The enactment of Law No. 27 of 2022 regarding Personal Data Protection (“PDP Law”) marked a significant step in Indonesia’s effort to strengthen personal data governance, including the requirement to appoint Data Protection Officer (“DPO”). This update will discuss on how the Constitutional Court Decision No. 151/PUU-XXII/2024 (“Decision No. 151/2024”) impacting the implementation of DPO appointment in Indonesia.
DPO: Safeguarding Compliance with Personal Data Protection
DPO gained prominence under the European Union General Data Protection Regulation (“GDPR”). As data protection obligations expanded not only in Europe, but globally, the role of the DPO evolved from a supportive function into a core element of compliance governance.
Recognizing the growing importance of the DPO role in ensuring data governance, Indonesia has incorporated similar requirements into its regulatory framework through PDP Law, following the model introduced by the GDPR. However, Indonesia adopts different circumstances that determine when a Personal Data Controller or Personal Data Processor is required to appoint a DPO. Article 53 PDP Law outlines the obligation for a Personal Data Controller and Personal Data Processor to appoint a DPO as follows:
“Personal Data Controller and Personal Data Processor must appoint DPO in the following circumstances:
1. processing of personal data for public services purpose;
2. core activities of Personal Data Controller have a nature, scope, and/or purpose that requires regular and systematic monitoring of personal data on a large scale; and
3. core activities of Personal Data Controller consist of a large-scale processing of specific persona data and/or personal data related to criminal offences.”
This cumulative nature of the conditions set forth in Article 53 above means that the obligation arises only when all criteria are fulfilled.
In contrast, Article 37 paragraph (1) GDPR sets out alternative conditions, the appointment of a DPO is required if any of the listed criteria is met. This fundamental difference underscores that the threshold for mandatory DPO appointment under Indonesian law is narrower than that under the GDPR.
Affirming the Role of DPO through Judicial Review Mechanism
The cumulative nature of Article 53 PDP Law was challenged through a judicial review mechanism at the Constitutional Court. The applicants questioned the constitutionality of the word “and” at the end of letter b in Article 53 paragraph (1) PDP Law, which sets the threshold for mandatory appointment of a DPO by requiring that all three conditions (letter a, b, and c) must be met. The petition requested that the term be revised to “and/or”, so that the fulfillment of any circumstances is sufficient to trigger the obligation.
Side Note
The DPO role is not limited to legal professionals. Individuals with an information technology or data management background may also serve as DPOs, provided they possess a strong understanding of both legal obligations and the technical aspects of personal data processing.
The Constitutional Court fully granted the petition by issuance of Decision No. 151/2024 which stipulates that Article 53 paragraph (1) letter b PDP Law must be interpreted “and/or”.
Consequently, if Personal Data Controller and/or Personal Data Processor satisfies even one of the listed criteria, the obligation to appoint a DPO arises. This interpretation reflects a more proportionate approach to the risks inherent in modern data processing and strengthens the PDP Law’s ability to ensure effective protection in today’s increasingly complex digital environment.
Following Decision No. 151/2024 and considering that the PDP Law is already in effect, a broader range of organizations is now required to DPO. For instance, an e-commerce company which has thousand consumers in which the company processes their financial data. The company can considerably conduct process a large scale of specific data. Hence, the e-commerce company would be required to appoint a DPO, as it meets the criterion under Article 53 paragraph (1) letter c PDP Law. This development highlights the increasing importance of ensuring compliance readiness, particularly for businesses engaging in high-risk or high-volume data processing activities.
Awaiting Further Regulation: What’s Next for DPO Compliance
Despite the Decision No. 151/2024 and the formal enactment of the PDP Law, Indonesia’s personal data protection framework still lacks comprehensive implementing regulations. To date, there is only a draft of Government Regulation (Rancangan Peraturan Pemerintah or “RPP”) on Personal Data Protection which lastly updated in August 2023. Nonetheless, the obligation to appoint a DPO, as clarified by the Constitutional Court and stipulated in Article 53 PDP Law, remains legally effective and enforceable. Please note that failure to appoint DPO if the company meets criteria under Article 53 PDP Law will lead to administrative sanction.
In practice, even in the absence of complete implementing regulations, having a DPO can provide significant benefits to organizations, particularly in strengthening personal data governance, ensuring Data Protection Impact Assessment (DPIA) and Record of Processing Activities (ROPA) are made and updated in accordance with PDP Law, and demonstrating accountability to both regulators and personal data subjects.
____________________________________________________________________________________________________________________________
Marieta Mauren is proud to be recognized as an Elite I Law Firm in the Data Protection category by HukumOnline. This recognition reflects our continued commitment to providing excellence in legal advisory, compliance strategy, and regulatory support in Indonesia’s evolving data protection landscape.
Any requests for personal data compliance services can be submitted to our Partner in-charge:
Windri Marieta, S.H., FCIArb., C.L.A.
Partner
(+62) 811-9201-660