Legal Protection of Bank Customers’ Personal Data in Indonesia

Written by Golda Februya Marsaulina, S.H.

The protection of personal data has become an increasingly important issue amid the rapid development of information technology and digital financial services. In the banking sector, customers’ personal data is not merely a matter of identity, but a valuable asset that may impact financial security and reputation if misused. Indonesia has established a legal framework through Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) to ensure that personal data is managed with prudence, transparency, and accountability, particularly within the scope of banking services.

Several laws and regulations form the foundation for the protection of bank customers’ personal data in the banking sector, including:

  1. Law No. 27 of 2022 on Personal Data Protection (PDP Law).
  2. Law No. 7 of 1992 on Banking, as amended by Law No. 10 of 1998, which obliges banks to maintain customer confidentiality.
  3. Financial Services Authority Regulation No. 22 of 2023 on Consumer and Public Protection in the Financial Services Sector, which requires financial service providers to protect and safeguard customers’ personal data.
  4. Bank Indonesia Regulation No. 12 of 2024 on Bank Indonesia Data and Information Policy.

These regulations affirm that the protection of bank customers’ personal data should not be understood merely as a legal obligation, but also as an integral part of good corporate governance practices in the banking sector, aimed at strengthening public trust in Indonesia’s banking industry today.

It is important to understand the classification of personal data under the PDP Law, as stipulated in Article 4, which distinguishes personal data into two main categories:

  1. General Personal Data, such as full name, gender, nationality, religion, marital status, and other general information.
  2. Specific Personal Data, which is considered more sensitive, including health data and information, medical records, biometric data, genetic data, criminal records, financial data, data concerning children, and other data that, if misused, could result in discrimination or serious harm.

In the banking context, customers’ financial data—such as transaction history, account balances, credit facilities, and collateral—is classified as specific personal data that must receive the highest level of protection.

Although the fundamental principle of the PDP Law is the restriction on the use and disclosure of personal data without the consent of the data subject, several exceptions are provided under the PDP Law. In banking practice, these exceptions may include:

  1. National defense and security, for example, where a transaction is suspected to be linked to terrorism financing or indicates money laundering activities.
  2. Law enforcement processes, including official requests from police investigators, public prosecutors, or judges.
  3. Public interest in state administration, such as transactions related to supervision and regulation, the fulfillment of legal obligations, and government programs.
  4. Supervision of the financial services sector, monetary system, payment systems, and financial system stability carried out in the context of state administration. In practice, this exception safeguards the authority of the Financial Services Authority (OJK), Bank Indonesia, the Financial Transaction Reports and Analysis Center (PPATK), the Ministry of Finance, and the Deposit Insurance Corporation (LPS) in exercising oversight of the financial sector.
  5. Statistical and scientific research purposes.

Nevertheless, the sharing of data under such exceptions must still adhere to the principle of proportionality and be used only to the extent necessary for legitimate legal purposes.

The protection of bank customers’ personal data in Indonesia is a vital foundation for maintaining public trust in the national financial system. Through the PDP Law, banks and financial institutions are required to adopt stricter, more transparent, and accountable data management policies. Ultimately, personal data protection is not merely a matter of legal compliance, but also an integral part of building a secure, trustworthy, and sustainable banking system.

For further information or legal advice on personal data protection in the financial services sector, please contact us at your earliest convenience to obtain comprehensive legal counsel.