The officer is appointed based on their legal knowledge, personal data protection practices, professionalism, and capability to fulfil this role. If the data controller or processor is processing personal data for the interest of the public, supervising personal data on a large scale, or processing personal data related to criminal activities, then they must appoint a data protection officer. In the event neither of the above provisions can be satisfied, the data controller must obtain the consent of the data subject to transfer their personal data abroad.In the event that the above provision can be satisfied, the data controllers must ensure there is adequate personal data protection, and which is binding in nature or.The country which the data controller is receiving the personal data has an equal or higher personal data protection mechanisms to Indonesia.The new law permits data controllers to transfer personal data to data controllers located outside of Indonesia if: Outside the jurisdiction of Indonesia but has a legal impact on the jurisdiction of Indonesia or data subjects who are Indonesian citizens located outside of the country’s jurisdiction.Within the jurisdiction of Indonesia or.The PDP Law applies to any person, public body, or international organization carrying out activities within the scope of the PDP Law, and located: The supervision of the financial services sector.Public interest in the context of state administration or.National defense and security purposes.Furthermore, other exemptions for the processing of personal data include for: The PDP Law is not applicable for the processing of personal data for personal or household activities. Public task: The implementation of tasks in the context of public interest or services, carried out by the data controller in accordance with Indonesian laws and regulations.ĭata controllers are required to present evidence of the consent being granted by the data subject when processing the personal data.Legitimate interest: The fulfillment of other legitimate interests by observing the balance between the data controller’s interest and the rights of the data subject or.Consent: An explicit consent obtained from the data subject which relates to one or more of the purposes that has been explained to the data subject.Vital interest: Protection of the data subject’s vital interest.Legal obligation: The satisfaction of a legal obligation in accordance with Indonesian laws and regulations.Contract: The obligation in an agreement where the personal data subject is a party to or to satisfy the requirement for personal data when entering into an agreement.The PDP Law has broadened the legal alternatives for processing personal data. Under previous prevailing laws, consent from owners was the only recognized legal basis for obtaining personal data. Personal data processorsĭata processors is any person, public body, or organization acting to exercise control over the processing of personal data on behalf of data controllers.ĭata controllers and processors must ensure the accuracy and security of the processed personal data. Personal data controllersĭata controllers is any person, public body, or organization acting to exercise control over the processing of personal data. They can also request that any incorrect personal data be corrected and can withdraw their consent for the processing of their personal data. Data subjects are entitled to information as to why their personal data is being requested and how it will be utilized.
The PDP Law introduces the term ‘personal data subject’ which is defined as a person to whom the personal data belongs to. What are the key features of Indonesia’s Personal Data Protection Law? Personal data subjects, controllers, and processors Data subjects Furthermore, according to a report by Interpol, Indonesia experienced more ransomware attacks than any other country in Southeast Asia.īefore the PDP Law, rules governing the use of personal data were scattered across different laws which made it difficult for consumers to hold businesses accountable for misusing their personal data. The number of cyberattacks against Indonesian citizens and institutions in the first quarter of 2022 alone was recorded at 11.8 million, an increase of 22 percent from the same period in 2021. The law imposes corporate fines of up to two percent of a company’s annual revenue for cases of data leaks, and individuals can also face a fine of up to 6 billion rupiah (US$400,000).
Under Indonesia’s new Personal Data Protection Law, local businesses as well as international companies will be liable for the way they handle the data of Indonesian consumers.
0 kommentar(er)
