Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

There are no limitations on the collection, storage and processing of personal data, as long as proper consent from the personal data owner has been obtained beforehand.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There is no limitation period for retaining personal data that is stored in an electronic system.

Do individuals have a right to access personal information about them that is held by an organisation?

There is no express provision conferring on an individual the right to access his or her personal data. The Government Regulation Concerning Electronic Systems and Transaction Providers stipulates that an electronic system provider must maintain the confidentiality, integrity and availability of personal data, but it is unclear whether this can be interpreted to mean that individuals have the right to access their personal data. 

Do individuals have a right to request deletion of their data?

There is no express provision that confers on an individual the right to delete his or her personal data. In the absence of any prohibition, individuals should be able to request the deletion of their personal data.

Consent obligations
Is consent required before processing personal data?

Consent must be obtained from the personal data owner for the purpose of – among other things – the collection and use of personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

In principle, consent from the personal data owner is required unless determined otherwise by applicable laws and regulations. One example where consent is not required is when the personal data is collected as part of a legitimate request from an authorised authority for law enforcement purposes.

What information must be provided to individuals when personal data is collected?

The Government Regulation Concerning Electronic Systems and Transaction Providers requires an electronic system provider to ensure that the use and disclosure of data is based on the personal data owner’s consent and is in accordance with the purpose conveyed to the personal data owner at the time of collection. A broad interpretation of this provision implies that an electronic system provider must convey the collection purpose to the personal data owner at the time of collection.

In addition, the regulation also requires an electronic system provider to provide an electronic system user with:

  • its identity;
  • the object of the electronic transaction;
  • details of the electronic system’s security;
  • a user manual;
  • the contractual terms and conditions for the electronic transaction;
  • the procedures for reaching a transaction agreement; and
  • a privacy guarantee or personal data protection guarantee.

Article 1(9) of the regulation defines an ‘electronic system user’ as any person, state administrator, business entity or society that utilises the goods, services, facilities or information provided by an electronic system provider.

The scope of this requirement is broad and covers more than just personal data.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

The Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers include no specific rules pertaining to the transfer of data outside the Indonesian jurisdiction. Specifically for personal data, consent from the personal data owner must be obtained before the data transfer.

Are there restrictions on the geographic transfer of data?

There are no restrictions on the geographic transfer of data under the Law Concerning Electronic Information Technology or the Government Regulation Concerning Electronic Systems and Transaction Providers.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Consent must be obtained from the personal data owner before personal data is transferred to a third party. Once the personal data is transferred, the receiving party will become an electronic system provider and will therefore be subject to the requirements set out in the Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers. 
