Why Does This Matter to Business Actors?
In Indonesia’s rapidly evolving data-driven economy, personal data protection compliance has become a key concern for businesses, especially those operating in the technology, e-commerce, and financial services sectors. The recent Constitutional Court Decision No. 151/PUU-XXII/2024, pronounced on July 16, 2025, reshapes the compliance landscape by expanding the obligation to appoint a Personal Data Protection Officer (PDPO) under the Personal Data Protection Law (“PDP Law”). This change not only affects companies’ internal governance but also increases compliance expectations for foreign investors managing large-scale or sensitive data in Indonesia.
Regulatory Summary: Key Takeaways from the Constitutional Court Decision
The decision reviewed Article 53 paragraph (1) of the PDP Law, which originally required the appointment of a PDPO only if all three of the following conditions were met:
- Data processing is for public service purposes;
- Core business activities involve regular and systematic monitoring of personal data on a large scale; and
- Core business activities involve large-scale processing of specific and/or criminal-related personal data.
The petitioners argued that the use of the word “and” (“dan”) in the above provision was too restrictive, as it meant only organizations fulfilling all three conditions were required to appoint a PDPO. In its ruling, the Constitutional Court granted the petition and decided that the conjunction “and” should be interpreted as “and/or” (“dan/atau”).
Accordingly, a PDPO must now be appointed even if a company meets only one of the above criteria.
Business Implications and Opportunities
This landmark decision has several implications for business actors:
- Expanded Obligation Scope: Companies conducting large-scale data processing, monitoring user activities, or handling sensitive personal data—even if not all at once—are now required to appoint a PDPO.
- Rising Compliance Demands and Costs: Organizations will need to create or strengthen internal data protection structures, prepare compliance policies, and designate a qualified PDPO. While this may increase short-term costs, it ensures long-term resilience against sanctions and reputational harm.
- Enhanced Legal Risk Management: Companies failing to comply may face administrative and even criminal sanctions under the PDP Law. Early compliance is thus essential to mitigate exposure.
- Strengthened Consumer and Partner Trust: The mandatory appointment of a PDPO can also be seen as an opportunity. It allows businesses to demonstrate commitment to data protection, improving trust among Indonesian consumers, regulators, and business partners.
- Sectoral Impact: Industries most affected include technology, telecommunications, finance, healthcare, and e-commerce, where data processing is inherently large-scale. Nonetheless, other sectors—such as logistics, education, and hospitality—should also reassess their exposure under the new interpretation.
If you, a prospective client, have further inquiries about the topic discussed above, Schinder Law Firm is one of many corporate law firms in Indonesia that has handled numerous similar matters, with many experienced and professional corporate and civil lawyers in its arsenal, making it one of the top consulting firms in Indonesia. Feel free to contact us at info@schinderlawfirm.com for further consultation.
Author:
Budhi Satya Makmur