There is no law or regulation in Indonesia that specifically regulates the collection, use or handling of an applicant’s personal data, including protection of the privacy of an employee’s particulars. The Indonesian Minister of Communication and Informatics (MOCI) relatively recently issued MOCI Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (MOCI Reg 20), which stipulates the protections afforded to personal data stored in an electronic system.
While no regulation stipulates the protection of non-electronic personal data, all persons have a general right to privacy under the Indonesian Human Rights Law.
Retaining Personal Data of Employees
Manpower laws and regulations do not expressly deal with employee data privacy. In the absence of specific provisions, reference shall be made to MOCI Reg 20 as well as Law No. 8 of 1997 regarding Corporate Documents (Law No. 8).
First, Article 15 paragraph (3) of MOCI Reg 20 requires personal data stored in electronic systems to be stored for at least five years unless otherwise regulated. The five-year period commences on the date a party ceases to be a user of an electronic system. After the five-year period has elapsed, the personal data may be erased unless the data is still used or utilized in line with the initial purpose of its obtainment and collection.
Separately, to the extent that the employee’s personal data is not encrypted in an electronic system, reference shall be made to Law No. 8 as the primary regulation on maintaining corporate documents. Articles 3 and 4 of Law No. 8 differentiate between (i) financial documents and (ii) other documents.
Financial documents consist of records, bookkeeping documentation and financial administration supporting data, which evidence the rights, obligations, financial affairs, and business activities of a company. “Other documents” consist of data or any writings containing information having effective value for a company even though not directly related to financial documents.
The elucidation of Article 4 of Law No. 8 mentions that other documents include minutes of general meetings of shareholders, a company’s deed of establishment, other authentic deeds containing specific legal interests and a company’s taxpayer registration number.
We note that “employee personal data” is not expressly mentioned as an example of “other documents” in the elucidation. However, it is prudent to treat employee personal data as “other documents” and to apply the related rules as follows.
Pursuant to Article 11 paragraph (3) of Law No. 8, the retention term of other documents (i.e., employee files) shall be based on the usage value of such documents. The term shall be determined at the discretion of the Board of Directors.
We note that pursuant to Article 96 of Law No. 13 of 2003 regarding Manpower, there is a two-year limitation period for employee claims. We therefore recommend that physical, non-encrypted employee personal data be retained for at least two years after termination of employment.
Offshore Transfer of the Personal Data of Employees
Under Article 22 of MOCI Reg 20, a party domiciled in Indonesia that wishes to effect the offshore transfer of personal data must coordinate with the MOCI or an authorized official/institution. This coordination encompasses (i) reporting the planned data transfer, including at least information on the receiving state, the receiver, the date of transfer, and the purpose of such offshore transfer, (ii) requesting advocacy, if necessary, and (iii) reporting the result of the data transfer. The party must also implement the regulatory provisions on offshore data transfers.
It should be noted that, as of the date of this writing, the enforcement of these requirements is unclear. No implementing regulations have been issued to clarify the requirements on coordination with the MOCI, nor is there any existing regulation that specifically regulates offshore data transfers. Under existing regulations, the only applicable regulatory provision for offshore data transfers – or any data transfer, in fact – would be the general requirement to obtain the consent of the data owner for such offshore data transfer.
Notwithstanding the above, we recommend that the employer’s right to perform offshore data transfers be clearly stipulated in the Company Regulation.
Transferring the Personal Data of Employees to Third Parties
There is no legal restriction on transferring an employee’s personal data to a third party as long as the consent of the employee is obtained by the employer. We recommend that the employer’s right to transfer employees’ personal data to a third party be stipulated in the Company Regulation.