INDONESIA Law and Practice Contributed by: Agus Ahadi Deradjat, Gustaaf Reerink and Adri Dharma, ABNR Counsellors at Law
The processing of personal data in Indonesia must have at least one of these lawful bases. The PDP Law applies extraterritorially to organisations that carry out legal actions, as regulated in the PDP Law, and are located: • within the jurisdiction of Indonesia; and/or • outside the jurisdiction of Indonesia but subject to legal consequences (i) in Indonesia or (ii) in con - nection with the personal data of an Indonesian citizen. The EIT Law applies to any Indonesian citizens, foreign nationals or legal entities that carry out legal actions, as stipulated in the EIT Law, both within and outside Indonesia, which have legal consequences within or outside Indonesia and harm/affect the public interest in Indonesia. The PDP Law also allows cross-border personal data transfer offshore from Indonesia, provided that it com - plies with the following requirements: • the country receiving the transfer of personal data has an equal or higher level of personal data protection than that afforded under the PDP Law (“Adequacy of Protection”); • in the absence of Adequacy of Protection, an adequate level of binding personal data protection must be available (“Appropriate Safeguards”); and • in the event that neither Adequacy of Protection nor Appropriate Safeguards are present, consent for the cross-border data transfer must be given by the data subject.
The points in the foregoing list must be assessed and implemented in sequence. To date, the list of coun - tries that meet the Adequacy of Protection require - ments has not been published. Furthermore, Minister of Communications and Infor - mation Technology (currently known as the Minister of Communications and Digital, or MOCD) Regulation No 20 of 2016 on Personal Data Protection in Elec - tronic Systems stipulates that the transfer of informa - tion containing personal data managed by an elec - tronic system operator (ESO), either private or public in scope, domiciled in Indonesia to a territory outside of Indonesia must be co-ordinated with the MOCD or the authorised official/agency. There are two types of report that must be submitted to the MOCD in relation to such cross-border transfer: (i) a cross-border per - sonal data transfer plan report and (ii) a cross-border personal data transfer implementation result report. Additionally, business undertakings in specific sec - tors, such as the banking and financial sector, may be subject to data localisation requirements. *The firm would like to thank Jacob Zwaan and Asshary Arbaa at PT Alvarez & Marsal Indonesia for their assistance in preparing responses to the ques - tions under 9. Tax in this guide.
337 CHAMBERS.COM
Powered by FlippingBook