Definition
What is UU PDP?
UU PDP stands for Undang-Undang Perlindungan Data Pribadi, Indonesia's Personal Data Protection Law, enacted as Law Number 27 of 2022. It is the country's first comprehensive data protection statute and sets out how organisations may collect, use, store, and share the personal data of individuals.
The law gives individuals rights over their data and places clear obligations on the organisations that handle it. After a two-year transition period, its requirements and sanctions became enforceable in October 2024, which is why compliance is now a priority for any business that holds customer or employee data.
Enacted
Law 27/2022 is signed, Indonesia's first comprehensive data protection statute.
Transition
A two-year window for organisations to adapt their systems and processes.
Enforcement
The transition period ends. Obligations and sanctions become enforceable.
Ongoing
Supervision and enforcement continue under a dedicated data protection authority.
Scope
Who must comply?
UU PDP applies to any organisation that processes the personal data of individuals in Indonesia, whether the organisation is based inside the country or abroad. Answer the questions below to see whether it is likely to apply to you.
- Do you collect or process personal data of people in Indonesia?
- Does your organisation decide how that data is used, or process it for someone who does?
- Do you share personal data with vendors or transfer it across borders?
The law distinguishes between a data controller, which decides why and how data is processed, and a data processor, which processes data on the controller's behalf. Both carry obligations, and the law reaches organisations outside Indonesia whose processing affects Indonesian individuals.
Obligations
What UU PDP requires
The law sets out a set of core obligations for organisations that process personal data.
Lawful basis and consent
Process personal data only on a valid legal basis. Where consent is the basis, it must be explicit, informed, and freely given.
Data subject rights
Honour individuals' rights to access, correct, delete, and withdraw consent over their personal data, and respond within set timeframes.
Purpose limitation
Collect data only for specified, legitimate purposes and do not use it in ways incompatible with those purposes.
Security safeguards
Protect personal data with appropriate technical and organisational measures against loss, misuse, and unauthorised access.
Breach notification
Notify the supervisory authority and the affected individuals in writing within 3 x 24 hours (72 hours) of becoming aware of a personal data breach. The notice must state at least which personal data was compromised, when and how the breach happened, and what is being done to contain and recover from it.
Data protection officer
Appoint a data protection officer where you process data on a large scale, monitor individuals systematically, or handle specific categories of data. Alpha Code offers DPO as a Service (DPOaaS) for organisations that need one without an in-house hire.
Cross-border transfers
Transfer personal data abroad only where the destination country offers a level of protection equal to or higher than UU PDP, where adequate binding safeguards are in place, or where the individual has given consent to the transfer.
Risk
Penalties for non-compliance
UU PDP carries administrative sanctions of up to 2 percent of an organisation's annual revenue, alongside written warnings, temporary suspension of processing, and orders to delete data. For the most serious violations, such as unlawful collection or disclosure of personal data, the law also provides for criminal liability, including fines and imprisonment of up to six years.
The size of the potential fine makes the business case for compliance clear: an administrative fine is capped at 2 percent of annual revenue, so the exposure scales directly with the size of the organisation. Any figure derived from that ceiling is an illustrative maximum, not legal advice or a prediction of any specific penalty.
Action plan
10-step UU PDP compliance checklist
Use this checklist to track your readiness, working through the ten steps in order and recording which ones are complete.
How we help
How Alpha Code helps you comply
Alpha Code maps each UU PDP obligation to a concrete service, so compliance becomes a clear programme of work rather than a legal abstraction.
- Gap assessments, data inventories, privacy impact assessments, and evidence for examinations.
- Identify the security weaknesses that put personal data at risk before they are exploited.
- 24/7 monitoring that supports the security safeguards the law expects.
- Rapid containment and the forensics needed to meet the breach-notification window.
- We act as your outsourced Data Protection Officer where the law requires one, without the cost of an in-house hire.
Frequently asked questions
What is UU PDP?
UU PDP stands for Undang-Undang Perlindungan Data Pribadi, Indonesia's Personal Data Protection Law. It was enacted as Law Number 27 of 2022 and is the country's first comprehensive data protection statute.