Understanding the principles of personal data processing

On October 17, 2022, the Government of Indonesia enacted Law Number 17 of 2022 concerning Personal Data Protection (“PDP Law”). Under the PDP Law, all parties involved in the processing of personal data are required to comply with its provisions within two (2) years from the date of enactment. This transition period is intended to ensure that companies bring the lines of business they already operate into compliance with the PDP Law. As stipulated in the PDP Law, the protection of personal data is a fundamental human right aimed at safeguarding the rights of citizens. The processing of personal data often involves various parties, including individuals as data subjects and data controllers who determine the purposes and means of processing such data.

Personal data processing includes several stages as outlined in Article 16 paragraph (1) of the PDP Law, namely:

  1. Acquisition and collection
  2. Filtering and analysis
  3. Storage
  4. Fixes and updates
  5. Display, announcement, transfer, dissemination, and/or disclosure
  6. Deletion or destruction
 
Both Data Controllers and Data Processors are legally obligated to comply with the principles of data processing as mandated by the PDP Law. There are eight fundamental principles that must be observed in the processing of personal data:
 
1. Collection of Personal Data Must Be Limited, Specific, Lawful, and Transparent

The collection of personal data must be limited to what is necessary and directly related to the purpose for which the data is processed. Data must not be collected for purposes other than those disclosed to the data subject. Additionally, the collection must be legally justified, based on valid legal grounds as set forth in the PDP Law. Transparency is key: data subjects must be clearly informed about what data is being collected and for what purpose.

2. Personal Data Must Be Processed in Accordance with its Purpose

Data must be processed strictly in line with the original purpose communicated to the data subject. Each stage, whether collection, processing, storage, disclosure, or deletion, must align with the disclosed purpose. If the purpose changes, new consent must be obtained from the data subject.

3. Personal Data Processing Must Guarantee the Rights of the Data Subject

Data processing must uphold the rights of the data subject as provided under the PDP Law. These include:
  1. Right to Access
  2. Right to Information
  3. Right to Rectification or Update of Inaccurate Data
  4. Right to Restrict Processing
  5. Right to Erasure, Termination, or Destruction of Processing
  6. Right to Withdraw Consent
  7. Right to Data Portability
  8. Right to Object
 
4. Personal Data Must Be Accurate, Complete, Up-to-Date, Non-Misleading, and Accountable

Personal data must be processed with accuracy and integrity. The information should be current and maintained in a way that avoids any misrepresentation or misunderstanding. Data controllers must ensure ongoing data accuracy and completeness throughout its lifecycle.
 
5. Personal Data Processing Must Safeguard Against Unauthorized Access, Disclosure, Alteration, Misuse, Destruction, or Loss

All parties involved in data processing must implement robust security measures. These may include data encryption, employee training, access control systems, and routine audits to ensure data confidentiality, integrity, and availability.
 
6. Purpose and Activities of Data Processing, Including Data Breaches, Must Be Disclosed

Data controllers are required to provide clear information on the purpose and nature of data processing, typically through a Privacy Notice that is easily understood by the data subjects. If there is any change in the processing purpose or activities, data subjects must be informed.

In the event of a personal data breach, the Data Controller must notify the data subject and the relevant supervisory authority in writing within 3 x 24 hours, as mandated by the PDP Law.
 
7. Personal Data Must Be Deleted or Destroyed After the Retention Period or Upon Request of the Data Subject, Unless Otherwise Stipulated by Laws and Regulations

Data controllers must implement a data retention policy that defines how long personal data is stored, in line with the purpose of collection. In accordance with Article 8 of the PDP Law, data subjects have the right to request the termination of processing, deletion, or destruction of their personal data, unless otherwise required by applicable laws and regulations.
 
8. Personal Data Must Be Processed Responsibly and Can Be Clearly Proven

Under this principle, the Data Controller is obligated to manage personal data responsibly. This includes ensuring the security of personal data and processing it strictly in accordance with the intended purposes of the processing activities.

Accordingly, this principle requires that:
  • If the legal basis for processing is consent, such consent must be documented and recorded in writing;
  • A record of all personal data processing activities must be maintained;
  • A Data Protection Impact Assessment (DPIA) document must be in place.
 
 
