Conventus Law

Conventus Law

by

On July 16, 2025, the Indonesian Constitutional Court (the “Court”) issued Decision No. 151/PUU-XXII/2024, declaring that Article 53 (1) of Law No. 27 of 2022 regarding Personal Data Protection (“PDP Law”) is unconstitutional (“Court Decision No. 151/2024”).

In practical terms, this ruling lowers the threshold for when organizations are required to appoint a Data Protection Officer (“DPO”). Previously, all three conditions in Article 53 (1) had to be met. Now, satisfying any one of the conditions is sufficient. As a result, more data controllers and processors will now be required to appoint a DPO.

As the primary legal framework governing data protection in Indonesia, the PDP Law requires organizations engaging in certain types of personal data processing, whether acting as data controllers or data processors, to appoint a DPO. The DPO is responsible for overseeing compliance with data protection obligations and mitigating the risks of personal data protection breaches. 

Appointment of DPO under the PDP Law Prior to Court Decision No. 151/2024

Prior to the ruling, Article 53 (1) of the PDP Law required the appointment of a DPO only if the following cumulative conditions were met: 

  1. the processing of personal data for the purpose of providing public services;
  2. the core activities of the personal data controller, by their nature, scope and/or purpose, required regular and systematic large-scale monitoring of personal data; and
  3. the core activities of the personal data controller involved the large-scale processing of specific types of personal data and/or personal data related to criminal offenses.

Failure to appoint a DPO may result in administrative sanctions, which may include (i) a written warning; (ii) temporary suspension of personal data processing activities; (iii) deletion or destruction of the relevant personal data; and/or (iv) the imposition of administrative fines. Administrative fines may be imposed up to a maximum of 2% of the violator’s annual revenue or annual income, with the calculation taking into account the nature and extent of the violation. 

However, the spirit of Article 53 (1) of the PDP Law has been deemed to contradict Article 28G (1) of the 1945 Constitution of Indonesia (“Constitution”), as it potentially restricts personal data protection and infringes upon the constitutional right to personal security and privacy guaranteed therein. 

The application for the Constitutional Court review challenged the constitutionality of the conjunctive term “and,” which establishes a cumulative requirement, on the grounds that it could unduly narrow the scope of protection, particularly in cases involving high-risk personal data processing, and thereby undermine the effectiveness of the safeguards intended under the PDP Law.

High-Risk Data Processing under the PDP Law

According to Article 34 (2) of the PDP Law, both data controllers and processors that satisfy one or more of the following criteria are deemed to be engaging in high-risk data processing activities. 

These criteria are also affirmed in Article 53 (1) of the PDP Law:

  1. automated decision-making that significantly affects data subjects;
  2. processing of specific categories of personal data;
  3. large-scale personal data processing;
  4. processing for evaluation, scoring, or systematic monitoring of data subjects;
  5. data matching or combining from different sources;
  6. use of new technologies in data processing; and
  7. processing personal data that limits data subject rights.

The criteria for high-risk personal data processing under Article 34 (2) of the PDP Law closely mirror those in Article 53 (1), which was the subject of the Constitutional Court review. Both provisions emphasize that certain categories of processing are inherently high risk and, as such, require heightened safeguards.

Appointment of DPO under the PDP Law After Court Decision 

In its legal reasoning, the Court emphasized that personal data processing activities posing high risks to data subjects must be subject to stricter oversight. Citing Article 34 (2) of the PDP Law, the Court identified categories of high-risk processing, including automated decision-making with significant legal implications, the handling of sensitive data, large-scale data processing, evaluation or systematic monitoring, data matching, the use of new technologies, and any processing that restricts data subject rights.

On this basis, the Court concluded that the substance of Article 53 (1) of the PDP Law falls within the scope of high-risk processing as defined under Article 34 (2). Accordingly, the Court held that meeting even one of the three conditions under Article 53 (1) of the PDP Law is sufficient to categorize a data controller or processor as engaging in high-risk processing, thereby requiring the appointment of a DPO to ensure compliance and safeguard personal data effectively.

The Court also examined legislative drafting norms, noting that the use of “and” typically indicates a cumulative requirement. Therefore, in Court Decision No. 151/2024, the Court ruled that the use of “and” in Article 53 (1) of the PDP Law is unconstitutional and has no binding force unless it is interpreted as “and/or.” 

By adopting this alternative-cumulative interpretation through the term “and/or,” the Court sought to ensure broader and more effective protection in high-risk data processing activities. This approach affirms that personal data protection is inseparable from the right to personal security under Article 28G (1) of the Constitution.

Conclusion

In view of Court Decision No. 151/2024, business actors should carefully re-assess their personal data processing activities to determine whether they now fall within any of the conditions under Article 53 (1) of the PDP Law. As the threshold has shifted from a cumulative to an alternative requirement, organizations engaging in even a single high-risk processing activity may now be required to appoint a DPO. Companies should further consider integrating the appointment of a DPO into their broader governance and compliance frameworks as a measure to strengthen oversight to avoid potential sanctions and ensure alignment with the PDP Law. (24 September 2025)

WRITTEN BY

For further information, please contact:

Winnie Yamashita Rolindrawan – SSEK,
winnierolindrawan@ssek.com

Winnie Yamashita Rolindrawan - SSEK. Winnie Yamashita Rolindrawan holds a Bachelor of Laws in economic law from the University of Indonesia and a Master of Science in communications management. She also earned an LL.M. and a Business Law Certificate from UC Berkeley.

Winnie Yamashita Rolindrawan received her Bachelor of Laws in economic law from the University of Indonesia in 2002. In 2007, she earned her Master of Science from the Faculty of Social and Political Sciences at the same university, majoring in communications management. In 2016, Winnie received her Master of Laws (LL.M.) from the University of California, Berkeley, School of Law, where she also earned a Business Law Certificate from the Berkeley Center for Law and Business.

Winnie joined SSEK in 2007 and has represented major domestic firms and multinational companies in a variety of transactions. She has worked on numerous projects involving M&A, financial services and fintech, data privacy, pharmaceuticals and healthcare, corporate and commercial matters, foreign investment, e-commerce, and real estate and property (particularly hotels).

Her projects in the fintech sector include acting as Indonesian counsel to Didi Chuxing in the acquisition of a substantial stake in Grab Inc., a transaction valued at over US$1 billion, and acting as lead Indonesian counsel to Mastercard as the lead investor in the series B funding round of Digiasia, an Indonesian fintech startup. Winnie advises clients on all aspects of fintech and payment systems (including e-money, remittances, payment gateways and switching), from obtaining the relevant licenses to cross-border fintech M&A transactions and navigating complex regulatory, legal and commercial challenges to ensure compliance with the relevant fintech and payment system regulations of Indonesia’s Financial Services Authority (OJK) and Central Bank (Bank Indonesia).

In the healthcare sector, Winnie has represented pharmaceutical companies, including manufacturers and distributors, in providing practical solutions for their day-to-day operations, corporate and commercial contracts, and specific regulatory issues.

Prior to joining SSEK, Winnie worked at another prominent corporate law firm in Jakarta, where she was involved in various capital market transactions including IPOs, bond issues and rights issues. She helped handle several debt restructuring projects involving the Indonesian Bank Restructuring Agency (IBRA), an independent government agency established in response to the Indonesian financial crisis.

Winnie was also an associate procurement expert for an Asian Development Bank-Indonesian Ministry of National Development Planning (Bappenas) project, where she developed and drafted model national procurement documents.

Winnie is a licensed attorney and a member of the Indonesian Advocates Association (Peradi). She participated in the 2014 Academy of American and International Law, sponsored by the Southwestern Institute for International and Comparative Law in Dallas, Texas.

Having spent her childhood in Hamburg, Germany, she speaks German in addition to English and her native Indonesian.

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

RELATED ARTICLES