From Recruitment to Offboarding: Compliance Challenges under the Personal Data Protection Law

With the enactment of Law Number 27 of 2022 on Personal Data Protection (“PDP Law”), employers now face significant obligations to ensure lawful and transparent handling of employee data throughout the employment lifecycle, from recruitment to offboarding. As legal accountability grows, employers must move beyond surface-level approaches and adopt proactive, structured methods for data governance to minimize risks and build trust in the digital workplace. This article outlines the key data processing obligations at each stage, highlights practical compliance challenges, and emphasizes the importance of clear policies, cross-functional coordination, and effective consent management.
A. Introduction
PDP Law marks a major milestone in Indonesia’s legal landscape, ushering in a more structured and comprehensive framework for personal data governance. For employers, this law brings heightened responsibilities, particularly in their role as data controllers who routinely collect, process, and store employee information throughout the entire employment lifecycle.
From the earliest stages of recruitment to the final steps of offboarding, each stage involves managing various types of personal data, often including sensitive or confidential information. The PDP Law now requires employers to move beyond surface-level compliance and adopt a more deliberate, transparent, and legally sound approach to data handling.
This article explores how employee data is typically processed across different stages of the employment lifecycle (i.e., recruitment, active employment, and offboarding) and highlights the practical challenges employers face in complying with the PDP Law.
B. Employee Data Processing in the Employment Lifecycle
- Recruitment Stage
Personal data processing in the employment sector begins at the recruitment stage, well before any formal employment relationship is established. Even at this early stage, employers must comply with the Personal Data Protection (PDP) Law, including the obligation to obtain explicit consent from job candidates before collecting and processing their personal data during screening or assessment. If a candidate is not selected or does not proceed with the recruitment process, the employer is legally required to delete and destroy any personal data collected during that stage. Retaining such data without justification or consent may constitute a violation of the PDP Law.
Once an employment relationship is formally established, contractual and legal obligations arise, which then serve as the legal basis for continued data processing. These legal grounds should be clearly articulated in a written Employment Agreement, which must include the employee’s explicit and valid consent. With this basis in place, employers—as data controllers—are permitted to collect and process employee data in accordance with applicable laws and regulations.
The PDP Law distinguishes two categories of personal data:
General personal data:
- Full name;
- Gender;
- Nationality;
- Religion;
- Marital status; and/or
- Any combination of personal data that can identify an individual.
Specific personal data:
- Health data and information;
- Biometric data;
- Genetic data;
- Criminal records;
- Child data;
- Personal financial data; and/or
- Other data as stipulated by applicable laws and regulations.
Employers must identify the types of data that are relevant and necessary based on their obligations. If, during the course of employment, employers need to process additional categories of personal data beyond those initially agreed upon, they must notify the employee and obtain fresh, explicit consent before proceeding.
- Employment Stage
During the course of employment, the employer’s data processing activities must align with the consent previously granted by the employee. This may include the handling of data for purposes such as payroll administration, benefits management, performance evaluations, attendance tracking, and workplace monitoring. All processing activities must be traceable and properly documented, ensuring accuracy, transparency, and accountability. Employers must also ensure that data is stored securely and processed lawfully.
In the event of data-related incidents, such as updates, inaccuracies, breaches, or unauthorized access, employers are required to respond promptly with appropriate, proportional actions. Documenting such responses is not only a best practice but may also be critical for demonstrating compliance in the event of an audit or complaint.
- Offboarding Stage
When an employment relationship ends, whether due to resignation, termination, contract expiration, or company restructuring, the employer’s purpose in processing employee personal data generally ceases as well. As such, the employer, in its capacity as Data Controller, must delete and ultimately destroy employee personal data in a lawful and accountable manner. This deletion and destruction process must be well-documented, and employees must be clearly informed that their data has been deleted in compliance with the PDP Law.
To ensure consistent and compliant practices, employers are strongly encouraged to implement formal offboarding procedures. These procedures should include protocols for data deletion, guidance on retention and archiving (where legally permissible), and transparent communication with former employees about how their data will be handled after employment ends.
C. Challenges for Employment Compliance with the PDP Law
In practice, aligning employment-related data processing with the PDP Law still arguably presents a number of challenges. While the legal requirements are broad and far-reaching, many employers still face practical and organizational hurdles in ensuring full compliance. Below are some of the most common issues:
- Lack of Awareness
Many employers may not be fully aware that employee records, either in digital or physical form, fall squarely within the scope of personal data governed by the PDP Law. This lack of awareness can lead to unintentional non-compliance, particularly in areas such as consent, retention, and access rights. In the long run, such oversights could expose employers to sanctions or reputational risks.
- Unclear or Missing Legal Basis
Some employers continue to rely on implied consent when collecting or processing candidate data, monitoring employee activities, or using internal surveillance tools. However, under the PDP Law, implied consent is insufficient. Employers must identify and document a clear legal basis for each processing activity, especially for sensitive or high-risk data. Failure to do so may open the door to legal claims or administrative penalties.
- Absence of a Data Retention Policy
Many employers have yet to formalize policies on how long employee data should be retained or when it should be deleted. As a result, outdated or irrelevant personal data may be retained indefinitely, increasing the risk of non-compliance. The PDP Law requires that personal data be retained only for as long as necessary, and failure to establish retention protocols can result in fines or corrective measures.
- Inadequate Internal Standard Operating Procedures and Documentation
Standard Operating Procedures for managing data, such as documenting processing activities, handling data subject requests, or responding to data incidents, are often missing or incomplete. Without these internal mechanisms in place, employers may struggle to demonstrate accountability or traceability, which are core compliance principles under the PDP Law.
- Poor System Integration and Oversight
In many organizations, Human Resources departments manage employee data independently from legal, compliance, or IT teams. This lack of system integration can result in inconsistent implementation of data protection protocols, delayed responses to breaches, or failure to effectively process access and deletion requests. Effective PDP compliance requires cross-functional coordination and oversight, not just policy on paper.
D. Conclusion
As the PDP Law continues to reshape how personal data is governed in Indonesia, employers must adapt their internal processes to meet new standards of accountability. From the moment a candidate submits a CV to the day an employee leaves the company, every stage of the employment journey now carries legal responsibilities that cannot be overlooked.
The real challenge lies not just in understanding the law, but in building a system that works in practice, one that balances operational efficiency with legal compliance. A proactive, structured approach to data governance is no longer optional; it is essential for maintaining trust, minimizing risk, and avoiding costly missteps.
If you are unsure where to start or how to translate legal requirements into workable policies, it is advisable to consult with data protection or employment law professionals. Getting it right early on can save your company time, money, and reputation in the long run.
***
About ADCO Law:
ADCO Law is a law firm that offers clients a wide range of integrated legal services, including commercial transactions and corporate disputes in a variety of industry sectors. Over the course of more than a decade, we have grown to understand our clients’ industries and businesses as well as the regulatory aspects. In dealing with business dynamics, we provide comprehensive, solid legal advice and solutions to minimize legal and business risks.