Indonesia Data Protection: What Categories And Types Of Personal Information Are Covered By The Law?
Pursuant to Law No. 27 of 2022 regarding Personal Data Protection (PDP Law), personal data is understood as all data concerning a person who is identified or may be identified, independently or when combined with other information, either directly or indirectly, through an electronic or non-electronic system.
The PDP Law recognizes two types of personal data: general personal data and specific personal data. Specific personal data is personal data that, if processed, may have a greater impact on the personal data subject, including discrimination and enhanced losses.
Specific personal data consists of data regarding:
- health;
- biometric data;
- genetic data;
- criminal record;
- children’s data;
- personal financial data; and
- any other data as may be applicable.
General personal data includes a person’s full name, gender, nationality, religion, marital status and personal data that may be combined to identify a person.
In addition, the Electronic Information Law (Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended by Law No. 19 of 2016) defines personal data as certain personal data that is stored or cultivated, with its accuracy maintained and confidentiality protected.
Government Regulation No. 71 of 2019 regarding the Provision of Electronic Systems and Transactions further defines personal data as any data relating to an identified or identifiable person, whether on its own or when combined with other information, directly or indirectly, through electronic and non-electronic systems.
Extraterritoriality
The PDP Law provides that it is extraterritorial in scope and extends beyond Indonesia’s borders if individuals or entities residing outside of Indonesia engage in actions that have legal implications within Indonesia’s jurisdiction or affect Indonesian personal data subjects located outside of Indonesia. Nevertheless, we are unaware of any instances where the Indonesian government has enforced or sought to enforce personal data protection regulations on entities operating beyond the borders of Indonesia.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.
For further information, please contact:
Rusmaini Lenggogeni, SSEK
rusmainilenggogeni@ssek.com