Data subjects are entitled to request that the ESO delete their PII, and the ESO must do so accordingly. If the data subject does not request such deletion, then under MoCI Regulation 20 an ESO shall comply with a five-year minimum statutory retention period, or such other period as the relevant supervisory authority requires. This retention period is calculated from the moment the data subject terminates use of the ESO's services.
Following the expiration of the retention period, the ESO may delete the relevant personal data, unless the ESO determines that the personal data is still required to be kept and used in accordance with the purpose for which it has been processed. In the latter case, the ESO shall obtain consent from the data subject and shall provide sufficient information on why it retains the relevant personal data (i.e., the category of personal data and the purpose of the processing).
As part of its effort to maintain the security of its electronic system, an ESO is required to implement internal guidelines or a policy for the collection, processing, and transfer of personal data, and to maintain an audit record of the provision of its electronic system.
Related to this section, in companies that I have been working with, I personally advise that they do the following:
- Have an audit trail of any user activity within the platform, including human and machine activity.
- Have a basic SIEM (Security Information and Event Management) set up.
- Have no hard-delete (physical) function on any PII-related data; soft-delete (logical) is allowed.
- Have at least a five-year archiving retention period for PII-related data, with replication in the Indonesia region.
*ESO: Electronic System Operators / Penyelenggara Sistem Elektronik (PSE); see MoCI at https://pse.kominfo.go.id/
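As an added illustration of three of the points above (an audit trail for every actor, soft-delete only on PII, and a retention clock that starts at termination of service), not code from the original post: a minimal in-memory PII store. The names `PiiRecord`, `PiiStore` and the `hard_delete` guard are my own assumptions; a real deployment would back this with a database and ship the trail to the SIEM.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

RETENTION_YEARS = 5  # MoCI Regulation 20 minimum, counted from service termination

@dataclass
class PiiRecord:
    subject_id: str
    email: str
    service_terminated_on: Optional[date] = None
    deleted_on: Optional[date] = None  # soft-delete marker; the row itself is never removed

@dataclass
class PiiStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # append-only trail, human and machine actors

    def _audit(self, actor: str, action: str, subject_id: str, on: date) -> None:
        self.audit_log.append({"on": on, "actor": actor, "action": action, "subject": subject_id})

    def add(self, rec: PiiRecord, actor: str, today: date) -> None:
        self.records[rec.subject_id] = rec
        self._audit(actor, "create", rec.subject_id, today)

    def terminate_service(self, subject_id: str, actor: str, today: date) -> None:
        self.records[subject_id].service_terminated_on = today
        self._audit(actor, "terminate_service", subject_id, today)

    def soft_delete(self, subject_id: str, actor: str, today: date) -> None:
        self.records[subject_id].deleted_on = today  # a subject's deletion request ends here
        self._audit(actor, "soft_delete", subject_id, today)

    def hard_delete(self, subject_id: str, actor: str, today: date) -> None:
        self._audit(actor, "hard_delete_rejected", subject_id, today)  # the attempt is recorded
        raise PermissionError("hard-delete of PII is not permitted; use soft_delete")

    def retention_ends(self, subject_id: str) -> Optional[date]:
        t = self.records[subject_id].service_terminated_on
        if t is None:
            return None  # retention clock only starts when the subject terminates service
        try:
            return t.replace(year=t.year + RETENTION_YEARS)
        except ValueError:  # 29 Feb anniversary falling in a non-leap year
            return t.replace(year=t.year + RETENTION_YEARS, day=28)

    def archive_purge_eligible(self, subject_id: str, today: date) -> bool:
        end = self.retention_ends(subject_id)
        return end is not None and today >= end
```

Even a record the subject asked to delete stays in the archive as a logically deleted row until `archive_purge_eligible` is true, which is the behaviour the soft-delete-only rule asks for.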