The Personal Data Protection Act (PDPA) is the main piece of legislation in Sri Lanka that addresses personal data protection. As the digital economy expands and innovates, the Act strives to protect individual rights and to guarantee consumer confidence in information privacy in online transactions and information networks. It is important to preserve data so that people may rely on its fair and responsible use. Anyone who gathers information about people for any purpose other than their own family, personal, or household needs must abide by the law.
Sri Lanka is the first country in South Asia to have presented a PDPA. The Act, which for the most part is compliant with international law and incorporates the General Data Protection Regulation (GDPR), fills a long-felt gap in Sri Lanka’s data privacy laws. The PDPA is implemented on a staged basis.
CASE LAW – The concept of actio iniuriarum, which has evolved through case law, defines the right to privacy in Sri Lanka as a “delict” that must be upheld. The concept of “invasion of privacy” was covered in Nadarajah v. Obeysekera [52NLR76] (1971), which acknowledged the existence of the right to personal space.
The Supreme Court of Sri Lanka has stressed the significance of the individual’s right to privacy in more recent cases involving this issue, such as Hewamanna v. Attorney General (1999) and the Sunday Times defamation case (2000).
Due to the government and business sector’s adoption of digital strategies, a personal data protection law became necessary. This Act is crucial because it will improve the governance and management of personal data and is relevant to contact tracing solutions for Sri Lanka’s digital identification effort.
The Act particularly addresses data subjects in Sri Lanka and is designed to apply to companies both inside and outside of Sri Lanka, including those providing products or services to Sri Lankans. Digital platforms that offer Sri Lankans services from outside may fall under this category. Personal data processed by an individual only for domestic, personal, or household purposes is exempt from the PDPA. The PDPA defines personal data as any information that can directly or indirectly identify a data subject. The Act also covers a data controller that provides goods or services to data subjects in Sri Lanka and specifically monitors the behavior of data subjects in Sri Lanka.
The Act now establishes a legal foundation for measures to protect the personal information of data subjects, as described in Section 56 of the Act. The Act mandates that controllers process data in accordance with the requirements for processing in Part I of the Act. In line with Section 12, controllers who implement “a data protection management programme” comply with Sections 5, 6, 7, 8, 9, 10 and 11. The Act also gives data subjects several rights, referred to in Part II as “rights of data subjects.”
THE DATA SUBJECT HAS THE FOLLOWING RIGHTS
Right of access: the data subject has the right to access personal data upon request;
Right to withdraw consent: data subjects have the right to object to the processing of their personal information and withdraw their permission;
Right to rectification: data subjects have the right to have their inaccurate personal data corrected or rectified upon request;
Right to erasure: a data subject may ask for the deletion of their personal data;
Right to object to automated decision making: data subjects have the right to object to automated processing and decision-making that they believe will have an ongoing, irreversible impact on their rights and freedoms, and to tell the data controller/processor of their objection.
The Sri Lankan PDPA, like any data protection law, attempts both to modernize how organizations gather data and to give users an unheard-of level of privacy over their data within the nation.
Further information about this act can be found on the Sri Lanka Parliament’s website.

