AI Regulation Tracker / Court ruling
Indonesia Constitutional Court broadens DPO mandate: any single trigger now requires a data officer
Indonesia's Constitutional Court reinterpreted the personal data law so that meeting any one high-risk condition, not all three, forces a company to appoint a data protection officer. Banks, insurers, telcos and hospitals that relied on the old cumulative test are now caught.
Indonesia's Constitutional Court has quietly reshaped who must staff a data protection officer, and the change reaches deep into the country's largest regulated industries. In Decision No. 151/PUU-XXII/2024, decided on July 30, 2025, the court reinterpreted Article 53(1) of the Personal Data Protection Law, Law No. 27/2022. The practical result, as several law firms have reported, is that the statutory test for when a company must appoint a data protection officer now turns on a single trigger rather than three at once.
From "and" to "and/or"
The article had listed three conditions under which a controller or processor must appoint a data protection officer: processing for the public interest, large-scale regular and systematic monitoring of data subjects, and large-scale processing of sensitive or specific personal data. Because the conditions were joined by the word "dan" ("and"), some organizations read the law to require all three before the duty attached. According to alerts from Rajah & Tann Asia and Assegaf Hamzah & Partners, the court held the "and" wording to be conditionally unconstitutional and required it to be read as "dan/atau" ("and/or"). Meeting any one condition is now enough.
That reading, the firms report, rests on the court's view that the original cumulative wording contradicted the legislature's intent and weakened the personal-security protections the 1945 Constitution guarantees. In plain terms, a test that required a company to fail on all three counts before any duty attached would have let the largest data processors avoid the very obligation the law was written to impose. The court closed that gap by treating the three conditions as alternatives.
The distinction is not academic. A cumulative test is easy to defeat: an organization needed only to show it fell short on one of the three conditions to argue the DPO duty never arose. An "and/or" test reverses that logic. The burden now runs the other way, and a controller has to satisfy itself that none of the three conditions applies before concluding it has no appointment duty.
Why banks, insurers, telcos and hospitals are exposed
The organizations most affected are exactly the ones that process personal data at scale. A bank running large-scale monitoring for fraud and credit decisions, an insurer handling large volumes of health data, a telecom operator tracking subscriber behavior, or a hospital processing patient records can each satisfy one of the three triggers on its own. Under the earlier cumulative reading, some of these firms argued they fell outside the requirement. That argument no longer holds. If a single condition applies, the appointment duty applies.
It bites now, without a new regulation
A central feature of this development is timing. Constitutional Court rulings in Indonesia are final and binding, and this one is self-executing, meaning no implementing government regulation is needed for it to take effect. This matters because Indonesia's broader data-protection machinery remains incomplete: the implementing government regulation for the PDP Law and the independent data-protection authority have not yet been finalized. Companies waiting for that framework before acting should note that the DPO trigger does not wait for it. The obligation stands on the ruling alone.
What it does not do
The decision does not create a new penalty regime, and it does not define the operational detail of the DPO role, such as reporting lines, qualifications or day-to-day duties. Those procedural questions are expected to sit in the pending implementing regulation. Nor does it change the underlying three categories; it changes only how they combine. A controller that meets none of the three triggers still has no DPO appointment duty under this article.
The cross-border angle
For a US reader, the reach is direct. The PDP Law applies extraterritorially where processing targets Indonesian data subjects, so a global group with an Indonesian nexus cannot treat this as a purely local issue. A multinational that satisfies even one trigger through its Indonesian-facing operations should ensure its data protection officer coverage extends to those activities rather than assuming a regional or headquarters function is sufficient. The safer course is to localize DPO responsibility for the Indonesian footprint.
Because primary-source detail on the exact holding is best confirmed against the court's own record, professionals relying on this for a compliance decision should verify Decision No. 151/PUU-XXII/2024 directly at mkri.id and read it alongside their counsel's analysis.
Frequently Asked Questions
What exactly did Indonesia's Constitutional Court change about the DPO requirement?
In Decision No. 151/PUU-XXII/2024, the court reinterpreted Article 53(1) of Law No. 27/2022 so that its three conditions are read with "and/or" instead of "and." A controller or processor must now appoint a data protection officer if it meets any single trigger, where previously the conditions appeared to apply cumulatively.
Who has to worry about this now?
Any controller or processor that meets one of the three triggers: public-interest processing, large-scale regular and systematic monitoring, or large-scale sensitive-data processing. In practice that captures many banks, insurers, telecom operators and hospitals, including foreign groups processing Indonesian residents' data.
Is this in force, or do we wait for a regulation?
It is in force. Constitutional Court rulings are final and binding, and this one is self-executing, so it applies without a new implementing regulation. The pending PDP implementing regulation is expected to add procedural detail on the DPO role but is not required for the trigger itself to bite.
What is the single most useful thing to do first?
Run the three triggers as separate tests against your Indonesian processing activities and document the outcome for each. If any one applies, treat the DPO appointment as required and confirm the holding against the court record at mkri.id with counsel.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.