Indonesian Fintech Association Issues Personal Data Protection Guidance

In November 2024, the Indonesian Fintech Association (Asosiasi Fintech Indonesia or AFTECH) released its Guidance on Personal Data Protection in the Financial Technology Industry (Guidance). 

BACKGROUND

The Guidance had been prepared with the support of a few partners, namely the Institute for Technology Law Studies Faculty of Law of University of Indonesia, PT GoTo Gojek Indonesia Tbk, Information Systems Audit and Control Association (ISACA) Indonesia, and the Bill & Melinda Gates Foundation.

The Guidance references three main sources of law on data protection – EU’s General Data Protection Regulation (GDPR), Indonesia’s Law No. 27 of 2022 on Personal Data Protection (the Personal Data Protection Law), and OJK Regulation No. 22 of 2023 on Consumer and Public Protection in the Financial Services Sector (the OJK Consumer Protection Regulation). It gives fintech companies a comprehensive guide to meeting their data protection responsibilities and shares industry best practices. It also addresses the importance of education and raising employee awareness of personal data protection issues, and provides guidelines on the appropriate technology and procedures to prevent data breaches.

WHAT THE GUIDANCE COVERS

The Guidance summarises the main data protection obligations set out in the Personal Data Protection Law and the OJK Consumer Protection Regulation, and the sanctions for breaching these obligations. Helpfully, it also sets out some practical guidance on complying with data protection obligations, including (i) preparatory steps; (ii) steps to demonstrate compliance; and (iii) follow-up actions.

In highlighting industry best practices, the Guidance includes suggestions for fintech companies in areas not explained in detail under the existing regulations. It points out that personal data protection for certain categories of data subjects is not fully addressed by the existing regulations, with industry practices varying. These categories include children, people with disabilities, and the deceased. 

DATA PROTECTION OBLIGATIONS 

Some key points covered by the Guidance are set out below.

Processing data based on consent 

The Guidance provides an example of how privacy notices could be drafted. It also sets out different methods to obtain consent (click-through, opt-in check box, pop-up notification, scroll consent, banner) and strategies to ensure that data subjects have read and understood the privacy notice. The Guidance also touches upon two follow-up actions in relation to this obligation – how consent could be documented, and how withdrawal of consent could be facilitated.

Verification of personal data

The chosen verification method must be in line with the level of risk inherent in the electronic transaction. Fintech services such as payments, fund withdrawals, applications for and disbursements of loans, and remittances all entail substantial risk, and therefore require more accurate verification of individual identities. 

The Guidance provides examples of liveness detection (anti-spoofing) measures that can be deployed to verify an individual’s identity. It notes that fintech companies can cooperate with third parties that (i) can facilitate comparison against government data and/or (ii) have obtained an Electronic Certification Operator (Penyelenggara Sertifikasi Elektronik or PSrE) licence from the Ministry of Communication and Digital Affairs.

Fulfilling data subject requests

Fintech companies must have a standard operating procedure (SOP) for responding to requests from data subjects. This SOP should be periodically reviewed. The Guidance also includes correspondence templates for fintech companies to adapt and use in responding to these requests.

Data Protection Impact Assessment (DPIA)

The Personal Data Protection Law requires data controllers to carry out a Data Protection Impact Assessment (DPIA) before doing any high-risk personal data processing. However, as the Guidance acknowledges, there has been no further guidance on how the DPIA should be carried out. 

The Guidance suggests that various criteria be considered in the DPIA – including the types of personal data collected, potential risks and their causes, the impact of the risks, and mitigation efforts. It also looks at how ‘large scale’ data processing is defined in other jurisdictions, noting that this is one scenario where a DPIA is required, but that the assessment criteria for ‘large scale’ have not yet been regulated.

Appointment of data processor

Before appointing a data processor, fintech companies must conduct due diligence and prepare a data processing agreement with clear scope and instructions. This agreement should at least cover personal data processing instructions, confidentiality, data security, appointment of sub-processors, data subject requests, compliance and audits.  

Appointment of data protection officer (DPO)

A data protection officer (DPO) may be appointed either internally or externally (e.g. from a law firm). Three different working models for the DPO are available – centralised, decentralised, and hybrid. Based on the scope of responsibilities of the DPO, the minimum requirements for the role are (i) legal knowledge, (ii) understanding of the relevant processes, (iii) ability to prepare and assess the documentation, and (iv) coordination.

Transfer of personal data

The Guidance acknowledges that the Indonesian government has not issued a list of countries considered as having the “same level” of personal data protection as Indonesia. While awaiting this determination, fintech companies must ensure that any transfer of personal data outside Indonesia is carried out either (a) after ensuring that there is adequate binding personal data protection (i.e. contractual clauses or a personal data transfer agreement imposing data protection obligations on the overseas data transferee) or (b) with the data subject’s prior consent.

The Guidance also puts forward recommended content for personal data transfer agreements, such as data security, rights of data subjects, audits and inspections.

CONCLUSION

The Guidance issued by AFTECH on personal data protection is a crucial resource for companies operating in the financial technology industry. It not only provides a comprehensive explanation of key obligations under the relevant regulations but also offers practical advice on how to comply with these requirements. The inclusion of templates in the Guidance is particularly helpful, enabling fintech companies to implement best practices efficiently and effectively – making it an essential tool for ensuring data protection and fostering trust in the fintech industry. 

The AFTECH Guidance (Indonesian language) can be downloaded here