The COVID-19 pandemic is still hitting several countries in the world, one of which is Indonesia. The Indonesian government has made various efforts to prevent the spread of the COVID-19 virus. One of them is the launch of the Peduli Lindungi application to track every possible transmission. The launch of this application is based on the Decree of the Minister of Communication and Informatics No. 171 of 2020 concerning the Determination of Peduli Lindungi Application in the Framework of Health Surveillance for The Handling of Corona Virus Disease 2019 (COVID-19). However, the use of this application still has the potential to jeopardize the security of users' personal data. The purpose of this research is to discover potential breaches of personal data protection and to present the concept of Privacy by Design to be applied in the protection of personal data in the Peduli Lindungi application. The research method used is the normative research method. The results showed that the use of the Peduli Lindungi application has the potential to cause a breach of personal data security as regulated in the ITE Act. Access to data stored on the user's mobile device is not made clear or notified to the user when they start using the application. In addition, the application does not explain who can access and process the data. It is also not yet clear whether the personal data in this application will be automatically deleted when the COVID-19 pandemic is over, considering that the Peduli Lindungi application is temporary. Potential violations arise because the protection of personal data has not been fully realized. To avoid potential breaches of personal data protection and to realize complete protection of personal data, the government can apply the concept of Privacy by Design in regulations related to the protection of personal data, both existing and future.