Part 2 - Understanding Personal Data Controller: Securing the Individual Privacy
By Even Alex Chandra & Inka Aita Putri / 27 July 2023

Gain a preliminary understanding of personal data processing based on the PDP Law, including the roles of Personal Data Controller, Personal Data Processor, and the fundamentals of processing personal data to safeguard the security and privacy of personal data.
Key Points
- In addition to providing a clear regulatory framework regarding personal data subjects, the PDP Law also regulates the roles and responsibilities of the Personal Data Controller and the Personal Data Processor.
- Personal Data Controller plays a central role in determining the purposes and controlling the processing of personal data, as well as ensuring compliance with applicable laws.
- There are several bases for processing personal data, such as explicit consent, fulfillment of contractual obligations, compliance with legal obligations, protection of vital interests, performance of tasks in the public interest, and other legitimate interests.
- Personal Data Controller is responsible for providing clear and detailed explanations to personal data subjects regarding the processing of personal data, the retention period, the rights of personal data subjects, and implementing appropriate security measures to protect the processed personal data.
- Personal Data Processor should process data according to the instructions of the personal data controller, carried out in accordance with the provisions of the PDP Law.
Background
The processing of personal data has become common among various entities such as companies, organizations, and government agencies. To address these risks and protect individuals’ privacy rights, the Indonesian Government has enacted Law No. 27 of 2022 on Personal Data Protection (“PDP Law”).
In addition to providing an understanding of the personal data subjects, PDP Law also aims to govern how personal data is obtained, collected, processed, analyzed, stored, corrected, updated, used, shared, deleted, and destroyed by the personal data controller.
Responsibility of Personal Data Controller
A Personal Data Controller is an entity, whether an individual, public agency, or international organization, that is responsible for and has control over the processing of personal data. Personal Data Controllers carry out their tasks on a basis of personal data processing, such as:
- Personal Data Controller may process personal data based on explicit and valid consent (either recorded electronically or non-electronically) from the personal data subject.
- If the personal data subject is a party to an agreement or if processing is necessary to fulfill the personal data subject's request related to the performance of the agreement, Personal Data Controller may process personal data based on the contractual obligations.
- Personal Data Controller may process personal data to fulfill legal obligations as regulated in the applicable laws and regulations.
- Personal Data Controller may process personal data to protect the vital interests of the personal data subject.
- Personal data processing can also be carried out in the performance of tasks related to public interests, public services, or the exercise of authority vested in the Personal Data Controller based on the laws and regulations.
- Personal Data Controller may process personal data based on other legitimate interests, considering the purposes, needs, and balance between the interests of the Personal Data Controller and the rights of the personal data subjects.
The basis of processing must consider legitimate interests and respect the rights of the personal data subjects. If consent does not meet the requirements, it is considered legally void.
With a valid basis of personal data processing, Personal Data Controller can carry out the processing with legal certainty and maintain a balance between the protection of personal data and the interests of the Personal Data Controller. This is essential to ensure that the processing of personal data is done in good faith and in accordance with the principles of personal data protection.
The Obligations of Personal Data Controller
Personal Data Controller has an obligation to provide clear and transparent information and ensure that the personal data subjects are aware of the legality of the processing of their personal data, the purposes of such processing, as well as the types and relevance of the personal data to be processed.
Furthermore, the Personal Data Controller must also inform personal data subjects about the retention period of documents containing personal data, provide details about the information requested by the personal data subjects, and convey information about the duration of personal data processing and the rights held by the personal data subjects. In addition, the Personal Data Controller is required to protect and secure the confidentiality of personal data from misuse and to assess the impact of processing personal data that may have a high-risk potential.
The Role of Personal Data Processor
A Personal Data Processor is any individual, public agency, or international organization that processes personal data on behalf of a Personal Data Controller. Personal Data Processors are obliged to process personal data according to the instructions of the personal data controller, carried out in accordance with the provisions of the PDP Law, and if other Personal Data Processors are involved, they must obtain written consent from the personal data controller.
Personal Data Processor also has a responsibility to protect the personal data and not process data beyond the instructions or purposes of the personal data controller.
Conclusion
Personal Data Controller and Personal Data Processor play significant roles and have responsibilities in safeguarding and respecting the rights of personal data subjects. When carrying out the processing of personal data, they are expected to act in good faith, with transparency, and in accordance with the principles of personal data protection.
Personal data subjects also need to be cautious when giving consent for the processing of personal data and ensure that consent is given with clear understanding. Furthermore, personal data subjects must always be wise in sharing personal information, especially in the digital environment that is vulnerable to security threats.