
Life Sciences Law Update
On 30 July 2025, the Indonesian Constitutional Court (“Court”) issued a landmark ruling, Decision No. 151/PUU-XXII/2024 (“Decision 151”), which significantly broadens the scope of mandatory Data Protection Officer (“DPO”) appointments under the Law No. 27 of 2022 on Personal Data Protection (“PDP Law”).
Through the Decision 151, the Court reaffirmed that personal data is a fundamental right of every citizen and must be protected to the highest standard. It emphasised that personal data must not be treated as a commodity in ways that violate principles of protection, prudence, and confidentiality.
Prior to Decision 151, Article 53 of the PDP Law required data controllers and processors to appoint a DPO only if all of the following conditions were met:
This cumulative test meant that many organisations were exempt from the DPO requirement.
Decision 151 changes this interpretation. The Court ruled that the use of the word “and” in Article 53(1) was unconstitutional and must be read as “and/or”. This transforms the criteria into an alternative test, meaning that meeting just one of the conditions now triggers the mandatory appointment of a DPO.
Organisations must now appoint a DPO if any of the following apply:
This shift significantly expands the scope of entities subject to the DPO requirement. Organisations that previously fell outside the threshold must now reassess their compliance obligations.
Although Decision 151 has introduced a significant shift in the requirements for appointing a DPO, questions remain regarding the certification process for the DPO’s competence.
As at the date of this publication: (i) the PDP Agency, mandated under the PDP Law, has not yet been established; (ii) the Ministry of Communications and Digital is acting only as a transitional authority; and (iii) no official certification body has been designated by the government to oversee DPO competency certification.
In light of Decision 151, organisations should consider the following actions:
The Court’s ruling marks a pivotal moment in Indonesia’s data protection regime. Businesses need to act swiftly to align with the new requirements, not only to avoid regulatory exposure, but to demonstrate a proactive commitment to safeguarding personal data.
Our team stands ready to support you in navigating this evolving landscape and ensuring your compliance strategies remain robust and future-proof. Feel free to reach out to any of the authors or your usual Hogan Lovells contact if you need support in complying with these new DPO requirements.
Authored by Mochamad Kasmali, Charmian Aw, Teguh Darmawan, and Andera Rabbani.