By Alfina Nailul Maghfiroh
11 Dec 2023
Existence and Obligations of Personal Data Controllers Based on Regulation Number 27 of 2022
Hello, Privacymu Buddies!
Have you heard of Personal Data Controllers? Or have you ever wondered who is in control of processing your data? If you haven't, let's learn together through this writing!
As time goes by, the development of information and technology is increasingly widespread. This development brings positive and negative impacts simultaneously. The presence of increasingly sophisticated information and technology also strengthens the protection of informative things contained in technology in any form. One of them that needs to be protected is personal data.
Legally, safeguarding something necessitates regulations to serve as the umbrella and milestone for its enforcement. In protecting personal data, Regulation Number 27 of 2022 concerning Personal Data Protection has been established amidst the ongoing development of Indonesian society.
Definition of Personal Data and Personal Data Controller
According to the law, personal data is data about an individual who is identified or can be identified, separately or in combination with other information, either directly or indirectly, through electronic or non-electronic systems.
The processing of personal data covers obtaining and collecting, processing and analyzing, storing, correcting and updating, displaying, announcing, transferring, disseminating, disclosing, and deleting or destroying personal data. The Personal Data Protection Law mandates that the Personal Data Controller carry out this processing.
A Personal Data Controller is any person, public body or international organization acting individually or jointly in determining the purposes and exercising control over the processing of personal data.
Where the processing of personal data is carried out by two or more Personal Data Controllers, they must meet the minimum requirements under this law: an agreement between the Personal Data Controllers setting out their roles, responsibilities and relationships; interrelated purposes and jointly determined ways of processing personal data; and a jointly appointed contact person.
Obligations of the Personal Data Controller
As a legal entity, the Personal Data Controller is bound by various obligations, as detailed in Article 20 of Regulation 27 of 2022 concerning Personal Data Protection. Specifically, the Personal Data Controller is required to have a lawful basis for processing personal data. This includes:
- Explicit lawful consent of the personal data subject for one or more specific purposes that the Personal Data Controller has communicated to the personal data subject;
- Fulfillment of contractual obligations where the personal data subject is a party, or fulfillment of a request of the personal data subject when entering into an agreement;
- Fulfillment of legal obligations of the Personal Data Controller in accordance with the provisions of laws and regulations;
- Fulfillment of the protection of the vital interests of the personal data subject;
- Implementation of duties in the context of public interest, public services, or the exercise of the authority of the Personal Data Controller based on laws and regulations;
- Fulfillment of other legitimate interests by considering the objectives, needs and balance of the interests of the Personal Data Controller and the rights of the personal data subject.
Continuing with Article 21 of this law, the Personal Data Controller is tasked with conveying information regarding personal data processing. This encompasses elucidating the legality, purpose, type, and relevance of personal data to be processed, along with the retention period of documents containing personal data, specifics about the collected information, the processing period of personal data, and the rights of the personal data subject.
Furthermore, as stipulated in Articles 24 to 45 of this law, the Personal Data Controller must fulfill various other responsibilities. These include providing evidence of consent obtained from the personal data subject; processing personal data in a limited, specific, legally valid, and transparent manner; ensuring the accuracy, completeness, and consistency of personal data in accordance with legal provisions; and promptly updating and correcting errors and inaccuracies in personal data within 3 x 24 hours of receiving a request for such updates and corrections.
Moreover, the Personal Data Controller must:
- record all personal data processing activities;
- grant personal data subjects access to their processed personal data within the designated storage period;
- decline requests for access to amend personal data under certain conditions outlined in Article 33 of the PDP Law;
- assess the impact of personal data protection for high-risk processing activities;
- secure and ensure the confidentiality of personal data through the means specified in Article 35 of the PDP Law;
- oversee all parties involved in the processing of personal data under the jurisdiction of the Personal Data Controller;
- safeguard personal data from unauthorized processing and access;
- cease processing personal data upon withdrawal of consent by the data subject;
- promptly delay and restrict the processing of personal data within 3 x 24 hours of receiving a request for such delay and restriction;
- terminate the processing of personal data upon reaching the stipulated retention period.
When processing personal data, the Personal Data Controller carries out these obligations based on the principles of personal data protection, which include:
- The collection of personal data is limited and specific, legally valid and transparent;
- The processing of personal data is carried out in accordance with its purpose;
- The processing of personal data is carried out by guaranteeing the rights of the personal data subject;
- The processing of personal data is accurate, complete, non-misleading, up-to-date and accountable;
- The processing of personal data is carried out by protecting the security of personal data from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or loss of personal data;
- The processing of personal data is carried out by notifying the purpose and activity of the processing, as well as the failure of personal data protection;
- Personal data is destroyed and/or deleted after the retention period expires or at the request of the personal data subject unless otherwise stipulated by laws and regulations;
- The processing of personal data is carried out responsibly and can be proven.
This briefly explains the article "The Existence and Obligations of Personal Data Controllers Based on Law Number 27 of 2022". Hopefully, it can sharpen your insight.
Writer:
Alfina Nailul Maghfiroh
Source:
Regulation Number 27 of 2022 concerning Personal Data Protection.