PDP Workshop 2025: Personal Data Protection Practice in Indonesia
SKC Law participated in the two-day training “Masterclass Pelindungan Data Pribadi: Menguasai Teori, Regulasi, dan Implementasi”, held in Jakarta. The event was organized by Hukumonline and supported by APPDI (Asosiasi Praktisi Pelindungan Data Indonesia), bringing together legal practitioners, regulators, data protection officers and various stakeholders to discuss personal data protection governance under Indonesia’s Personal Data Protection (PDP) Law. Representing SKC Law were Nidya Kalangie, Co-Founder, and Adinda Nur Zahirah, Associate.
Data Protection Workshop Overview
The training focused on mastering the theory, regulatory framework, and practical implementation of PDP in Indonesia. Sessions covered:
- The historical and conceptual background of personal data privacy and personal data security.
- The structure and enforcement of the PDP Law (UU No. 27/2022) and other relevant regulations, including compliance, risk management, and operational challenges.
- The anticipated issuance of Indonesia’s Data Protection Authority, which, as of September 2025, is still pending.
- Discussions on best practice for business owners to comply with the PDP Law.
Examples of Structuring Data Sharing Agreements
The importance of accurately determining roles in data sharing arrangements was emphasized:
| Controller-to-Controller | Each party independently manages its obligations. This is typical in joint ventures or business partnerships. |
| Controller-to-Processor | Processors act strictly under the controller’s instructions. Any deviation may shift liability to the processor. |
| Joint Controller | Shared responsibility with clear role delineation is essential. Agreements must specify mutual obligations and liability. |
| Intra-Group Agreements | These offer flexibility within corporate structures, but still require clarity and documentation. |
Key insights
Misclassification of roles (controller, processor, joint controller) can result in compliance failures and increased legal risk. The workshop provided real-world use cases to illustrate these distinctions.
Cross-Border Transfers
Cross-border data transfers are allowed if one of the following conditions is met, in the following order: the receiving jurisdiction or controller provides an equal or higher level of personal data protection; the transfer is based on an international agreement between Indonesia and the destination country; or the personal data subject has given explicit consent after being informed of the purpose, destination, and recipient of the data.
Best Practices for Data Protection
Effective implementation starts with clear documentation and proactive governance. This means keeping thorough Records of Processing Activities (ROPA), carefully vetting third-party vendors, and making sure privacy notices are easy to find and regularly updated across all platforms. Incident response involves preparing for data breaches with documented procedures and rapid notification protocols, including a 3×24 hour SLA for breach notification.
Risk Management and Accountability
A risk-based approach to data retention and deletion is recommended. Companies must demonstrate auditability and maintain evidence of compliance, especially when aligning with sector-specific regulations like those from OJK or the Ministry of Health.
Key Takeaways
- Contractual Clarity Is Critical: The importance of well-drafted data sharing agreements, especially in distinguishing roles between controllers, processors, and joint controllers.
- Risk-Based Compliance Is the New Standard: Data Processing Impact Assessments (DPIAs) and Transfer Impact Assessments (TIAs) are emerging as essential tools for mitigating legal and reputational risks, including in cross-border data transfers.
- Sector-Specific Nuances Matter: Industries such as finance, healthcare, and telecom face unique regulatory hurdles.
- Transparency: Privacy notices must be clear, accessible, and regularly updated across all platforms – from websites to internal systems.
Strategic Insights
Indonesian corporations should proactively prepare internal policies, training programmes, and documentation frameworks. When engaging in cross-border data transfers, business owners must assess the adequacy of foreign jurisdictions and the enforceability of contractual clauses. Across the board, all clients should anticipate increased scrutiny around data sharing, especially in joint ventures and platform-based ecosystems.
Practical Tip:
Implement ROPA and DPIA for high-risk processing activities, and ensure all third-party agreements include PDP clauses. Use sectoral regulations as additional compliance benchmarks.
As the regulatory landscape evolves, SKC Law stands ready to assist with PDP compliance, data transfer advisory, and strategic risk management.