Joint Controller Agreement Template for Indonesia

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Joint Controller Agreement?

Joint Controller Agreements have become increasingly important in Indonesia following the implementation of the Personal Data Protection Law (Law No. 27 of 2022). This document type is essential when two or more organizations jointly determine why and how personal data will be processed, requiring them to formally establish their respective roles and responsibilities. The agreement must comply with Indonesian data protection requirements while providing clear guidelines on operational matters such as data security, breach management, and data subject rights. A Joint Controller Agreement is particularly crucial in collaborative projects, shared platforms, or joint ventures where multiple parties have control over data processing activities. The document should reflect the specific requirements of Indonesian law while incorporating international best practices in data protection.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

Indonesia

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Joint Controller Agreement

A Joint Controller Agreement is a legal contract that defines the relationship between two or more organizations that jointly determine the purposes and means of processing personal data under Indonesian law. Under the Personal Data Protection Law (Law No. 27 of 2022), when multiple entities collaborate in data processing activities, they must establish clear roles and responsibilities through a formal agreement to ensure compliance with Indonesian data protection regulations.

When do you need this document?

You need a Joint Controller Agreement whenever your organization collaborates with other entities in processing personal data where both parties have decision-making authority over the processing activities. This commonly occurs in technology partnerships where companies share user databases, financial institutions collaborating on loan processing systems, healthcare providers exchanging patient information for treatment purposes, or educational institutions sharing student data for research projects. The agreement is also essential when government agencies work with private companies on public services that involve citizen data, or when retail companies partner with logistics providers for customer order fulfillment. Without this agreement, joint controllers risk regulatory penalties and unclear liability allocation in case of data breaches or compliance violations.

Key legal considerations

The agreement must clearly define each party's specific responsibilities for data protection compliance, including data security measures, breach notification procedures, and handling of data subject requests. You should establish detailed protocols for responding to individual rights requests such as data access, rectification, deletion, and portability under the PDP Law. The document must specify how personal data will be shared between controllers, including technical and organizational measures to protect data during transfer and storage. Consider including provisions for liability allocation, indemnification clauses, and dispute resolution mechanisms to address potential conflicts between joint controllers. The agreement should also address data retention periods, deletion procedures, and what happens to shared data when the collaboration ends.

Legal requirements in Indonesia

Under Indonesia's Personal Data Protection Law (Law No. 27 of 2022), joint controllers must ensure their agreement complies with fundamental data protection principles including lawfulness, limitation of purpose, data minimization, accuracy, storage limitation, and accountability. The agreement must demonstrate that you have obtained proper consent from data subjects for the joint processing activities or establish another lawful basis for processing under Article 12 of the PDP Law. You must implement appropriate technical and organizational security measures as required by Government Regulation No. 71 of 2019, including encryption, access controls, and regular security assessments. The document should address cross-border data transfer requirements if either controller plans to transfer data outside Indonesia, ensuring compliance with adequacy decisions or implementing appropriate safeguards. Additionally, both controllers must designate data protection officers if required under the PDP Law and establish procedures for cooperating with the Ministry of Communication and Informatics during regulatory investigations or audits.

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it