Ι«»¨ΜΓ

Book a demo

Joint Control Addendum Template for Indonesia

Generate a bespoke document

  • England and Wales
  • Scotland
  • Northern Ireland
  • Ireland
  • United States
  • Alabama (USA)
  • Alaska (USA)
  • Arizona (USA)
  • Arkansas (USA)
  • California (USA)
  • Colorado (USA)
  • Connecticut (USA)
  • Delaware (USA)
  • Florida (USA)
  • Georgia (USA)
  • Hawaii (USA)
  • Idaho (USA)
  • Illinois (USA)
  • Indiana (USA)
  • Iowa (USA)
  • Kansas (USA)
  • Kentucky (USA)
  • Louisiana (USA)
  • Maine (USA)
  • Maryland (USA)
  • Massachusetts (USA)
  • Michigan (USA)
  • Minnesota (USA)
  • Mississippi (USA)
  • Missouri (USA)
  • Montana (USA)
  • Nebraska (USA)
  • Nevada (USA)
  • New Hampshire (USA)
  • New Jersey (USA)
  • New Mexico (USA)
  • New York (USA)
  • North Carolina (USA)
  • North Dakota (USA)
  • Ohio (USA)
  • Oklahoma (USA)
  • Oregon (USA)
  • Pennsylvania (USA)
  • Rhode Island (USA)
  • South Carolina (USA)
  • South Dakota (USA)
  • Tennessee (USA)
  • Texas (USA)
  • Utah (USA)
  • Vermont (USA)
  • Virginia (USA)
  • Washington (USA)
  • West Virginia (USA)
  • Wisconsin (USA)
  • Wyoming (USA)
  • Austria
  • Denmark
  • France
  • Germany
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Australia
  • New Zealand
  • Singapore
  • Hong Kong
  • India
  • Malaysia
  • Pakistan
  • United Arab Emirates
  • Qatar
  • Saudi Arabia
  • South Africa
  • Nigeria
  • Canada
  • Brasil
  • Monaco
  • Bermuda
  • Cayman Islands
  • Gibraltar
  • Isle of Man
  • Mauritius

What is a Joint Control Addendum?

The Joint Control Addendum is essential when two or more organizations jointly determine the purposes and means of processing personal data under Indonesian law. This document should be used when entities engage in shared data processing activities and need to clearly define their respective roles, responsibilities, and compliance obligations under Indonesia's Personal Data Protection Law (Law No. 27 of 2022). The addendum typically accompanies a main agreement and provides specific provisions for joint control arrangements, including detailed procedures for handling data subject requests, breach notifications, and security measures. It's particularly important given Indonesia's strict data protection requirements and the need for clear accountability in joint processing operations.

Frequently Asked Questions

Is a Joint Control Addendum legally binding under Indonesia's Personal Data Protection Law?

Yes, a Joint Control Addendum is legally binding in Indonesia under Law No. 27 of 2022 on Personal Data Protection. When two or more organizations jointly determine the purposes and means of personal data processing, they are required by law to establish clear agreements defining their respective roles and responsibilities. Failure to have proper joint controller arrangements can result in regulatory penalties and legal liability.

Can Indonesian authorities penalize my company if we don't have a Joint Control Addendum?

Yes, operating without a proper Joint Control Addendum when required can result in significant penalties under Indonesia's PDP Law. The Ministry of Communication and Informatics can impose administrative sanctions including warnings, temporary suspension of data processing activities, and fines. Additionally, your organization may face increased liability for data breaches or compliance violations when joint controller responsibilities are not clearly defined.

How does a Joint Control Addendum differ from a Data Processing Agreement in Indonesia?

A Joint Control Addendum is used when two or more entities jointly determine the purposes and means of data processing, making them co-controllers under Indonesian law. A Data Processing Agreement is used when one entity (controller) engages another entity (processor) to process data on their behalf. The key difference is that joint controllers share decision-making authority and compliance obligations, while processors act solely under the controller's instructions.

How long does it typically take to prepare a Joint Control Addendum in Indonesia?

Creating a comprehensive Joint Control Addendum typically takes 2-4 weeks in Indonesia, depending on the complexity of the data processing arrangement and number of parties involved. The process includes identifying joint controller responsibilities, mapping data flows, defining compliance obligations under Law No. 27 of 2022, and negotiating liability allocation. More complex multi-party arrangements or those involving sensitive personal data may require additional time for proper structuring.

Which specific Indonesian regulations must be addressed in a Joint Control Addendum?

A Joint Control Addendum must comply with Law No. 27 of 2022 on Personal Data Protection as the primary legislation, along with Government Regulation No. 71 of 2019 concerning implementation requirements. The addendum must address data subject rights, security measures, cross-border transfer restrictions, breach notification procedures, and specific obligations for processing sensitive personal data. Compliance with sector-specific regulations like those from Bank Indonesia or OJK may also be required depending on the industry.

Can foreign companies use a Joint Control Addendum for data processing activities in Indonesia?

Yes, foreign companies can enter into Joint Control Addendums for Indonesian data processing activities, but they must comply with Law No. 27 of 2022's requirements including data localization provisions for public service providers and appointing local representatives when required. The addendum must address cross-border data transfer restrictions and ensure all parties meet Indonesian regulatory obligations. Foreign entities may need additional compliance measures depending on their data processing scope and subject to Ministry of Communication and Informatics oversight.

Are there common mistakes to avoid when drafting Joint Control Addendums in Indonesia?

Common mistakes include failing to clearly define each party's decision-making authority, inadequately addressing data subject rights procedures, and not properly allocating liability for regulatory violations. Many organizations also overlook cross-border transfer restrictions, fail to establish clear data retention periods, or don't include proper breach notification procedures required under Indonesian law. Insufficient attention to Government Regulation No. 71 of 2019 implementation requirements is another frequent oversight.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

Indonesia

Reviewed by

&

Publisher

GenieAI

Category

Control Agreement

Sector

Business

Cost

Free to use

Last updated

About the Joint Control Addendum

A Joint Control Addendum is a critical legal document that governs shared data processing arrangements between two or more organizations under Indonesian law. When you're involved in collaborative data processing activities, this addendum ensures compliance with Indonesia's comprehensive Personal Data Protection Law (Law No. 27 of 2022) while clearly defining each party's obligations and responsibilities.

When do you need this document?

You need a Joint Control Addendum when your organization collaborates with other entities in determining both the purposes and means of processing personal data. This commonly occurs in business partnerships, joint ventures, shared marketing campaigns, or collaborative research projects where multiple parties have decision-making authority over data processing activities. The addendum becomes essential when you're sharing customer databases, conducting joint market research, operating shared platforms, or engaging in any activity where you jointly decide what personal data to collect, how to process it, and for what purposes. Under Indonesian law, joint controllers must have clear arrangements in place before beginning any shared processing activities.

Key legal considerations

The most critical aspect of your Joint Control Addendum is the clear allocation of responsibilities between all parties involved. You must define who handles data subject requests, manages consent mechanisms, conducts privacy impact assessments, and responds to data protection authority inquiries. The document should specify breach notification procedures, ensuring compliance with Indonesia's strict 72-hour reporting requirements to authorities and affected individuals. Security measures must be outlined comprehensively, including technical and organizational safeguards that meet Indonesian standards. You'll also need to address data transfer arrangements, particularly if data crosses borders, ensuring compliance with Indonesia's data localization requirements where applicable. The addendum must clearly establish which party serves as the primary contact point for data subjects exercising their rights under the PDP Law.

Legal requirements in Indonesia

Under Indonesia's Personal Data Protection Law (Law No. 27 of 2022), joint controllers must establish transparent arrangements that demonstrate accountability and enable effective data subject rights management. Your addendum must comply with Government Regulation No. 71 of 2019 regarding electronic systems implementation, ensuring proper technical safeguards are in place. The document should reference relevant provisions of MOCI Regulation 20 of 2016 for electronic data protection requirements. You must ensure the addendum aligns with fundamental contract law principles under the Indonesian Civil Code, including proper formation, validity, and enforceability. The arrangement must facilitate compliance with mandatory data protection officer appointment requirements where applicable, and ensure proper legal representation for foreign entities operating in Indonesia. Your addendum should also address potential regulatory changes and provide mechanisms for updating obligations as Indonesian data protection law continues to evolve.

GOVERNING LAW

Applicable law

This Joint Control Addendum is drafted to comply with Indonesia law. Key legislation includes:






Explore 208,390+ legal templates

Explore 208,390+ legal templates

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it