Constitutional Court consideration
Before the Constitutional Court's judgement, Article 53 paragraph (1) of the PDP Law states the following:
"Data controllers and data processors are required to appoint a DPO in case that:
- The personal data processing is for the purpose of public services;
- The core activities of the data controllers have the characteristics, scope, and/or purposes that require regular and systematic monitoring of personal data on a large scale (it remains unclear as to what is deemed as "large scale"); and
- The core activities of the data controllers consist of large-scale processing of personal data that is of a specific nature and/or personal data related to criminal acts."
The use of the conjunction "and" on Article 53 paragraph (1) of the PDP Law resulted in a cumulative interpretation of the requirements for appointing a DPO, meaning that all three criteria listed in points a, b, and c must be met before the obligation was triggered. Given that each of these criteria involves high-risk data processing activities, the applicants argued that the provision must not be interpreted cumulatively. The applicants contended that this approach undermines the protection of personal data and is inconsistent with the 1945 Indonesian Constitution, which guarantees the right to personal protection.
Given the above, the applicants requested that Article 53 paragraph (1) of the PDP Law must be construed using a cumulative-alternative approach by using the term "and/or", so that the obligation to appoint a DPO arises if any one of the listed criteria is met.
The Constitutional Court fully granted the applicants' petition. The Constitutional Court determined that Article 53 paragraph (1) of the PDP Law is unconstitutional and lacks binding legal force to the extent that it is not interpreted using a cumulative-alternative approach with "and/or". As such, following the Constitutional Court judgment, Article 53 paragraph (1) of the PDP Law should be read and construed as follows:
"Data controllers and data processors are required to appoint a DPO in case that:
- The personal data processing is for the purpose of public services;
- The core activities of the data controllers have the characteristics, scope, and/or purposes that require regular and systematic monitoring of personal data on a large scale; and/or
- The core activities of the data controllers consist of large-scale processing of personal data that is of a specific nature and/or personal data related to criminal acts."
Conclusion and enforcement
Following the Constitutional Court judgment, Article 53 paragraph (1) of the PDP Law must now be interpreted to require data controllers and data processors to appoint a DPO if any one or more of the conditions in points a, b, or c are met, applying a cumulative-alternative approach rather than requiring all conditions to be fulfilled.
While we have not seen an increase in enforcement of the DPO requirement by the Ministry of Communication and Digital (or any other authorities) following the Constitutional Court judgment, the Ministry of Communication and Digital has been (and is still) asking data controllers and data processors to comply with the provisions of the PDP Law despite the absence of its implementing regulation, especially the DPO requirement. Now with the Constitutional Court judgment, this leaves less room for data controllers and data processors to argue that they do not met the triggering threshold/criteria of the DPO requirement.
* * * * *
© 2025 HHP Law Firm. All rights reserved. In accordance with a common terminology used in professional service organizations. reference to a "partner" means a person who is a partner, or equivalent in such a law firm. Similarly reference to an "office" means the office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome
