DPO responsibilities in Indonesian financial services
In short
Banks and fintechs process financial data at scale, so a DPO is usually mandatory. This page sets out the overlapping UU PDP and OJK duties that a financial-sector officer has to coordinate.
Banks and payment providers sit at one end of the spectrum when it comes to the UU PDP appointment obligation. Their core business is collecting, storing and acting on personal financial data, which Article 4 paragraph 2 of UU PDP classifies as specific personal data alongside health records, biometric data and criminal records. Large-scale processing of specific personal data is one of the three triggers in Article 53 paragraph 1. Most banks and fintechs meet it on day one. Many also meet the second trigger independently: large-scale regular and systematic monitoring of personal data. Fraud detection, credit scoring and anti-money-laundering screening all qualify. To check whether your specific processing meets any of these triggers, the DPO obligation checklist works through each condition with concrete examples.
What makes the financial sector distinctive is not just that the appointment is mandatory, but that the officer takes on a coordination role across several overlapping regulatory regimes, each carrying its own obligations on data handling, breach reporting and data placement.
The rules a financial-sector DPO must hold together
A DPO in banking or fintech does not operate only under UU PDP. The regulations below each impose their own data-related duties, and the officer is the natural point of coordination when they converge on the same processing activity.
| Source | What the DPO coordinates |
|---|---|
| UU PDP Art 53-54 | Personal data protection function and duties |
| UU PDP Art 46 | Breach notice within 3x24 hours to subject and authority |
| POJK 11/POJK.03/2022 | IT risk management and onshore data placement |
| SEOJK 29/SEOJK.03/2022 | Cyber resilience, independent cyber unit, incident reporting |
| POJK 22/2023 | Consumer data confidentiality and no misuse |
| UU 10/1998 Pasal 40 | Depositor and deposit confidentiality, bank secrecy |
| PBI 23/6/PBI/2021 Pasal 48 | Onshore processing of payment transactions |
The interaction between these rules is not always straightforward. UU PDP and POJK 22 of 2023 both address consumer data confidentiality, but through different enforcement tracks and with different emphasis. UU 10/1998 on banking secrecy predates UU PDP by over two decades. None of these instruments supersedes the others; they sit alongside one another, and a financial-sector DPO has to hold the full picture.
Two breach clocks, not one
A security incident at a bank often triggers two separate notification obligations that run in parallel. They are not interchangeable. Each has its own recipient, its own deadline, and its own legal basis.
| | UU PDP breach notice | OJK cyber-incident report |
|---|---|---|
| What triggers it | A personal data protection failure | A cyber or IT incident |
| Who you notify | The data subject and the authority | OJK |
| Deadline | Within 3x24 hours, that is 72 hours | Initial notice within 24 hours, full report within 5 days |
| Legal basis | UU PDP Article 46 | POJK 11/POJK.03/2022 |
The same event, say an unauthorised access to a customer database, can engage both obligations at once. The DPO has to ensure that the bank meets both timelines, and that the notifications sent to each recipient are accurate and consistent with each other. Coordinating that response across legal, IT security, compliance and communications is one of the most time-sensitive tasks the role carries.
Data localisation the DPO has to plan around
Data placement is not a free variable for financial institutions. PP 71 of 2019 preserves the authority of financial-sector regulators to impose their own localisation requirements, separate from any general cross-border transfer rules that may follow from UU PDP. POJK 11/POJK.03/2022 sets an onshore default for commercial banks: a bank that wants to place its data offshore needs OJK approval. Bank Indonesia goes further for payment services: PBI 23/6/PBI/2021 Article 48 requires that payment-transaction processing be conducted onshore, unless Bank Indonesia specifically approves an alternative.
In practice, this means that a DPO reviewing a cloud migration, a new third-party processor arrangement, or a cross-border data flow has to map the proposed arrangement against both UU PDP's transfer controls and the sector-specific localisation rules. The two sets of constraints do not always align in scope or timing, so the assessment has to treat them separately.
What this means for the role
A financial-sector DPO operates at the intersection of privacy, IT risk, consumer protection, bank secrecy and the data generated by AML and KYC processes. The role involves more than administering a personal data protection programme. The officer regularly encounters tensions between what data minimisation requires and what AML retention duties demand. They sit across different business lines, compliance frameworks and regulatory supervisors.
For organisations deciding how to structure or staff the role, the how to appoint a DPO under UU PDP page covers the appointment process, mandate structure and how the officer relates to existing legal and compliance functions. Separately, the blog post on OJK cybersecurity requirements for Indonesian banks sets out the IT-security obligations in more detail for those working through the POJK 11 and SEOJK 29 requirements alongside the privacy framework.
This is general guidance on UU PDP and financial-sector regulation, not legal advice. Confirm your obligations against the current rules.
References
1. UU Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi
2. POJK 11/POJK.03/2022 tentang Penyelenggaraan Teknologi Informasi oleh Bank Umum, OJK
3. SEOJK 29/SEOJK.03/2022 tentang Ketahanan dan Keamanan Siber bagi Bank Umum, OJK
4. POJK 22 Tahun 2023 tentang Pelindungan Konsumen dan Masyarakat di Sektor Jasa Keuangan, OJK
5. UU Nomor 10 Tahun 1998 tentang Perbankan
6. PBI 23/6/PBI/2021 tentang Penyedia Jasa Pembayaran, Bank Indonesia
Frequently asked questions
Their core activity is large-scale processing of personal financial data, which Article 4 paragraph 2 of UU PDP classifies as specific personal data. That meets the Article 53 paragraph 1 trigger. Many also meet the monitoring trigger through fraud, credit and AML screening.