Following multiple modifications, the Sri Lankan Parliament passed the Personal Data Protection Bill without a vote. Sri Lanka became the first South Asian country to establish a comprehensive data protection law when it passed the Personal Data Protection Act, No. 9 of 2022 (the "Act" or "PDPA") on March 18th, 2022. The legislation is modelled on the EU's General Data Protection Regulation (GDPR) and places significant obligations on controllers. It aims to define and strengthen data subjects' rights, as well as provide for the designation of the Authority. Legislators and others expressed worries over the proposed Data Protection Authority's influence on individuals' privacy and independence, while media organisations argued the measure might prohibit the media from utilising personal data when reporting, infringing on journalists' rights. Before implementing the changes, Justice Minister Ali Sabry said that the regulation was necessary, adding that "perfect legislation does not exist." The PDPA also includes measures such as the requirement to design a data protection management programme and restrictions on the use of personal data for direct marketing. The PDPA further includes a number of provisions governing cross-border data transfers, which have data localisation implications for all controllers and processors processing personal data outside of Sri Lanka. In this article, we attempt to make a brief note of the important provisions set out by the Sri Lankan Personal Data Protection Act, 2022.
Territorial: [Section 2]
The Act will apply wherever the processing of personal data takes place wholly or partly within Sri Lanka, or wherever personal data is processed by a controller or processor who:
- is based in Sri Lanka or is habitually resident there;
- is incorporated or constituted in Sri Lanka under any written law;
- provides goods or services to data subjects in Sri Lanka, including goods or services targeted specifically at Sri Lankan data subjects; or
- monitors the behaviour of data subjects in Sri Lanka, including profiling with the intention of making decisions in relation to the behaviour of such data subjects, in so far as that behaviour takes place in Sri Lanka.
Exclusions: [Section 3]
- any personal data processed only for an individual's personal, domestic, or household purposes;
- any data which is not considered personal data;
- the protection of national security, defence, public safety, public health, and the stability of the economic and financial systems of the Republic of Sri Lanka;
- the impartiality and independence of the judiciary;
- the prevention, investigation and prosecution of criminal offences;
- the execution of criminal penalties; and
- the protection of the rights and fundamental freedoms of persons, particularly the freedom of expression and the right to information.
Legal Basis:
Every controller shall ensure that personal data is processed for—
- specified;
- explicit; and
- legitimate
purposes, and such personal data shall not be processed in a way that is incompatible with the aforementioned purposes. [Section 6]
Legitimate Interest: [Schedule 1(h)]
- Processing where the data subject is a client of, or in the service of, the controller.
- Whether the data subject could reasonably expect, at the time the personal data is collected, that processing for that purpose may take place in connection with the collection of the personal data.
- Processing of personal data is strictly necessary for the purpose of fraud prevention.
- Processing of personal data to the extent that this is strictly necessary and proportional to ensuring the security of the network and information.
Public Interest: [Schedule 1(e)]
- The processing of personal data is necessary for health purposes such as public health and social protection, and management of medical services.
- Processing of personal data is necessary to combat infectious diseases and other serious health threats.
- The processing of personal data by public institutions is necessary to achieve the purpose or purposes specified by law.
Conditions for Processing
Personal Data: [Schedule 1]
The conditions for processing personal data stipulated under the Act are the following:
- The data subject has consented to the processing of his or her personal data.
- Processing is required to perform a contract to which the data subject is a party, or to take action at the request of the data subject before concluding the contract.
- Processing is required to comply with a legal obligation of the controller or processor under applicable law.
- Processing is required to respond to an emergency that threatens the life, health or safety of the data subject or another natural person.
- Processing is required for the exercise of any authority, function or duty conferred or imposed on the controller or processor by or under any written law, including notices, instructions or codes issued by the government, and including the performance of a task carried out in the public interest.
- Processing is required to protect the legitimate interests of the controller or a third party, unless those interests are overridden by the interests of the data subject which require the protection of personal data, in particular where the data subject is a child.
Special Categories of Data: [Schedule 2]
Here are the conditions under which Special Categories of Data shall be processed:
- the data subject has given consent, to the processing of special categories of personal data for one or more purposes specified by the controller at the time of processing, unless any other written law prohibits the processing of such personal data notwithstanding the consent of the data subject concerned. In the case of a child, consent shall mean the consent of the parent or legal guardian of such child; or
- processing is necessary for the purposes of carrying out the obligations of the controller and exercising of the rights of the data subject, in the field of employment, social security including pension, and for public health purposes ensuring public safety, monitoring and public alert systems relating to impending health or other emergencies, the prevention or control of communicable diseases and other serious threats to public health and the management of public healthcare services in so far as it is provided for in any written law providing for appropriate safeguards for rights of the data subject; or
- processing is necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person where the data subject is physically or legally incapable of giving consent; or
- the processing relates to personal data which is manifestly made public by the data subject; or
- processing is necessary for the establishment, exercise or defence of legal claims before a court or tribunal or such similar forum, or whenever courts are acting in their judicial capacity; or
- processing is necessary for, any purpose as provided for in any written law or the public interest, which shall be necessary and proportionate to the aim pursued whilst providing suitable and specific measures to safeguard the rights and freedoms of the data subject; or
- processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where such data is processed by a health professional licensed under or authorized by any written law prevailing in Sri Lanka; or
- processing is necessary for archiving purposes in the public interest, scientific research or historical research purposes or statistical purposes in accordance with the law which shall be proportionate to the aim pursued, protecting the data protection rights enumerated in the Act or any other written law and provide for suitable and specific measures to safeguard the rights and freedoms of the data subject.
Consent: [Schedule 3]
Here are the conditions under which consent is to be obtained from a data subject within the scope and ambit of the Act:
- The controller must demonstrate that the data subject has consented to the processing of his or her personal data;
- If the data subject's consent is given in the context of a written declaration that also contains other information, the request for consent must be presented in a way that is clearly distinguishable from the other information, in an intelligible and easily accessible format, and in plain language: Provided that, such a declaration shall not constitute an infringement of any provisions of the Act.
- When determining whether consent is freely given, special consideration must be given to whether, among other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract; and
- prior to giving consent, the data subject must be informed that consent can be withdrawn at any time under the provisions of the Act.
Notifications [Section 23]
As per the PDPA, it is the data controller/processor's responsibility to process data completely transparently. This is to be done in writing or by electronic means and in a concise, transparent, intelligible, and easily accessible form as part of the overall privacy policy. The Authority is also required to provide for the circumstances under which the Authority must be notified of a data breach; the circumstances under which the affected data subjects must be notified; and the form and manner in which such notification must be made, as well as the information that must be included in such a notification relating to the data breach in question. Rules may be promulgated accordingly.
Data Breach Requirements [Section 23]
In the event of a personal data breach, the data controller/processor must notify the Authority in the form, manner, and timeframe specified by the rules made under the PDPA. The Authority shall establish when it must be notified of a data breach, when data subjects must be told of a data breach, and the mode and medium of such notification.
Data Transfers [Section 26]
A data controller/processor who collects or processes data in Sri Lanka cannot transfer the data to a third country unless the regulatory body determines that it is adequate. The regulatory authority will make an adequacy decision in cooperation with the Minister of Communication, subject to periodic monitoring of the third country's safeguards and privacy systems.
However, an adequacy decision may not be required if:
- The data subject has consented to the proposed processing of personal data outside of Sri Lanka after being informed of the potential risks of such processing for the data subject due to the lack of an adequacy decision and appropriate safeguards;
- The transfer is required for the performance of a contract between the data subject and the controller or the implementation of any pre-contractual measures;
- The transfer is required for the purposes of establishing, exercising, or defending legal claims; or
- The transfer is required on public interest grounds.
Data Protection Officer [Section 20]
A Data Protection Officer has been given statutory recognition as a mandatory position within the establishments of data controllers and data processors alike.
- Every data controller and processor who is subject to the PDPA must appoint a DPO. To ensure professional competency for the position, the DPO must have the relevant academic qualifications and other prerequisites.
- When the controller is a group of entities, the controller may appoint a single DPO who is easily accessible to all of the entities. Similarly, where a controller or processor is a public authority, a single DPO may be appointed for several such public authorities based on their organisational structures.
- The data controller and processor must ensure that the DPO's contact information is appropriately published on their website, and that these details are communicated to the regulatory authorities as soon as the DPO's appointment is finalised.
Functions:
- advise the controller or processor and their employees on data processing requirements imposed;
- ensure that the provisions of the Act are followed on behalf of the controller or processor;
- assist in the capacity building of staff involved in data processing operations;
- provide advice on personal data protection impact assessments; and
- cooperate with and follow all directives and instructions issued by the ICO.
Data Rights:
The Sri Lankan PDPA offers an array of Data Rights to the Data Subjects within the scope of the legislation:
- Right of Access - All data subjects have the right to seek access to all data that a data controller/processor has acquired on them. Once a formal written request has been made, the data controller/processor is responsible for providing the data subject with the necessary access.
- Right to Withdraw Consent - Any data subject who has previously given consent to data collection has the right to withdraw that consent. After receiving such a request, the data controller/processor must stop collecting data about the data subject. All data obtained prior to this request, on the other hand, will remain fully lawful to use. In such instances, every data subject has the right to request in writing that a controller desist from further processing of their personal data.
- Right to Rectification - All data subjects have the right to request rectification of personal data acquired on them if it is outdated, erroneous, or obsolete, and the controller is required to rectify or complete the personal data without undue delay. However, when a controller is compelled to keep personal data for evidential purposes under any written law or on the order of a competent court, the controller must abstain from further processing such personal data without rectification;
- Right to Erasure - All data subjects have the right to have all data collected on them by a data controller/processor erased if the processing of personal data is carried out in violation of legal obligations, or if the data subject withdraws their consent to which processing is based, or if the requirement to erase personal data is imposed by any written law or on an order of a competent court to which the data subject is subject. The data controller/processor is unable to process any data on the data subject after receiving this request.
- Right to Object to Automated Decision Making - Data subjects have the right to notify the data controller/processor of their objection to automated processing and decision-making that is likely to have an irreversible and ongoing effect on their rights and freedoms.
Kindly read the complete Sri Lanka Personal Data Protection Act No. 9 of 2022 at PL 012913 Personal Data (Act) Cov.pmd (dpo-india.com)
We at Data Secure (DATA SECURE - Privacy Automation Solution) can help you to understand Privacy and Trust while dealing with personal data and provide Privacy Training and Awareness sessions in order to increase the privacy quotient of the organisation.
We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirements of legal and regulatory frameworks on privacy regulations across the globe, especially conforming to the India PDPB 2019. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com)
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com
For downloading various Global Privacy Laws kindly visit the Resources page in Resources (dpo-india.com)
For solutions on Schrems II or Lawful Borderless Data Transfer solutions, kindly visit our website www.borderless-data.com.
Kindly write to us at info@borderless-data.com for six steps solution for Lawful Borderless Data Transfer Solution.