Indonesia: Entry into force with grace period Personal Data Protection Bill outlining data subject rights

On 17 October 2022, the Personal Data Protection (PDP) Bill entered into force, with a grace period of two years on compliance. The Bill defines personal data and differentiates between “specific personal data” and “personal data of a general nature”. In particular, the Bill outlines additional protections for “specific personal data”, which includes biometric, genetic, criminal, economic and children’s data. Furthermore, it outlines the user’s rights, including the right to access and delete data, to withdraw the approval for data processing and to be informed about data processing. Finally, the Bill states that entities must obtain consent from users to collect their data. In case of non-compliance, responsible individuals and entities face five years of imprisonment and a fine of up to IRP 5 billion.