Legal Insights

Avoid Sanctions by knowing the Differences between Controller and Processor

Data Protection Law

Based on the purpose of personal data processing, Law No. 27 of Year 2022 on Personal Data Protection (PDP Law) introduces two different terms of processing activities, namely Personal Data Controller and Personal Data Processor. Each term describes different responsibilities, liabilities, and requirements. Therefore, companies must be properly informed of the terms to avoid misuse.  

As defined by Article 1 Paragraph (4) of the PDP Law, the personal data controller is any party that acts individually or jointly in determining purposes and exercising control over the processing of personal data. Meanwhile, Article 1 Paragraph (5) of the PDP Law defines the personal data processor as any party that acts individually or jointly in personal data processing on behalf of a personal data controller. Both personal data controller and personal data processor can be any public agency, person (individual or legal entity), or international organization. 

Obligations of Personal Data Controller 

The personal data controller is obliged to have at least a basis for the processing of personal data. These bases, as defined by Article 20 Paragraph (2), shall include:   

1. the explicit valid consent from the personal data subject for one or several specific purposes that has been submitted by the personal data controller to the personal data subject 

2. The fulfilment of the legal obligations of the Personal Data Controller in accordance with provisions of laws and regulations 

3. Fulfilment of the protection of vital interests of the Personal Data Subject 

4. Carrying out duties in the context of public interest, public services, or exercising the authority of the Personal Data Controller based on laws and regulations; and/or 

5. The fulfilment of other legitimate interests by taking into account the purposes, needs, and balance of interests of the Personal Data Controller and the rights of the Personal Data Subject 

Moreover, the personal data controller must record all Personal Data processing activities. There is no template required for the recording of Personal Data processing activities. Each party can determine the template based on its own processing activities and needs. However, the record shall demonstrate the potential risk of the processing activity. 

Obligations of Personal Data Processor 

As stipulated by Article 51 of the PDP Law, if the personal data controller appoints a personal data processor, the personal data processor must process personal data based on the personal data controller’s instructions and must further carry out the processing in accordance with the provisions of the PDP Law.  

The processing of personal data is ultimately the personal data controller’s responsibility. The personal data processor may involve other personal data processors. However, the personal data processor must obtain written consent from the personal data controller before involving other parties. If the Personal Data Processor performs the Personal Data processing outside of the orders and purposes set by the Personal Data Controller, the personal data processing shall be the responsibility of the Personal Data Processor  

Sanctions of PDP Law Violations 

The PDP Law introduces two types of sanctions, administrative and criminal sanctions.  

As stipulated by Article 57 paragraph (2) of the PDP Law, administrative Sanctions can be; (i)  written warning; (ii) temporary suspension of personal data processing activities; (iii) erasure or removal of personal data, or; (iv) administrative fines of up to 2% of the annual income or annual revenue.  

Meanwhile, criminal sanctions of up to 6 years of imprisonment and a fine of 6 billion Rupiah apply to; (i) data collection for unauthorized commercial purposes; (ii) unauthorized disclosure of data, and; (iii) unauthorized use of data. 

To avoid sanctions, companies should identify carefully and clearly whether they are considered as the personal data controller or the personal data processor and should comply with the obligations as mandated by the PDP Law.