Skip to main content

Indonesia Personal Data Protection Law (Law No. 27 of 2022)

Indonesia's Personal Data Protection Law (Law 27 of 2022) is the country's first comprehensive, GDPR-style privacy law. It requires a lawful basis, grants broad data subject rights, mandates 72-hour breach notification, and carries revenue-based fines and criminal penalties.

Jurisdiction
Indonesia

Indonesia Personal Data Protection Law (Law No. 27 of 2022)

Indonesia's Personal Data Protection Law, Law No. 27 of 2022, is the country's first comprehensive, cross-sectoral data protection statute. It was enacted and took effect on October 17, 2022, with a two-year transition period for organizations to achieve full compliance, putting full enforcement into effect from October 2024. The law is closely modeled on the European GDPR and replaces a patchwork of sector-specific rules.

Who It Applies To

The law applies to any person, public body, or international organization that processes the personal data of Indonesian data subjects. It has extraterritorial effect, reaching controllers and processors outside Indonesia whose processing has legal consequences within Indonesia or affects Indonesian data subjects. It distinguishes between general and specific (sensitive) personal data, with stronger protection for the latter.

Key Requirements

Processing must rest on a lawful basis, which can include consent, contract, legal obligation, vital interests, public duty, or legitimate interest. Consent must be explicit and obtained for clearly stated purposes. Data subjects have GDPR-style rights, including information, access, rectification, erasure, withdrawal of consent, objection to automated decision-making, and data portability. Controllers must notify affected data subjects and the relevant authority of a personal data breach within 72 hours. Many controllers must appoint a Data Protection Officer, conduct impact assessments for high-risk processing, and ensure adequate safeguards for cross-border transfers.

Penalties for Non-Compliance

The law provides for administrative sanctions, including written warnings, temporary suspension of processing, deletion of data, and administrative fines of up to 2 percent of a violator's annual revenue. It also establishes criminal penalties, including imprisonment and large fines, for offenses such as unlawful collection, disclosure, or use of personal data, and for falsifying data.

How to Comply

Identify lawful bases for all processing and obtain explicit consent where relied upon. Build mechanisms for the full set of data subject rights, appoint a Data Protection Officer where required, and implement 72-hour breach notification. Conduct impact assessments for high-risk activities and put safeguards in place for international data transfers.

Practical Notes

With the transition period concluded, Indonesian enforcement has moved into effect, and organizations should ensure lawful bases, consent records, and breach procedures are operational. The law contemplates a dedicated supervisory authority; until its structure fully settles, organizations should align to the statutory text and emerging guidance, prioritizing the 72-hour breach rule, DPO appointment, and impact assessments for high-risk processing.

Building a Durable Program

Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.