Hello Privasimu buddies.

Leakage of the personal data of a company is generally carried out by external parties or rivals of the company. However, what if it's the company's own employees involved? Are there legal consequences in Indonesia? Let's see the article below until the end!

Lately, there has been a resurgence in concerns surrounding personal data leaks and illicit transactions offering leaked personal information. It's crucial to recognize that data breaches may not only result from external attacks but could also involve disclosures from within the organization.

There are instances where a company owner finds it challenging to safeguard all information internally. In certain scenarios, vital company details are leaked by current or former employees. An external audit or verification from relevant authorities becomes essential to substantiate these claims.

The repercussions can be detrimental if the leaked information is sensitive and can potentially harm the company. This raises public concerns and prompts questions about the frequency of such incidents, casting doubt on the effectiveness of law enforcement. Let's explore these complexities further in the article.

Limitation of Company Confidential Data based on Regulation.

Before discussing the legal aspects of personal data leakage, Privasimu buddies. it's good first to understand the limitations of company data we discuss now.

The definition of company secrets is explained in the Explanatory Guidelines for Article 23 of Regulation 5 of 1999 concerning the Prohibition of Monopoly Practices and Unfair Business Competition. According to this guideline, company secrets encompass business information the owner doesn't disclose to anyone except those directly involved in business activities.

Although laws and regulations don't explicitly detail company secrets, they are closely tied to trade secrets. In line with Regulation Number 30 of 2000 concerning Trade Secrets, a trade secret is defined as information not known to the public in technology and/or business, possessing valuable economic worth, and maintained in confidence by the owner.

When it comes to processing personal data, covering acquisition, collection, processing and analysis, storage, correction and update, display, announcement, transfer, dissemination, disclosure, and/or deletion or destruction, it is imperative to adhere to the principles of personal data protection. Moreover, there should be a valid basis for processing personal data.

Legal basis for personal data protection.

Currently, Indonesia boasts specialized laws and regulations dedicated to safeguarding personal data. The existence of the Personal Data Protection Regulation, commonly known as the PDP Regulation, is a welcome development for Indonesians, particularly those engaged in business.

In addition, the emergence of the PDP regulation catalyzes companies to heighten their security measures, particularly in cybersecurity, when handling company data.

Data processing is a process carried out within the company in its operations. Data processing, constituting a crucial aspect of a company's operational and business activities, involves a series of procedures within the organization. This includes the processing of data that aligns with the criteria outlined for Personal Data, as stipulated in Regulation Number 27 of 2022 concerning Personal Data Protection (PDP Regulation).

Personal Data is defined in the PDP Regulation as data of individual persons who are identified or can be identified separately or combined with other information directly or indirectly through electronic or non-electronic systems. Regarding data processing carried out by the company, it can refer to Article 20 paragraph (2) of the PDP Regulation, which explains the basis for processing personal data, which includes:

1. explicit lawful consent of the personal data subject for one or more specific purposes that the personal data controller has communicated to the personal data subject.
2. fulfillment of contractual obligations if the personal data subject is a party or to fulfill the personal data subject's request at the time of agreeing.
3. fulfillment of the legal obligations of the personal data controller by the provisions of laws and regulations.
4. fulfillment of the protection of the vital interests of the personal data subject.
5. implementation of duties in the context of public interest, public services, or the exercise of the authority of the personal data controller based on laws and regulations; and/or
6. fulfillment of other legitimate interests about the objectives, needs and balance of interests of the personal data controller and the rights of the personal data subject.

In practice, the regulation of the PDP Law is important for companies in determining and regulating employee obligations and ensuring employee compliance to protect personal data.

Criminal charges for employees who leak company data.

The legal consequences for unauthorized access can be seen in Article 30, paragraphs (1) and (2), in conjunction with Article 46 of the ITE Law, which reads as follows.

1. Any person intentionally and without rights or against the law accessing other people's computers and/or electronic systems in any way shall be sentenced to imprisonment for a maximum of 6 years and/or a maximum fine of Rp600 million.
2. Any person intentionally and without rights or against the law accessing computers and/or electronic systems in any way to obtain electronic information and/or electronic documents shall be sentenced to imprisonment for a maximum of 7 years and/or a maximum fine of Rp700 million.

The PDP Law incorporates criminal penalties that can entangle individuals, including employees, who breach provisions related to personal data protection. Nonetheless, companies are counseled to explore alternative avenues before initiating a report. This is grounded in the criminal law principle of ultimum remedium, signifying that if a case can be resolved through alternative channels such as kinship, negotiation, mediation, civil, or administrative law, these avenues should be exhausted first.

This wraps up our discussion on "Company Data Leaked Due to Employee Actions, What is the Legal Basis?". Let's increase your understanding by studying further reading.

Writer:

Yanuar Ramadhana Fadhila

Source:

Regulation Number 11 of 2008 concerning Electronic Information and Transactions as amended by Regulation Number 19 of 2016 concerning Amendments to Law Number 11 of 2008 concerning Electronic Information and Transactions;

Regulation Number 27 of 2022 concerning Personal Data Protection;

LIBERA.id, "What is the Law on Leaking Company Secrets by Employees Themselves?" accessed on page: https://libera.id/blogs/hukum-pembocoran-rahasia-perusahaan/ on December 9, 2022

Kominfo.go.id, "Kominfo dan Kadin Socialization of PDP Law to Business Actors" accessed on the page: https://aptika.kominfo.go.id/2022/10/kominfo-dan-kadin-sosialisasi-uu-pdp-ke-pelaku-usaha/ on December 9, 2022

Antaranews.com, "Why do you need personal data protection?" accessed on the page: https://www.antaranews.com/berita/1607946/kenapa-perlu-perlindungan-data-pribadi- on December 9, 2022