For insight into the scope of application and the general processing principles under the PDPA, see part one here. For insight into the obligations of controllers and processors under the PDPA, see part two here.

Rights of data subjects (Section 11 and Part II)

Right to be informed

Controllers are required to provide data subjects with the information referred to in Schedule V of the PDPA in writing or by electronic means and in a concise, transparent, intelligible, and easily accessible form (Section 11(a) of the PDPA).

In performing this obligation, and like the General Data Protection Regulation (Regulation (EU) 2016/679), the PDPA distinguishes between data subjects whose personal data has been collected directly and indirectly. In general, however, the following information must always be provided where applicable (Schedule I, Item 1 of the PDPA):

• the identity and contact details of the controller and of the controller's representative and the DPO;
• the purposes and legal basis for the processing;
• the legitimate interest pursued by the controller or by a third party;
• the categories of personal data being collected;
• the existence of the right to withdraw consent;
• the recipients or third parties with whom such personal data may be shared;
• information regarding any cross-border transfers of personal data;
• the period of retaining personal data;
• the existence of and procedure for the exercise of data subject rights;
• whether the provision of personal data by the data subject is a statutory or contractual requirement; and
• the existence of automated decision-making.

Right of access

Upon a written request, data subjects have the right to access their personal data and to be provided with (Section 13 of the PDPA):

• confirmation as to whether such personal data has been processed; and
• the information referred to in Schedule V of the PDPA.

Right to object and withdraw consent

Upon a written request, data subjects have the right to withdraw their consent, provided that the withdrawal of such consent does not affect the lawfulness of any processing taken place prior to such withdrawal (Section 14(1) of the PDPA).

Separately, data subjects also have the right to request a controller refrain from further processing if such processing is based on public or legitimate interests (Section 14(1) of the PDPA).

Right to rectification

Upon a written request, data subjects have the right to request a controller to rectify or complete their personal data where it is either inaccurate or incomplete (Section 15 of the PDPA).

However, this right should not impose any obligation on a controller to collect and process any additional personal data that is not required for the purpose of processing. Likewise, where a controller is required to maintain personal data for evidentiary purposes as provided by written law or an order of a competent court, the controller should instead refrain from further processing such personal data without rectifying (Section 15 of the PDPA).

Right to erasure

Upon a written request, data subjects have the right to request the controller erase their personal data where (Section 16 of the PDPA):

• the processing of personal data contravenes the obligations referred to in Part I of the PDPA;
• the data subject withdraws their consent; or
• the requirement to erase personal data is required by law or on an order of a competent court.

Automated decision-making

Data subjects have the right to request a controller to review a decision based solely on automated processing, which has created or which is likely to create an irreversible and continuous impact on the rights and freedoms of the data subject (Section 18(1) of the PDPA).

However, this right does not apply where the decision is (Section 18(2) of the PDPA):

• authorised by law;
• authorised by the Authority;
• based on the consent of the data subject; or
• necessary for entering into or performance of a contract between the data subject and the controller.

Unsolicited messaging and direct marketing (Part IV)

The PDPA establishes that a controller may use postal and telecommunication services, electronic means, or any similar means, for the purposes of disseminating messages where a data subject has consented to such purposes (Section 27(1) of the PDPA). Consent to such solicited messages must fall under the prescribed requirements found under Schedule III of the PDPA.

The legislation defines 'message' as any written, electronic, oral, pictorial, or video message, that is intended to the promote goods or services of a controller or any third party, person, entity, or organisation, other than internet-based advertisements to which a data subject has consented to obtain a service free of charge from the controller.

Furthermore, Section 27 of the PDPA sets out specific direct marketing requirements when reaching out to data subjects.

Please note that the provisions of Part IV of the PDPA is subject to a longer transition period than the rest of the PDPA, due to come into operation on a date not earlier than 24 months and not later than 48 months from the date of certificate (Section 1(4) of the PDPA).

Enforcement (Parts V, VI, and VII)

The Authority

One of the main purposes of the PDPA is to provide for the establishment of the Data Protection Authority of Sri Lanka ('the Authority'). Compared to other privacy legislation, the provisions governing the Authority – its constitution, powers, duties, and functions – are rather extensive, spanning Parts V and VI and Schedule VI of the PDPA.

In short, the administration, management, and control of the affairs of the Authority is vested in a Board of Directors appointed by the President of Sri Lanka, who in turn are empowered to exercise, perform, and discharge the powers, duties, and functions conferred by the PDPA (Section 29 of the PDPA).

While the Authority is generally charged with regulating the processing of personal data, its objectives also include setting up data protection mechanisms for digital transactions and communications, in addition to ensuring regulatory compliance to facilitate for the growth and innovation in digital economy (Section 31 of the PDPA).

The powers of the Authority are further outlined in Section 32 of the PDPA, while its duties and functions are defined in Section 33 of the PDPA. Similar to other data protection bodies, such powers allow the Authority to, among other things:

• inspect and seize information held by a controller or processor;
• direct a controller or processor to take steps to comply with the PDPA;
• carry out periodical examinations;
• appoint advisory committees;
• recognise certification and certifying bodies; and
• establish standards, as well as make rules and issue guidelines and directives.

Notably, under the PDPA, the Authority is also granted the power to issue licences to data controllers or processors. The licence mechanism under the PDPA may be further clarified under supplementary rules or guidelines.

Complaints to the Authority

Where a complaint is submitted to the Authority, or the Authority has reason to believe, that controller or processor is engaged in, or is about to engage in any processing activity in contravention of the PDPA, or has contravened or failed to comply with or is likely to contravene or, fails to comply with the PDPA, then the Authority may conduct an inquiry.

The Authority may, after giving an opportunity to the controller or processor to be heard at any inquiry, issue a directive to the controller or processor requiring such controller or processor to (Section 35 of the PDPA):

• cease and refrain from engaging in the act, omission, or course of conduct related to processing;
• to perform actions that in the opinion of the Authority are necessary to rectify the situation; or
• request a payment of such sum of money, as compensation, to an aggrieved person who has suffered harm, loss, or damage as a result of any contravention by a controller or processor.

During inquiries or investigations, the Authority may among other things, examine a person under oath or affirmation and require such person where necessary to produce any information relating to the processing of functions of a controller or processor, and enter into the premises of any controller or processor and inspect or seize records and carry out investigations, where the Authority has reasonable grounds to believe that processing poses an imminent risk to the rights of the data subjects (Section 32(f) and (g) of the PDPA).

Penalties

Where a controller or processor fails to comply with a directive issued under the provisions of Section 35, as supplied above, then the Authority may by notice; require such controller or processor to pay a penalty, which shall not exceed a sum of LKR 10 million (approx. €31,760) for each non-compliance (Section 38(1) of the PDPA), with subsequent failures to comply a directive issued by the Authority, a controller or processor may be liable to the payment of an additional penalty consisting of twice the amount imposed, for each subsequent non-compliance (Section 38(2) of the PDPA). A controller or processor who is aggrieved by the imposition of an administrative penalty, may appeal against such decision to the Court of Appeal of Sri Lanka, within 21 working days from the date of the notice of such decision.

Further regulations and rules

While the PDPA establishes an extensive framework for the protection of personal data, further supplementary regulations can be expected on the following matters (see also Section 53 of the PDPA):

• technical and organisational measures;
• the exercise of data subject rights by a person other than the data subject;
• fees applicable to data subject rights requests;
• conditions which require the appointment of a data protection officer;
• the form and manner in which a Data Protection Impact Assessments ('DPIA') must be carried out; and
• third countries that are deemed adequate, as well as the criteria for making an adequacy decision.

The Authority is also empowered to issue rules to clarify, among other things (see also Section 33 of the PDPA):

• the circumstances in which specific targeting or monitoring of data subjects may occur;
• the measures and criteria applicable to automated decision-making;
• the form and manner for notifying personal data breaches, and the circumstances where affected data subjects should be notified; and
• the types of processing activities subject to a DPIA.

What's next?

With the exception of Parts IV and V of the PDPA, the majority of provisions are due to come into operation on a date notified by the relevant Minister. This should be no earlier than 18 months, and no later than 36 months, from the date of certification (Section 1(3) of the PDPA).

Accordingly, the PDPA is expected to come into force sometime between September 2023 and March 2025.

Karan Chao Senior Privacy Analyst
[email protected]
Theo Stylianou Privacy Analyst
[email protected]