Indonesia is not on the UK's current adequacy list, which means moving personal data from a UK client to an Indonesia-based marketing or GEO agency is legally a "restricted transfer" under UK GDPR. This is not a reason to avoid working with an Indonesia-based specialist. It is a defined, solvable compliance step involving an International Data Transfer Agreement and a completed data protection test, and it should be resolved before a contract is signed, not discovered afterward.
This guide sets out exactly what UK GDPR requires of a foreign agency, what has changed under the Data (Use and Access) Act 2025, and what the realistic penalty exposure looks like if the paperwork is skipped. None of this is legal advice; it is a plain-language map of the compliance terrain so a UK buyer or an offshore agency can ask the right questions before, rather than after, a data-sharing relationship begins.
Why UK GDPR Applies to an Indonesia-Based Agency at All
Under Article 3(2) of the UK GDPR, the framework applies to organisations based outside the UK if their processing activities relate to offering goods or services to individuals in the UK, or monitoring the behaviour of individuals in the UK. This applies regardless of whether the agency has any physical presence in the country. A marketing or GEO agency handling website analytics, audience data or content performance data relating to UK individuals is acting as a data processor on behalf of the UK client, who remains the data controller.
Processors under UK GDPR carry specific legal obligations: maintaining records of processing activities, operating under a valid data processing agreement with the controller, implementing appropriate technical and organisational security measures, and bearing legal liability for breaches within their remit. None of this is unique to Indonesia-based agencies. Any processor outside the UK, from the United States to Australia, faces the same baseline obligations. What makes Indonesia specifically a more involved case is the absence of an adequacy decision, covered below.
Full adequacy
EEA states, Andorra, Argentina, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, South Korea, plus the UK-US Data Privacy Framework extension
Named priority, not decided
Indonesia sits alongside India, Brazil, Kenya, Singapore, Australia, the US, Colombia and the DIFC as one of ten future priority destinations, with no decision made or timeline set
What "Restricted Transfer" Actually Requires
Because there is no adequacy regulation covering Indonesia, a UK client sending personal data to an Indonesia-based agency must rely on an "appropriate safeguard" under Article 46 of the UK GDPR. In practice this means the International Data Transfer Agreement, the ICO's own template, or the EU Standard Contractual Clauses plus the UK Addendum. Alongside the IDTA, the exporting organisation must complete what used to be called a Transfer Risk Assessment and has been renamed the "data protection test" under the Data (Use and Access) Act 2025, following the ICO's updated guidance published 15 January 2026.
The data protection test asks a narrower, more practical question than its predecessor. Under the pre-DUAA standard, organisations had to show the destination country's protection was "sufficiently similar" to the UK's. The new standard, introduced by the DUAA, asks whether protection is "not materially lower," a deliberately less exacting bar that the ICO has described as intended to make the UK's regime more business-friendly without lowering the underlying protection for individuals.
New rules for how to conduct this test took effect from 5 February 2026. Transfer risk assessments completed before that date under the old standard remain valid and do not need to be redone, according to the ICO's updated guidance. For a new engagement starting today, the practical sequence is: confirm no adequacy regulation applies, put the IDTA or Addendum in place, complete the data protection test under the new framework, and only then begin processing.
The Two Fine Tiers, and Which One Applies to What
UK GDPR fines operate on two tiers, and conflating them leads to either overstating or understating real risk. The lower tier, up to £8.7 million or 2% of global annual turnover, whichever is higher, applies to a defined set of less severe infringements, including the failure to appoint a required UK representative under Article 27. The higher tier, up to £17.5 million or 4% of global annual turnover, applies to more serious breaches of core data protection obligations, including an unlawful international transfer carried out without an appropriate safeguard in place.
| Violation | Fine tier | Maximum penalty |
|---|---|---|
| Failing to appoint a required UK Article 27 representative | Lower tier | £8.7 million or 2% of global turnover |
| Transferring personal data without an appropriate safeguard | Higher tier | £17.5 million or 4% of global turnover |
| Other serious breaches of core data protection principles | Higher tier | £17.5 million or 4% of global turnover |
In practice, the ICO issues a notice of intent with a proposed fine before any final penalty, and organisations have a window to respond. British Airways' 2020 fine, for example, was reduced from a proposed £183 million to a final £20 million after representations. The maximum figures in the table above are ceilings, not typical outcomes, but they define the exposure a UK client is accepting on paper when personal data moves without the right paperwork in place.
The Article 27 Representative Question
Separately from the transfer mechanism, an overseas organisation that regularly processes UK residents' personal data without a UK branch, office or other physical presence may need to appoint a UK representative under Article 27. The representative acts as a UK-based contact point for data subjects and the ICO, holds a copy of the organisation's records of processing activities, and supports communication between the overseas organisation and UK stakeholders.
The requirement does not apply to public authorities, and it has a narrow exception for processing that is occasional, does not involve large-scale special category data, and poses no material risk to individuals' rights. A GEO or digital marketing agency systematically managing multiple UK client retainers, each involving website analytics or campaign data, would not typically meet all three conditions of that exception. In practice, UK representative services are commercially available from specialist privacy consultancies at transparent annual pricing, making this a manageable line item rather than a structural barrier to serving UK clients.
Business Registration, Tax and Contractual Jurisdiction
A separate question from data protection, and one UK compliance teams frequently raise alongside it, is whether a foreign agency needs to register as a UK company to serve UK clients lawfully. It does not, provided the agency does not maintain a permanent establishment in the UK, meaning a fixed place of business or a dependent agent habitually concluding contracts on its behalf. An Indonesia-based agency operating remotely, without a UK office or UK-based staff signing UK contracts, falls outside this requirement and can serve UK clients without UK company registration.
What a UK client should expect instead is contractual clarity on the points registration would otherwise settle by default: which jurisdiction's law governs the contract, which is Indonesian law by default unless the agreement specifies otherwise, how disputes are resolved, and what currency invoices are issued in. Many UK SME and enterprise procurement processes also run standard supplier due diligence covering data processing compliance, professional indemnity insurance, and anti-bribery attestations under the UK Bribery Act 2010, and a well-prepared agency should be able to satisfy this due diligence with documented answers rather than treating it as an unusual request.
The Data (Use and Access) Act received Royal Assent on 19 June 2025, and its data-protection provisions began commencing through early 2026, with key rules for international transfers taking effect on 5 February 2026. Beyond renaming the Transfer Risk Assessment, the Act introduced a broadened "recognised legitimate interests" basis that reduces documentation burden for certain categories of processing, relaxed cookie consent rules that permit analytics cookies in some contexts without explicit consent, and a new framework for automated decision-making with narrower prohibitions than before, provided human oversight and dispute-resolution safeguards remain in place.
From 19 June 2026, organisations subject to UK GDPR are additionally required to update their privacy notices and introduce formal data protection complaint procedures. This is a separate deadline from the February 2026 transfer-rules commencement, and both should be tracked independently rather than treated as a single "DUAA compliance date."
What This Means in Practice for a GEO or Marketing Retainer
For most GEO and digital marketing engagements, the personal data in question is relatively low-risk: website analytics, campaign performance data, and audience segments, rather than special category data like health or financial records. That lowers the practical risk profile but does not remove the legal requirement to complete the data protection test and put a transfer mechanism in place. A UK compliance team evaluating an Indonesia-based agency should expect to see, before signing, a ready-to-execute IDTA, a completed or scoped data protection test, and clarity on whether a UK Article 27 representative is already appointed or will be for the engagement.
Why the Cookie and Automated-Decision Changes Matter for GEO Specifically
Two of the DUAA's changes sit closer to day-to-day GEO and marketing work than the headline transfer-rules update, and are worth understanding on their own terms rather than as footnotes to the adequacy question.
The relaxed cookie consent rules permit analytics and website-optimisation cookies without explicit user consent in some contexts, provided the processing is solely to understand aggregate visitor behaviour, does not identify individual users, and the platform offers a simple, conspicuous, free opt-out. For a GEO programme that depends on tracking AI-referral traffic from chatgpt.com, perplexity.ai and similar sources through GA4, this narrows the compliance burden for the analytics layer specifically, though it does not remove the need for a lawful basis for any processing that does identify individuals, such as CRM-linked campaign data.
The amended Article 22 on automated decision-making narrows the prior prohibition. Significant automated decisions, which can include AI-driven content personalisation or real-time marketing segmentation, can now proceed on any valid lawful basis including legitimate interest, provided meaningful human oversight and dispute-resolution safeguards are actively maintained. This is directly relevant to GEO programmes that use AI tooling to personalise content variants or route audience segments, because it changes the legal basis available without changing the underlying requirement that a human remains able to review and correct the system's decisions.
Due-Diligence Questions a UK Buyer Should Actually Ask
Beyond the paperwork itself, a UK compliance or procurement team evaluating an Indonesia-based GEO or marketing agency can use a short set of due-diligence questions to test whether the agency's compliance posture is genuine rather than assembled for the pitch. Does the agency have a standing IDTA template ready to execute, rather than one that needs to be drafted after the contract is signed? Has the agency completed a data protection test for a comparable prior UK engagement, and can it describe the process rather than just claim it happened? Does the agency have a named point of contact for UK representative obligations, even if that role sits with a specialist consultancy rather than an in-house hire? And critically, does the agency distinguish between the data categories involved in a typical GEO engagement, mostly analytics and campaign performance data, and higher-risk categories like health or financial records, where the compliance bar is meaningfully higher?
An agency that answers these questions with specifics, rather than general reassurance, is demonstrating the same kind of evidentiary standard that a genuine GEO capability claim should meet. The two questions, compliance readiness and citation-tracking rigour, are different but run on the same underlying logic: ask for the process, not the promise.
An agency that treats this as a pre-built part of its onboarding process, rather than something assembled after a client asks, is signalling operational maturity that goes beyond the specific legal requirement. It is one of the clearest practical differences between an agency that has actually served UK clients before and one that is entering the market for the first time. We cover the equally important question of how to evaluate an agency's actual GEO capability, as distinct from its compliance readiness, in a companion piece on telling genuine UK GEO specialists from rebranded SEO agencies.
Our own approach to this is set out on our core GEO service page, where UK GDPR readiness sits alongside the citation-tracking methodology rather than as an afterthought. For a broader treatment of regulation and compliance as it intersects with GEO globally, not just in the UK, Tessar Napitupulu's Cited or Silent devotes a full chapter to the compliance dimension of cross-border AI-visibility work.
Frequently Asked Questions
Does Indonesia having no UK adequacy decision mean the transfer is illegal?
No. It means the transfer cannot rely on adequacy as the legal basis and must instead use an appropriate safeguard, most commonly the International Data Transfer Agreement, along with a completed data protection test. With that paperwork in place, the transfer is lawful.
Who is responsible for completing the data protection test, the UK client or the Indonesia-based agency?
Under UK GDPR, the exporting organisation, meaning the UK-based data controller, bears primary responsibility for ensuring an appropriate safeguard and test are in place. In practice, a well-prepared agency will offer a ready-to-sign IDTA and a completed or scoped test to reduce the UK client's compliance burden, but the legal responsibility sits with the exporter.
Is a UK Article 27 representative the same as a Data Protection Officer?
No. These are two separate roles with different legal bases, different triggering conditions and different functions. A Data Protection Officer is required under Article 37 for certain categories of organisation based on the nature and scale of processing. A UK representative is required under Article 27 for non-UK organisations without a UK presence that process UK residents' data. One organisation may need both, either or neither.
Will this compliance burden disappear if the UK grants Indonesia adequacy in the future?
If that decision is made, the biggest piece of friction, the need for an IDTA and a data protection test for every transfer, would disappear, and the compliance position would simplify significantly. As of this article's research, no timeline exists for that decision, so the current safeguards remain the operative requirement.
What happens if a UK client's compliance team rejects an Indonesia-based agency outright because of the adequacy gap?
That is a legitimate, conservative position for a highly risk-averse buyer, particularly one handling special category data. For the large majority of GEO and marketing engagements involving standard analytics and campaign data, the IDTA and data protection test are a well-established, ICO-recognised route that many UK organisations already use for transfers to non-adequate countries, so an outright rejection is more often a policy choice than a legal necessity.
Do the DUAA's relaxed cookie rules mean a GEO agency no longer needs consent for analytics tracking?
Not entirely. The relaxation applies specifically to analytics and website-optimisation cookies used solely to understand aggregate visitor behaviour, where the platform offers a simple, free opt-out and no individual is identified. Any tracking that identifies individuals, or feeds into CRM-linked campaign data, still requires a proper lawful basis under UK GDPR regardless of this change.
Does an Indonesia-based agency need to register as a UK company to work with UK clients?
No, provided it does not maintain a permanent establishment in the UK, meaning a fixed place of business or a dependent agent habitually concluding UK contracts on its behalf. What matters instead is contractual clarity on governing law, dispute resolution and invoicing currency, since Indonesian law applies by default unless the contract specifies otherwise.
Sources & References:
- Information Commissioner's Office, "Adequacy regulations" guidance, updated 15 January 2026, on the current list of adequate countries and Indonesia's status as a named future priority destination.
- Information Commissioner's Office, "A brief guide to international transfers" and detailed international-transfers guidance, updated 15 January 2026, on the IDTA, appropriate safeguards and the data protection test.
- Freshfields Bruckhaus Deringer and Kennedys Law, legal analysis of the ICO's January 2026 international-transfers guidance, on the data protection test rules taking effect from 5 February 2026.
- GDPRLedger and LegalClarity, UK GDPR enforcement analysis, on the two-tier fine structure (£8.7 million/2% and £17.5 million/4%) and illustrative ICO enforcement outcomes including British Airways and Marriott International.
- GRC Solutions and Captain Compliance, guidance on UK GDPR Article 27 representative requirements, exceptions and associated fine exposure.
- UK Government, Data (Use and Access) Act 2025, Royal Assent 19 June 2025, and associated legal commentary on commencement dates for data-protection provisions.
- UK company law and permanent establishment guidance, and the UK Bribery Act 2010, on the business registration, contractual jurisdiction and supplier due-diligence position of a foreign agency serving UK clients remotely.