Indonesia's Personal Data Protection Law (UU PDP)

What’s the Big Deal with This Law?

UU 27/2022, known as UU PDP, is Indonesia’s personal data protection law. It took effect on October 17, 2022, with a two-year grace period — meaning all Personal Data Controllers, Processors, and anyone handling personal data had until October 17, 2024 to comply.

Think of it as a bouncer for your data: it decides who gets access and who gets shown the door.

Why Did Indonesia Need This Law?

1. Global trend — The EU’s GDPR kicked this off in 2018; Indonesia is following suit
2. Digital boom — Indonesia’s internet user base is growing rapidly, and more users means more data at risk
3. Data breaches — Tokopedia, Cermati, Lazada (2020), BPJS Kesehatan (2021), PDNS (2024) were all wake-up calls
4. Economic ambition — Indonesia wants to be a digital economic powerhouse, and that requires public trust

What Counts as Personal Data?

General Personal Data — the everyday identifiers:

• Full name, gender, citizenship, religion, marital status
• Any combination of data that identifies a person

Sensitive Personal Data — requires extra protection:

• Health records (e.g. COVID test results)
• Biometric data (fingerprints, facial recognition)
• Genetic information
• Criminal records
• Children’s data
• Financial information (bank details, credit scores)

Your Rights Under This Law

As an individual, you have the right to:

• Know what data is being collected and why
• Access and correct your own data
• Request deletion when you withdraw consent
• Be notified if your data is breached

What Companies Must Do

1. Get explicit consent before collecting or processing personal data
2. Be transparent about purpose and use
3. Implement security measures to protect stored data
4. Provide data access — let users view and correct their information
5. Delete data when no longer needed or upon request
6. Report breaches to authorities and affected individuals within 72 hours
7. Appoint a Data Protection Officer (for organizations handling large volumes of sensitive data)

Penalties for Non-Compliance

• Administrative: Warnings, fines up to 2% of annual revenue
• Civil: Lawsuits from affected individuals for damages
• Criminal: Jail time for serious violations (unauthorized disclosure, falsification)

The Road Ahead

UU PDP is still relatively new and the regulatory body is still being established. Keep an eye on implementing regulations from Kominfo for more specific technical requirements.

The bottom line: this law puts control back in your hands. Next time a website asks for your personal information — you’ve got the law on your side.