How Blancco Helps Organizations Comply with Indonesia’s PDP Law

Indonesia’s Personal Data Protection Law (PDP Law) is also known as Law No. 27 of 2022.

The law safeguards Indonesian citizens’ rights by ensuring that data controllers, data processors, and other related parties, meet strict guidelines.

Following a two-year transitional period, which ended on October 17, 2024, the PDP Law is now in full effect.

This guide provides insights on the PDP Law and how Blancco can help you comply with several aspects of it.

Who does the PDP Law apply to?

The law has a wide scope, with some exemptions for personal or household data processing.

Broadly, the PDP Law applies to individuals, companies, public institutions, and international organizations processing Indonesian citizens’ personal data. Because the law is extra-territorial, it may still apply if data processed outside of the country has legal consequences in Indonesia.

It is another important law that compliant international companies must recognize.

What you should know about the PDP Law

Personal data here means information relating to an identified or identifiable individual, processed via electronic or non-electronic means. This includes general identifiers such as name and gender and specific data like biometrics.

It’s worth noting that processing specific data entails stricter compliance due to higher risks. Organizations must conduct data protection impact assessments (DPIAs) where there is a risk of a serious impact, and high-risk activities can include things like mass data processing and the use of new technologies.

The PDP Law is similar to the EU GDPR because of key principles such as data minimization, data accuracy, and retention limits. Data subjects also have similar rights as under the GDPR. This includes the right to access, correct, and erase personal data.

Enforcement and penalties

The Personal Data Protection Committee (PDPC) enforces the law and publishes guidelines. Breaking the PDPA can lead to criminal, civil, or administrative penalties. Serious violations, like leaking sensitive data, could lead to prison time or fines.

For example, in November 2024, an online sales company was fined 7 million baht ($204,000 USD) for not following the rules. The company was fined for several issues, including not appointing a data protection officer or having proper security measures.

Data disposal under the PDPA

Failure to comply with the PDP Law can result in criminal and administrative penalties. The most serious violations involving sensitive personal data and unauthorized disclosure are punishable by prison terms of up to five years and fines up to Rp5 billion ($300,000 USD).

Administrative sanctions will include written warnings, suspension of processing activities, and fines of up to 2% of annual revenue.

Download our solution brief to learn more about the PDP Law, including data destruction requirements and how Blancco can help.

Completely erase end-of-life data to comply with global regulations such as Indonesia’s PDP Law.