Last modified 10 January 2025

Data Protection in Sri Lanka

Data protection laws in Sri Lanka

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Sri Lanka

Sri Lanka until recently did not have legislation pertaining to protection of data and privacy, although different sector specific laws such as the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016 and the Telecommunications Act No. 25 of 1991 recognize the need for privacy and confidentiality. Identifying this lacuna, the Personal Data Protection Bill was first published as a draft bill in 2019. It was subject to several rounds of revisions, and subsequently was passed by the Parliament of Sri Lanka on 19 March, 2022 as the Personal Data Act No. 9 of 2022 (“PDPA”).

Although certified by the Speaker of Parliament, the PDPA t is yet to become fully operative as it provides for different time periods within which certain parts of the law would come into force, allowing controllers and processors a much-needed grace period. Accordingly, the dates on which the parts of the PDPA have been/ are to be brought into operation as per the PDPA and the gazette notifications published thereunder are as follows:

Part I, II and III and VII (Data Protection Principles, Rights and Obligations of the Controllers and Processors, Rights of the Data Subjects and Penalties) – 18th of March 2025.
Part IV (Use of Personal Data to Disseminate Unsolicited Messages) – latest by 18th of March 2026.
Part V (Data Protection Authority) – 17th July 2023 (accordingly, the Data Protection Authority being the regulator under the PDPA has now been established)
Part VI, VIII, IX and X (Director General, Staff and Fund of the Data Protection Authority, Miscellaneous and Interpretation Provisions) – 1st of December 2023.

The PDPA is primarily inspired by the European Union's General Data Protection Regulation (“GDPR”) and, therefore, shares many similarities with the GDPR.

The PDPA applies both territorially to the processing of personal data where such processing takes place wholly or partly within Sri Lanka, or by a person or entity within Sri Lanka; and extraterritorially, in so far as a person or entity outside Sri Lanka provides goods or services to individuals within Sri Lanka or monitors the behaviour of individuals within Sri Lanka.

Whilst the PDPA is the primary law that governs the protection of personal data in Sri Lanka, the following regulations / directions, which have been promulgated under the relevant sector specific laws, contain detailed provisions on data protection which are as follows:

The Financial Consumer Protection Regulations No. 1 of 2023 (the “FCPR”), published on the 9 August, 2023, promulgated under the Monetary Law Act, No.58 of 1949 (now replaced by the Central Bank of Sri Lanka Act, No. 16 of 2023), provides obligations substantially similar to the PDPA in relation to the protection of personal information of financial consumers. The FCPR is applicable to licensed commercial banks, licensed specialised banks, licensed finance companies, specialized leasing companies, authorized primary dealers, authorized money brokers, licensed microfinance companies, participants of the payment and settlement systems or any other financial institutions approved by the Central Bank of Sri Lanka. The FCPR provides protection not only to personally identifiable information but also extends to all information pertaining to financial consumers, which includes corporate entities and other legal bodies. The FCPR also provides for grace periods before the same becomes operational, with a majority of the regulations becoming operational upon the expiration of 6 months from the date of its publication. Additionally, the requirements of the FCPR pertaining to the security of personal information are buttressed by the Regulatory Framework on Technology Risk Management and Resilience for Licensed Banks, directions No. 16 of 2021, dated 9 December 2021, promulgated under the Banking Act No. 30 of 1988 (as amended). The applicability of this framework however is limited to licensed commercial banks and licensed specialized banks in Sri Lanka and its concentration lies on the information security requirements of such organizations.
The Special Direction No. 91 published by the Consumer Affairs Authority on the 17 May, 2023, under the Consumer Affairs Authority Act No. 09 of 2003 (as amended), sets out provisions governing e-commerce entities and platform operators for the purpose of protecting consumers. These directions, although not in extensive detail, enumerate the principles set out in PDPA, aiming to the protect the personal data of consumers. It should be noted that unlike the PDPA, these directions are operational as at date.

Related resources

Definitions

Definitions in Sri Lanka

Many definitions in the PDPA are similar to that of the GDPR. In particular:

“Personal data” is defined to mean any information by which a data subject may be identified, either directly or indirectly by referring to an identifier or one or more factors specific to that individual. Thus, a name of a person is not a necessity for data to constitute personal data, but any factor such as an identification number, financial data, location data or an online identifier or factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual that allows for the tracing of him / her, would constitute personal data under the PDPA.

The PDPA further identifies a category of personal data as “special categories of personal data” with a view of protecting more sensitive personal data which are at a higher risk of adversely affecting an individual in the event such data is exploited. Special categories of personal data are defined to include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data and biometric data, data concerning health or a natural person’s sex life or sexual orientation, personal data in relation to offences, criminal proceedings and convictions or personal data relating to a child.

The term ‘processing’ has been rendered an extremely wide meaning within the PDPA to include (but not be limited to) collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination, or the carrying out of logical or arithmetical operations on, personal data.

The PDPA places extensive obligations on controllers of personal data. A ‘controller’ is defined to include any natural or legal person / entity which determines the purposes and means of processing personal data. When two or more controllers jointly determine the ways and means of processing personal data, the PDPA identifies them as joint controllers.

A ‘processor’ on the other hand is any natural or legal person / entity which processes personal data on behalf of the controller.

Related resources

Authority

National data protection authority in Sri Lanka

The Data Protection Authority of Sri Lanka ("Authority") is recognized as the regulator of personal data governed by the PDPA. The law provides for comprehensive objects and powers of the Authority as the regulator, which include making rules, issuing guidelines, receiving complaints, conducting inquiries, examining persons under oath, issuing directives and imposing fines in the event of non-compliance with the law. Further details on the Authority are available online.

Related resources

Registration

Registration in Sri Lanka

At present, the PDPA does not require registration. Nevertheless, upon the PDPA becoming operative, rules requiring registration may be introduced as the PDPA empowers the Authority to make regulations specifying the categories and criteria of licenses to be issued under the PDPA.

Although not a registration requirement, the PDPA requires controllers and processors to publish the contact details of their data protection officers and ensure that it is communicated to the Authority.

Related resources

Data protection officers

Data protection officers in Sri Lanka

The PDPA requires controllers and processors which are not public authorities to appoint a Data Protection Officer (“DPO”) where their core activities consist of:

processing operations that require regular and systematic monitoring of data subjects on a prescribed scale or magnitude;
processing special categories of personal data on a prescribed scale or magnitude; or
processing which results in a risk of harm to the rights of the data subjects protected under the PDPA.

The Data Protection Authority has published the draft Personal Data Protection (Scale or Magnitude of Processing and Qualifications of Data Protection Officer) Regulations ("DPO Regulations"), for public consultation. These DPO Regulations are still in draft form and therefore may be subject to change. However, it may be noted that the DPO Regulations provide that the aforesaid scale and magnitude of processing ought to be assessed by taking into consideration the following:

whether the processing currently involves or is estimated to involve within the next twelve months, twenty-five thousand or more data subjects;
whether the processing is carried out by twenty or more persons;
the volume of personal data being processed;
the range of different data items being processed;
the geographical extent of the monitoring;
the frequency, nature and purpose of the monitoring; and
the duration or permanence of the monitoring.

The PDPA permits a group of entities to appoint a single DPO provided, however, such DPO is easily accessible by all of the group entities.

Such DPO is required to be a competent individual possessing academic and professional qualifications in matters relating to data protection. The DPO Regulations prescribes that the DPO must possess:

a degree in law, public or business administration, information technology, information security, computer science, or a related field (each academic or professional qualification has to be one recognized in Sri Lanka); and
a good understanding of data protection laws and regulations of Sri Lanka.

The specific responsibilities of the DPO as per the PDPA includes:

advising controllers or processers on data processing requirements;
ensuring on behalf of the controller or processor that the requirements of the PDPA are met;
enabling capacity building of staff engaging in data processing operations;
advice on personal data protection impact assessments; and
co-operation and compliance with all directives and instructions issued by the Authority.

Related resources

Collection and processing

Collection and processing in Sri Lanka

Similar to the GDPR, the PDPA enshrines certain principles governing the collection and processing of personal data. Each controller must ensure that personal data is processed in compliance with such principles, which are as follows.

process lawfully;
process for specified, explicit and legitimate purposes and not further process in a manner that is incompatible with those purposes;
process personal data which is adequate, relevant and limited to the purpose;
ensure that personal data is accurate and where necessary kept up to date;
keep personal data in a form which permits identification of data subjects for no longer than is necessary, for the purpose(s) for which the data are processed;
process in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures;
process in a transparent manner, providing information on such processing to data subjects; and
ensure accountability in processing by the implementation of internal controls and procedures that are able to demonstrate compliance with the PDPA, identified as the "Data Protection Management Programme" (“DPMP”). The Data Protection Authority has published the draft outline of the Data Protection Management Programme intended to be issued as guidelines by the Authority ("DPMP Guidelines") as a baseline for controllers to follow. It may be noted that the DPMP Guidelines are still at the draft stage and thus may be subject to change.

The DPMP Guidelines provide guidance on the controls and procedures that controllers may adopt in their DPMP and also provide certain illustrations and examples in order to clarify the relevant requirements. A brief outline of the main segments enumerated in the DPMP Guidelines is as follows.

Duly Catalogued Records: maintenance of records, including the lawful basis for processing, purpose of processing, data minimization efforts, accuracy of data, storage limitation, data security, and transparency of processing, in order to comply with obligations set forth in the PDPA.
Design Based on Processing Activities: tailoring of the DPMP to suit the structure, scale, volume, and sensitivity of the controller's processing activities, which includes mapping data flows and using a record of processing activities to understand how personal data flows through the controller’s organization in order to manage and protect such data effectively.
Safeguards and Impact Assessments: planning and carrying out of personal data protection impact assessments (“DPIA”) where necessary, taking mitigatory measures in relation to identified risks and managing the documentation and reporting mechanisms in relation thereto.
Updates Based on Monitoring and Assessments: regular monitoring and assessment of systems to ensure continuous improvement and compliance with data protection obligations.
Governance and Oversight: integration of the DPMP into the organization's governance structures, with internal oversight mechanisms to monitor compliance with data protection policies and procedures, together with examples of governance and monitoring tools that controllers may use to achieve this.
Complaints and Breach Management: mechanisms to be implemented in order to receive complaints, conduct inquiries, and identify personal data breaches, including having an incident response plan.
Facilitation of Data Subject Rights: mechanisms for facilitation of the exercise of data subjects’ rights through clear and accessible procedures.

Legal Basis

In order to ensure that processing is ‘lawful’ whenever personal data is processed, such processing should be based on the most appropriate legal basis out of the following grounds provided under the PDPA:

consent of the data subject (consent should be freely given, specific, informed and unambiguous indication in writing or by affirmative action and capable of being withdrawn at any time);
necessary for the performance of a contract with the data subject in order to take steps at the request of a data subject to enter into a contract with such data subject;
necessary for compliance with a legal obligation to which the controller / processor is subject to under Sri Lanka law;
necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person;
necessary for the performance of a task carried out in the public interest or in the exercise of powers, functions or duties imposed under Sri Lanka law; or
necessary for the purposes of legitimate interests of the controller or a third party (subject to an assessment where the interests of the controller should be balanced against the rights of the data subjects and accordingly, must not override the interests of the data subject, especially when the data subject is a child).

Special Categories of Personal Data

In addition to the aforesaid lawful grounds, if processing special categories of personal data, a controller is required to satisfy one of the following additional conditions, on the objective basis of being most appropriate:

consent of the data subject, which in the case of a child will mean the consent of the parent or legal guardian;
processing is necessary for the purposes of carrying out the obligations of the controller and exercising of the rights of the data subject, in the field of employment, social security including pension and for public health purposes in so far as it is provided for in Sri Lanka Law, providing for appropriate safeguards for rights of the data subject;
processing is necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person who is incapable of giving consent;
relates to personal data which is manifestly made public by the data subject;
processing is necessary for the establishment, exercise or defence of legal claims;
processing is necessary for any purpose as provided for under any written law in Sri Lanka or public interest;
processing is necessary for medical purposes and where such data is processed by a health professional licensed under or authorized by any written law in Sri Lanka; or
processing is necessary for archiving purposes in the public interest, scientific, historical research or statistical purposes in accordance with law.

Criminal Investigations

The PDPA provides for the processing of personal data in relation to criminal investigations, only where such processing is carried out in accordance with written laws in Sri Lanka, whilst providing for appropriate safeguards for the rights and freedoms of data subjects, which may be prescribed in the future upon the PDPA becoming operative.

Transparency of Data Processing

Transparency is an important principle enshrined in the PDPA and as stated above, it aims to ensure that data subjects are aware of how their personal data is processed and understand their rights pertaining to such data.

Accordingly, the PDPA requires controllers to provide detailed information to data subjects in a concise, transparent, intelligible and easily accessible form. Therefore, providing the following information to data subjects at the point of collection of their personal data is imperative, which can be fulfilled by the provision of a privacy notice:

identity and contact details of the controller;
contact details of the data protection officer (where there is a DPO);
intended purpose for collecting personal data and the legal basis for the processing;
legitimate interest pursued by the controller (where applicable);
categories of personal data collected;
right of data subjects to withdraw consent for processing and method of withdrawing such consent (if processing is based on consent);
recipients and third parties with whom personal data will be shared;
details of cross border data transfer;
period of data retention;
rights of data subjects with regard to their personal data and how such rights may be exercised;
right to file a complaint with the Authority;
whether the provision of personal data is a statutory or contractual requirement and the consequences of failing to provide such personal data;
the existence of automated individual decision-making including profiling and the consequences for the data subject.

In addition, when a controller intends to process personal data for a new purpose, a data subject must be informed of such further processing, providing them with the information set out above.

If in any event personal data is collected via means other than direct collection from the data subject, the above information should be provided to the data subject within one month or at the time of the first communication to that data subject or when the personal data is first disclosed to another recipient, whichever event occurs first.

The DPMP Guidelines (which are still in draft form), also recommends that the controllers ought to carefully consider the information they must provide, prepare the content in a manner that will be easily understood by data subjects, ensure that it is delivered to them in a way and at a time that allows them to consider it and keep a record of having done so. The controllers must check from time to time with data subjects that the information is readily understood.

Rights of Data Subjects

The PDPA provides a series of rights for data subjects, largely similar to that of the GDPR. A controller must respond to any written request made by a data subject pertaining to his rights within 21 working days of receiving the request.

Right to access personal data: data subjects have the right to access their personal data, be provided with confirmation as to whether such personal data has been processed and be provided a copy of such personal data by submitting a written request.

Right to withdraw consent: if processing is based on consent, the data subject has the right to withdraw such consent at any time and the right to request a controller to refrain from further processing of the data subject’s personal data, provided the processing was based on the data subject’s consent.

Right to object to processing: data subjects have the right to object to further processing beyond the original purpose for which it was collected where such processing is based on the grounds of legitimate interests or public interest.

Right to rectification or completion: data subjects have the right to request a controller to rectify or complete any personal data that is inaccurate or incomplete.

Right to restriction of processing: In certain limited circumstances data subjects have the right to request for restriction on processing of personal data, such as where controllers are required to maintain such personal data for evidentiary purposes under Sri Lanka law or on an order of a competent court, without rectifying, despite the request for correction by data subjects.

Right to request a review of automated decisions: a data subject has the right to request for a review of a decision made by a controller based solely on automated processing which is likely to create “an irreversible and continuous impact on the rights and freedoms of the data subject” under Sri Lankan law, unless such automated processing is:

authorized by Sri Lanka law;
authorized in a manner determined by the Authority;
based on the data subject’s consent; or
necessary for entering into a performance of a contract between the data subject and the controller.

Right to erasure: the data subject may, under a limited set of circumstances, request the controller to erase their personal data. This includes when a controller is in contravention of its obligations and when the erasure is mandated by a written law of Sri Lanka or order of a competent court.

A controller is permitted to refuse to a request of a data subject based on the above rights only in limited instances, having regard to the following:

national security;
public order;
any inquiry, investigation or procedure carried out under Sri Lanka law;
the prevention, investigation and prosecution of criminal offences;
the execution of criminal penalties;
the protection of the rights and fundamental freedoms of persons under Sri Lanka law;
where the controller is unable to establish the identity of a data subject;
the requirement to process personal data under any other law in Sri Lanka.

The draft Personal Data Protection (Exercise of Data Subjects’ Rights and Appeals) Regulations (“Rights and Appeals Regulations”) published by the Authority provides further guidance in this regard. However, the said Rights and Appeals Regulations are still at the draft stage and thus may be subject to change.

In terms of the Rights and Appeals Regulations, every right conferred on a data subject under the PDPA may be exercised:

in the case of a minor, upon the submission of a certified copy of the birth certificate of the data subject or, any other document to prove the legal guardianship;
in the case of a mentally unfit data subject, upon the submission of the certified copy of the order issued by a competent court relating to the appointment of the legal guardian or manager for such data subject;
in the case of a physically unfit data subject, upon the submission of the letter of authorisation issued by such data subject; and
in the case of an heir, upon the submission of a certified copy of the death certificate of the data subject and a valid document proving the heirship of the data subject.

The Rights and Appeals Regulations also stipulate that any person who is aggrieved by the decision of the controller may, within three months from the date of such decision, prefer an appeal in writing to the Data Protection Authority substantially in the form set out therein through registered post or any electronic communication provided by the Authority.

Related resources

Transfer of personal data

Transfer of personal data in Sri Lanka

The PDPA allows for cross-border data flow and the processing of data in a third country outside Sri Lanka, subject to the parameters set out in the PDPA.

In case of a public authority acting as a controller or a processor, such transfer should only be made to a third country prescribed pursuant to an adequacy decision. The Minister in charge of the subject matter has the power to make an adequacy decision in consultation with the Authority, and factors such as the relevant written laws and the enforcement mechanisms available in such third country will be considered in making such an adequacy decision.

A controller or processer that is not a public authority may also process personal data in a third country subject to an adequacy decision. If no adequacy decision has been made, personal data may be transferred to such third country only where the controller or processor effecting such transfer is able to ensure compliance with the obligations imposed under Part I, II and sections 20 to 25 of the PDPA by the imposition of appropriate safeguards. The transferor effecting such transfer is required to adopt an instrument that may be specified by the Authority in order to ensure compliance with the provisions of the PDPA by the transferee.

It is noteworthy that no such adequacy decisions have been made yet, considering the fact that the majority of the law is yet to become operative.

The draft Personal Data Protection (Specification of Instruments for Processing of Personal Data Outside Sri Lanka) Directives (“Cross Border Instruments Directives”), recently published by the Data Protection Authority, stipulate the following types of instruments that may be adopted by controllers or processors, other than a public authority, to ensure binding and enforceable commitments of the recipient in the third country.

binding corporate rules;
an agreement;
a code of conduct;
a binding certification scheme; or
a cross border processing impact assessment.

Further, for instances where a controller, processor or sub processor transfers personal data, for further processing, to a recipient in a third country to whom the PDPA may not apply, a resolution of the board of directors or equivalent authority of a controller must also be adopted.

However, the said Cross Border Instruments Directives are still at draft stage and thus may be subject to change.

In the absence of an adequacy decision or appropriate safeguards, as listed above, the PDPA provides the following limited instances where personal data could still be transferred to a third country (provided that the transferor in such instance is not a public authority):

the data subject has explicitly consented, upon having been informed of the risks of such processing;
the transfer is necessary for the performance of a contract between the data subject and the controller, or the implementation of any pre-contractual measures taken by the controller at the request of the data subject;
the transfer is necessary for the establishment, exercise or defence of legal claims relating to the data subject;
the transfer is necessary for reasons of public interest;
the transfer is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another person and where the data subject is incapable of giving consent; or
any other condition that may be prescribed under the PDPA in the future.

In this context, the lack of appropriate safeguards set out from (a) to (e) above does not absolve a controller or processor from its other obligations under the PDPA. Therefore, the provisions set out in Part I, II and sections 20 to 25 of the PDPA (which contains substantial obligations of controllers and processors) must be complied with by every controller/processor. Thus, if a specified instrument is not entered into, in addition to complying with such obligations of the PDPA, one of the exceptional grounds set out above, should also be satisfied to carry out a lawful cross border transfer of data.

Related resources

Security

Security in Sri Lanka

The PDPA does not prescribe the specific technical measures or standards that ought to be implemented but requires the adoption of appropriate technical and organizational measures to ensure security that is commensurate to the risk of the processing activity.

Nonetheless, it provides insight into such technical and organizational measures by setting out that such measures include encryption, pseudonymization, anonymization or access controls.

Moreover, the PDPA also requires processors of personal data to have in place such technical and organizational measures, and ensure that their personnel data are bound by contractual obligations of confidentiality and secrecy.

As regards to data security, the DPMP Guidelines, (which are in draft form as at date), have provided examples of measures that may be adopted in this regard including encrypting sensitive customer data such as payment information during online transactions, role-based access controls to limit data access based on job roles, using data centres with advanced security features like biometric access and surveillance, conducting regular security audits and vulnerability assessments, implementing regular data backup procedures to ensure data can be recovered in the event of a loss or disaster, providing ongoing training to employees on data security best practices and recognising phishing attempts or other cyber threats and developing and maintaining an incident response plan.

Related resources

Breach notification

Breach notification in Sri Lanka

A ‘personal data breach’ is broadly defined in the PDPA to mean “any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The PDPA imposes a general obligation on a controller to notify the Authority in the event of a personal data breach.

The draft “Personal Data Protection (Personal Data Breach Notification) Rules” (“Breach Notification Rules”) recently published by the Data Protection Authority provide for such notification requirements. The said Breach Notification Rules are still in draft form and thus may be subject to change.

As per the said Breach Notification Rules, a controller must notify the Authority where a personal data breach has occurred or is reasonably likely to have occurred, unless such personal data breach is unlikely to result in a risk, or is likely to result in a low risk, to the rights and freedoms of the data subjects, in the form specified therein.

In this regard, the Breach Notification Rules stipulates that the controller must notify the Authority of such personal data breach with the requisite information set out therein, to the extent feasible, within seventy two (72) hours after:

the controller (or the relevant processor or sub processor) becomes aware that a personal data breach has occurred; or
the controller has determined, or shall have reasonably determined, based on the information available to it (or the relevant processor or sub processor) at the time that a personal data breach is reasonably likely to have occurred.

Where it is not feasible to notify the Authority within seventy two (72) hours, such notification must be accompanied by reasons for the delay.

Additionally, the Breach Notification Rules requires a controller to notify the data subjects where the controller is of the opinion that the data subjects are affected or likely to be affected by a personal data breach that is likely to result in a high risk to rights and freedoms of the data subjects, in the form specified therein.

A controller must make such notification of the breach to data subjects at the same time i.e. within seventy two (72) hours, as making the notification to the Authority with respect to the same personal data breach.

Further, the Breach Notification Rules provide that the notification to data subjects may be made using one or more reasonably effective and available means, such as:

emails
concise text messages (SMS);
phone calls;
social media and direct messaging applications or other applications with widespread usage;
video messaging, webinars and informational sessions for large scale personal data breaches; and
physical mail, where other means of notification are inefficient, or other contact information is outdated or compromised.

The Breach Notification Rules further provide that if the aforesaid methods of direct notification to data subjects involve disproportionate effort or expense or are otherwise not feasible, a controller may make a public notification in one or more widely used media sources by which affected data subjects are likely to be informed, including, without limitation, newspapers, magazines, websites, social media, online advertising, radio, television and billboards and any other media, electronic or otherwise.

Additionally, as mentioned in Collection and processing, the Data Protection Management programme, which is required to be implemented by every controller, must also include a robust mechanism to detect breaches of personal data.

Related resources

Enforcement

Enforcement in Sri Lanka

Enforcement of the PDPA is carried out by the Data Protection Authority of Sri Lanka (“Authority”). As an initial step, the PDPA provides that data subjects aggrieved by the decisions of controllers have the right appeal to the Authority. The Authority is empowered to conduct investigations, and to allow or disallow such appeals at its discretion. In the event an appeal is allowed, the controller in question is required to give effect to the decision of the Authority, and inform the action taken in line with such decision, to both the relevant data subject and the Authority.

As per the Rights and Appeals Regulations (which are still in draft form), the Authority may disallow an appeal where the Authority is satisfied that:

the matter relating to appeal is not within the scope provided under the PDPA;
the appeal was not submitted within 3 months from the date of the decision of the controller;
the appeal was submitted by any person or entity other than the data subject or his representative; or
the appeal was submitted on the same ground which was earlier refused by the Authority and there is no other reasonable ground for appeal again.

The Authority is also empowered to conduct inquiries on a complaint made, or otherwise if the Authority believes that a controller or a processor inter alia has contravened, is acting in contravention of or is likely to contravene the PDPA or any other legislation in Sri Lanka relating to processing of personal data.

The draft Personal Data Protection (Inquiry Procedure) Regulations (“Inquiry Procedure Regulations”) published by the Authority, provides that any person aggrieved by the conduct of the controller or processor may make a complaint to the Authority, substantially in the form set out in therein.

The Inquiry Procedure Regulations also stipulate comprehensive provisions on the manner in which the inquiry on the alleged contravention will be conducted by the Authority.

However, it must be noted that the Inquiry Procedure Regulations are still in draft form and thus may be subject to change.

The Authority has wide powers in conducting inquiries, which includes requiring persons to appear before it, examine persons under oath or affirmation and require the furnishing of information relating to the processing functions of a controller or processor.

Corrective Powers

Upon an inquiry where the controller or processor will be given an opportunity to be heard, the Authority is empowered to issue a binding directive which may include any one or more of the following:

cease and refrain from the activity in question;
take certain measured to rectify the situation;
pay compensation to the person aggrieved.

Administrative Penalties

In the event a controller or processor fails to comply with directives issued by the Authority, the Authority may impose a penalty that will not exceed LKR ten million (10,000,000) for each non-compliance.

In imposing a penalty, the Authority will consider a number of factors, including the following:

the nature, gravity and duration of the contravention;
action taken by the controller or processor to mitigate the damage suffered by data subjects;
the effectiveness of the controller’s data protection management programme;
the degree of co-operation by the controller with the Authority, in remedying the contravention and mitigating any adverse effects;
the categories of personal data affected by the contravention;
whether the controller or processor notified the Authority of the contravention;
previous contraventions by controller or processor;
financial benefits gained or losses avoided by the contravention.

Where a controller or processor has been subject to a penalty on a previous occasion and subsequently does not conform to a directive by the Authority, in addition to the penalty, such controller or processor will be liable to pay an additional penalty of twice the amount imposed as the penalty.

If the payment of a penalty is in default, the Authority may make an ex-parte application to the Magistrate Court of Colombo for an order requiring the payment, which can be recovered as a fine imposed by such court, even if such fine exceeds the amount such courts in its ordinary jurisdiction would impose.

The PDPA however makes provisions for an appeal to the Court of Appeal to a controller or processor that is aggrieved by the imposition of a penalty, which appeal should be referred within 21 working days from the date the notice of the imposition of such penalty was communicated to such controller or processor.

Related resources

Electronic marketing

Electronic marketing in Sri Lanka

The data protection principles enshrined in the PDPA apply in relation to any electronic marketing activity carried out using personal data.

In addition, if direct marketing messages are to be sent using electronic or any other means, the controller must first obtain consent from the data subject prior to sending such message, which are identified as ‘solicited messages’ under the law.

Therefore, unlike the GDPR, legitimate interests cannot be used as the legal basis for processing personal data in sending electronic marketing messages to data subjects.

Consent under the PDPA is required to be freely given, specific, informed and unambiguous indication in writing or by affirmative action. The conditions governing consent under the PDPA set out that:

the controller should be able to demonstrate that consent was obtained from the data subject;
if consent is provided in a written form which also concerns other matters, the request for consent should be clearly distinguishable;
the performance of a contract should not be conditional on a data subject’s consent to processing his personal data that is not necessary for the same; and
the data subject must be informed, before they give consent, that they may withdraw consent at any time.

Additionally, when sending solicited messages, the controller should:

provide the data subject information on how they may opt out of receiving such messages, free of charge; and
inform the data subject of the nature of the message, to whom it is intended, and the identity of the controller or the third party on whose behalf the controller is disseminating the message.

The PDPA also allows the Authority to introduce rules, codes or prefixes that controllers should adopt to identify different categories of solicited messages. However, given that the law is in its transitional stage, such rules have not yet been introduced.

The aforesaid restrictions on marketing would not apply where marketing is aimed at corporate subscribers.

Related resources

Online privacy

Online privacy in Sri Lanka

At present there are no requirements specifically applicable to aspects of online privacy such as cookies and location data. However, controllers and processors would be required to adhere to the general obligations set out in the PDPA, and data subjects would still be eligible to the rights and protections afforded to their personal data under the PDPA, when personal data is processed for online purposes.

Related resources

Key contacts

Data protection lawyers in Sri Lanka

Shanaka Gunasekara

Partner

FJ&G de Saram

Colombo

Email Full bio

Part I, II and III and VII (Data Protection Principles, Rights and Obligations of the Controllers and Processors, Rights of the Data Subjects and Penalties) – 18th of March 2025.
Part IV (Use of Personal Data to Disseminate Unsolicited Messages) – latest by 18th of March 2026.
Part V (Data Protection Authority) – 17th July 2023 (accordingly, the Data Protection Authority being the regulator under the PDPA has now been established)
Part VI, VIII, IX and X (Director General, Staff and Fund of the Data Protection Authority, Miscellaneous and Interpretation Provisions) – 1st of December 2023.

The PDPA is primarily inspired by the European Union's General Data Protection Regulation (“GDPR”) and, therefore, shares many similarities with the GDPR.

The Financial Consumer Protection Regulations No. 1 of 2023 (the “FCPR”), published on the 9 August, 2023, promulgated under the Monetary Law Act, No.58 of 1949 (now replaced by the Central Bank of Sri Lanka Act, No. 16 of 2023), provides obligations substantially similar to the PDPA in relation to the protection of personal information of financial consumers. The FCPR is applicable to licensed commercial banks, licensed specialised banks, licensed finance companies, specialized leasing companies, authorized primary dealers, authorized money brokers, licensed microfinance companies, participants of the payment and settlement systems or any other financial institutions approved by the Central Bank of Sri Lanka. The FCPR provides protection not only to personally identifiable information but also extends to all information pertaining to financial consumers, which includes corporate entities and other legal bodies. The FCPR also provides for grace periods before the same becomes operational, with a majority of the regulations becoming operational upon the expiration of 6 months from the date of its publication. Additionally, the requirements of the FCPR pertaining to the security of personal information are buttressed by the Regulatory Framework on Technology Risk Management and Resilience for Licensed Banks, directions No. 16 of 2021, dated 9 December 2021, promulgated under the Banking Act No. 30 of 1988 (as amended). The applicability of this framework however is limited to licensed commercial banks and licensed specialized banks in Sri Lanka and its concentration lies on the information security requirements of such organizations.
The Special Direction No. 91 published by the Consumer Affairs Authority on the 17 May, 2023, under the Consumer Affairs Authority Act No. 09 of 2003 (as amended), sets out provisions governing e-commerce entities and platform operators for the purpose of protecting consumers. These directions, although not in extensive detail, enumerate the principles set out in PDPA, aiming to the protect the personal data of consumers. It should be noted that unlike the PDPA, these directions are operational as at date.

Quick links

Data Protection in Sri Lanka

Data protection laws in Sri Lanka

Continue reading