Data subjects are entitled to request the ESO delete their PII, and the ESO must do so accordingly. If the data subject does not request such deletion, under MoCI Regulation 20, an ESO shall comply with a five-year minimum statutory retention period or as otherwise required by the relevant supervisory authority. This retention period is calculated from the moment the data subject terminates the use of services of the ESO.Continue reading
Note that this document created in mid-2020 where on 24 January 2020, President Joko Widodo signed the Personal Data Protection (PDP) Bill which is currently being finalized by the Indonesian House of Representatives (DPR). Upon finalization of this PDP Bill, Indonesia will become the fifth country in ASEAN to implement regulations regarding Personal Data Protection.
For the existing Personal Data Controller, there will be a two-year period before the PDP Bill is fully effective and achieves full compliance.
The protection of personal data in Indonesia was initially focused on protection from a privacy perspective. Under the Indonesian Constitution, the concept of privacy rights has been recognized and protected as part of the general concept of human rights. With the need to cover the sector yet to be regulated, specifically, that of the internet and electronic transaction-related activities, Law No. 11/2008 on Electronic Information and Transactions as amended by Law No. 19/2016 (collectively, the EIT Law) was passed. Even though most of the provisions of the EIT Law focus on electronic transactions, there is a notable provision that deals with personal data in the EIT Law.Continue reading