Highlighted Imposition of Administrative & Criminal Sanctions of Violating Indonesian Personal Data Protection Law
21 February 2023
MCO News Network: Ayu Mawar Rini & Rafael Anugerah Ari P
Data Protection, Business, Regulation Updates
The Indonesian Personal Data Protection Law (Law Number 27 of 2022 concerning Personal Data Protection, hereinafter referred to as the PDP Law) imposes two kinds of sanctions on Each Person, whether an individual or a Corporation.
![Highlighted Imposition of Administrative & Criminal Sanctions of Violating Indonesian Personal Data Protection Law](https://static.wixstatic.com/media/4377ec_46ba0d40003545e39de19f1205abdbb6~mv2.jpg/v1/fill/w_394,h_402,al_c,q_80,usm_0.66_1.00_0.01,enc_avif,quality_auto/4377ec_46ba0d40003545e39de19f1205abdbb6~mv2.jpg)
Indonesia's Personal Data Protection (PDP) Law establishes a comprehensive framework for safeguarding personal data and ensuring accountability for those who process it. The law, officially enacted on October 17, 2022, came into full effect on October 17, 2024, marking a significant step in enhancing data protection in Indonesia.
The PDP Law outlines administrative sanctions for non-compliance, including written notices, temporary suspension of data processing, deletion of data, and fines. These penalties serve as important enforcement tools to ensure organizations adhere to data protection principles and respect individuals' privacy rights.
This article provides an overview of the administrative sanctions under the PDP Law, detailing specific violations that may result in penalties. Understanding these sanctions is essential for businesses and data controllers to ensure compliance and avoid legal repercussions.
In addition to administrative penalties, the law also introduces criminal sanctions for more serious violations, applying to both individuals and corporations. These measures underscore the importance of safeguarding personal data and the serious consequences for non-compliance.
Administrative Sanctions
The PDP Law empowers designated institutions to impose administrative sanctions for non-compliance. These sanctions include:
Written notice
Temporary suspension of Personal Data processing activities
Deletion or destruction of Personal Data
Administrative fines, up to 2% of the annual income or revenue for violations, with specific details to be regulated in a Government Regulation.
According to Article 57 of the PDP Law, administrative sanctions may be imposed for the following violations:
Lack of lawful basis for processing
If the Personal Data Controller (PDC) lacks the required basis for processing (Article 20(1)).
Failure to inform Personal Data Subjects
If the PDC does not notify the data subject about the processing details, such as purpose, retention, or rights (Article 21(2)).
Proof of consent
If the PDC cannot provide proof of consent from the data subject (Article 24).
Failure to obtain parental/guardian consent
For processing data of children or individuals with disabilities without proper consent (Article 25(2), Article 26(3)).
Non-compliance with limited and transparent processing
If the PDC does not follow lawful, transparent, and specific processing guidelines (Article 27).
Failure to ensure data accuracy
If the PDC or Processor does not ensure the completeness, accuracy, or consistency of the Personal Data (Article 29(1)).
Failure to update or correct errors
If the PDC does not update or correct inaccuracies within 3 x 24 hours upon receiving the request (Article 30(1)).
Failure to provide access
If the PDC does not grant access to the Personal Data Subject (Article 32(1)).
Failure to assess high-risk processing activities
If the PDC does not carry out an impact assessment for high-risk data processing (Article 34(1)).
Failure to ensure security
If the PDC or Processor does not take adequate measures to secure the Personal Data (Article 37).
Failure to notify breaches
If the PDC does not notify the data subject or relevant institutions of data breaches within 3 x 24 hours (Article 46).
The above violations are subject to potential sanctions such as suspension, fines, and the deletion of non-compliant Personal Data. Additional violations may include failure to notify data subjects about data processing, failure to protect data security, and non-compliance with international data transfer regulations.
Criminal Sanctions
In addition to administrative sanctions, the PDP Law imposes criminal penalties on individuals and corporations that violate its provisions. Criminal sanctions include:
For Individuals
Unlawfully obtaining or collecting Personal Data for personal gain or causing harm to the data subject (Article 65(1)):
Imprisonment: Up to 5 years
Fines: Up to IDR 5 billion
Disclosing Personal Data without authorization (Article 65(2)):
Imprisonment: Up to 4 years
Fines: Up to IDR 4 billion
Using Personal Data unlawfully for personal gain (Article 65(3)):
Imprisonment: Up to 5 years
Fines: Up to IDR 5 billion
Falsifying Personal Data (Article 66):
Imprisonment: Up to 6 years
Fines: Up to IDR 6 billion
Additional penalties include confiscation of profits and/or assets from criminal acts, and the obligation to pay compensation to affected parties.
For Corporations
Corporations can face sanctions similar to those for individuals, with additional penalties tailored for corporate entities:
Fines
10 times the maximum fine for individuals, e.g., up to IDR 50 billion for unlawful collection of data.
Other corporate penalties include:
Suspension of business activities
Prohibition from performing certain actions
Closure of business premises
License revocation
Dissolution of the corporation
Criminal sanctions for corporations can also be extended to management, controllers, and other responsible parties. In case of non-compliance, these entities may face both direct and indirect penalties.
Conclusion
The Personal Data Protection (PDP) Law in Indonesia, which came into full effect on October 17, 2024, represents a major shift in how personal data is managed and protected. With its clear set of administrative sanctions for non-compliance, including fines, data suspension, and deletion, the law aims to enforce accountability and ensure that organizations respect individuals' privacy rights.
The law’s comprehensive framework not only emphasizes the importance of securing personal data but also outlines strict penalties for violations, signaling the government’s commitment to protecting personal data in an increasingly digital world. Additionally, the introduction of criminal sanctions for serious offenses highlights the gravity of non-compliance, both for individuals and corporations.
As businesses and organizations adjust to the requirements of the PDP Law, understanding and implementing proper data protection measures is essential to avoid legal consequences and build consumer trust. With the law now in full force, organizations must prioritize compliance to safeguard personal data and align with global standards of privacy protection.
Disclaimer:
This insight does not constitute any legal advice.
This publication is provided for informational purposes only. Any use or reliance on material on this page shall be borne at each user’s risk.