UU No. 27/2022 Personal Data Protection – Comprehensive Study Notes

Training Overview

  • Program Name: Veda Praxis – Awareness Training on Indonesian Personal Data Protection Law (UU No. 27/2022)
  • Audience / Client: ALVA Group employees
  • Date: 30 July 2025
  • Medium: Hybrid session with QR-code–based pre- & post-tests, slide deck, Q&A
Detailed Rundown
  • 10:00–10:05 • Welcome Speech – HC ALVA
  • 10:05–10:15 • Opening Speech – Board of Directors / Pak Budi
  • 10:15–10:25 • Pre-Test (online) – all participants
  • 10:25–11:25 • Lecture: “Introduction to Personal Data Protection (PDP) Law” – Veda Praxis
  • 11:25–11:40 • Q & A
  • 11:40–11:50 • Post-Test (online)
  • 11:50–12:00 • Closing – HC ALVA

Speaker Profile – Humaira Dinda Mulyadi (Aira)

  • Academic background
    • Master of Accounting (2023, Universitas Pancasila)
    • Bachelor of Economy – Accounting (2021, Universitas Negeri Semarang)
  • Current Role: Senior Consultant, Reanda Bernardi (2024–present)
  • Previous Roles:
    • Senior Auditor, Grant Thornton Indonesia (2023–2024)
    • Auditor, multiple assignments (2022–2023)
  • Core Expertise
    • Data privacy & PDP compliance
    • Financial audits & ICOFR
    • Risk management, fraud investigation, independent review
  • Industry Exposure: Manufacturing, banking, securities, trading, consulting, remittance, telecom, logistics, hospitality

Foundational Concepts

1. Definition of Personal Data (Pasal 1 UU PDP)
  • “Data about an individual who is identified or can be identified directly or indirectly, alone or in combination with other information, through electronic or non-electronic systems.”
  • Two legal categories:
    • General Data: name, gender, nationality, birth date, religion, marital status, etc.
    • Specific Data: biometrics, health/genetic info, financials, criminal records, data on children, personal history, etc.
2. Personal Data Processing Lifecycle (Pasal 16 (1))
  • a. Acquisition & collection
  • b. Processing & analysis
  • c. Storage
  • d. Correction & updating
  • e. Display, disclosure, transfer, dissemination
  • f. Deletion & destruction
3. Protection vs. Privacy Context
  • “Pelindungan” (protection) defined as a process/effort to safeguard data (KBBI reference).
  • Personal-data protection = recognition of fundamental human rights (quoted policy statement).

Why Implementation Matters (Business & Societal Drivers)

  1. Customer Trust
    • ALVA stores identity, contact, vehicle, financial, location & IoT-generated data; leaks destroy brand credibility.
  2. Regulatory Compliance
    • UU No. 27/2022 mandates lawful processing; non-compliance → admin fines + criminal liability.
  3. Cyber-Security Risk Mitigation
    • IoT & MyALVA app enlarge attack surface (phishing, ransomware, data manipulation).
  4. Competitive Advantage & Brand Image
    • Strong privacy posture attracts investors, facilitates global market entry.
  5. Digital-Ecosystem Safety
    • Supply-chain interdependence (payments, GPS, workshops); a single weak node compromises the whole network.
  6. Digital-Transformation Readiness
    • Secure IT, data-governance protocols, employee awareness, & incident-response capabilities are pre-requisites.

Illustrative Breaches & Legal Consequences

Global Cases (Pasal 39 analog)
  • Didi Global 2019: >57 M users exposed; $1.2 B fine – illegal collection, weak safeguards.
  • Facebook/Cambridge Analytica 2018: unauthorized third-party harvesting; $5 B fine.
  • Instagram 2020: children <16 processed w/o parental consent; $444 M fine (GDPR).
  • Equifax 2019: 147 M US clients; $700 M settlement.
  • Amazon 2021: 37 M EU customers; $886 M GDPR fine.
Indonesian Cases
  • Tokopedia 2020: 91 M user + 7 M merchant records; class-action Rp 100 B.
  • BRI Life 2021: 2 M policyholders; 250 GB sold for $7,000.
  • MyPertamina 2022: 44.2 M users incl. NIK, NPWP, etc.
  • BSI 2023: 1.5 TB ransom dump (15 M credentials).
Micro-Examples (Media Stories)
  • Content-creator “DA” health data leaked by insurance staff via WhatsApp status; public shaming demonstrates unauthorized disclosure.
  • Job-applicant scam (27 candidates, Rp 1.1 B pinjol loans) underscores identity theft after data harvesting.

Legal Framework – UU No. 27/2022 Core Provisions

1. Scope (Pasal 2)
  • Applies to:
    • Every Person
    • Public Bodies
    • International Organizations
  • Geographic reach: onshore Indonesia and offshore processing that impacts Indonesian territory or Indonesian subjects abroad.
  • Transition clause (Pasal 74): 2-year grace period from promulgation → deadline 17 Oct 2024.
2. Six Lawful Bases for Processing (Pasal 20)
  1. Consent (explicit, purpose-bound)
  2. Contract / Agreement fulfilment
  3. Legal obligation
  4. Vital interest
  5. Public task
  6. Legitimate interest
3. Consent Rules (Pasal 21–26)
  • Must convey: legality, purpose, data types, retention periods, collection details, processing duration, subject rights.
  • Form: written or recorded; electronic or non-electronic; separate from T&C; no pre-ticked boxes; plain language.
  • Special categories:
    • Children: parental / guardian approval
    • Persons with disabilities: adapted communication & consent
  • Withdrawal mechanism: easy opt-out; documented & reviewable.
4. Data-Subject Rights (Pasal 5–14)
  • To be informed, access, rectify, erase, and seek legal remedy.
  • Exceptions (Pasal 15): defense & security, law-enforcement, public interest, financial-system oversight, statistics & research.
  • Operational flow: registered request → verification → fulfilment or lawful refusal.
5. Controllers, Processors & Joint Controllers (Pasal 17–19 & RPP)
  • Controller: decides purpose & means; ensures consent, security, DPO, risk-management, incident response, ROPA, DPIA.
  • Processor: acts on behalf; follows controller’s instructions; cannot sub-process without written approval; shares certain duties (security, records).
  • Joint Controller: ≥ 2 controllers sharing purpose/control; require inter-party agreement (legal basis, roles, contact points).
  • Mandatory contract clauses with processors (RPP Pasal 137): audit rights, same PDP standards, sub-processing consent, return/erase upon termination, mutual notification of security-policy changes, incident-response obligations, Indonesian language.
6. Data Protection Officer (DPO / PPDP) (Pasal 53–54)
  • Appointment triggers:
    a. Public-service processing
    b. Large-scale, regular & systematic monitoring
    c. Large-scale processing of specific or criminal-related data
  • Competencies: professionalism, legal & PDP knowledge, ability to perform duties.
  • Duties (compared with ISO 27701 6.3.1.1): inform/advise, monitor compliance, liaison with regulator, privacy impact assessment guidance, PII-processing issue management.
7. Record of Processing Activities (ROPA) – Pasal 31 & RPP Pasal 87
  • Mandatory elements: controller/processor IDs, DPO contacts, data sources, purposes, data types, subjects, legal bases, recipients, retention, security measures, data-flow mapping, rights-fulfilment process.
  • Must be written (electronic or paper), maintained & provided upon PDP Authority request.
8. Data Protection Impact Assessment (DPIA / PD PDP) – Pasal 34
  • Applies to high-risk processing: automated decisions, specific data, large scale, systematic monitoring/scoring, data matching, new tech, rights restriction.
  • Components: processing description, purpose, necessity & proportionality evaluation, risk analysis (financial, reputational, legal, operational, compliance), mitigation measures.
9. Incident Response (Pasal 46–47 & Slides)
  • Definition of failure: breach of confidentiality, integrity, or availability (destruction, loss, alteration, disclosure, unauthorized access).
  • Categories & examples:
    • Data corruption, hardware failure, loss of backup, stolen laptop, unauthorized modification, exposure via mis-mail, credential compromise.
  • Internal escalation chain:
    • Business Process Owner → DPO → Director
  • External notification: written alert to data subjects and PDP Authority within 3×24 hours; public announcement if direct notice impossible.
  • Reporting template requires chronology, data types, impact, containment actions, contact info.
10. Sanctions
  • Administrative (Pasal 57):
    • Written warning
    • Processing suspension
    • Deletion/destruction order
    • Fine up to 2% of annual revenue
  • Criminal (selected articles):
    • Illegal collection/use causing harm: up to 5 yrs prison + Rp 5 B fine
    • Unauthorized disclosure: up to 4 yrs + Rp 4 B
    • Data falsification: up to 6 yrs + Rp 6 B

Practical Implementation Framework

Porter Value-Chain Mapping – Personal-Data Touchpoints
  • Primary Activities
    • Inbound Logistics: supplier contacts, biometrics for facility access, driver IDs
    • Operations: employee records, CCTV, IoT telemetry, quality logs
    • Outbound Logistics: recipient names/addresses, vehicle GPS
    • Marketing & Sales: customer KYC (KTP, NPWP), social-media cookies, call recordings
    • Service: maintenance history, complaint tickets, service-center CCTV
  • Support Activities
    • Firm Infrastructure: board data, shareholder & strategy files
    • HR Management: CVs, psychometrics, family coverage
    • Technology: system-user logs, R&D test data
    • Procurement: vendor contracts, bank accounts, due-diligence docs
Governance–Process–Technology (PDCA) Strategy

PLAN – Data discovery, policy gap review, ROPA/DPIA scope.
DO – Deploy DPO, awareness training, contract/legal reviews, tech selection (encryption, IAM, monitoring).
CHECK – Internal audit, KPI, ROPA/DPIA periodic review.
ACT – Continuous improvement, incident-response drills, policy updates.

Stakeholders & Roles
  • Board/CEO: vision, budget, ultimate accountability.
  • DPO/PPDP: day-to-day compliance, authority liaison.
  • Monitoring Functions: compliance, risk, internal audit, IT security.
  • Operations & Staff: implement controls, report incidents, uphold awareness.

Consent-Management & Notice Best Practice

  • Separate consent screen; explicit opt-in; clear opt-out path; list organization & third parties.
  • Keep auditable logs: what was said, when, how collected, and current status.
  • Periodically re-confirm legacy consents.
  • Sample implementations:
    • SMS flow with secure links, number verification, “Saya Setuju / Tidak Setuju” buttons.
    • In-app UI offering granular channel preferences (Email, SMS, Telepon, Chat) and instant revocation.
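An added example, not part of the training material, sketching in Python how such a consent record can be kept: every grant or withdrawal is logged with when and how it was collected and which notice version the subject saw, the current status is derived per channel (Email, SMS, Telepon, Chat), active grants older than a chosen age are flagged for re-confirmation, and a notice is checked against the seven mandatory items. The ConsentLedger helper, the 365-day re-confirmation window and the sample subject S1 are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Seven items a consent notice must convey (Pasal 21, as listed in the notes)
REQUIRED_NOTICE_ITEMS = {"legality", "purpose", "data_types", "retention",
                         "collection_details", "processing_duration", "subject_rights"}
CHANNELS = {"Email", "SMS", "Telepon", "Chat"}  # granular channel preferences

# One logged decision: when, grant/withdraw, channel, how collected, notice version seen
ConsentEvent = namedtuple("ConsentEvent", "ts action channel method notice_version")

@dataclass
class ConsentLedger:  # append-only consent log per data subject (hypothetical helper)
    events: dict = field(default_factory=dict)  # subject_id -> [ConsentEvent]

    def record(self, subject_id, action, channel, method, notice_version, ts):
        if action not in ("grant", "withdraw") or channel not in CHANNELS:
            raise ValueError("unknown action or channel")
        self.events.setdefault(subject_id, []).append(
            ConsentEvent(ts, action, channel, method, notice_version))

    def _latest_per_channel(self, subject_id):
        latest = {}  # later events override earlier ones for the same channel
        for e in sorted(self.events.get(subject_id, []), key=lambda e: e.ts):
            latest[e.channel] = e
        return latest

    def current_status(self, subject_id):  # channel -> True if the latest decision is a grant
        return {c: e.action == "grant"
                for c, e in self._latest_per_channel(subject_id).items()}

    def needs_reconfirmation(self, subject_id, now, max_age=timedelta(days=365)):
        # channels whose active grant is older than max_age (365-day window is assumed)
        return sorted(c for c, e in self._latest_per_channel(subject_id).items()
                      if e.action == "grant" and now - e.ts > max_age)

def missing_notice_items(notice):  # mandatory items absent or left empty in a notice
    return REQUIRED_NOTICE_ITEMS - {k for k, v in notice.items() if v}

def sample_results():
    """Constructed sample: S1 grants Email and SMS, then withdraws SMS a month later."""
    ledger, t0 = ConsentLedger(), datetime(2024, 1, 10, tzinfo=timezone.utc)
    ledger.record("S1", "grant", "Email", "in-app", "v1", t0)
    ledger.record("S1", "grant", "SMS", "sms-link", "v1", t0)
    ledger.record("S1", "withdraw", "SMS", "in-app", "v1", t0 + timedelta(days=30))
    return (ledger.current_status("S1"),
            ledger.needs_reconfirmation("S1", t0 + timedelta(days=400)),
            missing_notice_items({"purpose": "service updates", "retention": ""}))
```

Because the log is append-only, a withdrawal never erases the earlier grant, so the ledger can show what was agreed, when, and how it was collected at any later audit.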

Forms & Templates (Slides 23–26)

  • Candidate-employee consent form: covers 7 mandatory info items (legality, purpose, data list & relevance, retention, info details, processing duration, subject rights).
  • Under-18 internship consent: includes guardian identity, child data list, transition of authority when child reaches 18 yrs (Pasal 150 UU 1/2023 replacement).

General Do’s & Don’ts Cheat-Sheet

  • Collect only for specific lawful purposes; prohibit scooping data w/o basis.
  • Store in encrypted systems; avoid personal USB/HDD.
  • Process within original scope; no personal re-use.
  • Transfer via secure, masked, or encrypted channels; require agreements.
  • Delete data once purpose/retention ends; don’t hoard.

Examination Components

  • Pre-Test: https://intip.in/PreTestALVA
  • Post-Test: https://intip.in/POSTTESTALVA

Further Resources

  • Veda Praxis Handbook series: http://vedapraxis.com/handbook
  • Contact emails:
    • helmi.saputra@vedapraxis.com
    • humaira.dinda@vedapraxis.com
    • habieb.ridwan@vedapraxis.com

Key Take-Aways & Ethical Note

  • Personal-data protection is a human-rights mandate, not merely IT hygiene.
  • Compliance yields tangible business value: consumer trust, international market access, and risk reduction.
  • Ethical processing underpins societal trust in emerging tech ecosystems (electric mobility, IoT, AI).
  • Organizations must embed accountability & transparency—from board strategy down to daily operations—ensuring privacy-by-design & by-default.