Sri Lanka
Information
Extracts :
Extract :
"
The PDPA applies to the processing of personal data where such processing:
• takes place wholly or partly within Sri Lanka; or
• is carried out by a controller or processor who:
◦ is domiciled or ordinarily resident in Sri Lanka;
◦ is incorporated or established under any written law of Sri Lanka;
◦ is subject to any written law of Sri Lanka;
◦ offers goods or services to data subjects in Sri Lanka including the offering of goods or services with specific targeting of data subjects in Sri Lanka; or
◦ specifically monitors the behavior of data subjects in Sri Lanka including profiling with the intention of making decisions in relation to the behavior of such data subjects in so far as such behavior takes place in Sri Lanka.
In other words, the PDPA could apply to any service that is accessed through an online platform by a data subject in Sri Lanka, even though such service may not necessarily be intended specifically for data subjects in Sri Lanka. The Authority to be established under the PDPA (see the section on the data protection authority below) may determine the circumstances in which specific targeting and specific monitoring of data subjects may occur."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"Data controller: Any natural or legal person, public authority, public corporation, non-governmental organization, agency, or any other body or entity which alone or jointly with others determines the purposes and means of the processing of personal data.
Data processor: A natural or legal person, public authority, or other entity established by or under any written law, which processes personal data on behalf of the controller."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, personal data relating to offenses, criminal proceedings, and convictions, or personal data relating to a child."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"5.1. Consent
Pursuant to Section 5 of the PDPA, the processing of personal data is lawful if the data subject has given consent to the processing of their personal data as enumerated in paragraph (a) of Schedule I and paragraph (a) of Schedule II.
Consent has been defined as any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data. With regard to the processing of special categories of personal data relating to a child, consent would mean the consent of the parent or legal guardian of such child.
The PDPA further provides conditions and obligations on the controller regarding consent in Schedule III. The controller is required to demonstrate that the data subject has consented to the processing of the personal data relating to such data subject. In the event the consent of the data subject is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in such a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. When assessing whether consent is freely given, utmost account shall be taken on whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
5.2. Contract with the data subject
Pursuant to Schedule I(b) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
The PDPA further permits the processing of personal data outside Sri Lanka in the absence of an adequacy decision as mentioned in Section 26(2) of the PDPA or necessary safeguards as mentioned in Section 26(4) of the PDPA where such transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of any pre-contractual measures taken by the controller at the request of the data subject.
5.3. Legal obligations
Ordinary types of personal data
Pursuant to Schedule I(c) of the PDPA, the processing of personal data is lawful if the processing is necessary for compliance with a legal obligation to which the controller is subject under the PDPA.
Special categories of personal data
Pursuant to Schedule II(e) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for the establishment, exercise, or defense of legal claims before a court or tribunal or such similar forum or whenever courts are acting in their judicial capacity.
5.4. Interests of the data subject
Ordinary types of personal data
Pursuant to Schedule I(d) of the PDPA, the processing of personal data is lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person.
Special categories of personal data
Schedule II(c) of the PDPA provides that with regard to the processing of special categories of data, the processing of such data would be lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent.
5.5. Public interest
Ordinary types of personal data
Pursuant to Schedule I(e) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by any written law.
For the foregoing purposes, Schedule II(g) of the PDPA provides a non-exhaustive list of activities considered as 'public interests,' including:
• processing for health purposes such as public health and social protection and the management of health care services;
• processing for the control of communicable diseases and other serious threats to health; and
• processing of personal data by official authorities for achieving the purposes or objects laid down by law.
Special categories of personal data
Pursuant to Schedule II(g) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with law which shall be proportionate to the aim pursued, protecting the data protection rights enumerated in the PDPA or any other written law and provide for suitable and specific measures to safeguard the rights and freedoms of the data subject.
5.6. Legitimate interests of the data controller
Pursuant to Schedule I(f) of the PDPA, the processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of the data subject which require protection of personal data, in particular where the data subject is a child.
For the foregoing purposes, Schedule I(f) of the PDPA provides a non-exhaustive list of activities considered as 'legitimate interests', including:
• processing in situations where the data subject is a client or in the service of the controller;
• whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place;
• processing of personal data is strictly necessary for the purposes of preventing fraud; and
• processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.
5.7. Legal bases in other instances
In relation to the processing of special categories of personal data, Schedule II of the PDPA sets out additional legal bases. In particular, the processing of such personal data will be lawful if:
• processing is necessary for the purposes of carrying out the obligations of the controller and exercising the rights of the data subject, in the field of employment, social security including pension, and for public health purposes ensuring public safety, monitoring, and alert purposes, the prevention or control of communicable diseases, and other serious threats to public health, and the management of public health care services in so far as it is provided for in any written law providing for appropriate safeguards for rights of the data subject;
• processing relates to personal data which is manifestly made public by the data subject;
• processing is necessary for reasons of substantial public interest, as prescribed by any written law which shall be necessary and proportionate to the aim pursued whilst providing suitable and specific measures to safeguard the rights and freedoms of the data subject; or
• where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment, or the management of health care services, and where such data is processed by a health professional licensed under or authorized by any written law prevailing in Sri Lanka."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"5.1. Consent
Pursuant to Section 5 of the PDPA, the processing of personal data is lawful if the data subject has given consent to the processing of their personal data as enumerated in paragraph (a) of Schedule I and paragraph (a) of Schedule II.
Consent has been defined as any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data. With regard to the processing of special categories of personal data relating to a child, consent would mean the consent of the parent or legal guardian of such child.
The PDPA further provides conditions and obligations on the controller regarding consent in Schedule III. The controller is required to demonstrate that the data subject has consented to the processing of the personal data relating to such data subject. In the event the consent of the data subject is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in such a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. When assessing whether consent is freely given, utmost account shall be taken on whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
5.2. Contract with the data subject
Pursuant to Schedule I(b) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
The PDPA further permits the processing of personal data outside Sri Lanka in the absence of an adequacy decision as mentioned in Section 26(2) of the PDPA or necessary safeguards as mentioned in Section 26(4) of the PDPA where such transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of any pre-contractual measures taken by the controller at the request of the data subject.
5.3. Legal obligations
Ordinary types of personal data
Pursuant to Schedule I(c) of the PDPA, the processing of personal data is lawful if the processing is necessary for compliance with a legal obligation to which the controller is subject under the PDPA.
Special categories of personal data
Pursuant to Schedule II(e) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for the establishment, exercise, or defense of legal claims before a court or tribunal or such similar forum or whenever courts are acting in their judicial capacity.
5.4. Interests of the data subject
Ordinary types of personal data
Pursuant to Schedule I(d) of the PDPA, the processing of personal data is lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person. Special categories of personal data Schedule II(c) of the PDPA provides that with regard to the processing of special categories of data, the processing of such data would be lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent.
5.5. Public interest
Ordinary types of personal data
Pursuant to Schedule I(e) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by any written law.
For the foregoing purposes, Schedule II(g) of the PDPA provides a non-exhaustive list of activities considered as 'public interests,' including:
⢠processing for health purposes such as public health and social protection and the management of health care services; ⢠processing for the control of communicable diseases and other serious threats to health; and
⢠processing of personal data by official authorities for achieving the purposes or objects laid down by law.
Special categories of personal data
Pursuant to Schedule II(g) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or sta- tistical purposes in accordance with law which shall be proportionate to the aim pursued, protecting the data protection rights enumerated in the PDPA or any other written law and provide for suitable and specific measures to safeguard the rights and freedoms of the data subject.
5.6. Legitimate interests of the data controller
Pursuant to Schedule I(f) of the PDPA, the processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such inter- ests are overridden by the interests of the data subject which require protection of personal data, in particular where the data subject is a child.
For the foregoing purposes, Schedule I(f) of the PDPA provides a non-exhaustive list of activities considered as 'legitimate interests', including:
⢠processing in situations where the data subject is a client or in the service of the controller;
⢠whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place; ⢠processing of personal data is strictly necessary for the purposes of preventing fraud; and
⢠processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.
5.7. Legal bases in other instances
In relation to the processing of special categories of personal data, Schedule II of the PDPA sets out additional legal bases. In particular, the processing of such personal data will be lawful if:
⢠processing is necessary for the purposes of carrying out the obligations of the controller and exercising the rights of the data subject, in the field of employment, social security including pension, and for public health purposes ensuring public safety, monitoring, and alert purposes, the prevention or control of communicable diseases, and other serious threats to public health, and the management of public health care services in so far as it is provided for in any written law providing for appropriate safeguards for rights of the data subject;
⢠processing relates to personal data which is manifestly made public by the data subject;
⢠processing is necessary for reasons of substantial public interest, as prescribed by any written law which shall be necessary and proportionate to the aim pursued whilst providing suitable and specific measures to
safeguard the rights and freedoms of the data subject; or
⢠where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment, or the management of health care services, and where such data is pro-
cessed by a health professional licensed under or authorized by any written law prevailing in Sri Lanka."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"5.1. Consent
Pursuant to Section 5 of the PDPA, the processing of personal data is lawful if the data subject has given consent to the processing of their personal data as enumerated in paragraph (a) of Schedule I and paragraph (a) of Schedule II.
Consent has been defined as any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data. With regard to the processing of special categories of personal data relating to a child, consent would mean the consent of the parent or legal guardian of such child.
The PDPA further provides conditions and obligations on the controller regarding consent in Schedule III. The controller is required to demonstrate that the data subject has consented to the processing of the personal data relating to such data subject. In the event the consent of the data subject is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in such a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. When assessing whether consent is freely given, utmost account shall be taken on whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
5.2. Contract with the data subject
Pursuant to Schedule I(b) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
The PDPA further permits the processing of personal data outside Sri Lanka in the absence of an adequacy decision as mentioned in Section 26(2) of the PDPA or necessary safeguards as mentioned in Section 26(4) of the PDPA where such transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of any pre-contractual measures taken by the controller at the request of the data subject.
5.3. Legal obligations
Ordinary types of personal data
Pursuant to Schedule I(c) of the PDPA, the processing of personal data is lawful if the processing is necessary for compliance with a legal obligation to which the controller is subject under the PDPA.
Special categories of personal data
Pursuant to Schedule II(e) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for the establishment, exercise, or defense of legal claims before a court or tribunal or such similar forum or whenever courts are acting in their judicial capacity.
5.4. Interests of the data subject
Ordinary types of personal data
Pursuant to Schedule I(d) of the PDPA, the processing of personal data is lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person. Special categories of personal data Schedule II(c) of the PDPA provides that with regard to the processing of special categories of data, the processing of such data would be lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent.
5.5. Public interest
Ordinary types of personal data
Pursuant to Schedule I(e) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by any written law.
For the foregoing purposes, Schedule II(g) of the PDPA provides a non-exhaustive list of activities considered as 'public interests,' including:
⢠processing for health purposes such as public health and social protection and the management of health care services; ⢠processing for the control of communicable diseases and other serious threats to health; and
⢠processing of personal data by official authorities for achieving the purposes or objects laid down by law.
Special categories of personal data
Pursuant to Schedule II(g) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or sta- tistical purposes in accordance with law which shall be proportionate to the aim pursued, protecting the data protection rights enumerated in the PDPA or any other written law and provide for suitable and specific measures to safeguard the rights and freedoms of the data subject.
5.6. Legitimate interests of the data controller
Pursuant to Schedule I(f) of the PDPA, the processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such inter- ests are overridden by the interests of the data subject which require protection of personal data, in particular where the data subject is a child.
For the foregoing purposes, Schedule I(f) of the PDPA provides a non-exhaustive list of activities considered as 'legitimate interests', including:
⢠processing in situations where the data subject is a client or in the service of the controller;
⢠whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place; ⢠processing of personal data is strictly necessary for the purposes of preventing fraud; and
⢠processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.
5.7. Legal bases in other instances
In relation to the processing of special categories of personal data, Schedule II of the PDPA sets out additional legal bases. In particular, the processing of such personal data will be lawful if:
• processing is necessary for the purposes of carrying out the obligations of the controller and exercising the rights of the data subject, in the field of employment, social security including pension, and for public health purposes ensuring public safety, monitoring, and alert purposes, the prevention or control of communicable diseases, and other serious threats to public health, and the management of public health care services in so far as it is provided for in any written law providing for appropriate safeguards for rights of the data subject;
• processing relates to personal data which is manifestly made public by the data subject;
• processing is necessary for reasons of substantial public interest, as prescribed by any written law which shall be necessary and proportionate to the aim pursued whilst providing suitable and specific measures to safeguard the rights and freedoms of the data subject; or
• where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment, or the management of health care services, and where such data is processed by a health professional licensed under or authorized by any written law prevailing in Sri Lanka."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"5.1. Consent
Pursuant to Section 5 of the PDPA, the processing of personal data is lawful if the data subject has given consent to the processing of their personal data as enumerated in paragraph (a) of Schedule I and paragraph (a) of Schedule II.
Consent has been defined as any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data. With regard to the processing of special categories of personal data relating to a child, consent would mean the consent of the parent or legal guardian of such child.
The PDPA further provides conditions and obligations on the controller regarding consent in Schedule III. The controller is required to demonstrate that the data subject has consented to the processing of the personal data relating to such data subject. In the event the consent of the data subject is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in such a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. When assessing whether consent is freely given, utmost account shall be taken on whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
5.2. Contract with the data subject
Pursuant to Schedule I(b) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
The PDPA further permits the processing of personal data outside Sri Lanka in the absence of an adequacy decision as mentioned in Section 26(2) of the PDPA or necessary safeguards as mentioned in Section 26(4) of the PDPA where such transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of any pre-contractual measures taken by the controller at the request of the data subject.
5.3. Legal obligations
Ordinary types of personal data
Pursuant to Schedule I(c) of the PDPA, the processing of personal data is lawful if the processing is necessary for compliance with a legal obligation to which the controller is subject under the PDPA.
Special categories of personal data
Pursuant to Schedule II(e) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for the establishment, exercise, or defense of legal claims before a court or tribunal or such similar forum or whenever courts are acting in their judicial capacity.
5.4. Interests of the data subject
Ordinary types of personal data
Pursuant to Schedule I(d) of the PDPA, the processing of personal data is lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person.
Special categories of personal data
Schedule II(c) of the PDPA provides that with regard to the processing of special categories of data, the processing of such data would be lawful if the processing is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent.
5.5. Public interest
Ordinary types of personal data
Pursuant to Schedule I(e) of the PDPA, the processing of personal data is lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by any written law.
For the foregoing purposes, Schedule II(g) of the PDPA provides a non-exhaustive list of activities considered as 'public interests,' including:
• processing for health purposes such as public health and social protection and the management of health care services;
• processing for the control of communicable diseases and other serious threats to health; and
• processing of personal data by official authorities for achieving the purposes or objects laid down by law.
Special categories of personal data
Pursuant to Schedule II(g) of the PDPA, the processing of special categories of personal data is lawful if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with law which shall be proportionate to the aim pursued, protecting the data protection rights enumerated in the PDPA or any other written law and provide for suitable and specific measures to safeguard the rights and freedoms of the data subject.
5.6. Legitimate interests of the data controller
Pursuant to Schedule I(f) of the PDPA, the processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of the data subject which require protection of personal data, in particular where the data subject is a child.
For the foregoing purposes, Schedule I(f) of the PDPA provides a non-exhaustive list of activities considered as 'legitimate interests', including:
• processing in situations where the data subject is a client or in the service of the controller;
• whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place;
• processing of personal data is strictly necessary for the purposes of preventing fraud; and
• processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.
5.7. Legal bases in other instances
In relation to the processing of special categories of personal data, Schedule II of the PDPA sets out additional legal bases. In particular, the processing of such personal data will be lawful if:
• processing is necessary for the purposes of carrying out the obligations of the controller and exercising the rights of the data subject, in the field of employment, social security including pension, and for public health purposes ensuring public safety, monitoring, and alert purposes, the prevention or control of communicable diseases, and other serious threats to public health, and the management of public health care services in so far as it is provided for in any written law providing for appropriate safeguards for rights of the data subject;
• processing relates to personal data which is manifestly made public by the data subject;
• processing is necessary for reasons of substantial public interest, as prescribed by any written law which shall be necessary and proportionate to the aim pursued whilst providing suitable and specific measures to safeguard the rights and freedoms of the data subject; or
• where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment, or the management of health care services, and where such data is processed by a health professional licensed under or authorized by any written law prevailing in Sri Lanka."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"Where on receipt of a complaint or otherwise, and the Authority has reason to believe that any controller is engaged or is about to engage in any processing activity in contravention of the PDPA or has contravened or has failed to comply with the provisions of the PDPA or any rule, regulation, guideline, or order made under the PDPA or any other written law, the Authority may, after giving an opportunity to the controller or processor of being heard, and after such inquiry as the Authority may consider necessary, issue a directive to that controller or processor (Section 35 of the PDPA). A directive may require such entity to:
• cease and refrain from engaging in the act, omission, or course of conduct related to processing;
• perform such acts as in the opinion of the Authority are necessary to rectify the situation; and
• to make a payment of such sum of money as compensation as determined by the Authority to an aggrieved person who has suffered harm, loss, or damage as a result of any contravention by a controller or processor.
Section 38 of the PDPA imposes a penalty of up to LKR 10 million (approx. $31,099) for the failure to comply with a directive issued under the provisions of Section 35 of the PDPA, taking into consideration the nature and extent of non-compliance, as well as its impact on data subjects. Where a controller or processor, who has been subjected to a penalty on a previous occasion, subsequently fails to conform to a directive on any further occasion, such person shall in addition to the penalty which may be imposed on them earlier be liable to the payment of an additional penalty consisting of twice the amount imposed as a penalty on the second and for each subsequent non-compliance.
The PDPA further prescribes a list of matters to consider when imposing a penalty which includes, inter alia:
• the nature, gravity, and duration of the contravention;
• the degree of responsibility of the controller;
• the categories of personal data affected by any contravention; and
• any action that was taken by the controller or processor to mitigate the damage suffered by data subjects.
In addition, the imposition of a penalty does not preclude the Authority from taking other regulatory measures, including, but not limited to, the suspension of business activities."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
"
In particular, the controller must provide the following information to the data subject at the time of collecting their personal data:
• the identity and contact details of the controller and where applicable of the controller's representative;
• the contact details of the DPO, where applicable;
• the intended purposes for which the personal data is processed and the legal basis for the processing;
• the legitimate interest pursued by the controller or by a third party where processing is based on paragraph (f) of Schedule I;
• the categories of personal data being collected;
• where processing is intended to be based on consent, the existence of the right of the data subject to withdraw their consent, and the procedure for such withdrawal, without affecting the lawfulness of processing based on consent before its withdrawal;
• recipients or third parties with whom such personal data may be shared, if applicable;
• information regarding any cross-border transfer of the personal data that the controller intends to carry out, if applicable;
• the period for which the personal data shall be retained in terms of Section 9 of the PDPA or where such period is not known, the criteria for determining such period;
• the existence of and procedure for the exercise of rights of the data subject mentioned in Part II of the PDPA;
• the existence of a right to file complaints to the Authority;
• whether the provision of personal data by the data subject is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
• the existence of automated decision-making, referred to in Section 18 of the PDPA, including profiling and, at least in those cases, reasonably meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
"In terms of Section 24 of the PDPA, a controller is required to carry out a Data Protection Impact Assessment ('DPIA') prior to processing where it intends to carry out the following activities:
• systematic and extensive evaluation of personal data or special categories of data including profiling;
• systematic monitoring of publicly accessible areas or telecommunication networks; or
• a processing activity as may be determined by way of rules taking into consideration the scope and associated risks of that processing.
Moreover, the controller must conduct a fresh DPIA in accordance with Section 24 of the PDPA whenever there is any change in the methodology, technology, or process adopted in the processing for which a DPIA has already been carried out (Section 24(4) of the PDPA). Such DPIA should take into consideration the nature, scope, context, and purposes of the processing, as well as the associated risks of that processing or any criteria as may be prescribed."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no direct mention of this in the references.
Extracts :
Extract :
There are provisions for the Controller to notify both the Authority and data subjects in the event of a breach.
Extracts :
Extract :
"In accordance with Section 23 of the PDPA, in the event of a personal data breach, a controller shall inform the Authority regarding such personal data breach in such manner and form, and within the period of time as may be determined by rules made under the PDPA."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"Section 21 of the PDPA imposes an additional obligation on the controllers where the processing of data is carried out by a processor on behalf of the controller. In such an instance, the controller shall use only processors who shall ensure the provision of appropriate technical and organizational measures to give effect to the provisions of the PDPA and ensure the protection of the rights of the data subjects under the PDPA. Furthermore, contractors are obliged to ensure such processors are bound by a contract or provisions of any written law which sets out inter alia the obligations of the controller, subject matter, duration of the processing, etc."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is a provision for this right under the reference.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
There is a provision for this right under the reference.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is a provision for this right under the reference.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"Consent has been defined as any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data. With regard to the processing of special categories of personal data relating to a child, consent would mean the consent of the parent or legal guardian of such child."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is a provision for this right under the reference.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is a provision for this right under the reference.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is a provision for this right under the reference.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is a provision for this right under the reference.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
"Section 26 of the PDPA sets out the conditions relating to cross-border data flows. In particular, a public authority may only process categories of personal data which are permitted to be processed in a third country, prescribed by the relevant Minister pursuant to an adequacy decision.
In making an adequacy decision, the Minister shall in consultation with the Authority take into consideration the relevant written law and enforcement mechanisms relating to the protection of personal data in a third country and the application of the provisions of Part I, Part II, and Sections 20, 21, 22, 23, 24, and 25 of Part III of the PDPA, and such other prescribed criteria relating to the processing of personal data, in a third country for the purpose of cross-border data flow.
Section 53(2)(b) of the PDPA provides for the Minister with the concurrence of the Authority to make regulations in respect of the identification of third countries. Section 26 of the PDPA further provides that a controller or processor other than a public authority may process personal data:
1. in a third country prescribed pursuant to an adequacy decision;
2. in a country, not being a third country prescribed pursuant to an adequacy decision, only where such controller or processor ensures compliance with the obligations imposed under Part I, Part II, and Sections 20, 21, 22, 23, 24, and 25 of Part III of the PDPA; or
3. in the absence of an adequacy decision mentioned in point one above or appropriate safeguards mentioned in point two above, a controller or processor other than a public authority may process personal data outside Sri Lanka in certain special instances listed in Section 26(5)."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
The notion of data localisation is limited only to data being processed by the Governmental authorities.
Extracts :
Extract :
The notion of data localisation is limited only to data being processed by the Governmental authorities.
Extracts :
Extract :
Sri Lanka does not have such a provision for the international transfer of data.
Extracts :
Extract :
Sri Lanka does not have such a provision for the international transfer of data.
Extracts :
Extract :
The notion of data localisation is limited only to data being processed by the Governmental authorities.
Extracts :
Extract :
Sri Lanka does not have such a provision for the international transfer of data.
Extracts :
Extract :
The notion of data localisation is limited only to data being processed by the Governmental authorities.
Extracts :
Extract :
The notion of data localisation is limited only to data being processed by the Governmental authorities.
Extracts :
Extract :
The notion of data localisation is limited only to data being processed by the Governmental authorities.
Extracts :
Extract :
"In accordance with Section 20 of the PDPA, every controller must designate or appoint a DPO to ensure compliance with the provisions of the PDPA, in the following circumstances:
• where the processing is carried out by a ministry, government, department, or public corporation, except for judiciary acting in their judicial capacity; or
• where the core activities of processing by the controller or processor consist of the following:
◦ operations which, by virtue of their nature, scope, or purpose, require regular and systematic monitoring of data subjects;
◦ processing of special categories of data; or
◦ processing which results in a risk of harm affecting the rights of the data subjects protected under the PDPA based on the nature of processing and its impact on data subjects.
A DPO shall possess relevant academic or professional qualifications as may be prescribed. Where a controller is a group of entities, such controller may appoint a single DPO who is easily accessible by each entity. Where a controller or a processor is a public authority, a single DPO may be designated for several such public authorities.
A controller or processor is required to publish the contact details of the DPO and communicate such details to the Authority. The PDPA specifies the responsibilities of the DPO as follows:
• advise the controller, processor, and their employees on data processing requirements specified under the PDPA or any other written law;
• ensure on behalf of the controller or processor that the provisions of the PDPA are complied with;
• facilitate capacity building of staff involved in data processing operations;
• provide advice on DPIAs; and
• cooperate and comply with all directives and instructions issued by the Authority on matters relating to data protection."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
"Section 11 of the PDPA obliges controllers to provide the information referred to in Schedule V of the PDPA and information regarding any decision taken pursuant to a request made under Part II of the PDPA in writing or by electronic means and in a concise, transparent, intelligible, and easily accessible form.
In particular, the controller must provide the following information to the data subject at the time of collecting their personal data:
• the identity and contact details of the controller and where applicable of the controller's representative;
• the contact details of the DPO, where applicable;
• the intended purposes for which the personal data is processed and the legal basis for the processing;
• the legitimate interest pursued by the controller or by a third party where processing is based on paragraph (f) of Schedule I;
• the categories of personal data being collected;
• where processing is intended to be based on consent, the existence of the right of the data subject to withdraw their consent, and the procedure for such withdrawal, without affecting the lawfulness of processing based on consent before its withdrawal;
• recipients or third parties with whom such personal data may be shared, if applicable;
• information regarding any cross-border transfer of the personal data that the controller intends to carry out, if applicable;
• the period for which the personal data shall be retained in terms of Section 9 of the PDPA or where such period is not known, the criteria for determining such period;
• the existence of and procedure for the exercise of rights of the data subject mentioned in Part II of the PDPA;
• the existence of a right to file complaints to the Authority;
• whether the provision of personal data by the data subject is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
• the existence of automated decision-making, referred to in Section 18 of the PDPA, including profiling and, at least in those cases, reasonably meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Extracts :
Extract :
"Section 12(1)(a) of the PDPA states that, as part of their data protection management programme, the controller must establish and maintain duly cataloged records to demonstrate the manner in which the data protection obligations set forth by the PDPA are implemented."
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
There is no mention of this in the references.
Reference :
Sri Lanka Data protection overview | DataGuidance
Information on Sri Lanka data protection
Extracts :
Extract :
| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|