The Indonesian government has just revealed a draft Government Regulation to implement the Personal Data Protection Law or PDP Law (“Implementing Regulation”). To access our newsletter on the PDP Law, please click here.
The Implementing Regulation is expected to bring clarity on numerous aspects of the PDP Law, including notification procedures on personal data breaches and minimum requirements for personal data processing in various related documents.
We anticipate that the Implementing Regulation will be issued in 2024.
Below are a few salient points from the Implementing Regulation:
- More Specific Obligations of Controllers
Unlike the PDP Law, which is more general in nature, the Implementing Regulation lays out detailed obligations of Personal Data Controllers (“Controllers”) throughout each stage of personal data processing, including collecting, storing, analysing, updating, announcing, transferring, and removing personal data.
For example, when it comes to personal data storing, the Implementing Regulation specifically requires Controllers, among other things, to (i) conduct data encryption and/or masking, create backup copies, apply data encryption and/or masking to backup copies, and (ii) record and/or document the storage location of the personal data.
To enhance the security and convenience of personal data subjects, Controllers are obliged to set up a communication line that allows personal data subjects to directly communicate with Controllers.
- Specific Guidelines for Obtaining Consent
The Implementing Regulation provides more details on how a Controller can obtain consent from personal data subjects, including by way of electronic measures (such as columns or other approval features), which are not specifically addressed in the PDP Law. This clarifies the question that has been left unanswered thus far.
- Personal Data Breach Notification
The Implementing Regulation clarifies the requirement for Controllers to promptly notify data subjects of any personal data breach within a maximum period of 3 x 24 hours as of the Controllers becoming aware of the breach. However, this notification requirement is not applicable if the breach does not result in the disclosure of Personal Data.
- Personal Data Transfer to Offshore Locations
The PDP Law permits the transfer of personal data to other countries insofar as the transferor ensures that the designated country at least has the same level of data protection laws as the PDP Law. However, the PDP law does not specify the criteria for assessing the adequacy of such offshore regulations. The Implementing Regulation fixes the loophole by providing the following specific benchmarks:
- the designated country has regulations in place to protect personal data;
- the designated country has a supervisory commission for personal data protection; and
- the designated country has made international commitments or is subject to an international treaty or convention on personal data protection.
- Standard Clauses in Personal Data Agreements and Documents
To improve the protection of personal data subjects, the Implementing Regulation establishes standard forms and clauses for mandatory agreements and documents in personal data processing activities, which include standard forms and clauses in (i) an agreement between Controllers and personal data processors, (ii) a cooperation agreement for joint Controllers, and (iii) a notification on personal data protection failures.
Our team will continuously and closely monitor this matter and will update you on any developments or progress. If you have further inquiries about this newsletter, please reach out to us at email@example.com or any of our lawyers.