On 17 October 2022, the Indonesian government enacted Law No. 27 of 2022 on Personal Data Protection (the "PDPA"). This post gives an overview of the 2022 Indonesian Personal Data Protection Act (PDPA).
The Indonesian data protection law, or PDPA, is said to be modeled after the EU GDPR; however, there are differences, and legal advice should be sought when adapting a privacy policy for Indonesian residents.
Outline of this overview is as follows:
Principles of data processing
Similar to the EU GDPR, Article 16 Paragraph (2) of the PDPA provides for the following data protection principles:
• Lawfulness principle
• Purpose limitation
• Data minimization
• Storage limitation
• Integrity and confidentiality
Legal basis for data processing
Article 20 Paragraph (2) of the PDPA, which mirrors Article 6 of the General Data Protection Regulation (GDPR), sets out the available legal bases for data processing, namely: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
The key principle is that data may only be processed in accordance with the purpose(s) to which the data subject has consented. Articles 22 to 24 of the PDPA deal with the requirement to obtain consent.
The provisions requiring consent from data subjects appear, to some extent, similar to those under the GDPR.
However, the PDPA does not state whether the click-wrap method of recording consent will be recognized. This can be a problem because Indonesian judges still take a traditional view of a valid agreement as a document containing the terms of agreement with a wet-ink signature on it. Recently, regulations have been passed to allow electronic signatures where the users have enrolled with a local certifying authority to certify such signatures. The regulations also recognize uncertified signatures (Article 60, Government Regulation No. 71 of 2019 on Administration of Electronic Systems and Transactions). As it stands now, the legal framework recognizes certified electronic signatures and uncertified electronic signatures (DocuSign comes to mind). However, there is still uncertainty about the legality of signifying assent to terms and conditions using the click-wrap method.
See this page for further discussion: Electronic Contract Best Practices: Indonesia
Disclosure in consent
The disclosure required for obtaining consent is set out in Article 21 of the PDPA; the required information includes:
• The purpose of Personal Data processing
• The retention period of documents containing Personal Data
• The details of the Data collected
• The period of Personal Data processing
• The rights of the Personal Data Subject
The data subject needs to be notified of any change in the above.
Accuracy and updating
Under one of the principles discussed above, data controllers are obliged to process data "in an accurate, complete, not misleading, up-to-date and accountable manner". Article 29 of the PDPA obliges the data controller to verify data.
Data controllers are required to update and correct errors in personal data within 72 hours of receiving a request for such updates or corrections (Article 30 of the PDPA).
In this regard, note that the Data Controller must provide access to data within 72 hours of a request from the data subject (Article 32 of the PDPA).
Data subjects are to be notified within 72 hours of any data breach (Article 46 of the PDPA).
See this page for further discussion: Data Controller obligations in the event of a data breach
While the PDPA recognizes the role of data processors, data controllers still have the obligation to supervise data processors (Article 37 of the PDPA). The duty to prevent unauthorized access still rests with the data controller (Article 39 of the PDPA), and this appears to be the case even if a data processor has been appointed.
Transfer of data outside Indonesia
Transfer of data out of Indonesia (Article 56) is permitted if:
a) The destination country has in place data protection law that is on par with, or imposes "higher" standards than, Indonesia's data protection law; or
b) The data controller ensures that "there is adequate and binding personal data protection"; or
c) The consent of the data subject is obtained.
Item (b) presumably means that the data controller needs to at least have in place adequate assurance from the overseas entity receiving the data. This needs to be looked at on a case-by-case basis.
Data Protection Impact Assessment
A Data Protection Impact Assessment is required under Article 34 of the PDPA. Although this requirement appears to be influenced by the GDPR requirement, it appears to have gone broader in coverage: an impact assessment is required when "processing personal data on a large scale" or when the processing involves "matching or combining groups of data". These phrases appear potentially broader in scope than what the EU GDPR contemplates. Article 34(3) provides for further implementing regulations which, hopefully, will clarify when such assessments are required.
Data protection officer
Data controllers are required to appoint a data protection officer (Article 53 of the PDPA). At this point, there is no registration requirement for the data protection officer. However, the relevant provision provides for further implementing regulations to be passed with regard to the appointment of the data protection officer.
The PDPA creates the following offenses, which are punishable by a fine and/or imprisonment:
• Unlawfully obtaining or collecting Personal Data that does not belong to them with the intention of benefiting themselves or others (Article 67(1) of the PDPA)
• Intentionally and unlawfully disclosing Personal Data that does not belong to them (Article 67(2) of the PDPA)
• Intentionally and unlawfully using Personal Data that does not belong to them (Article 67(3) of the PDPA)
• Intentionally creating false Personal Data or falsifying Personal Data with the intention of benefiting themselves or others (Article 68 of the PDPA)
Management and/or beneficial owners may also be liable under these provisions (Article 70 Paragraph (1) of the PDPA).
The threat of criminal sanction underscores the need to have in place a framework for proving that consent for the collection of data has been obtained; see the discussion above regarding click-wrap and consent.
The aggrieved party may seek compensation from the defaulting data controller (Article 12 of the PDPA).
The court may also impose sanctions such as payment of compensation, suspension of business, confiscation of profits, partial or complete shutdown or cessation of business, and dissolution of the corporation (Article 70 Paragraph (4)). In the case of a fine, the amount can be up to two (2) percent of the corporation's turnover (Article 57 Paragraph (3) of the PDPA).
The sanction of imprisonment is one significant area where the Indonesian PDPA departs from the EU's GDPR, which provides for administrative fines, correction orders, and compensation but not imprisonment.
Data controllers have two years from the passing of the law (17 October 2022) to comply with the provisions of the PDPA.
What should organizations do?
Companies should immediately review their respective privacy policies to ensure that they do not conflict with the PDPA.