As the compliance deadline for the PDP Law is just weeks away, it is crucial for companies to ensure that their business operations fully comply with and align to the PDP Law, particularly considering the harsh administrative sanctions under the PDP Law, which range from written warnings, suspension of personal data processing activities, and deletion or destruction of personal data, to administrative fines of up to 2% of annual revenue.
We have previously provided an overview of the PDP Law and a brief summary of its draft implementing Government Regulation. Our newsletter team now highlights the key responsibilities of Data Controllers and the requirements for transferring personal data offshore.
Key Obligations of Data Controllers
- Processing personal data on a lawful basis.
Data Controllers must have at least one lawful basis for processing personal data. The PDP Law recognises six alternative lawful bases: (i) explicit consent; (ii) fulfilment of contractual obligations; (iii) fulfilment of legal obligations; (iv) protection of vital interests; (v) performance of a duty in the public interest, public service, or exercise of public authority; and (vi) legitimate interest.
- Responsibility for personal data processing.
Data Controllers are accountable for all personal data processing activities, including those performed by their appointed Data Processors, provided that those processing activities follow the Data Controllers’ instructions and purposes.
- Documentation of personal data processing.
Data Controllers must document and maintain records of data flows related to personal data processing (ROPA – Records of Processing Activities).
- Ensuring privacy, confidentiality and security.
Data Controllers must maintain the confidentiality of the personal data and take measures to protect personal data from unauthorized access and processing.
- Written notification of data breaches.
Data Controllers are required to notify the data subject and the soon-to-be-established Indonesian data protection authority in writing within 72 hours of becoming aware of a data breach.
- Appointing a Data Protection Officer (“DPO”).
Appointing a DPO is a regulatory requirement if a company: processes personal data for public service duties; handles large-scale personal data that requires regular and systematic monitoring; and processes large-scale specific personal data and/or personal data related to crimes.
Although the PDP Law uses the word “and”, which suggests that these conditions are cumulative, our reading of the elements above is that the most logical interpretation is that they are alternative in nature.
- Offshore Personal Data Transfer
To transfer personal data outside of Indonesia, the PDP Law requires Data Controllers to follow a three-step process: (i) verify that the destination country provides an equivalent or higher level of personal data protection; (ii) if not, ensure that adequate and binding personal data protection is in place (e.g., by agreement); and (iii) if neither condition is satisfied, obtain explicit consent from the data subject.
Currently, the Indonesian government has not issued any implementing regulations on offshore personal data transfer, leaving the criteria for assessing the level of protection in recipient countries unclear.
Our team will continuously and closely monitor this matter and will update you on any developments or progress.
If you have further inquiries about this newsletter, please reach out to us at info@wplaws.com or any of our lawyers.