Modeled after the EU’s GDPR, the PDPL governs the processing, collection, storage, and transfer of personal data within and outside Indonesia. It applies to both electronic and non-electronic systems and aims to strengthen individual privacy rights while regulating how businesses manage personal data. Is your website ready for compliance?
Indonesia's Personal Data Protection Law (PDPL), enacted in 2022 and effective from October 2024 after a two-year transition period, is the country’s first comprehensive data protection regulation.
Businesses must obtain valid consent before processing personal data, ensure data security, appoint a Data Protection Officer (DPO) under certain conditions, notify authorities and users in case of data breaches, and fulfill data subject rights including access, correction, deletion, and withdrawal of consent. Cross-border data transfers are permitted but require safeguards and coordination with Indonesia’s data protection authority.
To be in compliance with PDPL Indonesia, businesses should:
Review data practices: Implement robust data governance policies and publish and keep up-to-date a comprehensive Privacy Policy
Implement consent management: Obtain proper consent for collecting and processing personal data and ensure consumers can withdraw consent easily
Audit: Audit all data collection practices, including consent mechanisms, data security, and third-party data sharing
Data minimization: Adhere to data minimization principles, collecting only the data that is required and using it only for the stated purposes
Data security: Secure data against breaches and unauthorized access
The PDPL applies to any organization—local or foreign—that processes personal data within Indonesia or targets goods and services to individuals in Indonesia. This includes companies operating websites or apps accessible by Indonesian users.
The PDPL Indonesia gives consumers various data privacy rights, including:
Request access to their personal information
Request to know how personal data is being collected and used
Request that inaccurate, incomplete or out-of-date information be corrected
Request the erasure of their personal information under certain circumstances
File a complaint to the relevant data protection authority and seek damages for violations
Request to be free from data processing and profiling that can lead to automated decision-making
Under the PDPL, cookies are considered a form of personal data when they can be used to identify individuals, either directly or indirectly. Therefore, businesses using tracking, advertising, or analytical cookies must inform users clearly and obtain explicit, informed consent before collecting or processing such data.
Non-compliance with the PDPL can result in administrative sanctions such as warnings, suspension of data processing, fines, and even criminal penalties including imprisonment and monetary penalties up to 2% of annual revenue, depending on the severity of the violation.
Some best practices to bring your data privacy approach in line with PDPL compliance include:
Audit: Conduct a data audit to identify all cookies and trackers on your websites
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management: Ensure consent banners are implemented correctly, enable users to withdraw consent at any time, and maintain consent logs
Review partner and third-party contracts: Review third-party data-sharing practices
Train staff: Ensure that employees have training to understand and comply with the PDPL
The PDPL applies to the processing of personal data within Indonesia, as well as to Indonesian entities processing personal data abroad. It covers all sectors and governs how personal data must be collected, used, stored, and shared to protect individuals’ privacy rights.
Personal data refers to any information related to an identified or identifiable individual, either directly or indirectly. This includes names, identification numbers, location data, online identifiers, or any data that can reveal a person’s identity.
Sensitive data includes special categories of personal data that require higher protection due to their nature. This typically covers data on race, ethnicity, religion, health, genetic data, sexual orientation, political views, and other information that could lead to discrimination or harm if disclosed.
The regulatory authority overseeing the implementation and enforcement of the PDPL is the Personal Data Protection Authority (PDPA) of Indonesia.
Certain activities and entities may be exempt, such as personal data processed for personal or household activities, government intelligence or national security purposes, and some law enforcement activities. Specific exemptions are detailed within the law.
For more detailed information, you can visit the official website of Indonesia’s Personal Data Protection Authority or consult legal resources specializing in Indonesian data protection regulations.
©2018-2025 CookieHub ehf.