PROTECTION OF DATA SUBJECT RIGHTS IN THE TRANSFER OF PERSONAL DATA BETWEEN DATA CONTROLLERS IN INDONESIA: A COMPARATIVE ANALYSIS OF THE PDP LAW AND THE EU GDPR

Syahreza Fachran, Padjadjaran University
Keywords: Data Subject, Data Controller, Personal Data Protection, Personal Data Transfer, Standard Contractual Clauses

Abstract

The rapid digital transformation and growth of e-commerce in Indonesia have triggered a high volume of personal data transfers between controllers, while Article 55 of the Personal Data Protection Law (UU PDP) provides only a general authorization without clear technical guidance, creating legal uncertainty and risks to data subject rights. This study analyzes the legal uncertainty of UU PDP’s regulation of controller-to-controller data transfers compared to the EU GDPR and proposes an accountable and transparent mechanism tailored to Indonesia. A normative and comparative legal method is employed, examining legislation, the principles of transparency and accountability, and a comparison between Article 55 UU PDP and Article 46 GDPR on safeguards and Standard Contractual Clauses (SCCs). The findings reveal substantial gaps in technical standards, verification mechanisms, documentation, and enforcement, in contrast to the GDPR’s modular SCCs, mandatory DPIAs, records of processing activities, and effective supervisory powers. The absence of standardized contractual clauses and an operational supervisory authority in Indonesia weakens transparency and the fulfillment of data subject rights. The study recommends adopting Indonesia-specific SCCs, strengthening an independent supervisory authority, and implementing techno-regulation through privacy by design, encryption, and Data Loss Prevention. Harmonization with GDPR standards via SCCs and institutional strengthening is essential to ensure secure, transparent, and accountable controller-to-controller transfers.

Published
2026-01-16
How to Cite
Syahreza Fachran. (2026). PROTECTION OF DATA SUBJECT RIGHTS IN THE TRANSFER OF PERSONAL DATA BETWEEN DATA CONTROLLERS IN INDONESIA: A COMPARATIVE ANALYSIS OF THE PDP LAW AND THE EU GDPR. Awang Long Law Review, 8(2). https://doi.org/10.56301/awl.v8i2.1827