Controller To Controller Data Processing Agreement Template for Indonesia
Generate a bespoke document
What is a Controller To Controller Data Processing Agreement?
The Controller to Controller Data Processing Agreement is essential when two organizations, each acting as independent data controllers, need to share personal data while maintaining compliance with Indonesian data protection laws. This document becomes necessary when both parties independently determine the purposes and means of processing personal data and need to establish clear guidelines for data sharing, protection, and compliance. It is particularly relevant following the enactment of Indonesia's Personal Data Protection Law (Law No. 27 of 2022), which introduces strict requirements for personal data processing and transfer. The agreement should cover all aspects of the data sharing relationship, including security measures, data subject rights management, breach notification procedures, and compliance with Indonesian regulatory requirements. It's crucial for organizations engaging in regular data sharing activities, especially those operating in regulated sectors or handling sensitive personal data.
About the Controller To Controller Data Processing Agreement
When your organization needs to share personal data with another company where both parties act as independent data controllers, you need a Controller To Controller Data Processing Agreement. This document establishes the legal framework for data sharing while ensuring compliance with Indonesia's comprehensive data protection regime.
When do you need this document?
You require this agreement when two organizations, each acting as separate data controllers, need to exchange personal data for their respective business purposes. Common scenarios include strategic partnerships where customer data is shared for joint marketing campaigns, mergers and acquisitions involving data due diligence, research collaborations between institutions sharing participant data, or business alliances where companies exchange employee information for project coordination. The agreement becomes essential when both parties independently determine how and why they process the shared personal data, distinguishing it from controller-processor relationships where one party acts on behalf of the other.
Key legal considerations
Your agreement must clearly define each controller's responsibilities and establish robust data protection measures. Critical clauses should specify the categories of personal data being shared, the purposes for which each party may use the data, and the duration of data retention. Security obligations must include technical and organizational measures to protect data integrity and confidentiality. The agreement should address data subject rights management, establishing procedures for handling access requests, corrections, and deletion demands. Breach notification protocols must outline immediate reporting requirements between controllers and to Indonesian authorities. Cross-border transfer provisions are essential if either party operates internationally, ensuring adequate protection levels are maintained.
Legal requirements in Indonesia
Under Law No. 27 of 2022 on Personal Data Protection, data controllers must obtain explicit consent from data subjects before sharing their personal data with third parties, unless specific exemptions apply. Your agreement must demonstrate lawful basis for processing under Article 16 of the PDP Law and ensure compliance with data minimization principles outlined in Article 20. Controllers must implement appropriate security measures as required by Articles 30-32, including encryption, access controls, and regular security assessments. The agreement should address obligations under Government Regulation No. 71 of 2019 regarding electronic systems, particularly if data is stored or processed through cloud services. Both parties must appoint Data Protection Officers if they process large volumes of personal data or sensitive categories of information. Cross-border data transfer provisions must comply with adequacy decisions or implement appropriate safeguards as specified in Articles 58-60 of the PDP Law.
GOVERNING LAW
Applicable law
This Controller To Controller Data Processing Agreement is drafted to comply with Indonesia law. Key legislation includes:
Law No. 11 of 2008 on Electronic Information and Transactions (EIT Law), as amended by Law No. 19 of 2016: Provides the legal framework for electronic transactions and systems, including provisions on electronic signatures, admissibility of electronic evidence, and cybercrime
Government Regulation No. 71 of 2019 on Implementation of Electronic Systems and Transactions: Implementation regulation providing detailed requirements for electronic system operations, data center locations, registration requirements, and data protection measures
Ministry of Communication and Information Technology Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems: Specific regulation on personal data protection in electronic systems, including requirements for consent, data processing, and security measures
Government Regulation No. 80 of 2019 on Electronic Commerce: Regulation governing e-commerce activities including provisions on personal data protection in online transactions and business activities
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it