Skip to content

Indonesia – Personal Data Protection Bill adopted

Lindenmann Cedric
Cedric Lindenmann

Senior Associate


View profile →

Sukirno Prasetyo
Prasetyo Sukirno

Senior Associate, Ginting & Reksodiputro in association with Allen & Overy


View profile →

Image of Agnes Guntara
Agnes Amelia Guntara



View profile →

27 September 2022

On 20 September 2022, the Parliament of Indonesia adopted the draft Law on the Protection of Personal Data (PDP Bill). Before becoming law, the PDP Bill needs to be ratified by the President and published in the Official Gazette.
The PDP Bill will modernise and harmonise Indonesia’s current data protection regulatory landscape. It provides for establishment of a personal data protection authority (the PDP Authority) which will be directly responsible to the President and have a broad range of power, ranging from enacting policy, supervising compliance to the PDP Bill and imposing administrative sanctions for breaches.  The bill also introduces familiar GDPR-like concepts, such as controller and processor roles, data protection officers, and sensitive data. The PDP Bill further creates rights of data subjects, including the right to be informed about processing of personal data, to access and rectify personal data, withdraw consent and restrict processing. It provides for various controller and processor obligations, including an obligation to report a personal data breach to the PDP Authority data subjects within 72 hours. 

Violations of the PDP Bill are subject to administrative fines of up to 2% of the company’s annual revenue and criminal sanctions of up to six years imprisonment or a fine of IDR 6 billion (approx. EUR 405,000) for certain offences.

The PDP Bill provides for a two-year period for organisations to become compliant.

The press releases are available here and here, the latest draft of the PDP Bill and the legislative file (all in Indonesian only).

Related expertise