DFDL Indonesia Legal Update: Constitutional Court Lowers Threshold for Appointing Data Protection Officer

In Asean UpdatesPosted

Key Development

The Constitutional Court (Decision No. 151/PUU-XXII/2024) has clarified the interpretation of Article 53(1) of Law No. 27/2022 on Personal Data Protection Law (PDP Law).

Article 53(1) of PDP Law requires the appointment of a Personal Data Protection Officer (PDPO) if:

  1. processing is carried out for public services;
  2. core activities require periodic/systematic monitoring of personal data in large scale; and
  3. core activities involve the processing specific personal data and/or criminal action related personal data in large scale.

The Constitutional Court ruled that the word “and” must be read as “and/or”, meaning each criterion now independently triggers the obligation to appoint PDPO.

 

Implications

  • Lower threshold: Meeting just one condition is sufficient to require a PDPO.
  • Broader coverage: More companies (including private businesses handling large scale personal data) are now obligated.
  • Action point: Businesses should reassess their data processing activities and prepare to appoint a PDPO where any one of the criteria applies.

This landmark decision significantly broadens the scope of businesses required to appoint a PDPO in Indonesia. Should you need further assistance in assessing your company’s obligations or in setting up compliance measures, please do not hesitate to reach out to us!

Related Posts

Deal Announcement: DFDL Advises Groundbreaking Hotel101 Investment in Cambodia
DFDL Vietnam Legal Update: Draft Amended Law on Deposit Insurance Released for Public Consultation
DFDL Vietnam Legal Update: Vietnam’s New Cybersecurity Law to Take Effect January 2026
DFDL Vietnam Legal Update: First Draft of the Law on E-Commerce Released for Public Consultation