Indonesia PDPL

Indonesia

22 domains

39 controls

Indonesia Personal Data Protection Law (Law No. 27 of 2022, full enforcement Oct 2024).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (22)

Accountability

1 controls

Controls in the Accountability domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art37	Controller obligations and accountability	Article 37 makes controllers accountable for processing and requires demonstrable compliance with PDPL principles, inclu...

Audit

1 controls

Controls in the Audit domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art30	Logging and supervision of processing	Article 30 requires controllers to maintain processing logs and supervise processing activities for compliance with PDPL...

Breach notification

2 controls

Controls in the Breach notification domain of Indonesia PDPL — 2 controls
Code	Title	Description
PDPL-Art46	Personal data breach notification (3x24 hours)	Article 46 requires controllers to notify the Personal Data Protection Authority and affected data subjects within 3x24...
PDPL-Art47	Public disclosure of breach in certain cases	Article 47 permits the Authority to require public disclosure of a breach where it poses a high risk to data subjects or...

Children

1 controls

Controls in the Children domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art25	Processing of children's data	Article 25 requires parental or guardian consent for processing personal data of children (under 18 in Indonesia). Proce...

Consent

1 controls

Controls in the Consent domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art22	Consent requirements	Article 22 requires consent be valid, explicit, given in clear and plain language, recorded, and separable per purpose....

Cross-border transfer

1 controls

Controls in the Cross-border transfer domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art56	Cross-border personal data transfer	Article 56 permits cross-border transfer where: (a) the receiving country has equivalent or higher protection (adequacy)...

DPIA

1 controls

Controls in the DPIA domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art31	Data Protection Impact Assessment (DPIA)	Article 31 requires controllers to conduct a DPIA where processing has high risk to data subjects, including large-scale...

Data classification

1 controls

Controls in the Data classification domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art4	Specific (sensitive) personal data categories	Article 4 enumerates specific personal data: health data, biometric data, genetic data, criminal records, children's dat...

Data quality

1 controls

Controls in the Data quality domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art28	Accuracy and validity of personal data	Article 28 requires controllers to ensure personal data is accurate, complete, not misleading, up-to-date, accountable,...

Data subject rights

9 controls

Controls in the Data subject rights domain of Indonesia PDPL — 9 controls
Code	Title	Description
PDPL-Art10	Right to object to automated decision-making	Article 10 grants the right to object to automated decision-making, including profiling, that produces legal effects or...
PDPL-Art11	Right to restrict processing	Article 11 grants the right to delay and restrict processing of personal data in proportion to the purpose.
PDPL-Art12	Right to data portability	Article 12 grants the right to obtain and use personal data in a compatible format that allows interoperability with oth...
PDPL-Art13	Right to claim and receive compensation	Article 13 grants data subjects the right to sue and receive compensation for violations of personal data processing, in...
PDPL-Art5	Right to information about processing	Article 5 grants data subjects the right to obtain clear information about the identity of the controller, legal basis,...
PDPL-Art6	Right to complete, update, and rectify personal data	Article 6 grants the right to complete, update, and rectify inaccurate personal data without undue delay.
PDPL-Art7	Right of access to personal data	Article 7 grants the right to access and obtain a copy of personal data being processed, in a structured and readable fo...
PDPL-Art8	Right to terminate processing, delete, or destroy personal data	Article 8 grants the right to terminate processing, delete, or destroy personal data in accordance with the law.
PDPL-Art9	Right to withdraw consent	Article 9 grants the right to withdraw consent to processing at any time, with effect from the date of withdrawal. Withd...

Governance

3 controls

Controls in the Governance domain of Indonesia PDPL — 3 controls
Code	Title	Description
PDPL-Art35	Data Protection Officer (DPO) appointment	Article 53 (under Article 35-derived obligations) requires appointment of a DPO where processing is for public service,...
PDPL-Art40	Joint controllers	Article 40 addresses joint controllers, requiring a transparent arrangement allocating responsibilities for compliance w...
PDPL-Art58	Personal Data Protection Authority (Lembaga PDP)	Article 58-61 establish the Personal Data Protection Authority under the President via KemKomDigi (formerly Kominfo), wi...

Lawful basis

1 controls

Controls in the Lawful basis domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art20	Lawful basis for processing	Article 20 enumerates six lawful bases: explicit consent, contractual necessity, legal obligation, vital interests, publ...

Localization

1 controls

Controls in the Localization domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art57	Data localization for strategic data (sector-specific)	Article 57 and sector regulations (e.g., OJK for finance, BI for payment, Kominfo PP 71/2019 for ESPs) may impose data l...

Penalties

4 controls

Controls in the Penalties domain of Indonesia PDPL — 4 controls
Code	Title	Description
PDPL-Art57Admin	Administrative sanctions up to 2% of annual revenue	Article 57 of implementing regulation (Rancangan PP PDP) and Article 57 PDPL allow administrative sanctions: written war...
PDPL-Art65	Criminal offenses: unlawful obtaining or disclosing of personal data	Article 65 criminalizes obtaining or collecting personal data unlawfully (up to 5 years and IDR 5B), disclosing personal...
PDPL-Art66	Criminal offenses: falsifying personal data	Article 66 criminalizes falsifying personal data for self or others gain or causing loss, with up to 6 years imprisonmen...
PDPL-Art67	Criminal offenses: corporate liability and additional sanctions	Article 67-70 apply criminal sanctions to corporations at up to ten times the maximum natural-person fine (up to IDR 60B...

Processing principles

1 controls

Controls in the Processing principles domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art16	Principles of personal data processing	Article 16 sets processing principles: lawfulness, proportionality, accuracy, security, transparency, accountability, pu...

Programme

1 controls

Controls in the Programme domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-TransOct2024	Transition period and full enforcement	Article 74 provided a two-year transition from enactment (17 October 2022) to full enforcement (17 October 2024). Existi...

Retention

2 controls

Controls in the Retention domain of Indonesia PDPL — 2 controls
Code	Title	Description
PDPL-Art48	Retention and destruction of personal data	Article 48 requires personal data be retained only for the period necessary to fulfill the purpose and be destroyed or a...
PDPL-Art50	Personal data destruction procedures	Article 50 requires destruction of personal data when retention purpose is fulfilled, withdrawal of consent, expiry of c...

Scope

1 controls

Controls in the Scope domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art1	Definitions and scope of personal data	Article 1 defines personal data as any data about an identified or identifiable natural person, distinguishing general p...

Security

3 controls

Controls in the Security domain of Indonesia PDPL — 3 controls
Code	Title	Description
PDPL-Art27	Anonymization and pseudonymization	Article 27 permits processing of anonymized data outside PDPL scope. Pseudonymization is a recognized security measure b...
PDPL-Art29	Confidentiality and security of personal data	Article 29 requires controllers to maintain confidentiality of personal data through technical and organizational measur...
PDPL-Art45	Personal data breach prevention measures	Article 45 requires controllers to prevent unauthorized access, alteration, destruction, or loss of personal data throug...

Transparency

1 controls

Controls in the Transparency domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art21	Information to be provided before consent or processing	Article 21 requires controllers to provide before processing: lawful basis, purpose, types of personal data, retention p...

Vendor management

1 controls

Controls in the Vendor management domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art39	Processor obligations and controller-processor contracts	Article 39 requires processors to act only on documented instructions of the controller and to implement security measur...

Vulnerable subjects

1 controls

Controls in the Vulnerable subjects domain of Indonesia PDPL — 1 controls
Code	Title	Description
PDPL-Art26	Processing of personal data of persons with disabilities	Article 26 requires special consent procedures for processing data of persons with disabilities affecting capacity to co...

Frequently Asked Questions

What is Indonesia PDPL?

Indonesia PDPL is a compliance framework from Indonesia with 22 domains and 39 controls. Indonesia Personal Data Protection Law (Law No. 27 of 2022, full enforcement Oct 2024). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Indonesia PDPL have?

Indonesia PDPL has 39 controls organised across 22 domains. The largest domains are Data subject rights (9 controls), Penalties (4 controls), Governance (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Indonesia PDPL map to?

Indonesia PDPL does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Indonesia PDPL compliance?

Start your Indonesia PDPL compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Indonesia PDPL requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 39 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required