<![CDATA[The rapid digital transformation and growth of e-commerce in Indonesia have triggered a high volume of personal data transfers between controllers. while Article 55 of the Personal Data Protection Law (UU PDP) provides only a general authorization without clear technical guidance, creating legal uncertainty and risks to data subject rights. This study analyzes the legal uncertainty of UU PDP’s regulation of controller-to-controller data transfers compared to the EU GDPR and proposes an accountable and transparent mechanism tailored to Indonesia. A normative and comparative legal method is employed, examining legislation, the principles of transparency and accountability, and a comparison between Article 55 UU PDP and Article 46 GDPR on safeguards and Standard Contractual Clauses (SCCs). The findings reveal substantial gaps in technical standards, verification mechanisms, documentation, and enforcement, in contrast to the GDPR’s modular SCCs, mandatory DPIAs, records of processing activities, and effective supervisory powers. The absence of standardized contractual clauses and an operational supervisory authority in Indonesia weakens transparency and the fulfillment of data subject rights. The study recommends adopting Indonesia-specific SCCs, strengthening an independent supervisory authority, and implementing techno-regulation through privacy by design, encryption, and Data Loss Prevention. Harmonization with GDPR standards via SCCs and institutional strengthening is essential to ensure secure, transparent, and accountable controller-to-controller transfers.]]>
