On 17 October 2022, Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) was enacted by the government. Prior to the enactment, provisions on personal data protection were scattered across a number of laws and regulations, which resulted in discrepancies and inconsistencies in the definition and scope of personal data. Hence, the PDP Law now serves as a comprehensive legal ground for providing protection, regulation and imposition of sanctions against the misuse of personal data. Additionally, the PDP Law is expected to better regulate and protect personal data, especially in the current situation where there are massive leaks of user data on business platforms and personal data is intentionally leaked to the public on social media. The PDP Law requires companies engaged in digital economy industries, particularly those collecting, acquiring, processing, analyzing, and storing personal data of data subjects, to adjust their practices to the provisions of the PDP Law within 2 (two) years from its promulgation.
In connection with the foregoing, the PDP Law requires personal data controllers and personal data processors to appoint a Data Protection Officer(s) (“DPO”) to protect personal data in cases where:
- the processing of personal data is in the public interest;
- the core activity of the personal data controller has characteristics, scope and/or purposes in which large-scale regular and systematic monitoring of personal data is necessary; and
- the core activity of the personal data controller comprises large-scale processing of personal data in special categories, and/or personal data relating to criminal offenses.
A DPO must be appointed solely on the basis of their professionalism, legal knowledge, personal data protection practice, and capability to complete their tasks. Where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced so as to provide effective oversight.
A DPO has the following duties:
- to inform and advise the personal data controller or personal data processor on compliance with the PDP Law;
- to monitor and ensure compliance with the PDP Law and the policies of the personal data controller or the personal data processor;
- to offer advice on the personal data protection impact assessment and to monitor the performance of the personal data controller and the personal data processor; and
- to ensure coordination and act as a contact person in respect of issues relating to the processing of personal data.
Based on the aforesaid, it is clear that a DPO plays an important role in ensuring and monitoring the compliance of a personal data controller and personal data processor with the PDP Law. The appointment of a DPO is also vital to mitigate the risks resulting from personal data leaks.

