Indonesia lowers threshold for mandatory Data Protection Officer appointment

Key change: from cumulative to alternative criteria

Prior to Decision 151, Article 53 of the PDP Law required data controllers and processors to appoint a DPO only if all of the following conditions were met:

1. the processing is conducted for public services;
2. the core activities involve regular and systematic monitoring of personal data on a large scale; and
3. the core activities involve large-scale processing of specific (sensitive) personal data or personal data related to criminal acts.

This cumulative test meant that many organisations were exempt from the DPO requirement.

Decision 151 changes this interpretation. The Court ruled that the use of the word “and” in Article 53(1) was unconstitutional and must be read as “and/or”. This transforms the criteria into an alternative test, meaning that meeting just one of the conditions now triggers the mandatory appointment of a DPO.

Implications for organisations

Organisations must now appoint a DPO if any of the following apply:

1. the processing is conducted for public services;
2. the core activities involve regular and systematic monitoring of personal data on a large scale; or
3. the core activities involve large-scale processing of specific (sensitive) personal data or personal data related to criminal acts.

This shift significantly expands the scope of entities subject to the DPO requirement. Organisations that previously fell outside the threshold must now reassess their compliance obligations.

Update on DPO certifications

Although Decision 151 has introduced a significant shift in the requirements for appointing a DPO, questions remain regarding the certification process for the DPO’s competence.

As at the date of this publication: (i) the PDP Agency, mandated under the PDP Law, has not yet been established; (ii) the Ministry of Communications and Digital is acting only as a transitional authority; and (iii) no official certification body has been designated by the government to oversee DPO competency certification.

Next steps for organisations

In light of Decision 151, organisations should consider the following actions:

• Assess: Conduct and document a fresh assessment of your data processing activities against the revised criteria.
• Appoint: Where required, and pending further regulation on the DPO competency certification process, businesses need to appoint a DPO internally and ensure that the role is properly resourced and integrated into their governance framework.
• Update: Review and revise internal data protection policies, procedures, and privacy notices to reflect the new compliance landscape.
• Revisit: Once further clarity is provided regarding the competency certification process by the authorised authority, businesses may wish to revisit their DPO appointment to ensure that the appointed DPO’s qualifications align with the requirements to be established by the government.

The Court’s ruling marks a pivotal moment in Indonesia’s data protection regime. Businesses need to act swiftly to align with the new requirements, not only to avoid regulatory exposure, but to demonstrate a proactive commitment to safeguarding personal data.

Our team stands ready to support you in navigating this evolving landscape and ensuring your compliance strategies remain robust and future-proof. Feel free to reach out to any of the authors or your usual Hogan Lovells contact if you need support in complying with these new DPO requirements.

Authored by Mochamad Kasmali, Charmian Aw, Teguh Darmawan, and Andera Rabbani.