UU PDP compliance for banking and financial services in Indonesia
In short
How UU PDP applies to banks, multifinance, fintech, and insurance in Indonesia. Financial sector-specific obligations, intersection with POJK 11, and practical implementation steps.
Indonesia's financial sector sits at the intersection of two overlapping regulatory regimes: UU PDP governing personal data protection, and POJK 11 governing the cybersecurity of financial service institutions. Both are mandatory, but their scope does not fully overlap. Banks, multifinance companies, fintech, and insurance firms must satisfy both simultaneously.
Why the financial services sector has layered obligations
Financial service institutions process the most sensitive categories of personal data: financial data, full identity data, transaction history, and in many cases biometric data. UU PDP categorises financial data and biometric data as specific personal data with the highest level of protection.
UU PDP: customer data protection
Governs how customer data is collected, stored, processed, and deleted. Requires explicit consent, data subject rights (access, correction, deletion), and incident notification within 14 days.
POJK 11: financial system security
Governs cybersecurity standards for financial institution technology infrastructure, including mandatory penetration testing, monitoring, incident response, and OJK incident reporting.
Overlaps and gaps
24/7 monitoring (POJK 11) helps detect data breaches (UU PDP). But customer consent mechanisms, DPO appointment, and data subject rights are regulated only by UU PDP and not covered by POJK 11.
Obligation mapping for financial institutions
| Obligation | Covered by POJK 11 | Covered by UU PDP (additional) |
|---|---|---|
| Periodic penetration testing | Mandatory (Article 10) | Not specifically regulated |
| 24/7 security monitoring | Mandatory | Not specifically regulated |
| Incident reporting to OJK | Mandatory within 14 days | Not applicable (reporting to BSSN instead) |
| Customer consent for data use | Not specifically regulated | Mandatory, with valid consent criteria |
| Customer rights: access, correction, deletion | Not regulated | Mandatory to implement |
| DPO appointment | Not required | Mandatory for institutions meeting Article 53 criteria |
| Agreements with third-party processors | Partial (vendor management) | Mandatory, with specific data protection clauses |
| Incident notification to affected customers | Not required | Mandatory within 14 days |
Specific personal data in financial services
UU PDP establishes categories of data requiring higher protection. Almost all financial institutions process most of this list.
Processing specific personal data requires a stronger legal basis than ordinary business interest. Criminal sanctions for violations are also higher: UU PDP Article 68 provides for up to 5 years' imprisonment and a fine of up to IDR 5 billion.
Practical implementation: priority steps
1. Data mapping
   Identify all personal data processed: where it originates, where it is stored, who accesses it, and how long it is retained. Without an accurate data map, no compliance programme can be built. This is the first and most fundamental step.
2. Consent mechanism audit
   Review registration forms, credit agreements, and digital service terms. Is consent for marketing data use, credit scoring by third parties, and data sharing with partners obtained explicitly and separately from general terms?
3. Data subject rights implementation
   Build mechanisms for customers to access, correct, or request deletion of their data. UU PDP requires a response within 30 days. For banks with millions of customers, this requires automated systems.
4. Third-party contract review
   All vendors that process customer data require data protection agreement addenda under UU PDP Article 56. This includes international cloud providers that process Indonesian customer data.
5. DPO appointment and function establishment
   Determine whether your institution is required to appoint a DPO under Article 53 criteria. If so, determine whether an internal or outsourced DPO is more appropriate for your available capacity and budget.
OJK's position on UU PDP
OJK acknowledges that financial service institutions under its supervision are subject to UU PDP in addition to OJK's own regulations. In several recent regulations, OJK is increasingly aligning its requirements with UU PDP, including in POJK 34/2025 for Rural Banks (BPR).
UU PDP compliance is not merely an additional legal obligation. It is part of the data governance that OJK expects from financial institutions operating in the digital era.
Alpha Code supports Indonesian financial service institutions in building UU PDP compliance programmes that integrate with existing POJK cybersecurity frameworks.
Frequently asked questions
No. POJK 11 focuses on cybersecurity of infrastructure and systems, while UU PDP governs the processing and protection of customer personal data. There is significant overlap, but UU PDP also covers obligations not addressed by POJK 11, including customer consent mechanisms, data subject rights, and the obligation to appoint a DPO.
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.