A Guide to Understanding and Complying with Data Privacy Laws in Sri Lanka

The Personal Data Protection Act, No. 9 of 2022 (PDPA) regulates the processing of personal data and protects the rights of data subjects. This guideline aims to help you understand some of the responsibilities you will have once the substantive provisions of the PDPA come into force, on a date to be appointed that falls between 19th September 2023 and 19th March 2025.

  1. Does it apply to you?
    The PDPA applies to the processing of personal data that is wholly or partly carried out within Sri Lanka. It also applies to processing by a controller or processor who is domiciled, incorporated or established in Sri Lanka, who offers goods or services to data subjects in Sri Lanka, or who monitors the behaviour of data subjects in Sri Lanka, even where the processing itself takes place elsewhere.

  2. What is Personal Data?
    “personal data” means any information that can identify a data subject directly or indirectly, by reference to an identifier such as a name, an identification number, financial data, location data or an online identifier.

  3. What are Special Categories of Personal Data?
    The PDPA defines “Special Categories of Personal Data” as personal data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; data concerning a natural person’s sex life or sexual orientation; personal data relating to offences, criminal proceedings and convictions; and personal data relating to a child. Processing these categories attracts stricter conditions than ordinary personal data.

  4. Determine Your Role as a Controller
    A controller determines the purposes and means of processing personal data; a processor processes personal data on behalf of a controller. If you fall within the definition of a controller, you carry the primary obligations under the PDPA and must ensure compliance. Processors are not exempt: they must process only on the controller’s instructions and secure the data they handle.

  5. Ensure Lawful Processing
    Processing of personal data by a controller is lawful only if it satisfies at least one of the conditions for lawful processing set out in Schedule I of the PDPA. The conditions most commonly relied on are the consent of the data subject, processing necessary for the performance of a contract with the data subject, and processing necessary to comply with a legal obligation. Identify and record which condition you rely on for each processing activity before the processing begins.

  6. Obtain Consent
    Consent must be freely given, specific, informed and unambiguous. When assessing whether consent was freely given, take into account whether the performance of a contract has been made conditional on consent to the processing of personal data that is not necessary for the performance of that contract; consent bundled in that way is unlikely to be valid. Data subjects may also withdraw consent, so keep a record of when and how consent was obtained.

  7. Inform Data Subjects
    Inform data subjects that their personal data is being processed, the purposes of the processing, the recipients or categories of recipients of the data, and the rights available to data subjects under the PDPA. This information should be provided at the time the data is collected, in clear and plain language.

  8. Protect Personal Data
    Ensure that appropriate technical and organizational measures are in place to protect personal data against unauthorized access, disclosure, destruction or alteration. The measures should be proportionate to the nature of the data and the risk involved; special categories of personal data warrant stronger controls. Maintain records of these measures so that you can demonstrate compliance if required.

  9. Respond to Data Subjects’ Requests
    Respond to data subjects’ requests to access, rectify, erase or restrict the processing of their personal data, or to object to processing. Within 21 working days of receiving a request, inform the data subject of one of the following:
      – that the request has been granted;
      – that the request has been refused, together with the reasons for the refusal; or
      – for an objection, confirmation that you have refrained from further processing of the personal data, or the reasons for continuing to process it.
    Where a request is not granted, also inform the data subject of their right of appeal.

  10. Appoint a Data Protection Officer
    If you are a public authority, or your processing activities require regular and systematic monitoring of data subjects, you must appoint a data protection officer. The data protection officer should be involved in all matters relating to the protection of personal data and act as the point of contact for data subjects and the Data Protection Authority.