When a multinational tech company in Jakarta discovered that an HR officer had shared employee medical records over unsecured email, it triggered both panic and a compliance review. What seemed like a minor slip soon became a legal risk under Indonesia’s new Personal Data Protection Law (PDP Law – Law No. 27 of 2022).

Legal Framework

The PDP Law establishes comprehensive rules for the collection, processing, storage, and transfer of personal data, including HR-related information such as ID numbers, payroll details, medical histories, and performance records.
Key employer obligations include:

• Obtaining explicit consent for data processing,
• Limiting data collection to relevant purposes,
• Ensuring secure storage and access controls,
• Reporting data breaches to the Ministry of Communication and Information (Kominfo).
  

Violations may result in administrative fines, compensation claims, and even criminal sanctions.

Real Case Example

In 2023, an Indonesian e-commerce firm faced public backlash after leaked internal documents revealed salary and disciplinary records of employees. Kominfo launched an investigation, reminding all employers that employee data is equally protected as consumer data under the PDP Law.

Best Practices for Foreign Employers

• Review HR Systems: Ensure payroll and HRIS software meet security standards.
• Employee Consent Forms: Update employment contracts and HR policies to include PDP-compliant consent clauses.
• Training & Awareness: Educate HR staff on handling sensitive data.
• Data Retention Policy: Define how long employee data is stored and when it must be deleted.
• Cross-Border Transfers: For multinational employers, ensure transfers of employee data abroad comply with PDP rules.

Conclusion

Employee data in Indonesia is no longer a simple administrative matter—it is a regulated asset. By aligning HR practices with the PDP Law, employers not only avoid penalties but also build trust with their workforce.

References

1. Law No. 27 of 2022 on Personal Data Protection (PDP Law).
2. Ministry of Communication and Information Technology (Kominfo) – https://www.kominfo.go.id.
3. ILO Jakarta – Data Protection and Privacy in Employment Contexts.
4. PwC Indonesia – Client Alert on PDP Law Compliance.