
What is a DPO under UU PDP?

In short

Indonesia's PDP Law requires a data protection officer in defined cases. What the role is, who needs one, and what the officer must do, with article numbers.

Data protection officer

UU PDP never uses the phrase "data protection officer". The statutory term is pejabat atau petugas yang melaksanakan fungsi Pelindungan Data Pribadi, which translates as an official or officer who carries out the personal data protection function. The market calls that role a DPO because its triggers, duties, and positioning within an organisation closely mirror Articles 37 to 39 of the GDPR. That naming gap matters in practice: the actual obligations come from the Indonesian statute, not from GDPR guidance. This page works through what the role is, when the law requires it, what the officer must do, and what happens if an organisation skips the appointment.

When the law requires a DPO

UU PDP (UU 27/2022)

UU PDP is Indonesia's general personal data protection law. Articles 53 and 54 require a data protection officer in defined cases and set out the officer's qualifications and duties.

Supervisor: Komdigi (interim)

Full compliance: 17 October 2024

Article 53 paragraph 1 places the appointment obligation on both controllers and processors. Three conditions trigger it. First, where the processing of personal data is carried out to provide public services. Second, where the controller's or processor's core activities, by their nature, scope and/or purpose, require large-scale regular and systematic monitoring of personal data. Third, where the core activities consist of large-scale processing of specific personal data and/or personal data relating to criminal offences. Meeting any one of these is enough.

That last point follows from a Constitutional Court ruling. As originally enacted, the three conditions in Article 53 paragraph 1 were joined by "dan" (and), which read literally would have required all three to be present at once. The Constitutional Court, in Decision No. 151/PUU-XXII/2024, reinterpreted that conjunction as "dan/atau" (and/or). The result is that an organisation satisfying any single condition is required to appoint an officer. That interpretation widened the scope of the obligation considerably and brought organisations whose core activity involves large-scale systematic monitoring of individuals firmly within its reach, even if they are not processing special categories of data or providing public services.

What the officer must do

Article 54 paragraph 1 sets out the minimum duties. The officer must, at a minimum:

  - Inform and advise on compliance
  - Monitor and ensure compliance
  - Advise on and monitor data protection impact assessments
  - Coordinate and act as the contact point

The first two duties are ongoing. The officer keeps the controller or processor informed of what the law requires and tracks whether the organisation is actually meeting those requirements. The third duty means the officer is involved when a data protection impact assessment is needed, which Article 34 requires before processing that is likely to pose a high risk to data subjects. The fourth duty establishes the officer as the channel through which the supervisory authority and data subjects can reach the organisation on data protection matters.

Article 54 paragraph 2 gives the role a risk-based character. When performing these duties, the officer must take into account the nature, scope, context, and purposes of the processing, as well as the associated risks. That phrasing means a large healthcare provider and a small marketing agency both need an officer if they meet the triggers, but what the officer actually does will vary with the complexity of the processing involved.

Article 54 paragraph 3 states that further detail on the officer's duties and qualifications will be set out in a Government Regulation. That implementing regulation had not been issued as of the date of this page. Until it is, Articles 53 and 54 remain the operative provisions.

Who can hold the role

Article 53 paragraph 2 requires that the appointment be based on three things: professionalism, knowledge of personal data protection law, and the ability to carry out the protection function. The statute does not name a specific certification or credential. Organisations and the market have mapped those requirements onto programmes such as the IAPP's CIPP/A or the BSN-backed Certified Data Protection Officer, but the law itself leaves the assessment of qualification to the appointing organisation, at least until the implementing regulation says otherwise.

Article 53 paragraph 3 allows the officer to come from inside and/or outside the organisation. An outsourced or contracted officer is therefore a valid arrangement under the statute, not just a market workaround. For organisations deciding between building the role in-house or engaging a provider, the cost comparison page sets out the financial and operational trade-offs. If you are still working out whether your organisation triggers the obligation at all, the DPO obligation checklist walks through the Article 53 conditions with worked examples.

Where this sits in the timeline

  1. UU PDP enacted, October 2022

     The law took effect on promulgation, with a two-year transition under Article 74.

  2. Full compliance required, October 2024

     The transition window closed; substantive obligations are binding.

  3. Constitutional Court widens the trigger

     Decision 151/PUU-XXII/2024 read the conditions in Article 53 as and/or, so any one trigger applies.

  4. Implementing regulation and agency pending

     The Government Regulation and the supervisory institution are not yet in place; the Ministry of Communication and Digital Affairs supervises in the interim.

The two-year transition period under Article 74 closed in October 2024. Controllers and processors have been subject to the full requirements of the law since then. The Constitutional Court decision confirming the and/or reading widened who is caught, so some organisations that believed they fell outside the obligation may need to revisit that assessment. Separately, the dedicated supervisory institution called for by the law has not yet been established. The Ministry of Communication and Digital Affairs (Komdigi) has been performing a supervisory function in the interim, but the formal institutional framework remains incomplete.

What it costs to get this wrong

Article 57 lists the administrative sanctions available to the supervisory authority, and failure to comply with Article 53 paragraph 1 is expressly included among the breaches it covers. The range of sanctions starts with a written warning. If the warning is not acted on, the authority may impose temporary suspension of processing activities, erasure or destruction of personal data, and an administrative fine. The fine is set at up to two percent of the annual income or revenue tied to the violation, not a flat percentage of total turnover. The scope of the fine therefore depends on the revenue stream associated with the processing that fell short of the obligation.

Beyond the administrative sanctions, Article 57 sits within a broader enforcement picture that includes criminal penalties under Articles 67 to 73 for other categories of breach, as well as civil claims from data subjects. The administrative track for failing to appoint an officer is the most direct risk, but it does not stand alone.

Appointing an officer under the law

The practical steps for meeting the Article 53 obligation are covered on the how to appoint a DPO under UU PDP page, including how to document the appointment, what to put in the officer's mandate, and how the role fits alongside existing compliance and legal functions.

This is general guidance on UU PDP, not legal advice. Confirm your obligations against the current statute and any implementing regulation before making compliance decisions.


Frequently asked questions

Does UU PDP use the term "data protection officer"?

No. The law calls the role pejabat atau petugas yang melaksanakan fungsi Pelindungan Data Pribadi, an official or officer who carries out the data protection function. The market maps that to data protection officer, the term used under the GDPR, because the role, triggers and duties track the GDPR closely.
