Newswire

For Further Information Contact:

indonesialabor@transatlanticlaw.com

Employee Data Privacy in Indonesia

There is no law or regulation in Indonesia that specifically regulates the collection, use or handling of an applicant’s personal data, including protection of the privacy of an employee’s particulars. The Indonesian Minister of Communication and Informatics (MOCI) relatively recently issued MOCI Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (MOCI Reg 20), which stipulates the protections afforded to personal data stored in an electronic system. 

While there is no regulation that stipulates the protection of non-electronic personal data, generally, everybody has a general right to privacy under the Indonesian Human Rights Law.

Retaining Personal Data of Employees

Manpower laws and regulations do not expressly deal with employee data privacy. In light of such paucity, reference shall be made to MOCI Reg 20 as well as Law No. 8 of 1997 regarding Corporate Documents (Law No. 8).

Personal data stored electronically must be stored for at least five years unless otherwise regulated (Article 15 paragraph (3) of MOCI Reg 20). The five-year period commences on the date a party ceases to be a user of an electronic system. After the five-year period has elapsed, the personal data may be erased unless the data is still used or utilized in line with the initial purpose of its obtainment and collection.

Separately, to the extent that the employee’s personal data is not encrypted in an electronic system, reference shall be made to Law No. 8 as the primary regulation on maintaining corporate documents. Articles 3 and 4 of Law No. 8 differentiate between (i) financial documents and (ii) other documents. 

Financial documents consist of records, bookkeeping documentation, and financial administration supporting data, which evidence the rights, obligations, financial affairs, and business activities of a company. “Other documents” consist of data or any writings containing information having effective value for a company even though not directly related to financial documents.

Article 4 of Law No. 8 mentions that other documents include minutes of general meetings of shareholders, a company’s deed of establishment, other authentic deeds containing specific legal interests and a company’s taxpayer registration number. 

We note that “employee personal data” is not expressly mentioned as an example of “other documents” in the elucidation. However, it is prudent to treat employee personal data as “other documents” and to apply the related rules as follows.

According to Article 11 paragraph (3) of Law No. 8, the retention term of other documents (i.e., employee files) shall be based on the usage value of such documents. The term shall be determined at the discretion of the Board of Directors.

We note that according to Article 96 of Law No. 13 of 2003 regarding Manpower, there is a two-year limitation period for employee claims. We therefore recommend that physical, non-encrypted employee personal data be retained for at least two years after termination of employment.

Offshore Transfer of the Personal Data of Employees

Under Article 22 of MOCI Reg 20, a party domiciled in Indonesia that wishes to effect the offshore transfer of personal data must coordinate with the MOCI or an authorized official/institution, which encompasses (i) reporting the planned data transfer, including at least information on the receiving state, the receiver, the date of transfer, and the purpose of such offshore transfer, (ii) requesting advocacy, if necessary, and (iii) reporting the result of the data transfer, and it must implement the regulatory provisions on offshore data transfers.

It should be noted that, as of the date of this writing, the enforcement of these requirements is unclear. No implementing regulations have been issued to clarify the requirements on coordination with the MOCI, nor is there any existing regulation that specifically regulates offshore data transfers. Under existing regulations, the only applicable regulatory provision for offshore data transfers – or any data transfer, in fact – would be the general requirement to obtain the consent of the data owner for such offshore data transfer.

Notwithstanding the above, we recommend that the employer’s right to perform offshore data transfers be clearly stipulated in the Company Regulation.

Transferring the Personal Data of Employees to Third Parties

There is no legal restriction on transferring an employee’s personal data to a third party as long as the consent of the employee is obtained by the employer. We recommend that the employer’s right to transfer employees’ personal data to a third party be stipulated in the Company Regulation.

 By SSEK, APAC, a Transatlantic Law International Affiliated Firm. 

For more information on this topic, please contact Fahrul S. Yusuf at indonesialabor@transatlanticlaw.com.

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.