Indonesia Data Privacy Laws: PDP Law Compliance Guide (2026)

Indonesia's Personal Data Protection Law, known locally as Undang-Undang Pelindungan Data Pribadi or UU PDP, represents the most significant privacy legislation in Southeast Asia's largest economy. Law No. 27 of 2022 consolidated what had previously been a fragmented landscape of more than 30 regulations touching on personal data into a single, comprehensive framework.
The law applies to every organization, public or private, that processes the personal data of individuals in Indonesia. It also reaches beyond Indonesian borders, covering processing activities outside the country that produce legal effects within Indonesian jurisdiction or affect Indonesian data subjects abroad.
This guide covers what the PDP Law requires, how enforcement works in practice, and what organizations need to do to comply as of 2026.
Background: Why Indonesia Enacted the PDP Law
Before 2022, Indonesia had no dedicated personal data protection statute. Privacy-related provisions were scattered across dozens of laws, including the Electronic Information and Transactions Law (UU ITE, Law No. 11/2008), the Health Law, the Banking Law, and the Telecommunications Law. This patchwork approach created inconsistencies and enforcement gaps.

Several factors pushed Indonesia toward comprehensive legislation. High-profile data breaches affecting millions of Indonesian citizens drew public attention. The country's rapidly growing digital economy, with over 210 million internet users as of 2024, demanded stronger protections. International trade partners, particularly the European Union, increasingly required adequate data protection frameworks from countries seeking to exchange data.
The drafting process took years. The government first introduced a personal data protection bill in 2016. After extensive revisions and parliamentary debate, the Dewan Perwakilan Rakyat (DPR, Indonesia's legislature) passed the law unanimously on September 20, 2022. President Joko Widodo signed it into law on October 17, 2022, as Law No. 27 of 2022 on Personal Data Protection.
The law included a two-year transition period, giving organizations until October 17, 2024, to bring their data processing activities into compliance.
Scope and Extraterritorial Reach
The PDP Law applies broadly. It covers all personal data processing carried out by data controllers and data processors, whether they are located in Indonesia or abroad. The law's extraterritorial provisions mirror the approach taken by the GDPR.
Specifically, the law applies to processing activities outside Indonesia when they have legal consequences within Indonesian territory, or when they affect Indonesian data subjects located outside the country. This means foreign companies serving Indonesian customers, processing Indonesian employee data, or targeting the Indonesian market must comply.
The law defines a "data controller" (pengendali data pribadi) as any individual, public body, or international organization that determines the purposes and means of personal data processing. A "data processor" (prosesor data pribadi) is any party that processes data on behalf of a controller.
Types of Personal Data Under the PDP Law
The PDP Law divides personal data into two categories, each with different processing requirements.
General Personal Data
General personal data includes any information that identifies or can identify an individual. Common examples include full name, gender, nationality, religion, and marital status. This category also covers data that, when combined with other information, can identify a specific person.
Specific (Sensitive) Personal Data
Instead of using the term "sensitive data," the PDP Law refers to "specific personal data" (data pribadi yang bersifat spesifik). This category receives heightened protection and includes:
- Health data and medical records
- Biometric data (fingerprints, facial recognition, retina scans)
- Genetic data
- Criminal records
- Data about children
- Personal financial data
- Any other data designated by regulation
Processing specific personal data triggers additional obligations, including mandatory data protection impact assessments and, in many cases, the appointment of a Data Protection Officer.
Six Legal Bases for Processing Personal Data
Article 20 of the PDP Law establishes six legal bases for processing personal data. These apply to both general and specific categories. No single basis takes priority over the others, an approach consistent with the GDPR.
Consent. The data subject provides explicit consent for one or more specific purposes. Consent must be informed, meaning the controller must explain the purpose of processing before obtaining it. Data subjects retain the right to withdraw consent at any time.
Contractual necessity. Processing is necessary to perform obligations under a contract between the controller and the data subject.
Legal obligation. Processing is required to fulfill the controller's legal obligations under Indonesian law.
Vital interests. Processing is necessary to protect the vital interests of the data subject or another person.
Public interest. Processing is needed to carry out a task in the public interest or in the exercise of official authority.
Legitimate interest. Processing serves the legitimate interests of the controller, balanced against the rights and interests of the data subject. This basis requires a case-by-case assessment of proportionality.
Data Subject Rights
The PDP Law grants nine rights to data subjects, outlined primarily in Articles 5 through 16. These rights are modeled closely on the GDPR framework but include some provisions unique to Indonesia.
Right to Information
Data subjects have the right to know the identity of the data controller, the legal basis for processing, the purposes of collection, and the period of data retention. Controllers must provide this information clearly and in a language the data subject can understand.
Right of Access
Individuals may access their personal data held by a controller and obtain a copy. The controller must respond to access requests within 3 x 24 hours (72 hours).
Right to Rectification
Data subjects can request correction or supplementation of inaccurate or incomplete personal data. Controllers must process these requests within 72 hours.
Right to Erasure
Individuals may request deletion of their personal data when it is no longer necessary for the purpose it was collected, when consent is withdrawn, or when processing violates the law. The controller must comply unless legal retention obligations apply.
Right to Data Portability
Data subjects may obtain and transfer their personal data to another controller, provided the receiving system can communicate securely and in accordance with PDP Law principles.
Right to Withdraw Consent
Where consent serves as the legal basis for processing, the data subject may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted before the withdrawal.
Right to Object
Data subjects may object to the processing of their personal data in certain circumstances, particularly when processing is based on legitimate interest or public interest grounds.
Right to Refuse Automated Decision-Making
The law allows data subjects to object to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect them.
Right to Sue
Article 12 grants data subjects a private right of action. Individuals may file civil lawsuits and seek compensation for violations of their personal data protection rights.
Data Controller and Processor Obligations
The PDP Law places extensive obligations on both data controllers and data processors.
Transparency Requirements
Controllers must inform data subjects about the collection and processing of their personal data before or at the time of collection. This notice must include the legal basis, purpose, type of data processed, and retention period.
Processing Records
Controllers and processors must maintain detailed records of all personal data processing activities. These records serve as evidence of compliance and must be available for inspection by the supervisory authority.
Data Protection Impact Assessments
Controllers must conduct a Data Protection Impact Assessment (DPIA) whenever processing presents a high risk to data subjects. High-risk processing includes automated decision-making with legal effects, large-scale processing of specific (sensitive) data, systematic monitoring or evaluation, use of new technologies, and processing that limits data subject rights.
The DPIA must assess the necessity and proportionality of processing, the risks to data subjects, and the measures in place to mitigate those risks.
Data Protection Officers
Article 53 of the PDP Law requires organizations to appoint a Data Protection Officer (DPO) when any of the following conditions apply:
- The processing is for a public interest purpose
- The core activities involve regular and systematic monitoring of data subjects on a large scale
- The core activities involve large-scale processing of specific (sensitive) personal data
The Indonesian Constitutional Court clarified in a notable ruling that meeting any one of these three conditions triggers the DPO requirement. The original statutory text used "and" between the conditions, but the Court held this should be read as "and/or," meaning a single condition is sufficient.
The DPO may be an internal employee or an external appointee. They must have professional knowledge of data protection law and practice, and their contact details must be made available to data subjects and the supervisory authority.
Data Retention and Deletion
Controllers must delete personal data once the purpose of processing has been fulfilled, the data subject requests deletion, or the retention period specified in the privacy notice expires. Exceptions apply when data must be retained under other legal obligations.
Breach Notification Requirements
The PDP Law imposes strict timelines for reporting data breaches, codified in Article 46.
Timeline
Data controllers must notify affected data subjects and the supervisory authority within 3 x 24 hours (72 hours) of becoming aware of a personal data breach. This timeline is consistent with the GDPR's 72-hour requirement.
Required Content
The breach notification must include:
- A description of the personal data that was compromised
- When and how the breach occurred
- The remedial measures taken or planned to address the breach and mitigate its effects
Public Notification
When a breach disrupts public services or has a significant impact on the public interest, the controller must also issue a public notification. This requirement goes beyond what many other data protection laws mandate.
Processor Obligations
Data processors who become aware of a breach must notify the data controller without undue delay. The controller then bears responsibility for notifying data subjects and the authority.
Cross-Border Data Transfers
The PDP Law permits international transfers of personal data but imposes conditions designed to ensure that data remains protected at a level equivalent to Indonesian standards.
Three-Tier Framework
Article 56 establishes a tiered system for cross-border transfers:
Tier 1: Adequacy. Transfer is permitted if the receiving country provides an equivalent or higher level of personal data protection than Indonesia. The assessment considers the receiving country's laws, regulations, and enforcement mechanisms.
Tier 2: Appropriate Safeguards. When adequacy cannot be established, transfers may proceed if binding contractual safeguards ensure adequate protection. These may include standard contractual clauses, binding corporate rules, or other instruments that create enforceable data protection commitments.
Tier 3: Consent. When neither adequacy nor appropriate safeguards exist, the data subject must provide explicit, informed consent to the transfer.
Practical Implications
The implementing regulation (still being finalized as of early 2026) is expected to provide detailed guidance on adequacy assessments and approved safeguard mechanisms. Until the regulation is issued, controllers relying on cross-border transfers should document their legal basis carefully and consider implementing contractual safeguards as a precautionary measure.
The framework does not impose data localization requirements. Unlike some earlier Indonesian regulations that mandated local data storage, the PDP Law focuses on ensuring equivalent protection rather than restricting where data physically resides.
Penalties and Enforcement
The PDP Law establishes both administrative and criminal penalties, making it one of the more punitive data protection frameworks in the Asia-Pacific region.
Administrative Sanctions
Article 57 provides for graduated administrative sanctions:
- Written warning
- Temporary suspension of data processing activities
- Deletion of unlawfully processed personal data
- Administrative fines of up to 2% of annual revenue
These sanctions can be applied individually or in combination, depending on the severity and nature of the violation.
Criminal Penalties for Individuals
The criminal provisions in Articles 67 through 69 target specific violations:
Unlawful collection or use of personal data (Article 67): Up to 5 years in prison and/or a fine of up to IDR 5 billion (approximately USD 307,000).
Unlawful disclosure of personal data (Article 67): Up to 4 years in prison and/or a fine of up to IDR 4 billion (approximately USD 245,000).
Creating false or fraudulent personal data (Article 68): Up to 6 years in prison and/or a fine of up to IDR 6 billion (approximately USD 368,000).
Corporate Penalties
When criminal offenses are committed by or on behalf of a corporation, the penalties are significantly amplified. Corporate fines can reach up to 10 times the individual fine amounts:
- Up to IDR 50 billion (approximately USD 3.07 million) for unlawful collection or use
- Up to IDR 40 billion (approximately USD 2.45 million) for unlawful disclosure
- Up to IDR 60 billion (approximately USD 3.68 million) for creating false data
Additional corporate sanctions include asset confiscation, license revocation, suspension of business operations, and even dissolution of the corporate entity.
Confiscation of Proceeds
Article 69 authorizes courts to confiscate profits or assets obtained through personal data crimes, ensuring that violators cannot benefit financially from their offenses.
Enforcement Authority: Current and Future
The PDP Law mandates the creation of a dedicated Personal Data Protection Agency (Lembaga Pelindungan Data Pribadi) to serve as Indonesia's data protection authority. However, the agency's establishment has faced delays.
Current Interim Enforcement
Until the Lembaga PDP is operational, the Ministry of Communication and Digital Affairs (Komdigi) handles enforcement responsibilities through its Directorate General of Digital Space Supervision. The ministry has the authority to issue administrative sanctions and coordinate with law enforcement on criminal matters.
Planned Data Protection Agency
The Lembaga PDP is designed to operate directly under the President, giving it significant institutional authority. Its planned responsibilities include:
- Formulating policies and strategies for personal data protection
- Supervising compliance with data protection obligations
- Investigating complaints and enforcing sanctions
- Facilitating alternative dispute resolution
- Representing Indonesia in international data protection cooperation
As of early 2026, the government has submitted a draft Presidential Regulation for the agency's establishment to the Ministry of State Secretariat for presidential approval. The target launch date is mid-2026, though the timeline has shifted multiple times since the law's enactment.
Implementing Regulation Status
The Government Regulation (Peraturan Pemerintah or PP) that will provide detailed implementation guidance for the PDP Law has completed its harmonization process as of October 2025. The draft has been passed to the State Secretary for presidential approval. Until this regulation is finalized, certain aspects of the law, particularly around cross-border transfer assessments and DPO appointment details, lack the granular guidance that organizations need.
How the PDP Law Compares to the GDPR
The PDP Law draws heavily from the GDPR, but several differences are worth noting for organizations already compliant with European standards.
Similar elements. Both laws establish six legal bases for processing, grant comparable data subject rights, require DPO appointments under similar conditions, mandate breach notification within 72 hours, and permit cross-border transfers subject to adequacy or safeguard requirements.
Key differences. The PDP Law includes criminal penalties with imprisonment, which the GDPR does not. Indonesia's maximum administrative fine (2% of annual revenue) is lower than the GDPR's 4% of global annual turnover. The PDP Law grants data subjects an explicit right to sue for compensation, creating a private right of action that is more clearly articulated than the GDPR's equivalent. Indonesia does not have an established adequacy list, whereas the EU maintains formal adequacy decisions for specific countries.
Practical implication. Organizations already GDPR-compliant will find much of their existing framework transferable to PDP Law compliance. However, they should pay particular attention to the criminal liability provisions, the specific consent requirements, and the forthcoming implementing regulation, which may introduce Indonesia-specific obligations.
Compliance Checklist for Organizations
Organizations subject to the PDP Law should prioritize the following steps:
- Conduct a data inventory. Map all personal data processing activities involving Indonesian data subjects.
- Identify legal bases. Document the legal basis for each processing activity under Article 20.
- Update privacy notices. Ensure transparency requirements are met with clear, accessible privacy policies in Bahasa Indonesia.
- Implement consent mechanisms. Where consent is the legal basis, ensure it is explicit, informed, specific, and withdrawable.
- Appoint a DPO if required. Assess whether your processing activities trigger the DPO requirement under Article 53.
- Conduct DPIAs. Perform data protection impact assessments for high-risk processing activities.
- Establish breach response procedures. Ensure your organization can detect, assess, and report breaches within the 72-hour window.
- Review cross-border transfers. Document the legal basis for any transfers of Indonesian personal data outside the country.
- Maintain processing records. Keep detailed records of all processing activities for regulatory inspection.
- Train staff. Ensure employees involved in data processing understand their obligations under the PDP Law.
Sources and References
- Law No. 27 of 2022 on Personal Data Protection (UU PDP) -- Official Text, Peraturan.go.id (peraturan.go.id)
- UU No. 27 Tahun 2022 -- JDIH BPK RI, Supreme Audit Board Official Legal Database (peraturan.bpk.go.id)
- Undang-Undang Nomor 27 Tahun 2022 -- JDIH Komdigi, Ministry of Communication and Digital Affairs (jdih.komdigi.go.id)
- Indonesia: Personal Data Protection Act Enters into Force -- Library of Congress (loc.gov)
- Data Protection Laws and Regulations Report 2025-2026: Indonesia -- ICLG (iclg.com)
- Data Protection and Privacy 2026: Indonesia Trends and Developments -- Chambers and Partners (practiceguides.chambers.com)
- Highlights of Indonesia's Personal Data Protection Law -- Norton Rose Fulbright (nortonrosefulbright.com)
- Indonesia's Personal Data Protection Bill: Overview, Key Takeaways, and Context -- Future of Privacy Forum (fpf.org)
- Breach Notification in Indonesia -- DLA Piper Data Protection Laws of the World (dlapiperdataprotection.com)
- Transfer of Personal Data in Indonesia -- DLA Piper Data Protection Laws of the World (dlapiperdataprotection.com)
- What Are the Consequences of Breaches of Data Protection Law in Indonesia -- SSEK Law Firm (ssek.com)
- Indonesia's PDP Law Update: Broader DPO Mandate Confirmed -- Assegaf Hamzah and Partners (ahp.id)