Article 53(1) of the Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”) stipulates that personal data controllers and personal data processors must appoint a Data Protection Officer (“DPO”) if:
- processing of personal data is for the benefit of public services;
- the personal data controller's core activities are of a nature, scope, and/or purpose that require regular and systematic monitoring of personal data on a large scale; and
- the personal data controller's core activities consist of large-scale processing of personal data for specific personal data (i.e., information that may have a significant impact on the individual, such as health information, biometric information, genetic information, information relating to children, information concerning an individual’s assets, etc.) and/or personal data related to criminal acts.
From a literal reading of Article 53(1) of the PDP Law, an organisation or company acting as a personal data controller or personal data processor would be required to appoint a DPO only if all the criteria listed under Article 53(1) are met. The use of the coordinating conjunction “and” implies that the three criteria are cumulative, and therefore all must be met to trigger the obligation to appoint a DPO.
However, on 30 July 2025, the Indonesian Constitutional Court issued Decision No. 151/PUU-XXII/2024, which clarified that the obligation to appoint a DPO is triggered if any one of the three criteria under Article 53(1) is met. The decision resulted from a petition filed by a group of practitioners who challenged Article 53(1) of the PDP Law, arguing that each criterion under Article 53(1) constitutes a high-risk activity and should therefore independently trigger the obligation to appoint a DPO. The petitioners sought to replace “and” with “and/or” so that the obligation to appoint a DPO would apply upon the fulfilment of any of the criteria listed under Article 53 (1) of the PDP Law, thereby strengthening and aligning the provision with the constitutional right to personal security under Article 28G (1) of the amended 1945 Constitution. This Constitutional Court decision is final and binding.
The Constitutional Court decision noted the government position that using the coordinating conjunction “and” in Article 53(1) of the PDP Law creates legal uncertainty and undermines the PDP Law’s objective of ensuring adequate personal data protection. The Constitutional Court sided with the petitioners and decided that Article 53(1) of the PDP Law should be interpreted as using the coordinating conjunctions “and/or”, making each of the listed criteria sufficient to trigger the obligation to appoint a DPO.
This means organisations now need a DPO if they meet any one of the three conditions: providing public services, conducting large-scale monitoring of personal data or processing large-scale sensitive data. This ruling requires organisations operating in Indonesia to promptly assess their data processing activities against the DPO appointment requirement. Failure to appoint a DPO leaves organisations vulnerable to penalties under the PDP Law and significantly increases their risk when facing data privacy issues. The DPO’s duties include advising the personal data controller or personal data processor on compliance with the PDP Law, monitoring and ensuring such compliance, providing advice on data protection impact assessments, and serving as the liaison for matters related to personal data processing.
Additionally, PDP Law stipulates that a DPO must be appointed based on professionalism, legal knowledge, personal data protection practice, and ability to fulfil their duties.
The PDP Law allows the data controller or data processor to appoint a DPO from within and/or outside of the organisation. Currently in Indonesia, the Indonesian Data Privacy Professionals Association (APPDI) provides the certification for such a profession.
It is important that for organisations operating in Indonesia to seek expert advice on privacy governance to ensure compliance with the PDP Law. Proactive measures, including DPO appointment, strengthened data protection standards now in effect in Indonesia. As we have the Indonesian lawyer who has the DPO qualification, please feel free to contact us if your company requires to appoint a DPO.
TMI Indonesia Practice Group