PDP LAW · UU 27/2022


Data Protection

Indonesia's Personal Data Protection Law, decoded for HR teams.

Fully enforced since 17 October 2024. Every Indonesian employer is a Data Controller — here's what that actually means for your HR practice.


AT A GLANCE

Law: UU No. 27/2022
Effective: 17 October 2022
Fully enforced: 17 October 2024 (end of the two-year transition period)
Max administrative fine: 2% of annual revenue
Breach notification: within 72 hours (3 x 24 hours in the statute), to the authority and to affected data subjects
DPO required: conditional; mandatory for large-scale processing or for sensitive data, recommended otherwise

WHO IT APPLIES TO

Every Indonesian employer is a Data Controller.

The PDP Law applies to any natural person, legal entity, public body, or international organization that processes personal data of Indonesian citizens — inside or outside Indonesia. The definition is intentionally broad.

For HR teams, this means the moment you collect an employee's name, NIK, BPJS number, address, photo, or bank details, you become a Data Controller under Article 1. You are responsible for the lawful processing of that data and liable for breaches.

When you give that data to an HR platform, payroll provider, or accountant, they become a Data Processor. The controller (you) remains primarily accountable; the processor shares liability under their DPA.

The law is not theoretical. The two-year transition period ended on 17 October 2024 and every enforcement provision is now active, even though the dedicated Personal Data Protection Authority is still being established.

COMPLIANCE CHECKLIST

Seven controls every HR team needs in place.

Use this as a baseline audit. If you can't answer 'yes' to all seven, you have a compliance gap that needs an owner and a deadline.

  • Appoint a Data Protection Officer (DPO)

    Mandatory where processing is carried out for public services, where your core activities involve regular and systematic large-scale monitoring, or where you process sensitive (specific) personal data such as health or biometric data at scale. The DPO can be internal or outsourced but must be reachable by data subjects and by the authority.

  • Build a personal data inventory

    Document what personal data you collect, where it lives, who has access, how long you retain it, and the legal basis for processing. This is the foundation of every other PDP control.

  • Implement consent and transparency flows

    Record a lawful basis for every processing activity. Consent is only one of them: payroll, tax and BPJS reporting rest on contract performance and legal obligation, and asking for consent there is misleading because an employee cannot meaningfully refuse. Where consent is the basis, it must be explicit, informed and as easy to withdraw as it was to give. Provide a clear privacy notice in Bahasa Indonesia and a working channel for access, correction and deletion requests.

  • Set up role-based access controls

    Only staff with a business need should access personal data, and the need should be expressed per field, not per system: a line manager needs a name and leave balance, not a NIK or bank account. Log every read and write of personal data with the named account, the record, the field and the time, and log denied attempts too, since those are your earliest signal of an account probing for data. Generic 'admin' accounts shared across the team defeat attribution and are non-compliant.

  • Encrypt data at rest and in transit

    The law requires appropriate technical measures rather than naming an algorithm; in practice the baseline is AES-256 in an authenticated mode (for example AES-GCM) for data at rest and TLS 1.2 or later for data in transit. Keep encryption keys in a KMS or HSM, separate from the data they protect, so a copied database or a stolen backup is useless on its own. Backups, exports, spreadsheets and log files that contain personal data inherit the same requirement.

  • Establish a 72-hour breach response process

    When a breach occurs, you must notify the Personal Data Protection Authority and affected data subjects in writing within 72 hours (3 x 24 hours). The notice must state what personal data was compromised, when and how it happened, and what you are doing to contain and recover from it. Have the playbook, contact list and templates ready before you need them; 72 hours is not enough time to write them during an incident.

  • Vendor management with DPAs

    Any third party that processes personal data on your behalf (payroll providers, HR platforms, hosting, analytics) needs a signed Data Processing Agreement that mirrors your obligations.
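The access-control and encryption items above are the ones an engineer can actually build, so here is an added example (written for this page, not Checkly's implementation) of a small employee-record store that enforces per-field role checks, appends an audit entry for every read, write and denial, stores each field under AES-256-GCM with the record name as associated data, and sets a TLS 1.2 floor for transport. The roles, field names, policy table, account names and the NIK value are assumptions constructed for the example; the key handling in main is for the demo only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"time"
)

// Roles, field names and the access policy are assumptions made for this example.
type Role string
const RoleHRAdmin, RolePayroll, RoleManager Role = "hr_admin", "payroll", "manager"
var ErrForbidden = errors.New("forbidden: role may not access this field")

// readPolicy: who may read each field. Writes are hr_admin only; anything not listed is denied.
var readPolicy = map[string]map[Role]bool{
	"name": {RoleHRAdmin: true, RolePayroll: true, RoleManager: true},
	"bank": {RoleHRAdmin: true, RolePayroll: true},
	"nik":  {RoleHRAdmin: true},
}

// AuditEntry: who touched which field of which employee. Denials are logged too.
type AuditEntry struct {
	At                             time.Time
	Actor, Action, Employee, Field string // Actor is a named account, never a shared "admin"
	Role                           Role
}

// Store keeps each field as nonce||ciphertext||tag under AES-256-GCM, so backups inherit it.
type Store struct {
	aead    cipher.AEAD
	records map[string][]byte // rec(employee, field) -> sealed blob
	Audit   []AuditEntry      // append-only
}

// NewStore takes a 32-byte key; in production it lives in a KMS/HSM, never beside the data.
func NewStore(key []byte) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, _ := aes.NewCipher(key)  // only fails on a bad key length, checked above
	aead, _ := cipher.NewGCM(block) // only fails on a non-16-byte block size; AES is 16
	return &Store{aead: aead, records: map[string][]byte{}}, nil
}

// rec names a record: it is the map key and the AEAD's associated data, so a blob moved to
// another employee or field (e.g. restored in the wrong place) fails to open.
func rec(employee, field string) string { return employee + "/" + field }
func (s *Store) log(actor string, role Role, action, employee, field string) {
	s.Audit = append(s.Audit, AuditEntry{time.Now().UTC(), actor, action, employee, field, role})
}

func (s *Store) Write(actor string, role Role, employee, field, value string) error {
	if role != RoleHRAdmin {
		s.log(actor, role, "denied", employee, field)
		return ErrForbidden
	}
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per write, never reused
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[rec(employee, field)] = s.aead.Seal(nonce, nonce, []byte(value), []byte(rec(employee, field)))
	s.log(actor, role, "write", employee, field)
	return nil
}

func (s *Store) Read(actor string, role Role, employee, field string) (string, error) {
	if !readPolicy[field][role] {
		s.log(actor, role, "denied", employee, field)
		return "", ErrForbidden
	}
	blob, ns := s.records[rec(employee, field)], s.aead.NonceSize()
	if len(blob) < ns+s.aead.Overhead() { // nil (no such record) or truncated
		return "", errors.New("record missing or corrupt")
	}
	pt, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(rec(employee, field)))
	if err != nil { // wrong key, tampered bytes, or blob moved from another record
		return "", fmt.Errorf("integrity check failed for %s: %w", rec(employee, field), err)
	}
	s.log(actor, role, "read", employee, field)
	return string(pt), nil
}

// Sealed is what a backup or a disk-level attacker sees; Put restores a blob without decrypting it.
func (s *Store) Sealed(employee, field string) []byte { return s.records[rec(employee, field)] }
func (s *Store) Put(employee, field string, blob []byte) {
	s.records[rec(employee, field)] = append([]byte(nil), blob...)
}

// TransitConfig covers data in transit: refuse anything below TLS 1.2.
func TransitConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }

func main() {
	key := make([]byte, 32)
	rand.Read(key) // demo only; see NewStore
	s, _ := NewStore(key)
	_ = s.Write("ana@example.co.id", RoleHRAdmin, "emp-001", "nik", "3201010101010001") // constructed NIK
	fmt.Println(s.Read("bob@example.co.id", RoleManager, "emp-001", "nik"))              // manager: denied
}
```

Two design choices carry most of the value. Binding the employee and field name into the AEAD's associated data means a ciphertext copied between records, or restored from backup under the wrong key, is rejected at read time rather than silently decrypting into the wrong place. Logging denials alongside successful reads and writes turns the audit trail into a detection source, not just an evidence store.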

PENALTIES

Non-compliance is expensive — and personal.

The PDP Law layers administrative fines on top of criminal penalties. Directors and DPOs can be personally liable.

Up to 2% of annual revenue

Administrative fine — repeated or serious violations of processing principles

Up to IDR 4 billion and/or 4 years prison

Unauthorized disclosure of personal data (Article 67)

Up to IDR 6 billion and/or 6 years prison

Forging personal data with intent to harm (Article 68)

Service suspension

Continued non-compliance after written warnings

FAQ

Frequently asked questions

Does the PDP Law apply to my small business?

Yes. The law applies to any 'Personal Data Controller' — defined as anyone, individual or organization, that determines the purpose and means of personal data processing. There is no employee or revenue threshold. A 5-person company holding employee BPJS numbers and addresses is a Data Controller.

Does it apply to foreign companies hiring Indonesian remote workers?

Yes, with extraterritorial reach. Article 2(2) extends the law to any entity outside Indonesia whose processing affects Indonesian data subjects. A US company hiring an Indonesian contractor must comply with PDP rules on that data.

Do we need a DPO if we only have 10 employees?

If your business is processing only employee data on a small scale, a DPO may not be mandatory — but appointing one is strongly recommended. The DPO can be a part-time role or outsourced. The requirement becomes mandatory once you process sensitive data (health, biometrics, religion, criminal history) or process at scale.

What's the difference between PDP Law and GDPR?

Conceptually similar: both rest on a lawful basis for processing, data subject rights, breach notification, DPO requirements and severe penalties. Key differences: the PDP Law carries criminal penalties for individuals, whereas GDPR itself imposes only administrative fines; both use a 72-hour breach window, but the PDP Law applies it to data subjects as well as the authority, whereas GDPR requires notifying data subjects only for high-risk breaches and only 'without undue delay'; and Indonesia has not yet finalized its independent authority (the PDP Authority is still being established).

What records do I need to keep for audit purposes?

At minimum: a data processing register (Article 31), consent records with timestamps, access logs, breach incident records, DPA copies for every processor, and DPIA results for high-risk processing. Retain for the longer of 2 years post-incident or the relevant statute of limitations.

How does Checkly help with PDP compliance?

Checkly is built as a PDP-compliant data processor: role-based access for HR data, audit logs on every read and write of employee records, encrypted storage, configurable retention periods, breach detection alerts, and a standard DPA you can sign at onboarding. Your obligations as a controller don't disappear, but Checkly removes the processor-side gaps.

PDP-compliant HR, out of the box.

Role-based access, audit logs, encrypted storage, configurable retention, and a standard DPA — built in. Demo it in 30 minutes.
