Article 43 Indonesian Data Protection Law 2020

Instructions for designated data processor

(1) In the event that the personal Data controller designates the personal Data processor, the personal Data processor is required to process the personal Data based on the instruction or instructions of the personal Data controller unless otherwise specified pursuant to the provisions of the applicable laws.
(2) The processing of personal Data as intended in paragraph (1) shall be conducted with respect to the provisions of the personal Data under this law.
(3) The processing of personal Data as referred to in paragraph (1) shall be included in the Indonesian responsibility of thePersonal data controller.
(4) In the event that the personal Data processor does the processing of personal Data outside the instructions or orders and purposes specified by the personal Data controller, the processing of personal Data is the responsibility of the personal Data processor.