Data Protection &

Privacy
2020
Contributing editors
Aaron P Simpson and Lisa J Sotto

© Law Business Research 2019

Publisher
Tom Barnes

Data Protection &

tom.barnes@lbresearch.com

Subscriptions
Claire Bagnall

Privacy
claire.bagnall@lbresearch.com

Senior business development managers

Adam Sargent
adam.sargent@gettingthedealthrough.com

Dan White
dan.white@gettingthedealthrough.com

Published by
2020
Law Business Research Ltd
87 Lancaster Road
London, W11 1QQ, UK Contributing editors
Tel: +44 20 3780 4147
Fax: +44 20 7229 6910
Aaron P Simpson and Lisa J Sotto
Hunton Andrews Kurth LLP
The information provided in this publication
is general and may not apply in a specific
situation. Legal advice should always
be sought before taking any legal action
based on the information provided. This
Lexology Getting The Deal Through is delighted to publish the eighth edition of Data Protection
information is not intended to create, nor
and Privacy, which is available in print and online at www.lexology.com/gtdt.
does receipt of it constitute, a lawyer–
Lexology Getting The Deal Through provides international expert analysis in key areas of
client relationship. The publishers and
law, practice and regulation for corporate counsel, cross-border legal practitioners, and company
authors accept no responsibility for any
directors and officers.
acts or omissions contained herein. The
information provided was verified between
Throughout this edition, and following the unique Lexology Getting The Deal Through format,
June and July 2019. Be advised that this is the same key questions are answered by leading practitioners in each of the jurisdictions featured.
a developing area. Our coverage this year includes new chapters on Hungary, Iceland, Indonesia and Malaysia.
Lexology Getting The Deal Through titles are published annually in print. Please ensure you
© Law Business Research Ltd 2019 are referring to the latest edition or to the online version at www.lexology.com/gtdt.
No photocopying without a CLA licence. Every effort has been made to cover all matters of concern to readers. However, specific
First published 2012 legal advice should always be sought from experienced local advisers.
Eighth edition Lexology Getting The Deal Through gratefully acknowledges the efforts of all the contribu-
ISBN 978-1-83862-146-9 tors to this volume, who were chosen for their recognised expertise. We also extend special
thanks to the contributing editors, Aaron P Simpson and Lisa J Sotto of Hunton Andrews Kurth
Printed and distributed by LLP, for their continued assistance with this volume.
Encompass Print Solutions
Tel: 0844 2480 112

London
July 2019

Reproduced with permission from Law Business Research Ltd 

This article was first published in August 2019
For further information please contact editorial@gettingthedealthrough.com

www.lexology.com/gtdt 1
© Law Business Research 2019
 Contents

Introduction5 Greece90
Aaron P Simpson and Lisa J Sotto Vasiliki Christou
Hunton Andrews Kurth LLP Vasiliki Christou

EU overview 9 Hungary97
Aaron P Simpson, Claire François and James Henderson Endre Várady and Eszter Kata Tamás
Hunton Andrews Kurth LLP VJT & Partners Law Firm

The Privacy Shield 12 Iceland104

Aaron P Simpson and Maeve Olney Áslaug Björgvinsdóttir and Steinlaug Högnadóttir
Hunton Andrews Kurth LLP LOGOS legal services

Australia16 India112
Alex Hutchens, Jeremy Perier and Meena Muthuraman Stephen Mathias and Naqeeb Ahmed Kazia
McCullough Robertson Kochhar & Co

Austria24 Indonesia119
Rainer Knyrim Abadi Abi Tisnadisastra, Prihandana Suko Prasetyo Adi
Knyrim Trieb Attorneys at Law and Filza Adwani
AKSET Law
Belgium32
David Dumont and Laura Léonard Italy126
Hunton Andrews Kurth LLP Rocco Panetta and Federico Sartore
Panetta & Associati
Brazil43
Fabio Ferreira Kujawski, Paulo Marcos Rodrigues Brancher Japan136
and Thiago Luís Sombra Akemi Suzuki and Tomohiro Sekiguchi
Mattos Filho Nagashima Ohno & Tsunematsu

Chile50 Korea144
Carlos Araya, Claudio Magliona and Nicolás Yuraszeck Young-Hee Jo, Seungmin Jasmine Jung and Kwangbok Kim
Magliona Abogados LAB Partners

China56 Lithuania153
Vincent Zhang and John Bolin Laimonas Marcinkevičius
Jincheng Tongda & Neal Juridicon Law Firm

Colombia66 Malaysia159
María Claudia Martínez Beltrán and Daniela Huertas Vergara Jillian Chia and Natalie Lim
DLA Piper Martínez Beltrán Abogados Skrine

France73 Malta166
Benjamin May and Farah Bencheliha Ian Gauci and Michele Tufigno
Aramis Gatt Tufigno Gauci Advocates

Germany83 Mexico174
Peter Huppertz Abraham Díaz Arceo and Gustavo A Alcocer
Hoffmann Liebs Partnerschaft von Rechtsanwälten mbB OLIVARES

2 Data Protection & Privacy 2020

© Law Business Research 2019
 Contents

Netherlands182
Inge de Laat and Margie Breugem
Rutgers Posch Visée Endedijk NV

Portugal188
Helena Tapp Barroso and Tiago Félix da Costa
Morais Leitão, Galvão Teles, Soares da Silva & Associados

Russia196
Ksenia Andreeva, Anastasia Dergacheva, Anastasia Kiseleva,
Vasilisa Strizh and Brian Zimbler
Morgan, Lewis & Bockius LLP

Serbia204
Bogdan Ivanišević and Milica Basta
BDK Advokati

Singapore212
Lim Chong Kin
Drew & Napier LLC

Sweden229
Henrik Nilsson
Wesslau Söderqvist Advokatbyrå

Switzerland236
Lukas Morscher and Nadja Flühler
Lenz & Staehelin

Taiwan245
Yulan Kuo, Jane Wang, Brian, Hsiang-Yang Hsieh
and Ruby, Ming-Chuang Wang
Formosa Transnational Attorneys at Law

Turkey252
Esin Çamlıbel, Beste Yıldızili and Naz Esen
TURUNÇ

United Kingdom 259

Aaron P Simpson, James Henderson and Jonathan Wright
Hunton Andrews Kurth LLP

United States 268

Lisa J Sotto and Aaron P Simpson
Hunton Andrews Kurth LLP

www.lexology.com/gtdt 3
© Law Business Research 2019
Indonesia
Abadi Abi Tisnadisastra, Prihandana Suko Prasetyo Adi and Filza Adwani
AKSET Law

LAW AND THE REGULATORY AUTHORITY • Law No. 7/1992 regarding Banking as amended by Law No. 10/1998
(the Banking Law);
Legislative framework • Law No. 39/1999 regarding Human Rights;
1 Summarise the legislative framework for the protection • Law No. 23/2006 regarding Resident Administration as amended
of personally identifiable information (PII). Does your by Law No. 24/2013 (the Resident Law);
jurisdiction have a dedicated data protection law? Is the data • Law No. 36/1999 regarding Telecommunications
protection law in your jurisdiction based on any international (Telecommunications Law);
instruments on privacy or data protection? • Law No. 14/2008 regarding Transparency of Public Information;
• Law No. 36/2009 regarding Health (the Health Law);
The protection of personal data in Indonesia was initially focused on the • Minister of Health Regulation No. 269/Menkes/Per/III.2008 on
protection from privacy perspective. Under the Indonesian Constitution, Medical Records (MoH Regulation 269);
the concept of privacy rights has been recognised and protected as part • MoCI Regulation No. 36 of 2014 on the Registration Procedure of
of the general concept of human rights. Electronic System Operator; and
With the need to cover the sector yet to be regulated, specifically • MoCI Regulation No. 4 of 2016 on the Information Security
that of the internet and electronic transaction related activities, Law No. Management System (MoCI Regulation 4).
11/2008 on Electronic Information and Transactions as amended by Law
No. 19/2016 (collectively, the EIT Law) was passed. Even though most of Given the need to have a dedicated data protection law in force, at the
the provisions of the EIT Law focus on electronic transactions, there is a moment, the Indonesian government and House of Representative have
notable provision that deals with personal data in the EIT Law. included a personal data protection bill (the PII Bill) in the national legis-
Similar with the individual concept in the Indonesian Constitution, lative programme.
article 26(1) of the EIT Law (along with its official elucidation) recognises
the protection of personal data as a part of privacy rights. The article Data protection authority
further mentions that privacy rights shall include, among others, the 2 Which authority is responsible for overseeing the data
right to monitor the access of information concerning private life and protection law? Describe the investigative powers of the
data. To further the effort to satisfy the need for effective protection authority.
of personal data, the Minister of Communications and Informatics (the
MoCI) issued MoCI Regulation No. 20/2016 on Protection of Personal There is no specifically dedicated national data protection authority
Data in Electronic Systems (MoCI Regulation 20). that oversees personal data protection in Indonesia. However, pursuant
MoCI Regulation 20 is issued as mandated under article 15(3) to MoCI Regulation 20, the MoCI (along with the Director General of
of Government Regulation No. 82/2012 on the Implementation of Informatics Applications or Ditjen Aptika) are responsible for ensuring
Electronic Systems and Transactions (GR 82), which requires personal compliance towards the data protection regime in Indonesia (ie, EIT Law,
data protection in electronic systems to be regulated by a Ministerial GR 82 and MoCI Regulation 20).
Regulation. MoCI Regulation 20 came into effect on 1 December 2018, The MoCI is authorised to, among others, organise governmental
and it applies only to PII stored in electronic systems, but not to PII that events related to communications and informatics; coordinate with
is stored manually. Electronic System Operators (ESOs) for transfer of personal data
It is important to note that in comparison to other jurisdictions, overseas; settle disputes related to failure or breach of PII protection;
which commonly formed their data protection regulations based supervise the implementation of personal data protection; request data
on international instruments (eg, the EU General Data Protection and information from ESOs in the framework of data protection; impose
Regulation (GDPR)), the current data protection law regime in Indonesia administrative sanctions for violations data protection regulations; and
is still less developed. MoCI Regulation 20 does not recognise a number issue Electronic System Worthiness Certificate to certify that an elec-
of concepts, such as, data controller, data processor, sensitive personal tronic system is functioning properly.
data, dedicated data protection officer, privacy by design, and automatic For certain specific matters, such as, in the event of a dispute
processing. Nevertheless, certain general principles in GDPR related related to the failure or breach of personal data protection, MoCI
to the processing of personal information have been adopted by MoCI may delegate its authority to Ditjen Aptika that is authorised to form
Regulation 20, among others, lawfulness, confidentiality, the purpose of a panel to settle the disputes and recommend certain administrative
limitation, accuracy and storage limitation. sanctions to be imposed by the MoCI on relevant ESOs. Ditjen Aptika is
Other than the above legislation, the protection of personal data also responsible for conducting public education on matters related to
is also included in several laws and regulations, though most of these personal data protection.
laws and regulations only address data protection briefly:

www.lexology.com/gtdt 119
© Law Business Research 2019
 Indonesia AKSET Law

In addition, for a specific sector (ie, financial sector), each sectoral A criminal proceeding is initiated by the Indonesian police and
supervision and regulation body has the authority to regulate the rele- prosecutors.
vant matters related to the data protection as well.
SCOPE
Cooperation with other data protection authorities
3 Are there legal obligations on the data protection authority to Exempt sectors and institutions
cooperate with other data protection authorities, or is there a 5 Does the data protection law cover all sectors and types of
mechanism to resolve different approaches?? organisation or are some areas of activity outside its scope?

Under MoCI Regulation 20, the MoCI may coordinate with the sectoral In essence, the EIT Law, GR 82 and MoCI Regulation 20 are only appli-
supervision and regulatory body to follow up on complaints lodged by cable to all processing or use of personal data in electronic form by
data subjects for failures of personal data protection committed by ESOs. an ESO, which is defined as any person, state administrator, business
These two authorities may also cooperate to supervise the imple- entity, and community that provides, manages or operates an electronic
mentation of MoCI Regulation 20, including to impose administrative system, whether individually or jointly, for the electronic system’s users’
sanctions for breaches of MoCI Regulation 20. Under MoCI Regulation own interests or the interests of other parties.
20, the MoCI delegates the authority to settle PII disputes to Ditjen For the purpose of this definition, electronic systems are defined
Aptika, which may then form a panel to settle the disputes. The MoCI broadly as series of devices and electronic procedures used to prepare,
also delegates the supervision of the implementation of MoCI Regulation collect, process, analyse, store, display, announce, deliver or dissemi-
20 to Ditjen Aptika. nate electronic information.
Particularly for cooperation with foreign authorities in certain Based on the foregoing, at the moment, although processing or
specific matters, such as transnational data transfer, at the moment, use of personal data in a manual record is excluded from the scope of
we are not aware of the existence of any cooperation entered into by the above regulations, but when it comes to the protection of personal
the MoCI with foreign authorities, nor has the Indonesian government data in the electronic system, ESOs have the responsibility to comply
published a list of persuasive countries considered to have an adequate with the relevant regulations, regardless of the sectors and type of
level of protection with respect to transnational data transfer. organisations.
As a fundamental principle, Indonesia adopts a consent regime to
Breaches of data protection obtain and process personal data through the electronic system. Prior
4 Can breaches of data protection law lead to administrative consent of the data subject is not required if obtaining or collecting
sanctions or orders, or criminal penalties? How would such personal data is mandated by law or certain personal data has been
breaches be handled? transmitted or announced publicly by electronic systems for public
services.
Breach of data protection might be subject to administrative and crim- Certain exemptions are also applicable in the banking sector. In
inal liability in Indonesia. As a rule of thumb, under MoCI Regulation principle, banks are required to maintain confidentiality of information
20, any person that collects, processes, analyses, stores, promotes, concerning savings of customers except for special circumstances –
announces, transmits or publishes personal data without the right to namely, taxation purposes, settlement claims and interbank exchange
do so will be subject to certain administrative sanctions, such as verbal of information.
warning; written warning; suspension of activities; or announcement on
the relevant website. Communications, marketing and surveillance laws
In addition, failure to comply with GR 82 will also be subject to 6 Does the data protection law cover interception of
similar administrative sanctions, comprising of written warning; communications, electronic marketing or monitoring and
administrative fines; temporary dismissal; or dismissal from the list of surveillance of individuals? If not, list other relevant laws in
registrations. this regard.
Under the EIT Law, breach of privacy is also subject to criminal
penalties, as follows: The right to privacy is considered as a basic human right. The inter-
• a fine of 600 million up to 800 million Indonesian rupiah and six to ception of communications is governed by the EIT Law and the
eight years’ imprisonment for unlawful access; Telecommunications Law, which stipulate that any illegal interception or
• a fine of 2 billion up to 5 billion Indonesian rupiah and eight to 10 wiretapping shall be subject to certain criminal sanction (see question
years’ imprisonment for alteration, addition, reduction; transmis- 4). However, exemptions apply for lawful interception or wiretapping
sion, tampering, deletion, moving or hiding electronic information in the framework of law enforcement, such as in a corruption case
or electronic records; and investigation.
• a fine of 800 million Indonesian rupiah and 10 years’ imprisonment
for interception or wiretapping of a transmission. Other laws
7 Identify any further laws or regulations that provide specific
In addition, under the Telecommunication Law, any person is prohibited data protection rules for related areas.
from wiretapping information transmitted through telecommunica-
tion networks. A person violating this prohibition may be sentenced to There are no specific regulations regarding the monitoring of employees
imprisonment of up to 15 years. specifically through electronic systems. In this regard, so long as the
Under the Resident Law, failure to protect personal data may be information of such employee falls under the definition of personal data
subject to imprisonment for up to two years or a fine of up to 25 million (see question 7), any monitoring activities shall obtain consent from the
Indonesian rupiah, or both. The Resident Law classifies the following employees.
information as protected personal data: information regarding physical For healthcare data, the processing shall comply with Health Law
and mental disabilities, fingerprints, irises, signatures, and other data No. 36 of 2009 and MOH Regulation 269. Under article 57 of the Health
that relate to a person’s crime. Law, every person is entitled to the confidentiality of his or her private

120 Data Protection & Privacy 2020

© Law Business Research 2019
AKSET Law Indonesia

health conditions that have been disclosed to healthcare providers. LEGITIMATE PROCESSING OF PII
These private health conditions, which under MOH Regulation 269 are
defined as medical records, shall be considered as personal data. Legitimate processing – grounds
While for the use of social media, although the information posted 11 Does the law require that the holding of PII be legitimised
on a user’s public profile could be considered as public information, the on specific grounds, for example to meet the owner’s legal
collection and the processing of user content are still subject to data obligations or if the individual has provided consent?
protection regulations (ie, the obtainment of consent from the user).
Particularly for data protection in the bank sector, customer’s The regulations do not provide any specific grounds for personal data
private data (ie, credit information) are considered confidential bank processing other than consent. In brief, under MoCI Regulation 20,
information. Any disclosure of such information shall be based on prior processing activities must be based on prior consent from the data
written consent from the customer. subject and the data in question have been verified, and the action
is in accordance with the purpose for which the personal data was
PII formats collected or otherwise processed. In addition, MoCI Regulation 20 does
8 What forms of PII are covered by the law? not offer common legal bases for the processing of personal data, such
as the processing of data being necessary for the vital interest or the
The current definition of personal data under MoCI Regulation 20 is very processing activities are carried out based on legitimate interest.
broad and is likely to include most of the information that is related Particularly for the consent, opposed to a common regula-
to an individual or can be used to identify a certain individual. As for tory approach, the Indonesian regulatory framework does not
the format, the applicability of the MoCI Regulation 20 applies only specifically elaborate on the requirement of valid consent – namely,
to personal data stored in electronic systems, and not applicable for whether consent should be freely given, and separate consent shall
personal data that is stored manually. be prepared.
In addition, although the current personal data regulation only
applies to inherent and identifiable information (either directly or indi- Legitimate processing – types of PII
rectly), there is no specific requirement for the data to be anonymised 12 Does the law impose more stringent rules for specific types of
before disclosure or transfer to the third party. However, any personal PII?
data to be processed must be encrypted.
The current regulations do not elaborate on the types of There is no distinction between the types of personal data in the regula-
personal data. tions. All information is regarded as personal data and has the same
protection treatment. Indonesia does not adopt the concept of sensitive
Extraterritoriality personal data either.
9 Is the reach of the law limited to PII owners and processors
of PII established or operating in the jurisdiction? DATA HANDLING RESPONSIBILITIES OF OWNERS OF PII

The EIT Law, as an umbrella regulation on data protection in Indonesia, Notification

has extraterritorial coverage and it applies to a foreign legal subject 13 Does the law require owners of PII to notify individuals whose
(with or without a legal presence) having legal effect in Indonesia. PII they hold? What must the notice contain and when must it
However, at the moment, the enforcement of the EIT Law and its imple- be provided?
menting regulations against a foreign entity on data protection related
matters is relatively remote. MoCI Regulation 20 require an ESO to notify the data subjects for the
processing of personal data, through which the ESO also obtains the
Covered uses of PII user’s consent. Other than the requirement that the consent needs to be
10 Is all processing or use of PII covered? Is a distinction made in writing (either manually or electronically) and be prepared in Bahasa
between those who control or own PII and those who provide Indonesia, MoCI Regulation 20 does not expressly regulate the content
PII processing services to owners? Do owners’, controllers’ of the consent. In practice, the notification usually covers the collected
and processors’ duties differ? information, processing purposes and activities, the possibility to share
or transfer collected information, access towards collected information,
There is no specific definition of ‘processing’ under MoCI Regulation 20. contact details of the ESO and so on.
However, for processing purpose, MoCI Regulation 20 actually adopts
reference to certain operations on personal data within the electronic Exemption from notification
system that can be regarded as processing of personal data, namely, 14 When is notice not required?
collection, analyses, processing, storage, display, announcement, trans-
mission, disclosure, access or disposal of personal data or information. See question 5.
With respect to the parties involved in the processing, unlike in
some other jurisdictions, there is no distinction is made between those Control of use
who control personal data and those who provide services to process 15 Must owners of PII offer individuals any degree of choice
personal data on behalf of the controller. Therefore, ESOs have the or control over the use of their information? In which
responsibility to comply with data protection regulations. circumstances?

There are no express provisions in the PII protection regulations that

compel ESOs to offer data subjects a degree of choice of control over
the use of their PII. However, MoCI Regulation 20 regulates that data
subjects are entitled to the confidentiality of their PII. Data subjects
may inform the ESO which of their PII must be kept confidential or

www.lexology.com/gtdt 121
© Law Business Research 2019
 Indonesia AKSET Law

non-confidential. The data subjects are also allowed to revoke their SECURITY
consent and to request that their PII be deleted.
Security obligations
Data accuracy 20 What security obligations are imposed on PII owners and
16 Does the law impose standards in relation to the quality, service providers that process PII on their behalf?
currency and accuracy of PII?
Under GR 82 and MoCI Regulation 20, an ESO has a general obligation
MoCI Regulation 20 provides that PII collection and processing must be to maintain confidentiality, implement adequate security and organisa-
confined only to relevant information in accordance with the purpose tional measure, and develop internal data protection policy. In addition,
of the collection of the PII and must be done accurately. Management, for the purpose of security measure for PII protection, MoCI Regulation
analysis and storage of PII by an ESO must be done only after the PII has 20 requires the following:
verified its accuracy. The ESO is obligated to maintain the accuracy of • an electronic system that is used for obtaining and collecting PII
PII from collection until its deletion. Further, data subjects are entitled must have the capacity of interoperability and compatibility;
to renew or amend their PII stored without distressing the PII manage- • electronic systems must use legal software;
ment system. • electronic systems used in the process must be certified;
• PII which is stored in an electronic system must be in the form of
Amount and duration of data holding encrypted data;
17 Does the law restrict the amount of PII that may be held or • storage of PII in an electronic system must be performed in accord-
the length of time it may be held? ance with the provisions regarding the procedures and facilities for
securing the electronic system;
Data subjects are entitled to request the ESO delete their PII, and the • an ESO shall use (establish or rent) a data centre and disaster
ESO must do so accordingly. If the data subject does not request such recovery centre located within the territory of Indonesia (for an
deletion, under MoCI Regulation 20, an ESO shall comply with a five-year electronic system for public purposes) and fulfil the minimum
minimum statutory retention period or as otherwise required by the standards in information technology systems, information tech-
relevant supervisory authority. This retention period is calculated from nology risk management, information technology safeguards,
the moment the data subject terminates the use of services of the ESO.  resistance to system faults and failure, and transfer of information
Following the expiration of the retention period, the ESO may delete technology system management;
the relevant personal data, unless the ESO determines that the personal • an ESO is required to notify the data subject if the ESO’s security
data is still required to be kept and used in accordance with the purpose system has been breached; and
for which it has been processed. For the latter, the ESO shall obtain • for overseas transfer of PII, in addition to the general conditions
consent from the data subject and shall provide sufficient information to obtain consent, MoCI Regulation 20 requires a party to (i) coor-
on why the ESO retains the relevant personal data (ie, the information dinate with the MOCI or authorised institutions; and (ii) implement
on the category of personal data and the purpose of the processing). relevant regulations regarding offshore transfer of PII.

Finality principle In addition, according to MoCI Regulation 4, there is a mandatory

18 Are the purposes for which PII can be used by owners certification for an electronic system having a high-level and strategic
restricted? Has the ‘finality principle’ been adopted? function (ie, related to sectoral or regional interest, public interest,
national defence and security).
Yes, the PII shall serve the purpose for which it was collected, as noti-
fied to the data subject. An ESO shall also ensure that the processing of Notification of data breach
PII shall be in line with the specific purpose that has been consented to 21 Does the law include (general or sector-specific) obligations
the data subject. to notify the supervisory authority or individuals of data
breaches? If breach notification is not required by law, is it
Use for new purposes recommended by the supervisory authority?
19 If the finality principle has been adopted, how far does the
law allow for PII to be used for new purposes? Are there With respect to data breach situation, there is no specific guidance on
exceptions or exclusions from the finality principle? the scope of a data breach (eg, accidental or unauthorised access, loss
of personal data, etc).
MoCI Regulation 20 does not recognise the concept of finality principle. As a general reference with respect to security incidents in an
There is no guidance on whether separate consent shall be prepared electronic system, article 20(3) of GR 82 specifically requires an ESO to
and obtained for multiple or new purposes of processing personal data. notify law enforcement authorities or the relevant sectoral supervisory
Ideally, to ensure legitimate processing, a separate new notice and and regulatory agency (eg, banking or other financial service sector in
consent would be required if the ESO intends to collect, use, disclose the event of failure or disturbance of an electronic system caused by
or transfer the PII for new purposes other than those for which the data outsiders, which results in a serious risk to the electronic system (eg,
subject had given consent. the system not functioning properly). Therefore, not every security inci-
dent requires notification to the authority.
In addition, a strict interpretation of a relevant provision in GR 82
implies that the obligation to notify would be limited to a security incident
that involves a third party – that is, attack from outsider to the server(s),
which may, among other matters, relate to personal data breaches.
However, in practice, breach of personal data does not necessarily result
from a security incident (ie, attack by an outsider), but could also be the
result of inadequate internal measures (eg, an accidental disclosure

122 Data Protection & Privacy 2020

© Law Business Research 2019
AKSET Law Indonesia

of personal data due to negligence of the internal staff responsible to New processing regulations
maintain the confidentiality and protection of personal data). 24 Are there any obligations in relation to new processing
Separate from the requirement under GR 82 on the notification operations?
obligation for security incidents caused by an outsider, GR 82 requires
an ESO to notify a data subject (individual) in writing, in the event of There are no obligations in the relevant regulations for an ESO to imple-
a personal data breach within its electronic system. GR 82 does not ment data protection by design and by default or to implement a privacy
require an ESO to notify law enforcement authorities or the relevant impact assessment. However, MoCI Regulation 20 does require an ESO
sector supervisory or regulatory agency about a data breach. to implement certain technical and organisational measures when
MoCI Regulation 20 requires that relevant written notification to processing personal data.
the data subject shall be made  within 14 days of the ESO becoming
aware of a data breach, and the ESO shall ensure that the data subject REGISTRATION AND NOTIFICATION
receives the notification if the data breach may potentially cause losses
to the data subject. However, there are no specific criteria for an occur- Registration
rence to be considered as a ‘loss’ under MoCI Regulation 20. 25 Are PII owners or processors of PII required to register with
Like GR 82, there is no specific provision in MoCI Regulation 20 the supervisory authority? Are there any exemptions?
that requires an ESO to also provide notification about security incidents
associated with a personal data breach situation to law enforcement Other than the obligation to obtain a registration certificate as an elec-
authorities or the relevant sectoral supervisory or regulatory agency at tronic system operator for an ESO for public purposes, there is presently
the same time as the notification to the affected data subject. no obligation under the prevailing regulations for an ESO that collects
MoCI Regulation 20 further stipulates that the notification may be and processes personal data to be registered with the MoCI.
delivered electronically to the data subject, provided that consent has
been given for such method by the data subject concerned. In light of Formalities
specific communication channel to notify the data subject, since MoCI 26 What are the formalities for registration?
Regulation 20 is silent on this matter, it is advisable for the ESO to
implement several communication channels (ie, email, direct message, See question 25.
etc) directly to the affected data subject for the purpose of ensuring that
the message is properly received by the relevant individual. Penalties
For data breach notification, MoCI Regulation 20 only provides 27 What are the penalties for a PII owner or processor of PII for
minimum mandatory information that needs to be included in the failure to make or maintain an entry on the register?
notification. In this regard, article 28 (c)(1) of MoCI Regulation 20 only
specifically requires information on the reasons for the data breach See question 25.
to be included in the notification to the data subject. Meanwhile, other
relevant information such as: Refusal of registration
• the types of personal data and approximate numbers of the affected 28 On what grounds may the supervisory authority refuse to
data subject; allow an entry on the register?
• the impact of data breach; and
• any security measures that the ESO has implemented or will See question 25.
implement to handle the data breach situation is not specifically
requested to be mentioned in the notification. Since the foregoing Public access
information is normally mentioned in the data breach notification, if 29 Is the register publicly available? How can it be accessed?
possible, it is advisable for an ESO to include that relevant informa-
tion in its standard data breach notification.  See question 25.

INTERNAL CONTROLS Effect of registration

30 Does an entry on the register have any specific legal effect?
Data protection officer
22 Is the appointment of a data protection officer mandatory? See question 25.
What are the data protection officer’s legal responsibilities?
Other transparency duties
There is no requirement for an ESO to have a dedicated data protection 31 Are there any other public transparency duties?
officer in Indonesia. However, MoCI Regulation 20 requires an ESO to
provide a contact person who is accessible to respond to any communi- There is presently no requirement for an ESO to make public statements
cation request from a data subject. related to its processing activities.

Record keeping TRANSFER AND DISCLOSURE OF PII

23 Are owners or processors of PII required to maintain
any internal records or establish internal processes or Transfer of PII
documentation? 32 How does the law regulate the transfer of PII to entities that
provide outsourced processing services?
As part of its effort to maintain the security of its electronic system, an
ESO is required to implement internal guidelines or policy for the collec- There is no specific provision under MoCI Regulation 20 that governs
tion, processing, and transfer of personal data and implement an audit outsourced processing services. In this context, a general requirement
record related to the provision of its electronic system. to obtain consent shall also be applicable to this outsourcing service.

www.lexology.com/gtdt 123
© Law Business Research 2019
 Indonesia AKSET Law

Should the outsourcing services involve transnational data transfer, entitled to obtain the history of their personal data that was shared to
certain requirements need to be complied with (see questions 34 and 35). third parties.

Restrictions on disclosure Other rights

33 Describe any specific restrictions on the disclosure of PII to 38 Do individuals have other substantive rights?
other recipients.
See question 37.
Other than a general requirement to obtain consent and to comply with
relevant provisions related to PII protection (ie, based on prior consent, Compensation
the collected data must have been verified, and the action must comply 39 Are individuals entitled to monetary damages or
with the purpose of limitation principle), there are no specific restric- compensation if they are affected by breaches of the law? Is
tions on the transfer of personal data within Indonesia. actual damage required or is injury to feelings sufficient?

Cross-border transfer MoCI Regulation 20 provides the right to claim for damages if an ESO
34 Is the transfer of PII outside the jurisdiction restricted? fails to comply with the consent regime. In addition, in the event of a
data breach, a data subject may also file a claim to Ditjen Aptika if an
Other than the general requirement of permissible data transfer as ESO fails to notify the data subject in writing about a data breach (see
mentioned in question 33 and the compliance of coordination require- question 21) or if there is a loss resulting from a data breach situation.
ment (see question 35), the transfer of PII outside Indonesia does not For the latter, although MoCI Regulation 20 does not specifically
require an ESO to implement specific regulations regarding offshore mention the criteria of loss, under the Indonesian Civil Code, liability
transfer of personal data. to compensate damages based on tort (unlawful act) can be enforced
At the time of writing, there is no restriction on transferring if certain criteria are fulfilled – namely, an unlawful act, losses (ie,
personal data to any country abroad nor a requirement that personal actual loss, reputations have been damaged or that the PII owner has
data shall be adequately protected when being transferred outside lost commercial opportunities), and causal relationship between the
Indonesia. Neither has the Indonesian government entered into any unlawful act and the losses.
arrangement with another country to set any ‘safe harbor’ scheme or
similar arrangement related to the transfer of personal data outside Enforcement
Indonesia. 40 Are these rights exercisable through the judicial system or
enforced by the supervisory authority or both?
Notification of cross-border transfer
35 Does cross-border transfer of PII require notification to or For the claim to be submitted to Ditjen Aptika, the intention is to resolve
authorisation from a supervisory authority? the claim amicably or by way of alternative dispute resolutions. In
any case, the PII owner has the rights to seek the recovery of mone-
Cross-border transfer of PII does not require prior authorisation, but it tary damages or compensation through the judicial system in a civil
does trigger a requirement to coordinate with MoCI as required under proceeding.
MoCI Regulation 20, by way of submitting a report of an overseas
transfer of personal information both before and after conducting the EXEMPTIONS, DEROGATIONS AND RESTRICTIONS
transfer. Such report shall include at least information on the desig-
nated country, recipient, date of transfer, and reason or purpose of Further exemptions and restrictions
the transfer. If necessary, an ESO may also request advocacy assis- 41 Does the law include any derogations, exclusions or
tance from the MoCI, particularly for obtaining clarity on transnational limitations other than those already described? Describe the
personal data flows before submitting the relevant report to the MoCI. relevant provisions.

Further transfer There is no additional derogation, exclusions or limitation other than

36 If transfers outside the jurisdiction are subject to restriction those already described (see question 5).
or authorisation, do these apply equally to transfers to
service providers and onwards transfers? SUPERVISION

Requirements similar to those mentioned in question 34 are applicable Judicial review

to the onward transfer of PII to service providers. 42 Can PII owners appeal against orders of the supervisory
authority to the courts?
RIGHTS OF INDIVIDUALS
Although no specific provision in MoCI Regulation 20 mentions the
Access possibility for a PII owner appeal against an order of the supervisory
37 Do individuals have the right to access their personal authority, there is no restriction for a PII owner to take necessary action
information held by PII owners? Describe how this right can (ie, appeal to a court) if the PII owner is not satisfied with the order.
be exercised as well as any limitations to this right.

MoCI Regulation 20 stipulates that the PII owner shall have the rights to
access his or her personal data, which allows the PII owner to change,
add and update his or her personal data. Additionally, the regulation
opens an opportunity for deletion of data based on the request of PII
owner who has intentionally revoked the consent. PII owner is also

124 Data Protection & Privacy 2020

© Law Business Research 2019
AKSET Law Indonesia

SPECIFIC DATA PROCESSING

Internet use
43 Describe any rules on the use of ‘cookies’ or equivalent
technology.

Specific rules on the use of ‘cookies’ are not mentioned in any regula-
tions related to data protection in Indonesia. However, the current broad
interpretation of personal data may likely include ‘cookies’ as personal
data. Hence, while there might be no expectation for an ESO or the data Abadi Abi Tisnadisastra
atisnadisastra@aksetlaw.com
subject that the information on the cookies should be treated as private
information, the use of such technology may require compliance with Prihandana Suko Prasetyo Adi
MoCI Regulation 20. pprasetyoadi@aksetlaw.com
Filza Adwani
Electronic communications marketing
fadwani@aksetlaw.com
44 Describe any rules on marketing by email, fax or telephone.

There are presently no specific rules on marketing by email in Indonesia. 29th Floor, The Plaza Office Tower
Jl M H Thamrin Kav 28-30
However, as the ITE Law acknowledges, the concept of privacy, at the
Jakarta – 10350
minimum, the general requirement to conduct marketing based on
Indonesia
consent would apply. On the other hand, there is a prohibition for a Tel: +62 21 2992 1515
telecommunications content provider or network operator to offer or www.aksetlaw.com
facilitate the offer of certain content to consumers if the consumers do
not agree to receive the content.

Cloud services type of data. Based on the current draft, there will be three possible
45 Describe any rules or regulator guidance on the use of cloud data classifications – namely, strategic data, high-risk data and low-risk
computing services. data. Low-risk data that is not regarded as strategic data or high-risk
data may be stored offshore so long as it can be accessed in Indonesia
Given the broad definition of electronic system that includes cloud (sectoral regulation may determine otherwise).
infrastructure, the processing of personal data within cloud-based infra- Note that the PII Bill and draft government regulation to amend
structure shall also be subject to the requirements to provide adequate GR 82 are still being finalised and the substance of the PII Bill and the
security measures and prevent any possible data breach. proposed amendment of GR 82 remains to be seen.
In addition, although the current legislation does not provide any
guidance on the use of cloud-based technology with respect to the
processing of personal data, as a general rule, storing personal data in
the cloud may also constitute a transfer of personal data (either national
or transnational transfer) depending on the location of the cloud’s
server. An ESO for the public purpose must maintain a data centre and
data recovery centre within Indonesia.
For data sharing or data transfer arrangements with a cloud-based
provider, there is no specific obligation under the Indonesian regulatory
framework for the data collector to have a contract for the processing of
personal data by way of a processor. In essence, when a data collector
and a cloud-based provider have an arrangement to process personal
data, the cloud-based provider would be regarded merely as an ESO
rather than a data processor acting under the instruction of a data
collector. In this case, both companies bear the responsibility to be an
ESO and will be required to meet their obligations under the EIT Law, GR
82 and MoCI Regulation 20.

UPDATE AND TRENDS

Key developments of the past year

46 Are there any emerging trends or hot topics in international
data protection in your jurisdiction?

In addition to the discussion of the PII Bill, the MoCI is in the process
of amending several provisions in GR 82, including relevant provisions
related to data localisation.
In brief, the proposed revision on the assessment of data locali-
sation requirement will not automatically require ESOs to establish a
data centre or disaster recovery centre. However, it will depend on the

www.lexology.com/gtdt 125
© Law Business Research 2019
Other titles available in this series
Acquisition Finance Distribution & Agency Islamic Finance & Markets Real Estate M&A
Advertising & Marketing Domains & Domain Names Joint Ventures Renewable Energy
Agribusiness Dominance Labour & Employment Restructuring & Insolvency
Air Transport e-Commerce Legal Privilege & Professional Right of Publicity
Anti-Corruption Regulation Electricity Regulation Secrecy Risk & Compliance
Anti-Money Laundering Energy Disputes Licensing Management
Appeals Enforcement of Foreign Life Sciences Securities Finance
Arbitration Judgments Litigation Funding Securities Litigation
Art Law Environment & Climate Loans & Secured Financing Shareholder Activism &
Asset Recovery Regulation M&A Litigation Engagement
Automotive Equity Derivatives Mediation Ship Finance
Aviation Finance & Leasing Executive Compensation & Merger Control Shipbuilding
Aviation Liability Employee Benefits Mining Shipping
Banking Regulation Financial Services Compliance Oil Regulation Sovereign Immunity
Cartel Regulation Financial Services Litigation Patents Sports Law
Class Actions Fintech Pensions & Retirement Plans State Aid
Cloud Computing Foreign Investment Review Pharmaceutical Antitrust Structured Finance &
Commercial Contracts Franchise Ports & Terminals Securitisation
Competition Compliance Fund Management Private Antitrust Litigation Tax Controversy
Complex Commercial Gaming Private Banking & Wealth Tax on Inbound Investment
Litigation Gas Regulation Management Technology M&A
Construction Government Investigations Private Client Telecoms & Media
Copyright Government Relations Private Equity Trade & Customs
Corporate Governance Healthcare Enforcement & Private M&A Trademarks
Corporate Immigration Litigation Product Liability Transfer Pricing
Corporate Reorganisations High-Yield Debt Product Recall Vertical Agreements
Cybersecurity Initial Public Offerings Project Finance
Data Protection & Privacy Insurance & Reinsurance Public M&A
Debt Capital Markets Insurance Litigation Public Procurement
Defence & Security Intellectual Property & Public-Private Partnerships
Procurement Antitrust Rail Transport
Dispute Resolution Investment Treaty Arbitration Real Estate

Also available digitally

lexology.com/gtdt

ISBN 978-1-83862-146-9

© Law Business Research 2019