All questions

Data protection

i Requirements for registration

While Indonesia has enacted various laws relating to data privacy in a number of specific areas (e.g., banking and tax), currently no specific and dedicated laws have been enacted regarding the protection of an employee's privacy before, during or after employment. The laws that may be applicable are Law No. 39 of 1999 on Human Rights (the Human Rights Law) and Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions (the EIT Law).

The Human Rights Law stipulates that each individual has the right to his or her own privacy, and may not be subjected to an investigation without his or her agreement. Article 39 of the Human Rights Law provides that freedom and secrecy of communication by letter or any other electronic media may not be disturbed or interrupted except upon the instruction of a judge or other authority.

Article 26(1) of the EIT Law stipulates that, unless provided otherwise by relevant laws and regulations, use of any information through electronic media that involves an individual's personal data must be made with the consent of the person concerned. In line with the Elucidation to Article 26(1) of the EIT Law, the protection of personal data is part of privacy rights that include the following definitions: (1) the right to enjoy a personal life, free from any disturbance; (2) the right to communicate without conversations being spied on; and (3) the right of access to information to do with an individual's personal life or privacy. In relation to the above, Government Regulation No. 82 of 2012, as implementing regulation of the EIT Law, stipulates that an operator of an electronic system who manages the personal data in the electronic media, must maintain the confidentiality, integrity, authenticity, accessibility, availability, and traceability of such electronic information or documents in accordance with laws and regulations.

Based on the foregoing, considering the broad interpretation of personal data, any data or electronic documents related to employees may be considered as personal data; thus, an employer may reserve the right to routinely review all employee emails sent using the employer's email system or documents managed, maintained and held by the employee, if the employee has been granted to the employer.

ii Cross-border data transfers

The prevailing labour law and regulations do not contain restricting provisions in relation to the dissemination or exportation of data to another company in jurisdictions outside Indonesia. However, taking into account the provisions of the Human Rights Law and the EIT Law, such dissemination or exportation of employee data may be done with the employees' consent.

iii Sensitive data

The prevailing labour laws and regulations do not provide definitions of 'sensitive data', nor do they set forth restrictions on processing sensitive data.

An employer may undergo a medical screening test as long as it is carried out with the aim of obtaining information that is relevant to the position's function and duties. The employer may undergo the test by themselves or use the services of a third party.

Under the Minister of Labour and Transmigration Decision No. KEP.68/MEN/IV/2004 of 2004 on prevention and control of HIV/AIDS in the workplace, an employer is prohibited from carrying out an HIV test on an employee at any phase of the employment (or before the employment) without the written consent of the employee, except if the test is required for the purpose of the fulfilment of the employer's obligation to provide pre- and post-test counselling to the worker.

The results of an HIV test must be treated confidentially and be protected in the same manner as that of other medical information.

iv Background checks

The labour laws and their implementing regulations do not specifically regulate employee background checks; however, see subsections i and iii. In practice, an employer or prospective employer cannot do credit checks or criminal checks on its prospective employee without the employee's consent. A potential employer may only request applicants or prospective employees to provide a statement declaring no criminal record or clearance from the relevant police office, or their bank statements.