Key Development
The Constitutional Court (Decision No. 151/PUU-XXII/2024) has clarified the interpretation of Article 53(1) of Law No. 27/2022 on Personal Data Protection Law (PDP Law).
Article 53(1) of PDP Law requires the appointment of a Personal Data Protection Officer (PDPO) if:
- processing is carried out for public services;
- core activities require periodic/systematic monitoring of personal data in large scale; and
- core activities involve the processing specific personal data and/or criminal action related personal data in large scale.
The Constitutional Court ruled that the word “and” must be read as “and/or”, meaning each criterion now independently triggers the obligation to appoint PDPO.
Implications
- Lower threshold: Meeting just one condition is sufficient to require a PDPO.
- Broader coverage: More companies (including private businesses handling large scale personal data) are now obligated.
- Action point: Businesses should reassess their data processing activities and prepare to appoint a PDPO where any one of the criteria applies.
This landmark decision significantly broadens the scope of businesses required to appoint a PDPO in Indonesia. Should you need further assistance in assessing your company’s obligations or in setting up compliance measures, please do not hesitate to reach out to us!
The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.
