Clarification on DPO Appointment: Constitutional Court Resolves Ambiguity in PDP Law

A recent Constitutional Court ruling in Indonesia has clarified an ambiguity in Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), particularly around the requirement to appoint a Data Protection Officer (“DPO”). Previously, it was unclear whether all listed conditions had to be met or if just one was enough. The Court, through Decision No. 151/PUU-XXII/2024, confirmed that fulfilling any one condition is sufficient to trigger the obligation.

This decision broadens the scope of who must appoint a DPO and is in line with the international practice.

Previous Reading: A Narrow and Cumulative Interpretation

Previously, Article 53 paragraph (1) of the PDP Law listed three conditions that could trigger the requirement to appoint a DPO: 

1. processing personal data for public services;
2. the core activity requires systematic and regular monitoring of personal data in large scale; and 
3. the core activity consist of large scale processing of sensitive or criminal-related personal data. 

However, because the article used the conjunction “and,” many thought this means that all three conditions had to be met before the DPO requirement applied. This created uncertainty and significantly narrowed the obligation, as only a small number of organisations fit all three criteria.

The Constitutional Court’s Intervention

Through Decision No. 151/PUU-XXII/2024, the Constitutional Court ruled that the word “and” in Article 53 paragraph (1) should be read as “and/or.” The Court found that requiring all three conditions to be fulfilled was too restrictive and undermined the very purpose of the PDP Law. The new interpretation means that a DPO must be appointed if any one of the three conditions applies. 

This clarification changes the compliance of the PDP Law. The new interpretation has larger coverage in terms of who is obligated to appoint a DPO. It ensures better security or protection over personal data processing activities.

Conclusion

The Decision represents an important change in Indonesia’s personal data protection framework. By clarifying that the DPO obligation applies when any one of the triggering conditions is present, an ambiguity has been cleared, and this strengthens the protection of personal data in Indonesia. 

As the regulatory environment keeps evolving, organisations should take this opportunity to revisit their data processing activities and ensure they have a qualified DPO in place. If you have any questions or would like assistance in assessing how this ruling impacts your organisation, please don’t hesitate to contact us at [email protected] and [email protected].