Every time someone signs up for an app, fills in an online form, completes a digital transaction, or activates a new service on their phone, personal data changes hands. Names, phone numbers, addresses, financial details, even medical records flow through systems that most people never fully see or understand. The real question has always been: who is responsible when that data is leaked, misused, or ends up in the wrong hands?
Indonesia now has a legal answer. Law Number 27 of 2022 on Personal Data Protection (“PDP Law”) was enacted on 17 October 2022 and, after a two-year transition period, has been fully in force since 17 October 2024. Its arrival is more than a regulatory formality. The law fundamentally changes how personal data must be handled in Indonesia by individuals, private companies, public institutions, and foreign entities that operate in Indonesia or whose processing has legal effect within Indonesian territory.
A New Era of Personal Data Protection in Indonesia
Before the PDP Law existed, personal data protection in Indonesia was fragmented across various sectoral regulations that did not work together in any coordinated way. Rules existed in banking, telecommunications, and healthcare, but each stood on its own without a unified legal foundation. As a result, the level of protection a person received depended largely on which sector held their data, rather than on their fundamental rights as an individual.
The PDP Law changes that at its core. Spanning 16 chapters and 76 articles, the law provides a comprehensive framework governing everything from how data is collected, stored, and processed, to how it must be deleted when it is no longer needed. Its constitutional basis draws from Article 28G(1) of the 1945 Constitution, which guarantees every person’s right to protection of themselves, their family, honour, dignity, and property. Personal data protection, in this sense, is not simply a matter of cybersecurity. It is a human rights issue recognised by the state.
Understanding what qualifies as personal data matters more than many people realise. It is a common misconception that personal data only means a name and address. In practice, the scope is considerably broader.
The PDP Law divides personal data into two categories:
- General personal data
Full name, gender, nationality, religion, marital status, and any combination of personal data that can be used to identify an individual.
- Specific personal data
Health data, biometric data, genetic data, criminal records, financial information, and children’s data. Specific personal data attracts stricter handling requirements throughout the law.
The Rights of Data Subjects and Children under the PDP Law
One of the most significant contributions of the PDP Law is its clear recognition of individual rights. This is not merely a technical provision. It represents a fundamental shift in the relationship between a person and whoever holds their data.
Every data subject (the law’s term for the individual whose data is processed, also referred to here as the data owner) now has the following rights:
- Right to Know
Know the purpose for which their data is being collected and used by any company or platform.
- Right to Access
Access the data held about them and request correction of inaccurate or incomplete data.
- Right to Erasure
Request deletion of their data under certain conditions set out in the law.
- Right to Withdraw Consent
Withdraw previously given consent for data processing at any time.
- Right to Compensation
Seek compensation if a violation causes real harm — including through civil claims for damages, not only regulatory complaints.
Data relating to children falls within the category of sensitive specific data and receives dedicated attention under this legal framework. Practices that might seem unremarkable, such as publishing a student’s photo, full name, or home address on a school website or social media account without parental consent, can constitute a violation of the PDP Law, which requires consent before processing a child’s data.
Beyond the PDP Law itself, the government also issued Government Regulation Number 17 of 2025 on the Governance of Electronic System Operations in Child Protection, a companion regulation that strengthens safeguards for children in digital spaces. This reflects a deliberate policy commitment to ensuring that those most vulnerable to data exploitation are given adequate legal protection.
Key Obligations for Personal Data Processing
The PDP Law applies to any party that processes personal data within Indonesian jurisdiction, including entities based abroad that have legal impact in Indonesia or that process the personal data of Indonesian citizens. For anyone who handles other people’s personal data, whether a technology startup, a digital platform, a financial institution, a hospital, or a multinational corporation, there are core obligations that must be met.
- A lawful basis for processing data
Personal data may only be processed on a clear legal basis. The explicit consent of the data owner is the most familiar basis, but the law also recognises others, such as performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, and the legitimate interests of the controller. Using customer data for marketing or analytics without any of these bases, and in particular beyond the purpose the data was collected for, is a violation that organisations frequently commit without realising it.
- Responsible processing principles
The PDP Law establishes transparency, purpose limitation, accuracy, data minimisation, and security as the foundation of lawful data processing. These principles must be embedded in actual systems and daily practices, not merely written into a privacy policy that few people read.
- Appointment of a Data Protection Officer
Organisations that process personal data for public services, whose core activities involve regular and systematic monitoring of personal data at significant scale, or whose core activities involve large-scale handling of specific personal data or criminal records, are required to appoint a Data Protection Officer (DPO). This role serves as the operational link between management, information technology, and the fulfilment of data owners’ rights. It is not simply a compliance checkbox.
- Transparency in incident response
If a data breach occurs, the data controller is legally obligated to notify both the relevant authority and the affected data owners in writing, no later than 3 x 24 hours after the failure is identified (Article 46). The notification must state, at minimum, what personal data was exposed, when and how the breach occurred, and what the controller is doing to handle and recover from it. This transparency requirement is not merely an ethical expectation. It is a legal duty, and failing to fulfil it can significantly worsen the legal consequences faced.
Legal Consequences and Response to Data Breaches
The PDP Law sets out serious legal consequences for parties that fail to comply with personal data protection obligations. Violations may result in administrative sanctions, including written warnings, suspension of processing, deletion of data, and fines of up to 2% of annual revenue, as well as criminal penalties for unlawful collection, disclosure, use, or falsification of personal data. Where the offender is a corporation, the criminal fine can be increased to up to ten times the maximum set for the offence.
It is important to understand that legal liability does not arise only from malicious intent. Data breaches caused by technical negligence, such as weak security systems, unpatched software, or unrestricted access to data stores, may also lead to legal consequences if the data controller or data processor fails to comply with the security obligations under Article 35 and Article 39 of the PDP Law, which require technical and organisational measures to protect personal data and to prevent unauthorised access to it.
Knowing your rights in theory is one thing. Knowing what to do when those rights are violated is equally important. If you suspect your personal data has been leaked or misused, the following steps apply:
- Document the evidence. Preserve screenshots, emails, notifications, or any material showing that your data has been leaked or used without authorisation.
- Contact the data holder formally. Use the right of access guaranteed by the PDP Law to find out exactly what data they hold and how it is being used.
- File a complaint with the regulator. If the response is unsatisfactory, a complaint can be submitted to the Ministry of Communication and Digital Affairs, which currently exercises supervisory functions under the PDP Law pending the establishment of the dedicated data protection authority the law envisages.
- Consider a civil claim. Where the breach has caused material loss, a civil claim for compensation is legally available under the law. Consulting a legal professional with expertise in data protection law is strongly advisable for complex cases.
PDP Law as a Foundation of Digital Trust
Indonesia is not the first country to take this path. The European Union has its General Data Protection Regulation (GDPR), and Singapore has the Personal Data Protection Act (PDPA). Indonesia’s PDP Law shares the same core philosophy as both: placing the individual at the centre as the owner of their data, entitled to control, transparency, and accountability from whoever processes it.
For organisations already operating within GDPR or PDPA frameworks, the PDP Law should not feel entirely unfamiliar. While technical differences exist, particularly around cross-border data transfer mechanisms governed by Article 56 of the PDP Law, the underlying principles are closely aligned. This alignment creates a genuine opportunity to build data governance systems that hold up across multiple jurisdictions, rather than requiring entirely separate compliance structures.
Compliance with the PDP Law, in this context, is more than a matter of avoiding sanctions. It is a signal to partners, users, and stakeholders that data entrusted to an organisation is managed with rigour and accountability. That kind of signal strengthens business relationships and long-term operational credibility.
The Personal Data Protection Law was not designed to create obstacles. It was designed to establish clear standards in a digital landscape that had long operated without them. With the PDP Law now fully in force, Indonesia has entered an era where data governance is no longer a peripheral technical concern. It is a central element of legal compliance and organisational responsibility for anyone operating here.
For anyone involved in handling personal data, understanding the PDP Law is not optional. It is the baseline for legal compliance, for maintaining the trust placed in an organisation by those whose data it holds, and for contributing to a digital environment in Indonesia that is safer, fairer, and more accountable for everyone.