# UU PDP (Indonesia Data Protection) Compliance
Law No. 27 of 2022 — Undang-Undang Pelindungan Data Pribadi (UU PDP) — is Indonesia's comprehensive personal data protection law. Spanning 76 articles across 16 chapters, UU PDP establishes data-subject rights, controller obligations, breach-notification requirements, and cross-border transfer rules. The two-year transition period ended on 17 October 2024, meaning all provisions are now in force.
UU PDP mandates a Data Protection Authority (DPA), but the DPA has not yet been constituted; the Presidential Regulation establishing it is still pending. Until it is, the Ministry of Communication and Digital Affairs (MOCDA, Komdigi, formerly Kominfo) is the recipient of breach notifications and cross-border transfer notifications. This page reflects the current state; check official government channels for updates on the DPA's constitution.
This page is engineering guidance for teams building governed AI on AxonFlow. It is not legal advice. Validate the regulatory mapping with your legal and compliance teams before relying on it for UU PDP compliance or supervisory interactions.
## Key UU PDP provisions for AI systems
### Article 46 — Breach notification (3 x 24 hours)
Article 46 paragraph (1) requires data controllers to notify both the data subject and the DPA (currently MOCDA) in writing within 3 x 24 hours (72 hours) of discovering a personal data breach. The notification must include:
- what personal data was breached
- when and how the breach was discovered
- remediation steps taken or planned
This is a strict timeline. Article 46 does not spell out when the clock starts, so the conservative engineering reading is that it starts at discovery, not at confirmation. For AI systems processing Indonesian personal data (NIK, NPWP, bank accounts, phone numbers), that means audit trails granular enough to reconstruct what data was exposed, whose it was, and when, within hours rather than days.
### Article 56 — Cross-border data transfer
Article 56 establishes a tiered framework for transferring Indonesian personal data across borders:
- Adequacy: the destination country has data protection laws deemed equivalent by the DPA
- Appropriate safeguards: binding contractual clauses or other safeguards approved by the DPA
- Consent: explicit data-subject consent for the transfer
Notification to the DPA (currently MOCDA) is required both before and after the transfer. For AI systems that route prompts, context or training data through foreign LLM providers or cloud infrastructure, every cross-border data movement should be logged with its destination and transfer basis, and a transfer with no basis should be blocked at the call, not logged after the fact.
Cross-border transfer decision tree:

```text
Does the destination country have UU PDP adequacy?
├── Yes → Transfer permitted (log: basis = "adequacy")
└── No  → Are appropriate safeguards in place?
    ├── Yes → Transfer permitted (log: basis = "safeguards")
    └── No  → Has the data subject given explicit consent?
        ├── Yes → Transfer permitted (log: basis = "consent")
        └── No  → Transfer NOT permitted
```
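The decision tree as a transfer gate that a routing layer can call before a prompt leaves the country, with one audit record per decision. This is an added example, not AxonFlow code: the field names data_residency and transfer_basis mirror the names this page uses for the Enterprise audit log, but the record layout is an assumption, and the adequacy, safeguards and consent lookups are constructed placeholders (the DPA has published no adequacy decisions, so in a real deployment all three are configuration supplied by the legal team).

```python
"""Article 56 transfer gate with per-decision audit logging (added example, not AxonFlow code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class TransferConfig:
    """Lookups the legal team maintains. Constructed defaults, not official lists."""
    home_country: str = "ID"
    adequate: frozenset = frozenset()        # empty until the DPA publishes adequacy decisions
    safeguarded: frozenset = frozenset()     # destinations covered by signed binding clauses
    consents: frozenset = frozenset()        # (data_subject_id, destination) pairs with explicit consent


# Demo configuration (assumption): binding clauses cover SG; subj-001 consented to US processing.
DEMO_CONFIG = TransferConfig(
    safeguarded=frozenset({"SG"}),
    consents=frozenset({("subj-001", "US")}),
)


@dataclass
class TransferRequest:
    data_subject_id: str
    destination: str                         # ISO 3166-1 alpha-2 code of the processing location
    data_categories: list


@dataclass
class TransferDecision:
    permitted: bool
    basis: Optional[str]                     # "domestic" | "adequacy" | "safeguards" | "consent" | None
    audit_record: dict = field(default_factory=dict)


def decide_transfer(req: TransferRequest, cfg: TransferConfig = DEMO_CONFIG,
                    now: Optional[datetime] = None) -> TransferDecision:
    """Walk the tiers in the order the law ranks them: adequacy, then safeguards, then consent."""
    if req.destination == cfg.home_country:
        basis = "domestic"                   # not a cross-border transfer at all
    elif req.destination in cfg.adequate:
        basis = "adequacy"
    elif req.destination in cfg.safeguarded:
        basis = "safeguards"
    elif (req.data_subject_id, req.destination) in cfg.consents:
        basis = "consent"
    else:
        basis = None

    # Blocked transfers are logged as well: the absence of a basis is itself evidence.
    record = {
        "event": "data_transfer_decision",
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "data_subject_id": req.data_subject_id,
        "data_residency": req.destination,
        "transfer_basis": basis or "none",
        "data_categories": sorted(req.data_categories),
        "outcome": "permitted" if basis else "blocked",
    }
    return TransferDecision(permitted=basis is not None, basis=basis, audit_record=record)


def select_route(data_subject_id: str, data_categories: list, candidates: list,
                 cfg: TransferConfig = DEMO_CONFIG) -> Optional[str]:
    """Pick the first candidate region (e.g. LLM provider regions in preference order) to which
    the transfer is permitted. None means the call must stay in-country or be refused."""
    for dest in candidates:
        if decide_transfer(TransferRequest(data_subject_id, dest, data_categories), cfg).permitted:
            return dest
    return None


if __name__ == "__main__":
    import json
    for dest in ("ID", "SG", "US"):
        print(json.dumps(decide_transfer(TransferRequest("subj-002", dest, ["NIK", "NPWP"])).audit_record))
    print(select_route("subj-002", ["NIK"], ["US", "SG", "ID"]))   # SG: subj-002 has no consent for US
```

The order of the branches matters: consent is the last resort, so a subject who has consented to US processing is still routed to a safeguarded region when one is available, and the audit record shows which basis actually carried the transfer.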
## Penalties
UU PDP penalties are substantial. Administrative sanctions are set out in Article 57, criminal penalties in Articles 67 and 68, and corporate fines under Article 70 run up to ten times the individual maximum:
| Violation type | Administrative penalty | Criminal penalty |
|---|---|---|
| Failure to maintain reasonable security safeguards | Up to 2% of annual revenue | — |
| Failure to notify breach within 3 x 24 hours | Up to 2% of annual revenue | — |
| Unlawfully obtaining, collecting or using personal data | — | Up to 5 years imprisonment + IDR 5 billion (individual) / IDR 50 billion (corporate) |
| Falsifying personal data for personal gain | — | Up to 6 years imprisonment + IDR 6 billion (individual) / IDR 60 billion (corporate) |
## A concrete example: lending platform processing NIK and NPWP
A P2P lending platform (LPBBTI) processes loan applications that contain NIK (national identity number), NPWP (tax identification number), bank account details, and Indonesian phone numbers. The platform uses an AI credit-scoring model and a customer-service copilot.
What UU PDP asks the platform to demonstrate:
- Article 4 (personal data categories): NIK and NPWP are personal data; the platform must identify and protect them in every processing pipeline.
- Article 46 (breach notification): if the AI system leaks or exposes NIK/NPWP data, the platform has 3 x 24 hours (72 hours) to notify MOCDA and affected data subjects.
- Article 56 (cross-border transfer): if the credit-scoring model is hosted by a foreign cloud provider, every data transfer must be logged with the legal basis (adequacy, safeguards, or consent).
How it maps to AxonFlow tiers:
Enterprise endpoints for Indonesian compliance are served through a shared OJK compliance module at /api/v1/ojk/*, covering OJK, BI, and UU PDP frameworks through a single API surface with framework-specific parameters.
| Need | Community | Evaluation | Enterprise |
|---|---|---|---|
| NIK detection (16-digit, province-code prefixed) | System policies (sys_pii_indonesia_nik) — pattern-based, ~0.7 confidence | Same | Same + province-code validation (~0.95 confidence) |
| NPWP detection (legacy 15-digit + new 16-digit) | System policies (sys_pii_indonesia_npwp_legacy, sys_pii_indonesia_npwp_new) | Same | Same + check-digit validation |
| Indonesian mobile (+62) detection | System policies (sys_pii_indonesia_phone) | Same | Same |
| Bank-account detection (BCA, Mandiri, BRI, BNI) | System policies — context-anchored patterns | Same | Same + enhanced validation |
| Policy enforcement on every LLM + MCP call | Yes | Yes | Yes |
| Full audit trail for breach reconstruction (Art. 46) | Yes (3-day retention) | Same (14-day) | Same + 10-year retention |
| HITL on decisions involving personal data | Can emit; no queue | HITL approval queue | Production HITL queue + portal |
| Breach notification template (Art. 46 fields) | Not provided | Not provided | POST /api/v1/ojk/breach/notify — generates Art. 46 compliant notification with 72h deadline |
| Cross-border transfer logging (Art. 56) | Not provided | Not provided | data_residency + transfer_basis fields in audit logs |
| Retention posture proof | Not provided | Not provided | GET /api/v1/ojk/audit/retention — per-data-type retention status |
| OJK readiness dashboard (UU PDP framework) | Not provided | Not provided | GET /api/v1/ojk/audit/readiness with framework: "UU_PDP" |
## What Community covers
Community is a credible starting point for UU PDP-relevant engineering work:
- audit logging with enough granularity to reconstruct what personal data was processed, when, and by which AI component — critical for Article 46 breach investigations
- system and tenant policy enforcement on every LLM and MCP call, providing the security safeguards Article 35 requires of controllers (failure to maintain them is the first administrative-penalty row above)
- Indonesia-relevant PII protection: NIK (16-digit, province-code prefixed), NPWP (both 15-digit legacy and 16-digit post-2024 formats), Indonesian mobile (+62), and bank-account patterns for the four major banks — 8 detection patterns total
Community PII detection is pattern-based with approximately 0.7 confidence. The patterns validate structural format (digit count, prefix ranges, context anchors for bank accounts and NPWP) but do not perform province-code lookups or check-digit validation. This is a meaningful detection layer — but it is not a substitute for application-level data classification in high-sensitivity pipelines.
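The difference between the two confidence levels in concrete terms: a structural pattern accepts any 16-digit run, while a validator decodes the NIK fields and rejects runs that cannot be a NIK (a payment-card number, an impossible birth date). This is an added example, not AxonFlow's sys_pii_indonesia_nik policy; the regex, the confidence figures and the decoding are mine, and the province code set is an assumed snapshot that must be maintained from the official Kemendagri list. It goes slightly beyond the text by also extracting the birth date and sex encoded in the NIK, which is what makes validation possible.

```python
"""NIK detection: structural pattern versus field-validated match (added example, not AxonFlow code).

NIK layout: PP RR DD (province, regency, district) + ddmmyy (birth date; 40 is added to the
day for women) + a 4-digit serial.
"""
import re
from datetime import date
from typing import Optional

# 16 consecutive digits not embedded in a longer digit run: the structural check only.
NIK_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")

# Assumed two-digit province prefixes, grouped by region (maintain from the official list).
PROVINCE_CODES = {
    11, 12, 13, 14, 15, 16, 17, 18, 19, 21,   # Sumatra and Riau Islands
    31, 32, 33, 34, 35, 36,                   # Java
    51, 52, 53,                               # Bali, NTB, NTT
    61, 62, 63, 64, 65,                       # Kalimantan
    71, 72, 73, 74, 75, 76,                   # Sulawesi
    81, 82,                                   # Maluku
    91, 92, 93, 94, 95, 96,                   # Papua, including the 2022 provinces
}

STRUCTURAL_CONFIDENCE = 0.7   # pattern only, as the Community tier reports
VALIDATED_CONFIDENCE = 0.95   # pattern plus field validation
REJECTED_CONFIDENCE = 0.2     # 16 digits that cannot be a NIK (e.g. a card number)


def validate_nik(nik: str, today: Optional[date] = None):
    """Return (True, decoded fields) or (False, reason)."""
    if len(nik) != 16 or not nik.isdigit():
        return False, "not 16 digits"
    province, regency, district = int(nik[0:2]), int(nik[2:4]), int(nik[4:6])
    day, month, yy, serial = int(nik[6:8]), int(nik[8:10]), int(nik[10:12]), int(nik[12:16])
    if province not in PROVINCE_CODES:
        return False, f"unknown province code {nik[0:2]}"
    if regency == 0 or district == 0 or serial == 0:
        return False, "zero regency, district or serial"
    sex = "F" if day > 40 else "M"
    if sex == "F":
        day -= 40
    # Two-digit year: take 20yy unless that lies in the future, then 19yy.
    today = today or date.today()
    year = 2000 + yy if 2000 + yy <= today.year else 1900 + yy
    try:
        born = date(year, month, day)
    except ValueError:
        return False, f"invalid birth date {nik[6:12]}"
    if born > today:
        return False, "birth date in the future"
    return True, {"province": nik[0:2], "regency": nik[2:4], "district": nik[4:6],
                  "born": born.isoformat(), "sex": sex, "serial": nik[12:16]}


def detect_nik(text: str, validate: bool = False) -> list:
    """Find NIK candidates; with validate=True, re-score each candidate by field validation."""
    findings = []
    for m in NIK_RE.finditer(text):
        value = m.group(0)
        if not validate:
            findings.append({"value": value, "confidence": STRUCTURAL_CONFIDENCE, "reason": "pattern"})
            continue
        ok, detail = validate_nik(value)
        findings.append({"value": value,
                         "confidence": VALIDATED_CONFIDENCE if ok else REJECTED_CONFIDENCE,
                         "reason": "validated" if ok else detail})
    return findings


# Constructed sample: a plausible NIK, a card-like 16-digit number, and a NIK with 31 February.
SAMPLE = ("Pemohon: Budi, NIK 3201011505900001, kartu 4111111111111111, "
          "referensi 3201013102950003")

if __name__ == "__main__":
    for f in detect_nik(SAMPLE, validate=True):
        print(f)
```

Run on the constructed sample, the pattern alone reports three findings at 0.7; with validation, only the first survives at 0.95 and the other two drop to 0.2 with a reason attached, which is the behaviour a pipeline wants before it decides whether to redact, block or escalate.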
## UU PDP breach notification workflow
For Enterprise users, the breach notification workflow is:
- Discover — the audit trail surfaces the anomaly or data exposure
- Assess — use the OJK readiness check to evaluate the scope of affected data
- Generate — POST /api/v1/ojk/breach/notify generates the Art. 46 notification template with all required fields and the 72-hour deadline calculated from the discovery timestamp
- Review — HITL approval gate for compliance and legal review before external notification
- Send — notification delivered to MOCDA (until the DPA is constituted) and affected data subjects
- Evidence — POST /api/v1/ojk/audit/export captures the complete breach-response trail
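The Discover, Assess and Generate steps worked end to end over an audit trail, as an added example that is not AxonFlow code and does not reproduce the output of /api/v1/ojk/breach/notify. The JSON Lines trail and its field names (ts, component, subject, pii, action, policy) are constructed; the logic scopes the exposure to one component and time window, excludes calls the policy gate already redacted, and drafts the three Article 46 elements with the 3 x 24 hour deadline computed from the discovery timestamp. It also covers the Community claim above that the trail must be granular enough to say which component processed which data, for whom, and when.

```python
"""Article 46 breach reconstruction from a constructed audit trail (added example, not AxonFlow code)."""
import json
from datetime import datetime, timedelta
from typing import List

NOTIFICATION_WINDOW = timedelta(hours=72)   # 3 x 24 hours

# Constructed audit trail, not real log output. Timestamps carry the WIB (+07:00) offset.
AUDIT_LOG = """\
{"ts":"2025-03-03T08:15:02+07:00","component":"cs-copilot","subject":"cust-1001","pii":["NIK","phone"],"action":"llm_call","policy":"allow"}
{"ts":"2025-03-03T09:40:11+07:00","component":"credit-scoring","subject":"cust-1002","pii":["NIK","NPWP","bank_account"],"action":"llm_call","policy":"allow"}
{"ts":"2025-03-03T11:02:45+07:00","component":"cs-copilot","subject":"cust-1003","pii":["phone"],"action":"mcp_call","policy":"allow"}
{"ts":"2025-03-03T13:20:00+07:00","component":"cs-copilot","subject":"cust-1004","pii":["NIK"],"action":"llm_call","policy":"deny_redacted"}
{"ts":"2025-03-04T07:30:00+07:00","component":"credit-scoring","subject":"cust-1005","pii":["NIK","NPWP"],"action":"llm_call","policy":"allow"}
"""


def ts(s: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset into an offset-aware datetime."""
    return datetime.fromisoformat(s)


def parse_audit_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = ts(ev["ts"])
            events.append(ev)
    return events


def reconstruct_exposure(events: List[dict], component: str, start: datetime, end: datetime) -> dict:
    """Scope to one component and window, keeping only calls where data passed the policy gate
    unredacted; a redacted or denied call did not expose the personal data it detected."""
    hits = [e for e in events
            if e["component"] == component and start <= e["ts"] <= end and e["policy"] == "allow"]
    return {
        "component": component,
        "subjects": sorted({e["subject"] for e in hits}),
        "data_categories": sorted({p for e in hits for p in e["pii"]}),
        "first_event": min(e["ts"] for e in hits).isoformat() if hits else None,
        "last_event": max(e["ts"] for e in hits).isoformat() if hits else None,
        "event_count": len(hits),
    }


def build_art46_notification(exposure: dict, discovered_at: datetime,
                             how_discovered: str, remediation: str) -> dict:
    return {
        "data_breached": exposure["data_categories"],      # Art. 46(2)(a): the personal data disclosed
        "affected_subjects": exposure["subjects"],
        "discovered_at": discovered_at.isoformat(),        # Art. 46(2)(b): when and how it was disclosed
        "how_discovered": how_discovered,
        "exposure_window": [exposure["first_event"], exposure["last_event"]],
        "remediation": remediation,                        # Art. 46(2)(c): handling and recovery efforts
        "notify_by": (discovered_at + NOTIFICATION_WINDOW).isoformat(),
    }


def check_notification(notice: dict, now: datetime) -> List[str]:
    """Problems that must block sending; an empty list means ready for the HITL review gate."""
    problems = []
    for key in ("data_breached", "discovered_at", "how_discovered", "remediation"):
        if not notice.get(key):
            problems.append(f"missing Art. 46 element: {key}")
    if now > ts(notice["notify_by"]):
        problems.append("overdue: 3 x 24 hour window has elapsed")
    return problems


def demo() -> dict:
    """Scenario (constructed): the copilot's tool output was exposed to a third party on 3 March
    between 08:00 and 14:00 WIB; the exposure was discovered on 5 March at 09:00 WIB."""
    events = parse_audit_log(AUDIT_LOG)
    exposure = reconstruct_exposure(events, "cs-copilot",
                                    ts("2025-03-03T08:00:00+07:00"), ts("2025-03-03T14:00:00+07:00"))
    return build_art46_notification(exposure, ts("2025-03-05T09:00:00+07:00"),
                                    "anomaly in MCP tool egress surfaced by audit review",
                                    "tool endpoint disabled, credentials rotated, affected subjects identified")


if __name__ == "__main__":
    notice = demo()
    print(json.dumps(notice, indent=2))
    print(check_notification(notice, ts("2025-03-06T09:00:00+07:00")))
```

Two details carry the weight here: the per-call policy outcome is what lets the reconstruction drop cust-1004 (detected NIK, but redacted before the call went out), and the deadline is computed from the discovery timestamp with its offset preserved, so a 72-hour window crossing a timezone or daylight boundary in a foreign provider region still resolves to the correct WIB instant.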
## Industry playbook
### P2P lending platforms (LPBBTI)
This is the concrete flow worked above: every loan application contains NIK and NPWP. AxonFlow's PII detection catches them before they reach the credit-scoring model unredacted, and the audit trail captures the governance chain from application intake through scoring and disbursement.
### E-commerce and marketplace platforms
Platforms processing customer orders, payment details, and delivery addresses handle NIK (for age-verified purchases) and Indonesian phone numbers at scale. UU PDP's breach-notification timeline means the platform needs granular audit logs to reconstruct exposure scope within hours, not days.
### Healthtech and insurtech
Applications processing KTP-derived data (NIK), medical records, and insurance claims face stricter UU PDP requirements because health data is classified as specific personal data under Article 4 paragraph (2). AxonFlow's PII detection and audit trail provide the foundational governance layer.
### Cross-border SaaS providers
Foreign SaaS providers serving Indonesian customers must comply with Article 56 cross-border transfer rules. AxonFlow's data_residency and transfer_basis audit-log fields (Enterprise) provide the transfer-logging foundation; the cross-border decision tree above is the compliance logic the engineering team implements.
