PDPA 2022 Information Series: Sri Lanka’s Personal Data Protection Act (PDPA)

May 10, 2022


PDPA 2022 BASICS [1]

What is the PDPA 2022 and how will it impact background screening services received from First Advantage?

What is the PDPA 2022?

The PDPA was introduced as a bill in the Official Gazette on 25 November 2021. Following three readings in the Parliament of Sri Lanka, the PDPA was passed with amendments on 9 March 2022 and subsequently endorsed on 19 March 2022.

The PDPA establishes a comprehensive regulatory framework for the protection of personal data, the first of its kind in Sri Lanka. It seeks to identify and strengthen the rights of data subjects and provide for the designation of the authority.

When will the PDPA 2022 take effect in Sri Lanka?

All provisions except part IV (use of personal data for solicited messaging) and part V (establishment of the data protection authority) will come into effect on a date to be notified, between 18 and 36 months from March 19, 2022.

Who does PDPA 2022 apply to?

The Act applies to any processing of personal information that takes place in Sri Lanka. It also applies to controllers or processors that are domiciled in, incorporated in or offer goods or services to persons in Sri Lanka. Notably, the Act applies to businesses and does not apply to personal information processed “purely for personal, domestic or household purposes” by an individual. Like the GDPR, the PDPA applies to all businesses, small or large alike.

What will PDPA require in the context of background screening?

The PDPA relies heavily on GDPR principles of legitimate purpose, proportionality, and transparency, among others. Specifically, under the PDPA, controllers must ensure that processing of personal information follows principles such as legitimacy, proportionality, accuracy, limited retention, integrity, transparency, and accountability.

What rights does PDPA 2022 provide for Data Subjects?

Under the PDPA, data subjects covered by the Act have rights such as access, withdrawal of consent, rectification and erasure.

Controllers shall have twenty-one (21) business days from the request to notify data subjects whether their requests have been granted or denied. Companies subject to the Act should therefore consider the infrastructure and systems support needed to comply with this limited response window.

What about the appointment of a DPO?

Under certain conditions, where an organization requires regular and systemic monitoring and processing of special categories of personal data on a scale or magnitude that results in a risk of harm to the data subject, a processor or controller must appoint a data protection officer (DPO). Businesses subject to this provision will need to prepare to appoint a suitably qualified data protection officer with the specified academic and professional qualifications.

And what about transfer of personal data out of Sri Lanka?

To determine data transfer compliance, the PDPA establishes an adequacy analysis which shall be subject to periodic monitoring. For private businesses, processing of data outside of Sri Lanka is allowed if they satisfy the adequacy analysis condition or fall under one of the specified exceptions, including consent to processing abroad and performance of a contract.

What about data breach notification?

In the event of a security breach, businesses must notify the newly established Data Protection Authority and data subjects according to the means set forth by the Data Protection Authority.

[1] WilmerHale Blog, Privacy and Cybersecurity Law - Sri Lanka, March 30, 2022
