August 2023

1. Governing Texts

The Personal Data Protection Act No. 9 of 2022 ('PDPA') was passed in the Parliament of Sri Lanka ('the Parliament') and was certified by the Speaker on March 19, 2022. Section 1 of the PDPA provides for the mechanism and specific periods by and on which the PDPA would gradually come into force as follows. Part V of the PDPA was given effect by Order of the Minister of Technology as empowered under the PDPA on July 21, 2023, by Gazette Extraordinary Order No. 2341/59 and accordingly, the Data Protection Authority ('the Authority') has been set up.

On January 8, 2024, Order No. 2366/08 confirmed that Parts VI, VIII, IX, and X of the PDPA entered into effect on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into effect March 18, 2025.

With regard to the provisions of Part IV of the PDPA, i.e. on the use of personal data to disseminate solicited messages), the same would enter into effect on a date not earlier than 24 months and not later than 48 months from the date of the certification by the Speaker.

In addition to the PDPA, there are also several data protection-enabled legislation that are industry-specific as fully described in the section on governing texts below.

1.1. Key acts, regulations, directives, bills

Existing legislation

Chapter III of the Constitution of the Democratic Socialist Republic of Sri Lanka 1978 does not guarantee a right to privacy as a fundamental right.

However, Article 14A of the revised Constitution of the Democratic Socialist Republic of Sri Lanka (as amended up to 15 May 2015) ('the Constitution') mentions privacy considerations within the context of restrictions to the right of access to information. Article 14A provides that every citizen must have the right to access information as provided for by law, being information that is required for the exercise or protection of a citizen's right held by persons such as the State, a ministry, or any other government department or statutory body or local authority. However, restrictions on the exercise of this right will be placed if they are prescribed by law in the interest of national security, territorial integrity, or public safety, for the prevention of disorder or crime, for the protection of health or morals, and of the reputation or rights of others, privacy, contempt of court, for the protection of parliamentary privilege, for preventing the disclosure of information communicated in confidence, or to maintain the authority and impartiality of the judiciary.

Additional laws regulating privacy and data protection include:

• Computer Crime Act No. 24 of 2007 ('the Computer Crime Act');
• Electronic Transactions Act No.19 of 2006 ('the Electronic Transactions Act');
• Right to Information Act No. 12 of 2016 ('the RTI Act');
• Banking Act No. 30 of 1988;
• Telecommunications Act No. 25 of 1991; and
• Intellectual Property Act No. 36 of 2003 ('the Intellectual Property Act').

In particular, through penal sanctions, the Computer Crime Act addresses matters that involve data that has been unlawfully obtained, the illegal interception of data, and the unauthorized disclosure of information.

Furthermore, the Electronic Transactions Act, which came into operation in Sri Lanka by Gazette Extraordinary No.1516/25 of 27 September 2007, was drafted based on the standards established by the United Nations Commission on International Trade Law ('UNCITRAL'), namely the Model Law on Electronic Commerce (1996) and the Model Law on Electronic Signatures (2001).

PDPA

The PDPA is the principal legislation that deals with personal data protection in Sri Lanka. The PDPA aims to safeguard the rights of individuals and ensure consumer trust in information privacy in online transactions and information networks resulting from growth and innovation in the digital economy.

The draft bill for the PDPA, which was released on September 24, 2019, through the website of the Ministry of Digital Infrastructure and Information Technology ('MDIIT'), was reviewed by the Attorney General ('AG') for compliance with the Constitution. Thereafter, the Drafting Committee prepared its response to the AG's observations and, pursuant to several consultations held between the Legal Drafting Department ('LDD') and the Drafting Committee, the LDD released a revised version. The revised version was reviewed again by the AG, and such observations were released on September 5, 2021.

Several changes were made to the substantive provisions of the original draft, including the re-arrangement of key provisions, based on the feedback of a number of stakeholders. As noted above, after final approval of the revised version and translation, it was submitted to the Cabinet and published as a draft bill.

Subsequently, the draft bill was passed by the Parliament on March 9, 2022 subject to several amendments. On March 19, 2022, the Speaker of the Parliament endorsed the draft bill, and the PDPA came into force on the same day, subject to the transitional provisions provided therein.

Other proposed legislation

A draft for an Act to Provide the Implementation of the National Cyber Security Strategy (2019) ('the Cybersecurity Bill') was also formulated under the National Cyber Security Strategy (2019-2023), which is being finalized by the National Centre for Cyber Security, also known as Sri Lanka Computer Emergency Readiness Team ('CERT'). The Cybersecurity Bill will provide a comprehensive framework to prevent and manage cybersecurity threats and incidents effectively and to protect critical information infrastructure.

1.2. Guidelines

Not applicable.

1.3. Case law

In Sri Lanka, the right to privacy is protected as a 'delict' within the notion of actio iniuriarum and has been developed by case law. In Nadarajah v Obeysekera [52NLR76] (1971), the notion of 'invasion of privacy' was discussed. It was recognized that the right of individuals to personal space exists. In more recent cases related to individual privacy, namely Hewamanna v Attorney General (1999) and the 2000 Sunday Times defamation case, the Supreme Court of Sri Lanka highlighted the importance of the individual's right to privacy.

2. Scope of Application

2.1. Personal scope

PDPA

The PDPA applies only with regard to the processing of personal data by controllers and processors as specified in Section 2 of the PDPA. However, the PDPA does not apply to any personal data processed purely for personal, domestic, or household purposes by an individual.

Computer Crime Act

The Computer Crime Act does not specifically provide and/or define what would qualify as being 'data'. However, Section 2 provides that, inter alia, the Computer Crime Act will be applicable to computers, computer systems, or information contained within a computer system that has been affected by an act that constitutes an offense under the Computer Crime Act. Furthermore, the Computer Crime Act will be applicable to any facility or service, including any computer storage, or data or information processing service, used in the commission of an offense recognized under the Computer Crime Act.

Electronic Transactions Act

The provisions of the PDPA will be applicable to any 'data' or 'communications' made via electronic form. See the section on material scope below for further information.

2.2. Territorial scope

PDPA

The PDPA applies to the processing of personal data where such processing:

• takes place wholly or partly within Sri Lanka; or
• is carried out by a controller or processor who:
  • is domiciled or ordinarily resident in Sri Lanka;
  • is incorporated or established under any written law of Sri Lanka;
  • is subject to any written law of Sri Lanka;
  • offers goods or services to data subjects in Sri Lanka including the offering of goods or services with specific targeting of data subjects in Sri Lanka; or
  • specifically monitors the behavior of data subjects in Sri Lanka including profiling with the intention of making decisions in relation to the behavior of such data subjects in so far as such behavior takes place in Sri Lanka.

In other words, the PDPA could apply to any service that is accessed through an online platform by a data subject in Sri Lanka, even though such service may not necessarily be intended specifically for data subjects in Sri Lanka. The Authority to be established under the PDPA (see the section on the data protection authority below) may determine the circumstances in which specific targeting and specific monitoring of data subjects may occur.

Computer Crime Act

In accordance with Section 2(1) of the Computer Crime Act, its provisions apply where:

• a person commits an offense under the Computer Crime Act while being present in Sri Lanka or outside Sri Lanka;
• the computer, computer system, or information affected, or was to be affected, by an act that constitutes an offense under the Computer Crime Act was at the material time in Sri Lanka or outside Sri Lanka;
• the facility or service, including any computer storage, or data or information processing service, used in the commission of an offense under the Computer Crime Act was at the material time situated in Sri Lanka or outside Sri Lanka; and
• the loss or damage is caused within or outside Sri Lanka, by the commission of an offense under the Computer Crime Act, to the state or to a person resident in Sri Lanka or outside Sri Lanka.

Electronic Transactions Act

The objectives of the Electronic Transactions Act include, inter alia, facilitating domestic and international electronic commerce by eliminating legal barriers and establishing legal certainty. See the section on material scope below for further information.

2.3. Material scope

PDPA

The PDPA defines personal data as any information that can identify a data subject directly or indirectly, by reference to:

• an identifier such as a name, an identification number, location data, or an online identifier; or
• one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that individual or natural person.

Computer Crime Act

The Computer Crime Act regulates cases where data has been unlawfully obtained, intercepted, and disclosed. It does not specifically provide and/or define what would qualify as 'data'. However, Section 2 provides that, inter alia, the Computer Crime Act will be applicable to computers, computer systems, or information contained within a computer system that has been affected by an act that constitutes an offense under the Computer Crime Act. Furthermore, the Computer Crime Act will be applicable to any facility or service, including any computer storage, or data or information processing service, used in the commission of an offense recognized under the Computer Crime Act.

Section 38 provides the following definitions and interpretations which could be of assistance in ascertaining what kinds of 'data' and 'material' would be protected under the Computer Crime Act:

• computer means an electronic or similar device having information processing capabilities;
• storage medium means any (electronic or similar device) from which information is capable of being reproduced, with or without the aid of any other article or device;
• computer program means a set of instructions expressed in words, codes, schemes, or any other form, which is capable when incorporated in a medium that the computer can read, of causing a computer to perform or achieve a particular task;
• computer system means a computer or group of interconnected computers, including the internet;
• the document includes an electronic record;
• electronic record means information, record, or data generated, stored, received, or sent in an electronic form or microfilm, or by any other similar means;
• information includes data, text, images, sound, codes, computer programs, databases, or microfilm;
• subscriber information means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services; and
• traffic data means data that relates to the attributes of communication by means of a computer system, data generated by a computer system that is part of a service provider and which shows the origin, destination, route, time, data, size, duration, or details of subscriber information of communications.

Electronic Transactions Act

The Electronic Transactions Act recognizes and facilitates the formation of contracts in relation to electronic transactions. It provides for the appointment of a certification authority and licensing and authorizing of certification service providers and gives effect to the provisions of the United Nations Convention on the Use of Electronic Communications in International Contracts (UNTS Vol. 2898 No. 50525).

In this regard, it does not specify or define what will be recognized as 'data'. However, it provides that its provisions will be applicable to any 'data' or 'communications' made via electronic form. In relation to 'data' and 'data protection', the following definitions in the Electronic Transactions Act may assist in ascertaining what is protected under it:

• communication means any statement, declaration, demand, notice, or request, including an offer and the acceptance of an offer, that a person is required or chooses to make in connection with an electronic transaction within the meaning of the Electronic Transactions Act;
• computer means an electronic or similar device having information processing capabilities;
• data message means information generated, sent, received, or stored by electronic, magnetic, optical, or other similar means;
• electronic means information generated, sent, received, or stored by electronic, magnetic, optical, or similar capacities regardless of the medium;
• the electronic document includes documents, records, information, communications, or transactions in electronic form;
• electronic record means a written document, or other record created, stored, generated, received, or communicated by electronic means;
• electronic signature means any letters, numbers, symbols, images, characters, or any combination thereof in electronic form, applied to, incorporated in, or logically associated with an electronic document, with the intention of authenticating and/or approving an electronic document, in order to establish its authenticity and/or integrity;
• information includes text, message, data, voice, sound, database, video, signals, software, computer programs, including object codes and source codes; and
• information system means an electronic system for creating, generating, sending, receiving, storing, reproducing, displaying, recording, or processing information.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Part V of the PDPA provides for the establishment of the Authority. The Authority shall be a body corporate and shall have perpetual succession and a seal and may sue and be sued in such name.

Section 29 of the PDPA provides that the administration, management, and control of the affairs of the Authority shall be vested in a Board of Directors ('the Board'). The Board shall for the purpose of administering the affairs of the Authority exercise, perform, and discharge the functions conferred on the Authority. The PDPA specifies that the President of Sri Lanka shall appoint five to seven persons with professional expertise and experience as members of the Board and the President shall also appoint a member of the Board as the Chairperson. Inter alia, the grounds for removal, resignation, and disqualifications of such Chairperson shall be according to Schedule VI of the PDPA.

Section 36 of the PDPA specifies that the Board shall appoint a Director-General of the Authority who has achieved eminence and proven professional expertise in providing leadership to the public sector or private sector. The Director-General shall be the Chief Executive Officer of the Authority and subject to the general direction and control of the Board and be charged with the direction of the affairs and transactions of the Authority, the exercise, performance, and discharge of its powers, duties, and functions and the administration and control of the officers and employees of the Authority.

3.2. Main powers, duties and responsibilities

Sections 32(a) to 32(t) of the PDPA specify the powers vested in the Authority for the purpose of performing duties and discharging functions under the PDPA.

The Authority has the power to, inter alia, perform or carry out, whether directly or through any officer, agent, entity, or institution authorized on behalf of the Authority, all such matters as may be necessary for the implementation of the provisions of the PDPA, to take such steps to ensure that controllers and processors carry out their duties and obligations and inspect any information held by a controller or a processor in order to ensure the performance of their duties and obligations, to direct a controller or processor to take steps to comply with the provisions of the PDPA, to direct a controller or any relevant data protection officer ('DPO') to reimburse fees charged from a data subject for failure to provide the required information in a timely manner, to conduct inquiries, to receive complaints, to require any person to appear before it, to make directives and impose fines, etc.

Sections 33(a) to 33(q) of the PDPA specify the duties and the functions of the Authority, inter alia, directing controllers to comply with the provisions of Sections 11 and 13 in accordance with the information set out in Schedule V of the PDPA, monitoring the performance of and ensuring due compliance by controllers or processors of the obligations imposed which could either be on its own motion or at the request of a data subject and issuing directives to any specific controller or processor regarding any processing activity performed by such controller or processor and facilitate or undertake training based on international best practices for controllers and processors to ensure effective implementation of the provisions of the PDPA, etc.

4. Key Definitions

Data controller: Any natural or legal person, public authority, public corporation, non-governmental organization, agency, or any other body or entity which alone or jointly with others determines the purposes and means of the processing of personal data.

Data processor: A natural or legal person, public authority, or other entity established by or under any written law, which processes personal data on behalf of the controller.

Personal data: Any information that can identify a data subject, directly or indirectly, by reference to an identifier (e.g. name, identification number, financial data, location data, or online identifier) or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that individual or natural person.

Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, personal data relating to offenses, criminal proceedings, and convictions, or personal data relating to a child.

Health data: Personal data related to the physical or psychological health of a natural person, which includes any information that indicates their health situation or status.

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirms the unique identification of that natural person, such as facial images or dactyloscopic data, or iris-related data.

Pseudonymization: The processing of personal data in such a manner that the personal data cannot be used to identify a data subject without the use of additional information, and such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to a data subject.

Processing: Any operation performed on personal data including but not limited to collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination, or the carrying out of logical or arithmetical operations on personal data.

Profiling: Processing of personal data to evaluate, analyze, or predict aspects concerning that data subject's performance at work, economic situation, health, personal preferences, interests, credibility, behavior, habits, location, or movements.

Data subject: An identified or identifiable natural person, alive or deceased, to whom the personal data relates.

Identifiable natural person: A natural person who can be identified, directly or indirectly, by reference to any personal data.

Consent: Any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data.

Child: A natural person who is below the age of 16 years.

Personal data breach: Any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.]

Financial data: Any alpha-numeric identifier or other personal data which can identify an account opened by a data subject, or card or payment instrument issued by a financial institution to a data subject, or any personal data regarding the relationship between a financial institution and a data subject, or financial status and credit history relating to such data subjects, including data relating to remuneration.

Genetic data: Personal data relating to the genetic characteristics of a natural person which gives unique information about the physiology or the health of that natural person which results from an analysis of a biological sample or bodily fluid of that natural person.

Cross-border data flow: The movement of personal data out of the territory of Sri Lanka for the purpose of processing personal data in a third country.

Data Protection Impact Assessment: The PDPA does not provide a definition of a Data Protection Impact Assessment ('DPIA'), but describes a DPIA as an assessment to ascertain the impact of the intended processing on (Section 24(1) of the PDPA):

• the obligations imposed on the controller under Part I of the PDPA; and
• the rights of data subjects under Part II of the PDPA.

5. Legal Bases

Section 5 of the PDPA provides that the processing of personal data will be lawful if a controller is in compliance with:

• any condition specified in Schedule I;
• in the case of processing special categories of personal data, any condition specified in Schedule II;
• in the case of processing personal data based on the consent of the data subject, all of the conditions specified in Schedule III; or
• in the case of processing personal data for criminal investigations, all of the conditions specified in Schedule IV.

5.1. Consent

Pursuant to Section 5 of the PDPA, the processing of personal data is lawful if the data subject has given consent to the processing of their personal data as enumerated in paragraph (a) of Schedule I and paragraph (a) of Schedule II.

Consent has been defined as any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data. With regard to the processing of special categories of personal data relating to a child, consent would mean the consent of the parent or legal guardian of such child.

The PDPA further provides conditions and obligations on the controller regarding consent in Schedule III. The controller is required to demonstrate that the data subject has consented to the processing of the personal data relating to such data subject. In the event the consent of the data subject is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in such a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. When assessing whether consent is freely given, utmost account shall be taken on whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

5.2. Contract with the data subject

Pursuant to Schedule I(b) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

The PDPA further permits the processing of personal data outside Sri Lanka in the absence of an adequacy decision as mentioned in Section 26(2) of the PDPA or necessary safeguards as mentioned in Section 26(4) of the PDPA where such transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of any pre-contractual measures taken by the controller at the request of the data subject.

5.3. Legal obligations

Ordinary types of personal data

Pursuant to Schedule I(c) of the PDPA, the processing of personal data is lawful if the processing is necessary for compliance with a legal obligation to which the controller is subject under the PDPA.

Special categories of personal data

Pursuant to Schedule II(e) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for the establishment, exercise, or defense of legal claims before a court or tribunal or such similar forum or whenever courts are acting in their judicial capacity.

5.4. Interests of the data subject

Ordinary types of personal data

Pursuant to Schedule I(d) of the PDPA, the processing of personal data is lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person.

Special categories of personal data

Schedule II(c) of the PDPA provides that with regard to the processing of special categories of data, the processing of such data would be lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent.

5.5. Public interest

Ordinary types of personal data

Pursuant to Schedule I(e) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by any written law.

For the foregoing purposes, Schedule II(g) of the PDPA provides a non-exhaustive list of activities considered as 'public interests,' including:

• processing for health purposes such as public health and social protection and the management of health care services;
• processing for the control of communicable diseases and other serious threats to health; and
• processing of personal data by official authorities for achieving the purposes or objects laid down by law.

Special categories of personal data

Pursuant to Schedule II(g) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with law which shall be proportionate to the aim pursued, protecting the data protection rights enumerated in the PDPA or any other written law and provide for suitable and specific measures to safeguard the rights and freedoms of the data subject.

5.6. Legitimate interests of the data controller

Pursuant to Schedule I(f) of the PDPA, the processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of the data subject which require protection of personal data, in particular where the data subject is a child.

For the foregoing purposes, Schedule I(f) of the PDPA provides a non-exhaustive list of activities considered as 'legitimate interests', including:

• processing in situations where the data subject is a client or in the service of the controller;
• whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place;
• processing of personal data is strictly necessary for the purposes of preventing fraud; and
• processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.

5.7. Legal bases in other instances

In relation to the processing of special categories of personal data, Schedule II of the PDPA sets out additional legal bases. In particular, the processing of such personal data will be lawful if:

• processing is necessary for the purposes of carrying out the obligations of the controller and exercising the rights of the data subject, in the field of employment, social security including pension, and for public health purposes ensuring public safety, monitoring, and alert purposes, the prevention or control of communicable diseases, and other serious threats to public health, and the management of public health care services in so far as it is provided for in any written law providing for appropriate safeguards for rights of the data subject;
• processing relates to personal data which is manifestly made public by the data subject;
• processing is necessary for reasons of substantial public interest, as prescribed by any written law which shall be necessary and proportionate to the aim pursued whilst providing suitable and specific measures to safeguard the rights and freedoms of the data subject; or
• where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment, or the management of health care services, and where such data is processed by a health professional licensed under or authorized by any written law prevailing in Sri Lanka.

6. Principles

Part I of the PDPA imposes the following obligations on controllers:

• to process personal data in a lawful manner in accordance with Section 5 of the PDPA;
• to define a specified, explicit, and legitimate purpose for processing, and to confine processing to the defined purpose;
• to ensure the accuracy of personal data, and to keep such data up to date;
• to limit the period of retention of personal data;
• to process personal data in a transparent manner; and
• to ensure the integrity and confidentiality of personal data.

Furthermore, Section 12 of the PDPA also introduces accountability obligations on controllers and requires them to ensure compliance with the obligations outlined above.

7. Controller and Processor Obligations

Section 12 of the PDPA stipulates that controllers are responsible for implementing internal controls and procedures, referred to as a 'data protection management programme', in order to demonstrate the implementation of the data protection obligations imposed under the PDPA.

Section 21 of the PDPA imposes an additional obligation on the controllers where the processing of data is carried out by a processor on behalf of the controller. In such an instance, the controller shall use only processors who shall ensure the provision of appropriate technical and organizational measures to give effect to the provisions of the PDPA and ensures the protection of the rights of the data subjects under the PDPA. Furthermore, contractors are obliged to ensure such processors are bound by a contract or provisions of any written law which sets out inter alia the obligations of the controller, subject matter, duration of the processing, etc.

7.1. Data processing notification

Not applicable. 

7.2. Data transfers

Section 26 of the PDPA sets out the conditions relating to cross-border data flows. In particular, a public authority may only process categories of personal data which are permitted to be processed in a third country, prescribed by the relevant Minister pursuant to an adequacy decision.

In making an adequacy decision, the Minister shall in consultation with the Authority take into consideration the relevant written law and enforcement mechanisms relating to the protection of personal data in a third country and the application of the provisions of Part I, Part II, and Sections 20, 21, 22, 23, 24, and 25 of Part III of the PDPA, and such other prescribed criteria relating to the processing of personal data, in a third country for the purpose of cross-border data flow.

Section 53(2)(b) of the PDPA provides for the Minister with the concurrence of the Authority to make regulations in respect of the identification of third countries.

Section 26 of the PDPA further provides that a controller or processor other than a public authority may process personal data:

1. in a third country prescribed pursuant to an adequacy decision;
2. in a country, not being a third country prescribed pursuant to an adequacy decision, only where such controller or processor ensures compliance with the obligations imposed under Part I, Part II, and Sections 20, 21, 22, 23, 24, and 25 of Part III of the PDPA; or
3. in the absence of an adequacy decision mentioned in point one above or appropriate safeguards mentioned in point two above, a controller or processor other than a public authority may process personal data outside Sri Lanka in certain special instances listed in Section 26(5).

7.3. Data processing records

Section 12(1)(a) of the PDPA states that, as part of their data protection management programme, the controller must establish and maintain duly cataloged records to demonstrate the manner in which the implementation of the data protection obligations set forth by the PDPA.

7.4. Data protection impact assessment

In terms of Section 24 of the PDPA, a controller is required to carry out a Data Protection Impact Assessment ('DPIA') prior to processing where it intends to carry out the following activities:

• systematic and extensive evaluation of personal data or special categories of data including profiling;
• systematic monitoring of publicly accessible areas or telecommunication networks; or
• a processing activity as may be determined by way of rules taking into consideration the scope and associated risks of that processing.

Moreover, the controller must conduct a fresh DPIA in accordance with Section 24 of the PDPA whenever there is any change in the methodology, technology, or process adopted in the processing for which a DPIA has already been carried out (Section 24(4) of the PDPA). Such DPIA should take into consideration the nature, scope, context, and purposes of the processing, as well as the associated risks of that processing or any criteria as may be prescribed.

Prior consultation

Furthermore, according to Section 25 of the PDPA, where a DPIA carried out indicates that the processing is likely to result in a risk of harm to the rights of the data subjects, the controller must take such measures to mitigate such risk of harm, prior to any processing of personal data. Where a controller is not able to mitigate such risks of harm to the data subject, such controller must consult the Authority, prior to such processing. In addition, where the controller engages in the processing of personal data referred to in Section 24(1) of the PDPA and where such processing is carried out in relation to national security, public order, and public health, the controller must consult the Authority (Section 25(7) of the PDPA).

Upon such consultation, the Authority may issue written instructions to the controller requiring them to take additional measures to mitigate any risk of harm to the data subject or to cease such processing (Section 25(3) of the PDPA). Where the controller fails to comply with the instructions of the Authority without any reasonable cause, the controller is considered to have contravened the provisions of the PDPA (Section 25(5) of the PDPA).

7.5. Data protection officer appointment

In accordance with Section 20 of the PDPA, every controller must designate or appoint a DPO to ensure compliance with the provisions of the PDPA, in the following circumstances:

• where the processing is carried out by a ministry, government, department, or public corporation, except for judiciary acting in their judicial capacity; or
• where the core activities of processing by the controller or processor consist of the following:
  • operations which, by virtue of their nature, scope, or purpose, require regular and systematic monitoring of data subjects;
  • processing of special categories of data; or
  • processing which results in a risk of harm affecting the rights of the data subjects protected under the PDPA based on the nature of processing and its impact on data subjects.

A DPO shall possess relevant academic or professional qualifications as may be prescribed. Where a controller is a group of entities, such controller may appoint a single DPO who is easily accessible by each entity. Where a controller or a processor is a public authority, a single DPO may be designated for several such public authorities.

A controller or processor is required to publish the contact details of the DPO and communicate such details to the Authority.

The PDPA specifies the responsibilities of the DPO as follows;

• advice the controller, processor, and their employees on data processing requirements specified under the PDPA or any other written law;
• ensure on behalf of the controller or processor that the provisions of the PDPA are complied with;
• facilitate capacity building of staff involved in data processing operations;
• provide advice on DPIAs; and
• cooperate and comply with all directives and instructions issued by the Authority on matters relating to data protection.

7.6. Data breach notification

In accordance with Section 23 of the PDPA, in the event of a personal data breach, a controller shall inform the Authority regarding such personal data breach in such manner and form, and within the period of time as may be determined by rules made under the PDPA.

The Authority by way of rules shall provide for:

• the circumstances where the Authority shall be notified of such data breach;
• the circumstances in which the affected data subject shall be notified; and
• the form and manner of making such notification, and information which shall be provided in such notification relating to the data breach.

7.7. Data retention

In terms of Section 9 of the PDPA, every controller must ensure that personal data that is being processed is being kept in a form that permits the identification of data subjects for such period as may be necessary for the purposes for which such personal data is processed.

However, a controller may store personal data for longer periods for archiving purposes in the public interest or for scientific, historical, research, or statistical purposes subject to Section 10 of the PDPA.

7.8. Children's data

Section 56 of the PDPA defines 'child' as a natural person who is below the age of 16 years. In this regard, personal data relating to a child is classified as a special category of data to which additional conditions apply (e.g. Schedule II of the PDPA).

7.9. Special categories of personal data

As mentioned in the section on legal bases above, Schedule II of the PDPA provides conditions for processing special categories of personal data.

Furthermore, in terms of Schedule IV of the PDPA, the processing of personal data relating to lawful investigations of offenses or related security measures may be carried out only in accordance with applicable written laws, while providing appropriate safeguards for the rights and freedoms of data subjects. In this regard, processing of personal data may be considered lawful under this Schedule if investigations are carried out pursuant to the provisions of the Code of Criminal Procedure or provisions under any other written law.

7.10. Controller and processor contracts

As mentioned in the introductory paragraph in this section i.e., the section on controller and processor obligations, Section 21(1) of the PDPA provides that where processing is to be carried out by a processor on behalf of a controller, the controller shall ensure that such processor is bound by a contract or any written law which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of the data subjects, and the obligations and rights of the controller.

8. Data Subject Rights

8.1. Right to be informed

Section 11 of the PDPA obliges controllers to provide the information referred to in Schedule V of the PDPA and information regarding any decision taken pursuant to a request made under Part II of the PDPA in writing or by electronic means and in a concise, transparent, intelligible, and easily accessible form.

In particular, the controller must provide the following information to the data subject at the time of collecting their personal data:

• the identity and contact details of the controller and where applicable of the controller's representative;
• the contact details of the DPO, where applicable;
• the intended purposes for which the personal data is processed and the legal basis for the processing;
• the legitimate interest pursued by the controller or by a third party where processing is based on paragraph (f) of Schedule I;
• the categories of personal data being collected;
• where processing is intended to be based on consent, the existence of the right of the data subject to withdraw their consent, and the procedure for such withdrawal, without affecting the lawfulness of processing based on consent before its withdrawal;
• recipients or third parties with whom such personal data may be shared, if applicable;
• information regarding any cross-border transfer of the personal data that the controller intends to carry out, if applicable;
• the period for which the personal data shall be retained in terms of Section 9 of the PDPA or where such period is not known, the criteria for determining such period;
• the existence of and procedure for the exercise of rights of the data subject mentioned in Part II of the PDPA;
• the existence of a right to file complaints to the Authority;
• whether the provision of personal data by the data subject is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
• the existence of automated decision-making, referred to in Section 18 of the PDPA, including profiling and, at least in those cases, reasonably meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

8.2. Right to access

PDPA

In terms of Section 13 of the PDPA, the data subject shall have the right to access their personal data and to be provided with a confirmation as to whether such personal data has been processed and the information set out in Schedule V of the PDPA, upon a written request made by such data subject to the controller.

Section 17 states that any controller receiving such written request shall inform the data subject in writing within 21 working days from the date of such request whether:

• such request has been granted;
• such request has been refused and the reasons for thereof unless such disclosure is prohibited under any written law;
• the controller has refrained from further processing such personal data under Sections 14(2) or 15 of the PDPA and reasons thereof; and
• the availability of the right of appeal to the data subject in respect of the decisions made by the controller.

RTI Act

As mentioned above, Article 14A of the Constitution guarantees the right of access to information. In this regard, the RTI Act was enacted to foster a culture of transparency and accountability in public authorities by giving effect to the right of access to information and thereby promoting a society in which the people of Sri Lanka would be able to more fully participate in public life through combating corruption and promoting accountability and good governance. Section 3 of the RTI Act provides that every citizen shall have the right access to information that is in the possession, custody, or control of a public authority.

Information, as defined by the RTI Act, includes any material which is recorded in any form including records, documents, memos, emails, opinions, advice, press releases, circulars, orders, log books, contracts, reports, papers, samples, models, correspondence, memorandum, draft legislation, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microfilm, sound recording, videotape, machine-readable record, computer records, and other documentary material, regardless of its physical form or character, and any copy thereof.

However, a request for information made under Section 3 of the RTI Act may be denied in certain circumstances. Section 5 of the RTI Act provides that access to information shall be refused if, among other things:

• the information relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause an unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information, or the person concerned has consented in writing to such disclosure;
• the disclosure of the information would undermine the defense of the State or its territorial integrity or national security and would be, or is likely to be, seriously prejudicial to Sri Lanka's relations with any State, or in relation to international agreements or obligations under international law, where such information was given or obtained in confidence;
• the disclosure of such information would cause serious prejudice to the economy of Sri Lanka by prematurely disclosing decisions to change or continue government economic or financial policies. For instance, access may be denied to information concerning policies that relate to exchange rates or the control of overseas exchange transactions, the regulation of banking or credit, taxation, the stability, control, and adjustment of prices of goods and services, rents, and other costs and rates of wages, salaries, and other income, the entering into of overseas trade agreements;
• information that encompasses commercial confidence, trade secrets, or intellectual property is protected under the Intellectual Property Act 2003, the disclosure of which would harm the competitive position of a third party, unless the public authority is satisfied that larger public interest warrants the disclosure of such information;
• information that if disclosed could lead to the disclosure of any medical records relating to any person, unless such person has consented in writing to such disclosure;
• the information consists of any communication, between a professional and a public authority, to whom such professional provides services, which is not permitted to be disclosed under any written law, including any communication between the AG or any officer assisting the AG in the performance of their duties and a public authority;
• if the information is required to be kept confidential by reason of the existence of a fiduciary relationship;
• the disclosure of such information would cause grave prejudice to the prevention or detection of any crime or the apprehension or prosecution of offenders, or expose the identity of a confidential source of information in relation to law enforcement or national security to be ascertained;
• the information has been supplied in confidence to the public authority concerned by a third party and the third party does not consent to its disclosure;
• the disclosure of such information would be in contempt of court or prejudicial to the maintenance of the authority and impartiality of the judiciary;
• the disclosure of such information would infringe the privileges of the Parliament or of a Provincial Council as provided by law;
• disclosure of the information would harm the integrity of an examination being conducted by the Department of Examinations or by a higher educational institution;
• the information is of a Cabinet memorandum in relation to which a decision has not been taken; or
• the information relates to an election conducted by the Election Commission of Sri Lanka which is required by the relevant election laws to be kept confidential.

8.3. Right to rectification

In terms of Section 15 of the PDPA, every data subject is entitled to request the controller rectify or complete their personal data which is either inaccurate or incomplete. Upon a written request to rectify or to complete the personal data of the data subject, the controller must rectify or complete it accordingly without undue delay.

The procedures for complying with such right is further set out in Section 17 of the PDPA.

8.4. Right to erasure

In terms of Section 16 of the PDPA, every data subject has a right to make a written request to the controller to have their personal data erased, within 21 working days from the date of such request, under circumstances provided in the PDPA.

The procedures for complying with such right is further set out in Section 17 of the PDPA.

8.5. Right to object/opt-out

Section 14 of the PDPA provides that every data subject is entitled to withdraw their consent at any time if such processing is based on such consent, provided that the withdrawal of such consent shall not affect the lawfulness of any processing taken place prior to such withdrawal.

Every data subject is also entitled to request the controller to refrain from further processing if such processing is based on public interest or the legitimate interests of the controller.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

In terms of Section 18 of the PDPA, every data subject has a right to request the controller to review decisions based solely on automated processing which has created or which is likely to create an irreversible and continuous impact on the rights and freedoms of the data subject as guaranteed under any written law.

8.8. Other rights

Section 19 of the PDPA provides the data subject with the right to appeal to the Authority against certain decisions of the controller specified in the PDPA in the form and manner and within such period of time as may be prescribed.

The Authority shall determine the lawfulness of the decision of the controller and shall decide within such period as may be prescribed whether the appeal is allowed or disallowed which shall be informed to the data subject and the controller with reasons thereof. Where the Authority allows the appeal, the controller is required to take steps to give effect to the decision of the Authority, within such period as determined by the Authority, and the controller is required to inform the data subject and the Authority of the steps taken to give effect to the said decision.

Any data subject aggrieved by the decision of the Authority has the right to prefer an appeal to the Court of Appeal not later than 30 days from the date of such decision.

9. Penalties

Where on receipt of a complaint or otherwise, and the Authority has reason to believe that any controller is engaged or is about to engage in any processing activity in contravention of the PDPA or has contravened or has failed to comply with the provisions of the PDPA or any rule, regulation, guideline, or order made under the PDPA or any other written law, the Authority may, after giving an opportunity to the controller or processor of being heard, and after such inquiry as the Authority may consider necessary, issue a directive to that controller or processor (Section 35 of the PDPA). A directive may require such entity to:

• cease and refrain from engaging in the act, omission, or course of conduct related to processing;
• perform such acts as in the opinion of the Authority are necessary to rectify the situation; and
• to make a payment of such sum of money as compensation as determined by the Authority to an aggrieved person who has suffered harm, loss, or damage as a result of any contravention by a controller or processor.

Section 38 of the PDPA imposes a penalty of up to LKR 10 million (approx. $ 31,099 ) for the failure to comply with a directive issued under the provisions of Section 35 of the PDPA, taking into consideration the nature and extent of non-compliance, as well as its impact on data subjects. Where a controller or processor, who has been subjected to a penalty on a previous occasion, subsequently fails to conform to a directive on any further occasion, such person shall in addition to the penalty which may be imposed on them earlier be liable to the payment of an additional penalty consisting of twice the amount imposed as a penalty on the second and for each subsequent non-compliance.

The PDPA further prescribes a list of matters to consider when imposing a penalty which includes, inter alia:

• the nature, gravity, and duration of the contravention;
• the degree of responsibility of the controller;
• the categories of personal data affected by any contravention; and
• any action that was taken by the controller or processor to mitigate the damage suffered by data subjects.

In addition, the imposition of a penalty does not preclude the Authority from taking other regulatory measures, including, but not limited to, the suspension of business activities.

9.1 Enforcement decisions

Not applicable.