
UU PDP compliance

The cost of UU PDP non-compliance: fines, sanctions, and business risk

In short

UU PDP allows administrative sanctions up to 2% of annual revenue and criminal penalties up to 6 years imprisonment. Full breakdown of non-compliance costs for Indonesian companies.


Many Indonesian companies still treat UU PDP as a regulation for "later" or assume "nobody has been fined yet." Both assumptions are now incorrect. The transition period ended in October 2024, enforcement infrastructure is being built, and the sanctions are designed to be felt, not merely symbolic.

This page details the sanctions that can be imposed, how they are calculated, and the indirect costs that are often overlooked in risk assessments.

UU PDP sanction structure

UU PDP recognises three categories of sanction: administrative, civil, and criminal. All three can apply simultaneously for a single incident.

Sanction type | Provision | Authority
Administrative sanctions | Written warning, temporary processing suspension, data deletion, administrative fine up to 2% of annual revenue | Personal Data Protection Authority / BSSN
Civil lawsuit | Compensation to affected data subjects for material and immaterial losses resulting from the violation | Courts
Criminal: Article 67 | Unauthorised use of personal data: maximum 4 years imprisonment and/or fine up to IDR 4 billion | Police / Prosecutor
Criminal: Article 68 | Unauthorised disclosure of specific data (health, financial, biometric): maximum 5 years imprisonment and/or fine up to IDR 5 billion | Police / Prosecutor
Criminal: Article 69 | Falsification of personal data for own or third-party benefit: maximum 6 years imprisonment and/or fine up to IDR 6 billion | Police / Prosecutor

Calculating the 2% revenue fine

- 2%: maximum administrative fine on annual revenue
- IDR 6B: maximum criminal fine (Article 69)
- 6 years: maximum criminal imprisonment (Article 69)

A 2% fine on annual revenue looks small on paper. In practice the numbers are significant: for a company with IDR 500 billion annual revenue, the maximum fine reaches IDR 10 billion. For large corporations, this figure can affect financial statements and credit ratings.

Note that 2% is the ceiling, not a flat rate. Regulators consider the degree of intent, the impact on data subjects, and mitigation efforts when determining the fine amount.

Indirect costs that are often overlooked

Regulatory fines are the easy-to-calculate part. Indirect costs are frequently larger.

Litigation and legal fees

A single civil lawsuit from hundreds or thousands of affected data subjects can generate litigation costs far exceeding the regulatory fine. The mechanism for collective claims under UU PDP is untested but exists.

Temporary operational suspension

Regulations allow temporary suspension of data processing activities during investigation. For companies whose operations depend on customer data processing, this can mean complete service interruption.

Incident notification costs

You must notify all affected data subjects individually. For a database of 100,000 customers, the operational cost of notification alone can reach hundreds of millions of rupiah.

Reputational damage and client loss

Industry surveys show 60-70% of consumers reconsider their relationship with an organisation that experiences a public data breach. For B2B, the impact per client is far larger.

Violations most likely to trigger sanctions

- No valid consent mechanism for data collection
- Data breach without notification within 14 days
- No DPO appointed despite being required
- Cross-border data transfers without adequate safeguards
- Data retained longer than necessary without a clear legal basis
- Failure to respond to data subject rights requests within 30 days

Risk comparison: compliant vs non-compliant

Risk area | Without a UU PDP compliance programme | With an active compliance programme
Regulatory fine exposure | Up to 2% of annual revenue per incident | Substantially lower due to good faith evidence
Criminal risk for executives | Articles 67-69 can target individuals, not just corporations | Compliance documentation protects individuals from personal liability
Incident response speed | No playbook; 14-day reporting deadline difficult to meet | Playbooks and templates ready; deadline achievable
Position in government and corporate tenders | Increasingly, tenders require evidence of UU PDP compliance | Certification and documentation ready for proposals
Relationship with regulators | Investigation begins from a defensive position | Evidence of proactive compliance effort influences regulator assessment

The most practical first step

For most companies, the most efficient starting point is a UU PDP gap assessment: a short audit that identifies where you stand against the main obligations and which priorities need to be addressed first.

Alpha Code provides this assessment as part of its DPO-as-a-Service offering, including a prioritised report ready for presentation to a board of directors or audit committee.

Frequently asked questions

The maximum administrative sanction is 2% of the data controller's annual revenue. For criminal violations such as unauthorised use of personal data, maximum imprisonment is 5 years and criminal fines up to IDR 5 billion per article.
