime, the data protection authority’s tasks and functions are undertaken by the MOCD.
The PDP Law requires data controllers to ensure the security of personal data as elaborated in Q7 above.
If the data breach is proven to have resulted from the data controller's negligence and violation of the PDP Law, the data controller will be subject to administrative sanctions as elaborated in Question No. 22 below. Data subjects may also file a civil lawsuit to demand compensation.
Electronic marketing is subject to various regulations, including PDP Law, GR 71, Law No. 8 of 1999 on Consumer Protection (“Consumer Protection Law”) and the Indonesian Advertising Ethics (Etika Pariwara Indonesia or “EPI”).
PDP Law
As explained in Q2 above, the PDP Law stipulates that a data controller must rely upon a lawful basis in processing personal data, including for marketing purposes. The most common lawful bases for processing of personal data for marketing purposes are consent and legitimate interest.
The MOCD has issued Guidelines for Filling Assessment Tools in the Implementation of Personal Data Protection (“MOCD's PDP Guidelines”), which specifically stipulate that legitimate interest can be relied upon as a lawful basis for processing personal data for direct marketing purposes. The MOCD's PDP Guidelines further provide that, for direct marketing, a data controller must cease sending marketing materials to data subjects who opt to unsubscribe.
GR 71
GR 71 requires electronic systems operators to ensure that electronic information sent to individuals is not pestering (i.e., spam). This spam prohibition includes, but is not limited to, e-mail spam, instant message spam, newsgroup spam, web search engine spam, blog spam, news spam on mobile phones, and internet forum spam. However, GR 71 does not specify what would constitute pestering communications, whether based on content, timing, or frequency.
EPI
In general, contents that are restricted/prohibited in advertising as stated in the EPI include, among others:
- false/misleading information regarding the goods or services;
- exploitation of race, religion, ethnicity, or values of Indonesian culture;
- inciting fear or promoting beliefs in myth;
- disregard of safety;
- hyperbole;
- unfair comparison with competitors’ product;
- deprecation (disparagement) of competitors' products;
- copying or mockery of competitor’s advertisement; and
- pornography.
Consumer Protection Law
In addition, Article 17 paragraph (1) of Consumer Protection Law sets out a number of prohibitions that may not be carried out by advertising businesses in producing advertisements:
- deceiving consumers about the quality, quantity, materials, usefulness and price of goods and/or service rates, as well as the timeliness of receiving goods and/or services;
- deceiving consumers about the guarantee/warranty of goods and/or services;
- containing false, incorrect, or inaccurate information about goods and/or services;
- not containing information about the risks of using goods and/or services;
- exploiting an event and/or a person without the authorized permission or consent of the person concerned; and
- violating ethics and/or the provisions of laws and regulations regarding advertising.
Advertising businesses found to have violated these provisions are prohibited from continuing the distribution of such advertisements.
The PDP Law generally applies to all industries. In addition to the PDP Law, there are several sector-specific regulations as follows:
- Telecommunication sector: Law No. 36 of 1999 on Telecommunications, as amended by Law No. 6 of 2023 on Ratification of Government Regulation in lieu of Law No. 2 of 2022 on Job Creation as a Law, which requires telecommunications operators to keep confidential the information transmitted and/or received by a telecommunications services subscriber through the telecommunications networks and/or telecommunications services that they provide, except for the purposes of criminal proceedings;
- Health sector: Law No. 17 of 2023 on Health, which also regulates the confidentiality of patients’ personal information, and Minister of Health Regulation No. 24 of 2022 on Medical Records, which stipulates that the contents of medical records must be kept confidential by all parties involved in health services at health service facilities (e.g., health personnel providing health services, doctors and dentists, other health personnel and other parties that have access to patients’ health data and information), even after the patient has passed away;
- Financial sector: Financial Services Authority Regulation No. 22 of 2023 on Consumer and Society Protection in the Financial Services Sector, which also requires that any financial services undertaking (banks, insurance companies, credit scoring agencies, and other institutions offering financial services) must always maintain the confidentiality of customers’ personal data;
- Civil administration: Law No. 24 of 2013 on Population Administration, which requires the government to always protect the confidentiality of the personal data of its citizens, which includes, among others, information on physical/mental disability, fingerprints, iris and signature; and
- Cybersecurity: the EIT Law, which stipulates criminal sanctions for anyone who intentionally and unlawfully accesses a computer system and/or electronic system (hacking).
The PDP Law requires data controllers and data processors to appoint a DPO to carry out personal data protection functions in the following cases:
- if the personal data processing is for public interest;
- if the main activity of the data controller has the nature, scope, and/or purpose that requires large-scale, frequent, and systematic monitoring of personal data; and/or
- if the main activity of the data controller involves large-scale processing of specific personal data and/or personal data related to criminal offense.
The Constitutional Court Decision No. 151/PUU-XXII/2024 dated 16 July 2025 (“Decision 151/2024”) elaborated that the fulfillment of any of the listed criteria is individually sufficient to trigger the mandatory appointment of a DPO.
Minister of Manpower Decree No. 103 of 2023 on National Competency Standards for Personal Data Protection also provides guidance on developing qualifications, training, and certification for DPOs. However, there is currently no requirement to register DPOs with the authorities.
The PDP Law stipulates that a data controller must record all personal data processing activities (Record of Processing Activities or “ROPA”).
Pursuant to the PDP Law, a data controller is required to perform a DPIA where the processing of personal data carried out poses a high potential risk to the data subject.
High-risk processing activities include:
- automated decision making which has legal consequences or significant impact on the data subject (e.g., profiling);
- processing of specific personal data (including health data, biometric data, genetic data, criminal records, children’s data, personal financial data);
- processing of personal data on a large scale;
- processing of personal data for evaluation, scoring, or systematic monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- usage of new technologies in the processing of personal data; and/or
- processing of personal data which limits the exercise of the rights of the data subject.
To determine whether a DPIA is necessary, a data controller should first evaluate if the processing activity involves high-risk elements as outlined above. Input from the DPO, if available, may also be considered in this assessment.
Under the Draft GR, a DPIA should contain at least:
- a systematic description of personal data processing activities and the purposes of personal data processing, including the interests of the data controller in this processing;
- assessment of the need for and proportionality between the purposes and activities of the processing of personal data;
- risk assessment for protecting the rights of data subjects; and
- measures used by the data controller to protect data subjects from the risks of personal data processing.
In the event that a data controller appoints a third-party vendor as data processor, the data processor is obligated to process the personal data based on the instructions of the data controller. The personal data processing must be carried out in accordance with the provisions of the PDP Law.
In this instance, the data controller remains responsible for the processing conducted by the third-party data processor, unless the third-party data processor is acting beyond the data controller’s instructions.
Data processors may involve other data processors in processing personal data. Data processors are required to obtain written consent from the data controller before engaging other data processors. In the event that a data processor processes personal data outside the instructions and purposes determined by the data controller, that processing becomes the responsibility of the data processor. When additional data processors or sub-processors are involved, the data controller must ensure that they apply a level of data protection equal to or higher than that established between the data controller and its primary data processor. This requirement can be formalized in the agreement between the data controller and the data processor.
A data processor is required to comply with the following obligations:
- verify accuracy, completeness, and consistency of personal data;
- maintain a record of processing activities;
- protect and ensure the security of the personal data processed by (i) preparing and taking technical and operational measures to protect personal data from unlawful disruption of its processing and (ii) determining the level of security of the personal data, taking into account the nature and risks of the personal data being protected in the processing;
- maintain the confidentiality of personal data;
- supervise parties involved in the processing of personal data under their control;
- protect personal data from unauthorized access;
- appoint a DPO, if required (please see Q18 for the requirements to appoint a DPO).
Failure to comply with the PDP Law is subject to the following administrative sanctions:
- Written warning.
- Temporary suspension of processing activities.
- Erasure or destruction of personal data.
- Administrative fine.
The administrative fine shall not exceed 2% of the annual income or annual revenue attributable to the amounts received in breach of the regulation. “Income” is further defined as the gross inflow of economic benefits arising from the entity's normal activities during the period, where the inflow results in an increase in equity that does not come from investors’ contributions. Whilst it is currently unclear whether income refers to global income or only income generated from local activities, in our observation the government’s intention is to capture only domestic income.
The Draft GR further stipulates that the calculation of administrative fines will depend on various variables related to the violation, among others the severity of its negative impact, the duration of the violation, the types of personal data affected, and the number of individuals impacted.
In addition, the PDP Law establishes a number of criminal offenses, punishable with imprisonment and/or fines, as follows:
- Deliberately and unlawfully acquiring or collecting another person’s personal data for the benefit of themselves or another party, or in a way which may cause damage to the data subject, is subject to imprisonment of up to 5 years and/or a fine of up to IDR 5 billion.
- Deliberately and unlawfully disclosing another person’s personal data is subject to imprisonment of up to 4 years and/or a fine of up to IDR 4 billion.
- Deliberately and unlawfully using another person’s personal data is subject to imprisonment of up to 5 years and/or a fine of up to IDR 5 billion.
- Deliberately falsifying personal data for the benefit of themselves or another party, or in a way which may cause loss to another person, is subject to imprisonment of up to 6 years and/or a fine of up to IDR 6 billion.
If the criminal offense is committed by a corporation, only a criminal fine may be imposed, of up to 10 times the above amounts.
If the violation is carried out by a corporation, it may also be subject to the following additional sanctions:
- Seizure of assets obtained or generated from the crime.
- Freezing of all or part of the corporation’s business.
- Permanent prohibition on carrying out certain actions.
- Closure of all or part of the corporation’s business premises and activities.
- An order to carry out an obligation that has been neglected.
- Payment of compensation.
- Revocation of license.
- Dissolution of the corporation.
In terms of civil claims, the PDP Law also stipulates that data subjects have the right to lodge a complaint and receive compensation for violations in the processing of their personal data.
The PDP Law requires data controllers to supervise each party involved in the processing of personal data under their control, including internal and external parties. However, it does not elaborate on the requirements for such an audit.
• As noted in Q2 of the Key Legislation Overview, the Draft GR PDP is expected to be issued and enforced in the near future.
• Furthermore, the government is expected to complete the establishment of the independent data protection authority mandated by the PDP Law. Based on recent news, the launch of the data protection authority was initially targeted for August 2025. However, there have been no further updates on the timeline.
• On 16 July 2025, the Constitutional Court issued Decision 151/2024, which clarifies the interpretation of the PDP Law with regard to the appointment of a DPO.
Originally, the PDP Law required the appointment of a DPO where a data controller or a data processor met the following elements:
- if the personal data processing is for public interest;
- if the main activity of the data controller has the nature, scope, and/or purpose that requires large-scale, frequent, and systematic monitoring of personal data; and
- if the main activity of the data controller involves large-scale processing of specific personal data and/or personal data related to criminal offense.
From a legal drafting and regulatory formulation perspective, the use of the conjunctive “and” indicates a cumulative requirement, under which all of the above criteria must be satisfied before the mandatory DPO appointment is triggered.
However, Decision 151/2024 clarifies that the conjunctive “and” should be interpreted as “and/or”, meaning that meeting any one of the above criteria is sufficient to trigger the mandatory DPO appointment.
This decision means that a stricter requirement applies, as more business undertakings will be captured by the obligation to appoint a DPO.