← Back to Blog
Industry5 min read

Indonesia's PDP Law and Biometric Data: What Builders Need to Know

A developer's guide to UU PDP (Law No. 27 of 2022) — how Indonesia's data protection law treats face recognition, consent rules, and compliance architecture.

Indonesia Now Has a GDPR-Style Data Law

Indonesia's Personal Data Protection Law — Undang-Undang No. 27 Tahun 2022 (UU PDP) — is the country's first comprehensive data protection statute. After a two-year transition period, it is now fully enforceable, and it directly governs how applications may collect and process face data for Indonesia's 270+ million people.

If you build KYC, attendance, access control, or any identity feature for the Indonesian market, UU PDP is your baseline. This guide covers what the law says about biometric data and how to architect for it.

Biometric Data Is "Specific" Personal Data

UU PDP divides personal data into two tiers. Specific personal data (data pribadi yang bersifat spesifik) receives heightened protection, and the law explicitly lists biometric data in this category, alongside health data, financial data, and criminal records.

That means face embeddings, fingerprints, and any data generated by face recognition processing sit in the most protected tier of Indonesian data law — similar in spirit to GDPR's Article 9 special categories, which we cover in our GDPR compliance guide.

Practical consequences of the "specific" classification:

  • • Processing generally requires explicit consent from the data subject
  • • A data protection impact assessment is required, because biometric processing is considered high risk
  • • Organizations processing specific personal data at scale must appoint a data protection officer
  • • Breaches involving specific personal data carry the law's heavier sanctions
  • UU PDP requires consent to be explicit, informed, and documented — delivered in Bahasa Indonesia where the data subject requires it. For face recognition flows this means:

  • State the purpose precisely. "Kami memproses foto wajah Anda untuk verifikasi identitas" beats a vague "data processing" clause buried in terms of service.
  • Separate biometric consent from general terms. Bundled consent is exactly what the law is designed to reject.
  • Record the consent event — timestamp, version of the notice, and the choice made.
  • Honor withdrawal. Users can revoke consent, which obliges you to stop processing and delete the biometric record.
  • Like GDPR, UU PDP grants data subjects rights of access, correction, deletion, and objection. Your face recognition integration needs a working deletion path — with ARSA Face API that is a single call to the delete_face endpoint, which removes the user's embedding from your isolated database.

    Penalties Are Real

    UU PDP provides administrative sanctions (written warnings, processing suspension, deletion orders, and fines of up to 2% of annual revenue) and criminal penalties for intentional unlawful collection or disclosure, with imprisonment of up to six years for the most serious offenses. Corporate offenders face multiplied fines and possible license revocation.

    For startups, the more immediate risk is operational: a deletion order against your face database, or suspension of processing, can halt an identity product entirely.

    Data Residency and Cross-Border Transfers

    UU PDP permits cross-border transfers when the receiving country provides an equal or higher level of protection, when adequate safeguards exist, or with the data subject's consent. Sector rules add stricter requirements — Indonesian financial services regulation (OJK and Bank Indonesia rules) can require certain systems and data to be operated onshore.

    Design options, in increasing order of control:

  • Cloud API with disclosed processing locations and consent covering the transfer
  • Self-hosted deployment inside Indonesia, which sidesteps transfer analysis entirely — see our self-hosted vs. cloud comparison for the trade-offs
  • ARSA Technology is an Indonesian company, and the ARSA Face SDK is available for on-premise deployment for organizations with strict residency requirements, while the cloud API offers the fastest integration path.

    Why This Matters for KYC in Indonesia

    Indonesia's digital economy runs on remote identity verification: digital banks, e-wallets, P2P lending, and crypto exchanges all onboard customers with a selfie plus ID document flow. Regulators expect that flow to be robust against fraud, which is why liveness detection is now standard in Southeast Asian KYC.

    A UU PDP-aligned KYC pipeline looks like this:

  • Show a Bahasa Indonesia consent screen that names biometric processing
  • Capture the selfie and run passive liveness detection to reject photos, screens, and masks
  • Verify the live selfie against the ID document photo with 1:1 face verification
  • Store only the face embedding if ongoing re-verification is needed — never the raw images
  • Delete the biometric record when the customer relationship ends or consent is withdrawn
  • Our guide to face verification for KYC covers the verification mechanics in more depth.

    Compliance Checklist for UU PDP

  • • Map where face data flows through your system and who touches it
  • • Classify face embeddings and face images as specific personal data
  • • Build an explicit, separate, Bahasa-Indonesia-capable consent flow
  • • Conduct and document a data protection impact assessment
  • • Appoint a data protection officer if you process biometric data at scale
  • • Implement access and deletion rights end to end
  • • Verify your vendor's storage model — embeddings only, transient image processing, isolated per-tenant databases
  • • Decide cloud vs. on-premise based on your sector's residency rules
  • • Prepare a breach response plan — UU PDP requires notification within 72 hours (3×24 hours)
  • Building Compliant Face Recognition in Indonesia

    ARSA Face Recognition API gives Indonesian builders a local-first option: per-user isolated face databases, embedding-only storage, one-call deletion, and built-in passive and active liveness detection — from a company that operates under the same law you do.

    Start free with 100 API calls/month, read the API documentation, or review our security overview when preparing your vendor assessment.

    This article is general information, not legal advice. Consult qualified Indonesian counsel for your specific obligations.

    Ready to get started?

    Try ARSA Face Recognition API free with 100 API calls/month.

    Start Free Trial