The transfer of personal data (data transfer) refers to the processing of data by e-Commerce platforms, which must be protected against threats such as the illegal sale of data or unauthorized profiling. Legal protection for the transfer of personal data across e-Commerce platforms, in accordance with the law, requires adherence to the principle of good faith through consent and independent institutions that ensure the supervision of personal data protection.
In Indonesia, the transfer of personal data can only occur based on the provisions set forth in Articles 20 paragraph (2), 21 and 22 of Law No. 22 of 2022 concerning Personal Data Protection (the PDP Law). The legal basis for processing data must involve consent. This must align with the principles of personal data processing, as stipulated in Article 16 paragraph (2) of the PDP Law. If data transfers are not based on the legal grounds set forth in Articles 20 paragraph (2), 21, 22 and 56 of the PDP Law, they are considered unlawful, and the supervisory authority is obligated to take action against the platform as the data controller. Remedies for violations of consumers’ rights, including compensation, must be ensured.
European Business Law Review