Indonesia Data Privacy Laws: Complete UU PDP Compliance Guide (2026)

Indonesia's Personal Data Protection Law, Law No. 27 of 2022 (UU PDP), governs all personal data processing in Indonesia, digital and physical. The two-year transition period expired on October 17, 2024, and all organizations handling Indonesian personal data must now comply with its consent, rights, breach notification, and penalty provisions.
Indonesia's Personal Data Protection Law, known locally as Undang-Undang Pelindungan Data Pribadi (UU PDP), is the most significant privacy statute in Southeast Asia's largest economy. Law No. 27 of 2022 consolidated more than 30 fragmented regulations into a single, comprehensive framework covering all personal data processing, both digital and physical. Its two-year transition period expired on October 17, 2024, bringing full legal exposure for non-compliant organizations.
Information verified as of May 19, 2026. This article provides general legal information about Indonesian data protection law and does not constitute legal advice. Readers should consult a lawyer licensed in Indonesia for guidance on their specific situation.
Quick Answer: What the UU PDP Requires
The UU PDP requires every organization that processes the personal data of individuals in Indonesia to: identify a lawful legal basis for each processing activity; provide transparent privacy notices; honor nine enumerated data subject rights; report qualifying data breaches to affected individuals and the supervisory authority within 72 hours; appoint a Data Protection Officer (DPO) if statutory thresholds are met; and conduct Data Protection Impact Assessments for high-risk processing. Criminal and administrative penalties apply for violations. The law covers both public and private sector entities, and its extraterritorial reach captures foreign organizations serving Indonesian users or targeting the Indonesian market.
As of May 2026, enforcement sits with Komdigi's Directorate General of Digital Space Supervision. The dedicated Lembaga PDP supervisory agency, which the UU PDP mandated the President to establish, is still in the establishment process: a draft Presidential Regulation governing the agency is in harmonization at the Ministry of Law, with an operational target of 2026. Implementing Government Regulations required by the statute have been drafted but have not yet received presidential signature.
Background: Why Indonesia Enacted the UU PDP
Before 2022, Indonesia had no dedicated personal data protection statute. Privacy-related provisions were scattered across more than 30 laws and regulations, including the Electronic Information and Transactions Law (UU ITE, Law No. 11/2008, as amended by Law No. 1/2024), the Health Law, the Banking Law, the Telecommunications Law, and sectoral ministerial regulations.
The most important predecessor regulation was Ministry of Communication and Informatics Regulation No. 20 of 2016 on the Protection of Personal Data Within an Electronic System (Kominfo Reg 20/2016). That regulation, which entered full force on December 1, 2018, imposed consent and security requirements on electronic system providers but left non-digital processing unregulated and lacked enforcement mechanisms comparable to a national statute.
Several factors accelerated legislative action. High-profile data breaches affecting tens of millions of Indonesian citizens drew public and parliamentary attention. The country's rapidly growing digital economy, with over 210 million internet users as of 2024, demanded stronger and more consistent protections. International partners, particularly the European Union, increasingly required adequate data protection frameworks from countries seeking to exchange data freely.
The government first introduced a personal data protection bill in 2016. After years of revision and parliamentary debate, the Dewan Perwakilan Rakyat (DPR) passed the law unanimously on September 20, 2022. President Joko Widodo signed it as Law No. 27 of 2022 on October 17, 2022, with a two-year transition period for compliance.
The Legacy Sectoral Framework and Its Relationship to the UU PDP
Understanding Indonesia's current framework requires knowing how the UU PDP interacts with older sectoral rules.
UU ITE (Law No. 11/2008, Amended 2024)
The UU ITE provided the first statutory reference to personal data in Indonesian law. Article 26 requires consent for any use of personal data in electronic systems, but the ITE Law did not define "personal data" and contained only general provisions. Its most recent amendment, Law No. 1 of 2024, retained the privacy provisions but left sector-specific application intact.
Kominfo Regulation 20/2016
Kominfo Reg 20/2016 imposed obligations on electronic system providers: lawful collection and processing, data accuracy requirements, confidentiality obligations, notice to data subjects, and cross-border transfer conditions. Its scope was limited to electronic systems. The UU PDP's Transitional Provisions (Article 75) confirm that all existing laws and regulations on personal data remain valid to the extent they do not contradict the UU PDP. Where Kominfo Reg 20/2016 conflicts with the UU PDP, the UU PDP prevails.
Government Regulation No. 71/2019 on Electronic Systems and Transactions
GR 71/2019, which replaced GR 82/2012, governs the operation of electronic systems. It continues to impose data localization requirements for certain categories of "strategic" data managed by public electronic system operators. The UU PDP does not adopt those localization requirements broadly, but GR 71/2019 continues to apply in parallel for electronic system operators.
The practical result is a layered framework: the UU PDP sets general personal data protection principles applicable to all processing; the ITE Law and GR 71/2019 continue to govern electronic systems specifically; and Kominfo Reg 20/2016 applies as a supplementary instrument where not inconsistent with the UU PDP.
Scope and Extraterritorial Reach
The UU PDP applies to all personal data processing carried out in Indonesia, and to processing conducted outside Indonesia when it produces legal effects within Indonesian territory or affects Indonesian data subjects abroad.
This extraterritorial reach mirrors the GDPR approach. Foreign companies serving Indonesian customers, processing Indonesian employee data, or directing their activities at the Indonesian market must comply, regardless of where their servers or corporate entities are located.
The law defines a "data controller" (pengendali data pribadi) as any individual, public body, or international organization that determines the purposes and means of personal data processing. A "data processor" (prosesor data pribadi) is any party that processes data on behalf of a controller. Both bear distinct obligations under the UU PDP, and sub-processing arrangements require written controller consent under Article 51(4).
Types of Personal Data
The UU PDP distinguishes two categories of personal data, each carrying different processing requirements.
General personal data is any information that identifies or can identify a specific individual: full name, gender, nationality, religion, marital status, and data that, when combined with other information, can identify a person.
Specific personal data (data pribadi yang bersifat spesifik) receives heightened protection. Article 4(2) lists the following as specific personal data:
- Health and medical data
- Biometric data (fingerprints, facial scans, retina scans)
- Genetic data
- Criminal records
- Personal financial data
- Data concerning children
- Any other data designated by implementing regulation
Processing specific personal data generally requires a DPIA and, where statutory thresholds are met, a DPO.
Legal Bases for Processing
Article 20 of the UU PDP establishes six lawful bases for processing personal data. No single basis takes priority, mirroring the GDPR approach.
| Legal Basis | Key Requirement |
|---|---|
| Consent | Explicit, informed, specific-purpose, recorded; withdrawable at any time |
| Contractual necessity | Processing necessary to perform a contract with the data subject |
| Legal obligation | Required to fulfill a controller's obligation under Indonesian law |
| Vital interests | Necessary to protect life or safety of the data subject or another person |
| Public interest / official authority | Necessary for a public-interest task or exercise of official authority |
| Legitimate interests | Proportionate to controller's purpose; balanced against data subject rights |
Consent Requirements in Detail
Article 21 specifies that consent under the UU PDP must be:
- Explicit (not implied or assumed by silence)
- Informed (data subject receives required disclosures before consenting)
- Specific to a stated purpose
- Recorded (the controller must retain evidence of consent)
- Freely given (no duress, deception, or oversight)
Controllers must present consent requests separately from other terms or conditions, in clear and accessible language. Data subjects retain the right to withdraw consent at any time, and withdrawal does not affect the lawfulness of processing conducted before withdrawal.
Data Subject Rights
Articles 5 through 16 of the UU PDP grant nine rights to data subjects. Controllers must establish mechanisms to receive and respond to rights requests.
Right to Information
Data subjects have the right to know the identity of the controller, the legal basis for processing, the purpose of collection, and the retention period. This information must be provided clearly and in a language the data subject can understand, before or at the time of collection.
Right of Access
Individuals may request a copy of their personal data held by a controller. Controllers must respond within 3x24 hours (72 hours) of receiving the request.
Right to Rectification
Data subjects may request correction or supplementation of inaccurate, incomplete, or outdated personal data. Controllers must process rectification requests within 72 hours.
Right to Erasure
Individuals may request deletion of their personal data when: the data is no longer necessary for the purpose collected; consent is withdrawn; or processing violates the law. Controllers must comply unless a separate legal retention obligation applies.
Right to Data Portability
Data subjects may obtain their personal data in a commonly used, machine-readable format and transfer it to another controller, provided the receiving system can accept the transfer securely and in compliance with UU PDP principles.
Right to Withdraw Consent
Where consent is the legal basis for processing, the data subject may withdraw at any time. The controller must stop processing upon withdrawal.
Right to Object
Data subjects may object to processing in certain circumstances, particularly when processing is based on legitimate interest or public interest grounds.
Right to Refuse Automated Decision-Making
Data subjects may object to decisions made solely by automated processing, including profiling, that produce legal effects or significantly affect them.
Right to Sue
Article 12 expressly grants data subjects a private right of action to file civil lawsuits and seek compensation for violations of their data protection rights. This private cause of action is more explicitly articulated than the equivalent remedy under the GDPR.
Data Controller and Processor Obligations
Transparency and Notice
Controllers must inform data subjects about the collection and processing of their personal data before or at the time of collection. Required disclosures include: the controller's identity and contact details; the legal basis for processing; the purpose; the categories of data collected; the retention period; and whether data will be transferred to third parties or outside Indonesia.

Processing Records
Controllers and processors must maintain detailed records of all processing activities. These records must be available for inspection by the supervisory authority and serve as primary evidence of compliance.
Data Minimization
The UU PDP requires that personal data collected be adequate, relevant, and limited to what is necessary for the stated processing purpose. Controllers may not retain personal data beyond the period needed to fulfill that purpose.
Security Obligations
Article 35 requires controllers to implement technical and organizational security measures appropriate to the risk of processing. These measures must protect personal data from unauthorized access, disclosure, alteration, loss, or destruction. Controllers must evaluate and update security measures regularly.
Data Protection Impact Assessments
Controllers must conduct a Data Protection Impact Assessment (DPIA) whenever processing is likely to present a high risk to data subjects. High-risk processing includes:
- Automated decision-making with legal effects
- Large-scale processing of specific (sensitive) personal data
- Systematic monitoring of data subjects on a large scale
- Use of new technologies with significant privacy implications
- Processing that materially limits data subject rights
The DPIA must assess the necessity and proportionality of the processing, the risks to data subjects' rights, and the measures proposed to mitigate those risks.
Data Protection Officers
Article 53 requires organizations to appoint a DPO when any one of three conditions is met:
- Processing is carried out for a public interest purpose.
- Core activities involve regular and systematic monitoring of data subjects on a large scale.
- Core activities involve large-scale processing of specific (sensitive) personal data.
The Indonesian Constitutional Court confirmed in a widely reported ruling that the original statutory conjunction "and" between conditions must be read as "and/or," meaning a single condition is sufficient to trigger the obligation. Organizations that process health records, biometric data, financial data, or conduct systematic user profiling at scale should assess whether the DPO threshold is met.
The DPO may be an internal employee or an external consultant. Qualifications must include professional knowledge of data protection law and practice. The DPO's contact details must be published and made available to data subjects and the supervisory authority.
Processor Contracts
Where a controller engages a processor to process personal data on its behalf, the relationship must be governed by a written contract specifying the scope, nature, purpose, and duration of processing, as well as the obligations of the processor. Processors may not engage sub-processors without prior written consent from the controller.
Breach Notification
Article 46 of the UU PDP imposes strict requirements for personal data breach notification.
72-Hour Notification Window
When a controller becomes aware of a personal data breach, it must notify:
- Affected data subjects, describing the nature of the breach and its potential effects; and
- The supervisory authority (currently Komdigi's Directorate General of Digital Space Supervision), with details of the breach, the measures taken, and the controller's identity and contact information.
Both notifications must be made within 3x24 hours (72 hours) of the controller becoming aware of the breach.
Public Notification
Where a breach disrupts public services or has a significant impact on the public interest, the controller must also issue a public notification. This requirement goes beyond most other data protection regimes and reflects Indonesia's experience with large-scale government data breaches.
Processor Notification to Controller
Data processors that become aware of a breach must notify the relevant controller without undue delay. The controller then bears responsibility for notifying data subjects and the authority.
Cross-Border Data Transfers
Article 56 of the UU PDP permits international transfers of personal data subject to a three-tier framework.

Tier 1: Adequacy
A transfer is permitted if the receiving country provides an equivalent or higher level of personal data protection to that provided by the UU PDP. The assessment considers the receiving country's laws, regulations, and enforcement mechanisms. Indonesia has not yet published a formal adequacy list, meaning controllers must conduct their own adequacy assessments for each destination country until the implementing regulation provides further guidance.
Tier 2: Appropriate Safeguards
When adequacy cannot be established, transfers may proceed if binding safeguards ensure adequate protection. Recognized instruments include standard contractual clauses, binding corporate rules, and other contractual instruments that create enforceable data protection commitments in the receiving jurisdiction.
Tier 3: Explicit Consent
When neither adequacy nor appropriate safeguards can be established, the data subject must provide explicit, informed consent to the specific transfer.
No General Data Localization
The UU PDP does not impose a general data localization requirement. Unlike earlier Indonesian regulations, the UU PDP focuses on ensuring equivalent protection rather than restricting where data physically resides. GR 71/2019 continues to require local storage for certain "strategic" electronic data managed by public electronic system operators, a parallel obligation outside the UU PDP's framework.
Penalties and Enforcement
The UU PDP establishes both administrative and criminal sanctions, making it one of the more stringent data protection regimes in the Asia-Pacific region.
Administrative Sanctions
Article 57 provides for graduated administrative sanctions that can be applied individually or in combination:
- Written warning
- Temporary suspension of data processing activities
- Deletion or destruction of unlawfully processed personal data
- Administrative fines of up to 2% of annual revenue
Criminal Penalties for Individuals
Articles 65 through 68 establish criminal liability for specific violations:
| Offense | Maximum Imprisonment | Maximum Fine |
|---|---|---|
| Unlawful collection or use of personal data (Art. 65) | 5 years | IDR 5 billion (approx. USD 307,000) |
| Unlawful disclosure of personal data (Art. 66) | 4 years | IDR 4 billion (approx. USD 245,000) |
| Creating false or fraudulent personal data (Art. 68) | 6 years | IDR 6 billion (approx. USD 368,000) |
Corporate Criminal Penalties
When a criminal offense is committed by or on behalf of a corporate entity, Article 70 multiplies the individual fines:
- Unlawful collection or use: up to IDR 50 billion (approx. USD 3.07 million)
- Unlawful disclosure: up to IDR 40 billion (approx. USD 2.45 million)
- Creating false data: up to IDR 60 billion (approx. USD 3.68 million)
Additional corporate sanctions include confiscation of proceeds and assets, license revocation, temporary or permanent suspension of business operations, and dissolution of the corporate entity.
Fine Payment and Non-Payment
Convicted parties have one month from the date a decision becomes final to pay the imposed fine. If the fine remains unpaid after the extension period, prosecutors may confiscate and auction assets to satisfy the judgment; any amount still outstanding may be converted to substitute imprisonment.
The Supervisory Authority: Current Status and Roadmap
This section traces the establishment of Indonesia's dedicated data protection supervisory authority, drawing on confirmed 2025 developments.
Interim Arrangement Under MOCD Regulation 1/2025
Pursuant to Komdigi Regulation No. 1 of 2025 on Organisation and Work Procedures of the Ministry of Communication and Digital Affairs, personal data protection supervision is currently carried out by the Directorate General of Digital Space Supervision (Direktorat Jenderal Pengawasan Ruang Digital). The Directorate General has authority to monitor compliance, receive complaints from data subjects, coordinate with law enforcement on criminal matters, and impose administrative sanctions.
This arrangement is explicitly temporary. The MOCD acknowledges it is acting in the absence of the Lembaga PDP, and its supervisory powers derive from the transitional provisions of the UU PDP and the MOCD's general mandate over digital affairs.
Presidential Regulation on the Lembaga PDP: Harmonization Stage
A draft Presidential Regulation governing the establishment, structure, and mandate of the Lembaga PDP was circulated for stakeholder discussion between March and September 2025. As of October 2025, it entered the harmonization stage at the Ministry of Law. The harmonization stage involves inter-ministerial legal review and is a prerequisite to presidential signature. The government has stated a target of 2026 for the agency to become operational, though this timeline has shifted multiple times since 2022.
The Lembaga PDP is designed to operate directly under the President, giving it institutional independence comparable to other independent regulatory bodies. Its planned functions include: formulating national data protection policy; supervising compliance; investigating complaints; imposing sanctions; facilitating dispute resolution; and representing Indonesia in international data protection forums.
Implementing Government Regulations: Still Pending
The UU PDP mandates nine implementing Government Regulations covering: personal data processing; data protection impact assessments; compensation procedures; data subject rights procedures; breach notification at corporate transactions; cross-border transfers; administrative sanction procedures; PDP Agency operational procedures; and a Presidential Regulation for the PDP Agency itself.
None of these had been enacted as of May 2026. A consolidated draft RPP PDP was last publicly circulated in August 2023. The Ministry of Law's harmonization process commenced in late 2025. The draft has been described as reaching its final stage and submitted to the President, but presidential signature had not occurred by the date of this review. Controllers should monitor jdih.komdigi.go.id and the Indonesian State Gazette (Lembaran Negara) for publication.
Enforcement Activity: 2024 to 2025
Despite the absence of the Lembaga PDP and pending implementing regulations, Komdigi has conducted active compliance monitoring. During 2024-2025, Komdigi reviewed approximately 350 digital platforms, identifying potential violations on 41% of websites and 34% of mobile applications reviewed. Through July 2025, Komdigi recorded 56 suspected UU PDP violation cases, with 20 cases identified in June 2025 alone.
A significant incident involved claims of a breach affecting approximately 58 million student records from Ministry of Education systems, prompting a joint investigation by BSSN (the National Cyber and Crypto Agency), Komdigi, and the Ministry of Education. BSSN recorded 3.64 billion cyber-attack attempts as of August 2025, underscoring the urgency driving UU PDP implementation.
How the UU PDP Compares to the GDPR
For organizations already operating under the GDPR, many structural elements of the UU PDP will be familiar. Key similarities and differences are summarized below.
| Feature | UU PDP (Indonesia) | GDPR (EU) |
|---|---|---|
| Legal bases for processing | 6 (Art. 20) | 6 (Art. 6) |
| Data subject rights | 9, including explicit right to sue | 8 (right to compensation under Art. 82) |
| Breach notification window | 72 hours | 72 hours |
| DPO requirement triggers | Any 1 of 3 conditions | Any 1 of 3 conditions |
| Maximum administrative fine | 2% of annual revenue | 4% of global annual turnover |
| Criminal penalties | Yes, up to 6 years imprisonment | No (member state discretion) |
| Data localization | No general requirement | No general requirement |
| Cross-border transfer mechanism | Adequacy / safeguards / consent | Adequacy / SCCs / BCRs / consent |
| Dedicated supervisory authority | Pending (Lembaga PDP, target 2026) | Yes (national DPAs in all member states) |
Organizations already GDPR-compliant will find their existing frameworks largely transferable to UU PDP compliance. They should pay particular attention to: the criminal liability provisions; the "and/or" DPO trigger confirmed by the Constitutional Court; Indonesian consent formalities; and cross-border transfer documentation requirements while the implementing regulation remains pending.
Business Compliance Checklist
Organizations subject to the UU PDP should prioritize the following steps:
- Conduct a data inventory. Map all personal data processing activities involving Indonesian data subjects, whether conducted in Indonesia or abroad.
- Identify legal bases. Document the lawful basis under Article 20 for each processing activity. Where consent is the basis, verify it meets Article 21 formality requirements.
- Update privacy notices. Ensure all required disclosures are provided to data subjects in clear, accessible language, including in Bahasa Indonesia for Indonesian audiences.
- Implement consent mechanisms. Where consent is relied upon, ensure it is explicit, specific, informed, recorded, and withdrawable. Remove any pre-ticked boxes or implied consent.
- Assess DPO obligation. Determine whether processing activities trigger any of the three DPO conditions under Article 53. If so, appoint a qualified DPO and publish contact details.
- Conduct DPIAs. For high-risk processing activities, complete a DPIA before commencing or continuing processing.
- Establish breach response procedures. Ensure your organization can detect, assess, and report qualifying breaches to data subjects and Komdigi within 72 hours.
- Review cross-border transfers. Document the legal basis for any outbound transfers of Indonesian personal data. Implement contractual safeguards, particularly where adequacy has not been established.
- Update processor contracts. Ensure all processor agreements contain the obligations required by the UU PDP and address sub-processing restrictions.
- Maintain processing records. Keep detailed records of all processing activities in a format suitable for regulatory inspection.
- Train staff. Ensure employees involved in data processing understand UU PDP obligations, including breach reporting timelines.
- Monitor for implementing regulations. The Government Regulation on personal data protection, once enacted, will provide additional detail on adequacy assessments, DPIA requirements, and DPO obligations. Assign responsibility for tracking its publication via jdih.komdigi.go.id.
Frequently Asked Questions
Is Indonesia's PDP Law currently in force and enforceable?
Yes. Law No. 27 of 2022 on Personal Data Protection (UU PDP) was signed on October 17, 2022, with a two-year transition period that expired on October 17, 2024. The law is fully in force. However, implementing Government Regulations and the dedicated supervisory agency (Lembaga PDP) have not yet been formally established as of May 2026. The Ministry of Communication and Digital Affairs (Komdigi) handles interim enforcement through its Directorate General of Digital Space Supervision under MOCD Regulation 1/2025.
Has a dedicated data protection authority been established in Indonesia?
Not yet as of May 2026. The UU PDP (Art. 58) mandates the President to establish a Personal Data Protection Agency (Lembaga PDP). A draft Presidential Regulation governing the agency's structure entered the harmonization stage at the Ministry of Law in October 2025. The government has stated a target of 2026 for the agency to become operational, but the timeline has shifted previously. Until the Lembaga PDP launches, Komdigi's Directorate General of Digital Space Supervision exercises supervisory functions.
What are the maximum penalties for violating Indonesia's PDP Law?
Administrative fines reach up to 2% of annual revenue. Criminal penalties for individuals include up to 6 years imprisonment and fines of up to IDR 6 billion (approx. USD 368,000) for creating false personal data, and up to 5 years for unlawful collection or use. For corporate entities, fines can reach IDR 60 billion (approx. USD 3.68 million), and additional sanctions include license revocation, business suspension, asset confiscation, and dissolution.
Does the UU PDP apply to foreign companies outside Indonesia?
Yes. The UU PDP has extraterritorial reach. It applies to any organization that processes personal data of Indonesian data subjects or conducts processing activities that produce legal effects within Indonesian territory. Foreign companies serving Indonesian customers, processing Indonesian employee data, or targeting the Indonesian market must comply regardless of where their servers or corporate entities are located.
How does Indonesia's PDP Law handle cross-border data transfers?
Article 56 of the UU PDP establishes a three-tier framework. Transfers are permitted where the receiving country provides equivalent or higher protection (adequacy), or where binding safeguards such as standard contractual clauses ensure adequate protection, or where the data subject provides explicit informed consent. The law does not impose general data localization requirements. A Government Regulation providing detailed adequacy and safeguard guidance has been submitted to the President but had not been signed as of May 2026.
When must a DPO be appointed under the UU PDP?
Article 53 requires a DPO when any one of three conditions is met: processing is for a public interest purpose; core activities involve regular and systematic large-scale monitoring of data subjects; or core activities involve large-scale processing of specific (sensitive) personal data. The Indonesian Constitutional Court confirmed that meeting a single condition is sufficient. Organizations processing health, biometric, financial, or children's data at scale, or conducting systematic user profiling, should assess whether they meet the threshold.
What is the breach notification deadline under the UU PDP?
Article 46 requires controllers to notify affected data subjects and the supervisory authority within 3x24 hours (72 hours) of becoming aware of a personal data breach. The notification must describe the data compromised, when and how the breach occurred, and what remedial steps have been taken. Where a breach disrupts public services or significantly affects the public interest, a public notification is also required.
Does the UU PDP supersede the older Kominfo Regulation 20/2016?
The UU PDP is the primary and superior instrument. Article 75 of the UU PDP confirms that existing laws and regulations on personal data remain valid only to the extent they do not contradict the UU PDP. Kominfo Reg 20/2016 continues to apply as a supplementary instrument for electronic systems where its provisions are consistent with the UU PDP. Where they conflict, the UU PDP prevails. The UU PDP also extended coverage beyond electronic systems to all personal data processing, digital and physical.
Are there data localization requirements under Indonesian law?
The UU PDP does not impose a general data localization requirement. However, Government Regulation No. 71 of 2019 on Electronic Systems and Transactions (GR 71/2019) continues to require local storage for certain categories of strategic data managed by public electronic system operators. Organizations operating electronic systems in Indonesia must assess obligations under both the UU PDP and GR 71/2019 in parallel, as they address related but distinct aspects of data governance.
What is the status of implementing regulations for the UU PDP?
As of May 2026, none of the nine implementing Government Regulations mandated by the UU PDP have been enacted. A consolidated draft RPP PDP was submitted to the President and reportedly reached its final stage, but presidential signature had not occurred by the time of this review. Until enacted, certain provisions of the UU PDP lack the granular procedural detail originally envisaged. Controllers should monitor the Indonesian State Gazette and jdih.komdigi.go.id for publication.