All Countries
Compliance
Data Controller Agreement

Data Controller Agreement Template for Indonesia

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Data Controller Agreement

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Data Controller Agreement

"I need a Data Controller Agreement for my e-commerce company based in Jakarta, which will be processing customer payment data through a third-party payment processor in Singapore, with the agreement to take effect from March 2025."

Celebrated by
Collaborations with
Investors
Document background
The Data Controller Agreement is essential for organizations operating in Indonesia that process personal data, ensuring compliance with Law No. 27 of 2022 on Personal Data Protection (PDP Law) and related regulations such as Government Regulation 71/2019. This document should be used when establishing relationships involving personal data processing, particularly when one party acts as a data controller. The agreement covers crucial aspects including data protection obligations, security measures, breach notification procedures, and data subject rights. It's particularly important given Indonesia's strict data protection requirements and potential penalties for non-compliance. The agreement needs to be tailored to specific processing activities while maintaining compliance with Indonesian data protection laws.
Suggested Sections

1. Parties: Identification of the Data Controller and the other contracting party, including their legal status and registered addresses

2. Background: Context of the agreement, relationship between parties, and purpose of data processing activities

3. Definitions: Definitions of key terms including 'Personal Data', 'Processing', 'Data Subject', 'Data Controller', 'Data Processor' as per Indonesian PDP Law

4. Scope and Purpose: Detailed description of the data processing activities covered by the agreement and their specific purposes

5. Data Controller Obligations: Core responsibilities of the Data Controller including ensuring lawful basis for processing, maintaining records, and implementing security measures

6. Data Processing Instructions: Specific instructions for processing personal data, including permitted activities and restrictions

7. Data Security: Security measures required to protect personal data as per Indonesian regulations

8. Confidentiality: Obligations regarding confidentiality of personal data and processing operations

9. Data Subject Rights: Procedures for handling data subject requests and ensuring compliance with their rights under PDP Law

10. Personal Data Breach: Procedures for handling and reporting data breaches as per Indonesian requirements

11. Term and Termination: Duration of the agreement and conditions for termination

12. Return or Deletion of Data: Obligations regarding data handling upon contract termination

13. Liability and Indemnities: Allocation of liability and indemnification obligations

14. Governing Law and Jurisdiction: Specification of Indonesian law as governing law and jurisdiction for disputes

Optional Sections

1. Cross-border Data Transfers: Required when personal data will be transferred outside Indonesia, including mechanisms for ensuring compliance with Indonesian data transfer requirements

2. Sub-processing: Required when the agreement needs to address the possibility of engaging sub-processors

3. Data Protection Impact Assessment: Required for high-risk processing activities as defined under Indonesian law

4. Audit Rights: Optional section detailing the Controller's rights to audit compliance, recommended for high-risk or complex processing activities

5. Insurance Requirements: Required when specific insurance coverage needs to be maintained by either party

6. Business Continuity: Required for critical processing activities requiring specific business continuity guarantees

Suggested Schedules

1. Description of Processing Activities: Detailed description of personal data categories, processing purposes, and processing activities

2. Technical and Organizational Security Measures: Specific security measures implemented to protect personal data

3. Authorized Sub-processors: List of approved sub-processors if applicable

4. Data Transfer Mechanisms: Details of mechanisms used for international data transfers if applicable

5. Contact Details and Escalation Procedures: Contact information for key personnel and procedures for operational and emergency communications

6. Service Level Agreement: Specific performance metrics and service levels if applicable to the processing activities

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Agreement
Applicable Data Protection Laws
Authorized Personnel
Business Day
Confidential Information
Consent
Controller Processing Instructions
Cross-Border Transfer
Data Controller
Data Processor
Data Protection Impact Assessment
Data Protection Laws
Data Security Breach
Data Subject
Data Subject Rights
Effective Date
Electronic System
Indonesian PDP Law
Information Security Incident
Personal Data
Personal Data Breach
Processing
Processing Activities
Processing Location
Processing Records
Regulatory Authority
Security Measures
Sensitive Personal Data
Services
Special Categories of Personal Data
Sub-processor
Technical and Organizational Measures
Term
Third Party
Transfer Mechanisms
Relevant Industries

Technology

Healthcare

Financial Services

E-commerce

Telecommunications

Education

Insurance

Retail

Manufacturing

Professional Services

Government Services

Transportation

Hospitality

Relevant Teams

Legal

Compliance

Information Security

IT

Privacy

Risk Management

Procurement

Operations

Data Governance

Information Management

Corporate Affairs

Technology

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Legal Counsel

Compliance Manager

Information Security Manager

IT Director

Chief Information Security Officer

Privacy Manager

Risk Manager

Procurement Manager

Contract Manager

Chief Technology Officer

Operations Director

Chief Legal Officer

Data Governance Manager

Industries
Law No. 27 of 2022 on Personal Data Protection (PDP Law): Indonesia's main data protection law that establishes comprehensive requirements for personal data processing, including obligations for data controllers, data processor relationships, cross-border data transfers, and data subject rights
Government Regulation No. 71 of 2019 on Electronic Systems and Transactions: Regulates electronic system operations and transactions, including requirements for electronic system operators handling personal data and obligations regarding data storage and protection
MOCI Regulation 20 of 2016 on Personal Data Protection: Provides specific requirements for protecting personal data in electronic systems, including consent requirements, data processing procedures, and security measures
Law No. 11 of 2008 on Electronic Information and Transactions (EIT Law): Foundational law governing electronic transactions and information, providing basic framework for data protection and electronic system operations
MOCI Circular Letter No. 5 of 2016: Provides guidelines on the limitations and responsibilities of electronic system providers regarding personal data protection and management
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

Joint Controller Data Processing Agreement

An Indonesian law-governed agreement defining responsibilities and obligations between joint controllers for personal data processing under Indonesia's PDP Law.

find out more

DPA Data Protection Agreement

An Indonesian law-governed Data Protection Agreement establishing terms for personal data processing between controller and processor under PDP Law 2022.

find out more

Joint Controller Data Sharing Agreement

An Indonesian law-governed agreement establishing rights and obligations between joint controllers for shared data processing activities under Indonesia's PDP Law.

find out more

Data Controller Agreement

An Indonesian law-governed Data Controller Agreement establishing framework for personal data processing activities under PDP Law requirements.

find out more

Data Privacy Contract

An Indonesian law-governed agreement establishing terms for personal data processing between controller and processor, ensuring compliance with Indonesia's PDP Law.

find out more

Supplier Data Processing Agreement

An Indonesian law-governed agreement establishing terms for personal data processing between a company and its supplier, ensuring compliance with Indonesia's PDP Law.

find out more

Non Disclosure Agreement Data Protection

An Indonesian law-governed NDA incorporating data protection requirements under UU PDP, designed for protecting both confidential information and personal data.

find out more

Data Protection Addendum

An Indonesian law-governed Data Protection Addendum that establishes data processing obligations and compliance requirements under Indonesia's PDP Law.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.