UU PDP compliance
How to appoint a DPO under UU PDP
In short
A step-by-step way to appoint a data protection officer under UU PDP: confirm the obligation, scope the role, choose in-house or outsourced, set the mandate.
Appointing a DPO under UU PDP is a sequence of decisions, not a single signature. The law in Articles 53 and 54 sets out who must appoint, what qualifications the officer needs, whether in-house or outsourced arrangements are valid, and what the officer's duties are once in place. Working through those steps in order keeps the appointment from becoming a formality that the statute can later unpick.
The steps
Each step below corresponds to a specific statutory requirement or a practical decision that shapes whether the appointment holds up under scrutiny.
Confirm the obligation
Before anything else, test your processing against the three triggers in Article 53 paragraph 1. The obligation applies to both controllers and processors. The three conditions are: processing carried out to provide public services; core activities that, by their nature, scope, and/or purpose, require large-scale regular and systematic monitoring of personal data; and core activities consisting of large-scale processing of specific personal data or data relating to criminal offences.
The Constitutional Court, in Decision No. 151/PUU-XXII/2024, reread the conjunction linking those three conditions as "dan/atau" (and/or) rather than a plain "dan" (and). The result is that meeting any one condition is sufficient. An organisation whose core activity is large-scale systematic monitoring of individuals is subject to the obligation even if it does not process special categories of data and does not provide public services. If you are working through whether your organisation triggers the requirement, the DPO obligation checklist walks through the Article 53 conditions with worked examples.
Choose in-house or outsourced
Article 53 paragraph 3 states that the officer may come from inside and/or outside the organisation. An outsourced or contracted DPO is therefore a valid arrangement under the statute, not a workaround. The choice between building the role internally and engaging an external provider turns on cost, available expertise, and how the role needs to sit within your governance structure. The in-house vs outsourced cost comparison sets out the financial and operational trade-offs in detail.
Qualify the person
Article 53 paragraph 2 requires that the appointment be based on three things: professionalism, knowledge of personal data protection law, and the ability to carry out the protection function. The statute does not name a specific certification. Recognised credentials, such as the IAPP's CIPP/A or the BSN-backed Certified Data Protection Officer, can help an organisation demonstrate that its appointee meets the statutory standard, but the law itself leaves the competence assessment to the appointing organisation, at least until the implementing regulation provides further detail.
Set the mandate and protect independence
The appointment document should do more than name the officer. It needs to give the person the conditions they need to operate effectively. A DPO who reports into the same function they are required to oversee, or who lacks access to the processing activities they must monitor, cannot perform the Article 54 duties in any meaningful way.
The reporting line should sit at a level where the officer can raise concerns without being overruled by the function responsible for the processing. Independence does not require a separate legal entity; it requires that the officer is not instructed how to perform their data protection duties.
Wire in duties and breach notice
Article 54 sets the officer's minimum duties: inform and advise on compliance, monitor and ensure compliance, advise on and monitor data protection impact assessments, and coordinate as the contact point for the supervisory authority and data subjects. These are ongoing, not one-off.
The breach notification timeline is set separately. Article 46 requires that notice of a personal data breach be given to the relevant data subjects and to the supervisory authority within 3 times 24 hours of the breach being known. The officer should be wired into the incident response process so that the timeline is tracked from the moment the breach comes to light, not from when it reaches the compliance function.
What is still pending
As of 2026, two elements that the statute calls for are not yet in place. The implementing Government Regulation referenced in Article 54 paragraph 3 has not been issued. The dedicated supervisory institution that the law contemplates has also not been established. The Ministry of Communication and Digital Affairs (Komdigi) acts as the interim supervisory authority. Any registration or notification channel for DPO appointments is therefore provisional and subject to change when the formal framework is set. The right approach is to appoint the officer and build the role now, and to confirm the applicable channel when the institution and regulation are in place.
The steps against the law
| Statutory basis | Step |
|---|---|
| UU PDP Art 53(1) and MK 151/PUU-XXII/2024 | Confirm the appointment is mandatory |
| UU PDP Art 53(2) | Meet the qualification standard |
| UU PDP Art 53(3) | In-house or outsourced both allowed |
| UU PDP Art 54 | Assign the statutory duties |
| UU PDP Art 46 | Breach notice within 3x24 hours |
Taken together, these steps move the appointment from a compliance checkbox to an arrangement that reflects what the law actually requires and that the officer can rely on to do the job.
This is general guidance on UU PDP, not legal advice. Confirm your obligations against the current statute and any implementing regulation.
Frequently asked questions
Confirm whether you are obligated. Test your processing against the three triggers in Article 53 paragraph 1, remembering the Constitutional Court read them as and/or, so any single trigger makes the appointment mandatory.