There are several main obligations that must be fulfilled by an electronic system provider (ESP) under Indonesian Minister of Communication and Informatics (MOCI) Regulation No. 20 of 2016 regarding Personal Data Protection in Electronic Systems (MOCI Regulation 20) to ensure personal data is processed properly.

These obligations include:

  • Conducting certification of the electronic system managed by the ESP and ensuring the electronic system:
    • has interoperability and compatibility capabilities; and
    • uses legal software.
  • Having internal regulations related to the protection of personal data.
  • Obtaining sufficient consent from the data subject by providing a consent form.
  • Ensuring that the personal data acquired and collected is restricted to only the relevant information and pursuant to its purpose. The data must also be acquired and collected accurately.
  • Respecting the confidentiality of the personal data by providing options to the data subject regarding:
    • whether the personal data is confidential; and
    • the amendment, addition, or update of the personal data.
  • Verifying the accuracy of the personal data.
  • Only processing the personal data in accordance with the ESP's requirements, which have been clearly stated during the acquisition and collection of such personal data.
  • Ensuring the personal data stored in the electronic system is in an encrypted form.
  • Ensuring the storage of the personal data in the electronic system has been done in accordance with the procedures and facility of electronic system security.
  • Providing a contact person who can be easily contacted by the data subject relating to the management of their personal data.

Consent for Processing Personal Data

Personal data can only be processed if the proper prior consent of the data subject is obtained, as under Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended by Law No. 19 of 2016 (Electronic Information Law), Government Regulation No. 82 of 2012 regarding Implementation of Electronic Systems and Transactions (Government Regulation 82) and MOCI Regulation 20 (together, the PDP Regulations). 

MOCI Regulation 20 specifically stipulates that the consent must be in writing and can be provided manually or electronically. The consent should be in the Indonesian language, although there is no prohibition in having it in a bilingual format. In any case, the PDP Regulations do not state that the consent must be in the form of a separate stand-alone document.

If the data subject is a minor, consent can be provided by the parents or guardian, in accordance with the applicable laws and regulations. The parents must be either the biological father or mother, while the guardian must be the person who has a lawful obligation to take care of such minor.

An Organisation's Legal Obligations in Relation to Personal Data

For the time being, it is not necessary for an organization to appoint a specific designated individual to oversee the organization’s legal obligations in relation to personal data, considering that the PDP Regulations are silent on this matter, procedural guidelines have not been issued and a number of requirements are not enforceable. The principal requirement that must be fulfilled under the PDP Regulations is to obtain consent from the data subject prior to the processing of the personal data.

The Ministry of Law and Human Rights (MOLHR) and the MOCI are finalizing a draft law on Personal Data Protection (PDP Draft Law), which was initially targeted to be issued in 2017. The enactment of the PDP Draft Law would result in the first comprehensive law in Indonesia that specifically deals with the protection of personal data.

The MOCI is also preparing a draft amendment to Government Regulation 82 (GR 82 Draft Amendment), in coordination with Indonesia’s central bank, Bank Indonesia, the Financial Services Authority (Otoritas Jasa Keuangan or OJK), the MOLHR and the National Agency for Food and Drug Supervision (Badan Pengawas Obat dan Makanan or BPOM). It is rumoured that the GR 82 Draft Amendment is in the finalization stage and will be ready for issuance in the near future.

There might be a change in an organization’s legal obligations in relation to personal data when the PDP Draft Law, the GR 82 Draft Amendment and other procedural regulations are enacted.