Data & Privacy · Indonesia
Indonesia enacted a comprehensive, GDPR-inspired Personal Data Protection Law (Law No. 27 of 2022) on 17 October 2022, with a two-year transition period that ended on 17 October 2024, after which full compliance is required. The law applies to public and private controllers/processors and has extraterritorial reach. However, key institutional pieces remain incomplete: the mandated independent Data Protection Authority has not yet been formed and the detailed implementing Government Regulation is still being finalized as of early-to-mid 2026.
Law No. 27 of 2022 (UU PDP) is Indonesia's first omnibus personal-data law, modeled on the EU GDPR. It covers data subject rights, lawful processing bases (including consent), special-category data, breach notification, and cross-border transfers, applying both within and beyond Indonesia.
Controllers and processors were given a two-year grace period that expired on 17 October 2024; since then, full compliance is mandatory and non-compliance is subject to enforcement.
The PDP Law requires a presidentially established Data Protection Authority (Lembaga PDP), but it has not yet been formed. A draft Presidential Regulation to create it was made public around end-February 2026 and is awaiting presidential approval, with a target launch around mid-2026.
Pending the dedicated authority, data-protection matters are handled by the Ministry of Communication and Digital Affairs (Komdigi), specifically its Directorate General of Digital Space Supervision under Komdigi Regulation 1/2025.
The detailed implementing Government Regulation (RPP PDP, reportedly ~245 articles on data-subject rights, controller obligations and oversight) completed inter-ministerial harmonization in 2025 but had not yet been formally enacted as of early 2026; it is expected to clarify cross-border transfer adequacy and safeguard mechanisms.
Obligations include a lawful basis for processing, transparency, breach notification, appointing a DPO in defined cases, and data protection by design. Sanctions include administrative fines up to 2% of annual revenue, suspension of processing, and criminal penalties for unlawful data acquisition or disclosure.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.