Indonesia's Personal Data Protection Law (UU PDP No. 27/2022) for Training-Participant Data: An Operational Guide to Controller–Processor Roles, DPO, Breach Notification, Retention, and Sanctions
An operational guide to Indonesia's PDP Law No. 27/2022 for training participant data: controller–processor roles, the DPO duty after Constitutional Court Decision 151/PUU-XXII/2024, valid consent for session photos/video, retention and destruction, the 3x24-hour breach notification, administrative 2% + criminal sanctions, and the nine mandatory vendor-contract clauses that shield the buyer.
Neksus Research Team
Corporate training curation research — Neksus
Short answer: Training-participant data (attendance lists, assessment results, session recordings, class photos) is personal data under Law No. 27/2022 on Personal Data Protection (UU PDP), fully enforceable since 17 October 2024. The buying company is the Data Controller; the training vendor processing data on its behalf becomes the Data Processor. Primary responsibility stays with the Controller even when the breach happens at the vendor, so the vendor contract must carry nine minimum clauses: roles, purpose, retention, security, sub-processors, cross-border transfers, ≤24-hour internal incident notification, destruction evidence, and audit right. Sanctions reach 2% of annual revenue (administrative) and 6 years' imprisonment + IDR 60 billion for corporations (criminal).
Most PDP Law articles stop at a definition of personal data and a list of sanctions. A training buyer who must answer for the vendor contract needs more: the operational mapping of controller–processor roles, the DPO duty after the Constitutional Court ruling 151/2024, the consent mechanics for session recordings, retention for training data, the cross-border-transfer routes, and the contract clauses that move risk to the party that should carry it. This guide closes that gap with article-specific references.
Intended readers: HR / HC / L&D / SDM, Legal & Compliance, DPO / Privacy, and Procurement teams at private companies, BUMN/BUMD, government agencies, institutions, associations, and non-profits buying or running training for their workforce.
Quick navigation
- Why training equals processing personal data
- Controller and processor roles (Arts. 1, 47–51)
- Participant data-subject rights (Arts. 5–13)
- DPO: duty after MK Decision No. 151/PUU-XXII/2024
- Valid consent for photos, video, and session recordings
- Data minimisation and training-data retention
- Incident notification: 3x24-hour deadline (Art. 46)
- Cross-border transfers (Art. 56) for global LMS
- Sanctions: administrative 2% and criminal up to 6 years
- Training-vendor contract: nine mandatory clauses
- Vendor due-diligence checklist (ready to use)
- Worked example: multi-batch internal academy programme
- Common mistakes and how to avoid them
- FAQ
- Next steps
Why training equals processing personal data
Start from the official definition. PDP Law Article 1(1) defines personal data as data about an identifiable natural person, alone or combined with other information, directly or indirectly, through electronic or non-electronic systems. Nearly every training artefact fits:
- Attendance lists (name + employee ID + work email).
- Pre/post-test results, competency assessments, 360-feedback outputs.
- Session video recordings, discussion transcripts, group photos.
- Progress reports tying performance to individuals.
- Demographic data collected for personalisation.
Some escalate to specific personal data (Article 4(2)) — health, biometric, genetic, child, political/religious views, personal financial records — which require stricter protection. Wellbeing training that records mental-health context, occupational-safety training that captures physical condition, or executive coaching touching family finances all risk hitting the specific category.
The practical consequence is simple: every training programme is a personal-data processing activity and falls under the full PDP Law at all times, whether or not a breach ever occurs.
Controller and processor roles (Arts. 1, 47–51)
These two roles decide who carries what.
- Data Controller (Art. 1(4)) — the party that determines the purpose and exercises control over processing. When your company decides to run a leadership programme, selects participants, and defines what to measure, you are the Controller.
- Data Processor (Art. 1(5)) — the party processing on the Controller's behalf. A training vendor receiving the participant list, running assessments, and delivering reports is the Processor.
The consequence often missed: primary liability for breaches stays with the Controller (Arts. 47 & 51). Even if the leak happens on a vendor server, Data Subjects and the PDP Authority will look to your company first. Vendor indemnification clauses shift the financial burden, but not the reputational burden or notification duty.
Rule of thumb: the Controller is accountable; the Processor executes. Without a written agreement binding the Processor to the Controller's standards, the Controller is judged by the Processor's conduct, and the Processor's lapse becomes the Controller's violation.
Participant data-subject rights (Arts. 5–13)
The PDP Law grants ten rights. For training participants, the operational translation:
| Article | Right | Practical implication for training |
|---|---|---|
| 5 | Information (clarity & purpose) | Provide a short privacy notice at programme start |
| 6 | Complete, update, correct data | Participants may correct an erroneous assessment result |
| 7 | Access and copy of data | Requests for an assessment copy must be honoured |
| 8 | Withdraw consent | Withdraw recording consent without losing the right to attend |
| 9 | Object to automated decisions | Automated ranking must be reviewable by a human |
| 10 | Suspend or restrict processing | Suspension requests handled while verification proceeds |
| 11 | Claim and receive compensation | Claim channel made clear in the privacy notice |
| 12 | Deletion / destruction | Timely destruction SOP in place |
| 13 | Receive data in structured format (portability) | Competency-report copies exportable |
| — | (Arts. 14–15) Special-scope rights & lawful exceptions | Case-by-case review |
Companies must build an official channel accessible to participants (DPO email, HR portal form) with a documented internal response SLA. Vendors processing data must be contracted to forward requests within a tighter SLA (e.g. ≤2 working days) so you as Controller can meet the statutory deadline.
DPO: duty after MK Decision No. 151/PUU-XXII/2024
Article 53 of the PDP Law mandates appointing a Data Protection Officer (DPO) when any of these is met: (i) processing for public services; (ii) core activities require regular and systematic large-scale monitoring; (iii) core activities consist of large-scale processing of specific personal data or crime-related data.
On 16 July 2025, the Constitutional Court of Indonesia issued Decision No. 151/PUU-XXII/2024 striking down the conjunctive "and" in Article 53(1) as unconstitutional — the threshold dropped. Meeting any one criterion is sufficient. Implications for training buyers:
- Mid-to-large enterprises running an internal academy with routine cross-unit competency assessment likely fall within "regular and systematic large-scale monitoring".
- Government agencies and BUMN processing civil-servant or employee training data for public services automatically meet criterion (i).
- Training vendors with hundreds of participants across clients on a platform likely become Processors with their own DPO duty (Article 53(2)).
A DPO need not be a new manager — the function may be held by an existing officer (legal, compliance, or privacy) as long as independence is preserved. What cannot be combined: roles that decide purpose or means of processing (e.g. a CIO/CTO who also designs the system), as that creates a conflict of interest.
Core point: After the MK ruling, the DPO threshold dropped. If you run an active internal academy or process training data at scale, assume the duty applies — and appoint before an audit finds it.
Valid consent for photos, video, and session recordings
Many vendors still rely on a blanket clause: "by registering you consent to all documentation". Article 22 of the PDP Law closes that door. Valid consent must be:
- Explicit — an active statement of agreement.
- Purpose-specific — attendance consent differs from session-recording consent, group-photo consent, testimonial-publication consent, and coaching-audio consent.
- Fully informed — the participant knows what data, for what, how long, and to whom it goes.
- Free — refusing one type of processing does not remove the right to attend (unless that processing is inherent to the service, e.g. name for the certificate).
- Withdrawable — withdrawal must be at least as easy as giving consent.
Healthy practice for training sessions: use a layered consent form with separate checkboxes:
- ☐ I consent to my attendance being recorded for certificate and internal-report purposes.
- ☐ I consent to the session being recorded (audio/video) for internal documentation for up to 90 days.
- ☐ I consent to group photos being used in internal organisational communications.
- ☐ I consent to my name and testimonial being used in the vendor's external/marketing communications.
Consent withdrawal must connect to operational mechanics: if a participant withdraws recording consent on day 30, the recording must be deleted within an internal deadline (e.g. ≤14 days) with destruction evidence.
Data minimisation and training-data retention
PDP Law Article 16(2) contains the processing principles, including (b) limited and specific, (c) purpose-aligned, (f) accurate and current, and (g) time limited to the necessary period (the retention-minimisation principle). Article 43 governs deletion; Article 44 governs destruction after retention ends or the purpose is fulfilled.
For training data, a healthy retention map:
| Data type | Suggested retention | Basis |
|---|---|---|
| Attendance lists & certificates | 5–10 years | HR & labour audit; procurement PMK for agencies |
| Final assessment results entering the competency report | Career cycle (e.g. 3–5 years) | HR need |
| Raw assessments (individual pre/post test answers) | 30–90 days post-report | Absorbed into report; purpose fulfilled |
| Session video/audio recordings | 60–90 days (for internal-doc purpose) | Limited purpose; higher risk |
| Class photos | Per consent period + max 1 year | Purpose-specific consent |
| Personal coaching/discussion notes | Per coaching contract, typically 30 days | Highly sensitive |
| Dropout/consent-refusal lists | Internal-admin minimum only | Minimisation |
The vendor contract must include category-specific retention, automatic destruction at the end of the period, and written destruction evidence (statement + system log) as a precondition for releasing the final payment tranche.
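The retention map above and the consent-withdrawal mechanics in the previous section (delete within an internal deadline, with destruction evidence) can be run as one scheduler. This is an added example written for this guide, not code from Neksus or any vendor; the category names, trigger events and the 14-day withdrawal grace period are constructed from the guide's suggested figures and are assumptions to adjust per contract.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Internal deadline for deleting data after consent withdrawal (assumption,
# taken from the guide's "e.g. <=14 days" illustration).
WITHDRAWAL_GRACE_DAYS = 14

# Retention map as (trigger event, days after trigger, consent-based?).
# Days are the guide's suggested values; trigger names are constructed.
RETENTION = {
    "attendance_list":   ("programme_end",    10 * 365, False),
    "final_assessment":  ("report_delivered", 3 * 365,  False),
    "raw_assessment":    ("report_delivered", 90,       False),
    "session_recording": ("session_end",      90,       True),
    "class_photo":       ("consent_given",    365,      True),
    "coaching_notes":    ("session_end",      30,       True),
}


def _to_date(value) -> date:
    """Accept a date or an ISO-8601 string so records can come from a CSV."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                      # when the category's trigger event happened
    consent_withdrawn: Optional[date] = None

    def __post_init__(self):
        self.trigger_date = _to_date(self.trigger_date)
        if self.consent_withdrawn is not None:
            self.consent_withdrawn = _to_date(self.consent_withdrawn)


def destruction_due(rec: Record) -> tuple:
    """Return (due date, basis). A consent withdrawal brings the date forward
    to withdrawal + grace period; it never pushes destruction later."""
    trigger, days, consent_based = RETENTION[rec.category]
    due = rec.trigger_date + timedelta(days=days)
    basis = f"retention {days}d after {trigger}"
    if rec.consent_withdrawn is not None:
        if not consent_based:
            # e.g. attendance kept for the certificate: withdrawal is noted for
            # review but the HR/audit retention basis stays in force.
            basis += "; withdrawal noted, non-consent basis retained"
        else:
            early = rec.consent_withdrawn + timedelta(days=WITHDRAWAL_GRACE_DAYS)
            if early < due:
                due = early
                basis = f"consent withdrawn; {WITHDRAWAL_GRACE_DAYS}d internal deadline (Art. 8)"
    return due, basis


def destruction_log(records, today) -> list:
    """Build the evidence entries the contract asks for: one line per record
    with due date, basis and status, overdue items first."""
    today = _to_date(today)
    entries = []
    for rec in records:
        due, basis = destruction_due(rec)
        if due < today:
            status = "OVERDUE"
        elif due == today:
            status = "DUE_TODAY"
        else:
            status = "SCHEDULED"
        entries.append({"record_id": rec.record_id, "category": rec.category,
                        "due": due.isoformat(), "basis": basis, "status": status})
    order = {"OVERDUE": 0, "DUE_TODAY": 1, "SCHEDULED": 2}
    entries.sort(key=lambda e: (order[e["status"]], e["due"]))
    return entries
```

Feeding the log into the vendor's destruction statement gives the "statement + system log" pair the contract should demand before the final payment tranche.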
Incident notification: 3x24-hour deadline (Art. 46)
Article 46 of the PDP Law requires the Controller to send written notification within 3x24 hours (72 hours) of discovery to the Data Subject and the Authority (PDP body). The notice must include: type of data exposed, time and manner, and remedial action. Where impact is wide, the public must also be informed.
The 72-hour window feels long until you run a realistic timeline:
| Hour | Activity |
|---|---|
| 0–6 | Initial identification + incident confirmation + system isolation |
| 6–24 | Scope investigation: what data, how many subjects, vector |
| 24–48 | Drafting notice + legal review + DPO + internal communication |
| 48–72 | Dispatch to subjects + PDP Authority; prepare public communication for wide impact |
This is why the vendor contract must include an internal notification deadline of ≤24 hours from vendor discovery — leaving you as Controller 48 hours to run the four phases above. "Notification within a reasonable time" is not enough; put a number on it.
Callout: An incident discovered by the vendor on Friday afternoon and reported to you Monday morning has already burned 60+ hours from your 72-hour quota. The vendor's internal-notification SLA is the Controller's primary shield.
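The timeline and the Friday-afternoon callout above can be checked with a small incident clock. This is an added example written for this guide, not code from Neksus or any vendor; it starts the 72-hour clock conservatively at the vendor's discovery (an assumption) and scales the four phases into whatever window the Controller actually has left.

```python
from datetime import datetime, timedelta

# Deadlines as the guide states them: 3x24 hours to notify Data Subjects and
# the Authority (Art. 46), and the <=24-hour vendor-to-Controller SLA the
# contract should carry. Clock start at vendor discovery is an assumption.
STATUTORY_WINDOW_H = 72
VENDOR_SLA_H = 24

# The four phases of the guide's realistic timeline, (name, planned hours)
# for an unhurried 72-hour run.
PHASES = [
    ("identification + confirmation + isolation", 6),
    ("scope investigation (data, subjects, vector)", 18),
    ("draft notice + legal/DPO review + internal comms", 24),
    ("dispatch to subjects + Authority (+ public if wide)", 24),
]


def _to_dt(value) -> datetime:
    """Accept a datetime or an ISO-8601 string such as '2026-05-15 16:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def incident_clock(vendor_discovered, controller_notified) -> dict:
    """How much of the 72-hour quota is already burned when the Controller
    learns of the incident, whether the vendor SLA held, and the hard deadline."""
    found = _to_dt(vendor_discovered)
    told = _to_dt(controller_notified)
    if told < found:
        raise ValueError("notification cannot precede discovery")
    burned = (told - found) / timedelta(hours=1)
    deadline = found + timedelta(hours=STATUTORY_WINDOW_H)
    return {
        "hours_burned": burned,
        "hours_remaining": max(0.0, STATUTORY_WINDOW_H - burned),
        "vendor_sla_met": burned <= VENDOR_SLA_H,
        "deadline": deadline.isoformat(sep=" "),
    }


def compress_phases(hours_remaining: float) -> list:
    """Scale the 72-hour phase plan proportionally into the remaining window,
    so the DPO sees how little time each phase really gets."""
    total = sum(h for _, h in PHASES)
    return [(name, round(h * hours_remaining / total, 1)) for name, h in PHASES]
```

With the guide's Friday 16:00 discovery reported Monday 09:00, the clock shows 65 hours burned and a 7-hour window for all four phases.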
Cross-border transfers (Art. 56) for global LMS
Many organisations use global LMS/LXP platforms (Cornerstone, Docebo, Coursera for Business, LinkedIn Learning) or clouds with servers outside Indonesia. Article 56 of the PDP Law permits cross-border transfer on one of these bases:
- Destination country has equivalent or higher protection to the PDP Law (assessed by the PDP Authority).
- Adequate binding safeguards exist — e.g. standard contractual clauses, privacy certifications (ISO/IEC 27701, BCR), intra-group protection policies.
- Data Subject consent.
Healthy practice for corporate training buyers:
- Pick services with an Indonesia storage region where available (many major cloud vendors now offer a Jakarta region).
- Where unavailable, use standard contractual clauses mirroring PDP Law duties (similar in spirit to EU GDPR SCCs; consult legal).
- Document the transfer basis per data category in the processing register.
- Disclose the transfer in the participant privacy notice explicitly, including destination country.
- For regulated sectors (banking under OJK Regulation No. 11/POJK.03/2022 on the Operation of Information Technology by Commercial Banks, healthcare under Health Ministry rules on electronic medical records), add sectoral compliance.
Sanctions: administrative 2% and criminal up to 6 years
The consequences make a compliance investment economical fast.
Administrative sanctions (Article 57) escalate from light to heavy:
- Written warning.
- Temporary suspension of processing activities.
- Deletion or destruction of personal data.
- Administrative fine of up to 2% of annual revenue or annual income, calculated against the violation variable.
Criminal sanctions are heavier:
| Article | Violation | Imprisonment | Fine |
|---|---|---|---|
| 67(1) | Unlawful data collection | max 5 years | max IDR 5 bn |
| 67(2) | Unlawful disclosure | max 4 years | max IDR 4 bn |
| 67(3) | Unlawful use | max 5 years | max IDR 5 bn |
| 68 | Falsifying data | max 6 years | max IDR 6 bn |
| 69 | Creating false data | max 6 years | max IDR 6 bn |
Article 70 raises fines up to 10x for corporate offenders, plus additional sanctions: confiscation of profit/assets, freezing all or part of operations, temporary ban, closure, up to dissolution of the corporation.
Implication for training buyers: violations originating at the vendor (leak, use of participant data for marketing without consent, cross-border transfer without basis) can still become Controller violations. Contract clauses are the primary risk-transfer mechanism before indemnification.
Training-vendor contract: nine mandatory clauses
Treat these nine as a personal-data protection annex attached to the NDA/contract — not buried paragraphs:
- Role confirmation — vendor is Processor; company is Controller; vendor only processes on Controller's documented instructions.
- Purpose, types and categories of data — a limited list (e.g. name, work email, title, results of competency assessment X); prohibit other purposes (vendor marketing, AI model training, etc.).
- Explicit duration & retention — retention period per category with automatic destruction date.
- Technical & organisational security standards — encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, audit logs, MFA for admin access, vendor-staff PDP training.
- Sub-processors — prohibited without written Controller consent; sub-processor list disclosed in an annex; changes notified ≥30 days in advance.
- Cross-border transfers — Article 56 basis used, with per-category documentation.
- Incident notification — obligation to notify Controller within ≤24 hours of discovery; including data type, estimated affected subjects, and remediation steps.
- Destruction & evidence — at programme end, vendor destroys all participant data and delivers a destruction statement + system log as a precondition to releasing the final payment.
- Audit right & indemnification — Controller has the right to audit (directly or via independent auditor) with reasonable notice; vendor indemnifies for breaches arising from its negligence.
For broader contract guidance (including tax and procurement dimensions), see Training PO, VAT & Tax Invoice Procedure in Indonesia.
Vendor due-diligence checklist (ready to use)
Before signing, ensure all are ticked:
- Vendor internal privacy policy received and reviewed.
- Programme data-flow diagram included.
- Sub-processor list and storage regions known.
- Written incident-response procedure included, with the ≤24-hour internal SLA committed.
- Evidence of PDP training for vendor staff handling participant data.
- ISO/IEC 27001 (ISMS) or ISO/IEC 27701 (PIMS) certification where relevant.
- Cross-border-transfer clause with a clear Article 56 basis.
- Layered participant consent (attendance/recording/photo/testimonial separated).
- Per-category retention documented.
- Destruction commitment + written evidence bound in contract.
- Explicit Controller audit right.
- Indemnification clause agreed.
A vendor that refuses to answer or returns generic answers is as severe a red flag as one that refuses to issue a tax invoice. For the broader vendor-evaluation rubric, see How to Choose a Corporate Training Vendor / Provider in Indonesia.
Worked example: multi-batch internal academy programme
Illustrative scenario (method demonstration):
A BUMN runs a Leadership Academy for 600 supervisors across 12 batches in a year. An external training vendor runs the 360 assessment, in-person sessions, and follow-up coaching. PDP Law mapping:
Roles: BUMN = Controller; vendor = Processor; the third-party 360 assessment platform = sub-processor.
Data categories: name/employee-ID/title (general); 360 feedback with manager-peer-direct-report comments (context-sensitive); coaching session recordings (highly sensitive).
DPO: Regular cross-unit large-scale processing → BUMN must appoint a DPO (Article 53 criteria). Vendor must appoint its own DPO (Art. 53(2)).
Consent: Layered — attendance (employment-contract basis), 360 feedback (consent + rater confidentiality), coaching recordings (explicit consent, opt-out without career consequence).
Retention: Attendance 10 years (per HR audit); 360 results entering the development report 3 years; raw 360 data destroyed 90 days post-report; coaching recordings 30 days post-session.
Cross-border transfer: If the 360 platform is hosted in Singapore, basis Article 56(b) with standard contractual clauses; disclosed in the privacy notice.
Incident: Vendor obliged to notify the BUMN ≤24 hours; BUMN DPO activates the 72-hour procedure.
Destruction: End of programme → destruction statement + log from the vendor + sub-processor → precondition to releasing the final 10% payment tranche.
Lesson: PDP compliance is not an add-on; it re-maps five categories of programme decision (consent, retention, transfer, DPO, contract) before batch one begins.
Common mistakes and how to avoid them
Core take-aways:
- Treating training data as "not sensitive" → every training artefact is personal data; some is specific.
- Using a blanket consent clause → build layered consent per purpose (Art. 22).
- Not appointing a DPO because "too complex" → after MK 151/2024 the threshold dropped; assume duty for active academies.
- No retention and destruction mapping → violates Art. 16(2)(g) principle; design retention per category.
- Vendor notification deadline of "reasonable" → put a number on it: ≤24 hours so the 72-hour Controller deadline is protected.
- Using global LMS without a transfer basis → document Article 56 per data category.
- Relying on vendor indemnification → Controller liability remains; preventive clauses outweigh curative ones.
FAQ
Are attendance lists, assessment results, and session photos covered as personal data under the PDP Law?
Yes. Article 1(1) of Law No. 27/2022 defines personal data as data about an identifiable natural person, alone or in combination, via electronic or non-electronic systems. Names, titles, work emails, competency-assessment results, pre/post-test scores, session recordings, and group photos are all identifiable to individuals, so all fall fully under the PDP Law. When training touches health, beliefs, or child data, it escalates to specific personal data (Article 4(2)) with stricter duties.
Who is controller and who is processor when a company buys training from a vendor?
The buyer is the Data Controller because it determines the purpose and exercises control over processing (Article 1(4)). A vendor processing data on the buyer's behalf is the Data Processor (Article 1(5)). Primary responsibility stays with the Controller even when processing is performed by the Processor, so a written agreement binding the vendor to security standards, purpose, retention, and incident reporting is mandatory — not a formality.
Must our company appoint a Data Protection Officer (DPO) for training programs?
Article 53 of the PDP Law mandates a DPO when processing is for public service, when core activities require regular and systematic large-scale monitoring, or when core activities involve large-scale processing of specific personal data. Constitutional Court Decision No. 151/PUU-XXII/2024 (July 2025) struck down the conjunctive 'and' in Article 53(1), lowering the threshold — meeting any one criterion is now sufficient. Many mid-to-large enterprises with routine cross-unit training fall within this threshold, especially when running an internal academy with ongoing assessment.
Must the vendor obtain written consent to record or photograph a training session?
Yes. Valid consent under Article 22 of the PDP Law must be explicit, purpose-specific, fully informed, free, and withdrawable. A blanket clause ('by registering you consent to all forms of documentation') does not qualify. The healthy practice: separate attendance consent (contract basis) from session-recording consent, group-photo consent, testimonial-publication consent, and coaching-audio recording consent. Provide an opt-out with no consequence to training participation.
What is the breach-notification deadline and to whom must it be reported?
Article 46 of the PDP Law requires written notification within 3x24 hours (72 hours) of discovery to the Data Subject and the Authority (PDP body). The notice must include the type of data exposed, when and how the incident occurred, and remedial steps taken. Where impact is wide, the public must also be informed. The vendor contract must bind the vendor to notify the buyer far faster (ideally ≤24 hours from discovery) so the Controller still has time to meet the 72-hour external deadline.
How long may participant data be retained and when must it be destroyed?
Article 16(2)(g) sets a retention-as-needed principle; Articles 43 and 44 govern deletion and destruction once retention ends, the purpose is fulfilled, or the subject requests (subject to legal exceptions). Healthy practice for training data: keep attendance lists and certificates per audit/HR needs (typically 5–10 years per labour/audit rules); destroy session recordings and raw assessment drafts within 30–90 days post-report; absorb raw individual responses into the final report then destroy them. The contract must include category-specific retention plus a duty to deliver written destruction evidence.
How large are PDP Law sanctions and is there criminal exposure?
Administrative sanctions (Article 57) escalate: written warning, temporary suspension of processing, deletion/destruction of personal data, and an administrative fine of up to 2% of annual revenue against the violation variable. Criminal sanctions (Articles 67–69) are heavier: illegal collection up to 5 years + IDR 5 billion, illegal disclosure up to 4 years + IDR 4 billion, falsification up to 6 years + IDR 6 billion. Corporations (Article 70) face fines up to 10x plus additional sanctions (asset confiscation, freezing, dissolution). Controller responsibility remains even where the breach occurred at a Processor — so the vendor contract is the first line of defence.
Which clauses are mandatory in a training-vendor contract to align with the PDP Law?
Nine minimum clauses: (1) confirmation of Controller–Processor roles; (2) purpose, types and categories of data processed; (3) explicit processing duration and retention; (4) technical and organisational security standards (TLS-in-transit, AES-at-rest encryption, role-based access, logs); (5) no sub-processor without written consent; (6) no cross-border transfer without an Article 56 basis (country with equivalent protection, adequate binding safeguards, or subject consent); (7) internal breach notification within ≤24 hours; (8) destruction with written evidence at programme end; (9) Controller audit right plus indemnification. These are contract conditions.
May participant data be transferred to LMS or cloud vendors outside Indonesia?
Yes, with a legal basis under Article 56. Three routes: (a) destination country has equivalent or higher protection than the PDP Law; (b) adequate and binding safeguards exist (standard contractual clauses, certifications); (c) subject consent. Healthy practice: pick a cloud with an Indonesia region where available; use standard contractual clauses reflecting PDP Law duties; document the transfer basis per data category; disclose transfers in the participant privacy notice. For regulated sectors (banking, healthcare), add sectoral compliance (OJK regulations, Health Ministry rules).
How do I verify a training vendor's PDP compliance before contracting?
Run a short due diligence: ask for the vendor's internal privacy policy, the training programme data flow map, list of sub-processors and storage regions, incident response procedure, evidence of PDP training for staff, and where relevant ISO/IEC 27001 (ISMS) or ISO/IEC 27701 (PIMS) certification. Attach the answers as a contract annex so they bind. A vendor that refuses to answer or returns generic answers is as red a flag as one that refuses to issue a tax invoice.
What are training participants' rights and how does the company facilitate them?
Articles 5–13 of the PDP Law grant subjects ten rights including access, rectification, deletion, consent withdrawal, suspension/restriction of processing, portability, and compensation. For training: participants may request copies of their assessment, correction of inaccurate data, and withdrawal of recording consent without losing the right to attend. Build an official channel (DPO email or form) with an internal response SLA (e.g. ≤7 days) and a vendor SLA to forward requests within ≤2 working days.
Does the PDP Law apply to foreign companies with employees in Indonesia?
Yes. The PDP Law is extraterritorial: Article 2 binds anyone processing personal data of Indonesian citizens, regardless of controller location. A foreign company running global training for Indonesian employees remains a Controller subject to the PDP Law — including possible representative appointment in Indonesia under Article 53 criteria, transfer-basis duty under Article 56, and 3x24-hour breach notification. Cross-border training governance must map this from programme design.
Next steps
You now have an operational map of UU PDP No. 27/2022 specific to training-participant data: controller–processor roles, post-MK DPO threshold, layered consent, per-category retention, 72-hour notification with a 24-hour vendor SLA, cross-border transfer bases, nine contract clauses, and the sanction ladder. The sensible next step is to map your active training vendors against the due-diligence checklist — before the next batch runs.
Neksus designs every programme with personal-data protection embedded by design: a Controller–Processor agreement, layered consent, documented retention windows, and a commitment to internal incident notification within ≤24 hours. Discuss your team's needs and request an initial TNA via the Neksus contact page — no obligation, as a safe starting point.
Read more guides that complete your compliance decision:
- How to Choose a Corporate Training Vendor / Provider in Indonesia
- Training PO, VAT & Tax Invoice Procedure in Indonesia
- Training Needs Analysis (TNA): What, Why, and How
- Cybersecurity Awareness for Employees
Last updated: 18 May 2026. This guide explains the general mechanics of Law No. 27/2022, Constitutional Court Decision No. 151/PUU-XXII/2024, and customary compliance practice; it is not final legal advice. Validate the application in your context with your Legal/Privacy team and follow the latest implementing regulations. Neksus does not publish client names or success statistics; external references are attributed as external.