Data Protection in Indonesia: A Brief Overview

4 July 2025

The main legal and regulatory framework governing data protection in Indonesia is Law No. 27 of 2022, dated October 17, 2022, regarding Personal Data Protection (“PDP Law”). The PDP Law applies both domestically and extraterritorially. It provides the general principles governing the processing of personal data in Indonesia and the legal bases for the collection of personal data.

Following the enactment of the PDP Law, the Indonesian Government, through the Ministry of Communication and Digital Affairs (formerly the Ministry of Communication and Information) (“MOCDA”) and the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara or “BSSN”), is drafting several new regulations addressing data protection, privacy, and the broader cybersecurity landscape.

A key focus is the Draft Government Regulation on the Implementation of the PDP Law (“Draft GR on PDP”). This will be the first implementing regulation for the PDP Law and will provide detailed provisions on various aspects of personal data protection, including the obligations of personal data controllers, the role of personal data protection officers, and further clarification on consent requirements. As of the date of this writing, it has been reported that the Government is finalizing the Draft GR on PDP.

In addition, the Indonesian Government is planning to establish a National Data Center, primarily aimed at enhancing cybersecurity within the public sector. This initiative may also affect certain private sector entities, particularly those handling data related to public interests, such as health data. Several additional regulations are also being drafted to further strengthen the country’s cybersecurity protections.

Registration Requirements for Electronic System Providers

Foreign companies should be aware of registration and licensing requirements under Indonesian regulations. Specifically, MOCDA Regulation No. 5 of 2020 and MOCDA Regulation No. 5 of 2025 require Electronic System Providers (“ESPs”) in both the public and private sectors to register with the MOCDA. Registration is evidenced by the issuance of an ESP registration certificate.

Private ESPs are individuals, business entities, or community groups that operate electronic systems, while Public ESPs are state administrative agencies, or institutions appointed by such agencies, that operate electronic systems. Essentially, ESPs that meet certain criteria, including those that operate any online portal, site, or application accessible via the internet that is used for the offering or trading of goods and services, are subject to these registration requirements.

In practice, private ESPs that are directly accessible to end users are generally required to register. Private ESPs that operate backend systems, such as those supporting payment system infrastructure, are typically not subject to the registration requirement.

Data Retention and Record-Keeping

With respect to data retention, personal data stored in an electronic system must be retained for a minimum of five years, starting from the point at which the data subject ceases to use the system. This five-year period is often applied as a general benchmark for personal data retention.

In practice, compliance with the record-keeping obligation under the PDP Law is generally fulfilled through a Record of Data Processing Activities (“ROPA”), which tracks all personal data processing activities within an organization.

Data Protection Impact Assessments and Data Protection Officers

Under the PDP Law, a Data Protection Impact Assessment (“DPIA”) is required to assess potential risks associated with the processing of personal data. The DPIA also identifies the measures that must be taken to mitigate these risks, safeguard the rights of data subjects, and ensure compliance with the PDP Law. A data controller is required to conduct a DPIA if the processing of personal data carries a high potential risk to the data subject.

In certain types of personal data processing, organizations, whether acting as a data controller or data processor, may be required to appoint a Data Protection Officer (“DPO”) to oversee compliance with data protection obligations.

Cross-Border Data Transfers

The PDP Law allows the transfer of personal data outside of Indonesia under certain conditions. The transfer is permitted if one of the following requirements is met:

  1. The recipient country has an equal or higher level of personal data protection than Indonesia;
  2. There are adequate and binding personal data protection safeguards in place; or
  3. The data subject has given consent to the transfer.

The above requirements are not yet fully in effect, mainly because there is no Data Protection Authority (“DPA”) in place. For now, in cases of cross-border data transfers involving electronic systems, ESPs must notify the MOCDA both before and after the transfer. The MOCDA has provided an internal template for the notification letter to help guide the process.

Security Breaches and Mandatory Notification

In the event of a “security breach”, the PDP Law requires data controllers to notify both the competent authorities and the affected data subjects within 3×24 hours of discovering the breach. The notification must include, at a minimum: (i) details of the personal data that was compromised; (ii) when and how the data was disclosed; and (iii) the measures taken by the data controller to address and rectify the breach.

In certain circumstances, the data controller is also required to inform the public if the breach disrupts public services or has a serious impact on the public interest.

Separately, ESPs shall also immediately report any serious system failures or disruptions caused by external actions to the relevant ministries or institutions, as well as to law enforcement authorities.

Lastly, consultation is required or encouraged in several situations, including prior to conducting cross-border personal data transfers, in carrying out a DPIA, in the event of a failure in personal data protection within an electronic system, and for the facilitation of out-of-court dispute resolution.

This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.

For More Information, Please Contact
Winnie Yamashita Rolindrawan
winnierolindrawan@ssek.com
Nico A. P. Mooduto
nicomooduto@ssek.com