The Association of Indonesian Law Student Writers (IPMHI) is holding a webinar, “Challenges of Implementing the PDP Law as a New Era in Personal Data Management in Indonesia,” in commemoration of IPMHI’s birthday on Wednesday (11/1/2023). One of the speakers in the webinar was a cyber law expert at the Faculty of Law, 51动漫 (FH UNAIR), Masitoh Indriani, S.H., LL.M.
Masitoh explained material regarding the “PDP Law: Getting to Know the PDP Principles & Subjects of Personal Data”. He introduced the terms in the PDP Law (Personal Data Protection Act), including Personal Data Subject, Personal Data Controller, Personal Data Processor, Data Protection Officer (DPO), and Data Protection Authority (DPA).
“Data Controller is any person, public body, and international organization acting, individually or jointly, in determining the purpose and exercising control over the processing of Personal Data. Meanwhile, Personal Data Processors are any person, public agency, and international organization that acts individually or jointly in processing Personal Data on behalf of the Personal Data Controller,” explained Masitoh.
For the processing of Personal Data, said Masitoh, at least six stages start from obtaining and collecting data, processing and analyzing data, storing data, correcting and updating data, announcing or disseminating data, and deleting or destroying data.
Apart from that, Masitoh also explained the rights of Personal Data Subjects, which are regulated in the PDP Law. He said there are a series of rights that have been regulated so that the Data Subjects have complete control over the data, and the processor has an obligation to manage the data of the subjects.
“Data Subjects’ rights are regulated in Article 5 of the PDP Law where Data Subjects have the right to obtain information regarding clarity of identity, basis of legal interest, the purpose of requesting and using Personal Data, and accountability of the party requesting Personal Data. Then, Article 6 of the PDP Law states that Data Subjects also have the right to complete, update and/or correct errors and/or inaccuracies in Personal Data about themselves following the purpose of processing Personal Data,” said the international law lecturer.
Meanwhile, Article 7 of the PDP Law states that Data Subjects also have the right to gain access to and obtain copies of Personal Data about themselves under statutory provisions. Furthermore, Articles 8 and 9 of the PDP Law explain that Data Subjects also have the right to end processing, delete and/or destroy Personal Data about themselves under laws and regulations and have the right to withdraw approval for processing Personal Data about themselves to the controller of Personal Data.
Apart from that, the rights of Data Subjects are also regulated in Article 10 and Article 11 of the PDP Law. Specifically for the rights contained in Article 10 paragraph (1) of the PDP Law, namely the right to submit objections to decision-making actions based solely on automatic data processing, including profiling, what is meant by profiling is the activity of identifying a person, including but not limited to work history, economic conditions, health, personal preferences, interests, reliability, conduct, location or electronic movement of Data Subjects.
“For the exercise of rights in Article 6 to Article 11 of the PDP Law, it can be submitted through a registered application submitted electronically and non-electronically to the data controller. In essence, the existence of the PDP Law has created developments in the world of IT as well as the potential for new professions and the formation of new institutions. The regulation regarding the rights of Data Subjects illustrates the guarantee of the right to privacy, great control of the Data Subjects, and obligations for data controllers and data processors,” concluded Masitoh.
