ROPA as Transparency in Personal Data Protection

Tanya W. Kusumah, Fathan Akram A.

Introduction

Personal data protection constitutes a vital aspect of the State’s role in safeguarding the personal data of its citizens. Pursuant to Law Number 27 of 2022 concerning Personal Data Protection ("PDP Law"), personal data protection is defined as the entirety of efforts to secure Personal Data throughout the process of Personal Data processing, with the objective of ensuring the constitutional rights of Personal Data subjects. In this context, the subjects of personal data protection are classified into four categories, namely:

  1. Personal Data Subject.
  2. Personal Data Controller.
  3. Personal Data Processor.
  4. Personal Data Protection Institution.

In the PDP Law, the personal data controller is defined as any person, government institution, and international organization that acts individually or jointly in determining the purpose and controlling the processing of Personal Data. In this sense, the controller is the party responsible for all data collected from the data subject.

The data processor, in turn, is defined in the PDP Law as any person, government institution, and international organization that acts individually or jointly in processing Personal Data on behalf of the Personal Data Controller.

Data Controllers and Data Processors are Required to Use ROPA

A Record of Processing Activities (“ROPA”) is comprehensive documentation that systematically records all personal data processing activities undertaken by an organization. The purpose of ROPA is to establish transparency and accountability in the management of personal data. Essential elements to be included in ROPA encompass the identity of the data controller and processor, the purposes of processing, categories of data processed, legal basis for processing, and data retention periods.

The utility of ROPA extends beyond mere documentation; it serves as a critical instrument to ensure compliance with data protection regulations and facilitates both internal and external audits. Through this thorough examination, it is evident that personal data protection transcends technical considerations and embodies a fundamental respect for human rights in the digital age.

Under the PDP Law, the Personal Data Controller is required to record all Personal Data processing activities. This recording requirement reflects that all data processing must be carried out transparently and accountably. The PDP Law sets out what must be covered when recording personal data processing, including, among others:

  1. Legality of processing Personal Data;
  2. Purpose of processing Personal Data;
  3. Type and relevance of Personal Data to be processed;
  4. Retention period for documents containing Personal Data;
  5. Details about Information collected;
  6. Personal Data processing period; and
  7. Personal Data Subject Rights.

The Draft Government Regulation on the Implementing Regulations of Law Number 27 of 2022 concerning Personal Data Protection ("Draft GR PDP") explains in more detail what data controllers must do. Data controllers must also ensure that data processors record data in accordance with the provisions contained in Article 87 paragraph (2), including:

  1. Name and contact details of the Personal Data Controller, Joint Personal Data Controllers and/or Personal Data Processors;
  2. Contact details of the Personal Data Protection Officer;
  3. Sources of collection and purposes of transmission of Personal Data;
  4. Basis for processing Personal Data;
  5. Purpose of processing Personal Data;
  6. Types of Personal Data;
  7. Categories of Personal Data Subjects;
  8. Parties other than the Personal Data Controller who may access Personal Data;
  9. Fulfillment of the rights of Personal Data Subjects;
  10. Mapping of Personal Data flows;
  11. Retention period; and
  12. Technical and organizational steps to secure Personal Data. 

In this case, if the data controller does not record the data during processing, administrative sanctions will be imposed as stated in Article 57 paragraph (1) of the PDP Law, while Article 57 paragraph (2) explains that administrative sanctions include:

  1. Written warning;
  2. Temporary suspension of Personal Data processing activities;
  3. Deletion or destruction of Personal Data; and/or
  4. Administrative fines.

As for administrative fines, Article 57 paragraph (3) explains that the maximum is 2 (two) percent of annual income or annual receipts, assessed against the violation variables. These sanctions will be imposed by the Personal Data Protection agency, as will be regulated in a Government Regulation. The violation variables are regulated in Article 255 paragraph (2) of the Draft GR PDP and include, among others:

  1. Negative impacts caused by violations;
  2. Duration of time during which the violation occurred;
  3. Types of Personal Data affected;
  4. Number of people affected;
  5. Violation discovery process;
  6. The level of openness and cooperation of the Personal Data Controller in the investigation process;
  7. Scale of business of Personal Data Controller or Personal Data Processor;
  8. The ability of the Personal Data Controller or Personal Data Processor to pay; and
  9. Other relevant considerations.

Conclusion

Every data controller and data processor is required to maintain a ROPA, because administrative sanctions apply if a data controller or data processor does not record data on personal data subjects. This can be detrimental to corporations and government institutions acting as data controllers, because the administrative fine is quite large, namely 2 percent of annual income.


This article is intended for general informational purposes only and does not constitute legal advice. For legal assistance or inquiries specific to your situation, please contact us at info@adplaws.com.
