Personal Data Subject’s Rights

The person who is pertained on a personal data is called personal data subject as per Art. 1 number 6 PDP Law. Personal data subject is subjected to rights which stipulated on Art. 5 until Art. 13 PDP Law. In summary, they have the rights to information transparency, data accuracy updates, access and copies of their data, deletion requests, consent withdrawal, objection to automated decisions, and data processing restrictions. Moreover, they can seek compensation for violations, transfer data securely to other controllers, and ensure compliance with data protection principles. Each stakeholder who conducts activity relating or using personal data must ensure the fulfilment of those rights.

Personal Data Controller and Personal Data Processor

On PDP Law, there are what is called Personal Data Controller and Personal Data Processor. Personal Data Controller refers to any individual, public body, or international organization that independently or jointly determines the purposes and controls the processing of Personal Data. On the other hand, Personal Data Processor refers to any individual, public body, or international organization that independently or jointly processes Personal Data on behalf of the Personal Data Controller. To put it simply, the roles of Personal Data Controller and Personal Data Processor are distinct but interconnected. The Controller has authority over how personal data is used and processed, while the Processor handles the data according to the Controller's instructions.

Data Protection Officer under Indonesian PDP Law

Due to concerns about the protection of personal data and to ensure personal data subject rights are respected, as per Art. 53 par. 1 PDP Law, Personal Data Controllers and Personal Data Processors are required to appoint an official or officer who performs Personal Data Protection functions in accordance with the PDP Law. The Personal Data Protection Officer is appointed based on professionalism, knowledge of the law, Personal Data Protection practices, and ability to perform his/her duties.

The Personal Data Protection function includes processing Personal Data for the purpose of public services. In addition, they also carry out core activities as Personal Data Controllers which require regular and systematic monitoring of Personal Data on a large scale. They are also responsible for large-scale processing of Personal Data for Personal Data that is specific and/or related to criminal offenses.

The Function of Data Protection Officer

To perform their functions, Officers or personnel who carry out the Personal Data Protection function have several main tasks. First, they inform and advise Personal Data Controllers or Personal Data Processors to comply with the provisions of this Law. The advice provided includes the implementation of adequate security measures to protect Personal Data, the development and implementation of appropriate privacy policies, notification of the rights of personal data subjects, as well as the procedures to be followed in the case of a data breach. In addition, they also provide recommendations on best practices in data management, including anonymization and encryption, and ensuring that data processing is conducted with a clear and legitimate legal basis.

Secondly, they monitor and ensure compliance with this Law and the policies of the Personal Data Controller or Personal Data Processor. For example, they check and ensure that all processes of collecting, storing, processing, and deleting Personal Data are conducted in accordance with the applicable provisions. They also verify that the rights of data subjects, such as the right to access, correct and delete personal data, are respected and fulfilled. In addition, they monitor compliance with the obligation to report data breaches to the competent authority and the data subject within the prescribed time.

Thirdly, they advise on Personal Data Protection impact assessments and monitor the performance of Personal Data Controllers and Personal Data Processors. They ensure that data protection impact assessments are conducted regularly and that effective mechanisms are in place to handle complaints and incidents related to personal data.

Lastly, they coordinate and act as a contact person for issues relating to the processing of Personal Data. In performing these duties, the officer or officers performing the Personal Data Protection function must pay attention to the risks associated with the processing of Personal Data by considering the nature, scope, context and purpose of the processing.

This article is intended for general informational purposes only and does not constitute legal advice. For legal assistance or inquiries specific to your situation, please contact us at info@adplaws.com.