By Setyawati Fitrianggraeni and Marcel Raharja
Introduction
In today’s digital economy, the constant movement of personal data across systems and borders drives innovation and efficiency, but it also heightens legal risk, particularly around privacy and security. Indonesia’s Personal Data Protection Law (Law No. 27 of 2022, the PDP Law), in force since 17 October 2022, provides the legal framework for managing those risks. It distinguishes between data controllers, who determine the purpose and means of processing and bear primary responsibility, and data processors, who act on the controller’s instructions. The law also recognizes joint controllers, although further guidance on that role is still pending. Correctly identifying which role an organization plays is crucial for compliance, for secure data transfers, and for managing third-party risk. With the two-year transition period having ended on 17 October 2024, and enforcement mechanisms taking shape alongside the anticipated implementing regulations, understanding and fulfilling the distinct obligations of controllers and processors is now essential. Non-compliance risks substantial financial penalties and reputational damage, and may also lead to complex litigation, regulatory action and, for certain violations, criminal sanctions.
Risk Mitigation and Core Obligations in the Era of Data in Motion
The PDP Law assigns distinct responsibilities to data controllers and data processors so that personal data is handled securely, particularly while it is in motion across systems or borders. Controllers carry the broader obligations: determining the purpose and means of processing, obtaining valid consent (or establishing another lawful basis), ensuring transparency toward data subjects, and implementing adequate safeguards for cross-border transfers. Controllers must also ensure that any third-party processors they engage process personal data only for the purposes the controller has specified.
For data processors, responsibilities are more operational in nature. They must process personal data strictly on behalf of, and on the instructions of, the controller; implement appropriate technical and organizational measures to protect the data; and report any breaches promptly.

Managing personal data in motion under the PDP Law requires more than technical compliance; it demands a strategic, multi-layered governance approach that addresses privacy, legal, and cybersecurity risks together. First and foremost, an organization must appoint a Data Protection Officer (DPO) if its core activities involve large-scale processing of personal data or require systematic monitoring of data subjects. The DPO oversees compliance, advises the organization on its obligations, and acts as the point of contact with the data protection authority.
For high-risk processing, Data Protection Impact Assessments (DPIAs) are mandatory; they identify and manage risks to individuals’ rights and are especially relevant to data transfers and third-party access. Data Processing Agreements (DPAs) with each processor must clearly define the scope of processing, security requirements, breach-notification protocols, and audit rights, so that the processor demonstrably follows the controller’s instructions. Internally, companies should enforce data-handling policies, train staff, classify data, and maintain records of processing activities (RoPA) to demonstrate accountability. Together, these legal, operational, and technical safeguards are what keep personal data in motion from becoming a regulatory and reputational liability.
Navigating the Evolving Landscape and Executive Takeaways
The Personal Data Protection Body (PDP Body, or Badan Pengawas Perlindungan Data Pribadi), which the PDP Law mandates to oversee enforcement, has not yet been established; its formation by Presidential Regulation is targeted for 2026. In the interim, the Ministry of Communication and Digital Affairs (Komdigi, formerly the Ministry of Communications and Informatics, Kominfo) holds supervisory authority. Once operational, the PDP Body will issue technical guidelines, handle complaints, conduct investigations, impose administrative sanctions, approve cross-border transfer mechanisms, and shape how the law is applied in practice, so organizations will need to adapt quickly as it begins to act.

As Indonesia’s data protection framework continues to mature, organizations should follow official government channels, regulatory announcements, and industry forums for new developments. Under the PDP Law, an organization handling personal data in motion must first identify its role (controller, processor, or joint controller) and then map its data flows, including cross-border transfers and third-party sharing. Compliance requirements such as legal bases for processing, data subject rights, and security measures must then be integrated into both its governance and its technical systems.
Conclusion
As Indonesia’s data protection landscape continues to evolve with the PDP Law, organizations must proactively address their roles as data controllers or processors, especially in managing “Personal Data in Motion.” Understanding compliance obligations, from ensuring valid legal grounds for data processing to implementing robust cybersecurity measures, is critical. Organizations must focus on governance, enforce clear contracts, and stay informed on the upcoming regulations and the establishment of the Personal Data Protection Body. By staying attuned to these developments, organizations can mitigate legal risks, safeguard data, and build trust, ensuring responsible and sustainable growth in the digital economy.
Bibliography
Joenaedi FA and Tarina DDY, ‘Cyber Insurance as a Risk Mitigation Tool and Company Compliance Instrument with Indonesia’s Personal Data Protection Law’ (2024) 1 UNRAM Law Review 243
Law No. 27 of 2022 on Personal Data Protection.
Mahameru DE and others, ‘Implementasi UU Perlindungan Data Pribadi Terhadap Keamanan Informasi Identitas Di Indonesia’ [Implementation of the Personal Data Protection Law for Identity Information Security in Indonesia] (2023) 5 Jurnal Esensi Hukum 115
For further information, please contact:
P: +62 21 7278 7678, +62 21 7279 5001
H: +62 811 8800 427
Anggraeni and Partners, an Indonesian law practice with a worldwide vision, provides comprehensive legal solutions using forward-thinking strategies. We help clients manage legal risk and resolve disputes on admiralty and maritime law, complicated energy and commercial issues, arbitration and litigation, tortious claims handling, and cyber tech law.
S.F. Anggraeni
Managing Partner
Marcel Raharja
Associate
marcel.ra@ap-lawsolution.net