To print this article, simply register or connect to Mondaq.com.
Electronic direct marketing has been widely implemented in Indonesia, while at the same time, general public awareness of personal data protection has increased in recent years. Electronic direct marketing uses personal data collected by various means for the commercial and marketing purposes of certain parties. Although this practice does not contravene current regulations on the protection of personal data, certain aspects must be taken into account and the requirements must be observed, in particular with regard to data collection and consent.
Below are the Frequently Asked Questions regarding Electronic Direct Marketing which we have prepared on the basis of the laws and regulations in force in Indonesia on the protection of personal data.
1. What are the legal frameworks for data protection in Indonesia, especially on electronic direct marketing activities?
There are no specific regulations governing electronic direct marketing activities. Such activity is however subject to the regulations on the protection of personal data which are stipulated in various different regulations, such as:
- Law No. 11 of 2008 Electronic Information and Transactions, as amended by Law No. 19 of 2016 (“Law 11/2008”);
- Government regulations (“GR”) N ° 71 of 2019 on the functioning of the electronic system and the transaction
- Minister of Communication and Informatics
(“MoCI”) Regulation No. 20 of 2016 on the protection of personal data in electronic systems (“MoCI Regulation 20/2016”); and
- MoCI Regulation No. 5 of 2020 on providers of private electronic systems (“MoCI Regulation 5/2020”).
(together “Personal data protection regulations“)
In addition to the Personal Data Protection Regulations, electronic direct marketing is also subject to the following regulations:
- Consumer Protection Act No. 8 of 1999 (“Law 8/1999”);
- GR 80 of 2019 on commerce by electronic system
- Regulation of the Minister of Commerce No. 50 of 2020 on the Conditions for the Granting of Business Licenses, Advertising, Development and Monitoring of Commercial Actors in Commerce through an Electronic System
(“MoT 50/2020 Regulation”); and
- Financial Services Authority /Otoritas Jasa Keuangan
(“OJK”) Regulation No. 1 / POJK.07 / 2013 of 2013 as partially amended by OJK Regulation No. 31 / POJK.07 / 2020 of 2020 on the organization of consumer and public services by the OJK in the service sector financial (“Regulation OJK 1 / POJK.07 / 2013”).
In addition, the Indonesian government has finalized a draft law on the protection of personal data. (“PDP Bill”) in 2020, which is being finalized by the House of Representatives /Dewan Perwakilan Rakyat and it is currently planned to be adopted. The PDP Bill also contains relevant provisions for electronic direct marketing activities.
2. What is the scope of the processing of personal data in the context of direct marketing activities?
Personal data is defined as:
“any data about an individual that is identified and / or can be identified individually or in conjunction with other information both directly and indirectly through an electronic and / or non-electronic system“(Art. 1 point 29 of GR 71/2019).
The Regulation on personal data imposes any processing of personal data (including direct marketing activities) to be carried out legally on an appropriate legal basis (that is to say, the consent or for the legitimate interest of the controller and / or the data owner (Art. 14 (3) and 14 (4) (f) of GR 71/2019)). Legitimate interest of the personal data controller, in this context means that the processing of personal data carried out by a data controller can be carried out without the prior consent of the data owner. Provided that these processes are in the activities authorized under the laws and regulations in force.
Exceptions applicable for direct marketing activities: Notwithstanding the above provisions, specifically for the financial service provider, OJK strictly prohibits any financial service provider from making direct marketing communications without the prior consent of clients (art. 19 of OJK Regulation 1 / POJK.07 / 2013).
Since consent is widely emphasized with the protection of personal data and the uncertain scope of legitimate interest, it is always advisable for business owners to obtain the specific legal consent of their clients before conducting any marketing activities. direct to these customers.
3. Are there any restrictions on direct marketing electronic communications in Indonesia?
In general, any business can conduct direct electronic marketing activities as long as it complies with applicable laws and regulations. In addition, all companies must ensure that their marketing activities are valid and must not disturb the owner of the personal data in any way (art. 44 of GR 71/2019).
Moreover, art. 19 (2) of MoT 50/2020 requires that any electronic advertising meets the following conditions:
- It should not mislead consumers about the quality, quantity of material, usefulness and price of goods and / or service charges, as well as the estimated time of arrival.
- It must not mislead the warranty / guarantee of goods and / or services;
- It must not contain false, false or inaccurate information;
- It must include the risk of using the products and / or services;
- He must not exploit an event and / or a person without the consent of the party concerned;
- Provide a clear exit function (eg close or skip button) on displayed e-advertisement.
The above stipulation complies with the requirement set out in art. 17 of Law 8/1999, which further requires that all advertisers comply with the Code of Advertising Ethics
(AS) published by the Indonesian Advertising Council.
4. Does the restriction on electronic marketing also apply extraterritorial?
Yes, the applicable restrictions stated in point 2 above will apply extraterritorially to direct marketing sent from outside Indonesia due to the requirement of Law 11/2008 (Please refer to art. 2 of Law 11/2008 and its explanation).
It is important to note that Law 8/1999 applies to all companies that carry out activities (including marketing actions) in Indonesian jurisdiction, regardless of the legal presence of such companies in Indonesia.
5. Which agencies are responsible for data protection in Indonesia? Is there an authority specifically responsible for enforcing direct marketing restrictions?
In general, the authority responsible for data protection in Indonesia is the MoCI. In addition, individuals can also file a complaint for any inappropriate electronic advertising activity with the advertisers concerned and / or the order of the General Directorate of Consumer Protection and Trade under the Ministry of Commerce.
On a related note, consumers can also file complaints with the Indonesian Foundation for Consumer Protection /Yayasan Lembaga Konsumen Indonesia (YLKI) and / or the Indonesian Advertising Council for Non-Electronic Marketing Materials.
6. Are there any applicable sanctions for data protection breaches during direct marketing activities?
Any breach of data protection on direct marketing activities may be subject to administrative penalties, among others, verbal warning, written reprimand and suspension of activities. In addition, where appropriate, these may also be subject to criminal and civil liability.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.