Data Protection in Sri Lanka

Collection and processing in Sri Lanka

Like the GDPR, the PDPA enshrines a set of principles governing the collection and processing of personal data. Each controller must ensure that personal data is processed in compliance with these principles, which are as follows.

  • process lawfully;
  • process for specified, explicit and legitimate purposes and not further process in a manner that is incompatible with those purposes;
  • process personal data which is adequate, relevant and limited to the purpose;
  • ensure that personal data is accurate and where necessary kept up to date;
  • keep personal data in a form which permits identification of data subjects for no longer than is necessary, for the purpose(s) for which the data are processed;
  • process in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures;
  • process in a transparent manner, providing information on such processing to data subjects; and
  • ensure accountability in processing by the implementation of internal controls and procedures that are able to demonstrate compliance with the PDPA, identified as the “Data Protection Management Programme”.

Legal Basis

For processing to be ‘lawful’, it must rest on the most appropriate of the following legal bases provided under the PDPA:

  • consent of the data subject (consent must be a freely given, specific, informed and unambiguous indication, given in writing or by affirmative action, and capable of being withdrawn at any time);
  • necessary for the performance of a contract with the data subject, or in order to take steps at the request of the data subject prior to entering into such a contract;
  • necessary for compliance with a legal obligation to which the controller or processor is subject under Sri Lankan law;
  • necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person;
  • necessary for the performance of a task carried out in the public interest or in the exercise of powers, functions or duties imposed under Sri Lanka law; or
  • necessary for the purposes of the legitimate interests of the controller or a third party (subject to a balancing assessment: the controller’s interests must be weighed against the rights of the data subject and must not override them, particularly where the data subject is a child).

Special Categories of Personal Data

In addition to the lawful grounds above, a controller processing special categories of personal data must also satisfy one of the following conditions, whichever is objectively the most appropriate:

  • consent of the data subject, which in the case of a child will mean the consent of the parent or legal guardian;
  • processing is necessary for carrying out the obligations of the controller and exercising the rights of the data subject in the fields of employment, social security (including pensions) and public health, in so far as this is provided for by Sri Lankan law with appropriate safeguards for the rights of the data subject;
  • processing is necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person who is incapable of giving consent;
  • the personal data has been manifestly made public by the data subject;
  • processing is necessary for the establishment, exercise or defence of legal claims;
  • processing is necessary for any purpose as provided for under any written law in Sri Lanka or public interest;
  • processing is necessary for medical purposes and where such data is processed by a health professional licensed under or authorized by any written law in Sri Lanka; or
  • processing is necessary for archiving purposes in the public interest, or for scientific or historical research or statistical purposes, in accordance with law.

Criminal Investigations

The PDPA permits the processing of personal data in relation to criminal investigations only where such processing is carried out in accordance with the written laws of Sri Lanka and subject to appropriate safeguards for the rights and freedoms of data subjects. Those safeguards may be prescribed once the PDPA becomes operative.

Transparency of Data Processing

Transparency is an important principle enshrined in the PDPA and, as stated above, it aims to ensure that data subjects are aware of how their personal data is processed and understand their rights pertaining to such data.

Accordingly, the PDPA requires controllers to provide detailed information to data subjects in a concise, transparent, intelligible and easily accessible form. The following information must therefore be provided to data subjects at the point of collection of their personal data, which is typically done by way of a privacy notice:

  • identity and contact details of the controller;
  • contact details of the data protection officer (where there is a DPO);
  • intended purpose for collecting personal data and the legal basis for the processing;
  • legitimate interest pursued by the controller (where applicable);
  • categories of personal data collected;
  • right of data subjects to withdraw consent for processing and method of withdrawing such consent (if processing is based on consent);
  • recipients and third parties with whom personal data will be shared;
  • details of cross border data transfer;
  • period of data retention;
  • rights of data subjects with regard to their personal data and how such rights may be exercised;
  • right to file a complaint with the Data Protection Authority (“Authority”);
  • whether the provision of personal data is a statutory or contractual requirement and the consequences of failing to provide such personal data; and
  • the existence of automated individual decision-making, including profiling, and its consequences for the data subject.

In addition, when a controller intends to process personal data for a new purpose, a data subject must be informed of such further processing, providing them with the information set out above.

Where personal data is collected by means other than directly from the data subject, the above information must be provided to the data subject within one month, at the time of the first communication with that data subject, or when the personal data is first disclosed to another recipient, whichever occurs first.

Rights of Data Subjects

The PDPA provides a series of rights for data subjects, largely similar to those under the GDPR. A controller must respond to any written request made by a data subject in relation to these rights within 21 working days of receiving the request.

Right to access personal data: data subjects have the right to access their personal data, be provided with confirmation as to whether such personal data has been processed and be provided a copy of such personal data by submitting a written request.

Right to withdraw consent: where processing is based on consent, the data subject has the right to withdraw that consent at any time and to request that the controller refrain from further processing of the data subject’s personal data on that basis.

Right to object to processing: data subjects have the right to object to further processing beyond the original purpose for which it was collected where such processing is based on the grounds of legitimate interests or public interest.

Right to rectification or completion: data subjects have the right to request a controller to rectify or complete any personal data that is inaccurate or incomplete.

Right to request a review of automated decisions: a data subject has the right to request a review of a decision made by a controller based solely on automated processing which is likely to create “an irreversible and continuous impact on the rights and freedoms of the data subject” under Sri Lankan law, unless such automated processing is:

  • authorized by Sri Lanka law;
  • authorized in a manner determined by the Authority;
  • based on the data subject’s consent; or
  • necessary for entering into, or for the performance of, a contract between the data subject and the controller.

Right to erasure: the data subject may, in a limited set of circumstances, request the controller to erase their personal data. These include where the controller is in contravention of its obligations and where erasure is mandated by a written law of Sri Lanka or by order of a competent court.

A controller may refuse a data subject’s request under the above rights only in limited instances, having regard to the following:

  • national security;
  • public order;
  • any inquiry, investigation or procedure carried out under Sri Lanka law;
  • the prevention, investigation and prosecution of criminal offences;
  • the execution of criminal penalties;
  • the protection of the rights and fundamental freedoms of persons under Sri Lanka law;
  • where the controller is unable to establish the identity of the data subject; or
  • the requirement to process personal data under any other law in Sri Lanka.
