Data Protection And Cybersecurity In Indonesia: Online Marketing.

Legal News & Analysis - Asia Pacific - Indonesia - Regulatory & Compliance - Cybersecurity

28 November, 2019


Indonesia’s Electronic Information Law, Government Regulation 82 regarding the Implementation of Electronic Systems and Transactions, and Ministry of Communication and Informatics (MOCI) Regulation 20 regarding the Pro­tection of Personal Data in Electronic Systems (jointly referred to as the PDP Regulations) are silent on the sending of unsolicited commercial or marketing communications.


While it is not explicit, the Indonesian Financial Services Authority (OJK), through its Regulation No. 1/2013, has imposed a prohibition on telemarketing telephone calls or texts by prohibiting busi­nesses in the financial services sector from making any prod­uct or service offering or marketing to consumers and/or the public through private communication facilities without the prior consent of the consumer.


Businesses in the financial services sector are defined as commercial banks, rural banks, securities companies, investment advisors, custodian banks, pension funds, insurance companies, reinsurance compa­nies, multi-finance institutions, pawn companies and guar­antee companies that operate under conventional or sharia arrangements.


The OJK regulation also specifies that the business must include and/or mention the logo and/or the name of its company and a statement that it is duly registered and supervised by the OJK. Consumers can file a complaint with the OJK if they receive telemarketing telephone calls or texts, and the OJK will proceed to investigate and stipulate any applicable sanctions for such business. The sanctions range from a written warning and fines to the limitation of busi­ness scope, suspension of business activities, and revocation of its business license.


There are no specific regulations pertaining to behavioral advertising. As such, the activity of behavioral advertising is subject to the general requirement for the obtainment of consent of the data subject.


There are no specific regulations pertaining to location-based advertising or other communications. As such, the activity of location-based advertising is subject to the gen­eral requirement for the obtainment of consent of the data subject.


This first appeared in the 2019 Chambers Data Protection and Cyber Security Guide, published by Chambers and Partners. You can find the full chapter here.


SSEK -Regulation Of Insurance And Reinsurance Contracts In Indonesia. - See more at:


For Further Information, please contact:
Denny Rahmansyah, Partner, Soewito Suhardiman Eddymurthy Kardono