What Are the Rights of Data Subjects?

One of the key aspects of the Personal Data Protection Law (PDP Law) is the protection of data subjects. These rights give data subjects control over their personal data that is collected, stored, and used by other parties.
The rights of personal data subjects include:

1. Right to Access

The data subject has the right to access and obtain a copy of their personal data in accordance with applicable laws and regulations.

2. Right to Information

The data subject has the right to receive clear information regarding the identity of the requesting party, the legal basis, the purpose of the data request, and how the personal data will be used.

3. Right to Rectification

The data subject has the right to complete, update, and/or correct any errors or inaccuracies in their personal data, in accordance with the purpose of the personal data processing. 

4. Right to Restrict Processing

The data subject has the right to suspend or restrict the processing of their personal data proportionally, in line with the intended purpose of the processing.

5. Right to Terminate the Processing, deletion, and/or destruction of their Personal data

The data subject has the right to terminate the processing, deletion, and/ or destruction of their personal data in accordance with the provisions of the Prevailing laws and regulations.

6. Right to Withdraw Consent

The data subject has the right to withdraw previously given consent for the processing of their personal data by the data controller.

7. Right to Data Portability

The data subject has the right to transfer their personal data to another party, as long as the systems used are capable of securely communicating with each other in accordance with the principles of personal data protection.

8. Right to Object

The data subject has the right to object to decision-making processes that are based solely on automated processing, including profiling, especially when such decisions have legal consequences or significantly affect the data subject.

What Are the Sanctions for Violations of the Personal Data Protection Law (PDP Law) ? 

A. Criminal Sanctions

Violations of the Personal Data Protection Law (PDP Law) may result in both criminal and administrative sanctions. Criminal sanctions may be imposed for the following actions:

1. Intentionally and unlawfully obtaining or collecting personal data that does not belong to them, with the intent to benefit themselves or others, which may cause harm to the data subject.
2. Intentionally and unlawfully disclosing personal data that does not belong to them.
3. Intentionally and unlawfully using personal data that does not belong to them.
4. Intentionally creating or falsifying personal data with the intent to benefit themselves or others, which may cause harm to others.

Criminal sanctions for the above violations may include imprisonment ranging from four (4) to six (6) years and/or a fine of up to IDR 6 billion.

If the above criminal acts are committed by a corporation, sanctions may be imposed on its directors, controllers, those giving orders, beneficial owners, and/or the corporation itself. Additional criminal sanctions that may be imposed on corporations include:

a. Fines of up to ten (10) times the maximum stipulated fine.
b. In addition to the fine, corporations may also be subject to the following penalties:

1. Consfiscation of profits and/or assets obtained;

2. Partial or total suspension of business operations;

3. Permanent prohibition from carrying out certain activities;

4. Closure of part or all of the business premises and/or corporate activities;

5. Fulfillment of previously neglected obligations;

6. Compensation payment to affected parties;

7. Revocation of licenses;

8. Dissolution of the corporation.

B. Administrative Sanctions

b. Failure of the data controller to comply with the orders of the authorized data protection authority