All questions

Intellectual property

i Brand search

Under the laws of Indonesia, protection of intellectual property (IP) rights, except for copyright, is obtained by way of registration (under the first-to-file principle). In a franchising structure, trademark, patent and copyright (and know-how) serve as the key elements of IP that require serious attention by the franchisor as regards protection and maintenance.

Of rights in a franchise concept that can be registered, trademarking is the first priority, primarily because the brand helps customers to first identify the relevant franchise business. Taking this into consideration, clearance trademark searches are essential for the franchisor (especially for foreign companies) prior to entering into a franchising agreement with a local party in Indonesia. This ensures that no party has filed for the same trademark. Also, because of the requirements of the franchising legal regime, the franchisor must hold the necessary trademark registrations (or at least have submitted an application to register a trademark) to carry out franchising activities and to obtain further registration with the Ministry of Trade.

A clearance trademark search can be carried out both formally or informally with the Directorate of Trademark and Geographical Indications, at the Directorate General of Intellectual Property at the Ministry of Law and Human Rights (the Indonesian Trademark Office).

Formal searches can be carried out by addressing a formal letter to the Indonesian Trademark Office enquiring whether a specific trademark has been registered at that office. The drawback to carrying out a formal search is the uncertainty as to when the Indonesian Trademark Office will carry out or complete the search. In some cases, the interested party has to follow up its enquiry letter. In such cases, an informal search is a preferable option.

Informal searches can be done by checking the online database of the Indonesian Directorate General of Intellectual Property (DGIPR). The online database provided by the DGIPR now covers information on pending applications, published trademarks, registered trademarks and pending renewals. However, the downside of the current database is, at times, inaccurate data input by DGIPR officials, which usually results in the provision of inadequate information. With this in mind, further informal searches by IP firms can be carried out at the Indonesian Trademark Office through the official non-computerised databases (i.e., manual searches). Searches should also be carried out for both identical and similar trademarks and particularly for details of goods or services that constitute the franchisor's main business interest or are used in the franchise's activities.

Note that if a franchisor has not yet registered its trademarks and the searches reveal an existing identical or similar trademark, use of the trademark by the franchisor will potentially be an infringement. The available courses of action in this situation would be to file an opposition, cancellation or deletion claim against the pre-existing registration. The two latter actions should be filed with the Indonesian Commercial Court.

ii Brand protection

As described above, the basis of trademark protection in Indonesia is a first-to-file system. An application for trademark registration is filed by completing certain forms and documentation required by the Indonesian Trademark Office, or by online application through the electronic filing system (e-filing). Upon submission of an application form, the Indonesian Trademark Office will conduct an examination to check that the supporting documents and the administrative requirements of the relevant application are complete. Theoretically, under Indonesian Trademark Law, the administrative examination must be completed within two months of the filing date of the application.

If the supporting documents are deemed complete, the Indonesian Trademark Office will publish the trademark application in the Official Trademark Gazette for a two-month period. If no opposition is filed by a third party within 30 days of the date of the expiry of the publication period, the trademark examiners will proceed to conduct a substantive examination of the application for a period of five months. If the examiners are of the view that the application is acceptable for registration, the Indonesian Trademark Office should issue a certificate of trademark registration within 30 days of the said publication.

Despite the timeline provided by the Indonesian Trademark Law, it is common for the process of trademark registration to prove lengthier as the number of trademark applications received by the Indonesian Trademark Office is higher than that for other IP registrations. This can cause trademark applications to take longer than expected.

It is important for the franchisor to ensure that all the descriptions of goods and services registered (or to be registered) under the franchisor's trademarks in Indonesia have sufficiently covered the line of services or products in which the franchise concept is being used. Specific advice is required from a qualified IP consultant to ascertain adequate information on this particular issue.

iii Licence registration

Under Indonesian law, a franchise scheme qualifies as an IP licensing scheme, which allows the franchisee to legally exploit the other party's IP. The licensing covers most IP areas, from trademarks to patents, with any of these being available for licensing.

The IP regulations contain not only various licensing provisions, each of which has its own requirements, but also provisions regarding the terms of engagement between licensor and licensee. However, licence agreements must be registered with the DGIP to have legal effect in relation to third parties, as stipulated under the Minister of Law and Human Rights Regulation No. 8 of 2016 concerning the Procedure and Requirements of Intellectual Property Licensing Agreements.

iv Enforcement

Enforcement actions in franchising matters follow the same process as actions taken by third parties against independent rights holders. The most important point is to expressly determine in the franchise agreement which party holds the rights to carry out enforcement actions, including the relevant procedures, in the event of infringement.

Enforcement actions of IP rights in the franchise business may only be exercised if the relevant IP rights have been registered. As to copyright, while registration is not compulsory, the presence of a copyright registration serves as prima facie evidence for the court.

Enforcement of IP rights can be carried out through both civil and criminal routes. For enforcement against criminal infringement, the owner of the IP rights should file a criminal complaint with the Indonesian police, giving notice of the alleged infringement of trademark or IP rights. The Indonesian Trademark Regulations provide that a trademark infringer can be sentenced to imprisonment or fine.

A civil action (specifically for trademark cases) can be initiated by filing a civil claim with the Indonesian Commercial Court. The purpose of filing a civil claim under the Indonesian Trademark Law is to get the counterparty to pay damages to the owner of the registered trademark.

v Data protection, cybercrime and social media

While there is no official separation under the Indonesian legal framework, data protection is divided into two classifications, namely general data protection and personal data protection. Despite both having same purpose, general data protection applies to data on a bigger scale, such as corporate documents and general electronic information. On the other hand, the focus of personal data protection is mainly on data owned by the individual. As both types of data are deemed relevant and important for the franchisor and franchisee, an explanation of the laws affecting each type is provided below.

General data protection

Given the broad range of data falling within the scope of protection, in theory, general data protection is regulated by the following laws:

  1. Law No. 8 of 1997 on Company Documents (Law 8/1997);
  2. Law No. 11 of 2008 on Electronic Information and Transactions as amended by Law No. 19 of 2016 on Amendment to Law No. 11 of 2008 on Electronic Information and Transactions (Law 11/2008);
  3. Government Regulation No. 82 of 2012 on the Operation of Electronic Systems and Transactions (GR 82/2012);
  4. Law No. 28 of 2014 on Copyright; and
  5. Ministry of Communications and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (MCI 20/2016).
Protection granted under Law 8/1997

A franchisee falls under the classification of a company pursuant to Law 8/1997. Consequently, the franchisee's data may be classified as corporate documents and therefore subject to the provisions of Law 8/1997. This classification requires the franchisee as document owner to comply with retention requirements; for financial documents this is at least 10 years, while the retention period for valuable company documents other than financial documents is dependent upon the value of the document for the company.

Law 8/1997 further stipulates that any transfer, assignment and obliteration of documents shall be at the discretion of the head of the company.

Protection granted under Law 11/2008 and GR 82/2012

Given the possibility of data being electronic information, data owned or collected by a franchisee may be subject to data protection requirements under Law 11/2008 and GR 82/2012.

Protection granted under Law 28/2014

Under Article 40 Paragraph 1(p) data is protected as a form of copyrighted creation. Data may obtain protection through being declared a creation of the data owner. Where data is protected under the copyright regime, the data owner is entitled to protecting its data by filing a criminal report of copyright infringement, as stipulated under Article 113 of Law 28/2014. The data owner seeking material compensation is also further entitled to file a copyright lawsuit against the infringer.

Personal data protection

In general, the matter of personal data protection is regulated by Law 11/2008, GR 82/2012 and MCI 20/2016 (collectively the Data Protection Regulations).

While there is no specific provision regulating data protection, the Data Protection Regulations may treat the franchisee as an electronic system of organisation (ESO). The franchisee is granted recognition as an ESO because of the possibility of it carrying out personal data processing activities. Consequently, franchisees are subject to the Data Protection Regulations.

It is worth noting that despite the current legal vacuum, the Indonesian government is currently preparing a bill on personal data protection. The bill currently being discussed by the Indonesian House of Representatives is expected to see the light of the day at the end of next year. While both the final content and issue date of the draft remain unknown, the version that has been distributed publicly comprehensively regulates various personal data protection issues. Issues regarding the personal data controller and the processor, consent requirements, and personal data categorisation are among the many expected to be addressed in the draft bill.

Obligations for ESOs

Under MCI 20/2016, any franchisee regarded as an ESO is required to comply with the following obligations.

Personal data obligations

Article 28 of MCI 20/2016 stipulates that ESOs shall ensure the validity, legality, confidentiality, integrity, relevancy and appropriateness of the data for the purpose of the data collection, processing, analysis, storage, publication, announcement, transfer, distribution and obliteration. The ESO should also ensure the security and protection of personal data by enacting internal policies in accordance with the law.

Obligations for data owner

Article 28 of MCI 20/2016 requires ESOs to provide data owners with the following:

  1. audit track record of any electronic systems operated by the ESO;
  2. access or opportunity to update or amend the personal data owned by the data owner;
  3. the option to allow or to forbid the personal data of the data owner to be published, distributed, disclosed or utilised, or a combination of these, by a third party; and
  4. the right to have the personal data obliterated upon request by the data owner.
Consent obtaining requirement

Pursuant to Article 15 of GR 82/2012 in conjunction with Article 6 of MCI 20/2016, the consent of the data owner is required for any collection of personal data. Upon obtaining the consent of the data owner, the ESO is also required to inform the data owner of the purpose of the data collection. The purpose of the data collection serves as the limitation of the ESO in processing the personal data. When obtaining consent, the ESO may only obtain the consent of the personal data owner by means of an Indonesian-language consent form.

Data breach notification

Article 28 Paragraph (c) of MCI 20/2016 specifically requires the ESO to provide written or electronic notification to personal data owners in the event of a breach of personal data. This notification shall relate the cause of the breach and be provided to the data owner within 14 days of the discovery of the breach at the latest.

Contact person obligation

Article 28 Paragraph (d) of MCI 20/2016 stipulates that the ESO is required to provide a contact person who is accessible to data owners. The contact person shall be made accessible to data owners to facilitate the management of individuals' personal data.

Data localisation

Indonesian legislation prohibits the storage of personal data outside Indonesia and specifically requires data centres to be located in Indonesia, especially in the case of public service electronic system providers. This requirement particularly applies to personal data pertaining to Indonesian nationals and data on transactions conducted within the Indonesian jurisdiction or relating to Indonesian nationals.

Transfer of personal data

Article 22 of MCI 20/2016 requires that the transfer of personal data must be coordinated with the MCI. In practice, this coordination is carried out by submitting a personal data transfer implementation plan (the Transfer Plan) and report (the Transfer Report) to the MCI, as well as requesting advocacy from the MCI where necessary. The Transfer Plan must contain at least the following information: the country of the data recipient, the full name of the data recipient, the date of the transfer implementation and the background to or purpose of the transfer. Upon completion of the transfer, the ESO is required to provide a Transfer Report to the MCI, containing the result of the Transfer Plan implementation. Given that an unauthorised transfer of personal data may constitute unauthorised distribution or disclosure of personal data, which is subject to criminal punishment as stipulated under Law 11/2008, the ESO must ensure that it has obtained the consent of the data owners prior to transferring personal data.

Penalties for non-compliance

In Indonesia, the penalties for non-compliance with the law are found in the Data Protection Regulations. These take the form of administrative sanctions, fines and imprisonment. Imprisonment may be imposed for severe breaches and intentional infringement.

The applicable sanctions are as follows:

  1. Under Article 48 in conjunction with Article 32 Paragraph 2 of Law 11/2008, a maximum of nine years' imprisonment or a maximum fine of 3 billion rupiahs, or both, may be imposed on any person who knowingly and without authority, or unlawfully, accesses computers or electronic systems in any manner whatsoever with the intent to obtain electronic information or electronic records.
  2. Failure of an ESO to comply with GR 82/2012 and MCI 20/2016 would be subject to administrative sanctions (which do not eliminate any civil and criminal liability as provided under Article 84 Paragraph 6 of GR 82/2012). The relevant administrative sanctions are in the forms of:
    • a written or verbal warning;
    • administrative fines;
    • temporary suspension of current activities;
    • public online announcement; and
    • expulsion from the list of registrations (as required under the GR 82/2012). This sanction relates to the obligation to obtain an electronic certificate, a certificate of reliability and a licence for the information system by registering the electronic systems operator or electronic agent operator with the MCI.

As to cybercrime and social media, the Indonesian government has not yet passed any specific regulations, and general provisions under existing regulations apply to the extent possible and on a case-by-case basis. Although there is no specific provision regarding standard-setting or requirements for the protection of electronic information, Law 11/2008 is the most relevant of the existing regulations pertaining to cybersecurity, and it determines the following actions to be violations that may constitute cybercrime. Law 11/2008 prohibits any unauthorised action of adding, decreasing, transmitting, damaging, eliminating, obliterating, removing, transferring or hiding of electronic information or documents. Violations of these prohibitions may be subject to penalties of up to nine years' imprisonment or a fine of up to 3 billion rupiahs, or a combination of these.

Franchisors and franchisees should therefore consider having the proper terms of use, licence agreements and manuals or guidelines in place to ensure compliance with the prevailing legislation with respect to the use of data.