The failure of personal data protection is defined as a failure to protect a person’s personal data in terms of confidentiality, integrity, and availability, including security breaches, whether intentional or unintentional, leading to destruction, loss, alteration, disclosure, or unauthorized access to personal data sent, stored or processed.
This means that if there is another SIM card registration data leak, the Communications and Information Ministry, cellular operators, and the Population and Civil Registry (Dukcapil) as the customer data controller must notify all affected parties.
Read: 1,3 billion SIM card data in Indonesia believed to be breached
- Citizens can opt out and delete their personal data
Article 8 states that “Personal data subjects have the right to end processing, delete, and/or destroy their personal data in accordance with the prevailing laws and regulations.” This is confirmed by the explanation in Article 44: the controller of personal data is obliged to destroy personal data in a number of cases. First, the retention period (storage) has expired and the information is destroyed based on the archive retention schedule. There is a request from the personal data owner. It is not related to the legal process of a case and/or the personal data is obtained and/or processed in an unlawful manner. The destruction is carried out in accordance with the prevailing regulations. (rr)