Regulation

Personal Data Protection Law (DPDL)

Indonesia’s LPDP (Law No. 27 of 2022) is comprehensive, applying to every entity processing the personal data of natural persons residing in Indonesia. The law includes individual rights and obligations, such as conducting DPIAs for high-risk processing and breach notification.

Are you subject to the Indonesia LPDP?

The Indonesia LPDP applies to every person, public body, and international organizations who performs legal acts regulated in the Law if any of the following apply: (1) processing personal data in the Republic of Indonesia, or (2) processing personal data outside the Republic of Indonesia that has legal consequences either in the Republic of Indonesia or Indonesian citizens outside the Republic of Indonesia.

Obligations under Indonesia LPDP

Organizational privacy requirements

Organizations must record all personal data processing activities. The LPDP requires organizations to appoint a person in charge of processing personal data, monitor compliance, and provide advice on DPIA when applicable under the law. Organizations shall perform a privacy impact assessment in the circumstance required by the LPDP.

Individual rights

Indonesia LPDP includes data subject rights such as information access, correction, deletion, data portability, the right to object to solely automated decisions that produce legal consequences or a significant impact on the individual, and the right to sue and receive compensation for the violation of the provision of the LPDP.

Consent & transparency

Organizations must enable data subjects to provide informed and expressed consent in written or recorded form delivered electronically or non-electronically. Organizations must inform individuals using simple language in an easily accessible form that can be clearly distinguished from other matters. Organizations must keep evidence of consent.

Security

The law requires companies to implement technical measures to protect personal data from interference contrary to the requirements of the law. The level of security must be assessed, taking into account the nature and risks of the processing. There are also data breach notification requirements requiring data protection authorities and affected individuals to be notified of the breach.

Webinar

CBPR – Navigating Cross-Border Data Privacy Compliance

In this highly anticipated webinar, we explore the background the future direction and assess the potential business case for companies considering certification under the new Global CBPR System.

Watch now

Achieve compliance

FAQs

When did Indonesia LPDP take effect?

The law was enacted on October 17, 2022.
What are the requirements for vendors under Indonesia LPDP?

Limit its use only for contracted purposes under the orders of the data controller. Data Processors must obtain written authorization to engage with other processors.
What are Indonesia’s LPDP rules for international data transfers?

Organizations must ensure that the country receiving the personal data has a level of personal data protection equal to or higher than the stipulated in the LPDP. If the level of protection is inadequate, organizations must ensure adequate and binding protections or obtain consent from the individual.

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.