09-2022_E

Personal Data Protection Act

Arrangement of Sections

1. Short title and date of operation.

2. Application of this Act.

3. The provisions of this Act to prevail in case of any inconsistency.

PART I

PROCESSING OF PERSONAL DATA

4. Compliance with the data protection obligations.

5. Obligation to process personal data in a lawful manner.

6. Obligation to define a purpose for personal data processing.

7. Obligation to confine personal data processing to the defined purpose.

8. Obligation to ensure accuracy.

9. Obligation to limit the period of retention.

10. Obligation to maintain integrity and confidentiality.

11. Obligation to process personal data in a transparent manner.

12. Accountability in the processing of personal data.

PART II

RIGHTS OF DATA SUBJECTS

13. Right of access to personal data.

14. Right of withdrawal of the consent and the right to object to processing.

15. Right to rectification or completion.

16. Right to erasure.

17. Grant or refusal of rectification, completion, erasure or refrain from further processing.

18. Automated individual decision making.

19. Right of appeal of the data subjects to the Authority and the process of determination of such appeal.

PART III

CONTROLLERS AND PROCESSORS

20. Designation or appointment of the Data Protection Officer.

21. Additional obligations of a controller.

22. Additional obligations of the processors.

23. Personal data breach notifications.

24. Personal data protection impact assessments.

25. Measures to mitigate risks of harm and the requirement for prior consultation.

26. Cross-border data flow.

PART IV

USE OF PERSONAL DATA TO DISSEMINATE SOLICITED MESSAGES

27. Solicited messages to data subjects by controllers.

PART V

DATA PROTECTION AUTHORITY

28. Establishment of the Data Protection Authority.

29. Constitution of the Board of Directors.

30. Chairperson of the Board.

31. Objects of the Authority.

32. Powers of the Authority.

33. Duties and functions of the Authority.

34. Authority may issue licences.

35. Directives made by the Authority.

PART VI

DIRECTOR-GENERAL AND THE STAFF OF THE AUTHORITY

36. Appointment of the Director-General.

37. Staff of the Authority.

PART VII

PENALTIES

38. Imposition of penalties.

39. Matters to consider when imposing a penalty.

40. Exemptions, restrictions or derogations.

PART VIII

FUND OF THE AUTHORITY

41. Fund of the Authority.

42. Financial year and audit of accounts.

PART IX

MISCELLANEOUS

43. Power to borrow.

44. Delegation of powers, duties and functions of the Authority.

45. Delegation of powers, duties and functions by the Director-General.

46. Expenses to be paid out of the Fund of the Authority.

47. Review of the performance of the Authority.

48. Annual report.

49. Protection of officers of the Authority from suit or prosecution.

50. All officers and employees of the Authority deemed to be public servants for the purposes of Penal Code.

51. Authority deemed to be a scheduled institution for the purposes of Bribery Act.

52. Rules.

53. Regulations.

54. Official secrecy.

55. Removal of difficulties.

PART X

INTERPRETATION

56. Interpretation.

57. Sinhala text to prevail in case of inconsistency.

SCHEDULES

9 of 2022.

AN ACT to provide for the regulation of processing of personal data; to identify and strengthen the rights of data subjects in relation to the protection of personal data; to provide for the establishment of the Data Protection Authority; and to provide for matters connected therewith or incidental thereto.

[Date of Commencement: On Notice]

Preamble

WHEREAS it has become necessary to facilitate the growth and innovation in the digital economy in Sri Lanka whilst ensuring the protection of personal data rights of the data subjects:

AND WHEREAS it has become necessary to improve interoperability among personal data protection frameworks as well as to strengthen cross-border co-operation among personal data protection enforcement authorities:

AND WHEREAS it has become necessary for the Government of Sri Lanka to provide for a legal framework to provide for mechanisms for the protection of personal data of data subjects ensuring consumer trust and safeguarding privacy whilst respecting domestic written laws and applicable international legal instruments.

1. Short title and date of operation.

(1) This Act may be cited as the Personal Data Protection Act.

(2) The provisions of this section shall come into operation on the date on which the certificate of the Speaker is endorsed in respect of this Act in terms of Article 79 of the Constitution.

(3) All other provisions of this Act, except the provisions of Part IV and Part V, shall come into operation on such date as the Minister may appoint by Order published in the Gazette, which shall be a date not earlier than 18 months and not later than 36 months from the date of the certificate of the Speaker referred to in subsection (2).

(4) The date of operation of the provisions of Part IV of this Act shall be a date not earlier than 24 months and not later than 48 months from the date of the certificate referred to in subsection (2).

(5) The date of operation of the provisions of Part V of this Act shall be a date appointed by the Minister by Order published in the Gazette which shall be a date not later than the date appointed by the Minister under subsection (3).

2. Application of this Act.

(1) This Act shall apply to the processing of personal data—

(a) where the processing of personal data takes place wholly or partly within Sri Lanka; or

(b) where the processing of personal data is carried out by a controller or processor who—

(i) is domiciled or ordinarily resident in Sri Lanka;

(ii) is incorporated or established under any written law of Sri Lanka;

(iii) offers goods or services to data subjects in Sri Lanka including the offering of goods or services with specific targeting of data subjects in Sri Lanka; or

(iv) specifically monitors the behaviour of data subjects in Sri Lanka including profiling with the intention of making decisions in relation to the behaviour of such data subjects in so far as such behaviour takes place in Sri Lanka.

(2) For the purposes of paragraphs (iii) and (iv) of subsection (1) respectively, the Authority may determine by way of rules made under this Act—

(a) the circumstances in which the specific targeting of the data subjects may occur; or

(b) the circumstances in which the specific monitoring of the data subjects may occur.

(3) This Act shall not apply to—

(a) any personal data processed purely for personal, domestic or household purposes by an individual; and

(b) any data other than personal data.
