There are several main obligations that must be fulfilled by an electronic system provider (ESP) in Indonesia under Minister of Communication and Informatics Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems (MOCI Regulation 20) to ensure that personal data is processed properly. These obligations include:
- Conducting certification of the electronic system managed by the ESP and ensuring the electronic system:
- has interoperability and compatibility capabilities; and
- uses legal software.
- Having internal regulations related to the protection of personal data.
- Obtaining sufficient consent from the data subject by providing a consent form.
- Ensuring that the personal data acquired and collected is restricted to only the relevant information and pursuant to its purpose. The data must also be acquired and collected accurately.
- Respecting the confidentiality of the personal data by providing options to the data subject regarding:
- whether the personal data is confidential; and
- the amendment, addition, or update of the personal data.
- Verifying the accuracy of the personal data.
- Only processing the personal data in accordance with the ESP's requirements, which have been clearly stated during the acquisition and collection of such personal data.
- Ensuring the personal data stored in the electronic system is in an encrypted form.
- Ensuring the storage of the personal data in the electronic system is done in accordance with the procedures and facilities of the electronic system security.
- Providing a contact person who can be easily contacted by the data subject relating to the management of their personal data.
Consent and Processing Personal Data
Personal data can only be processed if the proper prior consent of the data subject is obtained, as under personal data protection regulations. MOCI Regulation 20 specifically stipulates that the consent must be in writing and can be provided manually or electronically. The language of the consent should be Indonesian, although there is no prohibition on having it in a bilingual format. In any case, Indonesia’s personal data protection regulations do not state that the consent must be in the form of a separate stand-alone document.
If the data subject is a child, consent can be provided by a parent or guardian, in accordance with the applicable laws and regulations. The parent must be either the biological father or mother, while the guardian must be the person who has a lawful obligation to take care of the child.
If consent is not given, there are no other grounds to enable the processing of personal data.