PDP Law
Personal Data Protection Law (Law No. 27 of 2022)
Law No. 27 of 2022 (UU PDP) is Indonesia's first comprehensive, cross-sectoral personal data protection statute, enacted in October 2022 with a two-year transition period that ended in October 2024. It draws heavily on the EU GDPR, defining general and sensitive personal data, data subject rights, and obligations for controllers and processors.
Who it applies to
All public and private entities, including those outside Indonesia, that process the personal data of Indonesian data subjects with legal effects in Indonesia or on those subjects.
Identity requirements
- Obtain a valid, explicit, and informed legal basis (such as consent) before processing personal data, with stricter handling for sensitive data
- Honor data subject rights including access, rectification, erasure, objection, and withdrawal of consent
- Appoint a Data Protection Officer for large-scale, systematic monitoring, or sensitive-data processing
- Notify affected data subjects and the authority of a personal data breach within 72 hours
- Maintain accountability records and implement appropriate technical and organizational security measures
- Observe conditions for cross-border transfers, ensuring the destination has an adequate or equivalent level of protection
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Requires a lawful basis and granular, withdrawable consent for processing personal data of customers and users. |
| Breach notification | Mandates notice to affected individuals and the authority within 72 hours of a personal data breach. |
| Data residency & cross-border transfer | Transfers abroad are permitted only where the receiving jurisdiction offers adequate or equivalent protection or safeguards exist. |
| Audit, logging & accountability | Controllers must keep processing records and demonstrate accountability for compliance. |
| Identity governance (IGA) | Organizations must enforce purpose limitation and access controls over who may process which personal data. |
Penalties
Administrative sanctions include fines up to 2 percent of annual revenue, while criminal provisions for unlawful collection, disclosure, or use of personal data carry imprisonment and fines up to several billion rupiah.
PDP Law: frequently asked questions
- When did Indonesia's PDP Law take full effect?
  - It was enacted in October 2022 with a two-year transition period that ended in October 2024, after which full compliance is expected.
- Which authority enforces the PDP Law?
  - A dedicated Personal Data Protection Agency is still being established; in the interim the Ministry of Communication and Digital Affairs coordinates enforcement preparations.
- Does the PDP Law apply to companies outside Indonesia?
  - Yes. It applies extraterritorially to processing that has legal effects in Indonesia or affects Indonesian data subjects.