Indonesia does not have an EU adequacy decision under GDPR Article 45. This means any EU company that hires remote engineers in Indonesia — and shares HR data with an Indonesian EOR provider in the process — is conducting a cross-border personal data transfer that requires a formal legal mechanism, most commonly Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment (TIA).
Additionally, since October 17, 2024, Indonesia's own Personal Data Protection Law (UU PDP, Law No. 27/2022) is fully in force, creating a dual compliance obligation: one layer from the EU side (GDPR), one from the Indonesian side (UU PDP).
This guide explains what each layer requires, where the obligations overlap, and what an EOR partner must handle on your behalf so you are not exposed on either side.
Why This Question Is Getting More Urgent for EU Companies
EU companies in Germany, the Netherlands, Ireland, and Sweden are increasingly building remote engineering teams in Indonesia — and most of them are not asking the right legal question before they start.
The right question is not "can we hire in Indonesia?" — the answer is yes, through an EOR.
The right question is: "When our HR team in Amsterdam shares a candidate's passport copy, payslip data, and bank account with our EOR in Jakarta — is that GDPR-compliant?"
For most companies doing this without legal review: the honest answer is probably not yet.
This is not a theoretical risk. GDPR enforcement in 2026 is operating at a different intensity than 2020. Fines for cross-border data transfer violations have reached into the hundreds of millions of euros — Meta's €1.2 billion penalty in 2023 for US data transfers being the most visible example.
National data protection authorities across the EU are now issuing guidance specifically on international hiring and HR data flows. The question of whether your Indonesian EOR is a GDPR-compliant data processor is one that your DPO, if you have one, will eventually ask.
"A significant portion of our European clients come to us having already started hiring — but without a Data Processing Agreement in place," says Fatimah Hasna, Co-Founder & COO of RainTech, who brings eight years of experience in international EOR and HR compliance. "Our first step is usually helping them structure the relationship correctly so both sides are protected."
Layer 1 — The GDPR Side: What the EU Requires Before Data Leaves the EEA
Step 1: Identify the Transfer
Under GDPR, a personal data transfer occurs the moment HR data about an EU-based data controller's employee or candidate moves to a recipient outside the European Economic Area (EEA).
In the context of hiring Indonesian engineers through an EOR, this happens at multiple points:
- Sharing a candidate's CV, ID document, and contact details with the EOR for screening.
- Sending employment contract data (name, salary, bank account, tax ID) to the EOR for payroll setup.
- Giving the EOR access to HR systems where employee performance or attendance data is stored.
- Transferring payslip records or BPJS enrollment data between your HR platform and the EOR's system.
Each of these is a data transfer under GDPR, not a gray area. Even read-only access by an Indonesian party to a European HR system counts.
Step 2: Check for an Adequacy Decision — Indonesia Does Not Have One
The European Commission has issued adequacy decisions for 15 countries as of 2026, including the UK (renewed December 2025, valid through 2031), Switzerland, Japan, South Korea, Canada (partial), and New Zealand. Indonesia is not on this list and has no adequacy decision pending.
This means transfers of personal data to Indonesia cannot rely on the Article 45 adequacy pathway. A different mechanism is required.
Step 3: Use Standard Contractual Clauses (SCCs) as Your Transfer Mechanism
For most EU companies hiring through an Indonesian EOR, the applicable mechanism under GDPR Article 46 is the Standard Contractual Clauses (SCCs) adopted by the European Commission in June 2021 (Decision (EU) 2021/914).
The specific SCC module that applies depends on the relationship structure:
| Transfer Scenario | Applicable SCC Module |
|---|---|
| EU company (controller) → Indonesian EOR (processor) | Module 2: Controller-to-Processor |
| EU company (controller) → Indonesian EOR (controller, e.g. for their own HR records) | Module 1: Controller-to-Controller |
| EU company using a sub-EOR or nested processor chain | Module 3: Processor-to-Processor |
In the standard RainTech scenario — where the EU company is the data controller and RainTech acts as the legal employer and payroll processor — Module 2 applies.
This means:
- RainTech processes employee personal data only on documented instructions from the EU client.
- RainTech must implement appropriate technical and organizational security measures.
- RainTech must notify the EU client of any personal data breach affecting employee data.
- Sub-processors (e.g., RainTech's payroll software, BPJS reporting system) must be listed and covered by equivalent agreements.
Step 4: Conduct a Transfer Impact Assessment (TIA)
Post-Schrems II, SCCs alone are not sufficient. EU exporters are required to conduct a Transfer Impact Assessment — a documented analysis of whether the destination country's laws allow the SCCs to be effective in practice.
For Indonesia specifically, the TIA must evaluate:
What Works in Indonesia's Favor
Indonesia's UU PDP (Law No. 27/2022), fully enforced since October 2024, creates a domestic data protection framework with principles aligned to GDPR — including lawful basis for processing, data subject rights, and data breach notification requirements. This provides a meaningful legal baseline that many non-adequate countries lack.
What the TIA Must Acknowledge
Indonesia does not yet have a fully operational independent data protection supervisory authority. The Lembaga PDP (Personal Data Protection Agency) is targeted to become operational in 2026. Until it is functioning, enforcement of UU PDP remains uneven. The TIA should document this gap and specify the technical safeguards (encryption, access controls, pseudonymization) that compensate for it.
The TIA does not need to be a lengthy document — but it needs to exist, be signed, and be retained in your records of processing activities (ROPA).
Layer 2 — The Indonesian Side: What UU PDP Requires from Your EOR
Indonesia's Personal Data Protection Law (UU PDP, Law No. 27/2022) came into full force on October 17, 2024. It is Indonesia's first comprehensive data protection law and applies to any organization — domestic or foreign — that processes personal data of Indonesian individuals.
For EU companies hiring Indonesian engineers through an EOR, this creates obligations on the Indonesian side of the equation that your EOR partner must be equipped to handle.
What UU PDP Requires of the EOR (as Data Controller/Processor in Indonesia)
Lawful Basis for Processing
RainTech must have a documented lawful basis for processing each engineer's personal data. For employment data, this basis is contractual necessity, the same primary basis used under GDPR.
Data Subject Rights
Indonesian engineers have rights under UU PDP to access their data, request corrections, and in certain circumstances request deletion. Your EOR must have a mechanism to respond to these requests within defined timeframes.
Cross-Border Transfer Requirements
UU PDP also regulates outbound transfers from Indonesia. When RainTech transfers payroll data or employment records back to the EU client, this is an outbound transfer from Indonesia — and UU PDP requires that the destination country provide an "equivalent level" of data protection. The EU clearly meets this standard, but it must be documented.
Data Breach Notification
Under UU PDP, a data breach affecting Indonesian employees must be reported to both the affected individuals and to the relevant authority within 14 days of discovery. Your EOR must have breach detection and notification procedures in place.
Where UU PDP and GDPR Differ
| Requirement | EU GDPR | Indonesia UU PDP |
|---|---|---|
| Data Protection Impact Assessment (DPIA) | Mandatory for high-risk processing | Not yet explicitly required |
| Right to data portability | Explicit right | Not included |
| Supervisory authority | Fully operational DPAs in each member state | Lembaga PDP being established (target: 2026) |
| Fine structure | Up to €20M or 4% global turnover | Up to 2% annual revenue + criminal liability |
| DPO appointment | Required in specific circumstances | Not yet mandated |
The most significant practical gap: DPIA is not explicitly required under UU PDP.
EU companies whose home DPA requires a DPIA for the Indonesian hiring arrangement (likely, if health data or performance monitoring is involved) must complete the DPIA based on GDPR requirements, even if the Indonesian side does not mirror it.
What a GDPR-Ready EOR in Indonesia Must Be Able to Show You
Not every EOR operating in Indonesia has structured its compliance framework for EU clients. Before signing a service agreement, a GDPR-aware EU company should ask its prospective EOR partner to provide:
1. A Signed Data Processing Agreement (DPA)
The DPA formalizes the controller-processor relationship and documents the purpose, scope, and duration of data processing. Without a signed DPA, the transfer itself is non-compliant regardless of whether SCCs are in place.
2. The Executed SCCs (Module 2)
These should be embedded in or annexed to the service agreement. If your EOR has not used the 2021 SCC templates (replacing legacy 2001/2004 versions), the SCCs may not be valid.
3. A Sub-Processor List
RainTech's use of any third-party systems for payroll, BPJS reporting, or HR data storage constitutes sub-processing. EU clients have the right to review and object to sub-processors before they are onboarded.
4. A TIA or Willingness to Support Your TIA
Your legal or compliance team completes the TIA, but the EOR must supply the factual basis: what data is processed, where it is stored, what security measures are in place, and what access third parties (including Indonesian government systems) may have.
5. Breach Notification Procedure
Confirm how and within what timeframe your EOR will notify you of a personal data breach involving employee data. GDPR requires you to notify your supervisory authority within 72 hours of becoming aware of a breach.
"We work with European clients to make sure the documentation layer is complete before any employee data changes hands," says Veri Ferdiansyah, Co-Founder & CEO of RainTech. "The EOR relationship has to be structured as a proper data processor arrangement — that means the DPA, the SCC annexes, and clarity on sub-processors. These are not optional for any serious EU company."
Practical Checklist: Before Your First Indonesian Hire as an EU Company
Use this as a pre-hire compliance checklist. None of these steps requires Indonesian legal expertise; they are EU-side obligations that your DPO or legal counsel can execute.
- Data mapping: Identify every category of personal data you will share with the EOR (CV, passport, bank account, salary, tax ID, performance data).
- Legal basis documented: Confirm the legal basis for each data category under GDPR (typically: contractual necessity for employment data).
- DPA signed: Execute a Data Processing Agreement with RainTech before sharing any data.
- SCCs in place: Annex Module 2 SCCs to the service agreement or DPA.
- TIA completed: Document your assessment of Indonesia's data protection environment and the supplementary safeguards applied.
- Sub-processor list reviewed: Confirm which third-party systems RainTech uses for payroll, BPJS, and HR data.
- ROPA updated: Add the Indonesian EOR transfer to your Records of Processing Activities.
- Breach notification confirmed: Agree in writing on how and when RainTech will notify you of any data incident.
FAQs
Does GDPR apply to my company if we are based in the EU and hire only Indonesian employees — not EU residents?
GDPR applies to the processing of personal data by EU-established companies, regardless of where the data subjects are located. When your company processes a Jakarta-based engineer's payroll data, passport scan, or bank details, GDPR governs that processing because your company is an EU controller. The engineer being Indonesian does not exempt the processing from GDPR.
Can we avoid GDPR obligations by having the Indonesian engineer sign a consent form?
No, and this is a common mistake. Employment consent under GDPR is considered inherently unreliable because of the power imbalance between employer and employee. EU data protection authorities consistently advise using contractual necessity as the legal basis for employment data processing, not consent. Consent-based processing for HR data creates the additional risk that employees can withdraw consent at any time, making ongoing payroll and benefits administration legally fragile.
What happens if Indonesia gets an EU adequacy decision in the future?
If the European Commission grants Indonesia an adequacy decision — which would require the Lembaga PDP to be fully operational and meet EU standards — the SCCs and TIA requirements for data transfers to Indonesia would fall away. Transfers could then flow freely, as they do to the UK or Japan. Until that happens, the SCC + TIA mechanism is mandatory. EU companies should monitor this, as Indonesia's UU PDP framework is still maturing.
Does our DPO need to be involved before we engage an EOR in Indonesia?
If your company has a DPO, yes — they should review the DPA, SCCs, and TIA before any employee data is shared with the EOR. The DPO's role is precisely to assess and document compliance with international transfer obligations. If your company does not have a DPO (required only for certain categories of controllers under GDPR Article 37), your legal counsel should fill this role for the pre-hire review.
What is the biggest practical risk if we skip the DPA and SCCs?
Beyond regulatory risk — fines of up to €20 million or 4% of global annual turnover — the practical risk is that any personal data breach involving your Indonesian employees becomes significantly harder to manage. Without a DPA, it is unclear who bears responsibility, what notification timelines apply, and how remediation is structured. The DPA and SCCs are not just compliance paperwork; they are the contractual infrastructure that defines what happens when something goes wrong.
Next Step
Getting GDPR right for your Indonesian team is straightforward, provided your documentation is in place before any data moves, not after your first hire is onboarded.
Ready to secure your cross-border data flows? Here is how you can take the next step:
- Understand our framework: Discover how our EOR service works to see the exact privacy protections and onboarding documents we establish for EU clients.
- Evaluate compliance risks: Read our comprehensive breakdown of EOR vs. contractor misclassification in Indonesia to dive deeper into data and legal liabilities.
- Plan your expansion: Explore RainTech's pricing to align your compliance strategy with your budget, or schedule a free consultation to walk through our data protection checklist together.
Related articles:
- Understanding Employer of Record: An Essential Guide for Global Companies Hiring in Indonesia
- Indonesia Remote Team: 2026 HR & Payroll Compliance Guide
- BPJS Indonesia Guide: Costs, Risks, and Employer Rules (2026)
This article reflects general information about GDPR and Indonesia's UU PDP as of June 2026 and is not legal advice. EU companies should engage qualified legal counsel and/or their DPO to complete Transfer Impact Assessments and review Data Processing Agreements specific to their situation. Indonesian regulatory requirements are subject to change as the Lembaga PDP becomes operational.
