Knowledge Highlights 9 September 2025
Indonesia’s Constitutional Court clarifies requirement to appoint Data Protection Officer under PDP Law
On 30 July 2025, Indonesia’s Constitutional Court (“Court”) issued its decision on the judicial review of Law No. 27 of 2022 on Personal Data Protection (“PDP Law”). The case concerned Article 53(1) of the PDP Law, which regulates the appointment of Personal Data Protection Officers (“DPOs”). The provision lists three conditions which must be fulfilled cumulatively to trigger the appointment obligation. Through Decision No. 151/PUU-XXII/2024 (“Decision 151”), the Court overturned this cumulative interpretation and clarified that satisfying any one of the three conditions would be sufficient to trigger the appointment obligation.
This article summarises the findings of the Court. For a comprehensive review of the PDP Law, please see our article “An in-depth review of Indonesia’s data protection regime”.
Background
In September 2024, the petitioners before the Court challenged the constitutionality of the word “and” in Article 53(1) of the PDP Law, which reads as follows:
Personal Data Controller and Personal Data Processor are required to appoint an official or officer to carry out the function of Personal Data Protection in the event that:
- the processing of Personal Data is for the interest of public services;
- the core activities of the Personal Data Controller have the nature, scope, and/or purpose that require regular and systematic monitoring of Personal Data on a large scale; and
- the core activities of the Personal Data Controller consist of large-scale processing of Personal Data that is specific and/or Personal Data related to criminal acts.
The petitioners contended that the use of “and” at the end of paragraph (b) of Article 53(1) implied that entities would only be required to appoint a DPO if all three conditions as set out in paragraphs (a), (b), and (c) of Article 53(1) (“Conditions”) were met simultaneously. They argued that this formulation narrowed the scope of Personal Data Controllers and Personal Data Processors required to appoint a DPO, as only a small number of them would meet all Conditions at once. The petitioners also argued that the use of “and” could undermine the constitutional protection of personal data guaranteed under Indonesia’s Constitution as under Article 34(2) of the PDP Law, each Condition constitutes a personal data processing activity categorised as posing a high potential risk to data subjects, indicating that any one of these activities on its own may endanger data subjects’ rights.
The petitioners proposed that, as a solution to the concerns expressed, the word “and” be interpreted as “and/or”, which would expand the appointment obligation, enhance oversight of compliance, and ensure greater protection of data subjects’ rights.
Decision 151
The Court granted the petitioners’ request, ruling that the word “and” in Article 53(1)(b) of the PDP Law is inconsistent with the 1945 Constitution of the Republic of Indonesia and conditionally unconstitutional unless interpreted as “and/or”. Accordingly, the word “and” in Article 53(1)(b) of the PDP Law must be read as “and/or”. As a result, meeting any one of the Conditions triggers the mandatory appointment of a DPO.
Entities must now appoint a DPO if any of the following apply (emphasis added):
- The processing of Personal Data is for the interest of public services;
- The core activities of the Personal Data Controller have the nature, scope, and/or purpose that require regular and systematic monitoring of Personal Data on a large scale; and/or
- The core activities of the Personal Data Controller consist of large-scale processing of Personal Data that is specific and/or Personal Data related to criminal acts.
This clarification significantly broadens the scope of the Personal Data Controllers and Personal Data Processors subject to the DPO requirement. Businesses and organisations that previously fell outside the threshold must now reassess their data processing activities and prepare to appoint a DPO where any one of the conditions applies.
The PDP Law has been subject to three judicial reviews. In addition to Decision 151, aspects of the PDP Law were previously reviewed in Decisions Nos. 108/PUU-XX/2022 and 110/PUU-XX/2022, both dated 14 April 2023, where the Court rejected those petitions on different issues.
