Joint Controller Data Sharing Agreement Template for Indonesia
Generate a bespoke document
What is a Joint Controller Data Sharing Agreement?
This Joint Controller Data Sharing Agreement is essential when two or more organizations jointly determine how personal data will be processed and shared. The agreement is specifically designed to comply with Indonesian data protection requirements, particularly Law No. 27 of 2022 on Personal Data Protection (PDP Law) and related regulations. It should be used whenever organizations engage in collaborative data processing activities where they share decision-making authority over the purposes and means of processing. The document includes detailed provisions on roles and responsibilities, security measures, data subject rights management, breach notification procedures, and liability allocation. It's particularly relevant in scenarios such as joint ventures, shared services arrangements, or collaborative research projects where multiple parties need to access and process the same sets of personal data while maintaining compliance with Indonesian data protection laws.
About the Joint Controller Data Sharing Agreement
When organizations collaborate on data processing activities in Indonesia, a Joint Controller Data Sharing Agreement becomes legally essential under the Personal Data Protection Law No. 27 of 2022. This agreement establishes clear responsibilities between parties who jointly determine the purposes and means of personal data processing, ensuring compliance with Indonesian data protection regulations while facilitating legitimate business collaborations.
When do you need this document?
You need this agreement when your organization shares decision-making authority over personal data processing with other entities. Common scenarios include joint ventures between technology companies and financial institutions for fintech solutions, healthcare providers collaborating with research institutions on patient data studies, or educational institutions partnering with government agencies for student information systems. The agreement is also crucial when telecommunications providers work with retail companies on customer analytics projects, or when insurance companies collaborate with professional services firms on risk assessment data. Any arrangement where multiple organizations jointly control how personal data is collected, used, or shared requires this legal framework to ensure compliance with Indonesian law.
Key legal considerations
The agreement must clearly define each party's role as joint controllers and allocate specific responsibilities for PDP Law compliance. Critical clauses include data subject consent management, as both controllers must ensure proper legal basis for processing under Article 16 of the PDP Law. You must establish procedures for handling data subject rights requests, including access, rectification, and deletion rights guaranteed under Articles 31-34. Security measures must meet the standards outlined in Government Regulation No. 71 of 2019, including data encryption, access controls, and breach notification procedures within 72 hours to KOMINFO. The agreement should address cross-border data transfer restrictions and localization requirements for certain data categories. Liability allocation between joint controllers is crucial, as both parties can be held jointly and severally liable for violations. Include termination clauses that address data deletion or return obligations and ongoing compliance responsibilities.
Legal requirements in Indonesia
Under Indonesian law, joint controllers must register their data processing activities with the Ministry of Communication and Information Technology (KOMINFO) and maintain detailed processing records as required by Article 65 of the PDP Law. Both parties must appoint Data Protection Officers if they process large volumes of personal data or sensitive personal data categories defined in Article 4. The agreement must comply with data localization requirements under KOMINFO Regulation 20 of 2016, ensuring that Indonesian citizens' personal data is stored and processed within Indonesian territory. Consent mechanisms must meet the specific requirements of Article 16, including being freely given, specific, informed, and unambiguous. For sensitive personal data processing, explicit written consent is mandatory under Article 26. The agreement must establish audit rights and compliance monitoring procedures to demonstrate ongoing adherence to Indonesian data protection standards. Both controllers are required to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as outlined in Article 58 of the PDP Law.
GOVERNING LAW
Applicable law
This Joint Controller Data Sharing Agreement is drafted to comply with Indonesia law. Key legislation includes:
Government Regulation No. 71 of 2019 on Electronic Systems and Transactions: Regulates electronic system operations and transactions, including requirements for electronic system operators and data center localization
Indonesian Civil Code (KUHPerdata): Provides the basic framework for contract formation and validity, essential for ensuring the agreement is legally binding
KOMINFO Regulation 20 of 2016 on Personal Data Protection: Specific regulations regarding the protection of personal data in electronic systems, including consent requirements and data transfer protocols
Minister of Communication and Information Technology Regulation No. 5 of 2020: Regulates private electronic system operators, including requirements for registration and compliance with Indonesian regulations
Law No. 11 of 2008 on Electronic Information and Transactions (ITE Law): Framework law for electronic transactions and systems that provides legal basis for electronic contracts and digital signatures
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it