
Liability for Customer Data in the Hands of Third Parties in the Insurance Sector


The growing digitalization of Indonesia’s insurance industry has expanded the flow of customer data across insurance companies, brokers, vendors, and digital platforms, increasing exposure to privacy and security risks. Under Law Number 27 of 2022 on Personal Data Protection (“PDP Law”), insurance companies, as data controllers, remain legally responsible for any processing carried out by third-party processors, making robust vendor management and clear contractual safeguards essential. As customer data changes hands more frequently, transparency and accountable data-sharing practices become critical to maintaining trust. Against this backdrop, this article examines a central question for the sector: who bears the responsibility when customer data is compromised?


The digitalization of Indonesia’s insurance industry has expanded data flows across multiple entities, including insurance companies, brokers, claims administrators, and insurtech providers, thereby increasing exposure to data privacy and security risks. This transformation has fostered a more connected insurance ecosystem, enabling faster services and more integrated processes. 

At the same time, the involvement of third parties poses potential risks in customer data management. Customer data is now often processed across multiple entities, including identity verification providers, claims administrators, and digital platforms operating on behalf of insurance companies. This raises an important question: where does the line of responsibility lie when a data breach or misuse occurs? 

A recent example is the data breach incident affecting Allianz Life in mid-2025, which demonstrated that the source of the breach does not always originate from an insurance company’s core system, but may instead stem from third parties connected to its broader ecosystem.[1] Such cases highlight the need for enhanced vendor management, robust contractual arrangements, and adherence to data protection obligations.


Vendor and Partner Management under the Personal Data Protection Law 

In the increasingly digitalized insurance industry, the role of third parties, including technology infrastructure providers, digital claims platforms, and cloud service operators, has become indispensable. The Financial Services Authority (Otoritas Jasa Keuangan or “OJK”), through the Roadmap for the Development and Strengthening of the Insurance Industry 2023–2027, highlights that digital transformation has significantly reshaped consumer preferences and the way insurance companies operate. While the use of information technology increases efficiency and expands service reach, it also introduces cybersecurity risks, including data breaches and operational disruptions.[2]

Against this backdrop, the PDP Law provides a legal foundation for determining liability in the event of a data breach or leak. Under the principles set out in the PDP Law, data controllers remain responsible for any processing of personal data carried out by other parties on their behalf. The law explicitly states that data controllers must be accountable for personal data processing activities and demonstrate compliance with the principles of personal data protection.[3] Accordingly, even when processing is delegated to third parties, the primary legal responsibility remains with the data controller, in this case the insurance company.

This responsibility includes ensuring that vendors maintain adequate security standards and compliance mechanisms aligned with the principles of the PDP Law. In practice, in our view, this should be reflected in cooperation agreements that clearly stipulate, but are not limited to, the scope of processing, confidentiality obligations, minimum security standards, and incident reporting procedures. This view aligns with that of several legal practitioners who emphasize that the responsibility of the data controller does not automatically transfer to another party, and that due diligence principles must always apply in all forms of data partnerships.[4]

Nevertheless, the challenge in implementing these principles lies not only in the readiness of insurance companies as data controllers but also in that of their vendors and business partners acting as data processors. Many technology providers in the insurance sector still lack robust data security policies or internal compliance frameworks consistent with the PDP Law’s requirements. 


Managing Customer Trust Amid Expanding Data Flows 

With increasing digitalization and collaboration amongst insurance companies, customer data is now changing hands more frequently than ever. In practice, external service providers such as identity verification vendors, digital claims administrators, or infrastructure providers can access and process customer personal data on behalf of insurance companies. However, most customers remain unaware of the extent to which their data is shared or for what purposes. This creates a new challenge for the industry: how can insurance companies maintain customer trust amid such a complex data ecosystem? 

The PDP Law affirms that data subjects have the right to obtain clear information regarding personal data processing activities,[5] as well as the right to terminate data processing and/or to request the deletion of their data.[6] This means that insurance companies are obligated to ensure that every instance of data sharing is conducted on a transparent and legally accountable basis.

For industry players, the principle of transparency can be implemented through clear and easily accessible privacy policies, explicit notification when data is used beyond its initial purpose, and mechanisms that allow customers to access or update their information. These measures, while simple, are highly effective in reducing the uncertainty that often leads to customer complaints or potential legal exposure. 

In this context, the role of legal consultants is crucial. Beyond ensuring compliance with the PDP Law, legal consultants can assist companies in drafting privacy policies, structuring agreements with partners, and establishing transparent communication procedures for customers. By striking the right balance between legal compliance and business practicality, insurance companies can strengthen their data governance framework while maintaining the trust of both regulators and customers. 

As the insurance ecosystem grows increasingly complex, collaboration with multiple parties demands more cautious and measurable data governance. Compliance with data protection regulations is not merely about meeting legal requirements; it also involves ensuring that business processes remain secure, accountable, and sustainable. 

To learn more about compliance and data protection strategies in the financial sector, visit the Personal Data Protection Team at ADCO Law. 

***

About ADCO Law:

ADCO Law is a law firm that offers clients a wide range of integrated legal services, including commercial transactions and corporate disputes in a variety of industry sectors. Over the course of more than a decade, we have grown to understand our clients’ industries and businesses as well as the regulatory aspects. In dealing with business dynamics, we provide comprehensive, solid legal advice and solutions to minimize legal and business risks.

From Upstream to Downstream, We Understand Your Industry. In complex transactions and certain cases, we actively engage with financial, tax, and environmental specialists, accountants, and law firms from various jurisdictions to add value to our clients. Our strong relationships with Government agencies, regulators, associations, and industry stakeholders ensure that our firm has a holistic view of legal matters.

ADCO Law is a Proud Member of the Alliott Global Alliance (AGA) in Indonesia. Founded in 1979, AGA is one of the largest and fastest-growing global multidisciplinary alliances, with 215 member firms in 95 countries. As a law firm, we also believe in regeneration. To stay abreast of business changes and stay relevant, our team of lawyers is made up of top graduates from Indonesian and international law schools.