Frequently asked questions about Indonesia Personal Data Protection Laws
What are the laws for personal data protection in Indonesia?
Currently, the laws, regulations and regulatory requirements related to personal data protection in Indonesia are as follows:
● Law No. 27 of 2022 concerning Personal Data Protection (PDP Law): This law was submitted to the Indonesian Parliament in 2020, which promulgated the law on October 17, 2022. The provisions of this law are based on the GDPR and introduce some concepts stipulated in the GDPR (e.g., the concepts of data controllers and data processors, and the classification of general and specific personal data). As a special regulation for the protection of personal data in Indonesia, the PDP Law has changed the fragmented situation of the country's previous personal data protection regulations and made them more systematic. According to the PDP Law, after the law takes effect, all laws and regulations related to personal data protection in Indonesia shall remain valid provided they do not conflict with the provisions of the PDP Law.
● Law No. 11 of 2008 regarding Electronic Information and Transactions (EIT): This law was issued in 2008, and was later amended in 2016. It establishes requirements for electronic information, records, signatures, the provision of electronic systems and electronic certifications, electronic transactions, domains, intellectual properties, privacy protection rights, etc.
● Government Regulation No.71 of 2019 (GR71/2019): This regulation was issued in October 2019, and amended Government Regulation No.82 of 2012 Concerning Electronic System and Transaction Operation. It sets requirements on electronic system operation, electronic agencies, electronic transaction operation, electronic certification operation, reliability certification institutions, domain management, etc.
● Minister of Communications & Informatics Regulation No.20 of 2016 regarding the Protection of Personal Data in an Electronic System (MOCI 20/2016): This regulation was issued in December 2016. As the implementation method of personal data protection requirements in EIT, it establishes requirements on the obtainment and collection, processing and analysis, storage, disclosure of personal data, personal data owners' rights, electronic system operators' obligations, etc.
What roles and obligations are defined in Indonesia's personal data protection laws?
The PDP Law defines the roles of personal data subject, personal data controller, and personal data processor.
● The personal data subject is entitled to confidentiality of their personal data, filing complaints in the context of personal data dispute resolution with respect to failure in the protection of their personal data, updating or correcting, having access to and deleting their personal data, the right to withdraw consent, etc.
● The personal data processor's basic obligations include processing personal data in accordance with the instructions of the personal data controller, maintaining the accuracy, completeness and consistency of personal data, documenting personal data processing activities, and maintaining the security and confidentiality of personal data to prevent unauthorized processing and unauthorized access.
● The basic obligations of the personal data controller are more extensive than those of the data processor, including: personal data collection, personal data processing, protection of personal data subjects' rights, data retention, notice of personal data breaches, data protection impact assessment, data security, records of processing activities, providing a DPO, and cross-border transfer of data.
There are three roles defined in EIT, MOCI 20/2016 and GR71/2019: personal data owner, electronic system user, and electronic system operator.
● The personal data owner is the owner of personal data and is entitled to confidentiality of their personal data, filing complaints in the context of personal data dispute resolution with respect to failure in the protection of their personal data, updating or correcting, having access to and deleting their personal data, the right to withdraw the consent, etc.
● Electronic system users' basic obligations include maintaining the confidentiality of the personal data acquired, collected, processed and analyzed by them, using personal data only in accordance with their needs, protecting personal data along with documents containing personal data from the act of misuse, and being responsible for personal data in their control.
● Electronic system operators' basic obligations cover the obligations of electronic system users, which include: personal data collection, personal data processing, protection of the rights of personal data owners, data retention, personal data breach notification, certification, processing activity recording, providing a contact person, data localization, and cross-border data transfer.
For further details, see Huawei Cloud Compliance with Indonesia Privacy Protection Regulations.
What is the role of Huawei Cloud under Indonesia’s personal data protection regulations?
Personal data processed by Huawei Cloud mainly includes customers' content data and personal data provided by customers when performing operations on the Huawei Cloud platform, including but not limited to registering, purchasing services, real-name authentication and service support. As customers have full control over their content data, when customers decide to use Huawei Cloud services or applications to process personal data included in content data, Huawei Cloud is generally regarded as the personal data processor defined in the PDP Law. Huawei Cloud acts as the personal data controller defined in the PDP Law when Huawei Cloud collects personal data from customers for the setup or management of their Huawei Cloud accounts.
In addition, based on the characteristics of Huawei Cloud's business, Huawei Cloud provides facilities or services based on customers' needs. For activities subject to EIT, MOCI 20/2016 and GR71/2019, in most cases, Huawei Cloud is the electronic system operator, and the customer is the electronic system user. Huawei Cloud undertakes the obligations of electronic system operators, collects, processes, and stores personal data in compliance with legal requirements, and responds to personal data subjects' rights requests. When customers use Huawei Cloud services to provide services subject to EIT, MOCI 20/2016 and GR71/2019 to other electronic system users, Huawei Cloud will help customers fulfill the corresponding obligations.
How does Huawei Cloud comply with Indonesia’s personal data protection regulations?
Based on the characteristics of Huawei Cloud's business and the requirements of Indonesian law, Huawei Cloud, as a legal entity that processes personal data, assumes different roles in different scenarios and actively responds to and fulfills its obligations. Huawei Cloud has conducted in-depth analyses of the obligations of different roles and listed the specific requirements of each applicable obligation and the corresponding measures. For more details, see Huawei Cloud Compliance with Indonesia Privacy Protection Regulations.
How can Huawei Cloud help me comply with Indonesia’s personal data protection regulations?
When you use Huawei Cloud services to carry out activities within the jurisdiction of Indonesian privacy laws and regulations, you may also fall into this jurisdiction. If you are in the jurisdiction of Indonesian privacy laws and regulations, you are to assume the privacy protection responsibilities required by them. Huawei Cloud describes your privacy protection responsibilities and the corresponding service support that Huawei Cloud can provide for you based on the basic obligations of roles specified in laws and regulations.
In addition, Huawei Cloud provides you with cloud products or services that can help you comply with Indonesian privacy laws and regulations. The products and services include network products, database products, security products, and management and deployment tools. They provide functions such as data protection, data deletion, network isolation, and permission management to help you protect content data privacy. For details about specific products or services as well as the core requirements of Indonesia’s privacy laws and regulations, see Huawei Cloud Compliance with Indonesia Privacy Protection Regulations.