With the implementation of Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), both personal data controllers and personal data processors are mandated to provide external notification to personal data subjects, demonstrating organizational transparency in handling personal data. This notification, commonly known as a privacy notice, is typically accessible on the personal data controller’s or personal data processor’s website, mentioned either as a privacy notice or privacy policy.
A privacy notice serves as an external document, informing visitors about the utilization of their data and outlining their data privacy rights. Meanwhile, a privacy policy functions as an internal document that governs the organization’s procedures for implementing personal data protection. This privacy policy delineates guidelines for employees on safeguarding the personal data of customers or third parties.
It is noteworthy that while there are essential differences between the functions/purposes, as well as the information included in a privacy policy and a privacy notice, the terms can still be confused and are often used interchangeably. Despite this confusion, personal data controllers and personal data processors should still develop both documents as best practice to comply with the PDP Law and protect the data privacy rights of personal data subjects.
Requirements for privacy notices in Indonesia
As previously mentioned, the PDP Law outlines the obligations of personal data controllers and personal data processors to inform personal data subjects through the development of a privacy notice. The PDP Law specifies the minimum information that must be included in a privacy notice, comprising:
- The legality of the processing of the personal data;
- The purpose of processing personal data;
- The type and relevance of the personal data to be processed;
- The retention period for documents containing the personal data;
- Details regarding the information that is collected;
- The period in which the personal data is processed; and
- The rights of the personal data subjects.
Additionally, the Indonesian Government has drafted a Bill of Government Regulation on the implementation of the PDP Law, which further elaborates on the minimum required information in a Privacy Notice. This information includes:
- Identity of Personal Data Controller and/or Personal Data Processor;
- Source of collection and purpose of sending Personal Data;
- Basis for processing Personal Data;
- Purposes of processing Personal Data;
- Type of Personal Data;
- Legal basis for use of Personal Data;
- The period of time that Personal Data will be used;
- The period of time Personal Data will be stored;
- The period of time after which Personal Data will be destroyed;
- How Personal Data is stored and managed;
- Information on the Party that will use the Data in the event that the Personal Data Controller involves the Personal Data Processor;
- The mechanism for consent and withdrawal of consent, where the processing of Personal Data is carried out on the basis of explicit valid consent from the Personal Data Subject and the fulfillment of contractual obligations;
- Mechanism for obtaining access and/or copies;
- Mechanism for submitting objections;
- Mechanisms for access, copying, verification, and correction of Personal Data;
- Security measures to protect Personal Data.
It is the responsibility of Personal Data Controllers and Processors to ensure that Privacy Notices are easily accessible to Personal Data Subjects. This obligation applies before and during the processing of Personal Data. Furthermore, in case of any changes in the information provided, the Personal Data Controller must notify the Personal Data Subject before such changes occur.
Requirements of privacy policy in Indonesia
While the PDP Law currently does not explicitly mandate the development of a Privacy Policy for Personal Data Controllers and Personal Data Processors, the current draft Bill of Government Regulation on the Implementation of the PDP Law introduced by the Indonesian Government requires both Personal Data Controllers and Personal Data Processors to develop an internal policy, procedure, and/or guideline for managing requests from Personal Data Subjects concerning their rights.
Despite the absence of a specific requirement in the PDP Law, both Personal Data Controllers and Personal Data Processors should develop a Privacy Policy. Such a Privacy Policy may ensure the fulfilment of Personal Data Subject rights as stipulated by the PDP Law. Moreover, a Privacy Policy is essential for organizations seeking ISO 27701 certification, an international standard that defines management systems and requirements for processing Personal Data.
The format of the privacy policy may vary according to organizational standards but should, at a minimum, include:
- Purpose: Clearly stating the organization’s privacy objectives and elucidating how the policy contributes to achieving them.
- Scope: Defining the boundaries of the policy and specifying the individuals or entities to which it applies.
- Risks and Responsibilities: Outlining the roles and responsibilities concerning privacy and data protection within the organization. This section should clarify the consequences of policy violations on compliance and business operations, including potential disciplinary actions for staff failing to fulfill their responsibilities.
The Privacy Policy must be published and effectively communicated within the organization to ensure that all employees and stakeholders are aware of their responsibilities and obligations outlined therein.
How to prepare a privacy notice and privacy policy
If you are engaged in Personal Data processing activities as either a Personal Data Controller or a Personal Data Processor, there are several approaches to developing a Privacy Notice and Privacy Policy:
- Engage with External Consultants
Seeking assistance from external consultants can streamline the process of creating a legally compliant Privacy Notice and Privacy Policy. These consultants will tailor solutions to your specific needs, ensuring that the resulting documents adhere to all relevant Indonesian laws and regulations.
- Use a Template
Utilize templates provided by consultants or other reputable sources, allowing you to customize them according to your requirements. This method saves time and effort by providing a framework that aligns with legal requirements, reducing the risk of non-compliance with the PDP Law and other applicable regulations.
- DIY (Do It Yourself)
For those who prefer a hands-on approach, creating a privacy notice or policy from scratch is an option. However, it’s essential to ensure that all legally necessary information is included. This can be achieved by referencing reliable sources and staying informed about current legal requirements to avoid any inadvertent violations of the PDP Law or other regulations.
About Us
ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.