<![CDATA[Law No. 27 of 2022 on Personal Data Protection mandates the establishment of an independent supervisory agency to ensure the effective implementation of data protection norms in Indonesia. However, as of the end of 2025, this agency has not yet been established, creating an institutional vacuum that has serious implications for the effectiveness of data protection officers and the accountability of data controllers. This study aims to analyse the legal impact of the absence of a supervisory agency on data protection officers and its implications for the responsibilities of data controllers and processors. Using a normative juridical approach with a legislative approach, this study shows that without a supervisory agency, data protection officers are in a vulnerable position: they are operationally responsible but not legally protected. They are burdened with strict normative obligations but do not have formal protection mechanisms in the event of data breaches. On the other hand, the obligations of data controllers as stipulated in Article 47 of the PDP Law become immeasurable and declarative because there are no effective verification, enforcement, or dispute resolution mechanisms. The findings indicate that the legal architecture of the PDP Law is incomplete without an independent supervisory agency. Furthermore, the absence of a supervisory agency hinders the development of professional standards, technical guidelines, and non-litigation dispute resolution forums. The research recommendations include accelerating the establishment of a supervisory agency and issuing a Government Regulation that guarantees independence, competence, and legal protection for the data protection officer as a key actor in national personal data governance.]]>
Copyrights © 2026
