Skip to Main Content
Main Menu

Personal Data Protection Law (DPDL)

Indonesia’s LPDP (Law No. 27 of 2022) is comprehensive, applying to every entity processing the personal data of natural persons residing in Indonesia. The law includes individual rights and obligations, such as conducting DPIAs for high-risk processing and breach notification.

Are you subject to the Indonesia LPDP?

The Indonesia LPDP applies to every person, public body, and international organizations who performs legal acts regulated in the Law if any of the following apply: (1) processing personal data in the Republic of Indonesia, or (2) processing personal data outside the Republic of Indonesia that has legal consequences either in the Republic of Indonesia or Indonesian citizens outside the Republic of Indonesia.

Obligations under Indonesia LPDP

Organizational privacy requirements

Organizations must record all personal data processing activities. The LPDP requires organizations to appoint a person in charge of processing personal data, monitor compliance, and provide advice on DPIA when applicable under the law. Organizations shall perform a privacy impact assessment in the circumstance required by the LPDP.

Individual rights

Indonesia LPDP includes data subject rights such as information access, correction, deletion, data portability, the right to object to solely automated decisions that produce legal consequences or a significant impact on the individual, and the right to sue and receive compensation for the violation of the provision of the LPDP.

Consent & transparency

Organizations must enable data subjects to provide informed and expressed consent in written or recorded form delivered electronically or non-electronically. Organizations must inform individuals using simple language in an easily accessible form that can be clearly distinguished from other matters. Organizations must keep evidence of consent.


The law requires companies to implement technical measures to protect personal data from interference contrary to the requirements of the law. The level of security must be assessed, taking into account the nature and risks of the processing. There are also data breach notification requirements requiring data protection authorities and affected individuals to be notified of the breach.


CBPR – Navigating Cross-Border Data Privacy Compliance

In this highly anticipated webinar, we explore the background the future direction and assess the potential business case for companies considering certification under the new Global CBPR System.


The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top