The enactment of Law Number 27 of 2022 on Personal Data Protection (PDP Law) has significant implications for the authority of the Audit Board (BPK) to obtain audit documents. This study employs a normative legal analysis to examine the legal implications of the PDP Law for BPK’s authority, drawing on statutory and comparative legal analysis. The findings indicate that the principle of the “Right to Be Forgotten,” which grants data subjects the right to request that data controllers erase, deactivate, or remove their personal data from electronic systems, is not absolute, as it is subject to statutory limitations and exceptions. This study argues that, although the BPK has attributive authority stemming from the constitution, audit activities related to the management and accountability of state finances are not explicitly covered by the PDP Law's exceptions. Through comparative analysis and case law, this article proposes key suggestions, including the reconceptualization of exception frameworks and the development of a regulatory roadmap, to ensure the effectiveness of audit functions while safeguarding data subjects’ rights.
Copyrights © 2025