Overview of Sri Lanka’s Personal Data Protection Act

The past couple of years have seen data privacy gain a significant degree of importance. Due to several political, social, and ethical factors, data protection now occupies a highly critical place in any country's strategic lawmaking related to its citizens. Hence, it is no surprise that most countries have been incredibly active in drafting data protection laws.

Sri Lanka is another such country, with its Personal Data Protection Act (PDPA), No. 9 of 2022, passed on 19 March 2022. It covers all the bases that a data protection regulation is expected to cover in relation to data subject rights. Additionally, it sets out the responsibilities of data processors/controllers and the penalties for those that fail to comply with the PDPA.

So, to make compliance more accessible and the finer details of the regulation more comprehensible, here's a rundown of all the significant bits to know about the Personal Data Protection Act:

1. Who Needs to Comply with the Law

Here's how the PDPA applies to organisations in terms of their geographical location as well as the sort of data they process on residents of Sri Lanka:

a. Material Scope

As far as the material scope of the PDPA is concerned, the law explicitly states that it shall apply to the processing of personal data. However, data collected by an individual for personal, domestic, or household use, and any data other than personal data, is not subject to the PDPA.

The PDPA also lays down exemptions: where necessary and proportionate measures are taken for any of the following, the relevant sections of the PDPA will not apply:

  • The protection of national security, defense, public safety, public health, economic and financial systems stability of the Republic of Sri Lanka;
  • The impartiality and independence of the judiciary;
  • The prevention, investigation and prosecution of criminal offences;
  • The execution of criminal penalties;
  • The protection of the rights and fundamental freedoms of persons, particularly the freedom of expression and the right to information.

b. Territorial Scope

The PDPA shall apply to all organisations that fall under the following categories:

  • Processing of personal data takes place wholly or partly within Sri Lanka;
  • Processing of personal data is carried out by a data controller/processor domiciled or ordinarily resident in Sri Lanka;
  • Processing of personal data is carried out by a data controller/processor that is incorporated or established under any written law of Sri Lanka;
  • Processing of personal data is carried out by a data controller/processor that offers goods or services to data subjects in Sri Lanka, including the offering of goods or services with specific targeting of data subjects in Sri Lanka, subject to the determination of the Authority of the circumstances in which the specific targeting of the data subjects occurs;
  • Processing of personal data is carried out by a data controller/processor that specifically monitors the behavior of data subjects in Sri Lanka, including profiling with the intention of making decisions subject to the determination of the Authority of the circumstances in which the specific monitoring of the data subjects occurs;

2. Obligations for Organizations Under the PDPA

The Sri Lankan PDPA, like all other major data protection laws, places several obligations upon all data controllers/processors. These obligations ensure that the organisation adheres to strict rules and regulations in its data collection. These obligations include:

a. General Principles of Processing

Every controller shall ensure that personal data is processed in a manner that is compatible with the PDPA such that:

  • Data is processed for a specified, explicit, and legitimate purpose;
  • Personal data that is processed is adequate, relevant, and proportionate to the extent of the purpose for which that data was collected;
  • Processed personal data is accurate and kept up to date, with every reasonable step being taken to erase or rectify any inaccurate or outdated personal data without undue delay;
  • Personal data that is being processed shall be kept in a form that permits identification of data subjects only for the necessary or required period as per the Law. However, the controller may store the personal data for longer periods if this act is pertinent for archiving purposes in the public interest, scientific research, historical research, or statistical purposes;
  • Every controller shall ensure integrity and confidentiality of personal data that is being processed, by using appropriate technical and organizational measures including but not limited to encryption, pseudonymisation, anonymisation or access controls, so as to prevent unauthorized or unlawful processing, or loss, destruction or damage of personal data;
  • Where two or more controllers jointly determine the purposes and means of processing, such controllers shall be referred to as “joint controllers” who shall be jointly responsible for discharging the obligations stipulated under PDPA.

b. Lawful Basis Requirements

As per Schedule I of the PDPA, explicit conditions are set for the lawful processing of data.

These include the following:

  • The data subjects' explicit consent for data processing;
  • Processing is necessary for the performance of a contract to which the data subject is a party;
  • Processing is necessary for compliance with a legal obligation to which the controller or processor is subject;
  • Processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of powers, functions or duties conferred, imposed, or assigned on the controller or processor by or under any written law in the instances of:
    • processing of personal data is necessary for health purposes such as public health and social protection and the management of health care services;
    • processing of personal data is necessary for the control of communicable diseases and other serious threats to health;
    • processing of personal data is necessary by official authorities for achieving the purposes or objects laid down by law.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of the data subject, which include:
    • processing in situations where the data subject is a client or in the service of a controller;
    • situations where a data subject reasonably expects, at the time and in the context of the collection of the personal data, that processing for that purpose may take place;
    • processing of personal data is strictly necessary for the purposes of preventing fraud;
    • processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.

c. Consent Requirements

The PDPA follows a run-of-the-mill attitude towards consent. Organisations can only begin collecting data on their users once the user has explicitly consented to the collection. Additionally, users will have the right to withdraw this consent at any moment.

However, the most noteworthy part of the PDPA regarding consent requirements is undoubtedly Section 27, which deals with unsolicited messages. It stipulates that organisations sending out messages, usually for marketing purposes, by electronic means or through the post, need the consent of the data subject to receive them.

Moreover, when obtaining consent, the controller shall, at the time of collecting contact information and each time a message is sent, provide the data subject with details on how to opt out of receiving such messages free of charge.

d. Privacy Notification / Privacy Policy Requirements

As per the PDPA, it is the data controller/processor's responsibility to process data completely transparently. This is to be done in writing or by electronic means and in a concise, transparent, intelligible, and easily accessible form as part of the overall privacy policy.

e. Data Breach Requirements

In case of a personal data breach, the data controller/processor must inform the Authority in such form and manner, and within such period of time, as prescribed by the rules made under the PDPA. The Authority will determine the circumstances in which it must be notified of a data breach, as well as the circumstances in which data subjects are to be notified, and the manner and medium of that communication.

f. Data Protection Officer Requirement

Every data controller and processor subject to the PDPA has to ensure the appointment of a Data Protection Officer (DPO). The DPO must have the relevant academic qualifications and other necessary requirements to ensure their professional competency for the job.

In instances where the controller is a group of entities, such controllers may appoint a single Data Protection Officer who is easily accessible by each entity. Likewise, where a controller or a processor is a Public Authority, a single Data Protection Officer may be designated for several such public authorities, taking into account their organizational structures.

The data controller and processor must ensure they properly publish the contact details of the DPO on their website while communicating these details to the regulatory authorities as soon as the appointment of the DPO is finalised.

g. Data Protection Impact Assessment

Data controllers are required to carry out extensive personal data protection impact assessments. These will be required when there is processing involving:

  • A systematic and extensive evaluation of personal data or special categories of personal data including profiling;
  • A systematic monitoring of publicly accessible areas or telecommunication networks;
  • A processing activity taking into consideration the scope and associated risks of that processing.

The personal data protection impact assessment shall contain such information and particulars, including any measures and safeguards taken by the controller to mitigate any risk of harm caused to the data subject by the processing. The controller must seek assistance from the DPO when carrying out assessments. Additionally, a new assessment must be carried out whenever the data controller decides to alter any of its data collection, storage, or protection methodologies. The controller must also submit the assessment to the Authority and comply with any written requests made by the Authority for further information on the compliance of the processing and on any risks of harm associated with the protection of the data subject's personal data.

Where a personal data protection impact assessment indicates that the processing is likely to result in a risk of harm to the rights of data subjects guaranteed under this Act or any written law, the controller shall take measures to mitigate such risk of harm prior to any processing of personal data. If it is unable to mitigate such risks, the controller can consult the Authority for further guidance.

h. Record of Processing Activities

All data controllers/processors must keep a detailed record of their data collection and processing activities in writing or by electronic means and in a concise, transparent, intelligible, and easily accessible form that can be made available to a data subject whenever they request access to this data.

Moreover, it is the duty of every controller to implement internal controls and procedures, referred to as the Data Protection Management Programme (in line with the guidelines issued by the Authority), that:

  • establishes and maintains duly cataloged records to demonstrate the implementation of data protection obligations carried out by the controller;
  • is designed on the basis of structure, scale, volume and sensitivity of processing activities of the controller;
  • provides for appropriate safeguards based on data protection impact assessments;
  • is integrated into the governance structure of the controller;
  • establishes internal oversight mechanisms;
  • has a mechanism to receive complaints, conduct inquiries and identify personal data breaches;
  • is updated based on periodic monitoring and assessments;
  • facilitates the exercise of rights of data subjects.

i. Vendor Assessment/Third Party Processing Requirements

In special circumstances, where processing is done by a vendor or any third party, there are some requirements on that front as well.

Firstly, the third party must have demonstrated that they have adequate technical and organisational measures in place to ensure compliance with the PDPA within their data collection practices.

Secondly, their contract with the data controller must set out details such as the duration of the processing, the nature and purpose of the processing, the type of personal data, categories of the data subjects, and the obligations of the controller.

The third party or processor also has further obligations in relation to its data processing activities, including to:

  • Ensure that processing activities are carried out only on the written instructions of the controller;
  • Ensure that its personnel are bound by contractual obligations on confidentiality and secrecy by the implementation of appropriate technical and organizational measures;
  • Facilitate the controller to carry out compliance audits, including inspections upon the written request of the controller, taking into account the nature of processing and the information available to the processor;
  • Upon the written instructions of the controller, erase existing copies of personal data or return all personal data to the controller after the completion of the provision of services relating to processing.

j. Cross-border Data Transfer Requirements

Personal data collected or processed in Sri Lanka by a data controller/processor cannot be transferred to any third country unless the regulatory authority has made an adequacy decision.

An adequacy decision by the regulatory authority will be made in consultation with the Minister of Communication, subject to periodic monitoring of the safeguards and privacy mechanisms in place in the third country.

However, an adequacy decision may not be necessary if:

  • The data subject has consented to the proposed processing of personal data outside Sri Lanka after having been informed of the possible risks of such processing for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of any pre-contractual measures;
  • The transfer is necessary for the establishment, exercise, or defense of legal claims;
  • The transfer is necessary for reasons of public interest;
  • The transfer is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another person and where the data subject or his legal guardian is physically or legally incapable of giving consent.

3. Data Subject Rights

Like almost any other major data protection regulation, the Sri Lankan PDPA also lays down the rights of users online, better known as data subject rights. These rights are not only essential to ensure users online retain control over their data but ensure that data controllers and processors cannot employ excessive tactics to collect users' data. These rights include:

  • Right of Access - All data subjects have the right to request access to all the data that has been collected on them by a data controller/processor. It is incumbent upon the data controller/processor to provide the data subject with the necessary access once a formal written request has been made;
  • Right of Withdrawal of Consent - All data subjects have the right to withdraw any prior given consent to data collection. Once such a request is made, the data controller/processor must cease any data collection on the user. However, all data collected before this request will remain perfectly legal to use. In such cases, every data subject shall have the right to request a controller in writing, to refrain from further processing of personal data relating to such data subject;
  • Right to Rectification - All data subjects have the right to request rectification of data collected on them if it is outdated, incorrect, or obsolete, and the controller is to rectify or complete the personal data without undue delay. There is, however, an exception: where a controller is required to maintain personal data for evidentiary purposes under any written law or on an order of a competent court, the controller shall refrain from further processing such personal data without rectifying it;
  • Right to Erasure - All data subjects have the right to request that all data collected on them by a data controller/processor be erased where the processing of personal data is carried out in contravention of the obligations referred to in the law, where the data subject withdraws the consent upon which processing is based, or where erasure of the personal data is required by any written law or by an order of a competent court to which the data subject or controller is subject. Once this request is made, the data controller/processor cannot continue processing any data on the data subject;
  • Right to Object to Automated Decision Making - Data subjects have the right to inform the data controller/processor of their objection to automated processing and decision-making that is likely to create an irreversible and continuous impact on their rights and freedoms.

Where a controller receives a written request from a data subject, the controller shall inform the data subject in writing within twenty-one (21) working days from the date of the request. However, it is to be noted that the controller may refuse to act on a data subject request made under this Act on the grounds of:

  • The national security;
  • Public order;
  • Any inquiry conducted, investigation or procedure carried out under any written law;
  • The prevention, detection, investigation or prosecution of criminal offenses;
  • The rights and freedoms of other persons under any written law;
  • The technical and operational feasibility of the controller to act on such request;
  • The inability of the controller to establish the identity of the data subject;
  • The requirement to process personal data under any written law.

4. Regulatory Authority

The Sri Lankan PDPA establishes the Data Protection Authority of Sri Lanka (referred to as the Authority within the legislation). This Authority will exercise, perform, and discharge the powers, duties, and functions prescribed by the PDPA.

The Authority will be led by a Board of Directors consisting of no fewer than five and no more than seven members. Each of these members will be appointed by the President of Sri Lanka and must have experience and knowledge in regulatory matters, privacy and data protection, information security or related fields. The President will appoint a Chairperson from among these members, responsible for leading the regulatory body. All members must have the necessary qualifications and credentials to be fit for the role.

5. Penalties for Non-compliance

The Sri Lankan PDPA is comparatively strict when it comes to imposing penalties related to non-compliance. In case of non-compliance, the Authority shall take into consideration the following:

  • The nature, gravity and duration of the contravention;
  • Any mitigating actions taken by the controller;
  • The effectiveness of the data protection management programme;
  • The degree of cooperation with the Authority in order to remedy the contravention and mitigate the possible adverse effects of such contravention;
  • The categories of personal data affected by any contravention;
  • The manner in which a contravention became known to the Authority, in particular whether, and if so to what extent, the controller or processor notified the contravention to the Authority;
  • Previous non-compliances by such controller or processor under this Act;
  • Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, arising out of or in relation to the contravention of this Act by a controller or processor as the case may be.

Any organisation found in non-compliance with any of the PDPA's provisions can be fined up to 10 million rupees for each instance of non-compliance. In the case of repeat offenders, in addition to the penalty amount for the current non-compliance, the offender will also be liable to pay an additional penalty of twice the amount imposed as a penalty for the second and each subsequent non-compliance. After making appropriate compensation to the affected data subjects, the Authority will collect these fines and deposit them in the Consolidated Fund.

In the case of an organisation failing to pay the fine within the time frame stipulated by the Authority, it may face legal action by the Authority before the Magistrate Court of Colombo. The offender can also be subjected to the suspension of its commercial activities within Sri Lanka.

Moreover, a controller or processor who is aggrieved by the imposition of an administrative penalty under the PDPA may appeal against that decision to the Court of Appeal within twenty-one working days from the date on which the notice of the imposition of the administrative penalty was communicated to that person.

6. How an Organization Can Operationalize the Law

Like all data protection regulations, the Sri Lankan PDPA aims both to change the way organisations collect data and to provide users in the country with an unprecedented degree of privacy in relation to their data.

However, a major roadblock in successfully implementing this legislation is likely to be the fact that organisations may not know where to begin. After all, compliance with data protection regulations needs to be thorough, leaving no room for half-measures.

Fortunately, some steps can prove to be helpful in laying a proper foundation for the compliance efforts related to the Sri Lanka PDPA. Some of these include the following:

  • Make sure your privacy policy is easily comprehensible and communicates all your obligations and data subject rights effectively;
  • Hire a DPO who is well-versed in the PDPA to ensure your compliance efforts are up to par, while also taking their input on data collection mechanisms into account;
  • Ensure all the company's employees and staff are acutely aware of their responsibilities under the law;
  • Conduct regular data protection impact assessments as well as data mapping exercises to ensure maximum efficiency in your compliance efforts;
  • Notify the relevant authorities of a data breach as soon as possible.

7. How can Securiti Help

There was a time, not so long ago, when data collection was considered one of the easier parts of an organisation's digital strategy. And why not. Legislations related to online data protection were scarce and, in most cases, terribly outdated to deal with just how much the internet and data collection techniques had evolved.

That is no longer the case. The past few years have seen data privacy become a highly controversial topic, with legislation being drafted in almost all countries to ensure organisations can collect only the most essential data, and that too with the explicit, informed consent of the users. Such a paradigm shift has required organisations to turn towards automation to meet their data compliance requirements.

Securiti is a market leader in providing enterprise solutions related to data governance, data privacy, and data compliance. Its artificial intelligence and machine-learning-based tools ensure that organisations can meet their due obligations under any data protection regulation effectively without compromising on their users' browsing experience.

Request a demo today to see how Securiti can help your organisation's compliance efforts related to the PDPA.
