Your company processes personal data of Indonesian citizens every day. Payroll records, candidate CVs, customer purchase histories, employee health insurance details, HR files that go back years. Under Indonesian law, every one of these data points has been subject to a comprehensive personal data protection framework since 17 October 2024. That was the date the two-year transition period under Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Pelindungan Data Pribadi or UU PDP) expired, and full enforceability began.
Most companies operating in Indonesia are aware the law exists. Fewer have a clear picture of what it actually requires from them right now, partly because of a structural peculiarity that makes the Indonesian PDP framework unusual: the law is enforceable, but the nine implementing government regulations (Peraturan Pemerintah) it mandates have not yet been issued, and the dedicated supervisory authority (Badan Pengawas Pelindungan Data Pribadi) has not yet been formally established. Companies operating in this environment are subject to real legal obligations while working inside a regulatory architecture that is still incomplete.
That is the compliance reality for mid-2026. Understanding it precisely matters more than either overstating or understating it.
What UU PDP Covers and Who It Reaches
The territorial scope of UU PDP is deliberately broad. Article 2 makes clear that the law applies to every legal action involving personal data processing, regardless of where the processing party is located, as long as the data subject is in Indonesia or the legal consequences of the processing occur in Indonesia. A company headquartered in Singapore that processes the personal data of Indonesian employees through a cloud-based HR system operated from outside Indonesia is inside the scope of UU PDP. A PT PMA that collects customer data in Jakarta through a locally operated application is equally inside scope.
The law distinguishes between two categories of personal data:
- General personal data: Full name, gender, citizenship, religion, and combinations of data that can identify a person. This category covers the vast majority of what a company collects in normal HR and commercial operations.
- Specific personal data: Health and medical information, biometric data, genetic data, criminal records, financial data, and children’s data. Processing this category carries stricter obligations and, for any breach involving it, higher exposure.
An important clarification on what the law covers: it is the processing of personal data, not just its storage, that triggers obligations. Collecting a candidate’s CV, verifying an employee’s identity for payroll purposes, transferring HR data to a payroll processing vendor, sharing customer purchase data with a third-party marketing platform: all of these are processing activities subject to UU PDP, not just the act of maintaining a database.
The Core Obligations for Data Controllers
UU PDP places its primary obligations on the Pengendali Data Pribadi, or Personal Data Controller: the party that determines the purpose and controls the processing of personal data. This is typically the company itself. A payroll service provider or HR software vendor that processes data on behalf of the company is a Processor, not a Controller, and carries different but related obligations under the same law.
Lawful Basis for Processing
Every processing activity requires a lawful basis. UU PDP recognizes several, and the company must document which basis applies to each category of data it processes:
- Explicit consent from the data subject, given freely and specifically for the stated purpose
- Contractual necessity, where processing is required to fulfill or prepare a contract with the data subject
- Legal obligation, where processing is required to comply with statutory obligations such as payroll tax reporting or BPJS enrollment
- Vital interest, for processing necessary to protect the life of the data subject or another person
- Public interest, applicable primarily to government entities
- Legitimate interest of the controller, provided it does not override the rights of the data subject
For a foreign company operating in Indonesia, the most commonly applicable bases are contractual necessity for employee data processed in connection with the employment relationship, legal obligation for tax and social security reporting, and explicit consent for marketing and customer relationship processing. Relying on consent as the default basis for employee data is problematic in practice, because Indonesian courts have historically questioned whether consent given in an employment relationship is genuinely voluntary. Documenting the contractual or legal obligation basis for the bulk of employee data processing is the more defensible approach.
Data Subject Rights That Must Be Fulfilled
UU PDP grants eight rights to data subjects, and every company that processes Indonesian personal data must have a mechanism for receiving and responding to these requests:
- Right to access their personal data held by the controller
- Right to rectify inaccurate or incomplete data
- Right to erasure (the right to be forgotten), when the processing basis is no longer valid
- Right to restrict processing, pending dispute resolution
- Right to object to processing based on legitimate interest
- Right to data portability, to receive their data in a readable format
- Right to withdraw consent at any time, without penalty
- Right to claim compensation for damage suffered from processing violations
The practical compliance requirement is not just knowing these rights exist. It is having a documented procedure for handling requests, a response timeline that the company consistently meets, and a clear internal point of contact for data subjects who raise a request. A company that cannot demonstrate this operationalization has a compliance gap regardless of how good its data security architecture is.
Data Breach Notification
Article 46 of UU PDP requires a Personal Data Controller to notify both the supervisory authority and the affected data subjects within 14 calendar days of becoming aware of a personal data breach that is likely to cause harm to data subjects. The notification must include: a description of the breach, the categories and approximate number of affected data subjects, contact details of the Data Protection Officer (Petugas Pelindungan Data Pribadi or PPDP), likely consequences of the breach, and measures taken or proposed to address it.
This 14-day window is strict and starts from the date the controller “becomes aware,” a standard that includes the date they should have become aware had they had adequate monitoring in place. A company without breach detection processes can find itself in violation of the notification obligation before it has even identified that a breach occurred.
On the supervisory authority notification: because the dedicated PDP supervisory authority had not been formally established as of the most recent information available to this publication, notifications are currently directed to the Ministry of Communication and Digital Affairs (Kementerian Komunikasi dan Digital or Komdigi), which is acting as the de facto regulatory authority under existing electronic system regulations. This should be confirmed against current government guidance at the time a notification becomes necessary, as the institutional structure remains in transition.
The Data Protection Officer Obligation
Article 53 of UU PDP, as interpreted by the Constitutional Court in its 2025 ruling on Case No. 151/PUU-XXII/2024, requires certain Personal Data Controllers and Processors to appoint a Petugas Pelindungan Data Pribadi (PPDP), the Indonesian equivalent of a Data Protection Officer (DPO). The Constitutional Court clarified that the three triggering conditions in Article 53(1) should be read as “and/or” rather than cumulatively, meaning the obligation arises when any one of the following applies:
- The processing is carried out for public services
- The core activities of the controller or processor consist of processing that requires systematic and large-scale monitoring of data subjects
- The core activities consist of large-scale processing of specific personal data
For a foreign company running a PT PMA in Indonesia with a workforce of 50 or more employees whose data is managed through a centralized HR system, the second and third conditions are likely to be relevant. The PPDP does not need to be an Indonesian citizen, but must have expert knowledge of data protection law and practice, must be accessible to data subjects, and must be able to communicate with the supervisory authority. A single individual can serve as PPDP for multiple entities within the same corporate group.
The implementing regulation that will specify more detailed requirements for the PPDP appointment process is one of the nine PP that remain pending. Until that regulation is issued, companies should document the appointment of a PPDP using the criteria and obligations in the UU PDP text itself as the baseline. Waiting for the PP before making the appointment is not a defensible compliance position, because the obligation in the parent law already applies.
Cross-Border Data Transfer
Indonesia’s personal data cross-border transfer rules sit in Article 56 of UU PDP. The requirement is that cross-border transfers may only occur to countries or international organizations whose data protection standards are “equivalent to or higher than” those under Indonesian law, or with the consent of the data subject, or under other conditions specified in the implementing regulations.
The practical challenge for foreign companies is that the regulation defining which countries qualify as having equivalent protection has not yet been issued as part of the pending PP framework. This status should be verified against current government guidance before relying on it for any specific transaction. In the meantime, this gap affects any company routinely transferring Indonesian employee data to systems hosted or managed outside Indonesia, which describes the majority of multinational companies operating here through centralized HR, payroll, or ERP platforms.
The most defensible interim approach, used by a number of compliance-conscious companies operating in Indonesia while the PP remains pending, is to document explicit and informed consent from Indonesian data subjects for each cross-border transfer, supplemented by data processing agreements with the receiving entities that mirror the protections required under UU PDP. This does not fully eliminate the regulatory uncertainty, but it creates a documented compliance effort that would be relevant in any enforcement proceeding.
For a company managing employee personal data across multiple Indonesian locations, the same cross-border transfer question arises when payroll data is processed by a provider operating from outside Indonesia. The interaction between UU PDP data transfer obligations and the day-to-day mechanics of payroll outsourcing in Indonesia is one of the practical compliance touch points that the pending PP framework is expected to clarify further.
The Enforcement Gap and What It Actually Means
The pending status of the nine implementing regulations and the supervisory authority creates a genuine enforcement gap that companies interpret in very different ways. Some use it as a reason to defer compliance work entirely. This is a miscalculation.
UU PDP is directly enforceable as a statute without implementing regulations. The absence of a dedicated supervisory authority does not mean there is no enforcement pathway. Komdigi has the authority to oversee electronic system operators, which covers most companies processing personal data through digital systems, under existing regulations that predate UU PDP. The sectoral regulators, particularly OJK for financial services under POJK No. 22 of 2023, have their own enforcement authority. And Article 56 of UU PDP explicitly allows data subjects to pursue civil claims for compensation against controllers who cause them harm through data protection violations, independent of any regulatory action.
The administrative sanction framework under Article 47 of UU PDP is also directly operative: up to 2 percent of annual revenue for processing violations, graduated depending on the severity and nature of the violation. The criminal provisions, including up to seven years of imprisonment for unlawful disclosure of sensitive personal data, and up to six years for using personal data in ways that are inconsistent with the disclosed purpose, are in the Criminal Code chapter of UU PDP and do not require implementing regulations to be enforced through the criminal justice system.
The companies most at risk are not those with sophisticated but imperfect programs. They are those that have done nothing substantive since October 2024 on the assumption that incomplete implementing regulations mean the law does not practically apply. When enforcement actions do occur, regulators consistently treat companies that made a documented compliance effort differently from those that made none.
The Compliance Baseline for Foreign Companies in 2026
For a PT PMA or foreign company operating in Indonesia without an established PDP compliance program, the practical starting points are:
- Conduct a data mapping exercise to identify what personal data the company collects, processes, stores, and transfers relating to employees, customers, candidates, and business partners
- Document the lawful basis for each category of processing, not just for regulatory records but to ensure the basis is actually valid
- Establish a data subject request procedure with clear internal ownership and a response timeline consistent with the law’s requirements
- Appoint a PPDP with documented authority, expertise, and accessibility
- Review vendor contracts to ensure data processors (payroll vendors, HR software providers, cloud storage providers) are operating under written data processing agreements that meet UU PDP standards
- Implement breach detection and notification procedures that can realistically meet the 14-day reporting window
- Address cross-border transfers through documented consent or data processing agreements while the PP framework remains pending
For companies with employees whose data feeds into Indonesian payroll, tax, and BPJS reporting systems, the HR function is typically the highest-volume data processing environment and the most direct compliance priority. The interaction between employee data protection obligations under UU PDP and the operational payroll compliance calendar is one area where compliance work and operational HR work need to be aligned rather than treated as separate tracks. Companies that have already undergone M&A activity in Indonesia also carry a specific UU PDP obligation: any transfer of personal data in connection with a merger, acquisition, or consolidation requires advance notification to data subjects and a formal agreement between the outgoing and incoming controllers.
XPND’s compliance practice assists foreign companies in Indonesia with PDP gap assessments, data mapping, vendor contract reviews, and PPDP appointment documentation under the current legal framework. For companies that have not yet conducted a formal review of their Indonesian data processing activities against UU PDP, the time to do so is not when the PP finally issues, but before the enforcement environment catches up with the obligations that have been in force since October 2024.
Reach out to XPND’s compliance team to assess your current data processing practices against UU PDP obligations and build a program that holds up under Indonesian regulatory scrutiny.