Indonesia PDP Law 27/2022 for Laptop Rental: Compliance Checklist
Summary
Guide to Indonesia PDP Law 27/2022 for corporate laptop procurement: controller vs processor duties, DPO, 72-hour breach notification, plus a checklist.
Indonesia's Personal Data Protection Law Number 27 of 2022 — commonly called UU PDP — is a major shift in the country's data regulation landscape. Now that the transition period has ended, companies processing personal data of employees, customers, or users can no longer treat laptop rental as a procurement-only decision. Every unit that stores or accesses personal data is part of a data processing system subject to UU PDP — and the laptop rental vendor shares responsibility.
This article translates UU PDP into practical procurement language: what the company owes as a data controller, what the vendor owes as a processor, what must be in the laptop rental contract, and a concrete checklist for internal audit. The full text of UU 27/2022 is at JDIH BPK and the official summary at kominfo.go.id.
What UU PDP Is and Why It Matters for Laptop Rental
UU PDP regulates the protection of personal data of every Indonesian, from name and national ID to biometric and health data. The law adopts many principles from the EU's GDPR, including the concepts of personal data controller and personal data processor — two roles with different but related obligations.
In corporate laptop rental, the role distribution is usually: the client company is the controller — they determine the purpose and means of processing their employees' and customers' data. The laptop rental vendor is the processor when they store or process personal data on the client's behalf (for example when preparing a custom OS image containing employee data, or when performing data sanitization). When a unit returns to the vendor at end of contract, residual data remains the controller's responsibility — but the processor must ensure the data is properly deleted.
Controller vs Processor Obligations: A Split Table
| Aspect | Controller (Client) | Processor (Vendor) |
|---|---|---|
| Processing basis | Must have legal basis (consent, contract, legal obligation) | Follows the controller's instructions |
| Notice to data subjects | Required | Not (unless on controller's instruction) |
| Purpose limitation | Required | Required only per instruction |
| Technical & organizational security | Required | Required |
| Breach notification | Must report to Komdigi & data subjects within 72 hours | Must report to controller without undue delay |
| DPO appointment | Required under certain criteria (Article 53) | Required if criteria met |
| Data sanitization | Must ensure it happens | Must execute per contract |
| Penalty (administrative sanction) | Up to 2% of annual revenue | Same, as the party also responsible |
Clients who think about UU PDP for the first time during an audit usually discover one thing with a jolt: their laptop rental vendor does not have a valid Data Processing Agreement (DPA). Without a DPA, the controller-processor relationship is not legally governed, and accountability for any incident becomes ambiguous.
Data Protection Officer (DPO): Who Must Appoint One
Article 53 of UU PDP requires DPO appointment for a controller or processor meeting one of the criteria: (a) processes personal data for public services; (b) core activities require regular and systematic personal data monitoring at large scale; (c) core activities involve large-scale processing of specific personal data (health, finance, biometric, children, criminal).
Laptop rental vendors serving banks, fintechs, hospitals, or large educational institutions with thousands of active units very likely meet criterion (b) and/or (c). Clients in these industries must ask whether the vendor has appointed a registered DPO. See also vertical compliance context at bank & fintech laptop rental Jakarta and hospital & healthcare laptop rental Jakarta.
Breach Notification: The 72-Hour Rule Often Overlooked
Article 46(3) of UU PDP requires notification to Komdigi (and data subjects) within a maximum of 3x24 hours from when the controller becomes aware of a data protection failure. For the vendor as processor, the obligation is to notify the controller without undue delay — typically translated in contracts as within 24 hours of discovery.
This means a serious laptop rental contract must include:
1. Definition of a data incident: what counts as a breach (unit lost before sanitization, unauthorized access to OS image, etc.); 2. Notification channel: email + phone to a named PIC, not a generic helpdesk; 3. Notification content: categories of data affected, estimated number of subjects, impact realized so far, mitigation taken; 4. Cooperation clause: vendor must help the controller meet its own notification obligation to Komdigi.
If your vendor cannot guarantee 24-hour notification for operational reasons, you cannot meet your own 72-hour obligation — and the administrative sanction falls on you as the controller, not on the vendor.
Data Subject Rights: Access, Correction, Portability, Erasure
UU PDP grants data subjects the right to: (a) be informed about processing; (b) access and copy data; (c) update/correct; (d) erase or destroy; (e) withdraw consent; (f) object to decisions based on automated processing; (g) move data to another controller (portability).
In the laptop rental context, the right most frequently touched is the right to erasure. When an employee resigns or a customer requests deletion, the company must ensure data on the unit that employee used is also deleted — including if the unit is a rental unit already returned to the vendor. This is the technical reason why data sanitization to the NIST 800-88 standard is not optional but the basis for fulfilling data subject rights.
Practical Implications for Laptop Rental Procurement
Several UU PDP articles have direct implications for how laptop rental contracts are written — especially when selecting a UU PDP-compliant corporate laptop rental fleet:
Custom OS image containing employee data. When the vendor prepares an image for 100 new units, and that image contains employee data (pre-logged email templates, reference files containing employee names, etc.), the vendor has processed personal data on behalf of the client. A DPA is required that limits use to initial configuration only and source image deletion within a defined period (e.g., 30 days after deployment).
Data sanitization on unit return. Cryptographic erase or sanitization per NIST 800-88 Purge level is the minimum standard. The vendor must issue a Certificate of Data Destruction per unit, archived at least 3 years for audit.
Cross-border data transfer. Article 56 of UU PDP prohibits transfer of personal data abroad unless the destination has equivalent protection or adequate contractual protections are in place. If the vendor uses foreign cloud for asset management or MDM telemetry, this needs mapping in the DPA.
Sub-processors. If the laptop rental vendor uses third parties (e.g., logistics subcontractors or on-site technicians), those are sub-processors. The client has the right to consent or refuse. Make sure there is a sub-processor list in the DPA and a notification clause for additions.
Arental Compliance Status — Snapshot, May 2026
For transparency, here is Arental's compliance posture relative to UU PDP:
| Component | Status |
|---|---|
| Data Processing Agreement (DPA) template | Available, customized per client |
| DPO appointment | Done, registered |
| Breach notification protocol | 24 hours to client, channel via email + DPO mobile |
| Data sanitization standard | NIST 800-88 Purge level for all media |
| Certificate of Data Destruction | Issued per unit, archived 5 years |
| Sub-processor list | Disclosed in DPA |
| MDM audit logs | Retained 1 year, client access on request |
| Data center / cloud location | Onshore Indonesia |
This posture is appropriate for a corporate-grade laptop rental vendor — not a privilege, but a baseline. Compare with your current vendor using the checklist below.
UU PDP Compliance Checklist for Laptop Rental Procurement
Use the following checklist during RFP, vendor screening, or existing contract audit:
- Vendor provides a DPA template separate from the main contract;
- DPA contains purpose limitation, retention period, and deletion protocol;
- Vendor appoints a DPO with explicit name, email, and mobile;
- Breach notification clause is at most 24 hours to client;
- Cooperation clause: vendor helps client meet 72-hour notification to Komdigi;
- Data sanitization protocol references NIST 800-88 or equivalent;
- Certificate of Data Destruction per unit, archived for at least 3 years;
- Sub-processor list disclosed, client has veto right on new sub-processors;
- Data center / cloud onshore Indonesia (or contractual protection per Article 56);
- Audit logs (MDM, dispatch, image access) retained and client-accessible;
- Right-to-audit clause for DPA compliance inspection;
- Indemnity clause: liability split if administrative sanctions arise.
For broader procurement document context, see requirements and documents for corporate laptop rental and corporate laptop procurement guide.
Penalties: What Can Actually Happen
UU PDP empowers Komdigi to impose administrative sanctions of up to 2% of annual revenue of the offending company (Article 57). For a company with Rp 500 billion/year revenue, that means potential sanctions of Rp 10 billion — a number that makes compliance investment very worthwhile.
Beyond administrative sanctions, there are also criminal sanctions for serious violations such as unlawful data collection (Article 67) or unauthorized disclosure (Article 68). But what happens more often in practice is reputational damage — a viral data breach permanently damages client and employee trust.
Frequently Asked Questions
Does UU PDP apply to vendors that also process their own employees' data?
Yes. When the vendor processes its client's employee data (e.g., in a custom image), the vendor is processor for the client. When the vendor processes its own employee data (payroll, HRIS), the vendor is controller. The two roles can run simultaneously.
Does BYOD (Bring Your Own Device) fall under UU PDP?
Yes, if the device processes personal data on behalf of the company. In fact, BYOD is often harder to comply because the device is not fully controlled by the company. Laptop rental with MDM is easier to account for from a compliance standpoint.
Can the DPA be merged into the main contract?
Yes, as long as all mandatory elements (purpose, retention, deletion, sub-processor, breach notification, audit rights) are in the document. But the better practice is to keep the DPA as a separate annex so it can be revised without reopening the main contract.
How does UU PDP relate to GDPR?
UU PDP adopts many GDPR principles (compliance, transparency, 72-hour breach notification), but the sanctions structure and enforcement mechanism differ. Companies already GDPR-compliant are generally 80% UU PDP-compliant, with adjustments needed for document language to Indonesian and legal basis to UU 27/2022.
Closing
UU PDP is not a burden — it is a framework that tidies what a company serious about data management should already be doing. Corporate laptop rental within the UU PDP framework means choosing a vendor that treats compliance not as a checklist but as a daily way of working. For the operational treatment, see IT asset management for corporate laptops.
For a UU PDP compliance discussion specific to your company's profile, contact the Arental team via the contact page.