Law No. 27 of 2022 regarding Personal Data Protection (PDP Law), the main legislation in Indonesia concerning the protection of personal information (PI), does not specify the retention period to which personal data controllers must adhere.
However, the law does stipulate that personal data shall be destroyed or deleted after the expiry of the retention period or at the request of the personal data subject, unless otherwise stipulated by laws and regulations.
Further, any data stored within an electronic system may be destroyed only:
- after the lapse of the regulatory data retention period under MOCI Regulation 20/2016 or any other regulation issued by the relevant authority; or
- upon the request of the data subject, unless otherwise governed under laws and regulations.
In addition, Minister of Communication and Informatics (MOCI) Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (MOCI Regulation 20/2016) provides that electronic service providers (ESPs) must retain personal data for a minimum of five years unless stipulated otherwise by sectoral regulations. Data may be retained beyond the five-year period if it is to be used following its initial purpose.
Consent is also required for the deletion of data, which is considered part of data processing. In practice, the form of consent that data subjects are required to provide to an ESP is worded as broadly as possible to cover all types of data processing.
For further information, please contact:
Rusmaini Lenggogeni, SSEK
rusmainilenggogeni@ssek.com